author | Tony Homrich <tenacubus@gmail.com> | 2018-12-27 11:51:19 -0500 |
---|---|---|
committer | techknowlogick <hello@techknowlogick.com> | 2018-12-27 11:51:19 -0500 |
commit | 2058c362a8325790ed1f83163b233ce342d3789b (patch) | |
tree | 1bd54126b9e89e785738060f1f730a2dcc87d9fb /modules/auth | |
parent | 6e20b504b1d5f63b1835f2826d6cbaf2064f479d (diff) | |
LDAP via simple auth separate bind user and search base (#5055)
Diffstat (limited to 'modules/auth')
-rw-r--r-- | modules/auth/ldap/ldap.go | 40 |
1 files changed, 29 insertions, 11 deletions
diff --git a/modules/auth/ldap/ldap.go b/modules/auth/ldap/ldap.go
index 8a5a6cf4d0..f4c55d0bd6 100644
--- a/modules/auth/ldap/ldap.go
+++ b/modules/auth/ldap/ldap.go
@@ -83,16 +83,6 @@ func (ls *Source) sanitizedUserDN(username string) (string, bool) {
 func (ls *Source) findUserDN(l *ldap.Conn, name string) (string, bool) {
 	log.Trace("Search for LDAP user: %s", name)
-	if ls.BindDN != "" && ls.BindPassword != "" {
-		err := l.Bind(ls.BindDN, ls.BindPassword)
-		if err != nil {
-			log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
-			return "", false
-		}
-		log.Trace("Bound as BindDN %s", ls.BindDN)
-	} else {
-		log.Trace("Proceeding with anonymous LDAP search.")
-	}
 	// A search for the user.
 	userFilter, ok := ls.sanitizedUserQuery(name)
@@ -203,20 +193,48 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul
 		var ok bool
 		userDN, ok = ls.sanitizedUserDN(name)
+
 		if !ok {
 			return nil
 		}
+
+		err = bindUser(l, userDN, passwd)
+		if err != nil {
+			return nil
+		}
+
+		if ls.UserBase != "" {
+			// not everyone has a CN compatible with input name so we need to find
+			// the real userDN in that case
+
+			userDN, ok = ls.findUserDN(l, name)
+			if !ok {
+				return nil
+			}
+		}
 	} else {
 		log.Trace("LDAP will use BindDN.")
 		var found bool
+
+		if ls.BindDN != "" && ls.BindPassword != "" {
+			err := l.Bind(ls.BindDN, ls.BindPassword)
+			if err != nil {
+				log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
+				return nil
+			}
+			log.Trace("Bound as BindDN %s", ls.BindDN)
+		} else {
+			log.Trace("Proceeding with anonymous LDAP search.")
+		}
+
+		userDN, found = ls.findUserDN(l, name)
 		if !found {
 			return nil
 		}
 	}
-	if directBind || !ls.AttributesInBind {
+	if !ls.AttributesInBind {
 		// binds user (checking password) before looking-up attributes in user context
 		err = bindUser(l, userDN, passwd)
 		if err != nil {
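Review bot: In the directBind branch of the second hunk the password is already verified by `err = bindUser(l, userDN, passwd)` before the UserBase lookup, so the later `if !ls.AttributesInBind { err = bindUser(l, userDN, passwd) ... }` repeats the identical bind when UserBase is empty and, when UserBase is set, re-binds as the DN returned by findUserDN instead of the templated one, while its comment `// binds user (checking password) before looking-up attributes in user context` now only describes the BindDN path. If that second bind is not meant to switch the session to the found DN, guard it with `if !directBind && !ls.AttributesInBind {` and say so in the comment; otherwise the comment should state that direct-bind users are authenticated twice, once per DN. Because the BindDN bind was moved out of findUserDN (first hunk), the search in the direct-bind branch now runs under the end user's own session, so a directory that only grants search rights to BindDN will make findUserDN fail after a correct password — worth a sentence in the UserBase option's help text. Neither bind site in this hunk rejects an empty passwd; if SearchEntry does not check that before this point (its start is outside the hunk), an LDAP server configured to permit unauthenticated simple binds would accept an empty password here. SearchEntry also continues past the end of the hunk.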