LDAP via simple auth separate bind user and search base #5055

Merged
merged 6 commits into from
Dec 27, 2018
40 changes: 29 additions & 11 deletions modules/auth/ldap/ldap.go
Expand Up @@ -83,16 +83,6 @@ func (ls *Source) sanitizedUserDN(username string) (string, bool) {

func (ls *Source) findUserDN(l *ldap.Conn, name string) (string, bool) {
log.Trace("Search for LDAP user: %s", name)
if ls.BindDN != "" && ls.BindPassword != "" {
err := l.Bind(ls.BindDN, ls.BindPassword)
if err != nil {
log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
return "", false
}
log.Trace("Bound as BindDN %s", ls.BindDN)
} else {
log.Trace("Proceeding with anonymous LDAP search.")
}

// A search for the user.
userFilter, ok := ls.sanitizedUserQuery(name)
Expand Down Expand Up @@ -203,20 +193,48 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul

var ok bool
userDN, ok = ls.sanitizedUserDN(name)

if !ok {
return nil
}

err = bindUser(l, userDN, passwd)
if err != nil {
return nil
}

if ls.UserBase != "" {
// not everyone has a CN compatible with input name so we need to find
// the real userDN in that case

userDN, ok = ls.findUserDN(l, name)
if !ok {
return nil
}
}
} else {
log.Trace("LDAP will use BindDN.")

var found bool

if ls.BindDN != "" && ls.BindPassword != "" {
err := l.Bind(ls.BindDN, ls.BindPassword)
if err != nil {
log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
return nil
}
log.Trace("Bound as BindDN %s", ls.BindDN)
} else {
log.Trace("Proceeding with anonymous LDAP search.")
}

userDN, found = ls.findUserDN(l, name)
if !found {
return nil
}
}

if directBind || !ls.AttributesInBind {
if !ls.AttributesInBind {
// binds user (checking password) before looking-up attributes in user context
err = bindUser(l, userDN, passwd)
if err != nil {
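Review bot: In the direct-bind branch the user is already bound at `err = bindUser(l, userDN, passwd)` before the optional findUserDN lookup, yet the guard at the bottom of the hunk, `if !ls.AttributesInBind {`, binds that user a second time when directBind is set and AttributesInBind is off; if the intent is to re-bind with the DN that findUserDN returned, a comment saying so would save the next reader the question, otherwise `if !directBind && !ls.AttributesInBind {` restores the one-bind-per-path behaviour the old `directBind ||` condition encoded. The first hunk removes the BindDN bind from findUserDN, so that function now searches under whatever identity the connection currently holds, which is worth stating in its doc comment, e.g. `// findUserDN searches for name on l using the connection's current bind; the caller must have bound (as BindDN or as the user) beforehand.` Separately, `if ls.BindDN != "" && ls.BindPassword != ""` silently falls back to an anonymous search when BindDN is set but BindPassword is empty, which reads like a misconfiguration rather than an intent; logging that case above Trace level, or rejecting it, would make the degraded mode visible to the operator. SearchEntry begins and ends outside the hunk, so whether an empty-password guard still precedes the bindUser calls cannot be confirmed from here.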
6 changes: 4 additions & 2 deletions public/js/index.js
Expand Up @@ -1415,13 +1415,15 @@ function initAdmin() {
$('#auth_type').change(function () {
$('.ldap, .dldap, .smtp, .pam, .oauth2, .has-tls .search-page-size').hide();

$('.ldap input[required], .dldap input[required], .smtp input[required], .pam input[required], .oauth2 input[required], .has-tls input[required]').removeAttr('required');
$('.ldap input[required], .binddnrequired input[required], .dldap input[required], .smtp input[required], .pam input[required], .oauth2 input[required], .has-tls input[required]').removeAttr('required');
$('.binddnrequired').removeClass("required");

var authType = $(this).val();
switch (authType) {
case '2': // LDAP
$('.ldap').show();
$('.ldap div.required:not(.dldap) input').attr('required', 'required');
$('.binddnrequired input, .ldap div.required:not(.dldap) input').attr('required', 'required');
$('.binddnrequired').addClass("required");
break;
case '3': // SMTP
$('.smtp').show();
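Review bot: The two new class toggles, `$('.binddnrequired').removeClass("required");` and `$('.binddnrequired').addClass("required");`, use double-quoted strings where every other string in this handler uses single quotes; `removeClass('required')` / `addClass('required')` keeps the file consistent. The enclosing initAdmin function starts and ends outside the hunk.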
6 changes: 3 additions & 3 deletions templates/admin/auth/edit.tmpl
Expand Up @@ -55,11 +55,11 @@
<input id="bind_password" name="bind_password" type="password" value="{{$cfg.BindPassword}}">
<p class="help text red">{{.i18n.Tr "admin.auths.bind_password_helper"}}</p>
</div>
<div class="required field">
{{end}}
<div class="{{if .Source.IsLDAP}}required{{end}} field">
<label for="user_base">{{.i18n.Tr "admin.auths.user_base"}}</label>
<input id="user_base" name="user_base" value="{{$cfg.UserBase}}" placeholder="e.g. ou=Users,dc=mydomain,dc=com" required>
</div>
{{end}}
</div>
{{if .Source.IsDLDAP}}
<div class="required field">
<label for="user_dn">{{.i18n.Tr "admin.auths.user_dn"}}</label>
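Review bot: The user_base input on the line after its label keeps an unconditional `required` attribute even though its wrapping div is now only marked `required` when `.Source.IsLDAP`; with the `{{end}}` moved above the field it appears to render for simple-auth (DLDAP) sources too (the matching `{{if}}` is above the hunk), so editing such a source with an empty user base would be blocked by browser validation. Making the attribute follow the div, `<input id="user_base" name="user_base" value="{{$cfg.UserBase}}" placeholder="e.g. ou=Users,dc=mydomain,dc=com" {{if .Source.IsLDAP}}required{{end}}>`, resolves it. The corresponding field in ldap.tmpl in this PR carries no required attribute on the input and relies on the class alone, which is the other consistent option.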
2 changes: 1 addition & 1 deletion templates/admin/auth/source/ldap.tmpl
Expand Up @@ -30,7 +30,7 @@
<input id="bind_password" name="bind_password" type="password" value="{{.bind_password}}">
<p class="help text red">{{.i18n.Tr "admin.auths.bind_password_helper"}}</p>
</div>
<div class="ldap required field {{if not (eq .type 2)}}hide{{end}}">
<div class="binddnrequired {{if (eq .type 2)}}required{{end}} field">
<label for="user_base">{{.i18n.Tr "admin.auths.user_base"}}</label>
<input id="user_base" name="user_base" value="{{.user_base}}" placeholder="e.g. ou=Users,dc=mydomain,dc=com">
</div>
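Review bot: The user_base wrapper at the `<div class="binddnrequired ...">` line drops both the `ldap` class and the `hide` toggle, and the hide list in the updated index.js targets only `.ldap, .dldap, .smtp, .pam, .oauth2, .has-tls .search-page-size`, so unless an enclosing element above the hunk carries one of those classes this field stays visible when the admin switches to SMTP, PAM or OAuth2. Keeping the type classes alongside the new one, `<div class="ldap dldap binddnrequired {{if (eq .type 2)}}required{{end}} field">`, would let the existing show/hide logic manage it. The parentheses in `(eq .type 2)` are redundant inside a template `if`; `{{if eq .type 2}}` is the usual form.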