aboutsummaryrefslogtreecommitdiff
path: root/modules/auth/ldap/ldap.go
diff options
context:
space:
mode:
Diffstat (limited to 'modules/auth/ldap/ldap.go')
-rw-r--r--modules/auth/ldap/ldap.go66
1 files changed, 40 insertions, 26 deletions
diff --git a/modules/auth/ldap/ldap.go b/modules/auth/ldap/ldap.go
index 7f36c8bd..8a8cb89b 100644
--- a/modules/auth/ldap/ldap.go
+++ b/modules/auth/ldap/ldap.go
@@ -31,6 +31,7 @@ type Source struct {
AttributeName string // First name attribute
AttributeSurname string // Surname attribute
AttributeMail string // E-mail attribute
+ AttributesInBind bool // fetch attributes in bind context (not user)
Filter string // Query filter to validate entry
AdminFilter string // Query filter to check if user is admin
Enabled bool // if this source is disabled
@@ -58,18 +59,10 @@ func (ls *Source) sanitizedUserDN(username string) (string, bool) {
return fmt.Sprintf(ls.UserDN, username), true
}
-func (ls *Source) FindUserDN(name string) (string, bool) {
- l, err := ldapDial(ls)
- if err != nil {
- log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
- ls.Enabled = false
- return "", false
- }
- defer l.Close()
-
+func (ls *Source) findUserDN(l *ldap.Conn, name string) (string, bool) {
log.Trace("Search for LDAP user: %s", name)
if ls.BindDN != "" && ls.BindPassword != "" {
- err = l.Bind(ls.BindDN, ls.BindPassword)
+ err := l.Bind(ls.BindDN, ls.BindPassword)
if err != nil {
log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
return "", false
@@ -85,7 +78,7 @@ func (ls *Source) FindUserDN(name string) (string, bool) {
return "", false
}
- log.Trace("Searching using filter %s", userFilter)
+ log.Trace("Searching for DN using filter %s and base %s", userFilter, ls.UserBase)
search := ldap.NewSearchRequest(
ls.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0,
false, userFilter, []string{}, nil)
@@ -111,6 +104,14 @@ func (ls *Source) FindUserDN(name string) (string, bool) {
// searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, string, string, string, bool, bool) {
+ l, err := ldapDial(ls)
+ if err != nil {
+ log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
+ ls.Enabled = false
+ return "", "", "", "", false, false
+ }
+ defer l.Close()
+
var userDN string
if directBind {
log.Trace("LDAP will bind directly via UserDN template: %s", ls.UserDN)
@@ -124,33 +125,26 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
log.Trace("LDAP will use BindDN.")
var found bool
- userDN, found = ls.FindUserDN(name)
+ userDN, found = ls.findUserDN(l, name)
if !found {
return "", "", "", "", false, false
}
}
- l, err := ldapDial(ls)
- if err != nil {
- log.Error(4, "LDAP Connect error (%s): %v", ls.Host, err)
- ls.Enabled = false
- return "", "", "", "", false, false
- }
- defer l.Close()
-
- log.Trace("Binding with userDN: %s", userDN)
- err = l.Bind(userDN, passwd)
- if err != nil {
- log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)
- return "", "", "", "", false, false
+ if directBind || !ls.AttributesInBind {
+ // binds user (checking password) before looking-up attributes in user context
+ err = bindUser(l, userDN, passwd)
+ if err != nil {
+ return "", "", "", "", false, false
+ }
}
- log.Trace("Bound successfully with userDN: %s", userDN)
userFilter, ok := ls.sanitizedUserQuery(name)
if !ok {
return "", "", "", "", false, false
}
+ log.Trace("Fetching attributes '%v', '%v', '%v', '%v' with filter %s and base %s", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, userFilter, userDN)
search := ldap.NewSearchRequest(
userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,
[]string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail},
@@ -177,6 +171,7 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
admin_attr := false
if len(ls.AdminFilter) > 0 {
+ log.Trace("Checking admin with filter %s and base %s", ls.AdminFilter, userDN)
search = ldap.NewSearchRequest(
userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.AdminFilter,
[]string{ls.AttributeName},
@@ -192,9 +187,28 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
}
}
+ if !directBind && ls.AttributesInBind {
+ // binds user (checking password) after looking-up attributes in BindDN context
+ err = bindUser(l, userDN, passwd)
+ if err != nil {
+ return "", "", "", "", false, false
+ }
+ }
+
return username_attr, name_attr, sn_attr, mail_attr, admin_attr, true
}
+func bindUser(l *ldap.Conn, userDN, passwd string) error {
+ log.Trace("Binding with userDN: %s", userDN)
+ err := l.Bind(userDN, passwd)
+ if err != nil {
+ log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)
+ return err
+ }
+ log.Trace("Bound successfully with userDN: %s", userDN)
+ return err
+}
+
func ldapDial(ls *Source) (*ldap.Conn, error) {
if ls.UseSSL {
log.Debug("Using TLS for LDAP without verifying: %v", ls.SkipVerify)
Powered by cgit, Themed by Ted Yin.