[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687)

* [BUGFIX] Set username retrieved from authentication backend in session.

In some setups, binding is case insensitive but Authelia is case
sensitive and therefore need the actual username as stored in the
authentication backend in order for Authelia to work correctly.

Fixes #561.

* Use uid attribute as unique user identifier in suites.

* Fix the integration tests.

* Update config.template.yml

* Compute user filter based on username attribute and users_filter.

The filter provided in users_filter is now combined with a filter
based on the username attribute to perform the LDAP search query
finding a user object from the username.

* Fix LDAP based integration tests.

* Update `users_filter` reference examples
pull/708/head
Clément Michaud 2020-03-15 08:10:25 +01:00 committed by GitHub
parent 7a3d43a12a
commit cc6650dbcd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
22 changed files with 375 additions and 346 deletions

View File

@ -8,7 +8,13 @@ breaking changes and about what you should do to overcome those changes.
## Breaking in v4.7.0
`logs_level` configuration key has been renamed to `log_level`.
* `logs_level` configuration key has been renamed to `log_level`.
* `users_filter` was a search pattern for a given user with the `{0}` matcher replaced with the
actual username. In v4.7.0, `username_attribute` has been introduced. Consequently, the computed
user filter utilised by the LDAP search query is a combination of filters based on the
`username_attribute` and `users_filter`. `users_filter` now reduces the scope of users targeted by
the LDAP search query. For instance if `username_attribute` is set to `uid` and `users_filter` is
set to `(objectClass=person)` then the computed filter is `(&(uid=john)(objectClass=person))`.
## Breaking in v4.0.0

View File

@ -56,7 +56,7 @@ duo_api:
# and retrieve information such as email address and groups
# users belong to.
#
# There are two supported backends: `ldap` and `file`.
# There are two supported backends: 'ldap' and 'file'.
authentication_backend:
# LDAP backend configuration.
#
@ -66,28 +66,48 @@ authentication_backend:
ldap:
# The url to the ldap server. Scheme can be ldap:// or ldaps://
url: ldap://127.0.0.1
# Skip verifying the server certificate (to allow self-signed certificate).
skip_verify: false
# The base dn for every entries
base_dn: dc=example,dc=com
# The attribute holding the username of the user (introduced to handle
# case insensitive search queries: #561).
# Microsoft Active Directory usually uses 'sAMAccountName'
# OpenLDAP usually uses 'uid'
username_attribute: uid
# An additional dn to define the scope to all users
additional_users_dn: ou=users
# The users filter used to find the user DN
# {0} is a matcher replaced by username.
# 'cn={0}' by default.
users_filter: (cn={0})
# This attribute is optional. The user filter used in the LDAP search queries
# is a combination of this filter and the username attribute.
# This filter is used to reduce the scope of users targeted by the LDAP search query.
# For instance, if the username attribute is set to 'uid', the computed filter is
# (&(uid=<username>)(objectClass=person))
# Recommended settings are as follows:
# Microsoft Active Directory '(&(objectCategory=person)(objectClass=user))'
# OpenLDAP '(objectClass=person)' or '(objectClass=inetOrgPerson)'
users_filter: (objectClass=person)
# An additional dn to define the scope of groups
additional_groups_dn: ou=groups
# The groups filter used for retrieving groups of a given user.
# {0} is a matcher replaced by username.
# {0} is a matcher replaced by username (as provided in login portal).
# {1} is a matcher replaced by username (as stored in LDAP).
# {dn} is a matcher replaced by user DN.
# {uid} is a matcher replaced by user uid.
# 'member={dn}' by default.
groups_filter: (&(member={dn})(objectclass=groupOfNames))
# The attribute holding the name of the group
group_name_attribute: cn
# The attribute holding the mail address of the user
mail_attribute: mail
# The username and password of the admin user.
user: cn=admin,dc=example,dc=com
# This secret can also be set using the env variables AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD
@ -119,7 +139,7 @@ authentication_backend:
# Access control is a list of rules defining the authorizations applied for one
# resource to users or group of users.
#
# If 'access_control' is not defined, ACL rules are disabled and the `bypass`
# If 'access_control' is not defined, ACL rules are disabled and the 'bypass'
# rule is applied, i.e., access is allowed to anyone. Otherwise restrictions follow
# the rules defined.
#
@ -129,27 +149,27 @@ authentication_backend:
# Note: You must put patterns containing wildcards between simple quotes for the YAML
# to be syntactically correct.
#
# Definition: A `rule` is an object with the following keys: `domain`, `subject`,
# `policy` and `resources`.
# Definition: A 'rule' is an object with the following keys: 'domain', 'subject',
# 'policy' and 'resources'.
#
# - `domain` defines which domain or set of domains the rule applies to.
# - 'domain' defines which domain or set of domains the rule applies to.
#
# - `subject` defines the subject to apply authorizations to. This parameter is
# - 'subject' defines the subject to apply authorizations to. This parameter is
# optional and matching any user if not provided. If provided, the parameter
# represents either a user or a group. It should be of the form 'user:<username>'
# or 'group:<groupname>'.
#
# - `policy` is the policy to apply to resources. It must be either `bypass`,
# `one_factor`, `two_factor` or `deny`.
# - 'policy' is the policy to apply to resources. It must be either 'bypass',
# 'one_factor', 'two_factor' or 'deny'.
#
# - `resources` is a list of regular expressions that matches a set of resources to
# - 'resources' is a list of regular expressions that matches a set of resources to
# apply the policy to. This parameter is optional and matches any resource if not
# provided.
#
# Note: the order of the rules is important. The first policy matching
# (domain, resource, subject) applies.
access_control:
# Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`.
# Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'.
# It is the policy applied to any resource if there is no policy to be applied
# to the user.
default_policy: deny
@ -251,7 +271,7 @@ regulation:
max_retries: 3
# The time range during which the user can attempt login before being banned.
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
# The user is banned if the authentication failed 'max_retries' times in a 'find_time' seconds window.
find_time: 120
# The length of time before a banned user can login again.

View File

@ -26,21 +26,32 @@ authentication_backend:
# The base dn for every entries
base_dn: dc=example,dc=com
# The attribute holding the username of the user (introduced to handle
# case insensitive search queries: #561).
# Microsoft Active Directory usually uses 'sAMAccountName'
# OpenLDAP usually uses 'uid'
username_attribute: uid
# An additional dn to define the scope to all users
additional_users_dn: ou=users
# The users filter used to find the user DN
# {0} is a matcher replaced by username.
# 'cn={0}' by default.
users_filter: (cn={0})
# This attribute is optional. The user filter used in the LDAP search queries
# is a combination of this filter and the username attribute.
# This filter is used to reduce the scope of users targeted by the LDAP search query.
# For instance, if the username attribute is set to 'uid', the computed filter is
# (&(uid=<username>)(objectClass=person))
# Recommended settings are as follows:
# Microsoft Active Directory '(&(objectCategory=person)(objectClass=user))'
# OpenLDAP '(objectClass=person)' or '(objectClass=inetOrgPerson)'
users_filter: (objectClass=person)
# An additional dn to define the scope of groups
additional_groups_dn: ou=groups
# The groups filter used for retrieving groups of a given user.
# {0} is a matcher replaced by username.
# {0} is a matcher replaced by username (as provided in login portal).
# {1} is a matcher replaced by username (as stored in LDAP).
# {dn} is a matcher replaced by user DN.
# {uid} is a matcher replaced by user uid.
# 'member={dn}' by default.
groups_filter: (&(member={dn})(objectclass=groupOfNames))

View File

@ -101,6 +101,7 @@ func (p *FileUserProvider) CheckUserPassword(username string, password string) (
func (p *FileUserProvider) GetDetails(username string) (*UserDetails, error) {
if details, ok := p.database.Users[username]; ok {
return &UserDetails{
Username: username,
Groups: details.Groups,
Emails: []string{details.Email},
}, nil

View File

@ -85,6 +85,7 @@ func TestShouldRetrieveUserDetails(t *testing.T) {
provider := NewFileUserProvider(&config)
details, err := provider.GetDetails("john")
assert.NoError(t, err)
assert.Equal(t, details.Username, "john")
assert.Equal(t, details.Emails, []string{"john.doe@authelia.com"})
assert.Equal(t, details.Groups, []string{"admins", "dev"})
})

View File

@ -75,12 +75,12 @@ func (p *LDAPUserProvider) CheckUserPassword(username string, password string) (
}
defer adminClient.Close()
userDN, err := p.getUserDN(adminClient, username)
profile, err := p.getUserProfile(adminClient, username)
if err != nil {
return false, err
}
conn, err := p.connect(userDN, password)
conn, err := p.connect(profile.DN, password)
if err != nil {
return false, fmt.Errorf("Authentication of user %s failed. Cause: %s", username, err)
}
@ -100,85 +100,82 @@ func (p *LDAPUserProvider) ldapEscape(input string) string {
return input
}
func (p *LDAPUserProvider) getUserAttribute(conn LDAPConnection, username string, attribute string) ([]string, error) {
client, err := p.connect(p.configuration.User, p.configuration.Password)
if err != nil {
return nil, err
type ldapUserProfile struct {
DN string
Emails []string
Username string
}
defer client.Close()
func (p *LDAPUserProvider) getUserProfile(conn LDAPConnection, username string) (*ldapUserProfile, error) {
username = p.ldapEscape(username)
userFilter := strings.Replace(p.configuration.UsersFilter, "{0}", username, -1)
userFilter := fmt.Sprintf("(%s=%s)", p.configuration.UsernameAttribute, username)
if p.configuration.UsersFilter != "" {
userFilter = fmt.Sprintf("(&%s%s)", userFilter, p.configuration.UsersFilter)
}
baseDN := p.configuration.BaseDN
if p.configuration.AdditionalUsersDN != "" {
baseDN = p.configuration.AdditionalUsersDN + "," + baseDN
}
attributes := []string{"dn",
p.configuration.MailAttribute,
p.configuration.UsernameAttribute}
// Search for the given username
searchRequest := ldap.NewSearchRequest(
baseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases,
1, 0, false, userFilter, []string{attribute}, nil,
1, 0, false, userFilter, attributes, nil,
)
sr, err := client.Search(searchRequest)
sr, err := conn.Search(searchRequest)
if err != nil {
return nil, fmt.Errorf("Cannot find user DN of user %s. Cause: %s", username, err)
}
if len(sr.Entries) != 1 {
return nil, fmt.Errorf("No %s found for user %s", attribute, username)
if len(sr.Entries) == 0 {
return nil, fmt.Errorf("No user %s found", username)
}
if attribute == "dn" {
return []string{sr.Entries[0].DN}, nil
if len(sr.Entries) > 1 {
return nil, fmt.Errorf("Multiple users %s found", username)
}
return sr.Entries[0].Attributes[0].Values, nil
userProfile := ldapUserProfile{
DN: sr.Entries[0].DN,
}
for _, attr := range sr.Entries[0].Attributes {
if attr.Name == p.configuration.MailAttribute {
userProfile.Emails = attr.Values
} else if attr.Name == p.configuration.UsernameAttribute {
if len(attr.Values) != 1 {
return nil, fmt.Errorf("User %s cannot have multiple value for attribute %s", username, p.configuration.UsernameAttribute)
}
userProfile.Username = attr.Values[0]
}
}
func (p *LDAPUserProvider) getUserDN(conn LDAPConnection, username string) (string, error) {
values, err := p.getUserAttribute(conn, username, "dn")
if err != nil {
return "", err
if userProfile.DN == "" {
return nil, fmt.Errorf("No DN has been found for user %s", username)
}
if len(values) != 1 {
return "", fmt.Errorf("DN attribute of user %s must be set", username)
}
return values[0], nil
}
func (p *LDAPUserProvider) getUserUID(conn LDAPConnection, username string) (string, error) {
values, err := p.getUserAttribute(conn, username, "uid")
if err != nil {
return "", err
}
if len(values) != 1 {
return "", fmt.Errorf("UID attribute of user %s must be set", username)
}
return values[0], nil
return &userProfile, nil
}
func (p *LDAPUserProvider) createGroupsFilter(conn LDAPConnection, username string) (string, error) {
if strings.Contains(p.configuration.GroupsFilter, "{0}") {
return strings.Replace(p.configuration.GroupsFilter, "{0}", username, -1), nil
} else if strings.Contains(p.configuration.GroupsFilter, "{dn}") {
userDN, err := p.getUserDN(conn, username)
profile, err := p.getUserProfile(conn, username)
if err != nil {
return "", err
}
return strings.Replace(p.configuration.GroupsFilter, "{dn}", userDN, -1), nil
} else if strings.Contains(p.configuration.GroupsFilter, "{uid}") {
userUID, err := p.getUserUID(conn, username)
return strings.Replace(p.configuration.GroupsFilter, "{dn}", profile.DN, -1), nil
} else if strings.Contains(p.configuration.GroupsFilter, "{1}") {
profile, err := p.getUserProfile(conn, username)
if err != nil {
return "", err
}
return strings.Replace(p.configuration.GroupsFilter, "{uid}", userUID, -1), nil
return strings.Replace(p.configuration.GroupsFilter, "{1}", profile.Username, -1), nil
}
return p.configuration.GroupsFilter, nil
}
@ -223,36 +220,14 @@ func (p *LDAPUserProvider) GetDetails(username string) (*UserDetails, error) {
groups = append(groups, res.Attributes[0].Values...)
}
userDN, err := p.getUserDN(conn, username)
profile, err := p.getUserProfile(conn, username)
if err != nil {
return nil, err
}
searchEmailRequest := ldap.NewSearchRequest(
userDN, ldap.ScopeBaseObject, ldap.NeverDerefAliases,
0, 0, false, "(cn=*)", []string{p.configuration.MailAttribute}, nil,
)
sr, err = conn.Search(searchEmailRequest)
if err != nil {
return nil, fmt.Errorf("Unable to retrieve email of user %s. Cause: %s", username, err)
}
emails := make([]string, 0)
for _, res := range sr.Entries {
if len(res.Attributes) == 0 {
logging.Logger().Warningf("No email retrieved from LDAP for user %s", username)
break
}
// append all values of the document. Normally there should be only one per document.
emails = append(emails, res.Attributes[0].Values...)
}
return &UserDetails{
Emails: emails,
Username: profile.Username,
Emails: profile.Emails,
Groups: groups,
}, nil
}
@ -265,13 +240,13 @@ func (p *LDAPUserProvider) UpdatePassword(username string, newPassword string) e
return fmt.Errorf("Unable to update password. Cause: %s", err)
}
userDN, err := p.getUserDN(client, username)
profile, err := p.getUserProfile(client, username)
if err != nil {
return fmt.Errorf("Unable to update password. Cause: %s", err)
}
modifyRequest := ldap.NewModifyRequest(userDN, nil)
modifyRequest := ldap.NewModifyRequest(profile.DN, nil)
modifyRequest.Replace("userPassword", []string{newPassword})

View File

@ -110,29 +110,42 @@ func TestShouldEscapeUserInput(t *testing.T) {
ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
URL: "ldap://127.0.0.1:389",
User: "cn=admin,dc=example,dc=com",
UsernameAttribute: "uid",
Password: "password",
UsersFilter: "uid={0}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
}, mockFactory)
mockFactory.EXPECT().
Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
Return(mockConn, nil)
mockConn.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
mockConn.EXPECT().
Close()
mockConn.EXPECT().
// Here we ensure that the input has been correctly escaped.
Search(NewSearchRequestMatcher("uid=john\\=abc")).
Search(NewSearchRequestMatcher("(uid=john\\=abc)")).
Return(&ldap.SearchResult{}, nil)
ldapClient.getUserAttribute(mockConn, "john=abc", "dn")
ldapClient.getUserProfile(mockConn, "john=abc")
}
func TestShouldCombineUsernameFilterAndUsersFilter(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPConnectionFactory(ctrl)
mockConn := NewMockLDAPConnection(ctrl)
ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
URL: "ldap://127.0.0.1:389",
User: "cn=admin,dc=example,dc=com",
UsernameAttribute: "uid",
UsersFilter: "(&(objectCategory=person)(objectClass=user))",
Password: "password",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
}, mockFactory)
mockConn.EXPECT().
Search(NewSearchRequestMatcher("(&(uid=john)(&(objectCategory=person)(objectClass=user)))")).
Return(&ldap.SearchResult{}, nil)
ldapClient.getUserProfile(mockConn, "john")
}
func createSearchResultWithAttributes(attributes ...*ldap.EntryAttribute) *ldap.SearchResult {
@ -160,6 +173,8 @@ func TestShouldNotCrashWhenGroupsAreNotRetrievedFromLDAP(t *testing.T) {
URL: "ldap://127.0.0.1:389",
User: "cn=admin,dc=example,dc=com",
Password: "password",
UsernameAttribute: "uid",
MailAttribute: "mail",
UsersFilter: "uid={0}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
@ -167,33 +182,46 @@ func TestShouldNotCrashWhenGroupsAreNotRetrievedFromLDAP(t *testing.T) {
mockFactory.EXPECT().
Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
Return(mockConn, nil).Times(2)
Return(mockConn, nil)
mockConn.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil).
Times(2)
Return(nil)
mockConn.EXPECT().
Close().Times(2)
Close()
searchGroups := mockConn.EXPECT().
Search(gomock.Any()).
Return(createSearchResultWithAttributes(), nil)
searchUserDN := mockConn.EXPECT().
searchProfile := mockConn.EXPECT().
Search(gomock.Any()).
Return(createSearchResultWithAttributeValues("uid=john,dc=example,dc=com"), nil)
searchEmails := mockConn.EXPECT().
Search(gomock.Any()).
Return(createSearchResultWithAttributeValues("test@example.com"), nil)
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
&ldap.Entry{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
&ldap.EntryAttribute{
Name: "mail",
Values: []string{"test@example.com"},
},
&ldap.EntryAttribute{
Name: "uid",
Values: []string{"john"},
},
},
},
},
}, nil)
gomock.InOrder(searchGroups, searchUserDN, searchEmails)
gomock.InOrder(searchGroups, searchProfile)
details, err := ldapClient.GetDetails("john")
require.NoError(t, err)
assert.ElementsMatch(t, details.Groups, []string{})
assert.ElementsMatch(t, details.Emails, []string{"test@example.com"})
assert.Equal(t, details.Username, "john")
}
func TestShouldNotCrashWhenEmailsAreNotRetrievedFromLDAP(t *testing.T) {
@ -207,6 +235,7 @@ func TestShouldNotCrashWhenEmailsAreNotRetrievedFromLDAP(t *testing.T) {
URL: "ldap://127.0.0.1:389",
User: "cn=admin,dc=example,dc=com",
Password: "password",
UsernameAttribute: "uid",
UsersFilter: "uid={0}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
@ -214,31 +243,102 @@ func TestShouldNotCrashWhenEmailsAreNotRetrievedFromLDAP(t *testing.T) {
mockFactory.EXPECT().
Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
Return(mockConn, nil).Times(2)
Return(mockConn, nil)
mockConn.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil).
Times(2)
Return(nil)
mockConn.EXPECT().
Close().Times(2)
Close()
searchGroups := mockConn.EXPECT().
Search(gomock.Any()).
Return(createSearchResultWithAttributeValues("group1", "group2"), nil)
searchUserDN := mockConn.EXPECT().
searchProfile := mockConn.EXPECT().
Search(gomock.Any()).
Return(createSearchResultWithAttributeValues("uid=john,dc=example,dc=com"), nil)
searchEmails := mockConn.EXPECT().
Search(gomock.Any()).
Return(createSearchResultWithAttributes(), nil)
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
&ldap.Entry{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
&ldap.EntryAttribute{
Name: "uid",
Values: []string{"john"},
},
},
},
},
}, nil)
gomock.InOrder(searchGroups, searchUserDN, searchEmails)
gomock.InOrder(searchGroups, searchProfile)
details, err := ldapClient.GetDetails("john")
require.NoError(t, err)
assert.ElementsMatch(t, details.Groups, []string{"group1", "group2"})
assert.ElementsMatch(t, details.Emails, []string{})
assert.Equal(t, details.Username, "john")
}
func TestShouldReturnUsernameFromLDAP(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockFactory := NewMockLDAPConnectionFactory(ctrl)
mockConn := NewMockLDAPConnection(ctrl)
ldapClient := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
URL: "ldap://127.0.0.1:389",
User: "cn=admin,dc=example,dc=com",
Password: "password",
UsernameAttribute: "uid",
MailAttribute: "mail",
UsersFilter: "uid={0}",
AdditionalUsersDN: "ou=users",
BaseDN: "dc=example,dc=com",
}, mockFactory)
mockFactory.EXPECT().
Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
Return(mockConn, nil)
mockConn.EXPECT().
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
Return(nil)
mockConn.EXPECT().
Close()
searchGroups := mockConn.EXPECT().
Search(gomock.Any()).
Return(createSearchResultWithAttributeValues("group1", "group2"), nil)
searchProfile := mockConn.EXPECT().
Search(gomock.Any()).
Return(&ldap.SearchResult{
Entries: []*ldap.Entry{
&ldap.Entry{
DN: "uid=test,dc=example,dc=com",
Attributes: []*ldap.EntryAttribute{
&ldap.EntryAttribute{
Name: "mail",
Values: []string{"test@example.com"},
},
&ldap.EntryAttribute{
Name: "uid",
Values: []string{"John"},
},
},
},
},
}, nil)
gomock.InOrder(searchGroups, searchProfile)
details, err := ldapClient.GetDetails("john")
require.NoError(t, err)
assert.ElementsMatch(t, details.Groups, []string{"group1", "group2"})
assert.ElementsMatch(t, details.Emails, []string{"test@example.com"})
assert.Equal(t, details.Username, "John")
}

View File

@ -2,6 +2,7 @@ package authentication
// UserDetails represent the details retrieved for a given user.
type UserDetails struct {
Username string
Emails []string
Groups []string
}

View File

@ -10,6 +10,7 @@ type LDAPAuthenticationBackendConfiguration struct {
AdditionalGroupsDN string `mapstructure:"additional_groups_dn"`
GroupsFilter string `mapstructure:"groups_filter"`
GroupNameAttribute string `mapstructure:"group_name_attribute"`
UsernameAttribute string `mapstructure:"username_attribute"`
MailAttribute string `mapstructure:"mail_attribute"`
User string `mapstructure:"user"`
Password string `mapstructure:"password"`

View File

@ -19,8 +19,9 @@ authentication_backend:
ldap:
url: ldap://127.0.0.1
base_dn: dc=example,dc=com
username_attribute: uid
additional_users_dn: ou=users
users_filter: (cn={0})
users_filter: (&(objectCategory=person)(objectClass=user))
additional_groups_dn: ou=groups
groups_filter: (&(member={dn})(objectclass=groupOfNames))
group_name_attribute: cn

View File

@ -121,20 +121,24 @@ func validateLdapAuthenticationBackend(configuration *schema.LDAPAuthenticationB
}
if configuration.UsersFilter == "" {
configuration.UsersFilter = "(cn={0})"
}
validator.Push(errors.New("Please provide a users filter with `users_filter` attribute"))
} else {
if !strings.HasPrefix(configuration.UsersFilter, "(") || !strings.HasSuffix(configuration.UsersFilter, ")") {
validator.Push(errors.New("The users filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})"))
validator.Push(errors.New("The users filter should contain enclosing parenthesis. For instance uid={0} should be (uid={0})"))
}
}
if configuration.GroupsFilter == "" {
configuration.GroupsFilter = "(member={dn})"
}
validator.Push(errors.New("Please provide a groups filter with `groups_filter` attribute"))
} else {
if !strings.HasPrefix(configuration.GroupsFilter, "(") || !strings.HasSuffix(configuration.GroupsFilter, ")") {
validator.Push(errors.New("The groups filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})"))
}
}
if configuration.UsernameAttribute == "" {
validator.Push(errors.New("Please provide a username attribute with `username_attribute`"))
}
if configuration.GroupNameAttribute == "" {
configuration.GroupNameAttribute = "cn"

View File

@ -169,6 +169,9 @@ func (suite *LdapAuthenticationBackendSuite) SetupTest() {
suite.configuration.Ldap.User = "user"
suite.configuration.Ldap.Password = "password"
suite.configuration.Ldap.BaseDN = "base_dn"
suite.configuration.Ldap.UsernameAttribute = "uid"
suite.configuration.Ldap.UsersFilter = "(uid={0})"
suite.configuration.Ldap.GroupsFilter = "(cn={0})"
}
func (suite *LdapAuthenticationBackendSuite) TestShouldValidateCompleteConfiguration() {
@ -204,16 +207,20 @@ func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseErrorWhenBaseDNNotPr
assert.EqualError(suite.T(), suite.validator.Errors()[0], "Please provide a base DN to connect to the LDAP server")
}
func (suite *LdapAuthenticationBackendSuite) TestShouldSetDefaultUsersFilter() {
func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseOnEmptyFilterAndGroupsFilter() {
suite.configuration.Ldap.UsersFilter = ""
suite.configuration.Ldap.GroupsFilter = ""
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
assert.Len(suite.T(), suite.validator.Errors(), 0)
assert.Equal(suite.T(), "(cn={0})", suite.configuration.Ldap.UsersFilter)
require.Len(suite.T(), suite.validator.Errors(), 2)
assert.EqualError(suite.T(), suite.validator.Errors()[0], "Please provide a users filter with `users_filter` attribute")
assert.EqualError(suite.T(), suite.validator.Errors()[1], "Please provide a groups filter with `groups_filter` attribute")
}
func (suite *LdapAuthenticationBackendSuite) TestShouldSetDefaultGroupsFilter() {
func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseOnEmptyUsernameAttribute() {
suite.configuration.Ldap.UsernameAttribute = ""
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
assert.Len(suite.T(), suite.validator.Errors(), 0)
assert.Equal(suite.T(), "(member={dn})", suite.configuration.Ldap.GroupsFilter)
require.Len(suite.T(), suite.validator.Errors(), 1)
assert.EqualError(suite.T(), suite.validator.Errors()[0], "Please provide a username attribute with `username_attribute`")
}
func (suite *LdapAuthenticationBackendSuite) TestShouldSetDefaultGroupNameAttribute() {
@ -229,17 +236,17 @@ func (suite *LdapAuthenticationBackendSuite) TestShouldSetDefaultMailAttribute()
}
func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseWhenUsersFilterDoesNotContainEnclosingParenthesis() {
suite.configuration.Ldap.UsersFilter = "cn={0}"
suite.configuration.Ldap.UsersFilter = "uid={0}"
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
assert.Len(suite.T(), suite.validator.Errors(), 1)
assert.EqualError(suite.T(), suite.validator.Errors()[0], "The users filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})")
assert.EqualError(suite.T(), suite.validator.Errors()[0], "The users filter should contain enclosing parenthesis. For instance uid={0} should be (uid={0})")
}
func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseWhenGroupsFilterDoesNotContainEnclosingParenthesis() {
suite.configuration.Ldap.UsersFilter = "cn={0}"
suite.configuration.Ldap.GroupsFilter = "cn={0}"
ValidateAuthenticationBackend(&suite.configuration, suite.validator)
assert.Len(suite.T(), suite.validator.Errors(), 1)
assert.EqualError(suite.T(), suite.validator.Errors()[0], "The users filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})")
assert.EqualError(suite.T(), suite.validator.Errors()[0], "The groups filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})")
}
func (suite *LdapAuthenticationBackendSuite) TestShouldAdaptLDAPURL() {

View File

@ -95,7 +95,7 @@ func FirstFactorPost(ctx *middlewares.AutheliaCtx) {
// And set those information in the new session.
userSession := ctx.GetSession()
userSession.Username = bodyJSON.Username
userSession.Username = userDetails.Username
userSession.Groups = userDetails.Groups
userSession.Emails = userDetails.Emails
userSession.AuthenticationLevel = authentication.OneFactor

View File

@ -163,6 +163,7 @@ func (s *FirstFactorSuite) TestShouldAuthenticateUserWithRememberMeChecked() {
EXPECT().
GetDetails(gomock.Eq("test")).
Return(&authentication.UserDetails{
Username: "test",
Emails: []string{"test@example.com"},
Groups: []string{"dev", "admins"},
}, nil)
@ -202,6 +203,7 @@ func (s *FirstFactorSuite) TestShouldAuthenticateUserWithRememberMeUnchecked() {
EXPECT().
GetDetails(gomock.Eq("test")).
Return(&authentication.UserDetails{
Username: "test",
Emails: []string{"test@example.com"},
Groups: []string{"dev", "admins"},
}, nil)
@ -231,6 +233,49 @@ func (s *FirstFactorSuite) TestShouldAuthenticateUserWithRememberMeUnchecked() {
assert.Equal(s.T(), []string{"dev", "admins"}, session.Groups)
}
func (s *FirstFactorSuite) TestShouldSaveUsernameFromAuthenticationBackendInSession() {
s.mock.UserProviderMock.
EXPECT().
CheckUserPassword(gomock.Eq("test"), gomock.Eq("hello")).
Return(true, nil)
s.mock.UserProviderMock.
EXPECT().
GetDetails(gomock.Eq("test")).
Return(&authentication.UserDetails{
// This is the name in authentication backend, in some setups the binding is
// case insensitive but the user ID in session must match the user in LDAP
// for the other modules of Authelia to be coherent.
Username: "Test",
Emails: []string{"test@example.com"},
Groups: []string{"dev", "admins"},
}, nil)
s.mock.StorageProviderMock.
EXPECT().
AppendAuthenticationLog(gomock.Any()).
Return(nil)
s.mock.Ctx.Request.SetBodyString(`{
"username": "test",
"password": "hello",
"keepMeLoggedIn": true
}`)
FirstFactorPost(s.mock.Ctx)
// Respond with 200.
assert.Equal(s.T(), 200, s.mock.Ctx.Response.StatusCode())
assert.Equal(s.T(), []byte("{\"status\":\"OK\"}"), s.mock.Ctx.Response.Body())
// And store authentication in session.
session := s.mock.Ctx.GetSession()
assert.Equal(s.T(), "Test", session.Username)
assert.Equal(s.T(), true, session.KeepMeLoggedIn)
assert.Equal(s.T(), authentication.OneFactor, session.AuthenticationLevel)
assert.Equal(s.T(), []string{"test@example.com"}, session.Emails)
assert.Equal(s.T(), []string{"dev", "admins"}, session.Groups)
}
type FirstFactorRedirectionSuite struct {
suite.Suite
@ -259,6 +304,7 @@ func (s *FirstFactorRedirectionSuite) SetupTest() {
EXPECT().
GetDetails(gomock.Eq("test")).
Return(&authentication.UserDetails{
Username: "test",
Emails: []string{"test@example.com"},
Groups: []string{"dev", "admins"},
}, nil)

View File

@ -2,117 +2,30 @@
# Authelia configuration #
###############################################################
# The port to listen on
port: 9091
# Log level
#
# Level of verbosity for logs
log_level: debug
jwt_secret: unsecure_secret
# TOTP Issuer Name
#
# This will be the issuer name displayed in Google Authenticator
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
totp:
issuer: authelia.com
# The authentication backend to use for verifying user passwords
# and retrieve information such as email address and groups
# users belong to.
#
# There are two supported backends: `ldap` and `file`.
authentication_backend:
# LDAP backend configuration.
#
# This backend allows Authelia to be scaled to more
# than one instance and therefore is recommended for
# production.
ldap:
# The url of the ldap server
url: ldap://openldap
# The base dn for every entries
base_dn: dc=example,dc=com
# An additional dn to define the scope to all users
username_attribute: uid
additional_users_dn: ou=users
# The users filter used to find the user DN
# {0} is a matcher replaced by username.
# 'cn={0}' by default.
users_filter: (cn={0})
# An additional dn to define the scope of groups
users_filter: (objectClass=person)
additional_groups_dn: ou=groups
# The groups filter used for retrieving groups of a given user.
# {0} is a matcher replaced by username.
# {dn} is a matcher replaced by user DN.
# 'member={dn}' by default.
groups_filter: (&(member={dn})(objectclass=groupOfNames))
# The attribute holding the name of the group
group_name_attribute: cn
# The attribute holding the mail address of the user
mail_attribute: mail
# The username and password of the admin user.
user: cn=admin,dc=example,dc=com
password: password
# File backend configuration.
#
# With this backend, the users database is stored in a file
# which is updated when users reset their passwords.
# Therefore, this backend is meant to be used in a dev environment
# and not in production since it prevents Authelia to be scaled to
# more than one instance.
#
## file:
## path: ./users_database.yml
# Access Control
#
# Access control is a list of rules defining the authorizations applied for one
# resource to users or group of users.
#
# If 'access_control' is not defined, ACL rules are disabled and the `bypass`
# rule is applied, i.e., access is allowed to anyone. Otherwise restrictions follow
# the rules defined.
#
# Note: One can use the wildcard * to match any subdomain.
# It must stand at the beginning of the pattern. (example: *.mydomain.com)
#
# Note: You must put patterns containing wildcards between simple quotes for the YAML
# to be syntaxically correct.
#
# Definition: A `rule` is an object with the following keys: `domain`, `subject`,
# `policy` and `resources`.
#
# - `domain` defines which domain or set of domains the rule applies to.
#
# - `subject` defines the subject to apply authorizations to. This parameter is
# optional and matching any user if not provided. If provided, the parameter
# represents either a user or a group. It should be of the form 'user:<username>'
# or 'group:<groupname>'.
#
# - `policy` is the policy to apply to resources. It must be either `bypass`,
# `one_factor`, `two_factor` or `deny`.
#
# - `resources` is a list of regular expressions that matches a set of resources to
# apply the policy to. This parameter is optional and matches any resource if not
# provided.
#
# Note: the order of the rules is important. The first policy matching
# (domain, resource, subject) applies.
access_control:
# Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`.
# It is the policy applied to any resource if there is no policy to be applied
# to the user.
default_policy: deny
rules:
@ -162,55 +75,23 @@ access_control:
subject: "user:bob"
policy: two_factor
# Configuration of session cookies
#
# The session cookies identify the user once logged in.
session:
# The name of the session cookie. (default: authelia_session).
name: authelia_session
# The secret to encrypt the session cookie.
secret: unsecure_session_secret
# The time in ms before the cookie expires and session is reset.
expiration: 3600 # 1 hour
# The inactivity time in ms before the session is reset.
inactivity: 300 # 5 minutes
# The domain to protect.
# Note: the authenticator must also be in that domain. If empty, the cookie
# is restricted to the subdomain of the issuer.
domain: example.com
# The redis connection details
redis:
host: redis
port: 6379
password: authelia
# Configuration of the authentication regulation mechanism.
#
# This mechanism prevents attackers from brute forcing the first factor.
# It bans the user if too many attempts are done in a short period of
# time.
regulation:
# The number of failed login attempts before user is banned.
# Set it to 0 to disable regulation.
max_retries: 3
# The time range during which the user can attempt login before being banned.
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
find_time: 8
# The length of time before a banned user can login again.
ban_time: 10
# Configuration of the storage backend used to store data and secrets.
#
# You must use only an available configuration: local, sql
storage:
# Settings to connect to mariadb server
mysql:
host: mariadb
port: 3306
@ -218,13 +99,7 @@ storage:
username: admin
password: password
# Configuration of the notification system.
#
# Notifications are sent to users when they require a password reset, a u2f
# registration or a TOTP registration.
# Use only an available configuration: filesystem, gmail
notifier:
# Use a SMTP server for sending notifications
smtp:
host: smtp
port: 1025

View File

@ -12,39 +12,16 @@ jwt_secret: very_important_secret
authentication_backend:
ldap:
# The url of the ldap server
url: ldaps://openldap
# Skip certificate verification (for self-signed certificates)
skip_verify: true
# The base dn for every entries
base_dn: dc=example,dc=com
# An additional dn to define the scope to all users
username_attribute: uid
additional_users_dn: ou=users
# The users filter used to find the user DN
# {0} is a matcher replaced by username.
# 'cn={0}' by default.
users_filter: (cn={0})
# An additional dn to define the scope of groups
users_filter: (objectClass=person)
additional_groups_dn: ou=groups
# The groups filter used for retrieving groups of a given user.
# {0} is a matcher replaced by username.
# {dn} is a matcher replaced by user DN.
# 'member={dn}' by default.
groups_filter: (&(member={dn})(objectclass=groupOfNames))
# The attribute holding the name of the group
group_name_attribute: cn
# The attribute holding the mail address of the user
mail_attribute: mail
# The username and password of the admin user.
user: cn=admin,dc=example,dc=com
password: password
@ -54,15 +31,10 @@ session:
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
# Configuration of the storage backend used to store data and secrets. i.e. totp data
storage:
local:
path: /var/lib/authelia/db.sqlite3
# TOTP Issuer Name
#
# This will be the issuer name displayed in Google Authenticator
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
totp:
issuer: example.com
@ -78,19 +50,12 @@ access_control:
- domain: "singlefactor.example.com"
policy: one_factor
# Configuration of the authentication regulation mechanism.
regulation:
# Set it to 0 to disable max_retries.
max_retries: 3
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
find_time: 300
# The length of time before a banned user can login again.
ban_time: 900
notifier:
# Use a SMTP server for sending notifications
smtp:
host: smtp
port: 1025

View File

@ -16,5 +16,7 @@ services:
- './example/compose/ldap/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom'
command:
- '--copy-service'
- '--loglevel'
- 'debug'
networks:
- authelianet

View File

@ -10,18 +10,19 @@ ou: users
dn: cn=dev,ou=groups,dc=example,dc=com
cn: dev
member: cn=john,ou=users,dc=example,dc=com
member: cn=bob,ou=users,dc=example,dc=com
member: uid=john,ou=users,dc=example,dc=com
member: uid=bob,ou=users,dc=example,dc=com
objectclass: groupOfNames
objectclass: top
dn: cn=admins,ou=groups,dc=example,dc=com
cn: admins
member: cn=john,ou=users,dc=example,dc=com
member: uid=john,ou=users,dc=example,dc=com
objectclass: groupOfNames
objectclass: top
dn: cn=john,ou=users,dc=example,dc=com
dn: uid=john,ou=users,dc=example,dc=com
uid: john
cn: john
objectclass: inetOrgPerson
objectclass: top
@ -29,7 +30,8 @@ mail: john.doe@authelia.com
sn: John Doe
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
dn: cn=harry,ou=users,dc=example,dc=com
dn: uid=harry,ou=users,dc=example,dc=com
uid: harry
cn: harry
objectclass: inetOrgPerson
objectclass: top
@ -37,7 +39,8 @@ mail: harry.potter@authelia.com
sn: Harry Potter
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
dn: cn=bob,ou=users,dc=example,dc=com
dn: uid=bob,ou=users,dc=example,dc=com
uid: bob
cn: bob
objectclass: inetOrgPerson
objectclass: top
@ -45,7 +48,8 @@ mail: bob.dylan@authelia.com
sn: Bob Dylan
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
dn: cn=james,ou=users,dc=example,dc=com
dn: uid=james,ou=users,dc=example,dc=com
uid: james
cn: james
objectclass: inetOrgPerson
objectclass: top
@ -53,7 +57,8 @@ mail: james.dean@authelia.com
sn: James Dean
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
dn: cn=blackhat,ou=users,dc=example,dc=com
dn: uid=blackhat,ou=users,dc=example,dc=com
uid: blackhat
cn: blackhat
objectclass: inetOrgPerson
objectclass: top

View File

@ -12,8 +12,9 @@ authentication_backend:
url: ldaps://ldap-service
skip_verify: true
base_dn: dc=example,dc=com
username_attribute: uid
additional_users_dn: ou=users
users_filter: (cn={0})
users_filter: (objectClass=person)
additional_groups_dn: ou=groups
groups_filter: (&(member={dn})(objectclass=groupOfNames))
group_name_attribute: cn

View File

@ -10,18 +10,19 @@ ou: users
dn: cn=dev,ou=groups,dc=example,dc=com
cn: dev
member: cn=john,ou=users,dc=example,dc=com
member: cn=bob,ou=users,dc=example,dc=com
member: uid=john,ou=users,dc=example,dc=com
member: uid=bob,ou=users,dc=example,dc=com
objectclass: groupOfNames
objectclass: top
dn: cn=admins,ou=groups,dc=example,dc=com
cn: admins
member: cn=john,ou=users,dc=example,dc=com
member: uid=john,ou=users,dc=example,dc=com
objectclass: groupOfNames
objectclass: top
dn: cn=john,ou=users,dc=example,dc=com
dn: uid=john,ou=users,dc=example,dc=com
uid: john
cn: john
objectclass: inetOrgPerson
objectclass: top
@ -29,7 +30,8 @@ mail: john.doe@authelia.com
sn: John Doe
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
dn: cn=harry,ou=users,dc=example,dc=com
dn: uid=harry,ou=users,dc=example,dc=com
uid: harry
cn: harry
objectclass: inetOrgPerson
objectclass: top
@ -37,7 +39,8 @@ mail: harry.potter@authelia.com
sn: Harry Potter
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
dn: cn=bob,ou=users,dc=example,dc=com
dn: uid=bob,ou=users,dc=example,dc=com
uid: bob
cn: bob
objectclass: inetOrgPerson
objectclass: top
@ -45,7 +48,8 @@ mail: bob.dylan@authelia.com
sn: Bob Dylan
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
dn: cn=james,ou=users,dc=example,dc=com
dn: uid=james,ou=users,dc=example,dc=com
uid: james
cn: james
objectclass: inetOrgPerson
objectclass: top
@ -53,7 +57,8 @@ mail: james.dean@authelia.com
sn: James Dean
userpassword: {CRYPT}$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/
dn: cn=blackhat,ou=users,dc=example,dc=com
dn: uid=blackhat,ou=users,dc=example,dc=com
uid: blackhat
cn: blackhat
objectclass: inetOrgPerson
objectclass: top

View File

@ -31,7 +31,7 @@ func init() {
return waitUntilAutheliaBackendIsReady(haDockerEnvironment)
}
onSetupTimeout := func() error {
displayAutheliaLogs := func() error {
backendLogs, err := haDockerEnvironment.Logs("authelia-backend", nil)
if err != nil {
return err
@ -53,10 +53,11 @@ func init() {
GlobalRegistry.Register(highAvailabilitySuiteName, Suite{
SetUp: setup,
SetUpTimeout: 5 * time.Minute,
OnSetupTimeout: onSetupTimeout,
OnSetupTimeout: displayAutheliaLogs,
TestTimeout: 5 * time.Minute,
TearDown: teardown,
TearDownTimeout: 2 * time.Minute,
OnError: displayAutheliaLogs,
Description: `This suite is made to test Authelia in a *complete*
environment, that is, with all components making Authelia highly available.`,
})

View File

@ -30,7 +30,7 @@ func init() {
return waitUntilAutheliaBackendIsReady(dockerEnvironment)
}
onSetupTimeout := func() error {
displayAutheliaLogs := func() error {
backendLogs, err := dockerEnvironment.Logs("authelia-backend", nil)
if err != nil {
return err
@ -53,9 +53,10 @@ func init() {
GlobalRegistry.Register(ldapSuiteName, Suite{
SetUp: setup,
SetUpTimeout: 5 * time.Minute,
OnSetupTimeout: onSetupTimeout,
OnSetupTimeout: displayAutheliaLogs,
TestTimeout: 1 * time.Minute,
TearDown: teardown,
TearDownTimeout: 2 * time.Minute,
OnError: displayAutheliaLogs,
})
}