nathan/smt
1
0
Fork 0
Code Issues 4 Pull Requests Packages Projects Releases 2 Wiki Activity

handle ldap usernames that don't include domain name
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Nathan Coad
2024-01-04 20:57:05 +11:00
parent ffa8778d2b
commit 8068ddc0b2
1 changed files with 35 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
models/ldap.go
View File

@@ -26,6 +26,7 @@ var ldaps *ldap.Conn
var CertLoaded bool var CertLoaded bool
var LdapEnabled bool var LdapEnabled bool
var LdapBaseDn string var LdapBaseDn string
var DefaultDomainSuffix string
func GetFilePath(path string) string { func GetFilePath(path string) string {
// Check for empty filename // Check for empty filename
@@ -48,6 +49,30 @@ func GetFilePath(path string) string {
return path return path
} }
// DomainSuffixFromNamingContext will convert DC=example,DC=com to example.com
func DomainSuffixFromNamingContext(input string) string {
tokens := strings.Split(input, ",")
var args []string
for _, token := range tokens {
parts := strings.Split(token, "=")
if len(parts) == 2 && parts[0] == "DC" {
args = append(args, parts[1])
}
}
return strings.Join(args, ".")
}
func CheckUsername(username string) string {
if strings.ContainsAny(username, "/@") {
// Username contains forward slash or at symbol
return username
}
// Append suffix to the username
log.Printf("CheckUsername appending default domain suffix '%s'\n", DefaultDomainSuffix)
return username + "@" + DefaultDomainSuffix
}
func loadLdapCert() { func loadLdapCert() {
var err error var err error
// Get a copy of the system defined CA's // Get a copy of the system defined CA's
@@ -130,12 +155,15 @@ func LdapSetup() bool {
LdapEnabled = true LdapEnabled = true
LookupNamingContext() namingContext := LookupNamingContext()
if namingContext != "" {
DefaultDomainSuffix = DomainSuffixFromNamingContext(namingContext)
}
return true return true
} }
func LookupNamingContext() { func LookupNamingContext() string {
// Retrieve the defaultNamingContext // Retrieve the defaultNamingContext
searchRequest := ldap.NewSearchRequest( searchRequest := ldap.NewSearchRequest(
"", "",
@@ -148,25 +176,27 @@ func LookupNamingContext() {
searchResult, err := ldaps.Search(searchRequest) searchResult, err := ldaps.Search(searchRequest)
if err != nil { if err != nil {
log.Printf("LookupNamingContext unable to perform unauthenticated search : '%s'\n", err) log.Printf("LookupNamingContext unable to perform unauthenticated search : '%s'\n", err)
return return ""
} }
if len(searchResult.Entries) != 1 { if len(searchResult.Entries) != 1 {
log.Printf("LookupNamingContext unable to retrieve defaultNamingContext\n") log.Printf("LookupNamingContext unable to retrieve defaultNamingContext\n")
return return ""
} }
defaultNamingContext := searchResult.Entries[0].GetAttributeValue("defaultNamingContext") defaultNamingContext := searchResult.Entries[0].GetAttributeValue("defaultNamingContext")
if defaultNamingContext == "" { if defaultNamingContext == "" {
log.Printf("LookupNamingContext defaultNamingContext attribute not found\n") log.Printf("LookupNamingContext defaultNamingContext attribute not found\n")
return return ""
} }
log.Printf("Default Naming Context: '%s'\n", defaultNamingContext) log.Printf("Default Naming Context: '%s'\n", defaultNamingContext)
return defaultNamingContext
} }
func VerifyLdapCreds(username string, password string) bool { func VerifyLdapCreds(username string, password string) bool {
var err error var err error
username = CheckUsername(username)
// try an authenticated bind to AD to verify credentials // try an authenticated bind to AD to verify credentials
log.Printf("Attempting LDAP bind with user '%s' and password length '%d'\n", username, len(password)) log.Printf("Attempting LDAP bind with user '%s' and password length '%d'\n", username, len(password))