LDAP: users without org mappings are marked as disabled (#26650)

* LDAP: users without org mappings are marked as disabled * Update pkg/services/ldap/ldap.go Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * LDAP: verifies that unmapped users are tagged as isDisabled Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2025-02-25 18:55:37 -06:00 · 2020-07-31 14:41:31 +02:00 · 2020-07-31 14:41:31 +02:00 · c266f45858
commit c266f45858
parent 35c67606ce
2 changed files with 35 additions and 0 deletions
--- a/pkg/services/ldap/ldap.go
+++ b/pkg/services/ldap/ldap.go
@ -427,6 +427,12 @@ func (server *Server) buildGrafanaUser(user *ldap.Entry) (*models.ExternalUserIn
 		}
 	}

+	// If there are group org mappings configured, but no matching mappings,
+	// the user will not be able to login and will be disabled
+	if len(server.Config.Groups) > 0 && len(extUser.OrgRoles) == 0 {
+		extUser.IsDisabled = true
+	}
+
 	return extUser, nil
 }

--- a/pkg/services/ldap/ldap_private_test.go
+++ b/pkg/services/ldap/ldap_private_test.go
@ -113,8 +113,37 @@ func TestLDAPPrivateMethods(t *testing.T) {
 			result, err := server.serializeUsers(users)

 			So(err, ShouldBeNil)
+			So(result[0].IsDisabled, ShouldBeFalse)
 			So(result[0].Name, ShouldEqual, "Roel")
 		})
+
+		Convey("a user without matching groups should be marked as disabled", func() {
+			server := &Server{
+				Config: &ServerConfig{
+					Groups: []*GroupToOrgRole{{
+						GroupDN: "foo",
+						OrgId:   1,
+						OrgRole: models.ROLE_EDITOR,
+					}},
+				},
+				Connection: &MockConnection{},
+				log:        log.New("test-logger"),
+			}
+
+			entry := ldap.Entry{
+				DN: "dn",
+				Attributes: []*ldap.EntryAttribute{
+					{Name: "memberof", Values: []string{"admins"}},
+				},
+			}
+			users := []*ldap.Entry{&entry}
+
+			result, err := server.serializeUsers(users)
+
+			So(err, ShouldBeNil)
+			So(len(result), ShouldEqual, 1)
+			So(result[0].IsDisabled, ShouldBeTrue)
+		})
 	})

 	Convey("validateGrafanaUser()", t, func() {