Fix LDAP DN building for empty RDN list

data/users/externalldap.py

@@ -60,8 +60,13 @@ class LDAPUsers(FederatedUsers):
     # Note: user_rdn is a list of RDN pieces (for historical reasons), and secondary_user_rds
     # is a list of RDN strings.
     relative_user_dns = [','.join(user_rdn)] + (secondary_user_rdns or [])
-    self._user_dns = [','.join(relative_dn.split(',') + base_dn)
-                      for relative_dn in relative_user_dns]
+
+    def get_full_rdn(relative_dn):
+      prefix = relative_dn.split(',') if relative_dn else []
+      return ','.join(prefix + base_dn)
+
+    # Create the set of full DN paths.
+    self._user_dns = [get_full_rdn(relative_dn) for relative_dn in relative_user_dns]
 
   def _get_ldap_referral_dn(self, referral_exception):
     logger.debug('Got referral: %s', referral_exception.args[0])

test/test_ldap.py

@@ -176,6 +176,28 @@ class TestLDAP(unittest.TestCase):
     (response, _) = self.ldap.verify_and_link_user('multientry', 'somepass')
     self.assertEquals(response.username, 'multientry')
 
+  def test_login_empty_userdn(self):
+    base_dn = ['ou=employees', 'dc=quay', 'dc=io']
+    admin_dn = 'uid=testy,ou=employees,dc=quay,dc=io'
+    admin_passwd = 'password'
+    user_rdn = []
+    uid_attr = 'uid'
+    email_attr = 'mail'
+    secondary_user_rdns = ['ou=otheremployees']
+
+    ldap = LDAPUsers('ldap://localhost', base_dn, admin_dn, admin_passwd, user_rdn,
+                     uid_attr, email_attr, secondary_user_rdns=secondary_user_rdns)
+
+    self.ldap = ldap
+
+    # Verify we can login.
+    (response, _) = self.ldap.verify_and_link_user('someuser', 'somepass')
+    self.assertEquals(response.username, 'someuser')
+
+    # Verify we can confirm the user.
+    (response, _) = self.ldap.confirm_existing_user('someuser', 'somepass')
+    self.assertEquals(response.username, 'someuser')
+
 if __name__ == '__main__':
   unittest.main()