
LDAP in plone should ignore disabled users (Resolved)

Request LDAP User Folder -- bug report -- by Danny Bloemendaal (ender)
Posted on Jul 23, 2008 7:37 am

Entries (Latest first)


  Resolve by Jens Vagelpohl on Aug 1, 2008 7:08 am
  This is the current implementation. Please test:

http://svn.dataflake.org/viewvc?view=rev&revision=1589

 

  Comment by Wichert Akkerman on Jul 29, 2008 9:16 am
  On top of my last patch: this patch changes the AD multiplugin to add a filter to LDAPUserFolder which filters out inactive users.

Index: Products/LDAPMultiPlugins/ActiveDirectoryMultiPlugin.py
===================================================================
--- Products/LDAPMultiPlugins/ActiveDirectoryMultiPlugin.py (revision 1583)
+++ Products/LDAPMultiPlugins/ActiveDirectoryMultiPlugin.py (working copy)
@@ -94,6 +94,9 @@
, local_groups=local_groups
, encryption=encryption
, read_only=read_only
+ , users_filter='(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
+
+
, REQUEST=None
)
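Review bot: the two empty `+` lines after the `users_filter` argument are stray whitespace inside the keyword-argument list and should be dropped. A short comment naming the matching rule (1.2.840.113556.1.4.803 is a bitwise AND on userAccountControl, bit 2 being the disabled flag) would save the next reader a lookup, and keeping the literal as a named default the site can override is friendlier than burying it in the call.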

Index: setup.py
===================================================================
--- setup.py (revision 1583)
+++ setup.py (working copy)
@@ -43,7 +43,7 @@
install_requires=[
#"Zope >= 2.8",
"setuptools",
- "Products.LDAPUserFolder >= 2.9",
+ "Products.LDAPUserFolder >= 2.11dev",
"Products.PluggableAuthService >= 1.4.0",
],
entry_points="""
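Review bot: `>= 2.11dev` ties the plugin to an unreleased LDAPUserFolder, so this requirement only resolves against a checkout until a release that actually carries `users_filter` exists; land this line together with that release rather than ahead of it.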
 

  Comment by Wichert Akkerman on Jul 29, 2008 9:10 am
  Luckily it seems this is not incredibly hard to implement. I decided to implement this using a feature I've often missed in LDAPUserFolder: the ability to define an optional extra filter for users. You can then filter out inactive AD users by adding the correct magic filter there: (!(userAccountControl:1.2.840.113556.1.4.803:=2))

LDAPMultiPlugins should probably set that filter by default for its AD plugin.

Below is the patch for LDAPUserFolder.

Index: Products/LDAPUserFolder/dtml/properties.dtml
===================================================================
--- Products/LDAPUserFolder/dtml/properties.dtml (revision 1583)
+++ Products/LDAPUserFolder/dtml/properties.dtml (working copy)
@@ -237,6 +237,16 @@

<tr>
<td align="left" valign="top" class="form-label">
+ Additional user search filter
+ </td>
+ <td align="left" valign="top">
+ <input type="text" name="users_filter" size="40"
+ value="<dtml-var expr="getProperty('users_filter')">" />
+ </td>
+ </tr>
+
+ <tr>
+ <td align="left" valign="top" class="form-label">
User password encryption
</td>
<td align="left" valign="top">
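Review bot: the `value` attribute emits `getProperty('users_filter')` without `html_quote`, so a stored filter containing `"` or `<` breaks the form markup and any markup in the value is rendered as-is; use `<dtml-var expr="getProperty('users_filter')" html_quote>` so the stored string is always shown literally.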
Index: Products/LDAPUserFolder/LDAPUserFolder.py
===================================================================
--- Products/LDAPUserFolder/LDAPUserFolder.py (revision 1583)
+++ Products/LDAPUserFolder/LDAPUserFolder.py (working copy)
@@ -114,6 +114,7 @@
security.declareProtected(view_management_screens, 'manage_grouprecords')
manage_grouprecords = DTMLFile('dtml/groups', globals())

+ users_filter = ''

#################################################################
#
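Review bot: the class attribute `users_filter = ''` is what keeps already-persisted LDAPUserFolder instances working until `manage_edit` is saved again; a one-line comment saying so stops someone from later removing it as unused.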
@@ -363,7 +364,7 @@
, binduid, bindpwd, binduid_usage=1, rdn_attr='cn'
, obj_classes='top,person', local_groups=0
, implicit_mapping=0, encryption='SHA', read_only=0
- , REQUEST=None
+ , users_filter='', REQUEST=None
):
""" Edit the LDAPUserFolder Object """
if not binduid:
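Review bot: inserting `users_filter` ahead of `REQUEST` changes the positional order of `manage_edit`, so any caller that passes `REQUEST` positionally now binds it to `users_filter`; appending the new parameter after `REQUEST=None` keeps existing call sites intact.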
@@ -375,6 +376,7 @@
self.groups_base = groups_base or users_base
self.groups_scope = groups_scope
self.read_only = not not read_only
+ self.users_filter = users_filter

self._delegate.edit( login_attr=login_attr,
users_base=users_base,
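Review bot: the value is stored with no validation, and an unbalanced or otherwise invalid filter makes every later user search fail, which locks every LDAP user out at once; at minimum strip whitespace and check that the string is a single balanced parenthesised expression before assigning `self.users_filter`, and cover the rejected case with a unit test.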
@@ -640,6 +642,8 @@
user_filter = [filter_format('(%s=%s)', ('objectClass', o))
for o in filter(None, self._user_objclasses)]
user_filter.append("(%s=*)" % self._uid_attr)
+ if self.users_filter:
+ user_filter.append(self.users_filter)
user_filter = '(&%s)' % ''.join(user_filter)

return user_filter
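Review bot: `self.users_filter` is appended verbatim inside `(&...)`, so it must be a complete parenthesised expression; a value such as `userAccountControl=512` produces an invalid filter. A unit test asserting the assembled string for a configured filter would document that contract.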
@@ -999,6 +1003,8 @@
else:
filt_list.extend( [ filter_format('(%s=%s)', ('objectClass', o))
for o in self._user_objclasses ] )
+ if self.users_filter:
+ filt_list.append(self.users_filter)
search_str = '(&%s)' % ''.join(filt_list)
res = self._delegate.search( base=users_base
, scope=search_scope
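Review bot: this repeats the `if self.users_filter: ... append(self.users_filter)` logic from `_getUserFilterString` in a second search path; factoring both into one helper keeps the two from drifting, which matters here because any path that misses the filter silently admits the disabled accounts the change is meant to exclude.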
 
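To make the filter from this comment concrete, here is an added Python example (not part of the patch or of LDAPUserFolder) that assembles the user search string the way the patched `_getUserFilterString` does, rejects an extra filter that is not one complete parenthesised expression, and evaluates the bit-AND matching rule locally against constructed entries to show which `userAccountControl` values the magic filter drops. The entry dicts, the sample values and the helper names are assumptions made for the example.

```python
import re

# The AD extended match from the thread: LDAP_MATCHING_RULE_BIT_AND (OID 1.2.840.113556.1.4.803)
# is true when every bit of the value is set in the integer attribute; bit 2 = ACCOUNTDISABLE.
BIT_AND_OID = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 2
DISABLED_USERS_FILTER = "(!(userAccountControl:%s:=%d))" % (BIT_AND_OID, ACCOUNTDISABLE)
_NOT_BIT_AND_RE = re.compile(r"^\(!\((\w+):" + re.escape(BIT_AND_OID) + r":=(\d+)\)\)$")

def balanced(expr):
    """True when expr is exactly one complete, balanced parenthesised filter."""
    depth = 0
    for i, ch in enumerate(expr):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(expr) - 1):
                return False
    return depth == 0 and expr.startswith("(")

def build_user_filter(objclasses, uid_attr, users_filter=""):
    """Assemble the filter as the patched _getUserFilterString does (the real code escapes
    values with ldap.filter.filter_format), rejecting an extra filter that is not balanced."""
    parts = ["(objectClass=%s)" % o for o in objclasses if o]
    parts.append("(%s=*)" % uid_attr)
    if users_filter:
        if not balanced(users_filter):
            raise ValueError("users_filter must be one balanced parenthesised filter")
        parts.append(users_filter)
    return "(&%s)" % "".join(parts)

def passes_not_bit_and(entry, not_bit_and_filter):
    """Evaluate a (!(attr:1.2.840.113556.1.4.803:=N)) filter locally on one entry dict."""
    m = _NOT_BIT_AND_RE.match(not_bit_and_filter)
    if not m:
        raise ValueError("unsupported filter: %s" % not_bit_and_filter)
    attr, mask = m.group(1), int(m.group(2))
    return (int(entry.get(attr, "0")) & mask) != mask

# Constructed sample entries (not from the tracker); 514 and 66050 carry the ACCOUNTDISABLE bit.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": "512"},
    {"sAMAccountName": "bob", "userAccountControl": "514"},
    {"sAMAccountName": "carol", "userAccountControl": "66050"},
]

def active_logins(entries=SAMPLE_ENTRIES, users_filter=DISABLED_USERS_FILTER):
    # Names a server applying users_filter would return: disabled accounts drop out.
    return [e["sAMAccountName"] for e in entries if passes_not_bit_and(e, users_filter)]
```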

  Comment by Jens Vagelpohl on Jul 23, 2008 8:54 am
  I'd research access control rules and how they could be applied to
prevent those records to be revealed. That's what I would do if this
was OpenLDAP or another proper LDAP implementation.

There's a few bits of AD-specific code in the code base (remember,
there are several packages involved here), but none have anything to
do with this particular issue.


 

  Comment by Danny Bloemendaal on Jul 23, 2008 8:46 am
  Well, that's a pity. I don't see a way to not have AD spit out these
accounts. But now the problem remains that these users end up in plone
while they shouldn't.
I am not able to write this code myself. I'm just a user of this
module and unfortunately one of many AD users :-/
Isn't there already some kind of AD specific code inside the LDAP
stuff? Can't that be used to do the required filtering?


On 23 jul 2008, at 14:36, JTracker wrote:

> Issue followup (Defer) by Jens Vagelpohl (jens@dataflake.org):
>
> "LDAP in plone should ignore disabled users"
> http://www.dataflake.org/tracker/issue_00615
>
> ----------
>
> I've dug through the code and have come to the conclusion that even
> with a suitable filter expression it's not straightforward to add
> this feature. AD-specific code changes would be required in several
> packages, which I'm not very happy about.
>
> My suggestion would be for you to investigate if there's any setting
> in AD which prevents it from returning disabled records. If not,
> then I would move disabled records to a different part of the tree,
> thus excluding them from user searches. If none of this helps you
> always have the option to suggest a patch, including unit tests,
> that does what you need. Until then, or until I have proof that this
> is a manageable change to make, I'll defer this issue.
>
>
> ----------
>
> Sent automatically by JTracker "Report Bugs" at http://www.dataflake.org/tracker

 

  Defer by Jens Vagelpohl on Jul 23, 2008 8:36 am
  I've dug through the code and have come to the conclusion that even with a suitable filter expression it's not straightforward to add this feature. AD-specific code changes would be required in several packages, which I'm not very happy about.

My suggestion would be for you to investigate if there's any setting in AD which prevents it from returning disabled records. If not, then I would move disabled records to a different part of the tree, thus excluding them from user searches. If none of this helps you always have the option to suggest a patch, including unit tests, that does what you need. Until then, or until I have proof that this is a manageable change to make, I'll defer this issue.
 

  Comment by Jens Vagelpohl on Jul 23, 2008 8:08 am
  The example shows how to list disabled users. It does not tell me how
to list non-disabled users.

Please provide me with that information or point me to specific
documentation that does not require me to learn how AD works or how M$
abuses standards.

 

  Comment by Danny Bloemendaal on Jul 23, 2008 7:50 am
  True.. here is the required link from m$

http://support.microsoft.com/kb/269181

And I'd love to do some tests here but I don't know how to do this filtering. Let me know :)
 

  Comment by Jens Vagelpohl on Jul 23, 2008 7:44 am
  That's great but since I know next to nothing about AD I don't even
know what "disabled" means. I would need specific instructions how to
recognize disabled accounts in order to filter them. I also have no
way to test this since I don't run any Windoze installation anywhere,
so I would need help for that as well.

 

  Initial Request by Danny Bloemendaal (ender) on Jul 23, 2008 7:37 am
  When you do queries in plone against AD/LDAP, disabled accounts show up but they should be completely ignored in all search results.

(I discussed this with Wichert and he agrees)

Cheers,
Danny :)