From 0c4d21f20493d3d37f80c741de8fb02bc8369420 Mon Sep 17 00:00:00 2001
From: Vladimir Sukhonosov
Date: Thu, 28 Sep 2023 01:52:30 +0300
Subject: check group name in ldap result (#150)
---
 kvmd/plugins/auth/ldap.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'kvmd/plugins')
diff --git a/kvmd/plugins/auth/ldap.py b/kvmd/plugins/auth/ldap.py
index 4ef9c29c..8743b2c9 100644
--- a/kvmd/plugins/auth/ldap.py
+++ b/kvmd/plugins/auth/ldap.py
@@ -88,10 +88,10 @@ class Plugin(BaseAuthService):
 base=self.__base,
 scope=ldap.SCOPE_SUBTREE,
 filterstr=f"(&(objectClass=user)(userPrincipalName={user})(memberOf={self.__group}))",
- attrlist=["userPrincipalName", "memberOf"],
+ attrlist=["memberOf"],
 timeout=self.__timeout,
 ) or []):
- if dn is not None and isinstance(attrs, dict) and attrs.get("memberOf"):
+ if dn is not None and isinstance(attrs, dict) and self.__group.encode() in attrs.get("memberOf"): # type: ignore
 return True
 except ldap.INVALID_CREDENTIALS:
 pass
-- 
cgit v1.2.3
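Review bot: The added membership test confirms that a returned entry lists the group, but not that the entry belongs to the authenticating user: `user` is still interpolated unescaped into `filterstr`, and `userPrincipalName` is dropped from `attrlist`, so the result can no longer be compared with it. Unless `user` is sanitised outside this hunk, build the filter from `ldap.filter.escape_filter_chars(user)` (and likewise for `self.__group`). Separately, `attrs.get("memberOf")` returns None when the attribute is absent, so the `in` test raises a TypeError that the `# type: ignore` only hides from the type checker; `self.__group.encode() in attrs.get("memberOf", [])` avoids that. The comparison is also byte-exact, while directory servers match DNs case-insensitively, so a group configured with different casing or spacing than the server returns would be rejected. The enclosing method starts and ends outside the hunk, so whether other exceptions are caught is not visible here.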