summaryrefslogtreecommitdiffstats
path: root/modules/auth/ldap
diff options
context:
space:
mode:
authorGirish Ramakrishnan <girish@cloudron.io>2015-08-18 21:34:03 -0700
committerGirish Ramakrishnan <girish@cloudron.io>2015-08-18 23:49:12 -0700
commit24d7a86a8d35aa1fadf05deaa10e141d33ea6632 (patch)
tree81f20ad9fa63e815ae0accf59a39eca2252b6068 /modules/auth/ldap
parent03b85b73af03eae98308fc3d36cdbd47db1503d6 (diff)
downloadgitea-24d7a86a8d35aa1fadf05deaa10e141d33ea6632.tar.gz
gitea-24d7a86a8d35aa1fadf05deaa10e141d33ea6632.zip
Set IsAdmin using LDAP
The IsAdmin flag is set based on whether the admin filter returned any result. The admin filter is applied with the user dn as the search root. In the future, we should update IsAdmin as well on each login. Alternately, we can have a periodic sync operation.
Diffstat (limited to 'modules/auth/ldap')
-rw-r--r--modules/auth/ldap/ldap.go31
1 files changed, 24 insertions, 7 deletions
diff --git a/modules/auth/ldap/ldap.go b/modules/auth/ldap/ldap.go
index 82d66fec37..7596762db5 100644
--- a/modules/auth/ldap/ldap.go
+++ b/modules/auth/ldap/ldap.go
@@ -26,6 +26,7 @@ type Ldapsource struct {
AttributeSurname string // Surname attribute
AttributeMail string // E-mail attribute
Filter string // Query filter to validate entry
+ AdminFilter string // Query filter to check if user is admin
Enabled bool // if this source is disabled
}
@@ -77,17 +78,17 @@ func (ls Ldapsource) FindUserDN(name string) (string, bool) {
}
// searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
-func (ls Ldapsource) SearchEntry(name, passwd string) (string, string, string, bool) {
+func (ls Ldapsource) SearchEntry(name, passwd string) (string, string, string, bool, bool) {
userDN, found := ls.FindUserDN(name)
if !found {
- return "", "", "", false
+ return "", "", "", false, false
}
l, err := ldapDial(ls)
if err != nil {
log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
ls.Enabled = false
- return "", "", "", false
+ return "", "", "", false, false
}
defer l.Close()
@@ -96,7 +97,7 @@ func (ls Ldapsource) SearchEntry(name, passwd string) (string, string, string, b
err = l.Bind(userDN, passwd)
if err != nil {
log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)
- return "", "", "", false
+ return "", "", "", false, false
}
log.Trace("Bound successfully with userDN: %s", userDN)
@@ -109,16 +110,32 @@ func (ls Ldapsource) SearchEntry(name, passwd string) (string, string, string, b
sr, err := l.Search(search)
if err != nil {
log.Error(4, "LDAP Search failed unexpectedly! (%v)", err)
- return "", "", "", false
+ return "", "", "", false, false
} else if len(sr.Entries) < 1 {
log.Error(4, "LDAP Search failed unexpectedly! (0 entries)")
- return "", "", "", false
+ return "", "", "", false, false
}
name_attr := sr.Entries[0].GetAttributeValue(ls.AttributeName)
sn_attr := sr.Entries[0].GetAttributeValue(ls.AttributeSurname)
mail_attr := sr.Entries[0].GetAttributeValue(ls.AttributeMail)
- return name_attr, sn_attr, mail_attr, true
+
+ search = ldap.NewSearchRequest(
+ userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.AdminFilter,
+ []string{ls.AttributeName},
+ nil)
+
+ sr, err = l.Search(search)
+ admin_attr := false
+ if err != nil {
+ log.Error(4, "LDAP Admin Search failed unexpectedly! (%v)", err)
+ } else if len(sr.Entries) < 1 {
+ log.Error(4, "LDAP Admin Search failed")
+ } else {
+ admin_attr = true
+ }
+
+ return name_attr, sn_attr, mail_attr, admin_attr, true
}
func ldapDial(ls Ldapsource) (*ldap.Conn, error) {