From f290134d3ae776c45e3945e4d24f9ce2052ad341 Mon Sep 17 00:00:00 2001
From: Joe VLcek
Date: Wed, 30 May 2018 13:42:59 -0400
Subject: [PATCH] Extend support from memberof to other multi-value attribute for group membership
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1353037
---
 config/settings.yml | 1 +
 lib/miq_ldap.rb | 5 +++--
 spec/lib/miq_ldap_spec.rb | 23 +++++++++++++++++++++++
 3 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/config/settings.yml b/config/settings.yml
index 5daeca1b3c6..e780155082d 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -7,6 +7,7 @@
 :follow_referrals: false
 :get_direct_groups: true
 :group_memberships_max_depth: 2
+ :group_attribute: memberof
 :ldaphost:
 :ldapport: '389'
 :mode: database
diff --git a/lib/miq_ldap.rb b/lib/miq_ldap.rb
index d818b30b64f..59479a3e7c0 100644
--- a/lib/miq_ldap.rb
+++ b/lib/miq_ldap.rb
@@ -43,6 +43,7 @@ def initialize(options = {})
 @bind_timeout = options.delete(:bind_timeout) || ::Settings.authentication.bind_timeout.to_i_with_method
 @search_timeout = options.delete(:search_timeout) || ::Settings.authentication.search_timeout.to_i_with_method
 @follow_referrals = options.delete(:follow_referrals) || ::Settings.authentication.follow_referrals
+ @group_attribute = options.delete(:group_attribute) || ::Settings.authentication.group_attribute
 options[:host] ||= ::Settings.authentication.ldaphost
 options[:port] ||= ::Settings.authentication.ldapport
 options[:host] = resolve_host(options[:host], options[:port])
@@ -304,7 +305,7 @@ def get_user_object(username, user_type = nil)
 user_type ||= @user_type.split("-").first
 user_type = "dn" if self.is_dn?(username)
 begin
- search_opts = {:base => @basedn, :scope => :sub, :attributes => ["*", "memberof"]}
+ search_opts = {:base => @basedn, :scope => :sub, :attributes => ["*", @group_attribute]}
 case user_type
 when "samaccountname"
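Review bot: In the `@@ -43` hunk `@group_attribute` is left nil whenever the option is not passed and `::Settings.authentication.group_attribute` resolves to nil (for instance a deployment whose settings override predates the new `:group_attribute` key), and that nil then reaches the `["*", @group_attribute]` search list in the `get_user_object` hunk and raises `NoMethodError` at `@group_attribute.to_sym` in the `get_memberships` hunk. Normalising once here would give both consumers a String and preserve the previous behaviour as the fallback: `@group_attribute = (options.delete(:group_attribute) || ::Settings.authentication.group_attribute || "memberof").to_s`. The `.to_s` also handles a caller passing a Symbol, which would otherwise be placed as-is into the attribute list sent to the directory. Because this value is transmitted verbatim as an LDAP attribute description, it is worth rejecting anything that does not look like one at construction time, e.g. `raise ArgumentError, "invalid group_attribute" unless @group_attribute.match?(/\A[A-Za-z][\w-]*\z/)`, so a mistyped or tampered setting fails loudly here instead of surfacing as an opaque directory error. `initialize` continues outside the hunk.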
@@ -368,7 +369,7 @@ def get_user_info(username, user_type = 'mail')
 udata
 end
- def get_memberships(obj, max_depth = 0, attr = :memberof, followed = [], current_depth = 0)
+ def get_memberships(obj, max_depth = 0, attr = @group_attribute.to_sym, followed = [], current_depth = 0)
 current_depth += 1
 _log.debug("Enter get_memberships: #{obj.inspect}")
diff --git a/spec/lib/miq_ldap_spec.rb b/spec/lib/miq_ldap_spec.rb
index add3ea3167a..f446803ce2c 100644
--- a/spec/lib/miq_ldap_spec.rb
+++ b/spec/lib/miq_ldap_spec.rb
@@ -157,4 +157,27 @@
 expect(ldap.ldap.instance_variable_get(:@encryption)).to be_nil
 end
 end
+
+ context '#get_user_object' do
+ before do
+ allow(TCPSocket).to receive(:new)
+ @opts = {:base => nil, :scope => :sub, :filter => "(userprincipalname=myuserid@mycompany.com)"}
+ end
+
+ it "searches for group memberships with the specified group attribute" do
+ ldap = MiqLdap.new(:host => ["192.0.2.2"], :group_attribute => "groupMembership")
+ @opts[:attributes] = ["*", "groupMembership"]
+ expect(ldap).to receive(:search).with(@opts)
+
+ ldap.get_user_object("myuserid@mycompany.com", "upn")
+ end
+
+ it "searches for group memberships with the default group attribute" do
+ ldap = MiqLdap.new(:host => ["192.0.2.2"])
+ @opts[:attributes] = ["*", "memberof"]
+ expect(ldap).to receive(:search).with(@opts)
+
+ ldap.get_user_object("myuserid@mycompany.com", "upn")
+ end
+ end
 end
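Review bot: The new spec examples only pin the attribute list built by `get_user_object`; the second behavioural change in this commit, `get_memberships` defaulting `attr` to `@group_attribute.to_sym`, has no example, and neither does the path where `:group_attribute` is neither passed nor present in settings. An example that constructs `MiqLdap.new(:host => ["192.0.2.2"], :group_attribute => "groupMembership")` and asserts that `get_memberships` reads `:groupMembership` from the object it is given would cover the former, and one with `::Settings.authentication.group_attribute` stubbed to nil (via the suite's usual settings helper) would make the intended outcome of a missing setting explicit rather than leaving it to a `NoMethodError` on `to_sym`. The enclosing `describe` block opens outside the hunk, and `get_memberships`' body continues outside its hunk.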