Correction LDAP validation (#342)
* Correction LDAP username validation As https://msdn.microsoft.com/en-us/library/aa366101(v=vs.85).aspx describe spaces should not be in start or at the end of username but they can be inside the username. So please check my solution for it. * Check for zero length passwords in LDAP module. According to https://tools.ietf.org/search/rfc4513#section-5.1.2 LDAP client should always check before bind whether a password is an empty value. There are at least one LDAP implementation which does not return error if you try to bind with DN set and empty password - AD. * Clearing the login/email spaces at the [start/end]
This commit is contained in:
parent
abcd39f7d5
commit
f0a989c1d0
2 changed files with 7 additions and 2 deletions
|
@ -548,9 +548,9 @@ func ExternalUserLogin(user *User, login, password string, source *LoginSource,
|
||||||
func UserSignIn(username, password string) (*User, error) {
|
func UserSignIn(username, password string) (*User, error) {
|
||||||
var user *User
|
var user *User
|
||||||
if strings.Contains(username, "@") {
|
if strings.Contains(username, "@") {
|
||||||
user = &User{Email: strings.ToLower(username)}
|
user = &User{Email: strings.ToLower(strings.TrimSpace(username))}
|
||||||
} else {
|
} else {
|
||||||
user = &User{LowerName: strings.ToLower(username)}
|
user = &User{LowerName: strings.ToLower(strings.TrimSpace(username))}
|
||||||
}
|
}
|
||||||
|
|
||||||
hasUser, err := x.Get(user)
|
hasUser, err := x.Get(user)
|
||||||
|
|
|
@ -151,6 +151,11 @@ func bindUser(l *ldap.Conn, userDN, passwd string) error {
|
||||||
|
|
||||||
// SearchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
|
// SearchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
|
||||||
func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, string, string, string, bool, bool) {
|
func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, string, string, string, bool, bool) {
|
||||||
|
// See https://tools.ietf.org/search/rfc4513#section-5.1.2
|
||||||
|
if len(passwd) == 0 {
|
||||||
|
log.Debug("Auth. failed for %s, password cannot be empty")
|
||||||
|
return "", "", "", "", false, false
|
||||||
|
}
|
||||||
l, err := dial(ls)
|
l, err := dial(ls)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
|
log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
|
||||||
|
|
Reference in a new issue