forked from Shiloh/githaven
LDAP: Use single connection in BindDN mode auth
According to RFC 4511 4.2.1. Processing of the Bind Request "Clients may send multiple Bind requests to change the authentication and/or security associations or to complete a multi-stage Bind process. Authentication from earlier binds is subsequently ignored." Therefore we should not use 2 connections, but single one just sending two bind requests.
This commit is contained in:
parent
b7f3d94cd0
commit
e2f95c2845
@ -58,18 +58,10 @@ func (ls *Source) sanitizedUserDN(username string) (string, bool) {
|
|||||||
return fmt.Sprintf(ls.UserDN, username), true
|
return fmt.Sprintf(ls.UserDN, username), true
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ls *Source) FindUserDN(name string) (string, bool) {
|
func (ls *Source) findUserDN(l *ldap.Conn, name string) (string, bool) {
|
||||||
l, err := ldapDial(ls)
|
|
||||||
if err != nil {
|
|
||||||
log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
|
|
||||||
ls.Enabled = false
|
|
||||||
return "", false
|
|
||||||
}
|
|
||||||
defer l.Close()
|
|
||||||
|
|
||||||
log.Trace("Search for LDAP user: %s", name)
|
log.Trace("Search for LDAP user: %s", name)
|
||||||
if ls.BindDN != "" && ls.BindPassword != "" {
|
if ls.BindDN != "" && ls.BindPassword != "" {
|
||||||
err = l.Bind(ls.BindDN, ls.BindPassword)
|
err := l.Bind(ls.BindDN, ls.BindPassword)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
|
log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
|
||||||
return "", false
|
return "", false
|
||||||
@ -111,6 +103,14 @@ func (ls *Source) FindUserDN(name string) (string, bool) {
|
|||||||
|
|
||||||
// searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
|
// searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
|
||||||
func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, string, string, string, bool, bool) {
|
func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, string, string, string, bool, bool) {
|
||||||
|
l, err := ldapDial(ls)
|
||||||
|
if err != nil {
|
||||||
|
log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
|
||||||
|
ls.Enabled = false
|
||||||
|
return "", "", "", "", false, false
|
||||||
|
}
|
||||||
|
defer l.Close()
|
||||||
|
|
||||||
var userDN string
|
var userDN string
|
||||||
if directBind {
|
if directBind {
|
||||||
log.Trace("LDAP will bind directly via UserDN template: %s", ls.UserDN)
|
log.Trace("LDAP will bind directly via UserDN template: %s", ls.UserDN)
|
||||||
@ -124,20 +124,12 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
|
|||||||
log.Trace("LDAP will use BindDN.")
|
log.Trace("LDAP will use BindDN.")
|
||||||
|
|
||||||
var found bool
|
var found bool
|
||||||
userDN, found = ls.FindUserDN(name)
|
userDN, found = ls.findUserDN(l, name)
|
||||||
if !found {
|
if !found {
|
||||||
return "", "", "", "", false, false
|
return "", "", "", "", false, false
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
l, err := ldapDial(ls)
|
|
||||||
if err != nil {
|
|
||||||
log.Error(4, "LDAP Connect error (%s): %v", ls.Host, err)
|
|
||||||
ls.Enabled = false
|
|
||||||
return "", "", "", "", false, false
|
|
||||||
}
|
|
||||||
defer l.Close()
|
|
||||||
|
|
||||||
log.Trace("Binding with userDN: %s", userDN)
|
log.Trace("Binding with userDN: %s", userDN)
|
||||||
err = l.Bind(userDN, passwd)
|
err = l.Bind(userDN, passwd)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
Loading…
Reference in New Issue
Block a user