From 1ca41e2128e792ee7644908c4c341b598f6a6fe2 Mon Sep 17 00:00:00 2001
From: Peter Marschall
Date: Sun, 29 Dec 2024 20:43:14 +0100
Subject: [PATCH] LDAP auth: only ask for memberOf if ldap_load_groups = True

Ask for the 'memberOf' attribute to be returned in the user query only if 'ldap_load_groups' is set to True. This fixes the issue that currently LDAP authentication can only be used on LDAP servers that know this non-standard (it's an Active Directory extension) attribute. Other LDAP servers either do not necessarily have the group memberships stored in the user object (e.g. OpenLDAP), or use different attributes for this purpose (e.g. Novell eDirectory uses 'groupMembership')
---
 radicale/auth/ldap.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py
index 2290794b..50b2768a 100644
--- a/radicale/auth/ldap.py
+++ b/radicale/auth/ldap.py
@@ -43,7 +43,7 @@ class Auth(auth.BaseAuth):
     _ldap_reader_dn: str
     _ldap_secret: str
     _ldap_filter: str
-    _ldap_attributes: list[str] = ['memberOf']
+    _ldap_attributes: list[str] = []
     _ldap_user_attr: str
     _ldap_load_groups: bool
     _ldap_module_version: int = 3
@@ -111,6 +111,8 @@ class Auth(auth.BaseAuth):
         else:
             logger.info("auth.ldap_ssl_ca_file : (not provided)")
         """Extend attributes to to be returned in the user query"""
+        if self._ldap_load_groups:
+            self._ldap_attributes.append('memberOf')
         if self._ldap_user_attr:
             self._ldap_attributes.append(self._ldap_user_attr)
         logger.info("ldap_attributes : %r" % self._ldap_attributes)
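Review bot: The new `self._ldap_attributes.append('memberOf')` in the second hunk mutates the class-level list declared as `_ldap_attributes: list[str] = []` in the first hunk, so every `Auth` instance built in the same process shares and keeps extending one list. A second instance configured with `ldap_load_groups = False` would still inherit 'memberOf' appended by an earlier instance, which defeats the point of this change, and repeated instantiation sends duplicate attribute names in the user query. The fix is to make the list per-instance before the first append: `self._ldap_attributes = []  # fresh per instance; the class attribute is shared`, placed directly above `if self._ldap_load_groups:`, and to leave the class-level declaration as a bare annotation `_ldap_attributes: list[str]`. The enclosing `__init__` starts and ends outside this hunk, so I have not checked whether the list is reassigned elsewhere.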