Skip to content

Commit

Permalink
Use same operation mode to bind validations
Browse files Browse the repository at this point in the history
- Fix #61
- Use the same credentials based on detected operation mode to validate AllowedGroups
- Add LoggerDebug showing who is searching for groups
  • Loading branch information
wiltonsr committed Mar 20, 2024
1 parent 5399ef0 commit 059dce2
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 1 deletion.
14 changes: 13 additions & 1 deletion ldapauth.go
Original file line number Diff line number Diff line change
Expand Up @@ -263,8 +263,13 @@ func LdapCheckUser(conn *ldap.Conn, config *Config, username, password string) (
userDN := result.Entries[0].DN
LoggerINFO.Printf("Authenticating User: %s", userDN)

// Create a new conn to validate user password. This prevents changing the bind made
// previously, then LdapCheckUserAuthorized will use same operation mode
_nconn, _ := Connect(config)
defer _nconn.Close()

// Bind User and password.
err = conn.Bind(userDN, password)
err = _nconn.Bind(userDN, password)
return err == nil, result.Entries[0], err
}

Expand Down Expand Up @@ -347,6 +352,13 @@ func LdapCheckUserGroups(conn *ldap.Conn, config *Config, entry *ldap.Entry, use

LoggerDEBUG.Printf("Group Filter: '%s'", group_filter.String())

res, err := conn.WhoAmI(nil)
if err != nil {
LoggerERROR.Printf("Failed to call WhoAmI(): %s", err)
} else {
LoggerDEBUG.Printf("Using credential: '%s' for Search Groups", res.AuthzID)
}

for _, g := range config.AllowedGroups {

LoggerDEBUG.Printf("Searching Group: '%s' with User: '%s'", g, entry.DN)
Expand Down
2 changes: 2 additions & 0 deletions readme.md
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,8 @@ labels:
## Operations Mode
The `Operation Mode` detected will be used to perform all subsequent requests.

### Bind Mode

If no `searchFilter` is specified in its configuration, the middleware runs in the default bind mode, meaning it tries to make a simple bind request to the LDAP server with the credentials provided in the request headers. If the bind succeeds, the middleware forwards the request, otherwise, it returns a 401 Unauthorized status code.
Expand Down

0 comments on commit 059dce2

Please sign in to comment.