Posted to commits@airflow.apache.org by "Yi Wei (JIRA)" <ji...@apache.org> on 2018/09/06 10:01:00 UTC

[jira] [Created] (AIRFLOW-3020) LDAP Authentication doesn't check whether a user belongs to a group correctly

Yi Wei created AIRFLOW-3020:
-------------------------------

             Summary: LDAP Authentication doesn't check whether a user belongs to a group correctly
                 Key: AIRFLOW-3020
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-3020
             Project: Apache Airflow
          Issue Type: Bug
          Components: authentication
    Affects Versions: 1.10.0, 1.9.0
            Reporter: Yi Wei
            Assignee: Yi Wei


According to the Airflow documentation at https://airflow.apache.org/security.html#ldap, to enable LDAP authentication, we should write airflow.cfg like this:

[ldap]
uri = ldap://XXX.YYY.org
user_filter = objectClass=*
user_name_attr = sAMAccountName
superuser_filter = CN=XXX_Programmers
bind_user = user_on_ldap
bind_password = insecure
basedn = OU=Some,DC=other,DC=org
search_scope = SUBTREE

But after enabling LDAP authentication, I just cannot log in with a superuser role. I double-checked my membership in the superuser groups and confirmed I belong to the group specified in 'superuser_filter', but Airflow still won't recognize me as a superuser.

So I checked airflow/contrib/auth/backends/ldap_auth.py; the group_contains_user function doesn't work as I expected:

This line:

conn.search(native(search_base), native(search_filter), attributes=[native(user_name_attr)])

It searches the group and extracts the sAMAccountName attribute of the group, then:

    for entry in conn.entries:
        if user_name in getattr(entry, user_name_attr).values:
            return True

The code snippet will never return True, because how can user_name occur in group_name anyway?

Not sure if this issue only occurs in my company; please correct me if you have any suggestions.



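Added example, not part of the original message and not Airflow's code: the membership check as quoted in the report, next to one assumed alternative that looks the user's DN up in the group's `member` values (the Active Directory convention). The in-memory DIRECTORY, the search() stand-in for conn.search() and both function names are hypothetical, and the entries are constructed sample data.

```python
# Constructed AD-style sample entries (not real data): DN -> attributes.
DIRECTORY = {
    "CN=XXX_Programmers,OU=Some,DC=other,DC=org": {
        "cn": ["XXX_Programmers"],
        "sAMAccountName": ["XXX_Programmers"],  # the group's own account name
        "member": ["CN=Alice Example,OU=Some,DC=other,DC=org"],
    },
    "cn=alice example,ou=some,dc=other,dc=org": {  # DN case differs on purpose
        "cn": ["Alice Example"],
        "sAMAccountName": ["alice"],
    },
    "CN=Bob Example,OU=Some,DC=other,DC=org": {
        "cn": ["Bob Example"],
        "sAMAccountName": ["bob"],
    },
}


def search(directory, attr, value, attributes):
    """Hypothetical stand-in for conn.search(): equality match on one
    attribute, returning only the requested attributes of each hit."""
    return [{a: e.get(a, []) for a in attributes}
            for e in directory.values() if value in e.get(attr, [])]


def contains_user_as_reported(directory, group_cn, user_name,
                              user_name_attr="sAMAccountName"):
    """The check as quoted in the report: user_name_attr is read from the
    *group* entry, so user_name is compared with the group's own name."""
    for entry in search(directory, "cn", group_cn, [user_name_attr]):
        if user_name in entry[user_name_attr]:
            return True
    return False


def contains_user_by_member(directory, group_cn, user_name,
                            user_name_attr="sAMAccountName"):
    """Assumed alternative: resolve the login name to its DN(s), then look
    for those DNs in the group's `member` values (DNs compared lowercased)."""
    user_dns = {dn.lower() for dn, e in directory.items()
                if user_name in e.get(user_name_attr, [])}
    for entry in search(directory, "cn", group_cn, ["member"]):
        if user_dns & {dn.lower() for dn in entry["member"]}:
            return True
    return False


if __name__ == "__main__":
    for name in ("alice", "bob"):
        print(name, contains_user_as_reported(DIRECTORY, "XXX_Programmers", name),
              contains_user_by_member(DIRECTORY, "XXX_Programmers", name))
```

Nested group membership is not resolved by this sketch; only direct `member` values are compared.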