Add direct bind support
This commit is contained in:
RatCornu
@@ -91,16 +91,23 @@ async fn ldap_login(
|
|||||||
lowercased_user_id: &UserId,
|
lowercased_user_id: &UserId,
|
||||||
password: &str,
|
password: &str,
|
||||||
) -> Result<OwnedUserId> {
|
) -> Result<OwnedUserId> {
|
||||||
debug!("Searching user in LDAP");
|
let user_dn = match services.config.ldap.bind_dn.as_ref() {
|
||||||
|
| Some(bind_dn) if bind_dn.contains("{username}") =>
|
||||||
|
bind_dn.replace("{username}", lowercased_user_id.localpart()),
|
||||||
|
| _ => {
|
||||||
|
debug!("Searching user in LDAP");
|
||||||
|
|
||||||
let dns = services.users.search_ldap(user_id).await?;
|
let dns = services.users.search_ldap(user_id).await?;
|
||||||
|
if dns.len() >= 2 {
|
||||||
|
return Err!(Ldap("LDAP search returned two or more results"));
|
||||||
|
}
|
||||||
|
|
||||||
if dns.len() >= 2 {
|
let Some(user_dn) = dns.first() else {
|
||||||
return Err!(Ldap("LDAP search returned two or more results"));
|
return password_login(services, user_id, lowercased_user_id, password).await;
|
||||||
}
|
};
|
||||||
|
|
||||||
let Some(user_dn) = dns.first() else {
|
user_dn.clone()
|
||||||
return password_login(services, user_id, lowercased_user_id, password).await;
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
// LDAP users are automatically created on first login attempt. This is a very
|
// LDAP users are automatically created on first login attempt. This is a very
|
||||||
@@ -111,16 +118,16 @@ async fn ldap_login(
|
|||||||
// password is reserved for deactivated accounts. The tuwunel password field
|
// password is reserved for deactivated accounts. The tuwunel password field
|
||||||
// will never be read to login a LDAP user so it's not an issue.
|
// will never be read to login a LDAP user so it's not an issue.
|
||||||
if !services.users.exists(lowercased_user_id).await {
|
if !services.users.exists(lowercased_user_id).await {
|
||||||
debug!("Creating user {lowercased_user_id} from LDAP");
|
|
||||||
services
|
services
|
||||||
.users
|
.users
|
||||||
.create(lowercased_user_id, Some("*"), Some("ldap"))
|
.create(lowercased_user_id, Some("*"), Some("ldap"))
|
||||||
.await?;
|
.await?;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
debug!("{user_dn:?} {password:?}");
|
||||||
services
|
services
|
||||||
.users
|
.users
|
||||||
.auth_ldap(user_dn, password)
|
.auth_ldap(&user_dn, password)
|
||||||
.await
|
.await
|
||||||
.map(|()| lowercased_user_id.to_owned())
|
.map(|()| lowercased_user_id.to_owned())
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1805,14 +1805,7 @@ pub struct Config {
|
|||||||
#[serde(default)]
|
#[serde(default)]
|
||||||
pub blurhashing: BlurhashConfig,
|
pub blurhashing: BlurhashConfig,
|
||||||
|
|
||||||
#[cfg(not(doctest))]
|
// external structure; separate section
|
||||||
/// Examples:
|
|
||||||
///
|
|
||||||
/// - No LDAP login (default):
|
|
||||||
///
|
|
||||||
/// ldap = "none"
|
|
||||||
///
|
|
||||||
/// default: "none"
|
|
||||||
pub ldap: LdapConfig,
|
pub ldap: LdapConfig,
|
||||||
|
|
||||||
#[serde(flatten)]
|
#[serde(flatten)]
|
||||||
@@ -1911,12 +1904,6 @@ pub struct LdapConfig {
|
|||||||
#[serde(deserialize_with = "crate::utils::deserialize_from_str")]
|
#[serde(deserialize_with = "crate::utils::deserialize_from_str")]
|
||||||
pub uri: Url,
|
pub uri: Url,
|
||||||
|
|
||||||
/// Whether to use StartTLS to bind to the LDAP server.
|
|
||||||
///
|
|
||||||
/// example: true
|
|
||||||
#[serde(default)]
|
|
||||||
pub start_tls: bool,
|
|
||||||
|
|
||||||
/// Root of the searches.
|
/// Root of the searches.
|
||||||
///
|
///
|
||||||
/// example: "ou=users,dc=example,dc=org"
|
/// example: "ou=users,dc=example,dc=org"
|
||||||
@@ -1925,7 +1912,13 @@ pub struct LdapConfig {
|
|||||||
|
|
||||||
/// Bind DN if anonymous search is not enabled.
|
/// Bind DN if anonymous search is not enabled.
|
||||||
///
|
///
|
||||||
/// example: "cn=ldap-reader,dc=example,dc=org"
|
/// You can use the variable `{username}` that will be replaced by the
|
||||||
|
/// entered username. In such case, the password used to bind will be the
|
||||||
|
/// one provided for the login and not the one given by
|
||||||
|
/// `bind_password_file`.
|
||||||
|
///
|
||||||
|
/// example: "cn=ldap-reader,dc=example,dc=org" or
|
||||||
|
/// "cn={username},ou=users,dc=example,dc=org"
|
||||||
#[serde(default)]
|
#[serde(default)]
|
||||||
pub bind_dn: Option<String>,
|
pub bind_dn: Option<String>,
|
||||||
|
|
||||||
@@ -1955,12 +1948,16 @@ pub struct LdapConfig {
|
|||||||
/// Attribute containing the mail of the user.
|
/// Attribute containing the mail of the user.
|
||||||
///
|
///
|
||||||
/// example: "mail"
|
/// example: "mail"
|
||||||
|
///
|
||||||
|
/// default: "mail"
|
||||||
#[serde(default = "default_ldap_mail_attribute")]
|
#[serde(default = "default_ldap_mail_attribute")]
|
||||||
pub mail_attribute: String,
|
pub mail_attribute: String,
|
||||||
|
|
||||||
/// Attribute containing the distinguished name of the user.
|
/// Attribute containing the distinguished name of the user.
|
||||||
///
|
///
|
||||||
/// example: "givenName" or "sn"
|
/// example: "givenName" or "sn"
|
||||||
|
///
|
||||||
|
/// default: "givenName"
|
||||||
#[serde(default = "default_ldap_name_attribute")]
|
#[serde(default = "default_ldap_name_attribute")]
|
||||||
pub name_attribute: String,
|
pub name_attribute: String,
|
||||||
}
|
}
|
||||||
@@ -2359,4 +2356,4 @@ fn default_ldap_uid_attribute() -> String { String::from("uid") }
|
|||||||
|
|
||||||
fn default_ldap_mail_attribute() -> String { String::from("mail") }
|
fn default_ldap_mail_attribute() -> String { String::from("mail") }
|
||||||
|
|
||||||
fn default_ldap_name_attribute() -> String { String::from("name") }
|
fn default_ldap_name_attribute() -> String { String::from("givenName") }
|
||||||
|
|||||||
@@ -1641,12 +1641,6 @@
|
|||||||
#
|
#
|
||||||
#uri =
|
#uri =
|
||||||
|
|
||||||
# Whether to use StartTLS to bind to the LDAP server.
|
|
||||||
#
|
|
||||||
# example: true
|
|
||||||
#
|
|
||||||
#start_tls = false
|
|
||||||
|
|
||||||
# Root of the searches.
|
# Root of the searches.
|
||||||
#
|
#
|
||||||
# example: "ou=users,dc=example,dc=org"
|
# example: "ou=users,dc=example,dc=org"
|
||||||
@@ -1655,7 +1649,13 @@
|
|||||||
|
|
||||||
# Bind DN if anonymous search is not enabled.
|
# Bind DN if anonymous search is not enabled.
|
||||||
#
|
#
|
||||||
# example: "cn=ldap-reader,dc=example,dc=org"
|
# You can use the variable `{username}` that will be replaced by the
|
||||||
|
# entered username. In such case, the password used to bind will be the
|
||||||
|
# one provided for the login and not the one given by
|
||||||
|
# `bind_password_file`.
|
||||||
|
#
|
||||||
|
# example: "cn=ldap-reader,dc=example,dc=org" or
|
||||||
|
# "cn={username},ou=users,dc=example,dc=org"
|
||||||
#
|
#
|
||||||
#bind_dn = false
|
#bind_dn = false
|
||||||
|
|
||||||
@@ -1682,10 +1682,10 @@
|
|||||||
#
|
#
|
||||||
# example: "mail"
|
# example: "mail"
|
||||||
#
|
#
|
||||||
#mail_attribute =
|
#mail_attribute = "mail"
|
||||||
|
|
||||||
# Attribute containing the distinguished name of the user.
|
# Attribute containing the distinguished name of the user.
|
||||||
#
|
#
|
||||||
# example: "givenName" or "sn"
|
# example: "givenName" or "sn"
|
||||||
#
|
#
|
||||||
#name_attribute =
|
#name_attribute = "givenName"
|
||||||
|
|||||||
Reference in New Issue
Block a user