diff options
| author | Adam Strzelecki <ono@java.pl> | 2016-02-16 12:33:16 +0100 |
|---|---|---|
| committer | Adam Strzelecki <ono@java.pl> | 2016-02-20 14:12:32 +0100 |
| commit | 834d92a47ba782b0f6cf609799864c4c73d44c5e (patch) | |
| tree | 08ea949517fdbb17f2c550a53fb952def73a5c65 /modules/auth | |
| parent | e2f95c284570271267a6239faa944c381960a3d9 (diff) | |
| download | gitea-834d92a47ba782b0f6cf609799864c4c73d44c5e.tar.gz gitea-834d92a47ba782b0f6cf609799864c4c73d44c5e.zip | |
LDAP: Fetch attributes in Bind DN context option
This is feature is workaround for #2628 (JumpCloud) and some other services
that allow LDAP search only under BindDN user account, but not allow any LDAP
search query in logged user DN context.
Such approach is an alternative to minimal permissions security pattern for
BindDN user.
Diffstat (limited to 'modules/auth')
| -rw-r--r-- | modules/auth/auth_form.go | 1 | ||||
| -rw-r--r-- | modules/auth/ldap/ldap.go | 32 |
2 files changed, 27 insertions, 6 deletions
diff --git a/modules/auth/auth_form.go b/modules/auth/auth_form.go index 68a9688303..15dbb3605b 100644 --- a/modules/auth/auth_form.go +++ b/modules/auth/auth_form.go @@ -23,6 +23,7 @@ type AuthenticationForm struct { AttributeName string AttributeSurname string AttributeMail string + AttributesInBind bool Filter string AdminFilter string IsActive bool diff --git a/modules/auth/ldap/ldap.go b/modules/auth/ldap/ldap.go index 8fbefb4341..376092fcb0 100644 --- a/modules/auth/ldap/ldap.go +++ b/modules/auth/ldap/ldap.go @@ -31,6 +31,7 @@ type Source struct { AttributeName string // First name attribute AttributeSurname string // Surname attribute AttributeMail string // E-mail attribute + AttributesInBind bool // fetch attributes in bind context (not user) Filter string // Query filter to validate entry AdminFilter string // Query filter to check if user is admin Enabled bool // if this source is disabled @@ -130,14 +131,14 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str } } - log.Trace("Binding with userDN: %s", userDN) - err = l.Bind(userDN, passwd) - if err != nil { - log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err) - return "", "", "", "", false, false + if directBind || !ls.AttributesInBind { + // binds user (checking password) before looking-up attributes in user context + err = bindUser(l, userDN, passwd) + if err != nil { + return "", "", "", "", false, false + } } - log.Trace("Bound successfully with userDN: %s", userDN) userFilter, ok := ls.sanitizedUserQuery(name) if !ok { return "", "", "", "", false, false @@ -184,9 +185,28 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str } } + if !directBind && ls.AttributesInBind { + // binds user (checking password) after looking-up attributes in BindDN context + err = bindUser(l, userDN, passwd) + if err != nil { + return "", "", "", "", false, false + } + } + return username_attr, name_attr, sn_attr, mail_attr, admin_attr, true } +func bindUser(l *ldap.Conn, userDN, passwd string) error { + log.Trace("Binding with userDN: %s", userDN) + err := l.Bind(userDN, passwd) + if err != nil { + log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err) + return err + } + log.Trace("Bound successfully with userDN: %s", userDN) + return err +} + func ldapDial(ls *Source) (*ldap.Conn, error) { if ls.UseSSL { log.Debug("Using TLS for LDAP without verifying: %v", ls.SkipVerify) |