
[redhat-3.9] authentication(LDAP): allow LDAP referrals to not be followed (PROJQUAY-5291) (#1922)

OpenShift Cherrypick Robot
2023-06-02 18:42:39 +00:00
committed by GitHub
parent 171f9cc14c
commit 6be4d052ff
2 changed files with 22 additions and 2 deletions


@@ -67,6 +67,7 @@ def get_users_handler(config, _, override_config_dir):
ldap_user_filter = config.get("LDAP_USER_FILTER", None)
ldap_superuser_filter = config.get("LDAP_SUPERUSER_FILTER", None)
ldap_restricted_user_filter = config.get("LDAP_RESTRICTED_USER_FILTER", None)
ldap_referrals = int(config.get("LDAP_FOLLOW_REFERRALS", True))
allow_tls_fallback = config.get("LDAP_ALLOW_INSECURE_FALLBACK", False)
return LDAPUsers(
@@ -85,6 +86,7 @@ def get_users_handler(config, _, override_config_dir):
ldap_user_filter=ldap_user_filter,
ldap_superuser_filter=ldap_superuser_filter,
ldap_restricted_user_filter=ldap_restricted_user_filter,
ldap_referrals=ldap_referrals,
)
if authentication_type == "JWT":
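Review bot: `ldap_referrals = int(config.get("LDAP_FOLLOW_REFERRALS", True))` in the first hunk accepts whatever the operator wrote in the config, so a value such as `"false"` or `"no"` fails at handler construction with a bare `ValueError` that does not name the setting, while a value like `2` is passed through unchanged to `OPT_REFERRALS`. Normalising to 0/1 once here, with an error that names the key, would make the option's contract explicit; the same `int()` coercion is then repeated in `LDAPConnectionBuilder`, `LDAPConnection` and `LDAPUsers` in the second file and could be reduced to a single place. get_users_handler starts before this hunk and continues past it.
```python
raw_referrals = config.get("LDAP_FOLLOW_REFERRALS", True)
try:
    ldap_referrals = 1 if int(raw_referrals) else 0
except (TypeError, ValueError) as err:
    raise ValueError("LDAP_FOLLOW_REFERRALS must be 0 or 1, got %r" % (raw_referrals,)) from err
# … unchanged: allow_tls_fallback and the LDAPUsers(...) call …
```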


@@ -14,6 +14,8 @@ logger = logging.getLogger(__name__)
_DEFAULT_NETWORK_TIMEOUT = 10.0 # seconds
_DEFAULT_TIMEOUT = 10.0 # seconds
_DEFAULT_PAGE_SIZE = 1000
# setting config LDAP_FOLLOW_REFERRALS: 0 to disable referral lookups
_DEFAULT_REFERRALS = True
class LDAPConnectionBuilder(object):
@@ -25,6 +27,7 @@ class LDAPConnectionBuilder(object):
allow_tls_fallback=False,
timeout=None,
network_timeout=None,
referrals=_DEFAULT_REFERRALS,
):
self._ldap_uri = ldap_uri
self._user_dn = user_dn
@@ -32,6 +35,7 @@ class LDAPConnectionBuilder(object):
self._allow_tls_fallback = allow_tls_fallback
self._timeout = timeout
self._network_timeout = network_timeout
self._referrals = int(referrals)
def get_connection(self):
return LDAPConnection(
@@ -41,6 +45,7 @@ class LDAPConnectionBuilder(object):
self._allow_tls_fallback,
self._timeout,
self._network_timeout,
self._referrals,
)
@@ -53,6 +58,7 @@ class LDAPConnection(object):
allow_tls_fallback=False,
timeout=None,
network_timeout=None,
referrals=_DEFAULT_REFERRALS,
):
self._ldap_uri = ldap_uri
self._user_dn = user_dn
@@ -60,13 +66,14 @@ class LDAPConnection(object):
self._allow_tls_fallback = allow_tls_fallback
self._timeout = timeout
self._network_timeout = network_timeout
self._referrals = int(referrals)
self._conn = None
def __enter__(self):
trace_level = 2 if os.environ.get("USERS_DEBUG") == "1" else 0
self._conn = ldap.initialize(self._ldap_uri, trace_level=trace_level)
self._conn.set_option(ldap.OPT_REFERRALS, 1)
self._conn.set_option(ldap.OPT_REFERRALS, self._referrals)
self._conn.set_option(
ldap.OPT_NETWORK_TIMEOUT, self._network_timeout or _DEFAULT_NETWORK_TIMEOUT
)
@@ -107,11 +114,18 @@ class LDAPUsers(FederatedUsers):
ldap_user_filter=None,
ldap_superuser_filter=None,
ldap_restricted_user_filter=None,
ldap_referrals=_DEFAULT_REFERRALS,
):
super(LDAPUsers, self).__init__("ldap", requires_email)
self._ldap = LDAPConnectionBuilder(
ldap_uri, admin_dn, admin_passwd, allow_tls_fallback, timeout, network_timeout
ldap_uri,
admin_dn,
admin_passwd,
allow_tls_fallback,
timeout,
network_timeout,
referrals=ldap_referrals,
)
self._ldap_uri = ldap_uri
self._uid_attr = uid_attr
@@ -122,6 +136,7 @@ class LDAPUsers(FederatedUsers):
self._ldap_user_filter = ldap_user_filter
self._ldap_superuser_filter = ldap_superuser_filter
self._ldap_restricted_user_filter = ldap_restricted_user_filter
self._ldap_referrals = int(ldap_referrals)
# Note: user_rdn is a list of RDN pieces (for historical reasons), and secondary_user_rds
# is a list of RDN strings.
@@ -577,6 +592,9 @@ class LDAPUsers(FederatedUsers):
# Yield any users found.
for userdata in rdata:
found_results = found_results + 1
if isinstance(userdata[1], list):
# we do not follow referrals here
continue
yield self._build_user_information(userdata[1])
logger.debug(
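Review bot: In the last hunk `found_results` is incremented before the `isinstance(userdata[1], list)` check, so a search reference (which python-ldap reports as a tuple whose second element is a list of referral URLs instead of an attribute dict once `OPT_REFERRALS` is 0) is counted as a found user even though it is skipped; if that counter feeds a "no users found" decision elsewhere in the method, a page holding only references would look non-empty. Moving the increment below the skip avoids this: `if isinstance(userdata[1], list):` / `continue` / `found_results = found_results + 1`. The comment `# we do not follow referrals here` states a policy rather than what the branch detects; `# search references arrive as (None, [url, ...]) when referrals are not followed; skip them, they are not entries` says why the type check exists. The enclosing method starts and ends outside the hunk, so how `found_results` is consumed is not visible here.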