WIP attempt to do non anonymous ldap connect #908

オープン
trinity-1686aldap-non-anon から main への 1 コミットのマージを希望しています
trinity-1686a がコメント 3年前
オーナー

attempt at fixing #902
@pwFoo could you test if it works for you?

attempt at fixing #902 @pwFoo could you test if it works for you?
trinity-1686a がラベル
C: Enhancement
A: Backend
を追加 3年前
pwFoo がコメント 3年前

I have to finish some other tasks and need to learn how to compile project based on a pull request first...

I have to finish some other tasks and need to learn how to compile project based on a pull request first...
trinity-1686a がコメント 3年前
投稿者
オーナー

If you know how to compile from sources, you can run git checkout ldap-non-anon before running cargo commands. You might need to run git fetch before git checkout if it does not find the branch

If you know how to compile from sources, you can run `git checkout ldap-non-anon` before running cargo commands. You might need to run `git fetch` before git checkout if it does not find the branch
pwFoo がコメント 3年前

First a binddn is connected and than in a second step verify the real user.
Build is done, how to configure the additional LDAP parameters for bind?

First a binddn is connected and than in a second step verify the real user. Build is done, how to configure the additional LDAP parameters for bind?
trinity-1686a がコメント 3年前
投稿者
オーナー

it's LDAP_USER and LDAP_PASSWORD, as environment variables or in .env

it's `LDAP_USER` and `LDAP_PASSWORD`, as environment variables or in .env
pwFoo がコメント 3年前

Login works, but I think need some improvements.
I see the ldap query and can compare it with a working one. Looks like your implementation do two bindings instead of one?

plume ldap

6033d7ce conn=1007 fd=13 ACCEPT from IP=10.0.102.4:51806 (IP=0.0.0.0:389)
6033d7ce conn=1007 op=0 BIND dn="cn=binduser,dc=example,dc=com" method=128
6033d7ce conn=1007 op=0 BIND dn="cn=binduser,dc=example,dc=com" mech=SIMPLE ssf=0
6033d7ce conn=1007 op=0 RESULT tag=97 err=0 text=
6033d7ce conn=1007 op=1 BIND anonymous mech=implicit ssf=0
6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" method=128
6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0
6033d7ce connection_input: conn=1007 deferring operation: binding
6033d7ce conn=1007 op=1 RESULT tag=97 err=0 text=
6033d7ce conn=1007 op=2 SRCH base="uid=myuser,ou=users,dc=example,dc=com" scope=0 deref=0 filter="(|(objectClass=person)(?objectClass=user))"
6033d7ce conn=1007 op=2 SRCH attr=email
6033d7ce conn=1007 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
6033d7ce conn=1007 op=3 UNBIND
6033d7ce conn=1007 fd=13 closed

Working application

6033d751 conn=1006 fd=12 ACCEPT from IP=10.0.102.4:47932 (IP=0.0.0.0:389)
6033d751 conn=1006 op=0 BIND dn="cn=binduser,dc=example,dc=com" method=128
6033d752 conn=1006 op=0 BIND dn="cn=binduser,dc=example,dc=com" mech=SIMPLE ssf=0
6033d752 conn=1006 op=0 RESULT tag=97 err=0 text=
6033d752 conn=1006 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(memberOf=cn=group1,ou=groups,dc=example,dc=com)(uid=myuser))"
6033d752 conn=1006 op=1 SRCH attr=dn
6033d752 conn=1006 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
6033d752 conn=1006 op=2 BIND anonymous mech=implicit ssf=0
6033d752 conn=1006 op=2 BIND dn="uid=ahg,ou=users,dc=example,dc=com" method=128
6033d752 conn=1006 op=2 BIND dn="uid=ahg,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0

ToDo

1. Rename bind user ENV

LDAP_BINDDN   # == bind user
LDAP_BINDPW   # == bind user pw

2. That part should be removed! Second bind!

6033d7ce conn=1007 op=1 BIND anonymous mech=implicit ssf=0
6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" method=128
6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0
6033d7ce connection_input: conn=1007 deferring operation: binding

3. search filter
Binded user need to search for the "real" user. And the search filter need to be configurable like that filter part

6033d752 conn=1006 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(memberOf=cn=group1,ou=groups,dc=example,dc=com)(uid=myuser))"

LDAP_FILTER example. search attribute is given by (uid=%u) part and %u is replaced by the login user name.

LDAP_FILTER='(&(objectClass=posixAccount)(memberof=cn=<groupname>,ou=groups,dc=example,dc=com)(uid=%u))'

Configurable search base and search filter would be most flexible I think?

Login works, but I think need some improvements. I see the ldap query and can compare it with a working one. Looks like your implementation do two bindings instead of one? plume ldap ``` 6033d7ce conn=1007 fd=13 ACCEPT from IP=10.0.102.4:51806 (IP=0.0.0.0:389) 6033d7ce conn=1007 op=0 BIND dn="cn=binduser,dc=example,dc=com" method=128 6033d7ce conn=1007 op=0 BIND dn="cn=binduser,dc=example,dc=com" mech=SIMPLE ssf=0 6033d7ce conn=1007 op=0 RESULT tag=97 err=0 text= 6033d7ce conn=1007 op=1 BIND anonymous mech=implicit ssf=0 6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" method=128 6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0 6033d7ce connection_input: conn=1007 deferring operation: binding 6033d7ce conn=1007 op=1 RESULT tag=97 err=0 text= 6033d7ce conn=1007 op=2 SRCH base="uid=myuser,ou=users,dc=example,dc=com" scope=0 deref=0 filter="(|(objectClass=person)(?objectClass=user))" 6033d7ce conn=1007 op=2 SRCH attr=email 6033d7ce conn=1007 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= 6033d7ce conn=1007 op=3 UNBIND 6033d7ce conn=1007 fd=13 closed ``` Working application ``` 6033d751 conn=1006 fd=12 ACCEPT from IP=10.0.102.4:47932 (IP=0.0.0.0:389) 6033d751 conn=1006 op=0 BIND dn="cn=binduser,dc=example,dc=com" method=128 6033d752 conn=1006 op=0 BIND dn="cn=binduser,dc=example,dc=com" mech=SIMPLE ssf=0 6033d752 conn=1006 op=0 RESULT tag=97 err=0 text= 6033d752 conn=1006 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(memberOf=cn=group1,ou=groups,dc=example,dc=com)(uid=myuser))" 6033d752 conn=1006 op=1 SRCH attr=dn 6033d752 conn=1006 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= 6033d752 conn=1006 op=2 BIND anonymous mech=implicit ssf=0 6033d752 conn=1006 op=2 BIND dn="uid=ahg,ou=users,dc=example,dc=com" method=128 6033d752 conn=1006 op=2 BIND dn="uid=ahg,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0 ``` ## ToDo **1. Rename bind user ENV** ``` LDAP_BINDDN # == bind user LDAP_BINDPW # == bind user pw ``` **2. That part should be removed! Second bind!** ``` 6033d7ce conn=1007 op=1 BIND anonymous mech=implicit ssf=0 6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" method=128 6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0 6033d7ce connection_input: conn=1007 deferring operation: binding ``` **3. search filter** Binded user need to search for the "real" user. And the **search filter** need to be configurable like that **filter** part ``` 6033d752 conn=1006 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(memberOf=cn=group1,ou=groups,dc=example,dc=com)(uid=myuser))" ``` *LDAP_FILTER* example. search attribute is given by `(uid=%u)` part and `%u` is replaced by the login user name. ``` LDAP_FILTER='(&(objectClass=posixAccount)(memberof=cn=<groupname>,ou=groups,dc=example,dc=com)(uid=%u))' ``` Configurable search base and search filter would be most flexible I think?
pwFoo がコメント 3年前

Hi @trinity-1686a,
what do you think about the suggested changes?

Hi @trinity-1686a, what do you think about the suggested changes?
このプルリクエストは、ターゲットブランチと競合する変更を含んでいます。
  • plume-models/src/config.rs
サインインしてこの会話に参加。
レビューアなし
マイルストーンなし
担当者なし
2 人の参加者
通知
期日
期日が正しくないか範囲を超えています。 'yyyy-mm-dd' の形式で入力してください。

期日は未設定です。

依存関係

依存関係が設定されていません。

リファレンス: Plume/Plume#908
読み込み中…
まだ内容がありません