summaryrefslogtreecommitdiffstats
path: root/modules/auth/ldap/ldap.go
diff options
context:
space:
mode:
Diffstat (limited to 'modules/auth/ldap/ldap.go')
-rw-r--r--modules/auth/ldap/ldap.go32
1 files changed, 26 insertions, 6 deletions
diff --git a/modules/auth/ldap/ldap.go b/modules/auth/ldap/ldap.go
index 8fbefb4341..376092fcb0 100644
--- a/modules/auth/ldap/ldap.go
+++ b/modules/auth/ldap/ldap.go
@@ -31,6 +31,7 @@ type Source struct {
AttributeName string // First name attribute
AttributeSurname string // Surname attribute
AttributeMail string // E-mail attribute
+ AttributesInBind bool // fetch attributes in bind context (not user)
Filter string // Query filter to validate entry
AdminFilter string // Query filter to check if user is admin
Enabled bool // if this source is disabled
@@ -130,14 +131,14 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
}
}
- log.Trace("Binding with userDN: %s", userDN)
- err = l.Bind(userDN, passwd)
- if err != nil {
- log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)
- return "", "", "", "", false, false
+ if directBind || !ls.AttributesInBind {
+ // binds user (checking password) before looking-up attributes in user context
+ err = bindUser(l, userDN, passwd)
+ if err != nil {
+ return "", "", "", "", false, false
+ }
}
- log.Trace("Bound successfully with userDN: %s", userDN)
userFilter, ok := ls.sanitizedUserQuery(name)
if !ok {
return "", "", "", "", false, false
@@ -184,9 +185,28 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
}
}
+ if !directBind && ls.AttributesInBind {
+ // binds user (checking password) after looking-up attributes in BindDN context
+ err = bindUser(l, userDN, passwd)
+ if err != nil {
+ return "", "", "", "", false, false
+ }
+ }
+
return username_attr, name_attr, sn_attr, mail_attr, admin_attr, true
}
+func bindUser(l *ldap.Conn, userDN, passwd string) error {
+ log.Trace("Binding with userDN: %s", userDN)
+ err := l.Bind(userDN, passwd)
+ if err != nil {
+ log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)
+ return err
+ }
+ log.Trace("Bound successfully with userDN: %s", userDN)
+ return err
+}
+
func ldapDial(ls *Source) (*ldap.Conn, error) {
if ls.UseSSL {
log.Debug("Using TLS for LDAP without verifying: %v", ls.SkipVerify)
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-29 09:33:28 +0000