From 2058c362a8325790ed1f83163b233ce342d3789b Mon Sep 17 00:00:00 2001 From: Tony Homrich Date: Thu, 27 Dec 2018 11:51:19 -0500 Subject: [PATCH] LDAP via simple auth separate bind user and search base (#5055) --- modules/auth/ldap/ldap.go | 40 +++++++++++++++++++-------- public/js/index.js | 6 ++-- templates/admin/auth/edit.tmpl | 6 ++-- templates/admin/auth/source/ldap.tmpl | 2 +- 4 files changed, 37 insertions(+), 17 deletions(-) diff --git a/modules/auth/ldap/ldap.go b/modules/auth/ldap/ldap.go index 8a5a6cf4d0f..f4c55d0bd67 100644 --- a/modules/auth/ldap/ldap.go +++ b/modules/auth/ldap/ldap.go @@ -83,16 +83,6 @@ func (ls *Source) sanitizedUserDN(username string) (string, bool) { func (ls *Source) findUserDN(l *ldap.Conn, name string) (string, bool) { log.Trace("Search for LDAP user: %s", name) - if ls.BindDN != "" && ls.BindPassword != "" { - err := l.Bind(ls.BindDN, ls.BindPassword) - if err != nil { - log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err) - return "", false - } - log.Trace("Bound as BindDN %s", ls.BindDN) - } else { - log.Trace("Proceeding with anonymous LDAP search.") - } // A search for the user. userFilter, ok := ls.sanitizedUserQuery(name) @@ -203,20 +193,48 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul var ok bool userDN, ok = ls.sanitizedUserDN(name) + if !ok { return nil } + + err = bindUser(l, userDN, passwd) + if err != nil { + return nil + } + + if ls.UserBase != "" { + // not everyone has a CN compatible with input name so we need to find + // the real userDN in that case + + userDN, ok = ls.findUserDN(l, name) + if !ok { + return nil + } + } } else { log.Trace("LDAP will use BindDN.") var found bool + + if ls.BindDN != "" && ls.BindPassword != "" { + err := l.Bind(ls.BindDN, ls.BindPassword) + if err != nil { + log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err) + return nil + } + log.Trace("Bound as BindDN %s", ls.BindDN) + } else { + log.Trace("Proceeding with anonymous LDAP search.") + } + userDN, found = ls.findUserDN(l, name) if !found { return nil } } - if directBind || !ls.AttributesInBind { + if !ls.AttributesInBind { // binds user (checking password) before looking-up attributes in user context err = bindUser(l, userDN, passwd) if err != nil { diff --git a/public/js/index.js b/public/js/index.js index 3d078a9848a..918918ef466 100644 --- a/public/js/index.js +++ b/public/js/index.js @@ -1415,13 +1415,15 @@ function initAdmin() { $('#auth_type').change(function () { $('.ldap, .dldap, .smtp, .pam, .oauth2, .has-tls .search-page-size').hide(); - $('.ldap input[required], .dldap input[required], .smtp input[required], .pam input[required], .oauth2 input[required], .has-tls input[required]').removeAttr('required'); + $('.ldap input[required], .binddnrequired input[required], .dldap input[required], .smtp input[required], .pam input[required], .oauth2 input[required], .has-tls input[required]').removeAttr('required'); + $('.binddnrequired').removeClass("required"); var authType = $(this).val(); switch (authType) { case '2': // LDAP $('.ldap').show(); - $('.ldap div.required:not(.dldap) input').attr('required', 'required'); + $('.binddnrequired input, .ldap div.required:not(.dldap) input').attr('required', 'required'); + $('.binddnrequired').addClass("required"); break; case '3': // SMTP $('.smtp').show(); diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl index 5c492ff521d..8807657c33c 100644 --- a/templates/admin/auth/edit.tmpl +++ b/templates/admin/auth/edit.tmpl @@ -55,11 +55,11 @@

{{.i18n.Tr "admin.auths.bind_password_helper"}}

-
+ {{end}} +
-
- {{end}} +
{{if .Source.IsDLDAP}}
diff --git a/templates/admin/auth/source/ldap.tmpl b/templates/admin/auth/source/ldap.tmpl index 0c39d057a42..3386884ff14 100644 --- a/templates/admin/auth/source/ldap.tmpl +++ b/templates/admin/auth/source/ldap.tmpl @@ -30,7 +30,7 @@

{{.i18n.Tr "admin.auths.bind_password_helper"}}

-
+