avoid unnecessary ldap bind for first user login
@@ -185,12 +185,14 @@ func ldapConnect() *ldap.Conn {
|
|||||||
InsecureSkipVerify: LdapInsecure,
|
InsecureSkipVerify: LdapInsecure,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
log.Printf("ldapConnect initiating connection\n")
|
||||||
ldaps, err := ldap.DialTLS("tcp", LdapServer, tlsConfig)
|
ldaps, err := ldap.DialTLS("tcp", LdapServer, tlsConfig)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Printf("VerifyLdapCreds error connecting to LDAP bind address '%s' : '%s'\n", LdapServer, err)
|
log.Printf("VerifyLdapCreds error connecting to LDAP server '%s' : '%s'\n", LdapServer, err)
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
log.Printf("ldapConnect connection succeeded\n")
|
||||||
return ldaps
|
return ldaps
|
||||||
}
|
}
|
||||||
|
|
||||||
|
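Review bot: Both added log lines end in a literal `\n` that `log.Printf` already appends, so each emits an extra blank line; the reworded error message on the line between them has the same trailing newline. The success message would also be more useful to operators if it recorded whether certificate verification was disabled for this connection, since `InsecureSkipVerify: LdapInsecure` in the context above is the one setting worth being able to spot in logs: `log.Printf("ldapConnect connection succeeded (InsecureSkipVerify=%t)", LdapInsecure)`. ldapConnect's body starts outside the hunk.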
@@ -93,9 +93,8 @@ func VerifyPassword(password, hashedPassword string) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func LoginCheck(username string, password string) (string, error) {
|
func LoginCheck(username string, password string) (string, error) {
|
||||||
|
|
||||||
var err error
|
var err error
|
||||||
|
newLdapUser := false
|
||||||
u := User{}
|
u := User{}
|
||||||
|
|
||||||
// Query database for matching user object
|
// Query database for matching user object
|
||||||
@@ -119,6 +118,11 @@ func LoginCheck(username string, password string) (string, error) {
|
|||||||
} else {
|
} else {
|
||||||
log.Printf("LoginCheck verified LDAP user successfully\n")
|
log.Printf("LoginCheck verified LDAP user successfully\n")
|
||||||
u = ldapUser
|
u = ldapUser
|
||||||
|
|
||||||
|
// Since this user wasn't in the database, they must have been logging in for the first time
|
||||||
|
// So we don't need to repeat the ldap bind and verification
|
||||||
|
newLdapUser = true
|
||||||
|
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
// LDAP is not enabled, if user is not in the database then they can't login
|
// LDAP is not enabled, if user is not in the database then they can't login
|
||||||
@@ -132,6 +136,7 @@ func LoginCheck(username string, password string) (string, error) {
|
|||||||
//log.Printf("u: %v\n", u)
|
//log.Printf("u: %v\n", u)
|
||||||
|
|
||||||
if !u.LdapUser {
|
if !u.LdapUser {
|
||||||
|
// Locally defined user, perform password verification
|
||||||
err = VerifyPassword(password, u.Password)
|
err = VerifyPassword(password, u.Password)
|
||||||
|
|
||||||
if err != nil && err == bcrypt.ErrMismatchedHashAndPassword {
|
if err != nil && err == bcrypt.ErrMismatchedHashAndPassword {
|
||||||
@@ -141,17 +146,24 @@ func LoginCheck(username string, password string) (string, error) {
|
|||||||
log.Printf("LoginCheck verified password against stored hash.\n")
|
log.Printf("LoginCheck verified password against stored hash.\n")
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
err := VerifyLdapCreds(username, password)
|
// LDAP user, verify credential if user wasn't logging in for the first time
|
||||||
|
if !newLdapUser {
|
||||||
|
err := VerifyLdapCreds(username, password)
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
errString := fmt.Sprintf("LoginCheck LDAP user bind unsuccessful : '%s'\n", err)
|
errString := fmt.Sprintf("LoginCheck LDAP user bind unsuccessful : '%s'\n", err)
|
||||||
log.Print(errString)
|
log.Print(errString)
|
||||||
return "", errors.New(errString)
|
return "", errors.New(errString)
|
||||||
|
} else {
|
||||||
|
log.Printf("LoginCheck successfully verified LDAP user\n")
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
log.Printf("LoginCheck successfully verified LDAP user\n")
|
log.Printf("LoginCheck no need to repeat LDAP bind for new user login\n")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// If we reached this point then the login was successful
|
||||||
|
// Generate a new token and return it to the user
|
||||||
token, err := token.GenerateToken(uint(u.UserId))
|
token, err := token.GenerateToken(uint(u.UserId))
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
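Review bot: Skipping `VerifyLdapCreds` when `newLdapUser` is set is only sound if the call that produced `ldapUser` (presumably `LdapLoginCheck`, whose signature appears in the last hunk and which takes the password) actually bound to LDAP with the supplied password; that call is outside these hunks, so it should be confirmed rather than assumed, and a comment at the `if !newLdapUser {` line should name the guarantee, e.g. `// ldapUser came from LdapLoginCheck, which already bound with this password`. Inside the new block, `err := VerifyLdapCreds(username, password)` shadows the function-level `err` declared in the hunk that adds `newLdapUser := false`; the block returns on failure so this is harmless, but `err = VerifyLdapCreds(username, password)` keeps the vet shadow check quiet and matches the `err = VerifyPassword(...)` branch. The string built with `fmt.Sprintf` ends in `\n` and is then handed to `errors.New`, so callers receive a newline-terminated error; dropping the `\n` and letting `log.Print` add its own newline would be cleaner. LoginCheck's body starts and ends outside this hunk.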
@@ -191,9 +203,9 @@ func LdapLoginCheck(username string, password string) (User, error) {
|
|||||||
u.RoleId = role.RoleId
|
u.RoleId = role.RoleId
|
||||||
matchFound = true
|
matchFound = true
|
||||||
break
|
break
|
||||||
} else {
|
} //else {
|
||||||
//log.Printf("Role '%s' with LDAP group '%s' not match user group '%s'\n", role.RoleName, role.LdapGroup, group)
|
//log.Printf("Role '%s' with LDAP group '%s' not match user group '%s'\n", role.RoleName, role.LdapGroup, group)
|
||||||
}
|
//}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
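Review bot: The `else` branch is commented out rather than deleted (`} //else {` and `//}`), which leaves dead code and an already-commented log line in the loop body; since the previous version is in history, removing those three lines outright reads better than keeping them as comments. If the branch is being kept for debugging, a one-line comment above the `if` saying why it is disabled would help the next reader. LdapLoginCheck's body starts and ends outside the hunk.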