1

使用 flask-ldap3-login 查询 AD 以获取我的 Web 应用登录信息。适合所有人;但是,对于在 AD 中的名字中包含“()”的用户。这是调试日志。

未成功登录

DEBUG:root:Validating LDAPLoginForm against LDAP
DEBUG:flask_ldap3_login:Opening connection with bind user 'mybinduser@mydomain.com'
DEBUG:flask_ldap3_login:Successfully bound to LDAP as 'mybinduser@mydomain.com' for search_bind method
DEBUG:flask_ldap3_login:Performing an LDAP Search using filter '(&(objectclass=person)(sAMAccountName=ebadu))', base 'DC=mydomain,DC=com', and scope 'SUBTREE'
DEBUG:flask_ldap3_login:Opening connection with bind user 'CN=Badu\, Ericka (EB),OU=HELPDESK,DC=mydomain,DC=com'
DEBUG:flask_ldap3_login:Directly binding a connection to a server with user:'CN=Badu\, ericka (EB),OU=HELPDESK,DC=mydomain,DC=com'
DEBUG:flask_ldap3_login:Authentication was successful for user 'ebadu'
DEBUG:flask_ldap3_login:Searching for groups for specific user with filter '(&(objectclass=group)(uniqueMember=CN=Badu\, Ericka (EB),OU=HELPDESK,DC=mydomain,DC=com))' , base 'DC=mydomain,DC=com' and scope 'LEVEL'
ERROR:flask_ldap3_login:malformed filter
DEBUG:flask_ldap3_login:Destroying connection at <0x7f8629604c50>
DEBUG:flask_ldap3_login:Destroying connection at <0x7f8628eabf98>

成功登录

DEBUG:root:Validating LDAPLoginForm against LDAP
DEBUG:flask_ldap3_login:Opening connection with bind user 'mybinduser@mydomain.com'
DEBUG:flask_ldap3_login:Successfully bound to LDAP as 'mybinduser@mydomain.com' for search_bind method
DEBUG:flask_ldap3_login:Performing an LDAP Search using filter '(&(objectclass=person)(sAMAccountName=mpeters))', base 'DC=mydomain,DC=com', and scope 'SUBTREE'
DEBUG:flask_ldap3_login:Opening connection with bind user 'CN=Peters\, Mike,OU=HELPDESK,DC=mydomain,DC=com'
DEBUG:flask_ldap3_login:Directly binding a connection to a server with user:'CN=Peters\, Mike,OU=HELPDESK,DC=mydomain,DC=com'
DEBUG:flask_ldap3_login:Authentication was successful for user 'mpeters'
DEBUG:flask_ldap3_login:Searching for groups for specific user with filter '(&(objectclass=group)(uniqueMember=CN=Peters\, Mike,OU=HELPDESK,DC=mydomain,DC=com))' , base 'DC=mydomain,DC=com' and scope 'LEVEL'
DEBUG:flask_ldap3_login:Destroying connection at <0x7f8629683828>
DEBUG:flask_ldap3_login:Destroying connection at <0x7f8628e91048>

AD 日志显示“一个帐户已成功登录”;但是,用户没有登录到应用程序。用户在其他任何地方使用 AD 凭据登录都没有问题。

可能是什么问题?

这是 flask-ldap3-login 代码:

LDAP_USER_RDN_ATTR = 'cn'
LDAP_USER_LOGIN_ATTR = 'sAMAccountName'
LDAP_BASE_DN = 'DC=mydomain,DC=com'
LDAP_REQUIRED_GROUP = 'ou=helpdesk,dc=mydomain,dc=com'
LDAP_USER_SEARCH_SCOPE = 'SUBTREE'
4

2 回答 2

0

但是“格式错误的过滤器”通常意味着发送到 AD 的 LDAP 查询在某种程度上是无效的。我询问了帐户中的奇数字符,因为如果某些特殊字符没有正确编码,它们可能会被误解为 LDAP 查询中使用的特殊字符。

它可能是您的代码中的错误,或者是 flask-ldap3-login 中的错误。如果您显示您的代码,我也许可以给您一些指示。

另外,看看您是否可以启用调试日志记录。它可能会告诉你真正的过滤器是什么让它成为炸弹。我不熟悉flask-ldap3-login,但是,查看文档,这可能会做到吗?:

app.config['DEBUG'] = True
于 2018-10-31T12:38:03.140 回答
0

解决了!似乎在最新版的flask-ldap3-login中解决了。我没有升级但修改了现有代码:

替换了这个:

    `search_filter = '(&{group_filter}({members_attr}={user_dn}))'.format('`    
    `group_filter=self.config.get('LDAP_GROUP_OBJECT_FILTER'),`    
    `members_attr=self.config.get('LDAP_GROUP_MEMBERS_ATTR'),`  
    `user_dn=dn`

有了这个:

    `safe_dn = ldap3.utils.conv.escape_filter_chars(dn)`  
    `search_filter = '(&{group_filter}({members_attr}={user_dn}))'.format(`  
    `group_filter=self.config.get('LDAP_GROUP_OBJECT_FILTER'),`  
    `members_attr=self.config.get('LDAP_GROUP_MEMBERS_ATTR'),`  
    `user_dn=safe_dn`
于 2018-11-02T06:21:50.103 回答