From d45e61f59e9ed440e7e4122dd8d6bcd91ce13324 Mon Sep 17 00:00:00 2001
From: Nathan Coad
Date: Fri, 5 Jan 2024 11:45:35 +1100
Subject: [PATCH] avoid unnecessary ldap bind for first user login

---
 models/ldap.go | 4 +++-
 models/user.go | 34 +++++++++++++++++++++++-----------
 2 files changed, 26 insertions(+), 12 deletions(-)

diff --git a/models/ldap.go b/models/ldap.go
index cd56c04..3ddcb6b 100644
--- a/models/ldap.go
+++ b/models/ldap.go
@@ -185,12 +185,14 @@ func ldapConnect() *ldap.Conn {
 InsecureSkipVerify: LdapInsecure,
 }
+ log.Printf("ldapConnect initiating connection\n")
 ldaps, err := ldap.DialTLS("tcp", LdapServer, tlsConfig)
 if err != nil {
- log.Printf("VerifyLdapCreds error connecting to LDAP bind address '%s' : '%s'\n", LdapServer, err)
+ log.Printf("VerifyLdapCreds error connecting to LDAP server '%s' : '%s'\n", LdapServer, err)
 return nil
 }
+ log.Printf("ldapConnect connection succeeded\n")
 return ldaps
 }
diff --git a/models/user.go b/models/user.go
index 6413215..a75f762 100644
--- a/models/user.go
+++ b/models/user.go
@@ -93,9 +93,8 @@ func VerifyPassword(password, hashedPassword string) error {
 }
 func LoginCheck(username string, password string) (string, error) {
- var err error
-
+ newLdapUser := false
 u := User{}
 // Query database for matching user object
@@ -119,6 +118,11 @@ func LoginCheck(username string, password string) (string, error) {
 } else {
 log.Printf("LoginCheck verified LDAP user successfully\n")
 u = ldapUser
+
+ // Since this user wasn't in the database, they must have been logging in for the first time
+ // So we don't need to repeat the ldap bind and verification
+ newLdapUser = true
+
 }
 } else {
 // LDAP is not enabled, if user is not in the database then they can't login
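Review bot: The rewritten error message in the `-`/`+` pair still opens with `VerifyLdapCreds` although the enclosing function is `ldapConnect`, so the log attributes a connection failure to the wrong function; since the commit already touches that string it should also fix the prefix: `log.Printf("ldapConnect error connecting to LDAP server '%s' : '%s'\n", LdapServer, err)`. The new "connection succeeded" line would be more useful to an operator if it recorded whether certificate verification was disabled, given the `InsecureSkipVerify: LdapInsecure` in the context just above: `log.Printf("ldapConnect connection succeeded (InsecureSkipVerify=%t)\n", LdapInsecure)`. ldapConnect's body begins before the hunk.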
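Review bot: The comment above `newLdapUser = true` justifies skipping the later bind by reasoning about login history ("must have been logging in for the first time"), but what actually makes the skip safe is that the call that produced `ldapUser` — presumably LdapLoginCheck, which takes the password, though that call sits outside the hunk — already bound to LDAP with the supplied password. The comment should state that invariant directly, e.g. `// LdapLoginCheck already bound as this user with the supplied password; that bind is the credential check, so do not require a second one below`, because if that lookup ever resolves the user through a service-account search instead, this flag would let an unverified password through. LoginCheck continues outside the hunk on both sides.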
@@ -132,6 +136,7 @@ func LoginCheck(username string, password string) (string, error) {
 //log.Printf("u: %v\n", u)
 if !u.LdapUser {
+ // Locally defined user, perform password verification
 err = VerifyPassword(password, u.Password)
 if err != nil && err == bcrypt.ErrMismatchedHashAndPassword {
@@ -141,17 +146,24 @@ func LoginCheck(username string, password string) (string, error) {
 log.Printf("LoginCheck verified password against stored hash.\n")
 }
 } else {
- err := VerifyLdapCreds(username, password)
+ // LDAP user, verify credential if user wasn't logging in for the first time
+ if !newLdapUser {
+ err := VerifyLdapCreds(username, password)
- if err != nil {
- errString := fmt.Sprintf("LoginCheck LDAP user bind unsuccessful : '%s'\n", err)
- log.Print(errString)
- return "", errors.New(errString)
+ if err != nil {
+ errString := fmt.Sprintf("LoginCheck LDAP user bind unsuccessful : '%s'\n", err)
+ log.Print(errString)
+ return "", errors.New(errString)
+ } else {
+ log.Printf("LoginCheck successfully verified LDAP user\n")
+ }
 } else {
- log.Printf("LoginCheck successfully verified LDAP user\n")
+ log.Printf("LoginCheck no need to repeat LDAP bind for new user login\n")
 }
 }
+ // If we reached this point then the login was successful
+ // Generate a new token and return it to the user
 token, err := token.GenerateToken(uint(u.UserId))
 if err != nil {
@@ -191,9 +203,9 @@ func LdapLoginCheck(username string, password string) (User, error) {
 u.RoleId = role.RoleId
 matchFound = true
 break
- } else {
- //log.Printf("Role '%s' with LDAP group '%s' not match user group '%s'\n", role.RoleName, role.LdapGroup, group)
- }
+ } //else {
+ //log.Printf("Role '%s' with LDAP group '%s' not match user group '%s'\n", role.RoleName, role.LdapGroup, group)
+ //}
 }
 }
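Review bot: The guard `if !newLdapUser` in the second hunk makes the only credential check for a returning LDAP user depend on a flag whose name says "not in the database" rather than "password already verified", so any future path that sets it without a successful bind silently disables authentication. Naming the flag for the property the guard actually needs — `ldapCredsVerified := false` at the declaration, `ldapCredsVerified = true` where the bind succeeded, `if !ldapCredsVerified {` here — makes the skip self-documenting and harder to misuse. The `else` branch that only logs `"LoginCheck no need to repeat LDAP bind for new user login"` could then be dropped, as the comment above the guard already says this; the inner `err :=` shadows the outer `err` used by the password branch, which is harmless here because it is consumed within the block. LoginCheck starts and ends outside the hunk.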