From 6b1c327ee886488eedbe8a8721708b89f37d5560 Mon Sep 17 00:00:00 2001
From: Vianney Foucault
Date: Mon, 10 Apr 2017 11:08:04 -0700
Subject: [PATCH] [AIRFLOW-1095] Make ldap_auth memberOf come from configuration

If the key ldap/group_member_attr is set in the airflow.cfg, this value is used to lookup groups for the user.

Closes #2232 from vfoucault/fixbug/ldap_auth
---
 airflow/config_templates/default_airflow.cfg | 12 ++++++++++++
 airflow/contrib/auth/backends/ldap_auth.py   | 14 +++++++++-----
 docs/security.rst                            | 10 ++++++++--
 3 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg
index b28256a59c34f..2b5fb5d261d57 100644
--- a/airflow/config_templates/default_airflow.cfg
+++ b/airflow/config_templates/default_airflow.cfg
@@ -332,6 +332,18 @@ max_threads = 2
 authenticate = False
 
+[ldap]
+uri = ldaps://:
+user_filter = objectClass=*
+user_name_attr = uid
+group_member_attr = memberOf
+superuser_filter = memberOf=CN=airflow-super-users,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
+data_profiler_filter = memberOf=CN=airflow-data-profilers,OU=Groups,OU=RWC,OU=US,OU=NORAM,DC=example,DC=com
+bind_user = cn=Manager,dc=example,dc=com
+bind_password = insecure
+basedn = dc=example,dc=com
+cacert = /etc/ca/ldap_ca.crt
+search_scope = LEVEL
 
 [mesos]
 # Mesos master address which MesosExecutor will connect to.
diff --git a/airflow/contrib/auth/backends/ldap_auth.py b/airflow/contrib/auth/backends/ldap_auth.py
index 0e066e2f7dd28..341f710ee3454 100644
--- a/airflow/contrib/auth/backends/ldap_auth.py
+++ b/airflow/contrib/auth/backends/ldap_auth.py
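Review bot: The new `group_member_attr = memberOf` key is introduced as the attribute used for group lookup, but `superuser_filter` and `data_profiler_filter` on the following lines still hard-code `memberOf=` inside their filter strings, so an operator who changes the new key will resolve a user's groups through one attribute while the privilege filters still test another. The section also carries no explanatory comments, unlike the surrounding sections of this template, and `bind_password = insecure` reads like a usable value rather than a placeholder. I would add above `group_member_attr` the comment `# Attribute that lists a user's group memberships; keep superuser_filter and data_profiler_filter below in sync with it` and above `bind_password` the comment `# Placeholder only: supply the real bind credential outside this world-readable template`.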
@@ -89,18 +89,22 @@ def group_contains_user(conn, search_base, group_filter, user_name_attr, usernam
 
 
 def groups_user(conn, search_base, user_filter, user_name_att, username):
     search_filter = "(&({0})({1}={2}))".format(user_filter, user_name_att, username)
-    res = conn.search(native(search_base), native(search_filter), attributes=[native("memberOf")])
+    try:
+        memberof_attr = configuration.get("ldap", "group_member_attr")
+    except:
+        memberof_attr = "memberOf"
+    res = conn.search(native(search_base), native(search_filter), attributes=[native(memberof_attr)])
     if not res:
         LOG.info("Cannot find user %s", username)
         raise AuthenticationError("Invalid username or password")
 
-    if conn.response and "memberOf" not in conn.response[0]["attributes"]:
-        LOG.warning("""Missing attribute "memberOf" when looked-up in Ldap database.
+    if conn.response and memberof_attr not in conn.response[0]["attributes"]:
+        LOG.warning("""Missing attribute "%s" when looked-up in Ldap database.
                     The user does not seem to be a member of a group and therefore won't see any dag
-                    if the option filter_by_owner=True and owner_mode=ldapgroup are set""")
+                    if the option filter_by_owner=True and owner_mode=ldapgroup are set""", memberof_attr)
         return []
 
-    user_groups = conn.response[0]["attributes"]["memberOf"]
+    user_groups = conn.response[0]["attributes"][memberof_attr]
     regex = re.compile("cn=([^,]*).*", re.IGNORECASE)
     groups_list = []
diff --git a/docs/security.rst b/docs/security.rst
index c0e2918884563..ada34a27e1ee2 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -72,6 +72,11 @@ Valid search_scope options can be found in the `ldap3 Documentation
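Review bot: The bare `except:` wrapped around `configuration.get("ldap", "group_member_attr")` catches everything, including `KeyboardInterrupt`, `SystemExit` and any genuine configuration error, and silently falls back to `memberOf`, so a broken airflow.cfg surfaces only as a user with no groups. Since `configuration` is already in scope, test for the key instead of catching: `memberof_attr = "memberOf"` / `if configuration.has_option("ldap", "group_member_attr"):` / `    memberof_attr = configuration.get("ldap", "group_member_attr")`; if this version's configuration module lacks `has_option`, catch the specific exception that `configuration.get` raises for a missing key rather than a bare `except`. The configured name is also used verbatim as the key into `conn.response[0]["attributes"]`, so a value whose case differs from what the server returns may not match — worth confirming against how the ldap3 response dict handles attribute-name case. `groups_user` continues below the hunk, where `user_groups` is parsed; a short comment at the lookup such as `# group attribute is configurable via [ldap] group_member_attr; defaults to memberOf` would make the fallback discoverable.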