coolaj86
/
gitroast
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

LDAP: Use single connection in BindDN mode auth 

According to RFC 4511 4.2.1. Processing of the Bind Request "Clients may send
multiple Bind requests to change the authentication and/or security
associations or to complete a multi-stage Bind process. Authentication from
earlier binds is subsequently ignored."

Therefore we should not use 2 connections, but single one just sending two bind
requests.
This commit is contained in:
Adam Strzelecki 2016-02-16 11:58:00 +01:00
parent b7f3d94cd0
commit e2f95c2845
1 changed files with 11 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
modules/auth/ldap/ldap.go
View File

@ -58,18 +58,10 @@ func (ls *Source) sanitizedUserDN(username string) (string, bool) {
return fmt.Sprintf(ls.UserDN, username), true return fmt.Sprintf(ls.UserDN, username), true
} }
func (ls *Source) FindUserDN(name string) (string, bool) { func (ls *Source) findUserDN(l *ldap.Conn, name string) (string, bool) {
l, err := ldapDial(ls)
if err != nil {
log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
ls.Enabled = false
return "", false
}
defer l.Close()
log.Trace("Search for LDAP user: %s", name) log.Trace("Search for LDAP user: %s", name)
if ls.BindDN != "" && ls.BindPassword != "" { if ls.BindDN != "" && ls.BindPassword != "" {
err = l.Bind(ls.BindDN, ls.BindPassword) err := l.Bind(ls.BindDN, ls.BindPassword)
if err != nil { if err != nil {
log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err) log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
return "", false return "", false
@ -111,6 +103,14 @@ func (ls *Source) FindUserDN(name string) (string, bool) {
// searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter // searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, string, string, string, bool, bool) { func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, string, string, string, bool, bool) {
l, err := ldapDial(ls)
if err != nil {
log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
ls.Enabled = false
return "", "", "", "", false, false
}
defer l.Close()
var userDN string var userDN string
if directBind { if directBind {
log.Trace("LDAP will bind directly via UserDN template: %s", ls.UserDN) log.Trace("LDAP will bind directly via UserDN template: %s", ls.UserDN)
@ -124,20 +124,12 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
log.Trace("LDAP will use BindDN.") log.Trace("LDAP will use BindDN.")
var found bool var found bool
userDN, found = ls.FindUserDN(name) userDN, found = ls.findUserDN(l, name)
if !found { if !found {
return "", "", "", "", false, false return "", "", "", "", false, false
} }
} }
l, err := ldapDial(ls)
if err != nil {
log.Error(4, "LDAP Connect error (%s): %v", ls.Host, err)
ls.Enabled = false
return "", "", "", "", false, false
}
defer l.Close()
log.Trace("Binding with userDN: %s", userDN) log.Trace("Binding with userDN: %s", userDN)
err = l.Bind(userDN, passwd) err = l.Bind(userDN, passwd)
if err != nil { if err != nil {