Add a test for memberof attribute

2025-02-09 11:40:22 -08:00
parent 49067f8cdc
commit f6a3105fa5
2 changed files with 43 additions and 0 deletions
--- a/authentik/sources/ldap/tests/mock_freeipa.py
+++ b/authentik/sources/ldap/tests/mock_freeipa.py
@ -96,6 +96,17 @@ def mock_freeipa_connection(password: str) -> Connection:
            "objectClass": "posixAccount",
        },
    )
+    # User with groups in memberOf attribute
+    connection.strategy.add_entry(
+        "cn=user4,ou=users,dc=goauthentik,dc=io",
+        {
+            "name": "user4_sn",
+            "objectClass": "person",
+            "memberOf": [
+              "cn=group1,ou=groups,dc=goauthentik,dc=io",
+            ]
+        },
+    )
    # Locked out user
    connection.strategy.add_entry(
        "cn=user-nsaccountlock,ou=users,dc=goauthentik,dc=io",
--- a/authentik/sources/ldap/tests/test_sync.py
+++ b/authentik/sources/ldap/tests/test_sync.py
@ -162,6 +162,38 @@ class LDAPSyncTests(TestCase):
            self.assertFalse(User.objects.filter(username="user1_sn").exists())
            self.assertFalse(User.objects.get(username="user-nsaccountlock").is_active)

+    def test_sync_groups_freeipa_memberOf(self):
+        """Test group sync when membership is derived from memberOf user attribute"""
+        self.source.object_uniqueness_field = "uid"
+        self.source.group_object_filter = "(objectClass=groupOfNames)"
+        self.source.lookup_groups_from_user = True
+        self.source.user_property_mappings.set(
+            LDAPSourcePropertyMapping.objects.filter(
+                Q(managed__startswith="goauthentik.io/sources/ldap/default")
+                | Q(managed__startswith="goauthentik.io/sources/ldap/openldap")
+            )
+        )
+        self.source.group_property_mappings.set(
+            LDAPSourcePropertyMapping.objects.filter(
+                managed="goauthentik.io/sources/ldap/openldap-cn"
+            )
+        )
+        connection = MagicMock(return_value=mock_freeipa_connection(LDAP_PASSWORD))
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
+            self.source.save()
+            user_sync = UserLDAPSynchronizer(self.source)
+            user_sync.sync_full()
+            group_sync = GroupLDAPSynchronizer(self.source)
+            group_sync.sync_full()
+            membership_sync = MembershipLDAPSynchronizer(self.source)
+            membership_sync.sync_full()
+
+            self.assertTrue(User.objects.filter(username="user4_sn").exists())
+            # Test if membership mapping based on memberOf works.
+            memberof_group = Group.objects.filter(name="group1").first()
+            self.assertTrue(memberof_group.exists())
+            self.assertTrue(memberof_group.users.filter(name="user4_sn").exists())
+
    def test_sync_groups_ad(self):
        """Test group sync"""
        self.source.user_property_mappings.set(