Skip to content

Commit 2058c36

Browse files
tenacubustechknowlogick
tenacubus
authored and
techknowlogick
committed
LDAP via simple auth separate bind user and search base (#5055)
1 parent 6e20b50 commit 2058c36

4 files changed

Lines changed: 37 additions & 17 deletions

File tree

modules/auth/ldap/ldap.go

Lines changed: 29 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -83,16 +83,6 @@ func (ls *Source) sanitizedUserDN(username string) (string, bool) {
8383

8484
func (ls *Source) findUserDN(l *ldap.Conn, name string) (string, bool) {
8585
log.Trace("Search for LDAP user: %s", name)
86-
if ls.BindDN != "" && ls.BindPassword != "" {
87-
err := l.Bind(ls.BindDN, ls.BindPassword)
88-
if err != nil {
89-
log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
90-
return "", false
91-
}
92-
log.Trace("Bound as BindDN %s", ls.BindDN)
93-
} else {
94-
log.Trace("Proceeding with anonymous LDAP search.")
95-
}
9686

9787
// A search for the user.
9888
userFilter, ok := ls.sanitizedUserQuery(name)
@@ -203,20 +193,48 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul
203193

204194
var ok bool
205195
userDN, ok = ls.sanitizedUserDN(name)
196+
206197
if !ok {
207198
return nil
208199
}
200+
201+
err = bindUser(l, userDN, passwd)
202+
if err != nil {
203+
return nil
204+
}
205+
206+
if ls.UserBase != "" {
207+
// not everyone has a CN compatible with input name so we need to find
208+
// the real userDN in that case
209+
210+
userDN, ok = ls.findUserDN(l, name)
211+
if !ok {
212+
return nil
213+
}
214+
}
209215
} else {
210216
log.Trace("LDAP will use BindDN.")
211217

212218
var found bool
219+
220+
if ls.BindDN != "" && ls.BindPassword != "" {
221+
err := l.Bind(ls.BindDN, ls.BindPassword)
222+
if err != nil {
223+
log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
224+
return nil
225+
}
226+
log.Trace("Bound as BindDN %s", ls.BindDN)
227+
} else {
228+
log.Trace("Proceeding with anonymous LDAP search.")
229+
}
230+
213231
userDN, found = ls.findUserDN(l, name)
214232
if !found {
215233
return nil
216234
}
217235
}
218236

219-
if directBind || !ls.AttributesInBind {
237+
if !ls.AttributesInBind {
220238
// binds user (checking password) before looking-up attributes in user context
221239
err = bindUser(l, userDN, passwd)
222240
if err != nil {

public/js/index.js

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1415,13 +1415,15 @@ function initAdmin() {
14151415
$('#auth_type').change(function () {
14161416
$('.ldap, .dldap, .smtp, .pam, .oauth2, .has-tls .search-page-size').hide();
14171417

1418-
$('.ldap input[required], .dldap input[required], .smtp input[required], .pam input[required], .oauth2 input[required], .has-tls input[required]').removeAttr('required');
1418+
$('.ldap input[required], .binddnrequired input[required], .dldap input[required], .smtp input[required], .pam input[required], .oauth2 input[required], .has-tls input[required]').removeAttr('required');
1419+
$('.binddnrequired').removeClass("required");
14191420

14201421
var authType = $(this).val();
14211422
switch (authType) {
14221423
case '2': // LDAP
14231424
$('.ldap').show();
1424-
$('.ldap div.required:not(.dldap) input').attr('required', 'required');
1425+
$('.binddnrequired input, .ldap div.required:not(.dldap) input').attr('required', 'required');
1426+
$('.binddnrequired').addClass("required");
14251427
break;
14261428
case '3': // SMTP
14271429
$('.smtp').show();

templates/admin/auth/edit.tmpl

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -55,11 +55,11 @@
5555
<input id="bind_password" name="bind_password" type="password" value="{{$cfg.BindPassword}}">
5656
<p class="help text red">{{.i18n.Tr "admin.auths.bind_password_helper"}}</p>
5757
</div>
58-
<div class="required field">
58+
{{end}}
59+
<div class="{{if .Source.IsLDAP}}required{{end}} field">
5960
<label for="user_base">{{.i18n.Tr "admin.auths.user_base"}}</label>
6061
<input id="user_base" name="user_base" value="{{$cfg.UserBase}}" placeholder="e.g. ou=Users,dc=mydomain,dc=com" required>
61-
</div>
62-
{{end}}
62+
</div>
6363
{{if .Source.IsDLDAP}}
6464
<div class="required field">
6565
<label for="user_dn">{{.i18n.Tr "admin.auths.user_dn"}}</label>

templates/admin/auth/source/ldap.tmpl

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -30,7 +30,7 @@
3030
<input id="bind_password" name="bind_password" type="password" value="{{.bind_password}}">
3131
<p class="help text red">{{.i18n.Tr "admin.auths.bind_password_helper"}}</p>
3232
</div>
33-
<div class="ldap required field {{if not (eq .type 2)}}hide{{end}}">
33+
<div class="binddnrequired {{if (eq .type 2)}}required{{end}} field">
3434
<label for="user_base">{{.i18n.Tr "admin.auths.user_base"}}</label>
3535
<input id="user_base" name="user_base" value="{{.user_base}}" placeholder="e.g. ou=Users,dc=mydomain,dc=com">
3636
</div>

0 commit comments

Comments
 (0)