From eb1f3efc8234cc1fb1d6df8a4409ab742e89b046 Mon Sep 17 00:00:00 2001
From: Rafael Lopez
Date: Wed, 28 Aug 2024 14:54:51 +0200
Subject: [PATCH] Allow more complex LDAP user queries
---
 README.rst | 2 +-
 cas_server/auth.py | 4 ++--
 cas_server/default_settings.py | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/README.rst b/README.rst
index 05ee8bf..0642749 100644
--- a/README.rst
+++ b/README.rst
@@ -436,7 +436,7 @@ Only useful if you are using the ldap authentication backend:
 * ``CAS_LDAP_PASSWORD``: Password for connecting to the LDAP server.
 * ``CAS_LDAP_BASE_DN``: LDAP search base DN, for example ``"ou=data,dc=crans,dc=org"``.
 * ``CAS_LDAP_USER_QUERY``: Search filter for searching user by username. User entered usernames are
- escaped using ``ldap3.utils.conv.escape_bytes``. The default is ``"(uid=%s)"``
+ escaped using ``ldap3.utils.conv.escape_bytes``. The default is ``"(uid=%(username)s)"``
 * ``CAS_LDAP_USERNAME_ATTR``: Attribute used for user's usernames. The default is ``"uid"``
 * ``CAS_LDAP_PASSWORD_ATTR``: Attribute used for user's passwords. The default is ``"userPassword"``
 * ``CAS_LDAP_PASSWORD_CHECK``: The method used to check the user password. Must be one of the following:
diff --git a/cas_server/auth.py b/cas_server/auth.py
index 2741c97..6f4d135 100644
--- a/cas_server/auth.py
+++ b/cas_server/auth.py
@@ -296,7 +296,7 @@ def __init__(self, username):
 conn = self.get_conn()
 if conn.search(
 settings.CAS_LDAP_BASE_DN,
- settings.CAS_LDAP_USER_QUERY % ldap3.utils.conv.escape_bytes(username),
+ settings.CAS_LDAP_USER_QUERY % {'username': ldap3.utils.conv.escape_bytes(username)},
 attributes=ldap3.ALL_ATTRIBUTES
 ) and len(conn.entries) == 1:
 # try the new ldap3>=2 API
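Review bot: An existing settings file that still carries the previously documented `CAS_LDAP_USER_QUERY = "(uid=%s)"` does not raise after this change, because `"(uid=%s)" % {'username': ...}` renders the whole dict into the filter. The search in `__init__` here, and the identical one in `test_password` (hunk at -345), would then be expected to match no entry, so every LDAP login is rejected with no configuration error to point at the cause. I would build the filter in one helper used by both call sites, accepting the legacy positional template as well as the named one (or raising a clear configuration error for it), which also removes the duplicated expression. Both method bodies continue outside their hunks, so this is judged from the visible lines only.

```python
def _ldap_user_filter(username):
    """Build the LDAP search filter for ``username`` from ``CAS_LDAP_USER_QUERY``."""
    escaped = ldap3.utils.conv.escape_bytes(username)
    template = settings.CAS_LDAP_USER_QUERY
    if '%(username)s' in template:
        return template % {'username': escaped}
    # legacy positional template such as "(uid=%s)" kept in existing settings files
    return template % escaped

# ... unchanged: conn = self.get_conn() ...
if conn.search(
    settings.CAS_LDAP_BASE_DN,
    _ldap_user_filter(username),
    # ... unchanged: attributes=ldap3.ALL_ATTRIBUTES and the single-entry check ...
```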
@@ -345,7 +345,7 @@ def test_password(self, password):
 # fetch the user attribute
 if conn.search(
 settings.CAS_LDAP_BASE_DN,
- settings.CAS_LDAP_USER_QUERY % ldap3.utils.conv.escape_bytes(self.username),
+ settings.CAS_LDAP_USER_QUERY % {'username': ldap3.utils.conv.escape_bytes(self.username)},
 attributes=ldap3.ALL_ATTRIBUTES
 ) and len(conn.entries) == 1:
 # try the ldap3>=2 API
diff --git a/cas_server/default_settings.py b/cas_server/default_settings.py
index bf78af1..931d82a 100644
--- a/cas_server/default_settings.py
+++ b/cas_server/default_settings.py
@@ -158,7 +158,7 @@ CAS_LDAP_BASE_DN = None
 #: LDAP search filter for searching user by username. User inputed usernames are escaped using
 #: :func:`ldap3.utils.conv.escape_bytes`.
-CAS_LDAP_USER_QUERY = "(uid=%s)"
+CAS_LDAP_USER_QUERY = "(uid=%(username)s)"
 #: LDAP attribute used for users usernames
 CAS_LDAP_USERNAME_ATTR = "uid"
 #: LDAP attribute used for users passwords
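Review bot: The `#:` comment above `CAS_LDAP_USER_QUERY` is unchanged, so it never names the new `%(username)s` placeholder or mentions that a literal percent sign in the filter must be written `%%`. Now that richer filters are the stated goal, it should also record the constraint visible in the auth.py hunks: both searches require `len(conn.entries) == 1`, so a filter that can match several entries makes those logins fail. I would add `#: The escaped username is substituted for ``%(username)s`` (it may appear several times); write a literal percent sign as ``%%``.` and `#: The filter must match exactly one entry, so reference only attributes that are unique per user.`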