Skip to content

Commit

Permalink
Merge pull request #62 from wiltonsr/fix-issue-61
Browse files Browse the repository at this point in the history 
Use same operation mode to bind validations
  • Loading branch information
@wiltonsr
wiltonsr authored Mar 20, 2024
2 parents 5de938d + 059dce2 commit 64fac47
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 8 deletions.
21 changes: 13 additions & 8 deletions ldapauth.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -175,13 +175,6 @@ func (la *LdapAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {

LoggerDEBUG.Println("No session found! Trying to authenticate in LDAP")

var certPool *x509.CertPool

if la.config.CertificateAuthority != "" {
certPool = x509.NewCertPool()
certPool.AppendCertsFromPEM([]byte(la.config.CertificateAuthority))
}

conn, err := Connect(la.config)
if err != nil {
LoggerERROR.Printf("%s", err)
Expand Down Expand Up @@ -270,8 +263,13 @@ func LdapCheckUser(conn *ldap.Conn, config *Config, username, password string) (
userDN := result.Entries[0].DN
LoggerINFO.Printf("Authenticating User: %s", userDN)

// Create a new conn to validate user password. This prevents changing the bind made
// previously, then LdapCheckUserAuthorized will use same operation mode
_nconn, _ := Connect(config)
defer _nconn.Close()

// Bind User and password.
err = conn.Bind(userDN, password)
err = _nconn.Bind(userDN, password)
return err == nil, result.Entries[0], err
}

Expand Down Expand Up @@ -354,6 +352,13 @@ func LdapCheckUserGroups(conn *ldap.Conn, config *Config, entry *ldap.Entry, use

LoggerDEBUG.Printf("Group Filter: '%s'", group_filter.String())

res, err := conn.WhoAmI(nil)
if err != nil {
LoggerERROR.Printf("Failed to call WhoAmI(): %s", err)
} else {
LoggerDEBUG.Printf("Using credential: '%s' for Search Groups", res.AuthzID)
}

for _, g := range config.AllowedGroups {

LoggerDEBUG.Printf("Searching Group: '%s' with User: '%s'", g, entry.DN)
Expand Down
2 changes: 2 additions & 0 deletions readme.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,8 @@ labels:
## Operations Mode
The `Operation Mode` detected will be used to perform all subsequent requests.

### Bind Mode

If no `searchFilter` is specified in its configuration, the middleware runs in the default bind mode, meaning it tries to make a simple bind request to the LDAP server with the credentials provided in the request headers. If the bind succeeds, the middleware forwards the request, otherwise, it returns a 401 Unauthorized status code.
Expand Down

0 comments on commit 64fac47

Please sign in to comment.