fix: gracefully handle missing ldap.group_search to prevent HTTP 500#12364
Open
andrianbalanesq wants to merge 1 commit into
Open
fix: gracefully handle missing ldap.group_search to prevent HTTP 500#12364andrianbalanesq wants to merge 1 commit into
andrianbalanesq wants to merge 1 commit into
Conversation
…nventree#12225) When LDAP is enabled but ldap.group_search is not configured, django-auth-ldap crashes at runtime with TypeError when performing group permission lookups. This results in HTTP 500 errors during normal API requests. Changes: - Make AUTH_LDAP_FIND_GROUP_PERMS configurable via ldap.find_group_perms setting (defaults to True for backward compatibility) - When group_search DN is None, disable all group-based features (find_group_perms, mirror_groups, require_group, deny_group, user_flags_by_group) gracefully with a warning instead of crashing - Set AUTH_LDAP_GROUP_SEARCH to None instead of LDAPSearch(None, ...) - Add tests for all three scenarios: missing group_search, configured group_search, explicit find_group_perms=False - Document new ldap.find_group_perms setting
✅ Deploy Preview for inventree-web-pui-preview canceled.
|
| # If group search DN is not configured, group-based features cannot | ||
| # work. Disable them gracefully with a warning instead of letting | ||
| # django-auth-ldap crash at runtime with a TypeError (see #12225). | ||
| if group_search_dn is None: |
Member
There was a problem hiding this comment.
Should you also check for empty string here? e.g.
if not group_search_dn:
...| 'AUTH_LDAP_MIRROR_GROUPS': get_boolean_setting( | ||
| 'INVENTREE_LDAP_MIRROR_GROUPS', 'ldap.mirror_groups', False | ||
| ), | ||
| ) if group_search_dn is not None else False, |
Member
There was a problem hiding this comment.
could simplify to:
) if group_search_dn else False
Member
|
Someone with LDAP experience will need to review this |
|
Thanks for the review! Both suggestions make sense:
Happy to wait for someone with LDAP experience to review the broader approach. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #12225
When LDAP authentication is enabled (
ldap.enabled: true) with group permission lookup active, butldap.group_searchis not configured, the server starts normally but later crashes withTypeError: search_ext() argument 1 must be str, not Noneduring normal API requests that require permission evaluation.This happens because
AUTH_LDAP_FIND_GROUP_PERMSwas hardcoded toTrue, andAUTH_LDAP_GROUP_SEARCHwas created asLDAPSearch(None, ...)when the setting was missing.Changes
AUTH_LDAP_FIND_GROUP_PERMSconfigurable via the newldap.find_group_permssetting (defaults toTruefor backward compatibility)ldap.group_searchis not set (None), all group-based features are disabled gracefully with a warning message instead of crashing:AUTH_LDAP_FIND_GROUP_PERMSset toFalseAUTH_LDAP_GROUP_SEARCHset toNone(instead ofLDAPSearch(None, ...))AUTH_LDAP_MIRROR_GROUPSset toFalseAUTH_LDAP_REQUIRE_GROUPset toNoneAUTH_LDAP_DENY_GROUPset toNoneAUTH_LDAP_USER_FLAGS_BY_GROUPset toNonegroup_searchwithfind_group_perms=True(should disable gracefully)group_searchwithfind_group_perms=True(should stay enabled)group_searchwithfind_group_perms=False(should respect explicit disable)ldap.find_group_permssetting in the LDAP configuration docsChecklist