From d68bb881ab84360922e33bf04ff5a5773f24e0ee Mon Sep 17 00:00:00 2001
From: Jan Orel
Date: Mon, 11 Mar 2024 16:53:05 +0100
Subject: [PATCH] B Opennebula#6528: Fix LDAP authorize by group for AD (#2977)
(cherry picked from commit bcb3e7df0ed05612946c68d448cfc7e9dd50bc9e)
---
 src/authm_mad/remotes/ldap/authenticate | 4 ++--
 src/authm_mad/remotes/ldap/ldap_auth.rb | 17 +++++++++++++----
 2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/src/authm_mad/remotes/ldap/authenticate b/src/authm_mad/remotes/ldap/authenticate
index fdf4cc2cf95..9dc93405d63 100755
--- a/src/authm_mad/remotes/ldap/authenticate
+++ b/src/authm_mad/remotes/ldap/authenticate
@@ -100,7 +100,7 @@ order.each do |servers|
 Timeout.timeout(timeout) do
 ldap=OpenNebula::LdapAuth.new(server_conf)
- user_dn, user_uid, user_group_name = ldap.find_user(user)
+ user_dn, user_uid, user_group_name, memberof = ldap.find_user(user)
 if !user_dn
 STDERR.puts "User #{user} not found"
@@ -114,7 +114,7 @@ order.each do |servers|
 end
 if server_conf[:group]
- if !ldap.is_in_group?(user_group_name, server_conf[:group])
+ if !ldap.is_in_group?(user_group_name, server_conf[:group], memberof)
 STDERR.puts "User #{user} is not in group #{server_conf[:group]}"
 break
 end
diff --git a/src/authm_mad/remotes/ldap/ldap_auth.rb b/src/authm_mad/remotes/ldap/ldap_auth.rb
index eafb366ffdf..0537c2a2143 100644
--- a/src/authm_mad/remotes/ldap/ldap_auth.rb
+++ b/src/authm_mad/remotes/ldap/ldap_auth.rb
@@ -147,7 +147,9 @@ def find_user(name)
 [@user.dn,
 @user[@options[:user_field]].first,
- @user[@options[:user_group_field]]]
+ @user[@options[:user_group_field]],
+ @user['memberof']
+ ]
 else
 result=@ldap.search(:base => name)
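Review bot: The four-element result array is now assembled by hand in two branches of `find_user` (this hunk and the `[name, …]` branch in the following hunk), so any future change to the tuple has to be made twice and the two can drift apart; a small private helper that takes the dn and returns `[dn, @user[@options[:user_field]].first, @user[@options[:user_group_field]], @user['memberof']]`, called from both branches, would keep them aligned. It is also worth a comment on the new `@user['memberof']` line that the value is an Array, and `[]` rather than nil when the entry carries no memberOf attribute (Net::LDAP::Entry#[] returns an empty array for absent attributes), because it is passed straight into `is_in_group?` and compared there. The enclosing `find_user` begins and ends outside this hunk.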
@@ -155,14 +157,21 @@ def find_user(name)
 @user = result.first
 [name,
 @user[@options[:user_field]].first,
- @user[@options[:user_group_field]]]
+ @user[@options[:user_group_field]],
+ @user['memberof']
+ ]
 else
- [nil, nil, nil]
+ [nil, nil, nil, nil]
 end
 end
 end
- def is_in_group?(user, group)
+ def is_in_group?(user, group, memberof)
+ if @options[:rfc2307bis]
+ # compare case in-sensitive, like LDAP does
+ return memberof.map(&:downcase).include?(group.downcase)
+ end
+
 username = Net::LDAP::Filter.escape(
 user.first.force_encoding(Encoding::UTF_8))
 result=@ldap.search(
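Review bot: `is_in_group?` now takes a third positional argument with no default, so any remaining two-argument caller raises ArgumentError, and inside the `rfc2307bis` branch a nil `memberof` raises NoMethodError on `map` — nil is reachable because the not-found path of `find_user` returns `[nil, nil, nil, nil]` and only `authenticate` is shown to check `user_dn` first. A more defensive shape is `def is_in_group?(user, group, memberof = nil)` with the comparison written as `return Array(memberof).map(&:downcase).include?(group.downcase)`, which turns a missing list into "not a member" instead of an exception. Lowercasing also only covers case: LDAP DN matching ignores whitespace around RDN separators, so a configured `:group` written as `CN=x, OU=y` will not match the DNs AD returns, and AD's memberOf lists direct memberships only (nested groups and the primary group are absent); the comment should state that `:group` must be the exact DN as returned by the server and that only direct membership is honoured in this mode. `is_in_group?` continues past the end of the hunk.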