Skip to content

LDAP via simple auth separate bind user and search base #5055

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Dec 27, 2018
Merged

LDAP via simple auth separate bind user and search base #5055

merged 6 commits into from
Dec 27, 2018

Conversation

@tenacubus
Copy link
Contributor

Resolves #3048

If you're using Active Directory and need to bind using the format [email protected] or DOMAIN\user LDAP simple auth will fail. The problem is that UserDN setting we bind on is also used for the search base and it's not a qualified DN.

To solve this I added the User Search Base field previously only on LDAP via BindDN to the simple auth as well. If you have a setting in this field on simple auth it will use that as the LDAP search base instead of the UserDN.

It works but I'm not a huge fan of my code to have User Search Base only required for BindDN but not simple auth. If somebody has suggestions for how to do it cleanly I'm open. The existing classes and js didn't have a good way for a field to be in both but only required in one.

@tenacubus
show userbase on simple LDAP
0e71d2a 
change templates so user base shows on simple LDAP new and edit forms

Signed-off-by: Tony Homrich <[email protected]>
@tenacubus
refactor findUserDN func; pull BindDN code out
9924b9c 
Pull BindDN code out of findUserDN function so it is more universal. It is only called once so the bind now occurs just before the call.

Signed-off-by: Tony Homrich <[email protected]>
@tenacubus
simple LDAP - UserBase find full UserDN
ca4f99b 
if UserBase is set for a simple LDAP auth then use it to find the full UserDN

This allows AD users who bind using a special format like domain\user or user@domain and need the fully qualified UserDN

Signed-off-by: Tony Homrich <[email protected]>
@tenacubus
user_base only required for BindDN
6490389 
allow user_base to be required on BindDN LDAP but not simple auth LDAP
@techknowlogick techknowlogick added this to the 1.7.0 milestone Oct 10, 2018
@codecov-io
Copy link

codecov-io commented Nov 1, 2018
edited
Loading

Codecov Report

Merging #5055 into master will increase coverage by 0.01%.
The diff coverage is 20%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #5055      +/-   ##
==========================================
+ Coverage   37.51%   37.53%   +0.01%     
==========================================
  Files         322      322              
  Lines       47307    47323      +16     
==========================================
+ Hits        17748    17761      +13     
- Misses      27008    27014       +6     
+ Partials     2551     2548       -3
Impacted Files Coverage Δ
modules/auth/ldap/ldap.go 51.22% <20%> (-2.28%) ⬇️
models/repo_list.go 64.55% <0%> (+1.26%) ⬆️
models/repo_indexer.go 47.88% <0%> (+3.38%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6e20b50...8ba0f99. Read the comment docs.

@bkcsoft bkcsoft added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Nov 1, 2018
@bkcsoft bkcsoft added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Dec 27, 2018
@bkcsoft bkcsoft added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Dec 27, 2018
@zeripath
Copy link
Contributor

zeripath commented Dec 27, 2018
edited
Loading

@tenacubus Would it be possible to create a PR to update the documentation for LDAP to match your changes - and explain when the user_base field is required and what it should be? (Or update this PR)

@zeripath
Copy link
Contributor

The file is docs/content/doc/features/authentication.en-us.md

@techknowlogick techknowlogick merged commit 2058c36 into go-gitea:master Dec 27, 2018
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@lafriks lafriks lafriks approved these changes

+1 more reviewer

@zeripath zeripath zeripath approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. type/bug

Projects

None yet

Milestone

1.7.0

Development

Successfully merging this pull request may close these issues.

LDAP Simple Auth does not work against Active Directory

6 participants

@tenacubus @codecov-io @zeripath @lafriks @techknowlogick @bkcsoft