OpenI
/
aiforge
Not watched
1
0
Fork 0
Code
Releases 128 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
Browse Source

Merge pull request #2634 from nanoant/patch/ldap-attributes-in-bind 

LDAP: Fetch attributes in Bind DN context
tags/v1.2.0-rc1
Unknwon 9 years ago
parent
beaaf5b8f2 c5844bab8e
commit
81f7a2d374
6 changed files with 741 additions and 931 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +1
    -0
      conf/locale/locale_en-US.ini
  2. +1
    -0
      modules/auth/auth_form.go
  3. +40
    -26
      modules/auth/ldap/ldap.go
  4. +690
    -905
      modules/bindata/bindata.go
  5. +1
    -0
      routers/admin/auths.go
  6. +8
    -0
      templates/admin/auth/edit.tmpl

+ 1
- 0
conf/locale/locale_en-US.ini View File

@@ -921,6 +921,7 @@ auths.attribute_username_placeholder = Leave empty to use sign-in form field val
auths.attribute_name = First name attribute
auths.attribute_surname = Surname attribute
auths.attribute_mail = Email attribute
auths.attributes_in_bind = Fetch attributes in Bind DN context
auths.filter = User Filter
auths.admin_filter = Admin Filter
auths.ms_ad_sa = Ms Ad SA


+ 1
- 0
modules/auth/auth_form.go View File

@@ -23,6 +23,7 @@ type AuthenticationForm struct {
AttributeName string
AttributeSurname string
AttributeMail string
AttributesInBind bool
Filter string
AdminFilter string
IsActive bool


+ 40
- 26
modules/auth/ldap/ldap.go View File

@@ -31,6 +31,7 @@ type Source struct {
AttributeName string // First name attribute
AttributeSurname string // Surname attribute
AttributeMail string // E-mail attribute
AttributesInBind bool // fetch attributes in bind context (not user)
Filter string // Query filter to validate entry
AdminFilter string // Query filter to check if user is admin
Enabled bool // if this source is disabled
@@ -58,18 +59,10 @@ func (ls *Source) sanitizedUserDN(username string) (string, bool) {
return fmt.Sprintf(ls.UserDN, username), true
}

func (ls *Source) FindUserDN(name string) (string, bool) {
l, err := ldapDial(ls)
if err != nil {
log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
ls.Enabled = false
return "", false
}
defer l.Close()

func (ls *Source) findUserDN(l *ldap.Conn, name string) (string, bool) {
log.Trace("Search for LDAP user: %s", name)
if ls.BindDN != "" && ls.BindPassword != "" {
err = l.Bind(ls.BindDN, ls.BindPassword)
err := l.Bind(ls.BindDN, ls.BindPassword)
if err != nil {
log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
return "", false
@@ -85,7 +78,7 @@ func (ls *Source) FindUserDN(name string) (string, bool) {
return "", false
}

log.Trace("Searching using filter %s", userFilter)
log.Trace("Searching for DN using filter %s and base %s", userFilter, ls.UserBase)
search := ldap.NewSearchRequest(
ls.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0,
false, userFilter, []string{}, nil)
@@ -111,6 +104,14 @@ func (ls *Source) FindUserDN(name string) (string, bool) {

// searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, string, string, string, bool, bool) {
l, err := ldapDial(ls)
if err != nil {
log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
ls.Enabled = false
return "", "", "", "", false, false
}
defer l.Close()

var userDN string
if directBind {
log.Trace("LDAP will bind directly via UserDN template: %s", ls.UserDN)
@@ -124,33 +125,26 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
log.Trace("LDAP will use BindDN.")

var found bool
userDN, found = ls.FindUserDN(name)
userDN, found = ls.findUserDN(l, name)
if !found {
return "", "", "", "", false, false
}
}

l, err := ldapDial(ls)
if err != nil {
log.Error(4, "LDAP Connect error (%s): %v", ls.Host, err)
ls.Enabled = false
return "", "", "", "", false, false
}
defer l.Close()

log.Trace("Binding with userDN: %s", userDN)
err = l.Bind(userDN, passwd)
if err != nil {
log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)
return "", "", "", "", false, false
if directBind || !ls.AttributesInBind {
// binds user (checking password) before looking-up attributes in user context
err = bindUser(l, userDN, passwd)
if err != nil {
return "", "", "", "", false, false
}
}

log.Trace("Bound successfully with userDN: %s", userDN)
userFilter, ok := ls.sanitizedUserQuery(name)
if !ok {
return "", "", "", "", false, false
}

log.Trace("Fetching attributes '%v', '%v', '%v', '%v' with filter %s and base %s", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, userFilter, userDN)
search := ldap.NewSearchRequest(
userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,
[]string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail},
@@ -177,6 +171,7 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str

admin_attr := false
if len(ls.AdminFilter) > 0 {
log.Trace("Checking admin with filter %s and base %s", ls.AdminFilter, userDN)
search = ldap.NewSearchRequest(
userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.AdminFilter,
[]string{ls.AttributeName},
@@ -192,9 +187,28 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
}
}

if !directBind && ls.AttributesInBind {
// binds user (checking password) after looking-up attributes in BindDN context
err = bindUser(l, userDN, passwd)
if err != nil {
return "", "", "", "", false, false
}
}

return username_attr, name_attr, sn_attr, mail_attr, admin_attr, true
}

func bindUser(l *ldap.Conn, userDN, passwd string) error {
log.Trace("Binding with userDN: %s", userDN)
err := l.Bind(userDN, passwd)
if err != nil {
log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)
return err
}
log.Trace("Bound successfully with userDN: %s", userDN)
return err
}

func ldapDial(ls *Source) (*ldap.Conn, error) {
if ls.UseSSL {
log.Debug("Using TLS for LDAP without verifying: %v", ls.SkipVerify)


+ 690
- 905
modules/bindata/bindata.go
File diff suppressed because it is too large
View File


+ 1
- 0
routers/admin/auths.go View File

@@ -81,6 +81,7 @@ func parseLDAPConfig(form auth.AuthenticationForm) *models.LDAPConfig {
AttributeName: form.AttributeName,
AttributeSurname: form.AttributeSurname,
AttributeMail: form.AttributeMail,
AttributesInBind: form.AttributesInBind,
Filter: form.Filter,
AdminFilter: form.AdminFilter,
Enabled: true,


+ 8
- 0
templates/admin/auth/edit.tmpl View File

@@ -79,6 +79,14 @@
<label for="attribute_mail">{{.i18n.Tr "admin.auths.attribute_mail"}}</label>
<input id="attribute_mail" name="attribute_mail" value="{{$cfg.AttributeMail}}" placeholder="e.g. mail" required>
</div>
{{if .Source.IsLDAP}}
<div class="inline field">
<div class="ui checkbox">
<label><strong>{{.i18n.Tr "admin.auths.attributes_in_bind"}}</strong></label>
<input name="attributes_in_bind" type="checkbox" {{if $cfg.AttributesInBind}}checked{{end}}>
</div>
</div>
{{end}}
{{end}}

<!-- SMTP -->


Write Preview
Loading…
Cancel
Save