Merge pull request #728 from Plyrolith/simple-ad

use cn for simple ad user creation and auth
cgwire · Oct 19, 2023 · b9b986d · b9b986d
2 parents 73a71c9 + 0214564
commit b9b986d
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 13 deletions.
diff --git a/zou/app/services/auth_service.py b/zou/app/services/auth_service.py
@@ -180,7 +180,7 @@ def ldap_auth_strategy(person, password, app):
         try:
             SSL = app.config["LDAP_SSL"]
             if app.config["LDAP_IS_AD_SIMPLE"]:
-                user = f"sAMAccountName={person['desktop_login']},{app.config['LDAP_BASE_DN']}"
+                user = f"cn={person['desktop_login']},{app.config['LDAP_BASE_DN']}"
                 authentication = SIMPLE
             elif app.config["LDAP_IS_AD"]:
                 user = (

diff --git a/zou/app/utils/commands.py b/zou/app/utils/commands.py
@@ -210,8 +210,11 @@ def search_ldap_users(conn, excluded_accounts):
         is_ad = LDAP_IS_AD or LDAP_IS_AD_SIMPLE
         attributes = ["givenName", "sn", "mail", "cn"]
         if is_ad:
+            if LDAP_IS_AD_SIMPLE:
+                attributes += ["cn"]
+            else:
+                attributes += ["sAMAccountName"]
             attributes += [
-                "sAMAccountName",
                 "thumbnailPhoto",
                 "userAccountControl",
                 "objectGUID",
@@ -240,13 +243,16 @@ def search_ldap_users(conn, excluded_accounts):
         conn.search(LDAP_BASE_DN, query, attributes=attributes)
         ldap_users = []
         for entry in conn.entries:
-            if (
-                clean_value(entry.sAMAccountName if is_ad else entry.uid)
-                not in excluded_accounts
-                and (
-                    group_members is None
-                    or entry.entry_dn in group_members
-                )
+            if LDAP_IS_AD_SIMPLE:
+                desktop_login = entry.cn
+            elif LDAP_IS_AD:
+                desktop_login = entry.sAMAccountName
+            else:
+                desktop_login = entry.uid
+            desktop_login = clean_value(desktop_login)
+
+            if desktop_login not in excluded_accounts and (
+                group_members is None or entry.entry_dn in group_members
             ):
                 if is_ad:
                     ldap_uid = clean_value(entry.objectGUID)
@@ -262,10 +268,6 @@ def search_ldap_users(conn, excluded_accounts):
                 else:
                     thumbnail = None
 
-                desktop_login = clean_value(
-                    entry.sAMAccountName if is_ad else entry.uid
-                )
-
                 emails = entry.mail.values
                 if len(emails) == 0:
                     emails = ["%s@%s" % (desktop_login, EMAIL_DOMAIN)]