third_party
/
gitea
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #2634 from nanoant/patch/ldap-attributes-in-bind

Browse Source 
LDAP: Fetch attributes in Bind DN context
tokarchuk/v1.17
Unknwon 9 years ago
parent a703f7d7b4 a9981d8099
commit 7e0baf4136
6 changed files with 741 additions and 931 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 1
      conf/locale/locale_en-US.ini
  2. 1
      modules/auth/auth_form.go
  3. 66
      modules/auth/ldap/ldap.go
  4. 1595
      modules/bindata/bindata.go
  5. 1
      routers/admin/auths.go
  6. 8
      templates/admin/auth/edit.tmpl

1
conf/locale/locale_en-US.ini
Unescape View File

@ -921,6 +921,7 @@ auths.attribute_username_placeholder = Leave empty to use sign-in form field val
auths.attribute_name = First name attribute auths.attribute_name = First name attribute
auths.attribute_surname = Surname attribute auths.attribute_surname = Surname attribute
auths.attribute_mail = Email attribute auths.attribute_mail = Email attribute
auths.attributes_in_bind = Fetch attributes in Bind DN context
auths.filter = User Filter auths.filter = User Filter
auths.admin_filter = Admin Filter auths.admin_filter = Admin Filter
auths.ms_ad_sa = Ms Ad SA auths.ms_ad_sa = Ms Ad SA

1
modules/auth/auth_form.go
Unescape View File

@ -23,6 +23,7 @@ type AuthenticationForm struct {
AttributeName string AttributeName string
AttributeSurname string AttributeSurname string
AttributeMail string AttributeMail string
AttributesInBind bool
Filter string Filter string
AdminFilter string AdminFilter string
IsActive bool IsActive bool

66
modules/auth/ldap/ldap.go
Unescape View File

@ -31,6 +31,7 @@ type Source struct {
AttributeName string // First name attribute AttributeName string // First name attribute
AttributeSurname string // Surname attribute AttributeSurname string // Surname attribute
AttributeMail string // E-mail attribute AttributeMail string // E-mail attribute
AttributesInBind bool // fetch attributes in bind context (not user)
Filter string // Query filter to validate entry Filter string // Query filter to validate entry
AdminFilter string // Query filter to check if user is admin AdminFilter string // Query filter to check if user is admin
Enabled bool // if this source is disabled Enabled bool // if this source is disabled
@ -58,18 +59,10 @@ func (ls *Source) sanitizedUserDN(username string) (string, bool) {
return fmt.Sprintf(ls.UserDN, username), true return fmt.Sprintf(ls.UserDN, username), true
} }
func (ls *Source) FindUserDN(name string) (string, bool) { func (ls *Source) findUserDN(l *ldap.Conn, name string) (string, bool) {
l, err := ldapDial(ls)
if err != nil {
log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
ls.Enabled = false
return "", false
}
defer l.Close()
log.Trace("Search for LDAP user: %s", name) log.Trace("Search for LDAP user: %s", name)
if ls.BindDN != "" && ls.BindPassword != "" { if ls.BindDN != "" && ls.BindPassword != "" {
err = l.Bind(ls.BindDN, ls.BindPassword) err := l.Bind(ls.BindDN, ls.BindPassword)
if err != nil { if err != nil {
log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err) log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
return "", false return "", false
@ -85,7 +78,7 @@ func (ls *Source) FindUserDN(name string) (string, bool) {
return "", false return "", false
} }
log.Trace("Searching using filter %s", userFilter) log.Trace("Searching for DN using filter %s and base %s", userFilter, ls.UserBase)
search := ldap.NewSearchRequest( search := ldap.NewSearchRequest(
ls.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, ls.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0,
false, userFilter, []string{}, nil) false, userFilter, []string{}, nil)
@ -111,6 +104,14 @@ func (ls *Source) FindUserDN(name string) (string, bool) {
// searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter // searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, string, string, string, bool, bool) { func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, string, string, string, bool, bool) {
l, err := ldapDial(ls)
if err != nil {
log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
ls.Enabled = false
return "", "", "", "", false, false
}
defer l.Close()
var userDN string var userDN string
if directBind { if directBind {
log.Trace("LDAP will bind directly via UserDN template: %s", ls.UserDN) log.Trace("LDAP will bind directly via UserDN template: %s", ls.UserDN)
@ -124,33 +125,26 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
log.Trace("LDAP will use BindDN.") log.Trace("LDAP will use BindDN.")
var found bool var found bool
userDN, found = ls.FindUserDN(name) userDN, found = ls.findUserDN(l, name)
if !found { if !found {
return "", "", "", "", false, false return "", "", "", "", false, false
} }
} }
l, err := ldapDial(ls) if directBind || !ls.AttributesInBind {
if err != nil { // binds user (checking password) before looking-up attributes in user context
log.Error(4, "LDAP Connect error (%s): %v", ls.Host, err) err = bindUser(l, userDN, passwd)
ls.Enabled = false if err != nil {
return "", "", "", "", false, false return "", "", "", "", false, false
} }
defer l.Close()
log.Trace("Binding with userDN: %s", userDN)
err = l.Bind(userDN, passwd)
if err != nil {
log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)
return "", "", "", "", false, false
} }
log.Trace("Bound successfully with userDN: %s", userDN)
userFilter, ok := ls.sanitizedUserQuery(name) userFilter, ok := ls.sanitizedUserQuery(name)
if !ok { if !ok {
return "", "", "", "", false, false return "", "", "", "", false, false
} }
log.Trace("Fetching attributes '%v', '%v', '%v', '%v' with filter %s and base %s", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, userFilter, userDN)
search := ldap.NewSearchRequest( search := ldap.NewSearchRequest(
userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter, userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,
[]string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail}, []string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail},
@ -177,6 +171,7 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
admin_attr := false admin_attr := false
if len(ls.AdminFilter) > 0 { if len(ls.AdminFilter) > 0 {
log.Trace("Checking admin with filter %s and base %s", ls.AdminFilter, userDN)
search = ldap.NewSearchRequest( search = ldap.NewSearchRequest(
userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.AdminFilter, userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.AdminFilter,
[]string{ls.AttributeName}, []string{ls.AttributeName},
@ -192,9 +187,28 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
} }
} }
if !directBind && ls.AttributesInBind {
// binds user (checking password) after looking-up attributes in BindDN context
err = bindUser(l, userDN, passwd)
if err != nil {
return "", "", "", "", false, false
}
}
return username_attr, name_attr, sn_attr, mail_attr, admin_attr, true return username_attr, name_attr, sn_attr, mail_attr, admin_attr, true
} }
func bindUser(l *ldap.Conn, userDN, passwd string) error {
log.Trace("Binding with userDN: %s", userDN)
err := l.Bind(userDN, passwd)
if err != nil {
log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)
return err
}
log.Trace("Bound successfully with userDN: %s", userDN)
return err
}
func ldapDial(ls *Source) (*ldap.Conn, error) { func ldapDial(ls *Source) (*ldap.Conn, error) {
if ls.UseSSL { if ls.UseSSL {
log.Debug("Using TLS for LDAP without verifying: %v", ls.SkipVerify) log.Debug("Using TLS for LDAP without verifying: %v", ls.SkipVerify)

1595
modules/bindata/bindata.go
View File

File diff suppressed because one or more lines are too long

1
routers/admin/auths.go
Unescape View File

@ -81,6 +81,7 @@ func parseLDAPConfig(form auth.AuthenticationForm) *models.LDAPConfig {
AttributeName: form.AttributeName, AttributeName: form.AttributeName,
AttributeSurname: form.AttributeSurname, AttributeSurname: form.AttributeSurname,
AttributeMail: form.AttributeMail, AttributeMail: form.AttributeMail,
AttributesInBind: form.AttributesInBind,
Filter: form.Filter, Filter: form.Filter,
AdminFilter: form.AdminFilter, AdminFilter: form.AdminFilter,
Enabled: true, Enabled: true,

8
templates/admin/auth/edit.tmpl
Unescape View File

@ -79,6 +79,14 @@
<label for="attribute_mail">{{.i18n.Tr "admin.auths.attribute_mail"}}</label> <label for="attribute_mail">{{.i18n.Tr "admin.auths.attribute_mail"}}</label>
<input id="attribute_mail" name="attribute_mail" value="{{$cfg.AttributeMail}}" placeholder="e.g. mail" required> <input id="attribute_mail" name="attribute_mail" value="{{$cfg.AttributeMail}}" placeholder="e.g. mail" required>
</div> </div>
{{if .Source.IsLDAP}}
<div class="inline field">
<div class="ui checkbox">
<label><strong>{{.i18n.Tr "admin.auths.attributes_in_bind"}}</strong></label>
<input name="attributes_in_bind" type="checkbox" {{if $cfg.AttributesInBind}}checked{{end}}>
</div>
</div>
{{end}}
{{end}} {{end}}
<!-- SMTP --> <!-- SMTP -->

Write Preview
Loading…
Cancel
Save