hamdiazz added the BUG (Issue type for reporting failure due to bug in functionality) label Jan 30, 2025
```python
def _transform_find_group_results(self, result_data, group_name_attr, group_member_attr):
    group_info = []
    if result_data:
        for dn, data in result_data:
            # Skip Active Directory # refldap entries.
            if dn is not None:
                # Case insensitivity
                data = {
                    k.lower(): [v.decode('utf-8') if isinstance(v, bytes) else v for v in values]
                    for k, values in data.items()
                }

                # Skip unnamed entries.
                if group_name_attr not in data:
                    LOG.warning('Could not find %s in ldap attributes' % group_name_attr)
                    continue

                group_name = smart_str(data[group_name_attr][0])
                if desktop.conf.LDAP.FORCE_USERNAME_LOWERCASE.get():
                    group_name = group_name.lower()
                elif desktop.conf.LDAP.FORCE_USERNAME_UPPERCASE.get():
                    group_name = group_name.upper()

                ldap_info = {
                    'dn': dn,
                    'name': group_name
                }

                if group_member_attr in data and group_member_attr.lower() != 'memberuid':
                    ldap_info['members'] = data[group_member_attr]
                else:
                    LOG.warning('Skipping import of non-posix users from group %s since group_member_attr '
                                'is memberUid or group did not contain any members' % group_name)
                    ldap_info['members'] = []

                if 'posixgroup' in (item.lower() for item in data['objectclass']):
                    ldap_info['posix_members'] = data.get('memberuid', [])
                else:
                    LOG.warning('Skipping import of posix users from group %s since posixGroup '
                                'not an objectClass or no memberUids found' % group_name)
                    ldap_info['posix_members'] = []

                group_info.append(ldap_info)
    return group_info
```
Is there an existing issue for this?
Description
When synchronizing LDAP users and groups in Hue, the system incorrectly ignores valid groups due to improper handling of byte-encoded attributes. Specifically, attributes such as objectClass and memberUid are returned as bytes, but the code processes them as str, leading to errors like:
```
[30/Jan/2025 15:50:12 +0100] ldap_access WARNING Skipping import of non-posix users from group group_test since group_member_attr is memberUid or group did not contain any members
[30/Jan/2025 15:50:12 +0100] ldap_access WARNING Skipping import of posix users from group group_test since posixGroup not an objectClass or no memberUids found
```
The root cause is that the code does not decode bytes values into str before performing string comparisons.
Here is the conf I have on hue.ini:
```ini
[[[users]]]
user_filter="objectClass=posixAccount"
user_name_attr=uid
[[[groups]]]
group_filter="objectClass=posixGroup"
group_name_attr=cn
group_member_attr=memberUid
```
Environment Details
Hue Version: 4.11.0
OS: RHEL 8.5
Python Version: 3.8.17
LDAP Backend: OpenLDAP
Steps To Reproduce
1. `/opt/tdp/hue-release-4.11.0/build/env/bin/hue sync_ldap_users_and_groups`
Observe that valid LDAP groups are skipped with warnings about missing posixGroup or memberUid.
Logs
```
[30/Jan/2025 15:50:12 +0100] ldap_access WARNING Skipping import of non-posix users from group group_test since group_member_attr is memberUid or group did not contain any members
[30/Jan/2025 15:50:12 +0100] ldap_access WARNING Skipping import of posix users from group group_test since posixGroup not an objectClass or no memberUids found
```
Hue version
4.11.0
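The bytes-versus-str mismatch described in this issue, as an added example (not Hue's code and not part of the original post): on constructed search results in the shape python-ldap returns on Python 3, the undecoded objectClass test evaluates to False without raising, and a decoding step fixes it while leaving non-UTF-8 binary attributes as bytes. The helper names and the sample directory entries are assumptions.

```python
# Added example. SAMPLE_RESULTS is constructed data: (dn, {attr: [bytes, ...]}) tuples.
SAMPLE_RESULTS = [
    ("cn=group_test,ou=groups,dc=example,dc=com", {
        "objectClass": [b"top", b"posixGroup"],
        "cn": [b"group_test"],
        "memberUid": [b"alice", b"bob"],
        "jpegPhoto": [b"\xff\xd8\xff\xe0"],  # binary value, not valid UTF-8
    }),
    (None, ["ldap://ref.example.com/dc=example,dc=com"]),  # search referral, no DN
]


def to_text(value):
    """Decode a bytes attribute value as UTF-8; keep it as bytes if it is binary."""
    if isinstance(value, bytes):
        try:
            return value.decode("utf-8")
        except UnicodeDecodeError:
            return value
    return value


def normalize(attrs):
    """Lower-case attribute names and decode text values."""
    return {k.lower(): [to_text(v) for v in values] for k, values in attrs.items()}


def is_posix_group(attrs):
    """The objectClass membership test, applied to whatever value types attrs holds."""
    return "posixgroup" in (v.lower() for v in attrs.get("objectclass", []))


def posix_members(results):
    """Map group name -> memberUid list for posixGroup entries, skipping referrals."""
    groups = {}
    for dn, attrs in results:
        if dn is None:
            continue
        data = normalize(attrs)
        if is_posix_group(data):
            groups[data["cn"][0]] = data.get("memberuid", [])
    return groups


def raw_check(results):
    """Same test without decoding: 'posixgroup' == b'posixgroup' is False, no exception."""
    return [is_posix_group({k.lower(): v for k, v in a.items()}) for dn, a in results if dn]
```

Because the str-to-bytes comparison returns False instead of raising, the only visible symptom is the WARNING line in the sync log, so group memberships can be missing from Hue without any error.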