LDAP Group Type Support + Typo Error (#1097) · Issues · funkwhale / funkwhale

LDAP Group Type Support + Typo Error

Steps to reproduce

Enable LDAP Authentication using ENV with Docker, working with users side only configuration. Then i want to use Group supports in order to have a granular matrice about my application. I’m using basic openldap backend with posixGroup. I’ve followed the instructions from https://docs.funkwhale.audio/installation/ldap.html with LDAP_GROUP_FILTER=(objectClass=posixGroup).

What happens?

I restart and check the console, the binding is fine except until the group search where it’s keep searching for a member attribute as i can see on my openldap logs. However posixGroup is based with memberUid rather than member which is used for "groupOfNames" types groups.
Checking the code on funkwhale/api/config/settings/common.py i can see first a typo error line 668 env("LDAP_GROUP_FILER", default="") this should have been env("LDAP_GROUP_FILTER", default="") according the LDAP documentation.
Still on the same page of code, we can see 667-673

        # Get filter
        AUTH_LDAP_GROUP_FILTER = env("LDAP_GROUP_FILER", default="")
        # Search for the group in the specified DN
        AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
            AUTH_LDAP_GROUP_DN, ldap.SCOPE_SUBTREE, AUTH_LDAP_GROUP_FILTER
        )
        AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()

From my understanding, (which may be wrong), whenever i may use any of the other kind of LDAP/ActiveDirectory group using the ENV LDAP_GROUP_FILTER i would still be stuck with the Django type AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(). This will lead to have always a query looking for member attribute from my openldap.

What is expected?

I think it would rather be good to have an ENV type LDAP_GROUP_TYPE optional to let us change the Django implementations from GroupOfNamesType() to any of the other supported group by Django as we can see on the Django url in the LDAP documentation.

PosixGroupType
MemberDNGroupType
NestedMemberDNGroupType
GroupOfNamesType
NestedGroupOfNamesType
GroupOfUniqueNamesType
NestedGroupOfUniqueNamesType
ActiveDirectoryGroupType
NestedActiveDirectoryGroupType
OrganizationalRoleGroupType
NestedOrganizationalRoleGroupType

I may suggest the following adaptation:

    # Search for group types
    LDAP_GROUP_DN = env("LDAP_GROUP_DN", default="")
    if LDAP_GROUP_DN:
        AUTH_LDAP_GROUP_DN = LDAP_GROUP_DN
        # Get filter
        AUTH_LDAP_GROUP_FILTER = env("LDAP_GROUP_FILTER", default="")
        # Search for the group in the specified DN
        AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
            AUTH_LDAP_GROUP_DN, ldap.SCOPE_SUBTREE, AUTH_LDAP_GROUP_FILTER
        )
        AUTH_LDAP_GROUP_TYPE = env("LDAP_GROUP_TYPE", default="GroupOfNamesType()")

        # Configure basic group support
        LDAP_REQUIRE_GROUP = env("LDAP_REQUIRE_GROUP", default="")
        if LDAP_REQUIRE_GROUP:
            AUTH_LDAP_REQUIRE_GROUP = LDAP_REQUIRE_GROUP
        LDAP_DENY_GROUP = env("LDAP_DENY_GROUP", default="")
        if LDAP_DENY_GROUP:
            AUTH_LDAP_DENY_GROUP = LDAP_DENY_GROUP

I’m also willing to provide an update on the LDAP documenation.

Context

Funkwhale version(s) affected: 0.21

Platform: Docker

Image: funkwhale/all-in-one:0.21

Personal Note

Thank you so much for your work, i’m overjoyed to be able to get out my music from digital dust into this blue whale in order to listen music without any add as i used to do with Youtube or others. On the technical side, i speak python but i have no proper experience with Django.

Thank you !

<!--
Hi there! You are reporting a bug on this project, and we want to thank you!

If it's the first time you post here, please take a moment to read our Code of Conduct
(https://funkwhale.audio/code-of-conduct/) and ensure your issue respect our guidelines.

To ensure your bug report is as useful as possible, please try to stick
to the following structure. You can leave the parts text between `<!- ->`
markers untouched, they won't be displayed in your final message.

Please do not edit the following line, it's used for automatic classification
-->

/label ~"Type: Bug" ~"Status: Need triage"

## Steps to reproduce

1. Enable LDAP Authentication using ENV with Docker, working with users side only configuration. Then i want to use Group supports in order to have a granular matrice about my application. I’m using basic openldap backend with posixGroup. I’ve followed the instructions from https://docs.funkwhale.audio/installation/ldap.html with **LDAP_GROUP_FILTER=(objectClass=posixGroup)**.

## What happens?

1. I restart and check the console, the binding is fine except until the group search where it’s keep searching for a **member** attribute as i can see on my openldap logs. However posixGroup is based with **memberUid** rather than **member** which is used for "groupOfNames" types groups.
2. Checking the code on funkwhale/api/config/settings/common.py i can see first a typo error line **668** ```env("LDAP_GROUP_FILER", default="")``` this should have been ```env("LDAP_GROUP_FILTER", default="")``` according the LDAP documentation.
3. Still on the same page of code, we can see 667-673
```python
        # Get filter
        AUTH_LDAP_GROUP_FILTER = env("LDAP_GROUP_FILER", default="")
        # Search for the group in the specified DN
        AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
            AUTH_LDAP_GROUP_DN, ldap.SCOPE_SUBTREE, AUTH_LDAP_GROUP_FILTER
        )
        AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
```
From my understanding, (which may be wrong), whenever i may use any of the other kind of LDAP/ActiveDirectory group using the ENV **LDAP_GROUP_FILTER** i would still be stuck with the Django type **AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()**. This will lead to have always a query looking for **member** attribute from my openldap.

## What is expected?

I think it would rather be good to have an ENV type **LDAP_GROUP_TYPE** optional to let us change the Django implementations from **GroupOfNamesType()** to any of the other supported group by Django as we can see on the Django url in the LDAP documentation.
```python
PosixGroupType
MemberDNGroupType
NestedMemberDNGroupType
GroupOfNamesType
NestedGroupOfNamesType
GroupOfUniqueNamesType
NestedGroupOfUniqueNamesType
ActiveDirectoryGroupType
NestedActiveDirectoryGroupType
OrganizationalRoleGroupType
NestedOrganizationalRoleGroupType
```

I may suggest the following adaptation:
```python
    # Search for group types
    LDAP_GROUP_DN = env("LDAP_GROUP_DN", default="")
    if LDAP_GROUP_DN:
        AUTH_LDAP_GROUP_DN = LDAP_GROUP_DN
        # Get filter
        AUTH_LDAP_GROUP_FILTER = env("LDAP_GROUP_FILTER", default="")
        # Search for the group in the specified DN
        AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
            AUTH_LDAP_GROUP_DN, ldap.SCOPE_SUBTREE, AUTH_LDAP_GROUP_FILTER
        )
        AUTH_LDAP_GROUP_TYPE = env("LDAP_GROUP_TYPE", default="GroupOfNamesType()")

# Configure basic group support
        LDAP_REQUIRE_GROUP = env("LDAP_REQUIRE_GROUP", default="")
        if LDAP_REQUIRE_GROUP:
            AUTH_LDAP_REQUIRE_GROUP = LDAP_REQUIRE_GROUP
        LDAP_DENY_GROUP = env("LDAP_DENY_GROUP", default="")
        if LDAP_DENY_GROUP:
            AUTH_LDAP_DENY_GROUP = LDAP_DENY_GROUP

```

I’m also willing to provide an update on the LDAP documenation.

## Context

**Funkwhale version(s) affected**: 0.21

**Platform**: Docker

**Image**: funkwhale/all-in-one:0.21
<!--
If relevant, share additional context here like:

- Browser type and version (for front-end bugs)
- Instance configuration (Docker/non-docker, nginx/apache as proxy, etc.)
- Error messages, screenshots and logs
-->

## Personal Note

Thank you so much for your work, i’m overjoyed to be able to get out my music from digital dust into this blue whale in order to listen music without any add as i used to do with Youtube or others.
On the technical side, i speak  python but i have no proper experience with Django.