outpost/ldap: make users and groups OU instead of CN
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
fabdb6448f
commit
9485f0b8cc
|
@ -357,7 +357,7 @@ class Outpost(models.Model):
|
||||||
LOGGER.warning("permission doesn't exist", perm=model_or_perm)
|
LOGGER.warning("permission doesn't exist", perm=model_or_perm)
|
||||||
continue
|
continue
|
||||||
user.user_permissions.add(permission.first())
|
user.user_permissions.add(permission.first())
|
||||||
LOGGER.debug("Updated service account's permissions")
|
LOGGER.debug("Updated service account's permissions", perms=UserObjectPermission.objects.filter(user=user))
|
||||||
return user
|
return user
|
||||||
|
|
||||||
@property
|
@property
|
||||||
|
|
|
@ -20,8 +20,8 @@ func (ls *LDAPServer) Refresh() error {
|
||||||
}
|
}
|
||||||
providers := make([]*ProviderInstance, len(outposts.Payload.Results))
|
providers := make([]*ProviderInstance, len(outposts.Payload.Results))
|
||||||
for idx, provider := range outposts.Payload.Results {
|
for idx, provider := range outposts.Payload.Results {
|
||||||
userDN := strings.ToLower(fmt.Sprintf("cn=users,%s", provider.BaseDn))
|
userDN := strings.ToLower(fmt.Sprintf("ou=users,%s", provider.BaseDn))
|
||||||
groupDN := strings.ToLower(fmt.Sprintf("cn=groups,%s", provider.BaseDn))
|
groupDN := strings.ToLower(fmt.Sprintf("ou=groups,%s", provider.BaseDn))
|
||||||
providers[idx] = &ProviderInstance{
|
providers[idx] = &ProviderInstance{
|
||||||
BaseDN: provider.BaseDn,
|
BaseDN: provider.BaseDn,
|
||||||
GroupDN: groupDN,
|
GroupDN: groupDN,
|
||||||
|
|
|
@ -12,6 +12,8 @@ func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LD
|
||||||
username, err := instance.getUsername(bindDN)
|
username, err := instance.getUsername(bindDN)
|
||||||
if err == nil {
|
if err == nil {
|
||||||
return instance.Bind(username, bindPW, conn)
|
return instance.Bind(username, bindPW, conn)
|
||||||
|
} else {
|
||||||
|
ls.log.WithError(err).Debug("Username not for instance")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
ls.log.WithField("boundDN", bindDN).WithField("request", "bind").Warning("No provider found for request")
|
ls.log.WithField("boundDN", bindDN).WithField("request", "bind").Warning("No provider found for request")
|
||||||
|
|
|
@ -29,7 +29,7 @@ type PasswordResponse struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (pi *ProviderInstance) getUsername(dn string) (string, error) {
|
func (pi *ProviderInstance) getUsername(dn string) (string, error) {
|
||||||
if !strings.HasSuffix(dn, pi.BaseDN) {
|
if !strings.HasSuffix(strings.ToLower(dn), strings.ToLower(pi.BaseDN)) {
|
||||||
return "", errors.New("invalid base DN")
|
return "", errors.New("invalid base DN")
|
||||||
}
|
}
|
||||||
dns, err := goldap.ParseDN(dn)
|
dns, err := goldap.ParseDN(dn)
|
||||||
|
@ -38,12 +38,12 @@ func (pi *ProviderInstance) getUsername(dn string) (string, error) {
|
||||||
}
|
}
|
||||||
for _, part := range dns.RDNs {
|
for _, part := range dns.RDNs {
|
||||||
for _, attribute := range part.Attributes {
|
for _, attribute := range part.Attributes {
|
||||||
if attribute.Type == "DN" {
|
if strings.ToLower(attribute.Type) == "cn" {
|
||||||
return attribute.Value, nil
|
return attribute.Value, nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return "", errors.New("failed to find dn")
|
return "", errors.New("failed to find cn")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (pi *ProviderInstance) Bind(username string, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {
|
func (pi *ProviderInstance) Bind(username string, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {
|
||||||
|
@ -150,6 +150,8 @@ func (pi *ProviderInstance) solveFlowChallenge(bindDN string, password string, c
|
||||||
responseParams.Data = &UIDResponse{UIDFIeld: bindDN}
|
responseParams.Data = &UIDResponse{UIDFIeld: bindDN}
|
||||||
case "ak-stage-password":
|
case "ak-stage-password":
|
||||||
responseParams.Data = &PasswordResponse{Password: password}
|
responseParams.Data = &PasswordResponse{Password: password}
|
||||||
|
case "ak-stage-access-denied":
|
||||||
|
return false, errors.New("got ak-stage-access-denied")
|
||||||
default:
|
default:
|
||||||
return false, fmt.Errorf("unsupported challenge type: %s", challenge.Payload.Component)
|
return false, fmt.Errorf("unsupported challenge type: %s", challenge.Payload.Component)
|
||||||
}
|
}
|
||||||
|
|
|
@ -14,7 +14,9 @@ Binding against the LDAP Server uses a flow in the background. This allows you t
|
||||||
|
|
||||||
You can configure under which base DN the information should be available. For this documentation we'll use the default of `DC=ldap,DC=goauthentik,DC=io`.
|
You can configure under which base DN the information should be available. For this documentation we'll use the default of `DC=ldap,DC=goauthentik,DC=io`.
|
||||||
|
|
||||||
Users are available under `cn=users,<base DN>` and groups under `cn=groups,<base DN>`.
|
Users are available under `ou=users,<base DN>` and groups under `ou=groups,<base DN>`.
|
||||||
|
|
||||||
|
You can bind using the DN `cn=<username>,ou=users,<base DN>`.
|
||||||
|
|
||||||
The following fields are currently sent for users:
|
The following fields are currently sent for users:
|
||||||
|
|
||||||
|
@ -36,7 +38,7 @@ The following fields are current set for groups:
|
||||||
- cn: The group's name
|
- cn: The group's name
|
||||||
- uid: Unique group identifier
|
- uid: Unique group identifier
|
||||||
- objectClass: A list of these strings:
|
- objectClass: A list of these strings:
|
||||||
- "user"
|
- "group"
|
||||||
- "goauthentik.io/ldap/group"
|
- "goauthentik.io/ldap/group"
|
||||||
|
|
||||||
**Additionally**, for both users and groups, any attributes you set are also present as LDAP Attributes.
|
**Additionally**, for both users and groups, any attributes you set are also present as LDAP Attributes.
|
||||||
|
|
Reference in a new issue