octoleo/syncthing
1
0
Fork 0
mirror of https://github.com/octoleo/syncthing.git synced 2024-11-10 07:11:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

lib/api: Allow BindDN to exclude any username formatting (fixes #8899) (#8900)

Browse Source 
This allows a syncthing instance to be locked to exactly 1 user without
needing search capability on the LDAP instance.
This commit is contained in:
Will Rouesnel 2023-05-10 15:52:02 +10:00 committed by GitHub
parent e136d11dce
commit b2fb2ef276
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 30 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
lib/api/api_auth.go
View File

@ -161,7 +161,7 @@ func authLDAP(username string, password string, cfg config.LDAPConfiguration) bo
defer connection.Close()
err = connection.Bind(fmt.Sprintf(cfg.BindDN, username), password)
err = connection.Bind(ldapTemplateBindDN(cfg.BindDN, username), password)
if err != nil {
l.Warnln("LDAP Bind:", err)
return false
@ -199,6 +199,15 @@ func authLDAP(username string, password string, cfg config.LDAPConfiguration) bo
return true
}
func ldapTemplateBindDN(bindDN string, username string) string {
// Check if formatting directives are included in the ldapTemplateBindDN - if so add username.
// (%%s is a literal %s - unlikely for LDAP, but easy to handle here).
if strings.Count(bindDN, "%s") != strings.Count(bindDN, "%%s") {
bindDN = fmt.Sprintf(bindDN, username)
}
return bindDN
}
// Convert an ISO-8859-1 encoded byte string to UTF-8. Works by the
// principle that ISO-8859-1 bytes are equivalent to unicode code points,
// that a rune slice is a list of code points, and that stringifying a slice

20
lib/api/api_auth_test.go
View File

@ -45,3 +45,23 @@ func TestStaticAuthPasswordFail(t *testing.T) {
t.Fatalf("should fail auth")
}
}
func TestAuthLDAPSendsCorrectBindDNWithTemplate(t *testing.T) {
t.Parallel()
templatedDn := ldapTemplateBindDN("cn=%s,dc=some,dc=example,dc=com", "username")
expectedDn := "cn=username,dc=some,dc=example,dc=com"
if expectedDn != templatedDn {
t.Fatalf("ldapTemplateBindDN should be %s != %s", expectedDn, templatedDn)
}
}
func TestAuthLDAPSendsCorrectBindDNWithNoTemplate(t *testing.T) {
t.Parallel()
templatedDn := ldapTemplateBindDN("cn=fixedusername,dc=some,dc=example,dc=com", "username")
expectedDn := "cn=fixedusername,dc=some,dc=example,dc=com"
if expectedDn != templatedDn {
t.Fatalf("ldapTemplateBindDN should be %s != %s", expectedDn, templatedDn)
}
}