From 1827a9e042725c126e7b8c6fe130f449dbafaed5 Mon Sep 17 00:00:00 2001 From: Clemens Bergmann Date: Thu, 14 Sep 2023 10:23:00 +0200 Subject: [PATCH] allow wildcards for passthrough --- pi_ldapproxy/proxy.py | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/pi_ldapproxy/proxy.py b/pi_ldapproxy/proxy.py index 05fd14c..ba1f2a5 100644 --- a/pi_ldapproxy/proxy.py +++ b/pi_ldapproxy/proxy.py @@ -4,6 +4,7 @@ import sys import re import urllib +import fnmatch from io import BytesIO from functools import partial @@ -272,7 +273,7 @@ def handleBeforeForwardRequest(self, request, controls, reply): elif self.factory.is_dn_blacklisted(request.dn): self.send_bind_response((False, 'DN is blacklisted.'), request, reply) return None - elif request.dn in self.factory.passthrough_binds: + elif self.factory.is_passthrough_dn(request.dn): log.info('BindRequest for {dn!r}, passing through ...', dn=request.dn) self.forwarded_passthrough_bind = True return request, controls @@ -463,6 +464,14 @@ def is_dn_blacklisted(self, dn): """ return any(pattern.match(dn) for pattern in DN_BLACKLIST) + def is_passthrough_dn(self, dn): + """ + Check whether the given distinguished name is part of our passthrough-binds setting + :param dn: Distinguished Name as string + :return: a boolean + """ + return any(fnmatch.fnmatch(dn, pattern) for pattern in self.passthrough_binds) + def buildProtocol(self, addr): """ called by Twisted for each new incoming connection.
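Review bot: The `log.info` call in the passthrough branch records only the DN, so once passthrough_binds holds wildcards a log reader cannot tell which entry admitted a given bind. Consider returning the matching pattern from the factory (or logging it inside is_passthrough_dn) and including it in the message, e.g. `log.info('BindRequest for {dn!r} matched passthrough pattern {pattern!r}, passing through ...', dn=request.dn, pattern=pattern)`. The blacklist test stays ahead of this branch, so blacklisted DNs are still rejected before any pattern is tried. handleBeforeForwardRequest starts and ends outside the hunk.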
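Review bot: `fnmatch.fnmatch` in is_passthrough_dn runs both arguments through `os.path.normcase`, so the same passthrough_binds entry matches case-sensitively on POSIX and case-insensitively on Windows. Using `return any(fnmatch.fnmatchcase(dn, pattern) for pattern in self.passthrough_binds)` makes the result platform-independent and keeps the case-sensitivity of the old `in` test. The glob `*` also matches `,`, so a pattern such as `uid=svc-*,ou=services,dc=example,dc=org` (constructed example) accepts DNs with extra RDNs in the middle, and `?` or `[` in existing entries stop being literal characters. Since a match appears to forward the bind without the proxy's own credential check, the docstring should state that entries are shell-style globs, that `*` spans RDN boundaries, and that patterns should be kept as narrow as possible. Whether `dn` and the configured patterns are both `str` is not visible here; `fnmatch` raises TypeError when one of them is bytes.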