refactor(authentication): log ldap warning on startup in rare condition (#2141)
This is so on startup administrators who have a LDAP server implementation that may not support password hashing by default are clearly warned. This only triggers if the disable password reset option is not enabled, we cannot find the extension OID for the Extended Password Modify Operation, and the implementation is not Active Directory. Active Directory has it's own method for this which doesn't advertise an OID.pull/2147/head
parent
ef549f851d
commit
31c5c820f0
|
@ -103,7 +103,7 @@ func startServer() {
|
||||||
case config.AuthenticationBackend.File != nil:
|
case config.AuthenticationBackend.File != nil:
|
||||||
userProvider = authentication.NewFileUserProvider(config.AuthenticationBackend.File)
|
userProvider = authentication.NewFileUserProvider(config.AuthenticationBackend.File)
|
||||||
case config.AuthenticationBackend.LDAP != nil:
|
case config.AuthenticationBackend.LDAP != nil:
|
||||||
userProvider, err = authentication.NewLDAPUserProvider(*config.AuthenticationBackend.LDAP, autheliaCertPool)
|
userProvider, err = authentication.NewLDAPUserProvider(config.AuthenticationBackend, autheliaCertPool)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Fatalf("Failed to Check LDAP Authentication Backend: %v", err)
|
logger.Fatalf("Failed to Check LDAP Authentication Backend: %v", err)
|
||||||
}
|
}
|
||||||
|
|
|
@ -29,18 +29,19 @@ type LDAPUserProvider struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewLDAPUserProvider creates a new instance of LDAPUserProvider.
|
// NewLDAPUserProvider creates a new instance of LDAPUserProvider.
|
||||||
func NewLDAPUserProvider(configuration schema.LDAPAuthenticationBackendConfiguration, certPool *x509.CertPool) (provider *LDAPUserProvider, err error) {
|
func NewLDAPUserProvider(configuration schema.AuthenticationBackendConfiguration, certPool *x509.CertPool) (provider *LDAPUserProvider, err error) {
|
||||||
provider = newLDAPUserProvider(configuration, certPool, nil)
|
provider = newLDAPUserProvider(*configuration.LDAP, certPool, nil)
|
||||||
|
|
||||||
err = provider.checkServer()
|
err = provider.checkServer()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return provider, err
|
return provider, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if provider.supportExtensionPasswdModify {
|
if !provider.supportExtensionPasswdModify && !configuration.DisableResetPassword &&
|
||||||
provider.logger.Trace("LDAP Server does support passwdModifyOID Extension")
|
provider.configuration.Implementation != schema.LDAPImplementationActiveDirectory {
|
||||||
} else {
|
provider.logger.Warnf("Your LDAP server implementation may not support a method for password hashing " +
|
||||||
provider.logger.Trace("LDAP Server does not support passwdModifyOID Extension")
|
"known to Authelia, it's strongly recommended you ensure your directory server hashes the password " +
|
||||||
|
"attribute when users reset their password via Authelia.")
|
||||||
}
|
}
|
||||||
|
|
||||||
return provider, nil
|
return provider, nil
|
||||||
|
|
Loading…
Reference in New Issue