LDAP Group Type Support + Typo Error
Steps to reproduce
- Enable LDAP authentication using ENV with Docker, working with a user-side-only configuration. Then I want to use group support in order to have a granular matrix for my application. I’m using a basic openldap backend with posixGroup. I’ve followed the instructions from https://docs.funkwhale.audio/installation/ldap.html with LDAP_GROUP_FILTER=(objectClass=posixGroup).
What happens?
- I restart and check the console; the binding is fine until the group search, where it keeps searching for a member attribute, as I can see in my openldap logs. However, posixGroup is based on memberUid rather than member, which is used for "groupOfNames" type groups.
- Checking the code in funkwhale/api/config/settings/common.py, I can first see a typo on line 668:
env("LDAP_GROUP_FILER", default="")
This should have been
env("LDAP_GROUP_FILTER", default="")
according to the LDAP documentation.
- Still on the same page of code, we can see at lines 667-673:
# Get filter
AUTH_LDAP_GROUP_FILTER = env("LDAP_GROUP_FILER", default="")
# Search for the group in the specified DN
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    AUTH_LDAP_GROUP_DN, ldap.SCOPE_SUBTREE, AUTH_LDAP_GROUP_FILTER
)
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
From my understanding (which may be wrong), whenever I use any of the other kinds of LDAP/Active Directory groups with the ENV LDAP_GROUP_FILTER, I would still be stuck with the Django type AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(). This will always lead to a query looking for the member attribute in my openldap.
What is expected?
I think it would be good to have an optional ENV LDAP_GROUP_TYPE to let us change the Django implementation from GroupOfNamesType() to any of the other group types supported by Django, as we can see at the Django URL in the LDAP documentation.
PosixGroupType
MemberDNGroupType
NestedMemberDNGroupType
GroupOfNamesType
NestedGroupOfNamesType
GroupOfUniqueNamesType
NestedGroupOfUniqueNamesType
ActiveDirectoryGroupType
NestedActiveDirectoryGroupType
OrganizationalRoleGroupType
NestedOrganizationalRoleGroupType
I may suggest the following adaptation:
# Search for group types
LDAP_GROUP_DN = env("LDAP_GROUP_DN", default="")
if LDAP_GROUP_DN:
    AUTH_LDAP_GROUP_DN = LDAP_GROUP_DN
    # Get filter
    AUTH_LDAP_GROUP_FILTER = env("LDAP_GROUP_FILTER", default="")
    # Search for the group in the specified DN
    AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
        AUTH_LDAP_GROUP_DN, ldap.SCOPE_SUBTREE, AUTH_LDAP_GROUP_FILTER
    )
    AUTH_LDAP_GROUP_TYPE = env("LDAP_GROUP_TYPE", default="GroupOfNamesType()")
    # Configure basic group support
    LDAP_REQUIRE_GROUP = env("LDAP_REQUIRE_GROUP", default="")
    if LDAP_REQUIRE_GROUP:
        AUTH_LDAP_REQUIRE_GROUP = LDAP_REQUIRE_GROUP
    LDAP_DENY_GROUP = env("LDAP_DENY_GROUP", default="")
    if LDAP_DENY_GROUP:
        AUTH_LDAP_DENY_GROUP = LDAP_DENY_GROUP
I’m also willing to provide an update to the LDAP documentation.
Context
Funkwhale version(s) affected: 0.21
Platform: Docker
Image: funkwhale/all-in-one:0.21
Personal Note
Thank you so much for your work, I’m overjoyed to be able to get my music out of digital dust and into this blue whale in order to listen to music without any ads as I used to do with YouTube or others. On the technical side, I speak Python but I have no proper experience with Django.
Thank you!
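django-auth-ldap expects AUTH_LDAP_GROUP_TYPE to be an instance of a group type class, while an environment variable only ever delivers a string. The following is an added example (not part of the original issue or Funkwhale's code) that resolves an LDAP_GROUP_TYPE value against an allowlist of the class names listed in the issue, without evaluating the string; the member_attr and module parameters are assumptions introduced here.

```python
import importlib

# Class names from the issue's list; all live in django_auth_ldap.config.
NO_ARG_TYPES = frozenset({
    "PosixGroupType", "GroupOfNamesType", "NestedGroupOfNamesType",
    "GroupOfUniqueNamesType", "NestedGroupOfUniqueNamesType",
    "ActiveDirectoryGroupType", "NestedActiveDirectoryGroupType",
    "OrganizationalRoleGroupType", "NestedOrganizationalRoleGroupType",
})
# These two take the membership attribute as a required constructor argument.
MEMBER_ATTR_TYPES = frozenset({"MemberDNGroupType", "NestedMemberDNGroupType"})


def parse_group_type(value, default="GroupOfNamesType"):
    """Return a validated class name for an LDAP_GROUP_TYPE value.

    Accepts "PosixGroupType" or "PosixGroupType()"; anything outside the
    allowlist is rejected, so the string is never evaluated as code.
    """
    name = (value or "").strip()
    if name.endswith("()"):
        name = name[:-2]
    name = name or default
    if name not in NO_ARG_TYPES | MEMBER_ATTR_TYPES:
        raise ValueError(f"Unsupported LDAP_GROUP_TYPE: {name!r}")
    return name


def build_group_type(value, member_attr="", module=None):
    """Instantiate the group type named by `value`.

    `module` defaults to django_auth_ldap.config; it is a parameter only so
    the function can be exercised without the package installed (assumption).
    """
    name = parse_group_type(value)
    if module is None:
        module = importlib.import_module("django_auth_ldap.config")
    cls = getattr(module, name)
    if name in MEMBER_ATTR_TYPES:
        if not member_attr:
            raise ValueError(f"{name} needs a member attribute, e.g. 'member'")
        return cls(member_attr)
    return cls()


# In settings this would replace the hard-coded GroupOfNamesType():
# AUTH_LDAP_GROUP_TYPE = build_group_type(env("LDAP_GROUP_TYPE", default=""))
```

Failing at startup on an unknown value keeps a misspelled setting from silently falling back to a group type that queries the wrong membership attribute, which matters when LDAP_REQUIRE_GROUP or LDAP_DENY_GROUP gate access.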