feat(auth): make ldap user filter configurable

This commit is contained in:
kolaente 2025-01-27 15:22:28 +01:00 committed by konrad
parent f01dd2ff52
commit d22c3fb19e
2 changed files with 27 additions and 8 deletions


@ -78,13 +78,14 @@ const (
AuthOpenIDEnabled Key = `auth.openid.enabled`
AuthOpenIDProviders Key = `auth.openid.providers`
AuthLdapEnabled Key = `auth.ldap.enabled`
AuthLdapHost Key = `auth.ldap.host`
AuthLdapPort Key = `auth.ldap.port`
AuthLdapBaseDN Key = `auth.ldap.basedn`
AuthLdapUseTLS Key = `auth.ldap.usetls`
AuthLdapVerifyTLS Key = `auth.ldap.verifytls`
AuthLdapBindDN Key = `auth.ldap.binddn`
AuthLdapEnabled Key = `auth.ldap.enabled`
AuthLdapHost Key = `auth.ldap.host`
AuthLdapPort Key = `auth.ldap.port`
AuthLdapBaseDN Key = `auth.ldap.basedn`
AuthLdapUserFilter Key = `auth.ldap.userfilter`
AuthLdapUseTLS Key = `auth.ldap.usetls`
AuthLdapVerifyTLS Key = `auth.ldap.verifytls`
AuthLdapBindDN Key = `auth.ldap.binddn`
// #nosec G101
AuthLdapBindPassword Key = `auth.ldap.bindpassword`
AuthLdapAttributeUsername Key = `auth.ldap.attribute.username`


@ -56,6 +56,18 @@ func ConnectAndBindToLDAPDirectory() (l *ldap.Conn, err error) {
return
}
// Adjusted from https://github.com/go-gitea/gitea/blob/6ca91f555ab9778310ac46cbbe33849c59286793/services/auth/source/ldap/source_search.go#L34
func sanitizedUserQuery(username string) (string, bool) {
// See http://tools.ietf.org/search/rfc4515
badCharacters := "\x00()*\\"
if strings.ContainsAny(username, badCharacters) {
log.Debugf("'%s' contains invalid query characters. Aborting.", username)
return "", false
}
return fmt.Sprintf(config.AuthLdapUserFilter.GetString(), username), true
}
func AuthenticateUserInLDAP(s *xorm.Session, username, password string) (u *user.User, err error) {
if password == "" || username == "" {
return nil, user.ErrNoUsernamePassword{}
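Review bot: `sanitizedUserQuery` validates the username against the RFC 4515 special characters but treats the configured `auth.ldap.userfilter` as a trusted format string at the `fmt.Sprintf` call, and nothing in this hunk checks that the filter actually contains exactly one `%s` verb; a filter with zero, two, or a differently typed verb (`%d`) makes `Sprintf` emit `%!s(MISSING)` / `%!(EXTRA ...)` / `%!d(string=...)` markers into the LDAP search filter, which then fails or matches nothing for every login with no hint as to why. A cheap guard before the `Sprintf`, `if strings.Count(config.AuthLdapUserFilter.GetString(), "%s") != 1 { log.Errorf("auth.ldap.userfilter must contain exactly one %%s placeholder"); return "", false }`, or the equivalent check at config-load time, would surface the misconfiguration instead of silently locking users out. The debug log on the reject path should also use `%q` rather than `%s` so an empty or control-character username is visible in the log as such. A doc comment above the function stating the contract — `// sanitizedUserQuery rejects usernames containing LDAP filter metacharacters (RFC 4515) and substitutes the rest into the configured auth.ldap.userfilter, whose single %s is replaced by the username.` — would also help the next reader, since the filter is now operator-supplied.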
@ -70,10 +82,16 @@ func AuthenticateUserInLDAP(s *xorm.Session, username, password string) (u *user
log.Debugf("Connected to LDAP server")
userFilter, ok := sanitizedUserQuery(username)
if !ok {
log.Debugf("Could not sanitize username %s", username)
return nil, user.ErrWrongUsernameOrPassword{}
}
searchRequest := ldap.NewSearchRequest(
config.AuthLdapBaseDN.GetString(),
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
fmt.Sprintf("(&(objectClass=inetOrgPerson)(uid=%s))", username),
userFilter,
[]string{
"dn",
config.AuthLdapAttributeUsername.GetString(),