From 8068ddc0b242ff3f19e4828829edf83338365a8f Mon Sep 17 00:00:00 2001 From: Nathan Coad Date: Thu, 4 Jan 2024 20:57:05 +1100 Subject: [PATCH] handle ldap usernames that don't include domain name --- models/ldap.go | 40 +++++++++++++++++++++++++++++++++++----- 1 file changed, 35 insertions(+), 5 deletions(-) diff --git a/models/ldap.go b/models/ldap.go index f47fc01..9dcaab7 100644 --- a/models/ldap.go +++ b/models/ldap.go @@ -26,6 +26,7 @@ var ldaps *ldap.Conn var CertLoaded bool var LdapEnabled bool var LdapBaseDn string +var DefaultDomainSuffix string func GetFilePath(path string) string { // Check for empty filename @@ -48,6 +49,30 @@ func GetFilePath(path string) string { return path } +// DomainSuffixFromNamingContext will convert DC=example,DC=com to example.com +func DomainSuffixFromNamingContext(input string) string { + tokens := strings.Split(input, ",") + var args []string + for _, token := range tokens { + parts := strings.Split(token, "=") + if len(parts) == 2 && parts[0] == "DC" { + args = append(args, parts[1]) + } + } + return strings.Join(args, ".") +} + +func CheckUsername(username string) string { + if strings.ContainsAny(username, "/@") { + // Username contains forward slash or at symbol + return username + } + + // Append suffix to the username + log.Printf("CheckUsername appending default domain suffix '%s'\n", DefaultDomainSuffix) + return username + "@" + DefaultDomainSuffix +} + func loadLdapCert() { var err error // Get a copy of the system defined CA's @@ -130,12 +155,15 @@ func LdapSetup() bool { LdapEnabled = true - LookupNamingContext() + namingContext := LookupNamingContext() + if namingContext != "" { + DefaultDomainSuffix = DomainSuffixFromNamingContext(namingContext) + } return true } -func LookupNamingContext() { +func LookupNamingContext() string { // Retrieve the defaultNamingContext searchRequest := ldap.NewSearchRequest( "", 
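Review bot: CheckUsername appends `@` even when DefaultDomainSuffix is empty, which is exactly the state LdapSetup (third hunk) leaves it in when LookupNamingContext returns nothing, so a bare `user` becomes `user@` and the bind is attempted with a malformed name; guard with `if DefaultDomainSuffix == "" || strings.ContainsAny(username, "/@") {` so the name passes through unchanged in that case. The pass-through check tests for a forward slash while the common down-level form uses a backslash (`DOMAIN\user`); if that form is meant to be left alone too, the set should be `"/\\@"`. In DomainSuffixFromNamingContext the RDN type comparison is case-sensitive and untrimmed, so `dc=example, dc=com` yields an empty suffix; `parts[0] = strings.TrimSpace(parts[0])` followed by `strings.EqualFold(parts[0], "DC")` covers both. CheckUsername is exported but has no doc comment; `// CheckUsername qualifies a bare username with DefaultDomainSuffix; names already containing '/' or '@' are returned unchanged.` would do.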
@@ -148,25 +176,27 @@ func LookupNamingContext() { searchResult, err := ldaps.Search(searchRequest) if err != nil { log.Printf("LookupNamingContext unable to perform unauthenticated search : '%s'\n", err) - return + return "" } if len(searchResult.Entries) != 1 { log.Printf("LookupNamingContext unable to retrieve defaultNamingContext\n") - return + return "" } defaultNamingContext := searchResult.Entries[0].GetAttributeValue("defaultNamingContext") if defaultNamingContext == "" { log.Printf("LookupNamingContext defaultNamingContext attribute not found\n") - return + return "" } log.Printf("Default Naming Context: '%s'\n", defaultNamingContext) + return defaultNamingContext } func VerifyLdapCreds(username string, password string) bool { var err error + username = CheckUsername(username) // try an authenticated bind to AD to verify credentials log.Printf("Attempting LDAP bind with user '%s' and password length '%d'\n", username, len(password))
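Review bot: LookupNamingContext now returns `""` from three distinct failure paths (search error, entry count not 1, empty defaultNamingContext attribute) and nothing documents that the empty string is the failure sentinel LdapSetup relies on; add `// LookupNamingContext returns the server's defaultNamingContext, or "" if it could not be retrieved (the cause is logged).` above the function, whose signature line is in the previous hunk. Returning `(string, error)` would let the caller tell the cases apart, but the sentinel is acceptable once documented. In VerifyLdapCreds the added `username = CheckUsername(username)` means the bind log on the following line records the rewritten identity rather than the caller's input; if that is intended, a short comment such as `// Qualify bare usernames with the default domain suffix before binding` makes it explicit. VerifyLdapCreds continues past the end of the hunk.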