From 51043837f03e8c56872a14b67fbbe2afe507851c Mon Sep 17 00:00:00 2001
From: Olivier DUMAS <olivier.dumas@orange.com>
Date: Mon, 1 Oct 2018 19:27:52 +0200
Subject: [PATCH 1/2] Recursively find ActiveDirectory groups to check whether
 user is in LDAP_ADMIN_GROUP or LDAP_OPERATOR_GROUP

---
 app/models.py | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/app/models.py b/app/models.py
index 4869608..3ad1043 100644
--- a/app/models.py
+++ b/app/models.py
@@ -160,6 +160,26 @@ class User(db.Model):
             logging.error(e)
             return False
 
+    def ad_recursive_groups(self, groupDN):
+        """
+        Recursively list groups belonging to a group. It will allow checking deep in the Active Directory 
+        whether a user is allowed to enter or not
+        """
+        LDAP_BASE_DN = Setting().get('ldap_base_dn')
+        groupSearchFilter =  "(&(objectcategory=group)(member=%s))" % groupDN
+        result=[ groupDN ]
+        try:
+            groups = self.ldap_search(groupSearchFilter, LDAP_BASE_DN)
+            for group in groups:
+                result += [ group[0][0] ]
+                if 'memberOf' in group[0][1]:
+                    for member in group[0][1]['memberOf']:
+                        result += self.ad_recursive_groups( member.decode("utf-8") )
+            return result
+        except:
+            logging.exception("Recursive AD Group search error")
+            return result
+
     def is_validate(self, method, src_ip=''):
         """
         Validate user credential
@@ -218,8 +238,9 @@ class User(db.Model):
                                     logging.error('User {0} is not part of the "{1}", "{2}" or "{3}" groups that allow access to PowerDNS-Admin'.format(self.username, LDAP_ADMIN_GROUP, LDAP_OPERATOR_GROUP, LDAP_USER_GROUP))
                                     return False
                             elif LDAP_TYPE == 'ad':
-                                user_ldap_groups = [g.decode("utf-8") for g in ldap_result[0][0][1]['memberOf']]
-                                logging.debug('user_ldap_groups: {0}'.format(user_ldap_groups))
+                                user_ldap_groups = []
+                                for group in [g.decode("utf-8") for g in ldap_result[0][0][1]['memberOf']]:
+                                    user_ldap_groups += self.ad_recursive_groups( group )
 
                                 if (LDAP_ADMIN_GROUP in user_ldap_groups):
                                     role_name = 'Administrator'

From 3f2d14327cb28b003fd93bcf159b7a305f95ae8a Mon Sep 17 00:00:00 2001
From: odumasFR <37532391+odumasFR@users.noreply.github.com>
Date: Mon, 1 Oct 2018 23:08:45 +0200
Subject: [PATCH 2/2] better exception handling for ldap errors

---
 app/models.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/models.py b/app/models.py
index 3ad1043..db0a23f 100644
--- a/app/models.py
+++ b/app/models.py
@@ -176,7 +176,7 @@ class User(db.Model):
                     for member in group[0][1]['memberOf']:
                         result += self.ad_recursive_groups( member.decode("utf-8") )
             return result
-        except:
+        except ldap.LDAPError as e:
             logging.exception("Recursive AD Group search error")
             return result