[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687)
* [BUGFIX] Set username retrieved from authentication backend in session. In some setups, binding is case insensitive but Authelia is case sensitive and therefore need the actual username as stored in the authentication backend in order for Authelia to work correctly. Fixes #561. * Use uid attribute as unique user identifier in suites. * Fix the integration tests. * Update config.template.yml * Compute user filter based on username attribute and users_filter. The filter provided in users_filter is now combined with a filter based on the username attribute to perform the LDAP search query finding a user object from the username. * Fix LDAP based integration tests. * Update `users_filter` reference examplespull/708/head
parent
7a3d43a12a
commit
cc6650dbcd
|
@ -8,7 +8,13 @@ breaking changes and about what you should do to overcome those changes.
|
|||
|
||||
## Breaking in v4.7.0
|
||||
|
||||
`logs_level` configuration key has been renamed to `log_level`.
|
||||
* `logs_level` configuration key has been renamed to `log_level`.
|
||||
* `users_filter` was a search pattern for a given user with the `{0}` matcher replaced with the
|
||||
actual username. In v4.7.0, `username_attribute` has been introduced. Consequently, the computed
|
||||
user filter utilised by the LDAP search query is a combination of filters based on the
|
||||
`username_attribute` and `users_filter`. `users_filter` now reduces the scope of users targeted by
|
||||
the LDAP search query. For instance if `username_attribute` is set to `uid` and `users_filter` is
|
||||
set to `(objectClass=person)` then the computed filter is `(&(uid=john)(objectClass=person))`.
|
||||
|
||||
## Breaking in v4.0.0
|
||||
|
||||
|
|
|
@ -56,7 +56,7 @@ duo_api:
|
|||
# and retrieve information such as email address and groups
|
||||
# users belong to.
|
||||
#
|
||||
# There are two supported backends: `ldap` and `file`.
|
||||
# There are two supported backends: 'ldap' and 'file'.
|
||||
authentication_backend:
|
||||
# LDAP backend configuration.
|
||||
#
|
||||
|
@ -66,28 +66,48 @@ authentication_backend:
|
|||
ldap:
|
||||
# The url to the ldap server. Scheme can be ldap:// or ldaps://
|
||||
url: ldap://127.0.0.1
|
||||
|
||||
# Skip verifying the server certificate (to allow self-signed certificate).
|
||||
skip_verify: false
|
||||
|
||||
# The base dn for every entries
|
||||
base_dn: dc=example,dc=com
|
||||
|
||||
# The attribute holding the username of the user (introduced to handle
|
||||
# case insensitive search queries: #561).
|
||||
# Microsoft Active Directory usually uses 'sAMAccountName'
|
||||
# OpenLDAP usually uses 'uid'
|
||||
username_attribute: uid
|
||||
|
||||
# An additional dn to define the scope to all users
|
||||
additional_users_dn: ou=users
|
||||
# The users filter used to find the user DN
|
||||
# {0} is a matcher replaced by username.
|
||||
# 'cn={0}' by default.
|
||||
users_filter: (cn={0})
|
||||
|
||||
# This attribute is optional. The user filter used in the LDAP search queries
|
||||
# is a combination of this filter and the username attribute.
|
||||
# This filter is used to reduce the scope of users targeted by the LDAP search query.
|
||||
# For instance, if the username attribute is set to 'uid', the computed filter is
|
||||
# (&(uid=<username>)(objectClass=person))
|
||||
# Recommended settings are as follows:
|
||||
# Microsoft Active Directory '(&(objectCategory=person)(objectClass=user))'
|
||||
# OpenLDAP '(objectClass=person)' or '(objectClass=inetOrgPerson)'
|
||||
users_filter: (objectClass=person)
|
||||
|
||||
# An additional dn to define the scope of groups
|
||||
additional_groups_dn: ou=groups
|
||||
|
||||
# The groups filter used for retrieving groups of a given user.
|
||||
# {0} is a matcher replaced by username.
|
||||
# {0} is a matcher replaced by username (as provided in login portal).
|
||||
# {1} is a matcher replaced by username (as stored in LDAP).
|
||||
# {dn} is a matcher replaced by user DN.
|
||||
# {uid} is a matcher replaced by user uid.
|
||||
# 'member={dn}' by default.
|
||||
groups_filter: (&(member={dn})(objectclass=groupOfNames))
|
||||
|
||||
# The attribute holding the name of the group
|
||||
group_name_attribute: cn
|
||||
|
||||
# The attribute holding the mail address of the user
|
||||
mail_attribute: mail
|
||||
|
||||
# The username and password of the admin user.
|
||||
user: cn=admin,dc=example,dc=com
|
||||
# This secret can also be set using the env variables AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD
|
||||
|
@ -119,7 +139,7 @@ authentication_backend:
|
|||
# Access control is a list of rules defining the authorizations applied for one
|
||||
# resource to users or group of users.
|
||||
#
|
||||
# If 'access_control' is not defined, ACL rules are disabled and the `bypass`
|
||||
# If 'access_control' is not defined, ACL rules are disabled and the 'bypass'
|
||||
# rule is applied, i.e., access is allowed to anyone. Otherwise restrictions follow
|
||||
# the rules defined.
|
||||
#
|
||||
|
@ -129,27 +149,27 @@ authentication_backend:
|
|||
# Note: You must put patterns containing wildcards between simple quotes for the YAML
|
||||
# to be syntactically correct.
|
||||
#
|
||||
# Definition: A `rule` is an object with the following keys: `domain`, `subject`,
|
||||
# `policy` and `resources`.
|
||||
# Definition: A 'rule' is an object with the following keys: 'domain', 'subject',
|
||||
# 'policy' and 'resources'.
|
||||
#
|
||||
# - `domain` defines which domain or set of domains the rule applies to.
|
||||
# - 'domain' defines which domain or set of domains the rule applies to.
|
||||
#
|
||||
# - `subject` defines the subject to apply authorizations to. This parameter is
|
||||
# - 'subject' defines the subject to apply authorizations to. This parameter is
|
||||
# optional and matching any user if not provided. If provided, the parameter
|
||||
# represents either a user or a group. It should be of the form 'user:<username>'
|
||||
# or 'group:<groupname>'.
|
||||
#
|
||||
# - `policy` is the policy to apply to resources. It must be either `bypass`,
|
||||
# `one_factor`, `two_factor` or `deny`.
|
||||
# - 'policy' is the policy to apply to resources. It must be either 'bypass',
|
||||
# 'one_factor', 'two_factor' or 'deny'.
|
||||
#
|
||||
# - `resources` is a list of regular expressions that matches a set of resources to
|
||||
# - 'resources' is a list of regular expressions that matches a set of resources to
|
||||
# apply the policy to. This parameter is optional and matches any resource if not
|
||||
# provided.
|
||||
#
|
||||
# Note: the order of the rules is important. The first policy matching
|
||||
# (domain, resource, subject) applies.
|
||||
access_control:
|
||||
# Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`.
|
||||
# Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'.
|
||||
# It is the policy applied to any resource if there is no policy to be applied
|
||||
# to the user.
|
||||
default_policy: deny
|
||||
|
@ -251,7 +271,7 @@ regulation:
|
|||
max_retries: 3
|
||||
|
||||
# The time range during which the user can attempt login before being banned.
|
||||
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||
# The user is banned if the authentication failed 'max_retries' times in a 'find_time' seconds window.
|
||||
find_time: 120
|
||||
|
||||
# The length of time before a banned user can login again.
|
||||
|
|
|
@ -26,21 +26,32 @@ authentication_backend:
|
|||
# The base dn for every entries
|
||||
base_dn: dc=example,dc=com
|
||||
|
||||
# The attribute holding the username of the user (introduced to handle
|
||||
# case insensitive search queries: #561).
|
||||
# Microsoft Active Directory usually uses 'sAMAccountName'
|
||||
# OpenLDAP usually uses 'uid'
|
||||
username_attribute: uid
|
||||
|
||||
# An additional dn to define the scope to all users
|
||||
additional_users_dn: ou=users
|
||||
|
||||
# The users filter used to find the user DN
|
||||
# {0} is a matcher replaced by username.
|
||||
# 'cn={0}' by default.
|
||||
users_filter: (cn={0})
|
||||
# This attribute is optional. The user filter used in the LDAP search queries
|
||||
# is a combination of this filter and the username attribute.
|
||||
# This filter is used to reduce the scope of users targeted by the LDAP search query.
|
||||
# For instance, if the username attribute is set to 'uid', the computed filter is
|
||||
# (&(uid=<username>)(objectClass=person))
|
||||
# Recommended settings are as follows:
|
||||
# Microsoft Active Directory '(&(objectCategory=person)(objectClass=user))'
|
||||
# OpenLDAP '(objectClass=person)' or '(objectClass=inetOrgPerson)'
|
||||
users_filter: (objectClass=person)
|
||||
|
||||
# An additional dn to define the scope of groups
|
||||
additional_groups_dn: ou=groups
|
||||
|
||||
# The groups filter used for retrieving groups of a given user.
|
||||
# {0} is a matcher replaced by username.
|
||||
# {0} is a matcher replaced by username (as provided in login portal).
|
||||
# {1} is a matcher replaced by username (as stored in LDAP).
|
||||
# {dn} is a matcher replaced by user DN.
|
||||
# {uid} is a matcher replaced by user uid.
|
||||
# 'member={dn}' by default.
|
||||
groups_filter: (&(member={dn})(objectclass=groupOfNames))
|
||||
|
||||
|
|
|
@ -101,6 +101,7 @@ func (p *FileUserProvider) CheckUserPassword(username string, password string) (
|
|||
func (p *FileUserProvider) GetDetails(username string) (*UserDetails, error) {
|
||||
if details, ok := p.database.Users[username]; ok {
|
||||
return &UserDetails{
|
||||
Username: username,
|
||||
Groups: details.Groups,
|
||||
Emails: []string{details.Email},
|
||||
}, nil
|
||||
|
|
|
@ -85,6 +85,7 @@ func TestShouldRetrieveUserDetails(t *testing.T) {
|
|||
provider := NewFileUserProvider(&config)
|
||||
details, err := provider.GetDetails("john")
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, details.Username, "john")
|
||||
assert.Equal(t, details.Emails, []string{"john.doe@authelia.com"})
|
||||
assert.Equal(t, details.Groups, []string{"admins", "dev"})
|
||||
})
|
||||
|
|
|
@ -75,12 +75,12 @@ func (p *LDAPUserProvider) CheckUserPassword(username string, password string) (
|
|||
}
|
||||
defer adminClient.Close()
|
||||
|
||||
userDN, err := p.getUserDN(adminClient, username)
|
||||
profile, err := p.getUserProfile(adminClient, username)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
||||
conn, err := p.connect(userDN, password)
|
||||
conn, err := p.connect(profile.DN, password)
|
||||
if err != nil {
|
||||
return false, fmt.Errorf("Authentication of user %s failed. Cause: %s", username, err)
|
||||
}
|
||||
|
@ -100,85 +100,82 @@ func (p *LDAPUserProvider) ldapEscape(input string) string {
|
|||
return input
|
||||
}
|
||||
|
||||
func (p *LDAPUserProvider) getUserAttribute(conn LDAPConnection, username string, attribute string) ([]string, error) {
|
||||
client, err := p.connect(p.configuration.User, p.configuration.Password)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
type ldapUserProfile struct {
|
||||
DN string
|
||||
Emails []string
|
||||
Username string
|
||||
}
|
||||
defer client.Close()
|
||||
|
||||
func (p *LDAPUserProvider) getUserProfile(conn LDAPConnection, username string) (*ldapUserProfile, error) {
|
||||
username = p.ldapEscape(username)
|
||||
userFilter := strings.Replace(p.configuration.UsersFilter, "{0}", username, -1)
|
||||
userFilter := fmt.Sprintf("(%s=%s)", p.configuration.UsernameAttribute, username)
|
||||
if p.configuration.UsersFilter != "" {
|
||||
userFilter = fmt.Sprintf("(&%s%s)", userFilter, p.configuration.UsersFilter)
|
||||
}
|
||||
baseDN := p.configuration.BaseDN
|
||||
if p.configuration.AdditionalUsersDN != "" {
|
||||
baseDN = p.configuration.AdditionalUsersDN + "," + baseDN
|
||||
}
|
||||
|
||||
attributes := []string{"dn",
|
||||
p.configuration.MailAttribute,
|
||||
p.configuration.UsernameAttribute}
|
||||
|
||||
// Search for the given username
|
||||
searchRequest := ldap.NewSearchRequest(
|
||||
baseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases,
|
||||
1, 0, false, userFilter, []string{attribute}, nil,
|
||||
1, 0, false, userFilter, attributes, nil,
|
||||
)
|
||||
|
||||
sr, err := client.Search(searchRequest)
|
||||
sr, err := conn.Search(searchRequest)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("Cannot find user DN of user %s. Cause: %s", username, err)
|
||||
}
|
||||
|
||||
if len(sr.Entries) != 1 {
|
||||
return nil, fmt.Errorf("No %s found for user %s", attribute, username)
|
||||
if len(sr.Entries) == 0 {
|
||||
return nil, fmt.Errorf("No user %s found", username)
|
||||
}
|
||||
|
||||
if attribute == "dn" {
|
||||
return []string{sr.Entries[0].DN}, nil
|
||||
if len(sr.Entries) > 1 {
|
||||
return nil, fmt.Errorf("Multiple users %s found", username)
|
||||
}
|
||||
|
||||
return sr.Entries[0].Attributes[0].Values, nil
|
||||
userProfile := ldapUserProfile{
|
||||
DN: sr.Entries[0].DN,
|
||||
}
|
||||
for _, attr := range sr.Entries[0].Attributes {
|
||||
if attr.Name == p.configuration.MailAttribute {
|
||||
userProfile.Emails = attr.Values
|
||||
} else if attr.Name == p.configuration.UsernameAttribute {
|
||||
if len(attr.Values) != 1 {
|
||||
return nil, fmt.Errorf("User %s cannot have multiple value for attribute %s", username, p.configuration.UsernameAttribute)
|
||||
}
|
||||
userProfile.Username = attr.Values[0]
|
||||
}
|
||||
}
|
||||
|
||||
func (p *LDAPUserProvider) getUserDN(conn LDAPConnection, username string) (string, error) {
|
||||
values, err := p.getUserAttribute(conn, username, "dn")
|
||||
|
||||
if err != nil {
|
||||
return "", err
|
||||
if userProfile.DN == "" {
|
||||
return nil, fmt.Errorf("No DN has been found for user %s", username)
|
||||
}
|
||||
|
||||
if len(values) != 1 {
|
||||
return "", fmt.Errorf("DN attribute of user %s must be set", username)
|
||||
}
|
||||
|
||||
return values[0], nil
|
||||
}
|
||||
|
||||
func (p *LDAPUserProvider) getUserUID(conn LDAPConnection, username string) (string, error) {
|
||||
values, err := p.getUserAttribute(conn, username, "uid")
|
||||
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
if len(values) != 1 {
|
||||
return "", fmt.Errorf("UID attribute of user %s must be set", username)
|
||||
}
|
||||
|
||||
return values[0], nil
|
||||
return &userProfile, nil
|
||||
}
|
||||
|
||||
func (p *LDAPUserProvider) createGroupsFilter(conn LDAPConnection, username string) (string, error) {
|
||||
if strings.Contains(p.configuration.GroupsFilter, "{0}") {
|
||||
return strings.Replace(p.configuration.GroupsFilter, "{0}", username, -1), nil
|
||||
} else if strings.Contains(p.configuration.GroupsFilter, "{dn}") {
|
||||
userDN, err := p.getUserDN(conn, username)
|
||||
profile, err := p.getUserProfile(conn, username)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return strings.Replace(p.configuration.GroupsFilter, "{dn}", userDN, -1), nil
|
||||
} else if strings.Contains(p.configuration.GroupsFilter, "{uid}") {
|
||||
userUID, err := p.getUserUID(conn, username)
|
||||
return strings.Replace(p.configuration.GroupsFilter, "{dn}", profile.DN, -1), nil
|
||||
} else if strings.Contains(p.configuration.GroupsFilter, "{1}") {
|
||||
profile, err := p.getUserProfile(conn, username)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return strings.Replace(p.configuration.GroupsFilter, "{uid}", userUID, -1), nil
|
||||
return strings.Replace(p.configuration.GroupsFilter, "{1}", profile.Username, -1), nil
|
||||
}
|
||||
return p.configuration.GroupsFilter, nil
|
||||
}
|
||||
|
@ -223,36 +220,14 @@ func (p *LDAPUserProvider) GetDetails(username string) (*UserDetails, error) {
|
|||
groups = append(groups, res.Attributes[0].Values...)
|
||||
}
|
||||
|
||||
userDN, err := p.getUserDN(conn, username)
|
||||
|
||||
profile, err := p.getUserProfile(conn, username)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
searchEmailRequest := ldap.NewSearchRequest(
|
||||
userDN, ldap.ScopeBaseObject, ldap.NeverDerefAliases,
|
||||
0, 0, false, "(cn=*)", []string{p.configuration.MailAttribute}, nil,
|
||||
)
|
||||
|
||||
sr, err = conn.Search(searchEmailRequest)
|
||||
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("Unable to retrieve email of user %s. Cause: %s", username, err)
|
||||
}
|
||||
|
||||
emails := make([]string, 0)
|
||||
|
||||
for _, res := range sr.Entries {
|
||||
if len(res.Attributes) == 0 {
|
||||
logging.Logger().Warningf("No email retrieved from LDAP for user %s", username)
|
||||
break
|
||||
}
|
||||
// append all values of the document. Normally there should be only one per document.
|
||||
emails = append(emails, res.Attributes[0].Values...)
|
||||
}
|
||||
|
||||
return &UserDetails{
|
||||
Emails: emails,
|
||||
Username: profile.Username,
|
||||
Emails: profile.Emails,
|
||||
Groups: groups,
|
||||
}, nil
|
||||
}
|
||||
|
@ -265,13 +240,13 @@ func (p *LDAPUserProvider) UpdatePassword(username string, newPassword string) e
|
|||
return fmt.Errorf("Unable to update password. Cause: %s", err)
|
||||
}
|
||||
|
||||
userDN, err := p.getUserDN(client, username)
|
||||
profile, err := p.getUserProfile(client, username)
|
||||
|
||||
if err != nil {
|
||||
return fmt.Errorf("Unable to update password. Cause: %s", err)
|
||||
}
|
||||
|
||||
modifyRequest := ldap.NewModifyRequest(userDN, nil)
|
||||
modifyRequest := ldap.NewModifyRequest(profile.DN, nil)
|
||||
|
||||
modifyRequest.Replace("userPassword", []string{newPassword})
|
||||
|
||||
|
|
|
@ -110,29 +110,42 @@ func TestShouldEscapeUserInput(t *testing.T) {
|
|||
ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
|
||||
URL: "ldap://127.0.0.1:389",
|
||||
User: "cn=admin,dc=example,dc=com",
|
||||
UsernameAttribute: "uid",
|
||||
Password: "password",
|
||||
UsersFilter: "uid={0}",
|
||||
AdditionalUsersDN: "ou=users",
|
||||
BaseDN: "dc=example,dc=com",
|
||||
}, mockFactory)
|
||||
|
||||
mockFactory.EXPECT().
|
||||
Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
|
||||
Return(mockConn, nil)
|
||||
|
||||
mockConn.EXPECT().
|
||||
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
|
||||
Return(nil)
|
||||
|
||||
mockConn.EXPECT().
|
||||
Close()
|
||||
|
||||
mockConn.EXPECT().
|
||||
// Here we ensure that the input has been correctly escaped.
|
||||
Search(NewSearchRequestMatcher("uid=john\\=abc")).
|
||||
Search(NewSearchRequestMatcher("(uid=john\\=abc)")).
|
||||
Return(&ldap.SearchResult{}, nil)
|
||||
|
||||
ldapClient.getUserAttribute(mockConn, "john=abc", "dn")
|
||||
ldapClient.getUserProfile(mockConn, "john=abc")
|
||||
}
|
||||
|
||||
func TestShouldCombineUsernameFilterAndUsersFilter(t *testing.T) {
|
||||
ctrl := gomock.NewController(t)
|
||||
defer ctrl.Finish()
|
||||
|
||||
mockFactory := NewMockLDAPConnectionFactory(ctrl)
|
||||
mockConn := NewMockLDAPConnection(ctrl)
|
||||
|
||||
ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
|
||||
URL: "ldap://127.0.0.1:389",
|
||||
User: "cn=admin,dc=example,dc=com",
|
||||
UsernameAttribute: "uid",
|
||||
UsersFilter: "(&(objectCategory=person)(objectClass=user))",
|
||||
Password: "password",
|
||||
AdditionalUsersDN: "ou=users",
|
||||
BaseDN: "dc=example,dc=com",
|
||||
}, mockFactory)
|
||||
|
||||
mockConn.EXPECT().
|
||||
Search(NewSearchRequestMatcher("(&(uid=john)(&(objectCategory=person)(objectClass=user)))")).
|
||||
Return(&ldap.SearchResult{}, nil)
|
||||
|
||||
ldapClient.getUserProfile(mockConn, "john")
|
||||
}
|
||||
|
||||
func createSearchResultWithAttributes(attributes ...*ldap.EntryAttribute) *ldap.SearchResult {
|
||||
|
@ -160,6 +173,8 @@ func TestShouldNotCrashWhenGroupsAreNotRetrievedFromLDAP(t *testing.T) {
|
|||
URL: "ldap://127.0.0.1:389",
|
||||
User: "cn=admin,dc=example,dc=com",
|
||||
Password: "password",
|
||||
UsernameAttribute: "uid",
|
||||
MailAttribute: "mail",
|
||||
UsersFilter: "uid={0}",
|
||||
AdditionalUsersDN: "ou=users",
|
||||
BaseDN: "dc=example,dc=com",
|
||||
|
@ -167,33 +182,46 @@ func TestShouldNotCrashWhenGroupsAreNotRetrievedFromLDAP(t *testing.T) {
|
|||
|
||||
mockFactory.EXPECT().
|
||||
Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
|
||||
Return(mockConn, nil).Times(2)
|
||||
Return(mockConn, nil)
|
||||
|
||||
mockConn.EXPECT().
|
||||
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
|
||||
Return(nil).
|
||||
Times(2)
|
||||
Return(nil)
|
||||
|
||||
mockConn.EXPECT().
|
||||
Close().Times(2)
|
||||
Close()
|
||||
|
||||
searchGroups := mockConn.EXPECT().
|
||||
Search(gomock.Any()).
|
||||
Return(createSearchResultWithAttributes(), nil)
|
||||
searchUserDN := mockConn.EXPECT().
|
||||
searchProfile := mockConn.EXPECT().
|
||||
Search(gomock.Any()).
|
||||
Return(createSearchResultWithAttributeValues("uid=john,dc=example,dc=com"), nil)
|
||||
searchEmails := mockConn.EXPECT().
|
||||
Search(gomock.Any()).
|
||||
Return(createSearchResultWithAttributeValues("test@example.com"), nil)
|
||||
Return(&ldap.SearchResult{
|
||||
Entries: []*ldap.Entry{
|
||||
&ldap.Entry{
|
||||
DN: "uid=test,dc=example,dc=com",
|
||||
Attributes: []*ldap.EntryAttribute{
|
||||
&ldap.EntryAttribute{
|
||||
Name: "mail",
|
||||
Values: []string{"test@example.com"},
|
||||
},
|
||||
&ldap.EntryAttribute{
|
||||
Name: "uid",
|
||||
Values: []string{"john"},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}, nil)
|
||||
|
||||
gomock.InOrder(searchGroups, searchUserDN, searchEmails)
|
||||
gomock.InOrder(searchGroups, searchProfile)
|
||||
|
||||
details, err := ldapClient.GetDetails("john")
|
||||
require.NoError(t, err)
|
||||
|
||||
assert.ElementsMatch(t, details.Groups, []string{})
|
||||
assert.ElementsMatch(t, details.Emails, []string{"test@example.com"})
|
||||
assert.Equal(t, details.Username, "john")
|
||||
}
|
||||
|
||||
func TestShouldNotCrashWhenEmailsAreNotRetrievedFromLDAP(t *testing.T) {
|
||||
|
@ -207,6 +235,7 @@ func TestShouldNotCrashWhenEmailsAreNotRetrievedFromLDAP(t *testing.T) {
|
|||
URL: "ldap://127.0.0.1:389",
|
||||
User: "cn=admin,dc=example,dc=com",
|
||||
Password: "password",
|
||||
UsernameAttribute: "uid",
|
||||
UsersFilter: "uid={0}",
|
||||
AdditionalUsersDN: "ou=users",
|
||||
BaseDN: "dc=example,dc=com",
|
||||
|
@ -214,31 +243,102 @@ func TestShouldNotCrashWhenEmailsAreNotRetrievedFromLDAP(t *testing.T) {
|
|||
|
||||
mockFactory.EXPECT().
|
||||
Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
|
||||
Return(mockConn, nil).Times(2)
|
||||
Return(mockConn, nil)
|
||||
|
||||
mockConn.EXPECT().
|
||||
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
|
||||
Return(nil).
|
||||
Times(2)
|
||||
Return(nil)
|
||||
|
||||
mockConn.EXPECT().
|
||||
Close().Times(2)
|
||||
Close()
|
||||
|
||||
searchGroups := mockConn.EXPECT().
|
||||
Search(gomock.Any()).
|
||||
Return(createSearchResultWithAttributeValues("group1", "group2"), nil)
|
||||
searchUserDN := mockConn.EXPECT().
|
||||
searchProfile := mockConn.EXPECT().
|
||||
Search(gomock.Any()).
|
||||
Return(createSearchResultWithAttributeValues("uid=john,dc=example,dc=com"), nil)
|
||||
searchEmails := mockConn.EXPECT().
|
||||
Search(gomock.Any()).
|
||||
Return(createSearchResultWithAttributes(), nil)
|
||||
Return(&ldap.SearchResult{
|
||||
Entries: []*ldap.Entry{
|
||||
&ldap.Entry{
|
||||
DN: "uid=test,dc=example,dc=com",
|
||||
Attributes: []*ldap.EntryAttribute{
|
||||
&ldap.EntryAttribute{
|
||||
Name: "uid",
|
||||
Values: []string{"john"},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}, nil)
|
||||
|
||||
gomock.InOrder(searchGroups, searchUserDN, searchEmails)
|
||||
gomock.InOrder(searchGroups, searchProfile)
|
||||
|
||||
details, err := ldapClient.GetDetails("john")
|
||||
require.NoError(t, err)
|
||||
|
||||
assert.ElementsMatch(t, details.Groups, []string{"group1", "group2"})
|
||||
assert.ElementsMatch(t, details.Emails, []string{})
|
||||
assert.Equal(t, details.Username, "john")
|
||||
}
|
||||
|
||||
func TestShouldReturnUsernameFromLDAP(t *testing.T) {
|
||||
ctrl := gomock.NewController(t)
|
||||
defer ctrl.Finish()
|
||||
|
||||
mockFactory := NewMockLDAPConnectionFactory(ctrl)
|
||||
mockConn := NewMockLDAPConnection(ctrl)
|
||||
|
||||
ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
|
||||
URL: "ldap://127.0.0.1:389",
|
||||
User: "cn=admin,dc=example,dc=com",
|
||||
Password: "password",
|
||||
UsernameAttribute: "uid",
|
||||
MailAttribute: "mail",
|
||||
UsersFilter: "uid={0}",
|
||||
AdditionalUsersDN: "ou=users",
|
||||
BaseDN: "dc=example,dc=com",
|
||||
}, mockFactory)
|
||||
|
||||
mockFactory.EXPECT().
|
||||
Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
|
||||
Return(mockConn, nil)
|
||||
|
||||
mockConn.EXPECT().
|
||||
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
|
||||
Return(nil)
|
||||
|
||||
mockConn.EXPECT().
|
||||
Close()
|
||||
|
||||
searchGroups := mockConn.EXPECT().
|
||||
Search(gomock.Any()).
|
||||
Return(createSearchResultWithAttributeValues("group1", "group2"), nil)
|
||||
searchProfile := mockConn.EXPECT().
|
||||
Search(gomock.Any()).
|
||||
Return(&ldap.SearchResult{
|
||||
Entries: []*ldap.Entry{
|
||||
&ldap.Entry{
|
||||
DN: "uid=test,dc=example,dc=com",
|
||||
Attributes: []*ldap.EntryAttribute{
|
||||
&ldap.EntryAttribute{
|
||||
Name: "mail",
|
||||
Values: []string{"test@example.com"},
|
||||
},
|
||||
&ldap.EntryAttribute{
|
||||
Name: "uid",
|
||||
Values: []string{"John"},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}, nil)
|
||||
|
||||
gomock.InOrder(searchGroups, searchProfile)
|
||||
|
||||
details, err := ldapClient.GetDetails("john")
|
||||
require.NoError(t, err)
|
||||
|
||||
assert.ElementsMatch(t, details.Groups, []string{"group1", "group2"})
|
||||
assert.ElementsMatch(t, details.Emails, []string{"test@example.com"})
|
||||
assert.Equal(t, details.Username, "John")
|
||||
}
|
||||
|
|
|
@ -2,6 +2,7 @@ package authentication
|
|||
|
||||
// UserDetails represent the details retrieved for a given user.
|
||||
type UserDetails struct {
|
||||
Username string
|
||||
Emails []string
|
||||
Groups []string
|
||||
}
|
||||
|
|
|
@ -10,6 +10,7 @@ type LDAPAuthenticationBackendConfiguration struct {
|
|||
AdditionalGroupsDN string `mapstructure:"additional_groups_dn"`
|
||||
GroupsFilter string `mapstructure:"groups_filter"`
|
||||
GroupNameAttribute string `mapstructure:"group_name_attribute"`
|
||||
UsernameAttribute string `mapstructure:"username_attribute"`
|
||||
MailAttribute string `mapstructure:"mail_attribute"`
|
||||
User string `mapstructure:"user"`
|
||||
Password string `mapstructure:"password"`
|
||||
|
|
|
@ -19,8 +19,9 @@ authentication_backend:
|
|||
ldap:
|
||||
url: ldap://127.0.0.1
|
||||
base_dn: dc=example,dc=com
|
||||
username_attribute: uid
|
||||
additional_users_dn: ou=users
|
||||
users_filter: (cn={0})
|
||||
users_filter: (&(objectCategory=person)(objectClass=user))
|
||||
additional_groups_dn: ou=groups
|
||||
groups_filter: (&(member={dn})(objectclass=groupOfNames))
|
||||
group_name_attribute: cn
|
||||
|
|
|
@ -121,20 +121,24 @@ func validateLdapAuthenticationBackend(configuration *schema.LDAPAuthenticationB
|
|||
}
|
||||
|
||||
if configuration.UsersFilter == "" {
|
||||
configuration.UsersFilter = "(cn={0})"
|
||||
}
|
||||
|
||||
validator.Push(errors.New("Please provide a users filter with `users_filter` attribute"))
|
||||
} else {
|
||||
if !strings.HasPrefix(configuration.UsersFilter, "(") || !strings.HasSuffix(configuration.UsersFilter, ")") {
|
||||
validator.Push(errors.New("The users filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})"))
|
||||
validator.Push(errors.New("The users filter should contain enclosing parenthesis. For instance uid={0} should be (uid={0})"))
|
||||
}
|
||||
}
|
||||
|
||||
if configuration.GroupsFilter == "" {
|
||||
configuration.GroupsFilter = "(member={dn})"
|
||||
}
|
||||
|
||||
validator.Push(errors.New("Please provide a groups filter with `groups_filter` attribute"))
|
||||
} else {
|
||||
if !strings.HasPrefix(configuration.GroupsFilter, "(") || !strings.HasSuffix(configuration.GroupsFilter, ")") {
|
||||
validator.Push(errors.New("The groups filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})"))
|
||||
}
|
||||
}
|
||||
|
||||
if configuration.UsernameAttribute == "" {
|
||||
validator.Push(errors.New("Please provide a username attribute with `username_attribute`"))
|
||||
}
|
||||
|
||||
if configuration.GroupNameAttribute == "" {
|
||||
configuration.GroupNameAttribute = "cn"
|
||||
|
|
|
@ -169,6 +169,9 @@ func (suite *LdapAuthenticationBackendSuite) SetupTest() {
|
|||
suite.configuration.Ldap.User = "user"
|
||||
suite.configuration.Ldap.Password = "password"
|
||||
suite.configuration.Ldap.BaseDN = "base_dn"
|
||||
suite.configuration.Ldap.UsernameAttribute = "uid"
|
||||
suite.configuration.Ldap.UsersFilter = "(uid={0})"
|
||||
suite.configuration.Ldap.GroupsFilter = "(cn={0})"
|
||||
}
|
||||
|
||||
func (suite *LdapAuthenticationBackendSuite) TestShouldValidateCompleteConfiguration() {
|
||||
|
@ -204,16 +207,20 @@ func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseErrorWhenBaseDNNotPr
|
|||
assert.EqualError(suite.T(), suite.validator.Errors()[0], "Please provide a base DN to connect to the LDAP server")
|
||||
}
|
||||
|
||||
func (suite *LdapAuthenticationBackendSuite) TestShouldSetDefaultUsersFilter() {
|
||||
func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseOnEmptyFilterAndGroupsFilter() {
|
||||
suite.configuration.Ldap.UsersFilter = ""
|
||||
suite.configuration.Ldap.GroupsFilter = ""
|
||||
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
|
||||
assert.Len(suite.T(), suite.validator.Errors(), 0)
|
||||
assert.Equal(suite.T(), "(cn={0})", suite.configuration.Ldap.UsersFilter)
|
||||
require.Len(suite.T(), suite.validator.Errors(), 2)
|
||||
assert.EqualError(suite.T(), suite.validator.Errors()[0], "Please provide a users filter with `users_filter` attribute")
|
||||
assert.EqualError(suite.T(), suite.validator.Errors()[1], "Please provide a groups filter with `groups_filter` attribute")
|
||||
}
|
||||
|
||||
func (suite *LdapAuthenticationBackendSuite) TestShouldSetDefaultGroupsFilter() {
|
||||
func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseOnEmptyUsernameAttribute() {
|
||||
suite.configuration.Ldap.UsernameAttribute = ""
|
||||
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
|
||||
assert.Len(suite.T(), suite.validator.Errors(), 0)
|
||||
assert.Equal(suite.T(), "(member={dn})", suite.configuration.Ldap.GroupsFilter)
|
||||
require.Len(suite.T(), suite.validator.Errors(), 1)
|
||||
assert.EqualError(suite.T(), suite.validator.Errors()[0], "Please provide a username attribute with `username_attribute`")
|
||||
}
|
||||
|
||||
func (suite *LdapAuthenticationBackendSuite) TestShouldSetDefaultGroupNameAttribute() {
|
||||
|
@ -229,17 +236,17 @@ func (suite *LdapAuthenticationBackendSuite) TestShouldSetDefaultMailAttribute()
|
|||
}
|
||||
|
||||
func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseWhenUsersFilterDoesNotContainEnclosingParenthesis() {
|
||||
suite.configuration.Ldap.UsersFilter = "cn={0}"
|
||||
suite.configuration.Ldap.UsersFilter = "uid={0}"
|
||||
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
|
||||
assert.Len(suite.T(), suite.validator.Errors(), 1)
|
||||
assert.EqualError(suite.T(), suite.validator.Errors()[0], "The users filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})")
|
||||
assert.EqualError(suite.T(), suite.validator.Errors()[0], "The users filter should contain enclosing parenthesis. For instance uid={0} should be (uid={0})")
|
||||
}
|
||||
|
||||
func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseWhenGroupsFilterDoesNotContainEnclosingParenthesis() {
|
||||
suite.configuration.Ldap.UsersFilter = "cn={0}"
|
||||
suite.configuration.Ldap.GroupsFilter = "cn={0}"
|
||||
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
|
||||
assert.Len(suite.T(), suite.validator.Errors(), 1)
|
||||
assert.EqualError(suite.T(), suite.validator.Errors()[0], "The users filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})")
|
||||
assert.EqualError(suite.T(), suite.validator.Errors()[0], "The groups filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})")
|
||||
}
|
||||
|
||||
func (suite *LdapAuthenticationBackendSuite) TestShouldAdaptLDAPURL() {
|
||||
|
|
|
@ -95,7 +95,7 @@ func FirstFactorPost(ctx *middlewares.AutheliaCtx) {
|
|||
|
||||
// And set those information in the new session.
|
||||
userSession := ctx.GetSession()
|
||||
userSession.Username = bodyJSON.Username
|
||||
userSession.Username = userDetails.Username
|
||||
userSession.Groups = userDetails.Groups
|
||||
userSession.Emails = userDetails.Emails
|
||||
userSession.AuthenticationLevel = authentication.OneFactor
|
||||
|
|
|
@ -163,6 +163,7 @@ func (s *FirstFactorSuite) TestShouldAuthenticateUserWithRememberMeChecked() {
|
|||
EXPECT().
|
||||
GetDetails(gomock.Eq("test")).
|
||||
Return(&authentication.UserDetails{
|
||||
Username: "test",
|
||||
Emails: []string{"test@example.com"},
|
||||
Groups: []string{"dev", "admins"},
|
||||
}, nil)
|
||||
|
@ -202,6 +203,7 @@ func (s *FirstFactorSuite) TestShouldAuthenticateUserWithRememberMeUnchecked() {
|
|||
EXPECT().
|
||||
GetDetails(gomock.Eq("test")).
|
||||
Return(&authentication.UserDetails{
|
||||
Username: "test",
|
||||
Emails: []string{"test@example.com"},
|
||||
Groups: []string{"dev", "admins"},
|
||||
}, nil)
|
||||
|
@ -231,6 +233,49 @@ func (s *FirstFactorSuite) TestShouldAuthenticateUserWithRememberMeUnchecked() {
|
|||
assert.Equal(s.T(), []string{"dev", "admins"}, session.Groups)
|
||||
}
|
||||
|
||||
func (s *FirstFactorSuite) TestShouldSaveUsernameFromAuthenticationBackendInSession() {
|
||||
s.mock.UserProviderMock.
|
||||
EXPECT().
|
||||
CheckUserPassword(gomock.Eq("test"), gomock.Eq("hello")).
|
||||
Return(true, nil)
|
||||
|
||||
s.mock.UserProviderMock.
|
||||
EXPECT().
|
||||
GetDetails(gomock.Eq("test")).
|
||||
Return(&authentication.UserDetails{
|
||||
// This is the name in authentication backend, in some setups the binding is
|
||||
// case insensitive but the user ID in session must match the user in LDAP
|
||||
// for the other modules of Authelia to be coherent.
|
||||
Username: "Test",
|
||||
Emails: []string{"test@example.com"},
|
||||
Groups: []string{"dev", "admins"},
|
||||
}, nil)
|
||||
|
||||
s.mock.StorageProviderMock.
|
||||
EXPECT().
|
||||
AppendAuthenticationLog(gomock.Any()).
|
||||
Return(nil)
|
||||
|
||||
s.mock.Ctx.Request.SetBodyString(`{
|
||||
"username": "test",
|
||||
"password": "hello",
|
||||
"keepMeLoggedIn": true
|
||||
}`)
|
||||
FirstFactorPost(s.mock.Ctx)
|
||||
|
||||
// Respond with 200.
|
||||
assert.Equal(s.T(), 200, s.mock.Ctx.Response.StatusCode())
|
||||
assert.Equal(s.T(), []byte("{\"status\":\"OK\"}"), s.mock.Ctx.Response.Body())
|
||||
|
||||
// And store authentication in session.
|
||||
session := s.mock.Ctx.GetSession()
|
||||
assert.Equal(s.T(), "Test", session.Username)
|
||||
assert.Equal(s.T(), true, session.KeepMeLoggedIn)
|
||||
assert.Equal(s.T(), authentication.OneFactor, session.AuthenticationLevel)
|
||||
assert.Equal(s.T(), []string{"test@example.com"}, session.Emails)
|
||||
assert.Equal(s.T(), []string{"dev", "admins"}, session.Groups)
|
||||
}
|
||||
|
||||
type FirstFactorRedirectionSuite struct {
|
||||
suite.Suite
|
||||
|
||||
|
@ -259,6 +304,7 @@ func (s *FirstFactorRedirectionSuite) SetupTest() {
|
|||
EXPECT().
|
||||
GetDetails(gomock.Eq("test")).
|
||||
Return(&authentication.UserDetails{
|
||||
Username: "test",
|
||||
Emails: []string{"test@example.com"},
|
||||
Groups: []string{"dev", "admins"},
|
||||
}, nil)
|
||||
|
|
|
@ -2,117 +2,30 @@
|
|||
# Authelia configuration #
|
||||
###############################################################
|
||||
|
||||
# The port to listen on
|
||||
port: 9091
|
||||
|
||||
# Log level
|
||||
#
|
||||
# Level of verbosity for logs
|
||||
log_level: debug
|
||||
|
||||
jwt_secret: unsecure_secret
|
||||
|
||||
# TOTP Issuer Name
|
||||
#
|
||||
# This will be the issuer name displayed in Google Authenticator
|
||||
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
|
||||
totp:
|
||||
issuer: authelia.com
|
||||
|
||||
# The authentication backend to use for verifying user passwords
|
||||
# and retrieve information such as email address and groups
|
||||
# users belong to.
|
||||
#
|
||||
# There are two supported backends: `ldap` and `file`.
|
||||
authentication_backend:
|
||||
# LDAP backend configuration.
|
||||
#
|
||||
# This backend allows Authelia to be scaled to more
|
||||
# than one instance and therefore is recommended for
|
||||
# production.
|
||||
ldap:
|
||||
# The url of the ldap server
|
||||
url: ldap://openldap
|
||||
|
||||
# The base dn for every entries
|
||||
base_dn: dc=example,dc=com
|
||||
|
||||
# An additional dn to define the scope to all users
|
||||
username_attribute: uid
|
||||
additional_users_dn: ou=users
|
||||
|
||||
# The users filter used to find the user DN
|
||||
# {0} is a matcher replaced by username.
|
||||
# 'cn={0}' by default.
|
||||
users_filter: (cn={0})
|
||||
|
||||
# An additional dn to define the scope of groups
|
||||
users_filter: (objectClass=person)
|
||||
additional_groups_dn: ou=groups
|
||||
|
||||
# The groups filter used for retrieving groups of a given user.
|
||||
# {0} is a matcher replaced by username.
|
||||
# {dn} is a matcher replaced by user DN.
|
||||
# 'member={dn}' by default.
|
||||
groups_filter: (&(member={dn})(objectclass=groupOfNames))
|
||||
|
||||
# The attribute holding the name of the group
|
||||
group_name_attribute: cn
|
||||
|
||||
# The attribute holding the mail address of the user
|
||||
mail_attribute: mail
|
||||
|
||||
# The username and password of the admin user.
|
||||
user: cn=admin,dc=example,dc=com
|
||||
password: password
|
||||
|
||||
# File backend configuration.
|
||||
#
|
||||
# With this backend, the users database is stored in a file
|
||||
# which is updated when users reset their passwords.
|
||||
# Therefore, this backend is meant to be used in a dev environment
|
||||
# and not in production since it prevents Authelia to be scaled to
|
||||
# more than one instance.
|
||||
#
|
||||
## file:
|
||||
## path: ./users_database.yml
|
||||
|
||||
# Access Control
|
||||
#
|
||||
# Access control is a list of rules defining the authorizations applied for one
|
||||
# resource to users or group of users.
|
||||
#
|
||||
# If 'access_control' is not defined, ACL rules are disabled and the `bypass`
|
||||
# rule is applied, i.e., access is allowed to anyone. Otherwise restrictions follow
|
||||
# the rules defined.
|
||||
#
|
||||
# Note: One can use the wildcard * to match any subdomain.
|
||||
# It must stand at the beginning of the pattern. (example: *.mydomain.com)
|
||||
#
|
||||
# Note: You must put patterns containing wildcards between simple quotes for the YAML
|
||||
# to be syntaxically correct.
|
||||
#
|
||||
# Definition: A `rule` is an object with the following keys: `domain`, `subject`,
|
||||
# `policy` and `resources`.
|
||||
#
|
||||
# - `domain` defines which domain or set of domains the rule applies to.
|
||||
#
|
||||
# - `subject` defines the subject to apply authorizations to. This parameter is
|
||||
# optional and matching any user if not provided. If provided, the parameter
|
||||
# represents either a user or a group. It should be of the form 'user:<username>'
|
||||
# or 'group:<groupname>'.
|
||||
#
|
||||
# - `policy` is the policy to apply to resources. It must be either `bypass`,
|
||||
# `one_factor`, `two_factor` or `deny`.
|
||||
#
|
||||
# - `resources` is a list of regular expressions that matches a set of resources to
|
||||
# apply the policy to. This parameter is optional and matches any resource if not
|
||||
# provided.
|
||||
#
|
||||
# Note: the order of the rules is important. The first policy matching
|
||||
# (domain, resource, subject) applies.
|
||||
access_control:
|
||||
# Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`.
|
||||
# It is the policy applied to any resource if there is no policy to be applied
|
||||
# to the user.
|
||||
default_policy: deny
|
||||
|
||||
rules:
|
||||
|
@ -162,55 +75,23 @@ access_control:
|
|||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
|
||||
# Configuration of session cookies
|
||||
#
|
||||
# The session cookies identify the user once logged in.
|
||||
session:
|
||||
# The name of the session cookie. (default: authelia_session).
|
||||
name: authelia_session
|
||||
|
||||
# The secret to encrypt the session cookie.
|
||||
secret: unsecure_session_secret
|
||||
|
||||
# The time in ms before the cookie expires and session is reset.
|
||||
expiration: 3600 # 1 hour
|
||||
|
||||
# The inactivity time in ms before the session is reset.
|
||||
inactivity: 300 # 5 minutes
|
||||
|
||||
# The domain to protect.
|
||||
# Note: the authenticator must also be in that domain. If empty, the cookie
|
||||
# is restricted to the subdomain of the issuer.
|
||||
domain: example.com
|
||||
|
||||
# The redis connection details
|
||||
redis:
|
||||
host: redis
|
||||
port: 6379
|
||||
password: authelia
|
||||
|
||||
# Configuration of the authentication regulation mechanism.
|
||||
#
|
||||
# This mechanism prevents attackers from brute forcing the first factor.
|
||||
# It bans the user if too many attempts are done in a short period of
|
||||
# time.
|
||||
regulation:
|
||||
# The number of failed login attempts before user is banned.
|
||||
# Set it to 0 to disable regulation.
|
||||
max_retries: 3
|
||||
|
||||
# The time range during which the user can attempt login before being banned.
|
||||
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||
find_time: 8
|
||||
|
||||
# The length of time before a banned user can login again.
|
||||
ban_time: 10
|
||||
|
||||
# Configuration of the storage backend used to store data and secrets.
|
||||
#
|
||||
# You must use only an available configuration: local, sql
|
||||
storage:
|
||||
# Settings to connect to mariadb server
|
||||
mysql:
|
||||
host: mariadb
|
||||
port: 3306
|
||||
|
@ -218,13 +99,7 @@ storage:
|
|||
username: admin
|
||||
password: password
|
||||
|
||||
# Configuration of the notification system.
|
||||
#
|
||||
# Notifications are sent to users when they require a password reset, a u2f
|
||||
# registration or a TOTP registration.
|
||||
# Use only an available configuration: filesystem, gmail
|
||||
notifier:
|
||||
# Use a SMTP server for sending notifications
|
||||
smtp:
|
||||
host: smtp
|
||||
port: 1025
|
||||
|
|
|
@ -12,39 +12,16 @@ jwt_secret: very_important_secret
|
|||
|
||||
authentication_backend:
|
||||
ldap:
|
||||
# The url of the ldap server
|
||||
url: ldaps://openldap
|
||||
|
||||
# Skip certificate verification (for self-signed certificates)
|
||||
skip_verify: true
|
||||
|
||||
# The base dn for every entries
|
||||
base_dn: dc=example,dc=com
|
||||
|
||||
# An additional dn to define the scope to all users
|
||||
username_attribute: uid
|
||||
additional_users_dn: ou=users
|
||||
|
||||
# The users filter used to find the user DN
|
||||
# {0} is a matcher replaced by username.
|
||||
# 'cn={0}' by default.
|
||||
users_filter: (cn={0})
|
||||
|
||||
# An additional dn to define the scope of groups
|
||||
users_filter: (objectClass=person)
|
||||
additional_groups_dn: ou=groups
|
||||
|
||||
# The groups filter used for retrieving groups of a given user.
|
||||
# {0} is a matcher replaced by username.
|
||||
# {dn} is a matcher replaced by user DN.
|
||||
# 'member={dn}' by default.
|
||||
groups_filter: (&(member={dn})(objectclass=groupOfNames))
|
||||
|
||||
# The attribute holding the name of the group
|
||||
group_name_attribute: cn
|
||||
|
||||
# The attribute holding the mail address of the user
|
||||
mail_attribute: mail
|
||||
|
||||
# The username and password of the admin user.
|
||||
user: cn=admin,dc=example,dc=com
|
||||
password: password
|
||||
|
||||
|
@ -54,15 +31,10 @@ session:
|
|||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
|
||||
# Configuration of the storage backend used to store data and secrets. i.e. totp data
|
||||
storage:
|
||||
local:
|
||||
path: /var/lib/authelia/db.sqlite3
|
||||
|
||||
# TOTP Issuer Name
|
||||
#
|
||||
# This will be the issuer name displayed in Google Authenticator
|
||||
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
|
||||
totp:
|
||||
issuer: example.com
|
||||
|
||||
|
@ -78,19 +50,12 @@ access_control:
|
|||
- domain: "singlefactor.example.com"
|
||||
policy: one_factor
|
||||
|
||||
# Configuration of the authentication regulation mechanism.
|
||||
regulation:
|
||||
# Set it to 0 to disable max_retries.
|
||||
max_retries: 3
|
||||
|
||||
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||
find_time: 300
|
||||
|
||||
# The length of time before a banned user can login again.
|
||||
ban_time: 900
|
||||
|
||||
notifier:
|
||||
# Use a SMTP server for sending notifications
|
||||
smtp:
|
||||
host: smtp
|
||||
port: 1025
|
||||
|
|
|
@ -16,5 +16,7 @@ services:
|
|||
- './example/compose/ldap/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom'
|
||||
command:
|
||||
- '--copy-service'
|
||||
- '--loglevel'
|
||||
- 'debug'
|
||||
networks:
|
||||
- authelianet
|
|
@ -10,18 +10,19 @@ ou: users
|
|||
|
||||
dn: cn=dev,ou=groups,dc=example,dc=com
|
||||
cn: dev
|
||||
member: cn=john,ou=users,dc=example,dc=com
|
||||
member: cn=bob,ou=users,dc=example,dc=com
|
||||
member: uid=john,ou=users,dc=example,dc=com
|
||||
member: uid=bob,ou=users,dc=example,dc=com
|
||||
objectclass: groupOfNames
|
||||
objectclass: top
|
||||
|
||||
dn: cn=admins,ou=groups,dc=example,dc=com
|
||||
cn: admins
|
||||
member: cn=john,ou=users,dc=example,dc=com
|
||||
member: uid=john,ou=users,dc=example,dc=com
|
||||
objectclass: groupOfNames
|
||||
objectclass: top
|
||||
|
||||
dn: cn=john,ou=users,dc=example,dc=com
|
||||
dn: uid=john,ou=users,dc=example,dc=com
|
||||
uid: john
|
||||
cn: john
|
||||
objectclass: inetOrgPerson
|
||||
objectclass: top
|
||||
|
@ -29,7 +30,8 @@ mail: john.doe@authelia.com
|
|||
sn: John Doe
|
||||
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
|
||||
|
||||
dn: cn=harry,ou=users,dc=example,dc=com
|
||||
dn: uid=harry,ou=users,dc=example,dc=com
|
||||
uid: harry
|
||||
cn: harry
|
||||
objectclass: inetOrgPerson
|
||||
objectclass: top
|
||||
|
@ -37,7 +39,8 @@ mail: harry.potter@authelia.com
|
|||
sn: Harry Potter
|
||||
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
|
||||
|
||||
dn: cn=bob,ou=users,dc=example,dc=com
|
||||
dn: uid=bob,ou=users,dc=example,dc=com
|
||||
uid: bob
|
||||
cn: bob
|
||||
objectclass: inetOrgPerson
|
||||
objectclass: top
|
||||
|
@ -45,7 +48,8 @@ mail: bob.dylan@authelia.com
|
|||
sn: Bob Dylan
|
||||
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
|
||||
|
||||
dn: cn=james,ou=users,dc=example,dc=com
|
||||
dn: uid=james,ou=users,dc=example,dc=com
|
||||
uid: james
|
||||
cn: james
|
||||
objectclass: inetOrgPerson
|
||||
objectclass: top
|
||||
|
@ -53,7 +57,8 @@ mail: james.dean@authelia.com
|
|||
sn: James Dean
|
||||
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
|
||||
|
||||
dn: cn=blackhat,ou=users,dc=example,dc=com
|
||||
dn: uid=blackhat,ou=users,dc=example,dc=com
|
||||
uid: blackhat
|
||||
cn: blackhat
|
||||
objectclass: inetOrgPerson
|
||||
objectclass: top
|
||||
|
|
|
@ -12,8 +12,9 @@ authentication_backend:
|
|||
url: ldaps://ldap-service
|
||||
skip_verify: true
|
||||
base_dn: dc=example,dc=com
|
||||
username_attribute: uid
|
||||
additional_users_dn: ou=users
|
||||
users_filter: (cn={0})
|
||||
users_filter: (objectClass=person)
|
||||
additional_groups_dn: ou=groups
|
||||
groups_filter: (&(member={dn})(objectclass=groupOfNames))
|
||||
group_name_attribute: cn
|
||||
|
|
|
@ -10,18 +10,19 @@ ou: users
|
|||
|
||||
dn: cn=dev,ou=groups,dc=example,dc=com
|
||||
cn: dev
|
||||
member: cn=john,ou=users,dc=example,dc=com
|
||||
member: cn=bob,ou=users,dc=example,dc=com
|
||||
member: uid=john,ou=users,dc=example,dc=com
|
||||
member: uid=bob,ou=users,dc=example,dc=com
|
||||
objectclass: groupOfNames
|
||||
objectclass: top
|
||||
|
||||
dn: cn=admins,ou=groups,dc=example,dc=com
|
||||
cn: admins
|
||||
member: cn=john,ou=users,dc=example,dc=com
|
||||
member: uid=john,ou=users,dc=example,dc=com
|
||||
objectclass: groupOfNames
|
||||
objectclass: top
|
||||
|
||||
dn: cn=john,ou=users,dc=example,dc=com
|
||||
dn: uid=john,ou=users,dc=example,dc=com
|
||||
uid: john
|
||||
cn: john
|
||||
objectclass: inetOrgPerson
|
||||
objectclass: top
|
||||
|
@ -29,7 +30,8 @@ mail: john.doe@authelia.com
|
|||
sn: John Doe
|
||||
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
|
||||
|
||||
dn: cn=harry,ou=users,dc=example,dc=com
|
||||
dn: uid=harry,ou=users,dc=example,dc=com
|
||||
uid: harry
|
||||
cn: harry
|
||||
objectclass: inetOrgPerson
|
||||
objectclass: top
|
||||
|
@ -37,7 +39,8 @@ mail: harry.potter@authelia.com
|
|||
sn: Harry Potter
|
||||
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
|
||||
|
||||
dn: cn=bob,ou=users,dc=example,dc=com
|
||||
dn: uid=bob,ou=users,dc=example,dc=com
|
||||
uid: bob
|
||||
cn: bob
|
||||
objectclass: inetOrgPerson
|
||||
objectclass: top
|
||||
|
@ -45,7 +48,8 @@ mail: bob.dylan@authelia.com
|
|||
sn: Bob Dylan
|
||||
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
|
||||
|
||||
dn: cn=james,ou=users,dc=example,dc=com
|
||||
dn: uid=james,ou=users,dc=example,dc=com
|
||||
uid: james
|
||||
cn: james
|
||||
objectclass: inetOrgPerson
|
||||
objectclass: top
|
||||
|
@ -53,7 +57,8 @@ mail: james.dean@authelia.com
|
|||
sn: James Dean
|
||||
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
|
||||
|
||||
dn: cn=blackhat,ou=users,dc=example,dc=com
|
||||
dn: uid=blackhat,ou=users,dc=example,dc=com
|
||||
uid: blackhat
|
||||
cn: blackhat
|
||||
objectclass: inetOrgPerson
|
||||
objectclass: top
|
||||
|
|
|
@ -31,7 +31,7 @@ func init() {
|
|||
return waitUntilAutheliaBackendIsReady(haDockerEnvironment)
|
||||
}
|
||||
|
||||
onSetupTimeout := func() error {
|
||||
displayAutheliaLogs := func() error {
|
||||
backendLogs, err := haDockerEnvironment.Logs("authelia-backend", nil)
|
||||
if err != nil {
|
||||
return err
|
||||
|
@ -53,10 +53,11 @@ func init() {
|
|||
GlobalRegistry.Register(highAvailabilitySuiteName, Suite{
|
||||
SetUp: setup,
|
||||
SetUpTimeout: 5 * time.Minute,
|
||||
OnSetupTimeout: onSetupTimeout,
|
||||
OnSetupTimeout: displayAutheliaLogs,
|
||||
TestTimeout: 5 * time.Minute,
|
||||
TearDown: teardown,
|
||||
TearDownTimeout: 2 * time.Minute,
|
||||
OnError: displayAutheliaLogs,
|
||||
Description: `This suite is made to test Authelia in a *complete*
|
||||
environment, that is, with all components making Authelia highly available.`,
|
||||
})
|
||||
|
|
|
@ -30,7 +30,7 @@ func init() {
|
|||
return waitUntilAutheliaBackendIsReady(dockerEnvironment)
|
||||
}
|
||||
|
||||
onSetupTimeout := func() error {
|
||||
displayAutheliaLogs := func() error {
|
||||
backendLogs, err := dockerEnvironment.Logs("authelia-backend", nil)
|
||||
if err != nil {
|
||||
return err
|
||||
|
@ -53,9 +53,10 @@ func init() {
|
|||
GlobalRegistry.Register(ldapSuiteName, Suite{
|
||||
SetUp: setup,
|
||||
SetUpTimeout: 5 * time.Minute,
|
||||
OnSetupTimeout: onSetupTimeout,
|
||||
OnSetupTimeout: displayAutheliaLogs,
|
||||
TestTimeout: 1 * time.Minute,
|
||||
TearDown: teardown,
|
||||
TearDownTimeout: 2 * time.Minute,
|
||||
OnError: displayAutheliaLogs,
|
||||
})
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue