From 5399ef01804d90b1b5abbeeffd03a340de38dd45 Mon Sep 17 00:00:00 2001
From: Wilton Rodrigues
Date: Wed, 20 Mar 2024 17:30:37 -0300
Subject: [PATCH 1/2] Removing unused certPool var

---
 ldapauth.go | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/ldapauth.go b/ldapauth.go
index 316148a..caa8d1e 100644
--- a/ldapauth.go
+++ b/ldapauth.go
@@ -175,13 +175,6 @@ func (la *LdapAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 
 	LoggerDEBUG.Println("No session found! Trying to authenticate in LDAP")
 
-	var certPool *x509.CertPool
-
-	if la.config.CertificateAuthority != "" {
-		certPool = x509.NewCertPool()
-		certPool.AppendCertsFromPEM([]byte(la.config.CertificateAuthority))
-	}
-
 	conn, err := Connect(la.config)
 	if err != nil {
 		LoggerERROR.Printf("%s", err)

From 059dce20ff16c86349669d54f35591ea81bea02a Mon Sep 17 00:00:00 2001
From: Wilton Rodrigues
Date: Wed, 20 Mar 2024 14:30:33 -0300
Subject: [PATCH 2/2] Use same operation mode to bind validations

- Fix #61
- Use the same credentials based on detected operation mode to validate AllowedGroups
- Add LoggerDebug showing who is searching for groups
---
 ldapauth.go | 14 +++++++++++++-
 readme.md | 2 ++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/ldapauth.go b/ldapauth.go
index caa8d1e..95e7e62 100644
--- a/ldapauth.go
+++ b/ldapauth.go
@@ -263,8 +263,13 @@ func LdapCheckUser(conn *ldap.Conn, config *Config, username, password string) (
 	userDN := result.Entries[0].DN
 	LoggerINFO.Printf("Authenticating User: %s", userDN)
 
+	// Create a new conn to validate user password. This prevents changing the bind made
+	// previously, then LdapCheckUserAuthorized will use same operation mode
+	_nconn, _ := Connect(config)
+	defer _nconn.Close()
+
 	// Bind User and password.
-	err = conn.Bind(userDN, password)
+	err = _nconn.Bind(userDN, password)
 
 	return err == nil, result.Entries[0], err
 }
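Review bot: `_nconn, _ := Connect(config)` discards the connection error, so when the LDAP server is unreachable or the TLS handshake fails `_nconn` is nil and the following `defer _nconn.Close()` and `_nconn.Bind(userDN, password)` dereference a nil connection inside the request path instead of returning an authentication failure. Check the error and return it through the existing `(bool, *ldap.Entry, error)` result so the caller logs and rejects the request as it does for other failures; the leading underscore in `_nconn` is also not idiomatic Go. LdapCheckUser's body starts before this hunk.
```go
	// Create a new conn to validate user password. This prevents changing the bind made
	// previously, then LdapCheckUserAuthorized will use same operation mode
	nconn, err := Connect(config)
	if err != nil {
		return false, nil, err
	}
	defer nconn.Close()

	// Bind User and password.
	err = nconn.Bind(userDN, password)
	// … unchanged: return statement …
```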
@@ -347,6 +352,13 @@ func LdapCheckUserGroups(conn *ldap.Conn, config *Config, entry *ldap.Entry, use
 	LoggerDEBUG.Printf("Group Filter: '%s'", group_filter.String())
+	res, err := conn.WhoAmI(nil)
+	if err != nil {
+		LoggerERROR.Printf("Failed to call WhoAmI(): %s", err)
+	} else {
+		LoggerDEBUG.Printf("Using credential: '%s' for Search Groups", res.AuthzID)
+	}
+
 	for _, g := range config.AllowedGroups {
 		LoggerDEBUG.Printf("Searching Group: '%s' with User: '%s'", g, entry.DN)
diff --git a/readme.md b/readme.md
index 0c531e1..6444146 100644
--- a/readme.md
+++ b/readme.md
@@ -101,6 +101,8 @@ labels:
 ## Operations Mode
 
+The `Operation Mode` detected will be used to perform all subsequent requests.
+
 ### Bind Mode
 
 If no `searchFilter` is specified in its configuration, the middleware runs in the default bind mode, meaning it tries to make a simple bind request to the LDAP server with the credentials provided in the request headers. If the bind succeeds, the middleware forwards the request, otherwise, it returns a 401 Unauthorized status code.
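Review bot: The new `conn.WhoAmI(nil)` call adds an LDAP round-trip on every group check solely to feed a DEBUG log line, and against a server that does not implement the Who Am I extended operation the `Failed to call WhoAmI()` message is emitted at ERROR level on every request even though authorization proceeds normally. Log that failure at DEBUG instead, `LoggerDEBUG.Printf("WhoAmI() unavailable: %s", err)`, or skip the call entirely when debug logging is not enabled. The second `diff` in this hunk line only touches readme.md. LdapCheckUserGroups's body continues outside the hunk on both sides.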