fix: Ignore LDAP search referrals

[fredthomsen]

Description

LDAP referrals are completely broken anyway, and we've already set
ldap.OPT_REFERRALS to 0, so there is no reason to care about these.

Thus the presence of referrals alone should not cause authentication of
a user to fail due to multiple results being returned.

Fixes issue #1581.

If this change is not desired, and rather a documentation update to
indicate that setting up LDAP against Microsoft AD requires a
organizational unit to be specified in the LDAP search base, and I
happy to make that update. I can add the necessary tests once I get
feedback if we want to move forward with this.

ADDITIONAL INFORMATION

• Has associated issue:
• Is CRUD MVC related.
• Is Auth, RBAC security related.
• Changes the security db schema.
• Introduces new feature
• Removes existing feature

[codecov]

Codecov Report

Merging #1602 (0ea1ea8) into master (27b15e5) will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@           Coverage Diff           @@
##           master    #1602   +/-   ##
=======================================
  Coverage   75.44%   75.45%           
=======================================
  Files          54       54           
  Lines        7869     7870    +1     
=======================================
+ Hits         5937     5938    +1     
  Misses       1932     1932           

Flag	Coverage Δ
python	75.45% <100.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
flask_appbuilder/security/manager.py	72.08% <100.00%> (+0.03%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 27b15e5...0ea1ea8. Read the comment docs.

[thesuperzapper]

I also think we should add some unit tests for this, but possibly that is overkill.

BTW, for unit tests you will need to add refs to our LDAP test structure, similar to how dalibo does it, but do note that they use a different LDAP test library.

[fredthomsen]

I also think we should add some unit tests for this, but possibly that is overkill.

BTW, for unit tests you will need to add refs to our LDAP test structure, similar to how dalibo does it, but do note that they use a different LDAP test library.

I tend to agree that unit tests are likely overkill here, and using mockldap would be a no go, and I'd have to mock the search_s method directly. Ok regardless, I went ahead and made one.

[thesuperzapper]

@dpgaspar this looks good, can you test this, and then put out a patch release ASAP, as this was a breaking change for some users.

The airflow community decided to push the default version of Flask-AppBuilder to 3.2.X, but this has caused some issues for people who are not setting AUTH_LDAP_SEARCH.

/cc @potiuk

[dpgaspar]

LGTM

[dpgaspar]

Just released 3.2.3rc1

[potiuk]

Can we expect an officiall pypi release soon? I am preparing new constraint files for Airflow (to fix other problems) and I would love to include that one

[dpgaspar]

yes probably this week

[potiuk]

I see. I push the new constraints in ~ 20 minutes. so i will limit it to 3.1.1 for now (but won't add install_requires limits). Thanks for acting quickly !