From db8b53693f1854f4355f49bade6f99b35b6a5712 Mon Sep 17 00:00:00 2001
From: SinnySupernova <155481713+SinnySupernova@users.noreply.github.com>
Date: Mon, 21 Oct 2024 14:34:03 +0000
Subject: [PATCH] allow to search using bind dn instead of auth bind connection when bind auth is enabled (#873)

---
 crates/directory/src/backend/ldap/config.rs | 8 ++++++--
 crates/directory/src/backend/ldap/lookup.rs | 17 ++++++++++-------
 crates/directory/src/backend/ldap/mod.rs | 7 ++++++-
 3 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/crates/directory/src/backend/ldap/config.rs b/crates/directory/src/backend/ldap/config.rs
index 8381856cf..c8811f2ce 100644
--- a/crates/directory/src/backend/ldap/config.rs
+++ b/crates/directory/src/backend/ldap/config.rs
@@ -12,7 +12,7 @@ use utils::config::{utils::AsKey, Config};
 
 use crate::core::config::build_pool;
 
-use super::{Bind, LdapConnectionManager, LdapDirectory, LdapFilter, LdapMappings};
+use super::{AuthBind, Bind, LdapConnectionManager, LdapDirectory, LdapFilter, LdapMappings};
 
 impl LdapDirectory {
     pub fn from_config(config: &mut Config, prefix: impl AsKey, data_store: Store) -> Option {
@@ -107,7 +107,11 @@ impl LdapDirectory {
             .property_or_default::((&prefix, "bind.auth.enable"), "false")
             .unwrap_or_default()
         {
-            LdapFilter::from_config(config, (&prefix, "bind.auth.dn")).into()
+            let filter = LdapFilter::from_config(config, (&prefix, "bind.auth.dn"));
+            let search = config
+                .property_or_default::((&prefix, "bind.auth.search"), "true")
+                .unwrap_or(true);
+            Some(AuthBind { filter, search })
         } else {
             None
         };
diff --git a/crates/directory/src/backend/ldap/lookup.rs b/crates/directory/src/backend/ldap/lookup.rs
index 09813b747..c68c70d83 100644
--- a/crates/directory/src/backend/ldap/lookup.rs
+++ b/crates/directory/src/backend/ldap/lookup.rs
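Review bot: The new `bind.auth.search` key is read at `let search = config ...` without any comment saying what it selects, and its default is encoded twice (the `"true"` default string and `.unwrap_or(true)`), so a reader cannot tell which path a bad value takes. Presumably `property_or_default` yields `None` only when the configured value does not parse as a bool; the silent fallback to `true` then keeps the pre-existing behaviour (principal lookup over the user-bound session) rather than surfacing the misconfiguration, which matches how `bind.auth.enable` is handled just above. I would add above `let search`: `// bind.auth.search = false: resolve the principal over the pooled service-bind connection instead of the user-bound session (see lookup.rs)`. `from_config` starts and ends outside the hunk.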
@@ -70,16 +70,16 @@ impl LdapDirectory {
         };
 
         if let Some(auth_bind) = &self.auth_bind {
-            let (conn, mut ldap) = LdapConnAsync::with_settings(
+            let (auth_bind_conn, mut ldap) = LdapConnAsync::with_settings(
                 self.pool.manager().settings.clone(),
                 &self.pool.manager().address,
             )
             .await
             .map_err(|err| err.into_error().caused_by(trc::location!()))?;
-            ldap3::drive!(conn);
+            ldap3::drive!(auth_bind_conn);
 
-            let dn = auth_bind.build(username);
+            let dn = auth_bind.filter.build(username);
 
             trc::event!(Store(trc::StoreEvent::LdapBind), Details = dn.clone());
 
@@ -93,10 +93,13 @@ impl LdapDirectory {
                 return Ok(None);
             }
 
-            match self
-                .find_principal(&mut ldap, &self.mappings.filter_name.build(username))
-                .await
-            {
+            let filter = &self.mappings.filter_name.build(username);
+            let principal = if auth_bind.search {
+                self.find_principal(&mut ldap, filter).await
+            } else {
+                self.find_principal(&mut conn, filter).await
+            };
+            match principal {
                 Ok(Some(principal)) => (
                     principal.with_field(PrincipalField::Name, username.to_string()),
                     None,
diff --git a/crates/directory/src/backend/ldap/mod.rs b/crates/directory/src/backend/ldap/mod.rs
index 1ab52826c..1037b2c80 100644
--- a/crates/directory/src/backend/ldap/mod.rs
+++ b/crates/directory/src/backend/ldap/mod.rs
@@ -15,7 +15,7 @@ pub mod pool;
 pub struct LdapDirectory {
     pool: Pool,
     mappings: LdapMappings,
-    auth_bind: Option,
+    auth_bind: Option,
     pub(crate) data_store: Store,
 }
 
@@ -76,3 +76,8 @@ impl Bind {
         Self { dn, password }
     }
 }
+
+pub(crate) struct AuthBind {
+    filter: LdapFilter,
+    search: bool,
+}
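Review bot: The rename at `let (auth_bind_conn, mut ldap) = LdapConnAsync::with_settings(` is load-bearing rather than cosmetic: it stops this binding from shadowing a `conn` declared before the hunk, which the next hunk's `else` branch passes to `find_principal`, but nothing on the line says so. A one-line comment there, `// named auth_bind_conn so the pooled `conn` stays visible for the search below`, would keep a later cleanup from reverting it back to `conn` and silently changing which connection the search uses. The enclosing function starts before the hunk and continues past it.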
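Review bot: The `else` branch at `self.find_principal(&mut conn, filter).await` changes which identity performs the principal search: with `bind.auth.search = false` the lookup runs over `conn`, which is declared before the hunk and is presumably the pooled connection bound as the configured service account, instead of over `ldap`, the session that was just bound with the user's own credentials. That means any directory ACLs scoped to the user no longer govern what the search returns, and the user-bound `ldap` session is kept open only to have proven the password; neither consequence is stated in the code. A comment above `let principal = if auth_bind.search {` should say which connection each branch uses and why the service-bind path exists. As a point of style, `let filter = &self.mappings.filter_name.build(username);` borrows a temporary; `let filter = self.mappings.filter_name.build(username);` with `&filter` at the two call sites reads more plainly. The function continues past the end of the hunk.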
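Review bot: `pub(crate) struct AuthBind` and its two fields are added without doc comments, although `search` flips which LDAP session performs the principal lookup and a maintainer reading mod.rs alone cannot infer that from a bare `bool`. I would document the struct as the settings in effect when `bind.auth.enable` is on, `filter` as `/// DN template that is bound with the user's supplied credentials.`, and `search` as `/// When false, the principal is searched over the pooled service-bind connection instead of the user-bound session (config key `bind.auth.search`, default true).`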