Issue with AD Authentication in recent conservancy version
Mads Kiilerich
mads at kiilerich.com
Thu Mar 5 15:48:48 UTC 2020
On 3/5/20 4:29 PM, Reuben Popp wrote:
> Good morning Mads (or afternoon as the case may be where you're at).
>
> My apologies that the report was so sparse. When I wrote it, I was
> neck deep in the middle of trying to get things set up for our
> architects to trial Kallithea.
>
> Yes, this was the default branch downloaded from the bitbucket mirror
> on February 25th.
>
> My original report and fix were incorrect. With it in place, what I
> noticed was that while an Active Directory account could log in, it
> would prevent me from logging in using the (local) kallithea admin
> account. My best guess here, being a relatively new Python noob, is
> that in the case of the kallithea admin account, the email was a
> string literal, which would then fail because there was no decode()
> method. On the other hand, it would work for a byte string such as
> that coming from AD.
>
> That said, the following works for both AD and the local kallithea
> account:
>
> --- lib/helpers.py 2020-02-25 11:18:44.000000000 -0600
>
> +++ lib/helpers.py.new 2020-03-05 09:11:30.394700849 -0600
>
> @@ -951,6 +951,9 @@
>
> if email_address == _def:
>
> return default
>
> + if isinstance(email_address, bytes):
>
> + email_address = email_address.decode('utf-8')
>
> +
>
> parsed_url = urllib.parse.urlparse(url.current(qualified=True))
>
> url = (c.visual.gravatar_url or User.DEFAULT_GRAVATAR_URL) \
>
> .replace('{email}', email_address) \
>
>
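Review bot: the `isinstance(email_address, bytes)` check added before the `urllib.parse.urlparse(...)` line converts the value only at this gravatar call site in lib/helpers.py, so whatever handed in a bytes e-mail address still holds bytes everywhere else it is used. Decode the value where it enters the application and let this helper receive str only. If the check stays here, note that `email_address.decode('utf-8')` raises UnicodeDecodeError on input that is not valid UTF-8, and that exception would propagate out of this helper; catch it and return `default`, or pass an explicit `errors=` policy.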
> One thing of note though, and I think this is a deeper issue, as you
> said, and that's when I look at any AD user account in kallithea, each
> field (eg, first, last, etc) is enclosed in the byte (?) field
> delimiter. eg: b'Reuben' b'Popp'
Yes, the problem seems to be that values retrieved from LDAP are byte
encoded. They should be decoded in auth_ldap. But probably only some of
the values. I would thus still need
>
> Can you try this and report back what it prints out when you log in
> using AD/LDAP?
>
> --- kallithea/lib/auth_modules/auth_ldap.py
> +++ kallithea/lib/auth_modules/auth_ldap.py
> @@ -326,6 +326,7 @@ class KallitheaAuthPlugin(auth_modules.K
> aldap = AuthLdap(**kwargs)
> (user_dn, ldap_attrs) =
> aldap.authenticate_ldap(username,
> password)
> log.debug('Got ldap DN response %s', user_dn)
> + print(ldap_attrs)
>
> def get_ldap_attr(k):
> return ldap_attrs.get(settings.get(k), [''])[0]
>
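Review bot: the added `print(ldap_attrs)` after the `log.debug('Got ldap DN response %s', user_dn)` line writes the full attribute dictionary of each user who logs in to stdout, outside the logging configuration. For a diagnostic, use `log.debug('Got ldap attrs %r', ldap_attrs)` so it follows the existing log level and handlers, and keep the line out of any committed change. Separately, the context line `return ldap_attrs.get(settings.get(k), [''])[0]` falls back to a str `''`, so if the directory values are bytes this function returns mixed types; a fix in this file should make both paths return the same type.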
/Mads
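
Added example (not part of the original message and not Kallithea's code): one way to decode only the text attributes of an LDAP result at the point where they are read, leaving binary attributes as bytes. The function names, the attribute mapping and the sample entry are assumptions constructed for illustration.

```python
# Constructed sample shaped like a python-ldap result entry under Python 3:
# attribute name -> list of bytes values.
SAMPLE_LDAP_ATTRS = {
    'givenName': [b'Reuben'],
    'sn': [b'Popp'],
    'mail': [b'reuben@example.com'],
    'objectGUID': [b'\x9f\x12\xff\x00\xc3\x28\xa0\x01'],  # binary, not text
}

# Assumed mapping from profile field to directory attribute (hypothetical).
TEXT_ATTRS = {'firstname': 'givenName', 'lastname': 'sn', 'email': 'mail'}


def get_text_attr(ldap_attrs, name, default=''):
    """Return the first value of a text attribute as str.

    A missing or empty attribute yields `default`. A value that is not
    valid UTF-8 raises ValueError instead of being stored in mangled form.
    """
    values = ldap_attrs.get(name) or []
    if not values:
        return default
    value = values[0]
    if isinstance(value, str):  # already text, e.g. a locally stored value
        return value
    try:
        return value.decode('utf-8')
    except UnicodeDecodeError as exc:
        raise ValueError('attribute %r is not valid UTF-8' % name) from exc


def extract_profile(ldap_attrs):
    """Decode only the attributes known to hold text; leave the rest alone."""
    return {field: get_text_attr(ldap_attrs, attr)
            for field, attr in TEXT_ATTRS.items()}
```

With every profile field returned as str, later code such as a gravatar URL builder no longer needs its own bytes check.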