fixup! Revert to use full DN instead of CN for authorization.
evrardjp-cagip committed Jan 13, 2025
1 parent 31ad7c9 commit 2fcde3d
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion internal/ldap/membership.go
Expand Up @@ -121,7 +121,7 @@ func (m *LDAPMemberships) isUserAllowedOnCluster(regexpPatterns []string) (bool,

for _, groupName := range m.NonSpecificGroups {
for _, pattern := range regexpPatterns {
matched, err := regexp.MatchString(pattern, strings.ToUpper(groupName.DN)) // we match on full DN rather than CN because nobody prevents the ppl in the different entities to create a CN identical as the one used for adminGroup. This is purely out of precaution. In the future, we might want to change the regexp to match only the cn of the groups if we have the guarantee the users will not create groups that are duplicate.
matched, err := regexp.MatchString(strings.ToUpper(pattern), strings.ToUpper(groupName.DN)) // we match on full DN rather than CN because nobody prevents the ppl in the different entities to create a CN identical as the one used for adminGroup. This is purely out of precaution. In the future, we might want to change the regexp to match only the cn of the groups if we have the guarantee the users will not create groups that are duplicate.
if err != nil {
return false, fmt.Errorf("error matching pattern %v: %v", pattern, err)
}
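
Review bot: strings.ToUpper(pattern) in the new regexp.MatchString call uppercases the regular expression's syntax along with its literals, so an escape such as \d becomes \D (the negated class) and an inline flag such as (?i) becomes (?I), which Go's regexp package rejects. In an authorization check this can make a pattern match groups it was written to exclude, or turn every lookup into the "error matching pattern" return just below. Suggest leaving the pattern untouched and asking for case-insensitive matching instead, for example regexp.MatchString("(?i)"+pattern, groupName.DN), or documenting that patterns must be upper case and free of escapes. Because MatchString reports a match anywhere in the DN and recompiles the pattern on each iteration of the inner loop, it is also worth compiling each pattern once before the loops and confirming the configured patterns are anchored.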

0 comments on commit 2fcde3d
