mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-11-14 06:39:40 +01:00
Merge pull request #2634 from nanoant/patch/ldap-attributes-in-bind
LDAP: Fetch attributes in Bind DN context
This commit is contained in:
commit
7e0baf4136
6 changed files with 741 additions and 931 deletions
|
@ -921,6 +921,7 @@ auths.attribute_username_placeholder = Leave empty to use sign-in form field val
|
||||||
auths.attribute_name = First name attribute
|
auths.attribute_name = First name attribute
|
||||||
auths.attribute_surname = Surname attribute
|
auths.attribute_surname = Surname attribute
|
||||||
auths.attribute_mail = Email attribute
|
auths.attribute_mail = Email attribute
|
||||||
|
auths.attributes_in_bind = Fetch attributes in Bind DN context
|
||||||
auths.filter = User Filter
|
auths.filter = User Filter
|
||||||
auths.admin_filter = Admin Filter
|
auths.admin_filter = Admin Filter
|
||||||
auths.ms_ad_sa = Ms Ad SA
|
auths.ms_ad_sa = Ms Ad SA
|
||||||
|
|
|
@ -23,6 +23,7 @@ type AuthenticationForm struct {
|
||||||
AttributeName string
|
AttributeName string
|
||||||
AttributeSurname string
|
AttributeSurname string
|
||||||
AttributeMail string
|
AttributeMail string
|
||||||
|
AttributesInBind bool
|
||||||
Filter string
|
Filter string
|
||||||
AdminFilter string
|
AdminFilter string
|
||||||
IsActive bool
|
IsActive bool
|
||||||
|
|
|
@ -31,6 +31,7 @@ type Source struct {
|
||||||
AttributeName string // First name attribute
|
AttributeName string // First name attribute
|
||||||
AttributeSurname string // Surname attribute
|
AttributeSurname string // Surname attribute
|
||||||
AttributeMail string // E-mail attribute
|
AttributeMail string // E-mail attribute
|
||||||
|
AttributesInBind bool // fetch attributes in bind context (not user)
|
||||||
Filter string // Query filter to validate entry
|
Filter string // Query filter to validate entry
|
||||||
AdminFilter string // Query filter to check if user is admin
|
AdminFilter string // Query filter to check if user is admin
|
||||||
Enabled bool // if this source is disabled
|
Enabled bool // if this source is disabled
|
||||||
|
@ -58,18 +59,10 @@ func (ls *Source) sanitizedUserDN(username string) (string, bool) {
|
||||||
return fmt.Sprintf(ls.UserDN, username), true
|
return fmt.Sprintf(ls.UserDN, username), true
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ls *Source) FindUserDN(name string) (string, bool) {
|
func (ls *Source) findUserDN(l *ldap.Conn, name string) (string, bool) {
|
||||||
l, err := ldapDial(ls)
|
|
||||||
if err != nil {
|
|
||||||
log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
|
|
||||||
ls.Enabled = false
|
|
||||||
return "", false
|
|
||||||
}
|
|
||||||
defer l.Close()
|
|
||||||
|
|
||||||
log.Trace("Search for LDAP user: %s", name)
|
log.Trace("Search for LDAP user: %s", name)
|
||||||
if ls.BindDN != "" && ls.BindPassword != "" {
|
if ls.BindDN != "" && ls.BindPassword != "" {
|
||||||
err = l.Bind(ls.BindDN, ls.BindPassword)
|
err := l.Bind(ls.BindDN, ls.BindPassword)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
|
log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
|
||||||
return "", false
|
return "", false
|
||||||
|
@ -85,7 +78,7 @@ func (ls *Source) FindUserDN(name string) (string, bool) {
|
||||||
return "", false
|
return "", false
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Trace("Searching using filter %s", userFilter)
|
log.Trace("Searching for DN using filter %s and base %s", userFilter, ls.UserBase)
|
||||||
search := ldap.NewSearchRequest(
|
search := ldap.NewSearchRequest(
|
||||||
ls.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0,
|
ls.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0,
|
||||||
false, userFilter, []string{}, nil)
|
false, userFilter, []string{}, nil)
|
||||||
|
@ -111,6 +104,14 @@ func (ls *Source) FindUserDN(name string) (string, bool) {
|
||||||
|
|
||||||
// searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
|
// searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
|
||||||
func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, string, string, string, bool, bool) {
|
func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, string, string, string, bool, bool) {
|
||||||
|
l, err := ldapDial(ls)
|
||||||
|
if err != nil {
|
||||||
|
log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
|
||||||
|
ls.Enabled = false
|
||||||
|
return "", "", "", "", false, false
|
||||||
|
}
|
||||||
|
defer l.Close()
|
||||||
|
|
||||||
var userDN string
|
var userDN string
|
||||||
if directBind {
|
if directBind {
|
||||||
log.Trace("LDAP will bind directly via UserDN template: %s", ls.UserDN)
|
log.Trace("LDAP will bind directly via UserDN template: %s", ls.UserDN)
|
||||||
|
@ -124,33 +125,26 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
|
||||||
log.Trace("LDAP will use BindDN.")
|
log.Trace("LDAP will use BindDN.")
|
||||||
|
|
||||||
var found bool
|
var found bool
|
||||||
userDN, found = ls.FindUserDN(name)
|
userDN, found = ls.findUserDN(l, name)
|
||||||
if !found {
|
if !found {
|
||||||
return "", "", "", "", false, false
|
return "", "", "", "", false, false
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
l, err := ldapDial(ls)
|
if directBind || !ls.AttributesInBind {
|
||||||
if err != nil {
|
// binds user (checking password) before looking-up attributes in user context
|
||||||
log.Error(4, "LDAP Connect error (%s): %v", ls.Host, err)
|
err = bindUser(l, userDN, passwd)
|
||||||
ls.Enabled = false
|
if err != nil {
|
||||||
return "", "", "", "", false, false
|
return "", "", "", "", false, false
|
||||||
}
|
}
|
||||||
defer l.Close()
|
|
||||||
|
|
||||||
log.Trace("Binding with userDN: %s", userDN)
|
|
||||||
err = l.Bind(userDN, passwd)
|
|
||||||
if err != nil {
|
|
||||||
log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)
|
|
||||||
return "", "", "", "", false, false
|
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Trace("Bound successfully with userDN: %s", userDN)
|
|
||||||
userFilter, ok := ls.sanitizedUserQuery(name)
|
userFilter, ok := ls.sanitizedUserQuery(name)
|
||||||
if !ok {
|
if !ok {
|
||||||
return "", "", "", "", false, false
|
return "", "", "", "", false, false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
log.Trace("Fetching attributes '%v', '%v', '%v', '%v' with filter %s and base %s", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, userFilter, userDN)
|
||||||
search := ldap.NewSearchRequest(
|
search := ldap.NewSearchRequest(
|
||||||
userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,
|
userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,
|
||||||
[]string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail},
|
[]string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail},
|
||||||
|
@ -177,6 +171,7 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
|
||||||
|
|
||||||
admin_attr := false
|
admin_attr := false
|
||||||
if len(ls.AdminFilter) > 0 {
|
if len(ls.AdminFilter) > 0 {
|
||||||
|
log.Trace("Checking admin with filter %s and base %s", ls.AdminFilter, userDN)
|
||||||
search = ldap.NewSearchRequest(
|
search = ldap.NewSearchRequest(
|
||||||
userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.AdminFilter,
|
userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.AdminFilter,
|
||||||
[]string{ls.AttributeName},
|
[]string{ls.AttributeName},
|
||||||
|
@ -192,9 +187,28 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if !directBind && ls.AttributesInBind {
|
||||||
|
// binds user (checking password) after looking-up attributes in BindDN context
|
||||||
|
err = bindUser(l, userDN, passwd)
|
||||||
|
if err != nil {
|
||||||
|
return "", "", "", "", false, false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return username_attr, name_attr, sn_attr, mail_attr, admin_attr, true
|
return username_attr, name_attr, sn_attr, mail_attr, admin_attr, true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func bindUser(l *ldap.Conn, userDN, passwd string) error {
|
||||||
|
log.Trace("Binding with userDN: %s", userDN)
|
||||||
|
err := l.Bind(userDN, passwd)
|
||||||
|
if err != nil {
|
||||||
|
log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
log.Trace("Bound successfully with userDN: %s", userDN)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
func ldapDial(ls *Source) (*ldap.Conn, error) {
|
func ldapDial(ls *Source) (*ldap.Conn, error) {
|
||||||
if ls.UseSSL {
|
if ls.UseSSL {
|
||||||
log.Debug("Using TLS for LDAP without verifying: %v", ls.SkipVerify)
|
log.Debug("Using TLS for LDAP without verifying: %v", ls.SkipVerify)
|
||||||
|
|
File diff suppressed because one or more lines are too long
|
@ -81,6 +81,7 @@ func parseLDAPConfig(form auth.AuthenticationForm) *models.LDAPConfig {
|
||||||
AttributeName: form.AttributeName,
|
AttributeName: form.AttributeName,
|
||||||
AttributeSurname: form.AttributeSurname,
|
AttributeSurname: form.AttributeSurname,
|
||||||
AttributeMail: form.AttributeMail,
|
AttributeMail: form.AttributeMail,
|
||||||
|
AttributesInBind: form.AttributesInBind,
|
||||||
Filter: form.Filter,
|
Filter: form.Filter,
|
||||||
AdminFilter: form.AdminFilter,
|
AdminFilter: form.AdminFilter,
|
||||||
Enabled: true,
|
Enabled: true,
|
||||||
|
|
|
@ -79,6 +79,14 @@
|
||||||
<label for="attribute_mail">{{.i18n.Tr "admin.auths.attribute_mail"}}</label>
|
<label for="attribute_mail">{{.i18n.Tr "admin.auths.attribute_mail"}}</label>
|
||||||
<input id="attribute_mail" name="attribute_mail" value="{{$cfg.AttributeMail}}" placeholder="e.g. mail" required>
|
<input id="attribute_mail" name="attribute_mail" value="{{$cfg.AttributeMail}}" placeholder="e.g. mail" required>
|
||||||
</div>
|
</div>
|
||||||
|
{{if .Source.IsLDAP}}
|
||||||
|
<div class="inline field">
|
||||||
|
<div class="ui checkbox">
|
||||||
|
<label><strong>{{.i18n.Tr "admin.auths.attributes_in_bind"}}</strong></label>
|
||||||
|
<input name="attributes_in_bind" type="checkbox" {{if $cfg.AttributesInBind}}checked{{end}}>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
{{end}}
|
||||||
{{end}}
|
{{end}}
|
||||||
|
|
||||||
<!-- SMTP -->
|
<!-- SMTP -->
|
||||||
|
|
Loading…
Reference in a new issue