theforeman · adamruzicka · Apr 8, 2024 · Apr 9, 2024 · ekohl · Apr 9, 2024
diff --git a/lib/ldap_fluff/posix_member_service.rb b/lib/ldap_fluff/posix_member_service.rb
@@ -16,14 +16,17 @@ def find_user(uid, base_dn = @base)
   # return an ldap user with groups attached
   # note : this method is not particularly fast for large ldap systems
   def find_user_groups(uid)
+    user = find_user(uid).first
     groups = []
     @ldap.search(
-      :filter => Net::LDAP::Filter.eq('memberuid', uid),
+      :filter => user_group_filter(uid, user[:dn].first),
       :base => @group_base, :attributes => ["cn"]
     ).each do |entry|
       groups << entry[:cn][0]
     end
     groups
+  rescue UIDNotFoundException
+    return []
   end
 
   def times_in_groups(uid, gids, all)
@@ -52,4 +55,12 @@ class UIDNotFoundException < LdapFluff::Error
 
   class GIDNotFoundException < LdapFluff::Error
   end
+
+  private
+
+  def user_group_filter(uid, user_dn)
+    unique_filter = Net::LDAP::Filter.eq('uniquemember', user_dn) &
+                    Net::LDAP::Filter.eq('objectClass', 'groupOfUniqueNames')
 Net::LDAP::Filter.eq('objectClass', 'groupOfUniqueNames') | 
 Net::LDAP::Filter.eq('objectClass', 'groupOfUniqueNames') | 
+    Net::LDAP::Filter.eq('memberuid', uid) | unique_filter
+  end
 end
diff --git a/test/lib/ldap_test_helper.rb b/test/lib/ldap_test_helper.rb
@@ -121,7 +121,7 @@ def netiq_group_payload
   end
 
   def posix_user_payload
-    [{ :cn => ["john"] }]
+    [{ :cn => ["john"], :dn => ["cn=john,ou=people,dc=internet,dc=com"] }]
   end
 
   def posix_group_payload

diff --git a/test/posix_member_services_test.rb b/test/posix_member_services_test.rb
@@ -18,21 +18,32 @@ def test_find_user
   end
 
   def test_find_user_groups
-    user = posix_group_payload
-    @ldap.expect(:search, user, [:filter => @ms.name_filter('john'),
+    group = posix_group_payload
+    user = posix_user_payload
+    username = 'john'
+
+    @ldap.expect(:search, user, [:filter => @ms.name_filter(username),
+                                 :base => config.base_dn])
+    filter = @ms.send(:user_group_filter, username, user.first[:dn].first)
+    @ldap.expect(:search, group, [:filter => filter,
                                  :base => config.group_base,
                                  :attributes => ["cn"]])
     @ms.ldap = @ldap
-    assert_equal ['broze'], @ms.find_user_groups('john')
+    assert_equal ['broze'], @ms.find_user_groups(username)
     @ldap.verify
   end
 
   def test_find_no_groups
-    @ldap.expect(:search, [], [:filter => @ms.name_filter("john"),
+    user = posix_user_payload
+    username = 'john'
+    @ldap.expect(:search, user, [:filter => @ms.name_filter(username),
+                                 :base => config.base_dn])
+    filter = @ms.send(:user_group_filter, username, user.first[:dn].first)
+    @ldap.expect(:search, [], [:filter => filter,
                                :base => config.group_base,
                                :attributes => ["cn"]])
     @ms.ldap = @ldap
-    assert_equal [], @ms.find_user_groups('john')
+    assert_equal [], @ms.find_user_groups(username)
     @ldap.verify
   end