LDAP: Adds bind before searching LDAP for non-login cases. (#18023)

Leonard Gram
2019-07-10 12:25:21 +02:00
committed by GitHub
parent 5f0a7f43c3
commit 5d3a60d46e
6 changed files with 51 additions and 17 deletions


@@ -31,7 +31,8 @@ type IConnection interface {
type IServer interface {
Login(*models.LoginUserQuery) (*models.ExternalUserInfo, error)
Users([]string) ([]*models.ExternalUserInfo, error)
Auth(string, string) error
Bind() error
UserBind(string, string) error
Dial() error
Close()
}
@@ -43,6 +44,23 @@ type Server struct {
log log.Logger
}
// Bind authenticates the connection with the LDAP server
// - with the username and password setup in the config
// - or, anonymously
func (server *Server) Bind() error {
if server.shouldAuthAdmin() {
if err := server.AuthAdmin(); err != nil {
return err
}
} else {
err := server.Connection.UnauthenticatedBind(server.Config.BindDN)
if err != nil {
return err
}
}
return nil
}
// UsersMaxRequest is a max amount of users we can request via Users().
// Since many LDAP servers has limitations
// on how much items can we return in one request
@@ -149,7 +167,7 @@ func (server *Server) Login(query *models.LoginUserQuery) (
}
} else if server.shouldSingleBind() {
authAndBind = true
err = server.Auth(server.singleBindDN(query.Username), query.Password)
err = server.UserBind(server.singleBindDN(query.Username), query.Password)
if err != nil {
return nil, err
}
@@ -179,7 +197,7 @@ func (server *Server) Login(query *models.LoginUserQuery) (
if !authAndBind {
// Authenticate user
err = server.Auth(user.AuthId, query.Password)
err = server.UserBind(user.AuthId, query.Password)
if err != nil {
return nil, err
}
@@ -380,9 +398,9 @@ func (server *Server) shouldAuthAdmin() bool {
return server.Config.BindPassword != ""
}
// Auth authentificates user in LDAP
func (server *Server) Auth(username, password string) error {
err := server.auth(username, password)
// UserBind authenticates the connection with the LDAP server
func (server *Server) UserBind(username, password string) error {
err := server.userBind(username, password)
if err != nil {
server.log.Error(
fmt.Sprintf("Cannot authentificate user %s in LDAP", username),
@@ -397,7 +415,7 @@ func (server *Server) Auth(username, password string) error {
// AuthAdmin authentificates LDAP admin user
func (server *Server) AuthAdmin() error {
err := server.auth(server.Config.BindDN, server.Config.BindPassword)
err := server.userBind(server.Config.BindDN, server.Config.BindPassword)
if err != nil {
server.log.Error(
"Cannot authentificate admin user in LDAP",
@@ -410,8 +428,8 @@ func (server *Server) AuthAdmin() error {
return nil
}
// auth is helper for several types of LDAP authentification
func (server *Server) auth(path, password string) error {
// userBind authenticates the connection with the LDAP server
func (server *Server) userBind(path, password string) error {
err := server.Connection.Bind(path, password)
if err != nil {
if ldapErr, ok := err.(*ldap.Error); ok {