refactor: ldap filter (#4329)

pull/4322/merge
James Elliott 2022-11-04 13:42:28 +11:00 committed by GitHub
parent 500410fac3
commit e97a848600
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 36 additions and 29 deletions

View File

@ -97,12 +97,12 @@ authentication_backend:
DO NOT USE==
-----END RSA PRIVATE KEY-----
base_dn: DC=example,DC=com
additional_users_dn: ou=users
additional_users_dn: OU=users
users_filter: (&({username_attribute}={input})(objectClass=person))
username_attribute: uid
mail_attribute: mail
display_name_attribute: displayName
additional_groups_dn: ou=groups
additional_groups_dn: OU=groups
groups_filter: (&(member={dn})(objectClass=groupOfNames))
group_name_attribute: cn
permit_referrals: false
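Review bot: the casing change to `additional_users_dn: OU=users` and `additional_groups_dn: OU=groups` is purely cosmetic (attribute types in a DN are matched case-insensitively), but the convention it introduces, uppercase RDN attribute types in DNs and camelCase attribute names such as `objectClass` in filters, is stated nowhere in the hunk or the commit message; a short comment on the example, or a sentence in the commit message, would make the rule explicit so later edits do not mix the two styles.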

View File

@ -37,8 +37,8 @@ In your Authelia configuration you will need to enter and update the following v
* url `ldap://OpenLDAP:1389` - servers dns name & port.
*tip: if you have Authelia on a container network that is routable, you can just use the container name*
* server_name `ldap01.example.com` - servers name
* base_dn `dc=example,dc=com` - common name of domain root.
* groups_filter `dc=example,dc=com` - replace relevant section with your own domain in common name format, same as base_dn.
* base_dn `DC=example,DC=com` - common name of domain root.
* groups_filter `DC=example,DC=com` - replace relevant section with your own domain in common name format, same as base_dn.
* user `authelia` - username for Authelia service account
* password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account
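Review bot: the `base_dn` bullet describes `DC=example,DC=com` as the "common name of domain root" and the `groups_filter` bullet as "common name format"; these are domain component (DC) RDNs forming a distinguished name, not a common name (CN), so the wording should read "distinguished name of the domain root, e.g. `DC=example,DC=com`" and "in distinguished name form, the same value as base_dn". The `groups_filter` bullet also shows only the DC suffix rather than the filter the user edits, which makes "replace relevant section" ambiguous until the reader reaches the full config block below.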
@ -52,16 +52,16 @@ In your Authelia configuration you will need to enter and update the following v
server_name: ldap01.example.com
skip_verify: true
minimum_version: TLS1.2
base_dn: dc=example,dc=com
additional_users_dn: ou=users
base_dn: DC=example,DC=com
additional_users_dn: OU=users
users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
username_attribute: uid
mail_attribute: mail
display_name_attribute: displayName
additional_groups_dn: ou=groups
groups_filter: (&(member=uid={input},ou=users,dc=example,dc=com)(objectclass=groupofnames))
additional_groups_dn: OU=groups
groups_filter: (&(member=UID={input},OU=users,DC=example,DC=com)(objectClass=groupOfNames))
group_name_attribute: cn
user: uid=authelia,ou=service accounts,dc=example,dc=com
user: UID=authelia,OU=service accounts,DC=example,DC=com
password: "SUPER_COMPLEX_PASSWORD"
```
Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with
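Review bot: the `groups_filter` in this example builds the member DN from `{input}` (`member=UID={input},OU=users,DC=example,DC=com`) while the `users_filter` two lines above accepts either the username or the mail attribute as `{input}`; a user who signs in with their email address therefore gets a member DN of `UID=user@example.com,...` that matches no group, and group lookups silently return nothing. The first file in this commit already uses `(&(member={dn})(objectClass=groupOfNames))`, which resolves the entry's actual DN; this example should use `{dn}` as well rather than reconstructing the DN by hand. Since the hunk is already touching this line for casing, it is the right moment to fix it, and `skip_verify: true` should at least carry a comment that it is for lab use only.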
@ -84,8 +84,8 @@ login, and reference it within the filters below.
In your Authelia configuration you will need to enter and update the following variables -
* url `ldap://ldap` - servers dns name. Port will assume 389 as standard. Specify custom port with `:port` if needed.
* server_name `ldap01.example.com` - servers name
* base_dn `dc=example,dc=com` - common name of domain root.
* groups_filter `dc=example,dc=com` - replace relevant section with your own domain in common name format, same as base_dn.
* base_dn `DC=example,DC=com` - common name of domain root.
* groups_filter `DC=example,DC=com` - replace relevant section with your own domain in common name format, same as base_dn.
* user `authelia` - username for Authelia service account
* password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account
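Review bot: the same "common name of domain root" / "common name format" wording appears in these `base_dn` and `groups_filter` bullets; apply the distinguished name (DC components) correction here too so the two sections of the guide do not describe the same value differently.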
@ -99,16 +99,16 @@ In your Authelia configuration you will need to enter and update the following v
server_name: ldap.example.com
skip_verify: true
minimum_version: TLS1.2
base_dn: dc=example,dc=com
base_dn: dc=example,DC=com
username_attribute: uid
additional_users_dn: cn=users,cn=accounts
additional_users_dn: CN=users,CN=accounts
users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
additional_groups_dn: ou=groups
groups_filter: (&(member=uid={input},cn=users,cn=accounts,dc=example,dc=com)(objectclass=groupofnames))
additional_groups_dn: OU=groups
groups_filter: (&(member=UID={input},CN=users,CN=accounts,DC=example,DC=com)(objectClass=groupOfNames))
group_name_attribute: cn
mail_attribute: mail
display_name_attribute: displayName
user: uid=authelia,cn=users,cn=accounts,dc=example,dc=com
user: UID=authelia,CN=users,CN=accounts,DC=example,DC=com
password: "SUPER_COMPLEX_PASSWORD"
```
Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with
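Review bot: `base_dn: dc=example,DC=com` is only half converted; the first RDN is still lowercase while the `groups_filter` and `user` lines in the same hunk use `DC=example,DC=com`, so this line should read `base_dn: DC=example,DC=com` to match. The `groups_filter` here has the same `{input}`-based member DN (`member=UID={input},CN=users,CN=accounts,...`) as the OpenLDAP example, which breaks group resolution for email logins permitted by the `users_filter`; prefer `(&(member={dn})(objectClass=groupOfNames))`.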
@ -128,7 +128,7 @@ within the filters below.
In your Authelia configuration you will need to enter and update the following variables -
* url `ldap://OpenLDAP:1389` - servers dns name & port.
*tip: if you have Authelia on a container network that is routable, you can just use the container name*
* base_dn `dc=example,dc=com` - common name of domain root.
* base_dn `DC=example,DC=com` - common name of domain root.
* user `authelia` - username for Authelia service account.
* password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account,
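Review bot: the `url` bullet in this lldap section still reads `ldap://OpenLDAP:1389` (with the OpenLDAP container tip), but the configuration block that follows uses `url: ldap://lldap:3890`; the bullet should give the lldap container name and port so the checklist and the example agree. The `base_dn` bullet repeats the "common name of domain root" wording that should be "distinguished name of the domain root".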
@ -138,19 +138,19 @@ ldap:
url: ldap://lldap:3890
timeout: 5s
start_tls: false
base_dn: dc=example,dc=com
base_dn: dc=example,DC=com
username_attribute: uid
additional_users_dn: ou=people
additional_users_dn: OU=people
# To allow sign in both with username and email, one can use a filter like
# (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
users_filter: (&({username_attribute}={input})(objectClass=person))
additional_groups_dn: ou=groups
additional_groups_dn: OU=groups
groups_filter: (member={dn})
group_name_attribute: cn
mail_attribute: mail
display_name_attribute: displayName
# The username and password of the admin or service user.
user: uid=authelia,ou=people,dc=example,dc=com
user: UID=authelia,OU=people,DC=example,DC=com
password: "SUPER_COMPLEX_PASSWORD"
```
Following this, restart Authelia, and you should be able to begin using lldap integration for your user logins, with
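Review bot: `base_dn: dc=example,DC=com` has the same partial casing as the FreeIPA example, lowercase `dc` on the first RDN and uppercase `DC` on the second, while `user: UID=authelia,OU=people,DC=example,DC=com` in the same hunk is fully uppercase; change it to `base_dn: DC=example,DC=com`. The `groups_filter: (member={dn})` form used here is the one the other examples should adopt.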

View File

@ -94,11 +94,18 @@ accounts. The active directory example has two attribute filters that accomplish
be appreciated). The userAccountControl filter checks that the account is not disabled and the pwdLastSet makes sure that
value is not 0 which means the password requires changing at the next login.
| Implementation | Users Filter | Groups Filter |
|:---------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------------------------------:|
| custom | N/A | N/A |
| activedirectory | (&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))) | (&(member={dn})(objectClass=group)(objectCategory=group)) |
| Implementation | Users Filter | Groups Filter |
|:---------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------:|
| custom | N/A | N/A |
| activedirectory | (&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))) | (&(member={dn})(objectClass=group)(sAMAccountType=268435456)) |
*__Note:__* The Active Directory filter `(sAMAccountType=805306368)` is exactly the same as
`(&(objectCategory=person)(objectClass=user))` except that the former is more performant, you can read more about this
and other Active Directory filters on the [TechNet wiki](https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx).
##### Microsoft Active Directory sAMAccountType
| Account Type Value | Description | Equivalent Filter |
|:------------------:|:--------------------------:|:----------------------------------------------:|
| 268435456 | Normal Group Objects | N/A |
| 805306368 | Normal User Accounts | `(&(objectCategory=person)(objectClass=user))` |
*__References:__*
- Account Type Values: [Microsoft Learn](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/e742be45-665d-4576-b872-0bc99d1e1fbe).
- LDAP Syntax Filters: [Microsoft TechNet Wiki](https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx)
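Review bot: replacing `(objectCategory=group)` with `(sAMAccountType=268435456)` in the Active Directory groups filter is not a like-for-like swap, unlike the user case the note below the table describes. `268435456` (0x10000000) is `SAM_GROUP_OBJECT`, which covers global and universal security groups only; domain local security groups are `SAM_ALIAS_OBJECT` (536870912, 0x20000000) and distribution groups are the `SAM_NON_SECURITY_*` variants (268435457 and 536870913). A deployment that grants access through domain local groups will stop seeing those memberships after this change, with no error. Either keep `(objectCategory=group)` in the default, or document the narrowing explicitly and extend the `sAMAccountType` table with the alias and non-security group values instead of labelling 268435456 "Normal Group Objects" with an "N/A" equivalent filter, since a reader cannot tell from the table which group types are excluded.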

View File

@ -191,7 +191,7 @@ var DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory =
UsernameAttribute: "sAMAccountName",
MailAttribute: "mail",
DisplayNameAttribute: "displayName",
GroupsFilter: "(&(member={dn})(objectClass=group))",
GroupsFilter: "(&(member={dn})(sAMAccountType=268435456))",
GroupNameAttribute: "cn",
Timeout: time.Second * 5,
TLS: &TLSConfig{
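Review bot: the code default `(&(member={dn})(sAMAccountType=268435456))` drops the `(objectClass=group)` clause that the documentation table in this same commit keeps (`(&(member={dn})(objectClass=group)(sAMAccountType=268435456))`), so the documented default and the shipped default differ. Before this change they already differed (the code had no `objectCategory` clause while the docs did); pick one filter string and use it in both places, and prefer the one that retains domain local groups unless the narrowing to `SAM_GROUP_OBJECT` is intended and documented.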