[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687)

* [BUGFIX] Set username retrieved from authentication backend in session.

In some setups, binding is case insensitive but Authelia is case
sensitive and therefore need the actual username as stored in the
authentication backend in order for Authelia to work correctly.

Fixes #561.

* Use uid attribute as unique user identifier in suites.

* Fix the integration tests.

* Update config.template.yml

* Compute user filter based on username attribute and users_filter.

The filter provided in users_filter is now combined with a filter
based on the username attribute to perform the LDAP search query
finding a user object from the username.

* Fix LDAP based integration tests.

* Update `users_filter` reference examples
pull/708/head
Clément Michaud 2020-03-15 08:10:25 +01:00 committed by GitHub
parent 7a3d43a12a
commit cc6650dbcd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
22 changed files with 375 additions and 346 deletions

View File

@ -8,7 +8,13 @@ breaking changes and about what you should do to overcome those changes.
## Breaking in v4.7.0 ## Breaking in v4.7.0
`logs_level` configuration key has been renamed to `log_level`. * `logs_level` configuration key has been renamed to `log_level`.
* `users_filter` was a search pattern for a given user with the `{0}` matcher replaced with the
actual username. In v4.7.0, `username_attribute` has been introduced. Consequently, the computed
user filter utilised by the LDAP search query is a combination of filters based on the
`username_attribute` and `users_filter`. `users_filter` now reduces the scope of users targeted by
the LDAP search query. For instance if `username_attribute` is set to `uid` and `users_filter` is
set to `(objectClass=person)` then the computed filter is `(&(uid=john)(objectClass=person))`.
## Breaking in v4.0.0 ## Breaking in v4.0.0

View File

@ -56,7 +56,7 @@ duo_api:
# and retrieve information such as email address and groups # and retrieve information such as email address and groups
# users belong to. # users belong to.
# #
# There are two supported backends: `ldap` and `file`. # There are two supported backends: 'ldap' and 'file'.
authentication_backend: authentication_backend:
# LDAP backend configuration. # LDAP backend configuration.
# #
@ -66,28 +66,48 @@ authentication_backend:
ldap: ldap:
# The url to the ldap server. Scheme can be ldap:// or ldaps:// # The url to the ldap server. Scheme can be ldap:// or ldaps://
url: ldap://127.0.0.1 url: ldap://127.0.0.1
# Skip verifying the server certificate (to allow self-signed certificate). # Skip verifying the server certificate (to allow self-signed certificate).
skip_verify: false skip_verify: false
# The base dn for every entries # The base dn for every entries
base_dn: dc=example,dc=com base_dn: dc=example,dc=com
# The attribute holding the username of the user (introduced to handle
# case insensitive search queries: #561).
# Microsoft Active Directory usually uses 'sAMAccountName'
# OpenLDAP usually uses 'uid'
username_attribute: uid
# An additional dn to define the scope to all users # An additional dn to define the scope to all users
additional_users_dn: ou=users additional_users_dn: ou=users
# The users filter used to find the user DN
# {0} is a matcher replaced by username. # This attribute is optional. The user filter used in the LDAP search queries
# 'cn={0}' by default. # is a combination of this filter and the username attribute.
users_filter: (cn={0}) # This filter is used to reduce the scope of users targeted by the LDAP search query.
# For instance, if the username attribute is set to 'uid', the computed filter is
# (&(uid=<username>)(objectClass=person))
# Recommended settings are as follows:
# Microsoft Active Directory '(&(objectCategory=person)(objectClass=user))'
# OpenLDAP '(objectClass=person)' or '(objectClass=inetOrgPerson)'
users_filter: (objectClass=person)
# An additional dn to define the scope of groups # An additional dn to define the scope of groups
additional_groups_dn: ou=groups additional_groups_dn: ou=groups
# The groups filter used for retrieving groups of a given user. # The groups filter used for retrieving groups of a given user.
# {0} is a matcher replaced by username. # {0} is a matcher replaced by username (as provided in login portal).
# {1} is a matcher replaced by username (as stored in LDAP).
# {dn} is a matcher replaced by user DN. # {dn} is a matcher replaced by user DN.
# {uid} is a matcher replaced by user uid.
# 'member={dn}' by default. # 'member={dn}' by default.
groups_filter: (&(member={dn})(objectclass=groupOfNames)) groups_filter: (&(member={dn})(objectclass=groupOfNames))
# The attribute holding the name of the group # The attribute holding the name of the group
group_name_attribute: cn group_name_attribute: cn
# The attribute holding the mail address of the user # The attribute holding the mail address of the user
mail_attribute: mail mail_attribute: mail
# The username and password of the admin user. # The username and password of the admin user.
user: cn=admin,dc=example,dc=com user: cn=admin,dc=example,dc=com
# This secret can also be set using the env variables AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD # This secret can also be set using the env variables AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD
@ -119,7 +139,7 @@ authentication_backend:
# Access control is a list of rules defining the authorizations applied for one # Access control is a list of rules defining the authorizations applied for one
# resource to users or group of users. # resource to users or group of users.
# #
# If 'access_control' is not defined, ACL rules are disabled and the `bypass` # If 'access_control' is not defined, ACL rules are disabled and the 'bypass'
# rule is applied, i.e., access is allowed to anyone. Otherwise restrictions follow # rule is applied, i.e., access is allowed to anyone. Otherwise restrictions follow
# the rules defined. # the rules defined.
# #
@ -129,27 +149,27 @@ authentication_backend:
# Note: You must put patterns containing wildcards between simple quotes for the YAML # Note: You must put patterns containing wildcards between simple quotes for the YAML
# to be syntactically correct. # to be syntactically correct.
# #
# Definition: A `rule` is an object with the following keys: `domain`, `subject`, # Definition: A 'rule' is an object with the following keys: 'domain', 'subject',
# `policy` and `resources`. # 'policy' and 'resources'.
# #
# - `domain` defines which domain or set of domains the rule applies to. # - 'domain' defines which domain or set of domains the rule applies to.
# #
# - `subject` defines the subject to apply authorizations to. This parameter is # - 'subject' defines the subject to apply authorizations to. This parameter is
# optional and matching any user if not provided. If provided, the parameter # optional and matching any user if not provided. If provided, the parameter
# represents either a user or a group. It should be of the form 'user:<username>' # represents either a user or a group. It should be of the form 'user:<username>'
# or 'group:<groupname>'. # or 'group:<groupname>'.
# #
# - `policy` is the policy to apply to resources. It must be either `bypass`, # - 'policy' is the policy to apply to resources. It must be either 'bypass',
# `one_factor`, `two_factor` or `deny`. # 'one_factor', 'two_factor' or 'deny'.
# #
# - `resources` is a list of regular expressions that matches a set of resources to # - 'resources' is a list of regular expressions that matches a set of resources to
# apply the policy to. This parameter is optional and matches any resource if not # apply the policy to. This parameter is optional and matches any resource if not
# provided. # provided.
# #
# Note: the order of the rules is important. The first policy matching # Note: the order of the rules is important. The first policy matching
# (domain, resource, subject) applies. # (domain, resource, subject) applies.
access_control: access_control:
# Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`. # Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'.
# It is the policy applied to any resource if there is no policy to be applied # It is the policy applied to any resource if there is no policy to be applied
# to the user. # to the user.
default_policy: deny default_policy: deny
@ -251,7 +271,7 @@ regulation:
max_retries: 3 max_retries: 3
# The time range during which the user can attempt login before being banned. # The time range during which the user can attempt login before being banned.
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window. # The user is banned if the authentication failed 'max_retries' times in a 'find_time' seconds window.
find_time: 120 find_time: 120
# The length of time before a banned user can login again. # The length of time before a banned user can login again.

View File

@ -26,21 +26,32 @@ authentication_backend:
# The base dn for every entries # The base dn for every entries
base_dn: dc=example,dc=com base_dn: dc=example,dc=com
# The attribute holding the username of the user (introduced to handle
# case insensitive search queries: #561).
# Microsoft Active Directory usually uses 'sAMAccountName'
# OpenLDAP usually uses 'uid'
username_attribute: uid
# An additional dn to define the scope to all users # An additional dn to define the scope to all users
additional_users_dn: ou=users additional_users_dn: ou=users
# The users filter used to find the user DN # This attribute is optional. The user filter used in the LDAP search queries
# {0} is a matcher replaced by username. # is a combination of this filter and the username attribute.
# 'cn={0}' by default. # This filter is used to reduce the scope of users targeted by the LDAP search query.
users_filter: (cn={0}) # For instance, if the username attribute is set to 'uid', the computed filter is
# (&(uid=<username>)(objectClass=person))
# Recommended settings are as follows:
# Microsoft Active Directory '(&(objectCategory=person)(objectClass=user))'
# OpenLDAP '(objectClass=person)' or '(objectClass=inetOrgPerson)'
users_filter: (objectClass=person)
# An additional dn to define the scope of groups # An additional dn to define the scope of groups
additional_groups_dn: ou=groups additional_groups_dn: ou=groups
# The groups filter used for retrieving groups of a given user. # The groups filter used for retrieving groups of a given user.
# {0} is a matcher replaced by username. # {0} is a matcher replaced by username (as provided in login portal).
# {1} is a matcher replaced by username (as stored in LDAP).
# {dn} is a matcher replaced by user DN. # {dn} is a matcher replaced by user DN.
# {uid} is a matcher replaced by user uid.
# 'member={dn}' by default. # 'member={dn}' by default.
groups_filter: (&(member={dn})(objectclass=groupOfNames)) groups_filter: (&(member={dn})(objectclass=groupOfNames))

View File

@ -101,6 +101,7 @@ func (p *FileUserProvider) CheckUserPassword(username string, password string) (
func (p *FileUserProvider) GetDetails(username string) (*UserDetails, error) { func (p *FileUserProvider) GetDetails(username string) (*UserDetails, error) {
if details, ok := p.database.Users[username]; ok { if details, ok := p.database.Users[username]; ok {
return &UserDetails{ return &UserDetails{
Username: username,
Groups: details.Groups, Groups: details.Groups,
Emails: []string{details.Email}, Emails: []string{details.Email},
}, nil }, nil

View File

@ -85,6 +85,7 @@ func TestShouldRetrieveUserDetails(t *testing.T) {
provider := NewFileUserProvider(&config) provider := NewFileUserProvider(&config)
details, err := provider.GetDetails("john") details, err := provider.GetDetails("john")
assert.NoError(t, err) assert.NoError(t, err)
assert.Equal(t, details.Username, "john")
assert.Equal(t, details.Emails, []string{"john.doe@authelia.com"}) assert.Equal(t, details.Emails, []string{"john.doe@authelia.com"})
assert.Equal(t, details.Groups, []string{"admins", "dev"}) assert.Equal(t, details.Groups, []string{"admins", "dev"})
}) })

View File

@ -75,12 +75,12 @@ func (p *LDAPUserProvider) CheckUserPassword(username string, password string) (
} }
defer adminClient.Close() defer adminClient.Close()
userDN, err := p.getUserDN(adminClient, username) profile, err := p.getUserProfile(adminClient, username)
if err != nil { if err != nil {
return false, err return false, err
} }
conn, err := p.connect(userDN, password) conn, err := p.connect(profile.DN, password)
if err != nil { if err != nil {
return false, fmt.Errorf("Authentication of user %s failed. Cause: %s", username, err) return false, fmt.Errorf("Authentication of user %s failed. Cause: %s", username, err)
} }
@ -100,85 +100,82 @@ func (p *LDAPUserProvider) ldapEscape(input string) string {
return input return input
} }
func (p *LDAPUserProvider) getUserAttribute(conn LDAPConnection, username string, attribute string) ([]string, error) { type ldapUserProfile struct {
client, err := p.connect(p.configuration.User, p.configuration.Password) DN string
if err != nil { Emails []string
return nil, err Username string
} }
defer client.Close()
func (p *LDAPUserProvider) getUserProfile(conn LDAPConnection, username string) (*ldapUserProfile, error) {
username = p.ldapEscape(username) username = p.ldapEscape(username)
userFilter := strings.Replace(p.configuration.UsersFilter, "{0}", username, -1) userFilter := fmt.Sprintf("(%s=%s)", p.configuration.UsernameAttribute, username)
if p.configuration.UsersFilter != "" {
userFilter = fmt.Sprintf("(&%s%s)", userFilter, p.configuration.UsersFilter)
}
baseDN := p.configuration.BaseDN baseDN := p.configuration.BaseDN
if p.configuration.AdditionalUsersDN != "" { if p.configuration.AdditionalUsersDN != "" {
baseDN = p.configuration.AdditionalUsersDN + "," + baseDN baseDN = p.configuration.AdditionalUsersDN + "," + baseDN
} }
attributes := []string{"dn",
p.configuration.MailAttribute,
p.configuration.UsernameAttribute}
// Search for the given username // Search for the given username
searchRequest := ldap.NewSearchRequest( searchRequest := ldap.NewSearchRequest(
baseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, baseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases,
1, 0, false, userFilter, []string{attribute}, nil, 1, 0, false, userFilter, attributes, nil,
) )
sr, err := client.Search(searchRequest) sr, err := conn.Search(searchRequest)
if err != nil { if err != nil {
return nil, fmt.Errorf("Cannot find user DN of user %s. Cause: %s", username, err) return nil, fmt.Errorf("Cannot find user DN of user %s. Cause: %s", username, err)
} }
if len(sr.Entries) != 1 { if len(sr.Entries) == 0 {
return nil, fmt.Errorf("No %s found for user %s", attribute, username) return nil, fmt.Errorf("No user %s found", username)
} }
if attribute == "dn" { if len(sr.Entries) > 1 {
return []string{sr.Entries[0].DN}, nil return nil, fmt.Errorf("Multiple users %s found", username)
} }
return sr.Entries[0].Attributes[0].Values, nil userProfile := ldapUserProfile{
} DN: sr.Entries[0].DN,
}
func (p *LDAPUserProvider) getUserDN(conn LDAPConnection, username string) (string, error) { for _, attr := range sr.Entries[0].Attributes {
values, err := p.getUserAttribute(conn, username, "dn") if attr.Name == p.configuration.MailAttribute {
userProfile.Emails = attr.Values
if err != nil { } else if attr.Name == p.configuration.UsernameAttribute {
return "", err if len(attr.Values) != 1 {
return nil, fmt.Errorf("User %s cannot have multiple value for attribute %s", username, p.configuration.UsernameAttribute)
}
userProfile.Username = attr.Values[0]
}
} }
if len(values) != 1 { if userProfile.DN == "" {
return "", fmt.Errorf("DN attribute of user %s must be set", username) return nil, fmt.Errorf("No DN has been found for user %s", username)
} }
return values[0], nil return &userProfile, nil
}
func (p *LDAPUserProvider) getUserUID(conn LDAPConnection, username string) (string, error) {
values, err := p.getUserAttribute(conn, username, "uid")
if err != nil {
return "", err
}
if len(values) != 1 {
return "", fmt.Errorf("UID attribute of user %s must be set", username)
}
return values[0], nil
} }
func (p *LDAPUserProvider) createGroupsFilter(conn LDAPConnection, username string) (string, error) { func (p *LDAPUserProvider) createGroupsFilter(conn LDAPConnection, username string) (string, error) {
if strings.Contains(p.configuration.GroupsFilter, "{0}") { if strings.Contains(p.configuration.GroupsFilter, "{0}") {
return strings.Replace(p.configuration.GroupsFilter, "{0}", username, -1), nil return strings.Replace(p.configuration.GroupsFilter, "{0}", username, -1), nil
} else if strings.Contains(p.configuration.GroupsFilter, "{dn}") { } else if strings.Contains(p.configuration.GroupsFilter, "{dn}") {
userDN, err := p.getUserDN(conn, username) profile, err := p.getUserProfile(conn, username)
if err != nil { if err != nil {
return "", err return "", err
} }
return strings.Replace(p.configuration.GroupsFilter, "{dn}", userDN, -1), nil return strings.Replace(p.configuration.GroupsFilter, "{dn}", profile.DN, -1), nil
} else if strings.Contains(p.configuration.GroupsFilter, "{uid}") { } else if strings.Contains(p.configuration.GroupsFilter, "{1}") {
userUID, err := p.getUserUID(conn, username) profile, err := p.getUserProfile(conn, username)
if err != nil { if err != nil {
return "", err return "", err
} }
return strings.Replace(p.configuration.GroupsFilter, "{uid}", userUID, -1), nil return strings.Replace(p.configuration.GroupsFilter, "{1}", profile.Username, -1), nil
} }
return p.configuration.GroupsFilter, nil return p.configuration.GroupsFilter, nil
} }
@ -223,36 +220,14 @@ func (p *LDAPUserProvider) GetDetails(username string) (*UserDetails, error) {
groups = append(groups, res.Attributes[0].Values...) groups = append(groups, res.Attributes[0].Values...)
} }
userDN, err := p.getUserDN(conn, username) profile, err := p.getUserProfile(conn, username)
if err != nil { if err != nil {
return nil, err return nil, err
} }
searchEmailRequest := ldap.NewSearchRequest(
userDN, ldap.ScopeBaseObject, ldap.NeverDerefAliases,
0, 0, false, "(cn=*)", []string{p.configuration.MailAttribute}, nil,
)
sr, err = conn.Search(searchEmailRequest)
if err != nil {
return nil, fmt.Errorf("Unable to retrieve email of user %s. Cause: %s", username, err)
}
emails := make([]string, 0)
for _, res := range sr.Entries {
if len(res.Attributes) == 0 {
logging.Logger().Warningf("No email retrieved from LDAP for user %s", username)
break
}
// append all values of the document. Normally there should be only one per document.
emails = append(emails, res.Attributes[0].Values...)
}
return &UserDetails{ return &UserDetails{
Emails: emails, Username: profile.Username,
Emails: profile.Emails,
Groups: groups, Groups: groups,
}, nil }, nil
} }
@ -265,13 +240,13 @@ func (p *LDAPUserProvider) UpdatePassword(username string, newPassword string) e
return fmt.Errorf("Unable to update password. Cause: %s", err) return fmt.Errorf("Unable to update password. Cause: %s", err)
} }
userDN, err := p.getUserDN(client, username) profile, err := p.getUserProfile(client, username)
if err != nil { if err != nil {
return fmt.Errorf("Unable to update password. Cause: %s", err) return fmt.Errorf("Unable to update password. Cause: %s", err)
} }
modifyRequest := ldap.NewModifyRequest(userDN, nil) modifyRequest := ldap.NewModifyRequest(profile.DN, nil)
modifyRequest.Replace("userPassword", []string{newPassword}) modifyRequest.Replace("userPassword", []string{newPassword})

View File

@ -110,29 +110,42 @@ func TestShouldEscapeUserInput(t *testing.T) {
ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{ ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
URL: "ldap://127.0.0.1:389", URL: "ldap://127.0.0.1:389",
User: "cn=admin,dc=example,dc=com", User: "cn=admin,dc=example,dc=com",
UsernameAttribute: "uid",
Password: "password", Password: "password",
UsersFilter: "uid={0}",
AdditionalUsersDN: "ou=users", AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com", BaseDN: "dc=example,dc=com",
}, mockFactory) }, mockFactory)
mockFactory.EXPECT().
Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
Return(mockConn, nil)
mockConn.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
mockConn.EXPECT().
Close()
mockConn.EXPECT(). mockConn.EXPECT().
// Here we ensure that the input has been correctly escaped. // Here we ensure that the input has been correctly escaped.
Search(NewSearchRequestMatcher("uid=john\\=abc")). Search(NewSearchRequestMatcher("(uid=john\\=abc)")).
Return(&ldap.SearchResult{}, nil) Return(&ldap.SearchResult{}, nil)
ldapClient.getUserAttribute(mockConn, "john=abc", "dn") ldapClient.getUserProfile(mockConn, "john=abc")
}
func TestShouldCombineUsernameFilterAndUsersFilter(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPConnectionFactory(ctrl)
mockConn := NewMockLDAPConnection(ctrl)
ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
URL: "ldap://127.0.0.1:389",
User: "cn=admin,dc=example,dc=com",
UsernameAttribute: "uid",
UsersFilter: "(&(objectCategory=person)(objectClass=user))",
Password: "password",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
}, mockFactory)
mockConn.EXPECT().
Search(NewSearchRequestMatcher("(&(uid=john)(&(objectCategory=person)(objectClass=user)))")).
Return(&ldap.SearchResult{}, nil)
ldapClient.getUserProfile(mockConn, "john")
} }
func createSearchResultWithAttributes(attributes ...*ldap.EntryAttribute) *ldap.SearchResult { func createSearchResultWithAttributes(attributes ...*ldap.EntryAttribute) *ldap.SearchResult {
@ -160,6 +173,8 @@ func TestShouldNotCrashWhenGroupsAreNotRetrievedFromLDAP(t *testing.T) {
URL: "ldap://127.0.0.1:389", URL: "ldap://127.0.0.1:389",
User: "cn=admin,dc=example,dc=com", User: "cn=admin,dc=example,dc=com",
Password: "password", Password: "password",
UsernameAttribute: "uid",
MailAttribute: "mail",
UsersFilter: "uid={0}", UsersFilter: "uid={0}",
AdditionalUsersDN: "ou=users", AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com", BaseDN: "dc=example,dc=com",
@ -167,33 +182,46 @@ func TestShouldNotCrashWhenGroupsAreNotRetrievedFromLDAP(t *testing.T) {
mockFactory.EXPECT(). mockFactory.EXPECT().
Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")). Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
Return(mockConn, nil).Times(2) Return(mockConn, nil)
mockConn.EXPECT(). mockConn.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil). Return(nil)
Times(2)
mockConn.EXPECT(). mockConn.EXPECT().
Close().Times(2) Close()
searchGroups := mockConn.EXPECT(). searchGroups := mockConn.EXPECT().
Search(gomock.Any()). Search(gomock.Any()).
Return(createSearchResultWithAttributes(), nil) Return(createSearchResultWithAttributes(), nil)
searchUserDN := mockConn.EXPECT(). searchProfile := mockConn.EXPECT().
Search(gomock.Any()). Search(gomock.Any()).
Return(createSearchResultWithAttributeValues("uid=john,dc=example,dc=com"), nil) Return(&ldap.SearchResult{
searchEmails := mockConn.EXPECT(). Entries: []*ldap.Entry{
Search(gomock.Any()). &ldap.Entry{
Return(createSearchResultWithAttributeValues("test@example.com"), nil) DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
&ldap.EntryAttribute{
Name: "mail",
Values: []string{"test@example.com"},
},
&ldap.EntryAttribute{
Name: "uid",
Values: []string{"john"},
},
},
},
},
}, nil)
gomock.InOrder(searchGroups, searchUserDN, searchEmails) gomock.InOrder(searchGroups, searchProfile)
details, err := ldapClient.GetDetails("john") details, err := ldapClient.GetDetails("john")
require.NoError(t, err) require.NoError(t, err)
assert.ElementsMatch(t, details.Groups, []string{}) assert.ElementsMatch(t, details.Groups, []string{})
assert.ElementsMatch(t, details.Emails, []string{"test@example.com"}) assert.ElementsMatch(t, details.Emails, []string{"test@example.com"})
assert.Equal(t, details.Username, "john")
} }
func TestShouldNotCrashWhenEmailsAreNotRetrievedFromLDAP(t *testing.T) { func TestShouldNotCrashWhenEmailsAreNotRetrievedFromLDAP(t *testing.T) {
@ -207,6 +235,7 @@ func TestShouldNotCrashWhenEmailsAreNotRetrievedFromLDAP(t *testing.T) {
URL: "ldap://127.0.0.1:389", URL: "ldap://127.0.0.1:389",
User: "cn=admin,dc=example,dc=com", User: "cn=admin,dc=example,dc=com",
Password: "password", Password: "password",
UsernameAttribute: "uid",
UsersFilter: "uid={0}", UsersFilter: "uid={0}",
AdditionalUsersDN: "ou=users", AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com", BaseDN: "dc=example,dc=com",
@ -214,31 +243,102 @@ func TestShouldNotCrashWhenEmailsAreNotRetrievedFromLDAP(t *testing.T) {
mockFactory.EXPECT(). mockFactory.EXPECT().
Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")). Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
Return(mockConn, nil).Times(2) Return(mockConn, nil)
mockConn.EXPECT(). mockConn.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")). Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil). Return(nil)
Times(2)
mockConn.EXPECT(). mockConn.EXPECT().
Close().Times(2) Close()
searchGroups := mockConn.EXPECT(). searchGroups := mockConn.EXPECT().
Search(gomock.Any()). Search(gomock.Any()).
Return(createSearchResultWithAttributeValues("group1", "group2"), nil) Return(createSearchResultWithAttributeValues("group1", "group2"), nil)
searchUserDN := mockConn.EXPECT(). searchProfile := mockConn.EXPECT().
Search(gomock.Any()). Search(gomock.Any()).
Return(createSearchResultWithAttributeValues("uid=john,dc=example,dc=com"), nil) Return(&ldap.SearchResult{
searchEmails := mockConn.EXPECT(). Entries: []*ldap.Entry{
Search(gomock.Any()). &ldap.Entry{
Return(createSearchResultWithAttributes(), nil) DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
&ldap.EntryAttribute{
Name: "uid",
Values: []string{"john"},
},
},
},
},
}, nil)
gomock.InOrder(searchGroups, searchUserDN, searchEmails) gomock.InOrder(searchGroups, searchProfile)
details, err := ldapClient.GetDetails("john") details, err := ldapClient.GetDetails("john")
require.NoError(t, err) require.NoError(t, err)
assert.ElementsMatch(t, details.Groups, []string{"group1", "group2"}) assert.ElementsMatch(t, details.Groups, []string{"group1", "group2"})
assert.ElementsMatch(t, details.Emails, []string{}) assert.ElementsMatch(t, details.Emails, []string{})
assert.Equal(t, details.Username, "john")
}
func TestShouldReturnUsernameFromLDAP(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPConnectionFactory(ctrl)
mockConn := NewMockLDAPConnection(ctrl)
ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
URL: "ldap://127.0.0.1:389",
User: "cn=admin,dc=example,dc=com",
Password: "password",
UsernameAttribute: "uid",
MailAttribute: "mail",
UsersFilter: "uid={0}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
}, mockFactory)
mockFactory.EXPECT().
Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
Return(mockConn, nil)
mockConn.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
mockConn.EXPECT().
Close()
searchGroups := mockConn.EXPECT().
Search(gomock.Any()).
Return(createSearchResultWithAttributeValues("group1", "group2"), nil)
searchProfile := mockConn.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
&ldap.Entry{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
&ldap.EntryAttribute{
Name: "mail",
Values: []string{"test@example.com"},
},
&ldap.EntryAttribute{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil)
gomock.InOrder(searchGroups, searchProfile)
details, err := ldapClient.GetDetails("john")
require.NoError(t, err)
assert.ElementsMatch(t, details.Groups, []string{"group1", "group2"})
assert.ElementsMatch(t, details.Emails, []string{"test@example.com"})
assert.Equal(t, details.Username, "John")
} }

View File

@ -2,6 +2,7 @@ package authentication
// UserDetails represent the details retrieved for a given user. // UserDetails represent the details retrieved for a given user.
type UserDetails struct { type UserDetails struct {
Username string
Emails []string Emails []string
Groups []string Groups []string
} }

View File

@ -10,6 +10,7 @@ type LDAPAuthenticationBackendConfiguration struct {
AdditionalGroupsDN string `mapstructure:"additional_groups_dn"` AdditionalGroupsDN string `mapstructure:"additional_groups_dn"`
GroupsFilter string `mapstructure:"groups_filter"` GroupsFilter string `mapstructure:"groups_filter"`
GroupNameAttribute string `mapstructure:"group_name_attribute"` GroupNameAttribute string `mapstructure:"group_name_attribute"`
UsernameAttribute string `mapstructure:"username_attribute"`
MailAttribute string `mapstructure:"mail_attribute"` MailAttribute string `mapstructure:"mail_attribute"`
User string `mapstructure:"user"` User string `mapstructure:"user"`
Password string `mapstructure:"password"` Password string `mapstructure:"password"`

View File

@ -19,8 +19,9 @@ authentication_backend:
ldap: ldap:
url: ldap://127.0.0.1 url: ldap://127.0.0.1
base_dn: dc=example,dc=com base_dn: dc=example,dc=com
username_attribute: uid
additional_users_dn: ou=users additional_users_dn: ou=users
users_filter: (cn={0}) users_filter: (&(objectCategory=person)(objectClass=user))
additional_groups_dn: ou=groups additional_groups_dn: ou=groups
groups_filter: (&(member={dn})(objectclass=groupOfNames)) groups_filter: (&(member={dn})(objectclass=groupOfNames))
group_name_attribute: cn group_name_attribute: cn

View File

@ -121,20 +121,24 @@ func validateLdapAuthenticationBackend(configuration *schema.LDAPAuthenticationB
} }
if configuration.UsersFilter == "" { if configuration.UsersFilter == "" {
configuration.UsersFilter = "(cn={0})" validator.Push(errors.New("Please provide a users filter with `users_filter` attribute"))
} } else {
if !strings.HasPrefix(configuration.UsersFilter, "(") || !strings.HasSuffix(configuration.UsersFilter, ")") { if !strings.HasPrefix(configuration.UsersFilter, "(") || !strings.HasSuffix(configuration.UsersFilter, ")") {
validator.Push(errors.New("The users filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})")) validator.Push(errors.New("The users filter should contain enclosing parenthesis. For instance uid={0} should be (uid={0})"))
}
} }
if configuration.GroupsFilter == "" { if configuration.GroupsFilter == "" {
configuration.GroupsFilter = "(member={dn})" validator.Push(errors.New("Please provide a groups filter with `groups_filter` attribute"))
} } else {
if !strings.HasPrefix(configuration.GroupsFilter, "(") || !strings.HasSuffix(configuration.GroupsFilter, ")") { if !strings.HasPrefix(configuration.GroupsFilter, "(") || !strings.HasSuffix(configuration.GroupsFilter, ")") {
validator.Push(errors.New("The groups filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})")) validator.Push(errors.New("The groups filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})"))
} }
}
if configuration.UsernameAttribute == "" {
validator.Push(errors.New("Please provide a username attribute with `username_attribute`"))
}
if configuration.GroupNameAttribute == "" { if configuration.GroupNameAttribute == "" {
configuration.GroupNameAttribute = "cn" configuration.GroupNameAttribute = "cn"

View File

@ -169,6 +169,9 @@ func (suite *LdapAuthenticationBackendSuite) SetupTest() {
suite.configuration.Ldap.User = "user" suite.configuration.Ldap.User = "user"
suite.configuration.Ldap.Password = "password" suite.configuration.Ldap.Password = "password"
suite.configuration.Ldap.BaseDN = "base_dn" suite.configuration.Ldap.BaseDN = "base_dn"
suite.configuration.Ldap.UsernameAttribute = "uid"
suite.configuration.Ldap.UsersFilter = "(uid={0})"
suite.configuration.Ldap.GroupsFilter = "(cn={0})"
} }
func (suite *LdapAuthenticationBackendSuite) TestShouldValidateCompleteConfiguration() { func (suite *LdapAuthenticationBackendSuite) TestShouldValidateCompleteConfiguration() {
@ -204,16 +207,20 @@ func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseErrorWhenBaseDNNotPr
assert.EqualError(suite.T(), suite.validator.Errors()[0], "Please provide a base DN to connect to the LDAP server") assert.EqualError(suite.T(), suite.validator.Errors()[0], "Please provide a base DN to connect to the LDAP server")
} }
func (suite *LdapAuthenticationBackendSuite) TestShouldSetDefaultUsersFilter() { func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseOnEmptyFilterAndGroupsFilter() {
suite.configuration.Ldap.UsersFilter = ""
suite.configuration.Ldap.GroupsFilter = ""
ValidateAuthenticationBackend(&suite.configuration, suite.validator) ValidateAuthenticationBackend(&suite.configuration, suite.validator)
assert.Len(suite.T(), suite.validator.Errors(), 0) require.Len(suite.T(), suite.validator.Errors(), 2)
assert.Equal(suite.T(), "(cn={0})", suite.configuration.Ldap.UsersFilter) assert.EqualError(suite.T(), suite.validator.Errors()[0], "Please provide a users filter with `users_filter` attribute")
assert.EqualError(suite.T(), suite.validator.Errors()[1], "Please provide a groups filter with `groups_filter` attribute")
} }
func (suite *LdapAuthenticationBackendSuite) TestShouldSetDefaultGroupsFilter() { func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseOnEmptyUsernameAttribute() {
suite.configuration.Ldap.UsernameAttribute = ""
ValidateAuthenticationBackend(&suite.configuration, suite.validator) ValidateAuthenticationBackend(&suite.configuration, suite.validator)
assert.Len(suite.T(), suite.validator.Errors(), 0) require.Len(suite.T(), suite.validator.Errors(), 1)
assert.Equal(suite.T(), "(member={dn})", suite.configuration.Ldap.GroupsFilter) assert.EqualError(suite.T(), suite.validator.Errors()[0], "Please provide a username attribute with `username_attribute`")
} }
func (suite *LdapAuthenticationBackendSuite) TestShouldSetDefaultGroupNameAttribute() { func (suite *LdapAuthenticationBackendSuite) TestShouldSetDefaultGroupNameAttribute() {
@ -229,17 +236,17 @@ func (suite *LdapAuthenticationBackendSuite) TestShouldSetDefaultMailAttribute()
} }
func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseWhenUsersFilterDoesNotContainEnclosingParenthesis() { func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseWhenUsersFilterDoesNotContainEnclosingParenthesis() {
suite.configuration.Ldap.UsersFilter = "cn={0}" suite.configuration.Ldap.UsersFilter = "uid={0}"
ValidateAuthenticationBackend(&suite.configuration, suite.validator) ValidateAuthenticationBackend(&suite.configuration, suite.validator)
assert.Len(suite.T(), suite.validator.Errors(), 1) assert.Len(suite.T(), suite.validator.Errors(), 1)
assert.EqualError(suite.T(), suite.validator.Errors()[0], "The users filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})") assert.EqualError(suite.T(), suite.validator.Errors()[0], "The users filter should contain enclosing parenthesis. For instance uid={0} should be (uid={0})")
} }
func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseWhenGroupsFilterDoesNotContainEnclosingParenthesis() { func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseWhenGroupsFilterDoesNotContainEnclosingParenthesis() {
suite.configuration.Ldap.UsersFilter = "cn={0}" suite.configuration.Ldap.GroupsFilter = "cn={0}"
ValidateAuthenticationBackend(&suite.configuration, suite.validator) ValidateAuthenticationBackend(&suite.configuration, suite.validator)
assert.Len(suite.T(), suite.validator.Errors(), 1) assert.Len(suite.T(), suite.validator.Errors(), 1)
assert.EqualError(suite.T(), suite.validator.Errors()[0], "The users filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})") assert.EqualError(suite.T(), suite.validator.Errors()[0], "The groups filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})")
} }
func (suite *LdapAuthenticationBackendSuite) TestShouldAdaptLDAPURL() { func (suite *LdapAuthenticationBackendSuite) TestShouldAdaptLDAPURL() {

View File

@ -95,7 +95,7 @@ func FirstFactorPost(ctx *middlewares.AutheliaCtx) {
// And set those information in the new session. // And set those information in the new session.
userSession := ctx.GetSession() userSession := ctx.GetSession()
userSession.Username = bodyJSON.Username userSession.Username = userDetails.Username
userSession.Groups = userDetails.Groups userSession.Groups = userDetails.Groups
userSession.Emails = userDetails.Emails userSession.Emails = userDetails.Emails
userSession.AuthenticationLevel = authentication.OneFactor userSession.AuthenticationLevel = authentication.OneFactor

View File

@ -163,6 +163,7 @@ func (s *FirstFactorSuite) TestShouldAuthenticateUserWithRememberMeChecked() {
EXPECT(). EXPECT().
GetDetails(gomock.Eq("test")). GetDetails(gomock.Eq("test")).
Return(&authentication.UserDetails{ Return(&authentication.UserDetails{
Username: "test",
Emails: []string{"test@example.com"}, Emails: []string{"test@example.com"},
Groups: []string{"dev", "admins"}, Groups: []string{"dev", "admins"},
}, nil) }, nil)
@ -202,6 +203,7 @@ func (s *FirstFactorSuite) TestShouldAuthenticateUserWithRememberMeUnchecked() {
EXPECT(). EXPECT().
GetDetails(gomock.Eq("test")). GetDetails(gomock.Eq("test")).
Return(&authentication.UserDetails{ Return(&authentication.UserDetails{
Username: "test",
Emails: []string{"test@example.com"}, Emails: []string{"test@example.com"},
Groups: []string{"dev", "admins"}, Groups: []string{"dev", "admins"},
}, nil) }, nil)
@ -231,6 +233,49 @@ func (s *FirstFactorSuite) TestShouldAuthenticateUserWithRememberMeUnchecked() {
assert.Equal(s.T(), []string{"dev", "admins"}, session.Groups) assert.Equal(s.T(), []string{"dev", "admins"}, session.Groups)
} }
func (s *FirstFactorSuite) TestShouldSaveUsernameFromAuthenticationBackendInSession() {
s.mock.UserProviderMock.
EXPECT().
CheckUserPassword(gomock.Eq("test"), gomock.Eq("hello")).
Return(true, nil)
s.mock.UserProviderMock.
EXPECT().
GetDetails(gomock.Eq("test")).
Return(&authentication.UserDetails{
// This is the name in authentication backend, in some setups the binding is
// case insensitive but the user ID in session must match the user in LDAP
// for the other modules of Authelia to be coherent.
Username: "Test",
Emails: []string{"test@example.com"},
Groups: []string{"dev", "admins"},
}, nil)
s.mock.StorageProviderMock.
EXPECT().
AppendAuthenticationLog(gomock.Any()).
Return(nil)
s.mock.Ctx.Request.SetBodyString(`{
"username": "test",
"password": "hello",
"keepMeLoggedIn": true
}`)
FirstFactorPost(s.mock.Ctx)
// Respond with 200.
assert.Equal(s.T(), 200, s.mock.Ctx.Response.StatusCode())
assert.Equal(s.T(), []byte("{\"status\":\"OK\"}"), s.mock.Ctx.Response.Body())
// And store authentication in session.
session := s.mock.Ctx.GetSession()
assert.Equal(s.T(), "Test", session.Username)
assert.Equal(s.T(), true, session.KeepMeLoggedIn)
assert.Equal(s.T(), authentication.OneFactor, session.AuthenticationLevel)
assert.Equal(s.T(), []string{"test@example.com"}, session.Emails)
assert.Equal(s.T(), []string{"dev", "admins"}, session.Groups)
}
type FirstFactorRedirectionSuite struct { type FirstFactorRedirectionSuite struct {
suite.Suite suite.Suite
@ -259,6 +304,7 @@ func (s *FirstFactorRedirectionSuite) SetupTest() {
EXPECT(). EXPECT().
GetDetails(gomock.Eq("test")). GetDetails(gomock.Eq("test")).
Return(&authentication.UserDetails{ Return(&authentication.UserDetails{
Username: "test",
Emails: []string{"test@example.com"}, Emails: []string{"test@example.com"},
Groups: []string{"dev", "admins"}, Groups: []string{"dev", "admins"},
}, nil) }, nil)

View File

@ -2,117 +2,30 @@
# Authelia configuration # # Authelia configuration #
############################################################### ###############################################################
# The port to listen on
port: 9091 port: 9091
# Log level
#
# Level of verbosity for logs
log_level: debug log_level: debug
jwt_secret: unsecure_secret jwt_secret: unsecure_secret
# TOTP Issuer Name
#
# This will be the issuer name displayed in Google Authenticator
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
totp: totp:
issuer: authelia.com issuer: authelia.com
# The authentication backend to use for verifying user passwords
# and retrieve information such as email address and groups
# users belong to.
#
# There are two supported backends: `ldap` and `file`.
authentication_backend: authentication_backend:
# LDAP backend configuration.
#
# This backend allows Authelia to be scaled to more
# than one instance and therefore is recommended for
# production.
ldap: ldap:
# The url of the ldap server
url: ldap://openldap url: ldap://openldap
# The base dn for every entries
base_dn: dc=example,dc=com base_dn: dc=example,dc=com
username_attribute: uid
# An additional dn to define the scope to all users
additional_users_dn: ou=users additional_users_dn: ou=users
users_filter: (objectClass=person)
# The users filter used to find the user DN
# {0} is a matcher replaced by username.
# 'cn={0}' by default.
users_filter: (cn={0})
# An additional dn to define the scope of groups
additional_groups_dn: ou=groups additional_groups_dn: ou=groups
# The groups filter used for retrieving groups of a given user.
# {0} is a matcher replaced by username.
# {dn} is a matcher replaced by user DN.
# 'member={dn}' by default.
groups_filter: (&(member={dn})(objectclass=groupOfNames)) groups_filter: (&(member={dn})(objectclass=groupOfNames))
# The attribute holding the name of the group
group_name_attribute: cn group_name_attribute: cn
# The attribute holding the mail address of the user
mail_attribute: mail mail_attribute: mail
# The username and password of the admin user.
user: cn=admin,dc=example,dc=com user: cn=admin,dc=example,dc=com
password: password password: password
# File backend configuration.
#
# With this backend, the users database is stored in a file
# which is updated when users reset their passwords.
# Therefore, this backend is meant to be used in a dev environment
# and not in production since it prevents Authelia to be scaled to
# more than one instance.
#
## file:
## path: ./users_database.yml
# Access Control
#
# Access control is a list of rules defining the authorizations applied for one
# resource to users or group of users.
#
# If 'access_control' is not defined, ACL rules are disabled and the `bypass`
# rule is applied, i.e., access is allowed to anyone. Otherwise restrictions follow
# the rules defined.
#
# Note: One can use the wildcard * to match any subdomain.
# It must stand at the beginning of the pattern. (example: *.mydomain.com)
#
# Note: You must put patterns containing wildcards between simple quotes for the YAML
# to be syntaxically correct.
#
# Definition: A `rule` is an object with the following keys: `domain`, `subject`,
# `policy` and `resources`.
#
# - `domain` defines which domain or set of domains the rule applies to.
#
# - `subject` defines the subject to apply authorizations to. This parameter is
# optional and matching any user if not provided. If provided, the parameter
# represents either a user or a group. It should be of the form 'user:<username>'
# or 'group:<groupname>'.
#
# - `policy` is the policy to apply to resources. It must be either `bypass`,
# `one_factor`, `two_factor` or `deny`.
#
# - `resources` is a list of regular expressions that matches a set of resources to
# apply the policy to. This parameter is optional and matches any resource if not
# provided.
#
# Note: the order of the rules is important. The first policy matching
# (domain, resource, subject) applies.
access_control: access_control:
# Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`.
# It is the policy applied to any resource if there is no policy to be applied
# to the user.
default_policy: deny default_policy: deny
rules: rules:
@ -162,55 +75,23 @@ access_control:
subject: "user:bob" subject: "user:bob"
policy: two_factor policy: two_factor
# Configuration of session cookies
#
# The session cookies identify the user once logged in.
session: session:
# The name of the session cookie. (default: authelia_session).
name: authelia_session name: authelia_session
# The secret to encrypt the session cookie.
secret: unsecure_session_secret secret: unsecure_session_secret
# The time in ms before the cookie expires and session is reset.
expiration: 3600 # 1 hour expiration: 3600 # 1 hour
# The inactivity time in ms before the session is reset.
inactivity: 300 # 5 minutes inactivity: 300 # 5 minutes
# The domain to protect.
# Note: the authenticator must also be in that domain. If empty, the cookie
# is restricted to the subdomain of the issuer.
domain: example.com domain: example.com
# The redis connection details
redis: redis:
host: redis host: redis
port: 6379 port: 6379
password: authelia password: authelia
# Configuration of the authentication regulation mechanism.
#
# This mechanism prevents attackers from brute forcing the first factor.
# It bans the user if too many attempts are done in a short period of
# time.
regulation: regulation:
# The number of failed login attempts before user is banned.
# Set it to 0 to disable regulation.
max_retries: 3 max_retries: 3
# The time range during which the user can attempt login before being banned.
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
find_time: 8 find_time: 8
# The length of time before a banned user can login again.
ban_time: 10 ban_time: 10
# Configuration of the storage backend used to store data and secrets.
#
# You must use only an available configuration: local, sql
storage: storage:
# Settings to connect to mariadb server
mysql: mysql:
host: mariadb host: mariadb
port: 3306 port: 3306
@ -218,13 +99,7 @@ storage:
username: admin username: admin
password: password password: password
# Configuration of the notification system.
#
# Notifications are sent to users when they require a password reset, a u2f
# registration or a TOTP registration.
# Use only an available configuration: filesystem, gmail
notifier: notifier:
# Use a SMTP server for sending notifications
smtp: smtp:
host: smtp host: smtp
port: 1025 port: 1025

View File

@ -12,39 +12,16 @@ jwt_secret: very_important_secret
authentication_backend: authentication_backend:
ldap: ldap:
# The url of the ldap server
url: ldaps://openldap url: ldaps://openldap
# Skip certificate verification (for self-signed certificates)
skip_verify: true skip_verify: true
# The base dn for every entries
base_dn: dc=example,dc=com base_dn: dc=example,dc=com
username_attribute: uid
# An additional dn to define the scope to all users
additional_users_dn: ou=users additional_users_dn: ou=users
users_filter: (objectClass=person)
# The users filter used to find the user DN
# {0} is a matcher replaced by username.
# 'cn={0}' by default.
users_filter: (cn={0})
# An additional dn to define the scope of groups
additional_groups_dn: ou=groups additional_groups_dn: ou=groups
# The groups filter used for retrieving groups of a given user.
# {0} is a matcher replaced by username.
# {dn} is a matcher replaced by user DN.
# 'member={dn}' by default.
groups_filter: (&(member={dn})(objectclass=groupOfNames)) groups_filter: (&(member={dn})(objectclass=groupOfNames))
# The attribute holding the name of the group
group_name_attribute: cn group_name_attribute: cn
# The attribute holding the mail address of the user
mail_attribute: mail mail_attribute: mail
# The username and password of the admin user.
user: cn=admin,dc=example,dc=com user: cn=admin,dc=example,dc=com
password: password password: password
@ -54,15 +31,10 @@ session:
expiration: 3600 # 1 hour expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes inactivity: 300 # 5 minutes
# Configuration of the storage backend used to store data and secrets. i.e. totp data
storage: storage:
local: local:
path: /var/lib/authelia/db.sqlite3 path: /var/lib/authelia/db.sqlite3
# TOTP Issuer Name
#
# This will be the issuer name displayed in Google Authenticator
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
totp: totp:
issuer: example.com issuer: example.com
@ -78,19 +50,12 @@ access_control:
- domain: "singlefactor.example.com" - domain: "singlefactor.example.com"
policy: one_factor policy: one_factor
# Configuration of the authentication regulation mechanism.
regulation: regulation:
# Set it to 0 to disable max_retries.
max_retries: 3 max_retries: 3
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
find_time: 300 find_time: 300
# The length of time before a banned user can login again.
ban_time: 900 ban_time: 900
notifier: notifier:
# Use a SMTP server for sending notifications
smtp: smtp:
host: smtp host: smtp
port: 1025 port: 1025

View File

@ -16,5 +16,7 @@ services:
- './example/compose/ldap/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom' - './example/compose/ldap/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom'
command: command:
- '--copy-service' - '--copy-service'
- '--loglevel'
- 'debug'
networks: networks:
- authelianet - authelianet

View File

@ -10,18 +10,19 @@ ou: users
dn: cn=dev,ou=groups,dc=example,dc=com dn: cn=dev,ou=groups,dc=example,dc=com
cn: dev cn: dev
member: cn=john,ou=users,dc=example,dc=com member: uid=john,ou=users,dc=example,dc=com
member: cn=bob,ou=users,dc=example,dc=com member: uid=bob,ou=users,dc=example,dc=com
objectclass: groupOfNames objectclass: groupOfNames
objectclass: top objectclass: top
dn: cn=admins,ou=groups,dc=example,dc=com dn: cn=admins,ou=groups,dc=example,dc=com
cn: admins cn: admins
member: cn=john,ou=users,dc=example,dc=com member: uid=john,ou=users,dc=example,dc=com
objectclass: groupOfNames objectclass: groupOfNames
objectclass: top objectclass: top
dn: cn=john,ou=users,dc=example,dc=com dn: uid=john,ou=users,dc=example,dc=com
uid: john
cn: john cn: john
objectclass: inetOrgPerson objectclass: inetOrgPerson
objectclass: top objectclass: top
@ -29,7 +30,8 @@ mail: john.doe@authelia.com
sn: John Doe sn: John Doe
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/ userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
dn: cn=harry,ou=users,dc=example,dc=com dn: uid=harry,ou=users,dc=example,dc=com
uid: harry
cn: harry cn: harry
objectclass: inetOrgPerson objectclass: inetOrgPerson
objectclass: top objectclass: top
@ -37,7 +39,8 @@ mail: harry.potter@authelia.com
sn: Harry Potter sn: Harry Potter
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/ userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
dn: cn=bob,ou=users,dc=example,dc=com dn: uid=bob,ou=users,dc=example,dc=com
uid: bob
cn: bob cn: bob
objectclass: inetOrgPerson objectclass: inetOrgPerson
objectclass: top objectclass: top
@ -45,7 +48,8 @@ mail: bob.dylan@authelia.com
sn: Bob Dylan sn: Bob Dylan
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/ userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
dn: cn=james,ou=users,dc=example,dc=com dn: uid=james,ou=users,dc=example,dc=com
uid: james
cn: james cn: james
objectclass: inetOrgPerson objectclass: inetOrgPerson
objectclass: top objectclass: top
@ -53,7 +57,8 @@ mail: james.dean@authelia.com
sn: James Dean sn: James Dean
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/ userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
dn: cn=blackhat,ou=users,dc=example,dc=com dn: uid=blackhat,ou=users,dc=example,dc=com
uid: blackhat
cn: blackhat cn: blackhat
objectclass: inetOrgPerson objectclass: inetOrgPerson
objectclass: top objectclass: top

View File

@ -12,8 +12,9 @@ authentication_backend:
url: ldaps://ldap-service url: ldaps://ldap-service
skip_verify: true skip_verify: true
base_dn: dc=example,dc=com base_dn: dc=example,dc=com
username_attribute: uid
additional_users_dn: ou=users additional_users_dn: ou=users
users_filter: (cn={0}) users_filter: (objectClass=person)
additional_groups_dn: ou=groups additional_groups_dn: ou=groups
groups_filter: (&(member={dn})(objectclass=groupOfNames)) groups_filter: (&(member={dn})(objectclass=groupOfNames))
group_name_attribute: cn group_name_attribute: cn

View File

@ -10,18 +10,19 @@ ou: users
dn: cn=dev,ou=groups,dc=example,dc=com dn: cn=dev,ou=groups,dc=example,dc=com
cn: dev cn: dev
member: cn=john,ou=users,dc=example,dc=com member: uid=john,ou=users,dc=example,dc=com
member: cn=bob,ou=users,dc=example,dc=com member: uid=bob,ou=users,dc=example,dc=com
objectclass: groupOfNames objectclass: groupOfNames
objectclass: top objectclass: top
dn: cn=admins,ou=groups,dc=example,dc=com dn: cn=admins,ou=groups,dc=example,dc=com
cn: admins cn: admins
member: cn=john,ou=users,dc=example,dc=com member: uid=john,ou=users,dc=example,dc=com
objectclass: groupOfNames objectclass: groupOfNames
objectclass: top objectclass: top
dn: cn=john,ou=users,dc=example,dc=com dn: uid=john,ou=users,dc=example,dc=com
uid: john
cn: john cn: john
objectclass: inetOrgPerson objectclass: inetOrgPerson
objectclass: top objectclass: top
@ -29,7 +30,8 @@ mail: john.doe@authelia.com
sn: John Doe sn: John Doe
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/ userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
dn: cn=harry,ou=users,dc=example,dc=com dn: uid=harry,ou=users,dc=example,dc=com
uid: harry
cn: harry cn: harry
objectclass: inetOrgPerson objectclass: inetOrgPerson
objectclass: top objectclass: top
@ -37,7 +39,8 @@ mail: harry.potter@authelia.com
sn: Harry Potter sn: Harry Potter
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/ userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
dn: cn=bob,ou=users,dc=example,dc=com dn: uid=bob,ou=users,dc=example,dc=com
uid: bob
cn: bob cn: bob
objectclass: inetOrgPerson objectclass: inetOrgPerson
objectclass: top objectclass: top
@ -45,7 +48,8 @@ mail: bob.dylan@authelia.com
sn: Bob Dylan sn: Bob Dylan
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/ userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
dn: cn=james,ou=users,dc=example,dc=com dn: uid=james,ou=users,dc=example,dc=com
uid: james
cn: james cn: james
objectclass: inetOrgPerson objectclass: inetOrgPerson
objectclass: top objectclass: top
@ -53,7 +57,8 @@ mail: james.dean@authelia.com
sn: James Dean sn: James Dean
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/ userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
dn: cn=blackhat,ou=users,dc=example,dc=com dn: uid=blackhat,ou=users,dc=example,dc=com
uid: blackhat
cn: blackhat cn: blackhat
objectclass: inetOrgPerson objectclass: inetOrgPerson
objectclass: top objectclass: top

View File

@ -31,7 +31,7 @@ func init() {
return waitUntilAutheliaBackendIsReady(haDockerEnvironment) return waitUntilAutheliaBackendIsReady(haDockerEnvironment)
} }
onSetupTimeout := func() error { displayAutheliaLogs := func() error {
backendLogs, err := haDockerEnvironment.Logs("authelia-backend", nil) backendLogs, err := haDockerEnvironment.Logs("authelia-backend", nil)
if err != nil { if err != nil {
return err return err
@ -53,10 +53,11 @@ func init() {
GlobalRegistry.Register(highAvailabilitySuiteName, Suite{ GlobalRegistry.Register(highAvailabilitySuiteName, Suite{
SetUp: setup, SetUp: setup,
SetUpTimeout: 5 * time.Minute, SetUpTimeout: 5 * time.Minute,
OnSetupTimeout: onSetupTimeout, OnSetupTimeout: displayAutheliaLogs,
TestTimeout: 5 * time.Minute, TestTimeout: 5 * time.Minute,
TearDown: teardown, TearDown: teardown,
TearDownTimeout: 2 * time.Minute, TearDownTimeout: 2 * time.Minute,
OnError: displayAutheliaLogs,
Description: `This suite is made to test Authelia in a *complete* Description: `This suite is made to test Authelia in a *complete*
environment, that is, with all components making Authelia highly available.`, environment, that is, with all components making Authelia highly available.`,
}) })

View File

@ -30,7 +30,7 @@ func init() {
return waitUntilAutheliaBackendIsReady(dockerEnvironment) return waitUntilAutheliaBackendIsReady(dockerEnvironment)
} }
onSetupTimeout := func() error { displayAutheliaLogs := func() error {
backendLogs, err := dockerEnvironment.Logs("authelia-backend", nil) backendLogs, err := dockerEnvironment.Logs("authelia-backend", nil)
if err != nil { if err != nil {
return err return err
@ -53,9 +53,10 @@ func init() {
GlobalRegistry.Register(ldapSuiteName, Suite{ GlobalRegistry.Register(ldapSuiteName, Suite{
SetUp: setup, SetUp: setup,
SetUpTimeout: 5 * time.Minute, SetUpTimeout: 5 * time.Minute,
OnSetupTimeout: onSetupTimeout, OnSetupTimeout: displayAutheliaLogs,
TestTimeout: 1 * time.Minute, TestTimeout: 1 * time.Minute,
TearDown: teardown, TearDown: teardown,
TearDownTimeout: 2 * time.Minute, TearDownTimeout: 2 * time.Minute,
OnError: displayAutheliaLogs,
}) })
} }