From 2d1db4bf055a425bf4529b2f9f0378d58e3ec648 Mon Sep 17 00:00:00 2001
From: Sergio Benitez
Date: Fri, 4 Sep 2015 20:39:23 -0700
Subject: Added LDAP simple auth support.
---
 modules/auth/auth_form.go | 1 +
 modules/auth/ldap/ldap.go | 25 ++++++++++++++++++++-----
 2 files changed, 21 insertions(+), 5 deletions(-)
(limited to 'modules/auth')
diff --git a/modules/auth/auth_form.go b/modules/auth/auth_form.go
index b2d427b4..c1d49f66 100644
--- a/modules/auth/auth_form.go
+++ b/modules/auth/auth_form.go
@@ -19,6 +19,7 @@ type AuthenticationForm struct {
 BindDN string `form:"bind_dn"`
 BindPassword string
 UserBase string
+ UserDN string `form:"user_dn"`
 AttributeName string
 AttributeSurname string
 AttributeMail string
diff --git a/modules/auth/ldap/ldap.go b/modules/auth/ldap/ldap.go
index de1108fd..61cfca90 100644
--- a/modules/auth/ldap/ldap.go
+++ b/modules/auth/ldap/ldap.go
@@ -22,6 +22,7 @@ type Ldapsource struct {
 BindDN string // DN to bind with
 BindPassword string // Bind DN password
 UserBase string // Base search path for users
+ UserDN string // Template for the DN of the user for simple auth
 AttributeName string // First name attribute
 AttributeSurname string // Surname attribute
 AttributeMail string // E-mail attribute
@@ -78,10 +79,19 @@ func (ls Ldapsource) FindUserDN(name string) (string, bool) {
 }
 
 // searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
-func (ls Ldapsource) SearchEntry(name, passwd string) (string, string, string, bool, bool) {
- userDN, found := ls.FindUserDN(name)
- if !found {
- return "", "", "", false, false
+func (ls Ldapsource) SearchEntry(name, passwd string, directBind bool) (string, string, string, bool, bool) {
+ var userDN string
+ if directBind {
+ log.Trace("LDAP will bind directly via UserDN template: %s", ls.UserDN)
+ userDN = fmt.Sprintf(ls.UserDN, name)
+ } else {
+ log.Trace("LDAP will use BindDN.")
+
+ var found bool
+ userDN, found = ls.FindUserDN(name)
+ if !found {
+ return "", "", "", false, false
+ }
 }
 
 l, err := ldapDial(ls)
@@ -112,7 +122,12 @@ func (ls Ldapsource) SearchEntry(name, passwd string) (string, string, string, b
 log.Error(4, "LDAP Search failed unexpectedly! (%v)", err)
 return "", "", "", false, false
 } else if len(sr.Entries) < 1 {
- log.Error(4, "LDAP Search failed unexpectedly! (0 entries)")
+ if directBind {
+ log.Error(4, "User filter inhibited user login.")
+ } else {
+ log.Error(4, "LDAP Search failed unexpectedly! (0 entries)")
+ }
+
 return "", "", "", false, false
 }
 
-- cgit v1.2.3
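Review bot: `userDN = fmt.Sprintf(ls.UserDN, name)` in the directBind branch substitutes the login name into the DN template verbatim, so a name containing the characters RFC 4514 treats specially (`,`, `+`, `=`, `"`, `\`, `<`, `>`, `;`, a leading `#`, or a leading/trailing space) changes the structure of the DN that is subsequently bound, rather than being treated as part of the RDN value; the value should be escaped before substitution, for example with the helper below and `userDN = fmt.Sprintf(ls.UserDN, escapeDN(name))`. The template itself is never checked for containing exactly one `%s`, and Sprintf turns a mismatch into a malformed DN instead of an error, so validating UserDN when the source is configured would make misconfiguration visible. The bind with passwd happens later in SearchEntry, outside this hunk; since an LDAP simple bind with an empty password is an unauthenticated bind that many directories accept (RFC 4513 §5.1.2), the directBind path in particular should return the failure tuple when passwd is empty before dialing, because nothing else on that path establishes that the user exists. SearchEntry's body continues past the hunk.
```go
// escapeDN escapes the characters RFC 4514 treats specially inside an
// attribute value, so a login name cannot change the structure of the DN
// built from the UserDN template.
func escapeDN(v string) string {
	out := make([]byte, 0, len(v)+8)
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch {
		case c == ',' || c == '+' || c == '"' || c == '\\' || c == '<' || c == '>' || c == ';' || c == '=',
			c == '#' && i == 0,
			c == ' ' && (i == 0 || i == len(v)-1):
			out = append(out, '\\')
		}
		out = append(out, c)
	}
	return string(out)
}

func (ls Ldapsource) SearchEntry(name, passwd string, directBind bool) (string, string, string, bool, bool) {
	var userDN string
	if directBind {
		log.Trace("LDAP will bind directly via UserDN template: %s", ls.UserDN)
		userDN = fmt.Sprintf(ls.UserDN, escapeDN(name))
	} else {
		// … unchanged: FindUserDN lookup …
	}
	// … unchanged: dial, bind and search …
```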
@@ -4,61 +4,97 @@ Gogs LDAP Authentication Module ## About This authentication module attempts to authorize and authenticate a user -against an LDAP server. Like most LDAP authentication systems, this module does -this in two steps. First, it queries the LDAP server using a Bind DN and +against an LDAP server. It provides two methods of authenitcation: LDAP via +BindDN, and LDAP simple authentication. + +LDAP via BindDN functions like most LDAP authentication systems. +First, it queries the LDAP server using a Bind DN and searches for the user that is attempting to sign in. If the user is found, the module attempts to bind to the server using the user's supplied credentials. If this succeeds, the user has been authenticated, and his account information is retrieved and passed to the Gogs login infrastructure. +LDAP simple authentication does not utilize a Bind DN. Instead, it binds +directly with the LDAP server using the user's supplied credentials. If the bind +succeeds and no filter rules out the user, the user is authenticated. + +LDAP via BindDN is recommended for most users. By using a Bind DN, the server +can perform authorization by restricting which entries the Bind DN account can +read. Further, using a Bind DN with reduced permissions can reduce security risk +in the face of application bugs. + ## Usage To use this module, add an LDAP authentication source via the Authentications -section in the admin panel. The fields should be set as follows: +section in the admin panel. Both the LDAP via BindDN and the simple auth LDAP +share the following fields: * Authorization Name **(required)** - * A name to assign to the new method of authorization. + * A name to assign to the new method of authorization. * Host **(required)** - * The address where the LDAP server can be reached. - * Example: mydomain.com + * The address where the LDAP server can be reached. + * Example: mydomain.com * Port **(required)** - * The port to use when connecting to the server. 
- * Example: 636 + * The port to use when connecting to the server. + * Example: 636 * Enable TLS Encryption (optional) - * Whether to use TLS when connecting to the LDAP server. + * Whether to use TLS when connecting to the LDAP server. + +* Admin Filter (optional) + * An LDAP filter specifying if a user should be given administrator + privileges. If a user accounts passes the filter, the user will be + privileged as an administrator. + * Example: (objectClass=adminAccount) + +* First name attribute (optional) + * The attribute of the user's LDAP record containing the user's first name. + This will be used to populate their account information. + * Example: givenName + +* Surname attribute (optional) + * The attribute of the user's LDAP record containing the user's surname This + will be used to populate their account information. + * Example: sn + +* E-mail attribute **(required)** + * The attribute of the user's LDAP record containing the user's email + address. This will be used to populate their account information. + * Example: mail + +**LDAP via BindDN** adds the following fields: * Bind DN (optional) - * The DN to bind to the LDAP server with when searching for the user. - This may be left blank to perform an anonymous search. - * Example: cn=Search,dc=mydomain,dc=com + * The DN to bind to the LDAP server with when searching for the user. This + may be left blank to perform an anonymous search. + * Example: cn=Search,dc=mydomain,dc=com * Bind Password (optional) - * The password for the Bind DN specified above, if any. + * The password for the Bind DN specified above, if any. _Note: The password + is stored in plaintext at the server. As such, ensure that your Bind DN + has as few privileges as possible._ * User Search Base **(required)** - * The LDAP base at which user accounts will be searched for. - * Example: ou=Users,dc=mydomain,dc=com + * The LDAP base at which user accounts will be searched for. 
+ * Example: ou=Users,dc=mydomain,dc=com * User Filter **(required)** - * An LDAP filter declaring how to find the user record that is attempting - to authenticate. The '%s' matching parameter will be substituted with - the user's username. - * Example: (&(objectClass=posixAccount)(uid=%s)) + * An LDAP filter declaring how to find the user record that is attempting to + authenticate. The '%s' matching parameter will be substituted with the + user's username. + * Example: (&(objectClass=posixAccount)(uid=%s)) -* First name attribute (optional) - * The attribute of the user's LDAP record containing the user's first - name. This will be used to populate their account information. - * Example: givenName +**LDAP using simple auth** adds the following fields: -* Surname name attribute (optional) - * The attribute of the user's LDAP record containing the user's surname - This will be used to populate their account information. - * Example: sn +* User DN **(required)** + * A template to use as the user's DN. The `%s` matching parameter will be + substituted with the user's username. + * Example: cn=%s,ou=Users,dc=mydomain,dc=com + * Example: uid=%s,ou=Users,dc=mydomain,dc=com -* E-mail attribute **(required)** - * The attribute of the user's LDAP record containing the user's email - address. This will be used to populate their account information. - * Example: mail +* User Filter **(required)** + * An LDAP filter declaring when a user should be allowed to log in. The `%s` + matching parameter will be substituted with the user's username. + * Example: (&(objectClass=posixAccount)(uid=%s)) -- cgit v1.2.3 From 079a2d68db5c843ef2dbba65aeca46d5887d6b02 Mon Sep 17 00:00:00 2001 From: Sergio Benitez Date: Sat, 5 Sep 2015 15:26:31 -0700 Subject: Minor fixes to the LDAP module readme --- modules/auth/ldap/README.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'modules/auth') 
diff --git a/modules/auth/ldap/README.md b/modules/auth/ldap/README.md index 8a03384f..3a3e0204 100644 --- a/modules/auth/ldap/README.md +++ b/modules/auth/ldap/README.md @@ -4,15 +4,15 @@ Gogs LDAP Authentication Module ## About This authentication module attempts to authorize and authenticate a user -against an LDAP server. It provides two methods of authenitcation: LDAP via +against an LDAP server. It provides two methods of authentication: LDAP via BindDN, and LDAP simple authentication. -LDAP via BindDN functions like most LDAP authentication systems. -First, it queries the LDAP server using a Bind DN and -searches for the user that is attempting to sign in. If the user is found, the -module attempts to bind to the server using the user's supplied credentials. If -this succeeds, the user has been authenticated, and his account information is -retrieved and passed to the Gogs login infrastructure. +LDAP via BindDN functions like most LDAP authentication systems. First, it +queries the LDAP server using a Bind DN and searches for the user that is +attempting to sign in. If the user is found, the module attempts to bind to the +server using the user's supplied credentials. If this succeeds, the user has +been authenticated, and his account information is retrieved and passed to the +Gogs login infrastructure. LDAP simple authentication does not utilize a Bind DN. Instead, it binds directly with the LDAP server using the user's supplied credentials. If the bind @@ -97,4 +97,5 @@ share the following fields: * User Filter **(required)** * An LDAP filter declaring when a user should be allowed to log in. The `%s` matching parameter will be substituted with the user's username. + * Example: (&(objectClass=posixAccount)(cn=%s)) * Example: (&(objectClass=posixAccount)(uid=%s)) -- cgit v1.2.3