summaryrefslogtreecommitdiffstats
path: root/modules/auth/ldap
diff options
context:
space:
mode:
Diffstat (limited to 'modules/auth/ldap')
-rw-r--r--modules/auth/ldap/ldap.go31
1 files changed, 24 insertions, 7 deletions
diff --git a/modules/auth/ldap/ldap.go b/modules/auth/ldap/ldap.go
index 82d66fec37..7596762db5 100644
--- a/modules/auth/ldap/ldap.go
+++ b/modules/auth/ldap/ldap.go
@@ -26,6 +26,7 @@ type Ldapsource struct {
AttributeSurname string // Surname attribute
AttributeMail string // E-mail attribute
Filter string // Query filter to validate entry
+ AdminFilter string // Query filter to check if user is admin
Enabled bool // if this source is disabled
}
@@ -77,17 +78,17 @@ func (ls Ldapsource) FindUserDN(name string) (string, bool) {
}
// searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
-func (ls Ldapsource) SearchEntry(name, passwd string) (string, string, string, bool) {
+func (ls Ldapsource) SearchEntry(name, passwd string) (string, string, string, bool, bool) {
userDN, found := ls.FindUserDN(name)
if !found {
- return "", "", "", false
+ return "", "", "", false, false
}
l, err := ldapDial(ls)
if err != nil {
log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
ls.Enabled = false
- return "", "", "", false
+ return "", "", "", false, false
}
defer l.Close()
@@ -96,7 +97,7 @@ func (ls Ldapsource) SearchEntry(name, passwd string) (string, string, string, b
err = l.Bind(userDN, passwd)
if err != nil {
log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)
- return "", "", "", false
+ return "", "", "", false, false
}
log.Trace("Bound successfully with userDN: %s", userDN)
@@ -109,16 +110,32 @@ func (ls Ldapsource) SearchEntry(name, passwd string) (string, string, string, b
sr, err := l.Search(search)
if err != nil {
log.Error(4, "LDAP Search failed unexpectedly! (%v)", err)
- return "", "", "", false
+ return "", "", "", false, false
} else if len(sr.Entries) < 1 {
log.Error(4, "LDAP Search failed unexpectedly! (0 entries)")
- return "", "", "", false
+ return "", "", "", false, false
}
name_attr := sr.Entries[0].GetAttributeValue(ls.AttributeName)
sn_attr := sr.Entries[0].GetAttributeValue(ls.AttributeSurname)
mail_attr := sr.Entries[0].GetAttributeValue(ls.AttributeMail)
- return name_attr, sn_attr, mail_attr, true
+
+ search = ldap.NewSearchRequest(
+ userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.AdminFilter,
+ []string{ls.AttributeName},
+ nil)
+
+ sr, err = l.Search(search)
+ admin_attr := false
+ if err != nil {
+ log.Error(4, "LDAP Admin Search failed unexpectedly! (%v)", err)
+ } else if len(sr.Entries) < 1 {
+ log.Error(4, "LDAP Admin Search failed")
+ } else {
+ admin_attr = true
+ }
+
+ return name_attr, sn_attr, mail_attr, admin_attr, true
}
func ldapDial(ls Ldapsource) (*ldap.Conn, error) {
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-14 10:35:33 +0000