RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/internal/authentication/ldap_util.go

107 lines
2.3 KiB
Go
Raw Normal View History

fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-05-02 01:51:38 +00:00
package authentication
import (
"fmt"
"strings"
ber "github.com/go-asn1-ber/asn1-ber"
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
ldap "github.com/go-ldap/ldap/v3"
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-05-02 01:51:38 +00:00
)
func ldapEntriesContainsEntry(needle *ldap.Entry, haystack []*ldap.Entry) bool {
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
if needle == nil || len(haystack) == 0 {
return false
}
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-05-02 01:51:38 +00:00
for i := 0; i < len(haystack); i++ {
if haystack[i].DN == needle.DN {
return true
}
}
return false
}
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
func ldapGetFeatureSupportFromEntry(entry *ldap.Entry) (controlTypeOIDs, extensionOIDs []string, features LDAPSupportedFeatures) {
if entry == nil {
return controlTypeOIDs, extensionOIDs, features
}
for _, attr := range entry.Attributes {
switch attr.Name {
case ldapSupportedControlAttribute:
controlTypeOIDs = attr.Values
for _, oid := range attr.Values {
switch oid {
case ldapOIDControlMsftServerPolicyHints:
features.ControlTypes.MsftPwdPolHints = true
case ldapOIDControlMsftServerPolicyHintsDeprecated:
features.ControlTypes.MsftPwdPolHintsDeprecated = true
}
}
case ldapSupportedExtensionAttribute:
extensionOIDs = attr.Values
for _, oid := range attr.Values {
switch oid {
case ldapOIDExtensionPwdModifyExOp:
features.Extensions.PwdModifyExOp = true
case ldapOIDExtensionTLS:
features.Extensions.TLS = true
}
}
}
}
return controlTypeOIDs, extensionOIDs, features
}
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-05-02 01:51:38 +00:00
func ldapEscape(inputUsername string) string {
inputUsername = ldap.EscapeFilter(inputUsername)
for _, c := range specialLDAPRunes {
inputUsername = strings.ReplaceAll(inputUsername, string(c), fmt.Sprintf("\\%c", c))
}
return inputUsername
}
func ldapGetReferral(err error) (referral string, ok bool) {
switch e := err.(type) {
case *ldap.Error:
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-06-18 04:40:38 +00:00
if e.ResultCode != ldap.LDAPResultReferral {
return "", false
}
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
if e.Packet == nil {
return "", false
}
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-05-02 01:51:38 +00:00
if len(e.Packet.Children) < 2 {
return "", false
}
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
2022-05-10 04:38:36 +00:00
if e.Packet.Children[1].Tag != ber.TagObjectDescriptor {
return "", false
}
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-05-02 01:51:38 +00:00
for i := 0; i < len(e.Packet.Children[1].Children); i++ {
if e.Packet.Children[1].Children[i].Tag != ber.TagBitString || len(e.Packet.Children[1].Children[i].Children) < 1 {
continue
}
referral, ok = e.Packet.Children[1].Children[i].Children[0].Value.(string)
if !ok {
continue
}
return referral, true
}
return "", false
default:
return "", false
}
}