Merge pull request #2634 from nanoant/patch/ldap-attributes-in-bind

LDAP: Fetch attributes in Bind DN context
2016-02-20 14:44:21 -05:00 · 2016-02-20 14:44:21 -05:00 · 7e0baf4136
commit 7e0baf4136
parent a703f7d7b4 a9981d8099
6 changed files with 741 additions and 931 deletions
--- a/conf/locale/locale_en-US.ini
+++ b/conf/locale/locale_en-US.ini
@ -921,6 +921,7 @@ auths.attribute_username_placeholder = Leave empty to use sign-in form field val
 auths.attribute_name = First name attribute
 auths.attribute_surname = Surname attribute
 auths.attribute_mail = Email attribute
+auths.attributes_in_bind = Fetch attributes in Bind DN context
 auths.filter = User Filter
 auths.admin_filter = Admin Filter
 auths.ms_ad_sa = Ms Ad SA
--- a/modules/auth/auth_form.go
+++ b/modules/auth/auth_form.go
@ -23,6 +23,7 @@ type AuthenticationForm struct {
 	AttributeName     string
 	AttributeSurname  string
 	AttributeMail     string
+	AttributesInBind  bool
 	Filter            string
 	AdminFilter       string
 	IsActive          bool
--- a/modules/auth/ldap/ldap.go
+++ b/modules/auth/ldap/ldap.go
@ -31,6 +31,7 @@ type Source struct {
 	AttributeName     string // First name attribute
 	AttributeSurname  string // Surname attribute
 	AttributeMail     string // E-mail attribute
+	AttributesInBind  bool   // fetch attributes in bind context (not user)
 	Filter            string // Query filter to validate entry
 	AdminFilter       string // Query filter to check if user is admin
 	Enabled           bool   // if this source is disabled
@ -58,18 +59,10 @@ func (ls *Source) sanitizedUserDN(username string) (string, bool) {
 	return fmt.Sprintf(ls.UserDN, username), true
 }

-func (ls *Source) FindUserDN(name string) (string, bool) {
-	l, err := ldapDial(ls)
-	if err != nil {
-		log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
-		ls.Enabled = false
-		return "", false
-	}
-	defer l.Close()
-
+func (ls *Source) findUserDN(l *ldap.Conn, name string) (string, bool) {
 	log.Trace("Search for LDAP user: %s", name)
 	if ls.BindDN != "" && ls.BindPassword != "" {
-		err = l.Bind(ls.BindDN, ls.BindPassword)
+		err := l.Bind(ls.BindDN, ls.BindPassword)
 		if err != nil {
 			log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
 			return "", false
@ -85,7 +78,7 @@ func (ls *Source) FindUserDN(name string) (string, bool) {
 		return "", false
 	}

-	log.Trace("Searching using filter %s", userFilter)
+	log.Trace("Searching for DN using filter %s and base %s", userFilter, ls.UserBase)
 	search := ldap.NewSearchRequest(
 		ls.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0,
 		false, userFilter, []string{}, nil)
@ -111,6 +104,14 @@ func (ls *Source) FindUserDN(name string) (string, bool) {

 // searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
 func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, string, string, string, bool, bool) {
+	l, err := ldapDial(ls)
+	if err != nil {
+		log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
+		ls.Enabled = false
+		return "", "", "", "", false, false
+	}
+	defer l.Close()
+
 	var userDN string
 	if directBind {
 		log.Trace("LDAP will bind directly via UserDN template: %s", ls.UserDN)
@ -124,33 +125,26 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
 		log.Trace("LDAP will use BindDN.")

 		var found bool
-		userDN, found = ls.FindUserDN(name)
+		userDN, found = ls.findUserDN(l, name)
 		if !found {
 			return "", "", "", "", false, false
 		}
 	}

-	l, err := ldapDial(ls)
-	if err != nil {
-		log.Error(4, "LDAP Connect error (%s): %v", ls.Host, err)
-		ls.Enabled = false
-		return "", "", "", "", false, false
-	}
-	defer l.Close()
-
-	log.Trace("Binding with userDN: %s", userDN)
-	err = l.Bind(userDN, passwd)
-	if err != nil {
-		log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)
-		return "", "", "", "", false, false
+	if directBind || !ls.AttributesInBind {
+		// binds user (checking password) before looking-up attributes in user context
+		err = bindUser(l, userDN, passwd)
+		if err != nil {
+			return "", "", "", "", false, false
+		}
 	}

-	log.Trace("Bound successfully with userDN: %s", userDN)
 	userFilter, ok := ls.sanitizedUserQuery(name)
 	if !ok {
 		return "", "", "", "", false, false
 	}

+	log.Trace("Fetching attributes '%v', '%v', '%v', '%v' with filter %s and base %s", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, userFilter, userDN)
 	search := ldap.NewSearchRequest(
 		userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,
 		[]string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail},
@ -177,6 +171,7 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str

 	admin_attr := false
 	if len(ls.AdminFilter) > 0 {
+		log.Trace("Checking admin with filter %s and base %s", ls.AdminFilter, userDN)
 		search = ldap.NewSearchRequest(
 			userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.AdminFilter,
 			[]string{ls.AttributeName},
@ -192,9 +187,28 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
 		}
 	}

+	if !directBind && ls.AttributesInBind {
+		// binds user (checking password) after looking-up attributes in BindDN context
+		err = bindUser(l, userDN, passwd)
+		if err != nil {
+			return "", "", "", "", false, false
+		}
+	}
+
 	return username_attr, name_attr, sn_attr, mail_attr, admin_attr, true
 }

+func bindUser(l *ldap.Conn, userDN, passwd string) error {
+	log.Trace("Binding with userDN: %s", userDN)
+	err := l.Bind(userDN, passwd)
+	if err != nil {
+		log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)
+		return err
+	}
+	log.Trace("Bound successfully with userDN: %s", userDN)
+	return err
+}
+
 func ldapDial(ls *Source) (*ldap.Conn, error) {
 	if ls.UseSSL {
 		log.Debug("Using TLS for LDAP without verifying: %v", ls.SkipVerify)
--- a/modules/bindata/bindata.go
+++ b/modules/bindata/bindata.go
--- a/routers/admin/auths.go
+++ b/routers/admin/auths.go
@ -81,6 +81,7 @@ func parseLDAPConfig(form auth.AuthenticationForm) *models.LDAPConfig {
 			AttributeName:     form.AttributeName,
 			AttributeSurname:  form.AttributeSurname,
 			AttributeMail:     form.AttributeMail,
+			AttributesInBind:  form.AttributesInBind,
 			Filter:            form.Filter,
 			AdminFilter:       form.AdminFilter,
 			Enabled:           true,
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@ -79,6 +79,14 @@
 								<label for="attribute_mail">{{.i18n.Tr "admin.auths.attribute_mail"}}</label>
 								<input id="attribute_mail" name="attribute_mail" value="{{$cfg.AttributeMail}}" placeholder="e.g. mail" required>
 							</div>
+							{{if .Source.IsLDAP}}
+								<div class="inline field">
+									<div class="ui checkbox">
+										<label><strong>{{.i18n.Tr "admin.auths.attributes_in_bind"}}</strong></label>
+										<input name="attributes_in_bind" type="checkbox" {{if $cfg.AttributesInBind}}checked{{end}}>
+									</div>
+								</div>
+							{{end}}
 						{{end}}

 						<!-- SMTP -->