Commit db394674 authored by ale's avatar ale

Properly handle LDAP search scopes, and encrypted passwords

Drop the {crypt} prefix from LDAP-encrypted passwords, if present
parent 7b1b6837
......@@ -38,7 +38,7 @@ func (c *LDAPServiceConfig) Valid() error {
if c.SearchFilter == "" {
return errors.New("empty search_filter")
}
if c.Scope != "one" && c.Scope != "sub" {
if c.Scope != "base" && c.Scope != "one" && c.Scope != "sub" {
return errors.New("unknown scope")
}
return nil
......@@ -70,9 +70,14 @@ func (c *LDAPServiceConfig) compile() error {
func (c *LDAPServiceConfig) searchRequest(username string) *ldap.SearchRequest {
filter := strings.Replace(c.SearchFilter, "%s", ldap.EscapeFilter(username), -1)
scope := ldap.ScopeWholeSubtree
if c.Scope == "one" {
var scope int
switch c.Scope {
case "base":
scope = ldap.ScopeBaseObject
case "one":
scope = ldap.ScopeSingleLevel
case "sub":
scope = ldap.ScopeWholeSubtree
}
return ldap.NewSearchRequest(
c.SearchBase,
......@@ -92,13 +97,15 @@ func (c *LDAPServiceConfig) userFromResponse(username string, result *ldap.Searc
if len(result.Entries) < 1 {
return nil, false
}
// TODO: return an error if more than one entry is returned.
entry := result.Entries[0]
// Apply the attribute map.
u := User{
Name: username,
Email: getStringFromLDAPEntry(entry, c.Attrs["email"]),
EncryptedPassword: []byte(getStringFromLDAPEntry(entry, c.Attrs["password"])),
EncryptedPassword: []byte(dropCryptPrefix(getStringFromLDAPEntry(entry, c.Attrs["password"]))),
TOTPSecret: getStringFromLDAPEntry(entry, c.Attrs["totp_secret"]),
AppSpecificPasswords: decodeAppSpecificPasswordList(getListFromLDAPEntry(entry, c.Attrs["app_specific_password"])),
}
......@@ -106,6 +113,13 @@ func (c *LDAPServiceConfig) userFromResponse(username string, result *ldap.Searc
return &u, true
}
func dropCryptPrefix(s string) string {
if strings.HasPrefix(s, "{crypt}") || strings.HasPrefix(s, "{CRYPT}") {
return s[7:]
}
return s
}
func getStringFromLDAPEntry(entry *ldap.Entry, attr string) string {
if attr == "" {
return ""
......
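Review bot: dropCryptPrefix in the last hunk (after the `@@ -106,6 +113,13 @@` header) only recognises the two spellings `{crypt}` and `{CRYPT}`; RFC 2307-style scheme prefixes are case-insensitive, so a directory that stores `{Crypt}...` keeps the prefix and the value will presumably fail verification downstream. A case-insensitive comparison also removes the reliance on HasPrefix guaranteeing the `s[7:]` slice is in range: `if len(s) >= 7 && strings.EqualFold(s[:7], "{crypt}") { return s[7:] }`. Values carrying any other scheme (`{SSHA}`, `{MD5}`, ...) are passed through untouched and, as far as this hunk shows, land in EncryptedPassword as if they were crypt hashes, so the function deserves a comment making that explicit, e.g. `// dropCryptPrefix strips an RFC 2307 {crypt} scheme prefix (case-insensitive); any other scheme prefix is returned unchanged and is not supported.` getStringFromLDAPEntry, started at the end of the hunk, continues outside it.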