LDAP auth: do not blindly assume groups have a 2-letter naming attribute

Instead, strip away everything before (and including) the '=' sign of ther RDN.
Kozea · Jan 2, 2025 · 0253682 · 0253682
1 parent 8c2feb4
commit 0253682
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py
@@ -142,7 +142,9 @@ def _login2(self, login: str, password: str) -> str:
             if self._ldap_load_groups:
                 tmp = []
                 for g in user_entry[1]['memberOf']:
-                    tmp.append(g.decode('utf-8').split(',')[0][3:])
+                    """Get group g's RDN's attribute value"""
+                    g = g.decode('utf-8').split(',')[0]
+                    tmp.append(g.partition('=')[2])
                 self._ldap_groups = set(tmp)
                 logger.debug("_login2 LDAP groups of user: %s", ",".join(self._ldap_groups))
             conn.unbind()
@@ -205,7 +207,9 @@ def _login3(self, login: str, password: str) -> str:
             if self._ldap_load_groups:
                 tmp = []
                 for g in user_entry['attributes']['memberOf']:
-                    tmp.append(g.split(',')[0][3:])
+                    """Get group g's RDN's attribute value"""
+                    g = g.split(',')[0]
+                    tmp.append(g.partition('=')[2])
                 self._ldap_groups = set(tmp)
                 logger.debug("_login3 LDAP groups of user: %s", ",".join(self._ldap_groups))
             conn.unbind()