WIP attempt to do non anonymous ldap connect #908

Open
trinity-1686a wants to merge 1 commits from ldap-non-anon into main
Owner

attempt at fixing #902
@pwFoo could you test if it works for you?

attempt at fixing #902 @pwFoo could you test if it works for you?
trinity-1686a added the
C: Enhancement
A: Backend
labels 9 months ago

I have to finish some other tasks and need to learn how to compile project based on a pull request first...

I have to finish some other tasks and need to learn how to compile project based on a pull request first...
Poster
Owner

If you know how to compile from sources, you can run git checkout ldap-non-anon before running cargo commands. You might need to run git fetch before git checkout if it does not find the branch

If you know how to compile from sources, you can run `git checkout ldap-non-anon` before running cargo commands. You might need to run `git fetch` before git checkout if it does not find the branch

First a binddn is connected and than in a second step verify the real user.
Build is done, how to configure the additional LDAP parameters for bind?

First a binddn is connected and than in a second step verify the real user. Build is done, how to configure the additional LDAP parameters for bind?
Poster
Owner

it's LDAP_USER and LDAP_PASSWORD, as environment variables or in .env

it's `LDAP_USER` and `LDAP_PASSWORD`, as environment variables or in .env

Login works, but I think need some improvements.
I see the ldap query and can compare it with a working one. Looks like your implementation do two bindings instead of one?

plume ldap

6033d7ce conn=1007 fd=13 ACCEPT from IP=10.0.102.4:51806 (IP=0.0.0.0:389)
6033d7ce conn=1007 op=0 BIND dn="cn=binduser,dc=example,dc=com" method=128
6033d7ce conn=1007 op=0 BIND dn="cn=binduser,dc=example,dc=com" mech=SIMPLE ssf=0
6033d7ce conn=1007 op=0 RESULT tag=97 err=0 text=
6033d7ce conn=1007 op=1 BIND anonymous mech=implicit ssf=0
6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" method=128
6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0
6033d7ce connection_input: conn=1007 deferring operation: binding
6033d7ce conn=1007 op=1 RESULT tag=97 err=0 text=
6033d7ce conn=1007 op=2 SRCH base="uid=myuser,ou=users,dc=example,dc=com" scope=0 deref=0 filter="(|(objectClass=person)(?objectClass=user))"
6033d7ce conn=1007 op=2 SRCH attr=email
6033d7ce conn=1007 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
6033d7ce conn=1007 op=3 UNBIND
6033d7ce conn=1007 fd=13 closed

Working application

6033d751 conn=1006 fd=12 ACCEPT from IP=10.0.102.4:47932 (IP=0.0.0.0:389)
6033d751 conn=1006 op=0 BIND dn="cn=binduser,dc=example,dc=com" method=128
6033d752 conn=1006 op=0 BIND dn="cn=binduser,dc=example,dc=com" mech=SIMPLE ssf=0
6033d752 conn=1006 op=0 RESULT tag=97 err=0 text=
6033d752 conn=1006 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(memberOf=cn=group1,ou=groups,dc=example,dc=com)(uid=myuser))"
6033d752 conn=1006 op=1 SRCH attr=dn
6033d752 conn=1006 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
6033d752 conn=1006 op=2 BIND anonymous mech=implicit ssf=0
6033d752 conn=1006 op=2 BIND dn="uid=ahg,ou=users,dc=example,dc=com" method=128
6033d752 conn=1006 op=2 BIND dn="uid=ahg,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0

ToDo

1. Rename bind user ENV

LDAP_BINDDN   # == bind user
LDAP_BINDPW   # == bind user pw

2. That part should be removed! Second bind!

6033d7ce conn=1007 op=1 BIND anonymous mech=implicit ssf=0
6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" method=128
6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0
6033d7ce connection_input: conn=1007 deferring operation: binding

3. search filter
Binded user need to search for the "real" user. And the search filter need to be configurable like that filter part

6033d752 conn=1006 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(memberOf=cn=group1,ou=groups,dc=example,dc=com)(uid=myuser))"

LDAP_FILTER example. search attribute is given by (uid=%u) part and %u is replaced by the login user name.

LDAP_FILTER='(&(objectClass=posixAccount)(memberof=cn=<groupname>,ou=groups,dc=example,dc=com)(uid=%u))'

Configurable search base and search filter would be most flexible I think?

Login works, but I think need some improvements. I see the ldap query and can compare it with a working one. Looks like your implementation do two bindings instead of one? plume ldap ``` 6033d7ce conn=1007 fd=13 ACCEPT from IP=10.0.102.4:51806 (IP=0.0.0.0:389) 6033d7ce conn=1007 op=0 BIND dn="cn=binduser,dc=example,dc=com" method=128 6033d7ce conn=1007 op=0 BIND dn="cn=binduser,dc=example,dc=com" mech=SIMPLE ssf=0 6033d7ce conn=1007 op=0 RESULT tag=97 err=0 text= 6033d7ce conn=1007 op=1 BIND anonymous mech=implicit ssf=0 6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" method=128 6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0 6033d7ce connection_input: conn=1007 deferring operation: binding 6033d7ce conn=1007 op=1 RESULT tag=97 err=0 text= 6033d7ce conn=1007 op=2 SRCH base="uid=myuser,ou=users,dc=example,dc=com" scope=0 deref=0 filter="(|(objectClass=person)(?objectClass=user))" 6033d7ce conn=1007 op=2 SRCH attr=email 6033d7ce conn=1007 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= 6033d7ce conn=1007 op=3 UNBIND 6033d7ce conn=1007 fd=13 closed ``` Working application ``` 6033d751 conn=1006 fd=12 ACCEPT from IP=10.0.102.4:47932 (IP=0.0.0.0:389) 6033d751 conn=1006 op=0 BIND dn="cn=binduser,dc=example,dc=com" method=128 6033d752 conn=1006 op=0 BIND dn="cn=binduser,dc=example,dc=com" mech=SIMPLE ssf=0 6033d752 conn=1006 op=0 RESULT tag=97 err=0 text= 6033d752 conn=1006 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(memberOf=cn=group1,ou=groups,dc=example,dc=com)(uid=myuser))" 6033d752 conn=1006 op=1 SRCH attr=dn 6033d752 conn=1006 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= 6033d752 conn=1006 op=2 BIND anonymous mech=implicit ssf=0 6033d752 conn=1006 op=2 BIND dn="uid=ahg,ou=users,dc=example,dc=com" method=128 6033d752 conn=1006 op=2 BIND dn="uid=ahg,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0 ``` ## ToDo **1. Rename bind user ENV** ``` LDAP_BINDDN # == bind user LDAP_BINDPW # == bind user pw ``` **2. That part should be removed! Second bind!** ``` 6033d7ce conn=1007 op=1 BIND anonymous mech=implicit ssf=0 6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" method=128 6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0 6033d7ce connection_input: conn=1007 deferring operation: binding ``` **3. search filter** Binded user need to search for the "real" user. And the **search filter** need to be configurable like that **filter** part ``` 6033d752 conn=1006 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(memberOf=cn=group1,ou=groups,dc=example,dc=com)(uid=myuser))" ``` *LDAP_FILTER* example. search attribute is given by `(uid=%u)` part and `%u` is replaced by the login user name. ``` LDAP_FILTER='(&(objectClass=posixAccount)(memberof=cn=<groupname>,ou=groups,dc=example,dc=com)(uid=%u))' ``` Configurable search base and search filter would be most flexible I think?

Hi @trinity-1686a,
what do you think about the suggested changes?

Hi @trinity-1686a, what do you think about the suggested changes?
This Pull Request doesn't have enough approvals yet. 0 of 1 approvals granted.
This branch is out-of-date with the base branch
Sign in to join this conversation.
No reviewers
No Milestone
No Assignees
2 Participants
Notifications
Due Date

No due date set.

Dependencies

This pull request currently doesn't have any dependencies.

Loading…
There is no content yet.