LDAP via simple auth separate bind user and search base (#5055)
This commit is contained in:
parent
6e20b504b1
commit
2058c362a8
@ -83,16 +83,6 @@ func (ls *Source) sanitizedUserDN(username string) (string, bool) {
|
|||||||
|
|
||||||
func (ls *Source) findUserDN(l *ldap.Conn, name string) (string, bool) {
|
func (ls *Source) findUserDN(l *ldap.Conn, name string) (string, bool) {
|
||||||
log.Trace("Search for LDAP user: %s", name)
|
log.Trace("Search for LDAP user: %s", name)
|
||||||
if ls.BindDN != "" && ls.BindPassword != "" {
|
|
||||||
err := l.Bind(ls.BindDN, ls.BindPassword)
|
|
||||||
if err != nil {
|
|
||||||
log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
|
|
||||||
return "", false
|
|
||||||
}
|
|
||||||
log.Trace("Bound as BindDN %s", ls.BindDN)
|
|
||||||
} else {
|
|
||||||
log.Trace("Proceeding with anonymous LDAP search.")
|
|
||||||
}
|
|
||||||
|
|
||||||
// A search for the user.
|
// A search for the user.
|
||||||
userFilter, ok := ls.sanitizedUserQuery(name)
|
userFilter, ok := ls.sanitizedUserQuery(name)
|
||||||
@ -203,20 +193,48 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul
|
|||||||
|
|
||||||
var ok bool
|
var ok bool
|
||||||
userDN, ok = ls.sanitizedUserDN(name)
|
userDN, ok = ls.sanitizedUserDN(name)
|
||||||
|
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
err = bindUser(l, userDN, passwd)
|
||||||
|
if err != nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
if ls.UserBase != "" {
|
||||||
|
// not everyone has a CN compatible with input name so we need to find
|
||||||
|
// the real userDN in that case
|
||||||
|
|
||||||
|
userDN, ok = ls.findUserDN(l, name)
|
||||||
|
if !ok {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
log.Trace("LDAP will use BindDN.")
|
log.Trace("LDAP will use BindDN.")
|
||||||
|
|
||||||
var found bool
|
var found bool
|
||||||
|
|
||||||
|
if ls.BindDN != "" && ls.BindPassword != "" {
|
||||||
|
err := l.Bind(ls.BindDN, ls.BindPassword)
|
||||||
|
if err != nil {
|
||||||
|
log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
log.Trace("Bound as BindDN %s", ls.BindDN)
|
||||||
|
} else {
|
||||||
|
log.Trace("Proceeding with anonymous LDAP search.")
|
||||||
|
}
|
||||||
|
|
||||||
userDN, found = ls.findUserDN(l, name)
|
userDN, found = ls.findUserDN(l, name)
|
||||||
if !found {
|
if !found {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if directBind || !ls.AttributesInBind {
|
if !ls.AttributesInBind {
|
||||||
// binds user (checking password) before looking-up attributes in user context
|
// binds user (checking password) before looking-up attributes in user context
|
||||||
err = bindUser(l, userDN, passwd)
|
err = bindUser(l, userDN, passwd)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -1415,13 +1415,15 @@ function initAdmin() {
|
|||||||
$('#auth_type').change(function () {
|
$('#auth_type').change(function () {
|
||||||
$('.ldap, .dldap, .smtp, .pam, .oauth2, .has-tls .search-page-size').hide();
|
$('.ldap, .dldap, .smtp, .pam, .oauth2, .has-tls .search-page-size').hide();
|
||||||
|
|
||||||
$('.ldap input[required], .dldap input[required], .smtp input[required], .pam input[required], .oauth2 input[required], .has-tls input[required]').removeAttr('required');
|
$('.ldap input[required], .binddnrequired input[required], .dldap input[required], .smtp input[required], .pam input[required], .oauth2 input[required], .has-tls input[required]').removeAttr('required');
|
||||||
|
$('.binddnrequired').removeClass("required");
|
||||||
|
|
||||||
var authType = $(this).val();
|
var authType = $(this).val();
|
||||||
switch (authType) {
|
switch (authType) {
|
||||||
case '2': // LDAP
|
case '2': // LDAP
|
||||||
$('.ldap').show();
|
$('.ldap').show();
|
||||||
$('.ldap div.required:not(.dldap) input').attr('required', 'required');
|
$('.binddnrequired input, .ldap div.required:not(.dldap) input').attr('required', 'required');
|
||||||
|
$('.binddnrequired').addClass("required");
|
||||||
break;
|
break;
|
||||||
case '3': // SMTP
|
case '3': // SMTP
|
||||||
$('.smtp').show();
|
$('.smtp').show();
|
||||||
|
@ -55,11 +55,11 @@
|
|||||||
<input id="bind_password" name="bind_password" type="password" value="{{$cfg.BindPassword}}">
|
<input id="bind_password" name="bind_password" type="password" value="{{$cfg.BindPassword}}">
|
||||||
<p class="help text red">{{.i18n.Tr "admin.auths.bind_password_helper"}}</p>
|
<p class="help text red">{{.i18n.Tr "admin.auths.bind_password_helper"}}</p>
|
||||||
</div>
|
</div>
|
||||||
<div class="required field">
|
{{end}}
|
||||||
|
<div class="{{if .Source.IsLDAP}}required{{end}} field">
|
||||||
<label for="user_base">{{.i18n.Tr "admin.auths.user_base"}}</label>
|
<label for="user_base">{{.i18n.Tr "admin.auths.user_base"}}</label>
|
||||||
<input id="user_base" name="user_base" value="{{$cfg.UserBase}}" placeholder="e.g. ou=Users,dc=mydomain,dc=com" required>
|
<input id="user_base" name="user_base" value="{{$cfg.UserBase}}" placeholder="e.g. ou=Users,dc=mydomain,dc=com" required>
|
||||||
</div>
|
</div>
|
||||||
{{end}}
|
|
||||||
{{if .Source.IsDLDAP}}
|
{{if .Source.IsDLDAP}}
|
||||||
<div class="required field">
|
<div class="required field">
|
||||||
<label for="user_dn">{{.i18n.Tr "admin.auths.user_dn"}}</label>
|
<label for="user_dn">{{.i18n.Tr "admin.auths.user_dn"}}</label>
|
||||||
|
@ -30,7 +30,7 @@
|
|||||||
<input id="bind_password" name="bind_password" type="password" value="{{.bind_password}}">
|
<input id="bind_password" name="bind_password" type="password" value="{{.bind_password}}">
|
||||||
<p class="help text red">{{.i18n.Tr "admin.auths.bind_password_helper"}}</p>
|
<p class="help text red">{{.i18n.Tr "admin.auths.bind_password_helper"}}</p>
|
||||||
</div>
|
</div>
|
||||||
<div class="ldap required field {{if not (eq .type 2)}}hide{{end}}">
|
<div class="binddnrequired {{if (eq .type 2)}}required{{end}} field">
|
||||||
<label for="user_base">{{.i18n.Tr "admin.auths.user_base"}}</label>
|
<label for="user_base">{{.i18n.Tr "admin.auths.user_base"}}</label>
|
||||||
<input id="user_base" name="user_base" value="{{.user_base}}" placeholder="e.g. ou=Users,dc=mydomain,dc=com">
|
<input id="user_base" name="user_base" value="{{.user_base}}" placeholder="e.g. ou=Users,dc=mydomain,dc=com">
|
||||||
</div>
|
</div>
|
||||||
|
Loading…
Reference in New Issue
Block a user