LDAP Group Type Support + Typo Error
Steps to reproduce
- Enable LDAP authentication using ENV with Docker, working with a user-side-only configuration. Then I want to use group support in order to have a granular matrix for my application. I’m using a basic openldap backend with posixGroup. I’ve followed the instructions from https://docs.funkwhale.audio/installation/ldap.html with LDAP_GROUP_FILTER=(objectClass=posixGroup).
- I restart and check the console; the binding is fine until the group search, where it keeps searching for a member attribute, as I can see in my openldap logs. However, posixGroup is based on memberUid rather than member, which is used for "groupOfNames"-type groups.
- Checking the code in funkwhale/api/config/settings/common.py, I can first see a typo on line 668: `env("LDAP_GROUP_FILER", default="")`. This should have been `env("LDAP_GROUP_FILTER", default="")` according to the LDAP documentation.
- Still in the same file, we can see on lines 667-673:

```python
# Get filter
AUTH_LDAP_GROUP_FILTER = env("LDAP_GROUP_FILER", default="")
# Search for the group in the specified DN
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    AUTH_LDAP_GROUP_DN, ldap.SCOPE_SUBTREE, AUTH_LDAP_GROUP_FILTER
)
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
```

From my understanding (which may be wrong), whenever I use any of the other kinds of LDAP/ActiveDirectory group via the ENV LDAP_GROUP_FILTER, I would still be stuck with the Django type AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(). This will always lead to a query looking for the member attribute in my openldap.
What is expected?
I think it would be good to have an optional ENV setting LDAP_GROUP_TYPE to let us change the Django implementation from GroupOfNamesType() to any of the other group types supported by Django, as we can see at the Django URL in the LDAP documentation.
- PosixGroupType
- MemberDNGroupType
- NestedMemberDNGroupType
- GroupOfNamesType
- NestedGroupOfNamesType
- GroupOfUniqueNamesType
- NestedGroupOfUniqueNamesType
- ActiveDirectoryGroupType
- NestedActiveDirectoryGroupType
- OrganizationalRoleGroupType
- NestedOrganizationalRoleGroupType
I may suggest the following adaptation:
```python
import django_auth_ldap.config  # used to look up the group type class by name

# Search for group types
LDAP_GROUP_DN = env("LDAP_GROUP_DN", default="")
if LDAP_GROUP_DN:
    AUTH_LDAP_GROUP_DN = LDAP_GROUP_DN
    # Get filter
    AUTH_LDAP_GROUP_FILTER = env("LDAP_GROUP_FILTER", default="")
    # Search for the group in the specified DN
    AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
        AUTH_LDAP_GROUP_DN, ldap.SCOPE_SUBTREE, AUTH_LDAP_GROUP_FILTER
    )
    # env() returns a string, so resolve the class name and instantiate it
    AUTH_LDAP_GROUP_TYPE = getattr(
        django_auth_ldap.config, env("LDAP_GROUP_TYPE", default="GroupOfNamesType")
    )()

    # Configure basic group support
    LDAP_REQUIRE_GROUP = env("LDAP_REQUIRE_GROUP", default="")
    if LDAP_REQUIRE_GROUP:
        AUTH_LDAP_REQUIRE_GROUP = LDAP_REQUIRE_GROUP
    LDAP_DENY_GROUP = env("LDAP_DENY_GROUP", default="")
    if LDAP_DENY_GROUP:
        AUTH_LDAP_DENY_GROUP = LDAP_DENY_GROUP
```

I’m also willing to provide an update to the LDAP documentation.
Funkwhale version(s) affected: 0.21
Thank you so much for your work, I’m overjoyed to be able to get my music out of the digital dust and into this blue whale in order to listen to music without any ads, as I used to do with Youtube or others. On the technical side, I speak Python but I have no proper experience with Django.
Thank you!
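
The optional LDAP_GROUP_TYPE setting requested above, as an added example that is not Funkwhale's code and not part of the original report: the environment value is a string while django-auth-ldap expects a group type instance, so the name is checked against the types listed in the report before anything is instantiated. The `Name:attribute` syntax for the two types that require a `member_attr` argument, and the names `GROUP_TYPES`, `parse_group_type` and `build_group_type`, are assumptions made for this example.

```python
import importlib
import re

# Group types named in the report. True marks the two classes whose
# constructor requires a member_attr argument in django-auth-ldap.
GROUP_TYPES = {
    "PosixGroupType": False,
    "MemberDNGroupType": True,
    "NestedMemberDNGroupType": True,
    "GroupOfNamesType": False,
    "NestedGroupOfNamesType": False,
    "GroupOfUniqueNamesType": False,
    "NestedGroupOfUniqueNamesType": False,
    "ActiveDirectoryGroupType": False,
    "NestedActiveDirectoryGroupType": False,
    "OrganizationalRoleGroupType": False,
    "NestedOrganizationalRoleGroupType": False,
}
ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")  # LDAP attribute descriptor


def parse_group_type(value):
    """Validate an LDAP_GROUP_TYPE string; return (class_name, kwargs)."""
    name, _, attr = value.strip().partition(":")
    if name not in GROUP_TYPES:
        raise ValueError(f"unsupported LDAP_GROUP_TYPE: {name!r}")
    if GROUP_TYPES[name]:
        if not ATTR_NAME.fullmatch(attr):
            raise ValueError(f"{name} needs a member attribute, e.g. {name}:member")
        return name, {"member_attr": attr}
    if attr:
        raise ValueError(f"{name} takes no member attribute")
    return name, {}


def build_group_type(value):
    """Instantiate the validated class; django-auth-ldap is imported lazily."""
    name, kwargs = parse_group_type(value)
    config = importlib.import_module("django_auth_ldap.config")
    return getattr(config, name)(**kwargs)


# In the settings module (hypothetical wiring) this would replace the
# hard-coded GroupOfNamesType():
# AUTH_LDAP_GROUP_TYPE = build_group_type(
#     env("LDAP_GROUP_TYPE", default="GroupOfNamesType"))
```

A misspelled or unsupported value raises `ValueError` when the settings are loaded, rather than falling back to a group type that queries the wrong membership attribute.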