From e97a84860044cd88f0d63ec139945a6df8761828 Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Fri, 4 Nov 2022 13:42:28 +1100
Subject: [PATCH] refactor: ldap filter (#4329)

---
 .../en/configuration/first-factor/ldap.md | 4 +-
 .../en/integration/ldap/introduction.md | 38 +++++++++----------
 docs/content/en/reference/guides/ldap.md | 21 ++++++----
 .../configuration/schema/authentication.go | 2 +-
 4 files changed, 36 insertions(+), 29 deletions(-)

diff --git a/docs/content/en/configuration/first-factor/ldap.md b/docs/content/en/configuration/first-factor/ldap.md
index a46710169..9fb9127f3 100644
--- a/docs/content/en/configuration/first-factor/ldap.md
+++ b/docs/content/en/configuration/first-factor/ldap.md
@@ -97,12 +97,12 @@ authentication_backend:
 DO NOT USE==
 -----END RSA PRIVATE KEY-----
 base_dn: DC=example,DC=com
- additional_users_dn: ou=users
+ additional_users_dn: OU=users
 users_filter: (&({username_attribute}={input})(objectClass=person))
 username_attribute: uid
 mail_attribute: mail
 display_name_attribute: displayName
- additional_groups_dn: ou=groups
+ additional_groups_dn: OU=groups
 groups_filter: (&(member={dn})(objectClass=groupOfNames))
 group_name_attribute: cn
 permit_referrals: false
diff --git a/docs/content/en/integration/ldap/introduction.md b/docs/content/en/integration/ldap/introduction.md
index 1ce1172b3..596caa125 100644
--- a/docs/content/en/integration/ldap/introduction.md
+++ b/docs/content/en/integration/ldap/introduction.md
@@ -37,8 +37,8 @@ In your Authelia configuration you will need to enter and update the following v
 * url `ldap://OpenLDAP:1389` - servers dns name & port. *tip: if you have Authelia on a container network that is routable, you can just use the container name*
 * server_name `ldap01.example.com` - servers name
-* base_dn `dc=example,dc=com` - common name of domain root.
-* groups_filter `dc=example,dc=com` - replace relevant section with your own domain in common name format, same as base_dn.
+* base_dn `DC=example,DC=com` - common name of domain root.
+* groups_filter `DC=example,DC=com` - replace relevant section with your own domain in common name format, same as base_dn.
 * user `authelia` - username for Authelia service account
 * password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account
@@ -52,16 +52,16 @@ In your Authelia configuration you will need to enter and update the following v
 server_name: ldap01.example.com
 skip_verify: true
 minimum_version: TLS1.2
- base_dn: dc=example,dc=com
- additional_users_dn: ou=users
+ base_dn: DC=example,DC=com
+ additional_users_dn: OU=users
 users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
 username_attribute: uid
 mail_attribute: mail
 display_name_attribute: displayName
- additional_groups_dn: ou=groups
- groups_filter: (&(member=uid={input},ou=users,dc=example,dc=com)(objectclass=groupofnames))
+ additional_groups_dn: OU=groups
+ groups_filter: (&(member=UID={input},OU=users,DC=example,DC=com)(objectClass=groupOfNames))
 group_name_attribute: cn
- user: uid=authelia,ou=service accounts,dc=example,dc=com
+ user: UID=authelia,OU=service accounts,DC=example,DC=com
 password: "SUPER_COMPLEX_PASSWORD"
 ```
 Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with
@@ -84,8 +84,8 @@ login, and reference it within the filters below.
 In your Authelia configuration you will need to enter and update the following variables -
 * url `ldap://ldap` - servers dns name. Port will assume 389 as standard. Specify custom port with `:port` if needed.
 * server_name `ldap01.example.com` - servers name
-* base_dn `dc=example,dc=com` - common name of domain root.
-* groups_filter `dc=example,dc=com` - replace relevant section with your own domain in common name format, same as base_dn.
+* base_dn `DC=example,DC=com` - common name of domain root.
+* groups_filter `DC=example,DC=com` - replace relevant section with your own domain in common name format, same as base_dn.
 * user `authelia` - username for Authelia service account
 * password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account
@@ -99,16 +99,16 @@ In your Authelia configuration you will need to enter and update the following v
 server_name: ldap.example.com
 skip_verify: true
 minimum_version: TLS1.2
- base_dn: dc=example,dc=com
+ base_dn: dc=example,DC=com
 username_attribute: uid
- additional_users_dn: cn=users,cn=accounts
+ additional_users_dn: CN=users,CN=accounts
 users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
- additional_groups_dn: ou=groups
- groups_filter: (&(member=uid={input},cn=users,cn=accounts,dc=example,dc=com)(objectclass=groupofnames))
+ additional_groups_dn: OU=groups
+ groups_filter: (&(member=UID={input},CN=users,CN=accounts,DC=example,DC=com)(objectClass=groupOfNames))
 group_name_attribute: cn
 mail_attribute: mail
 display_name_attribute: displayName
- user: uid=authelia,cn=users,cn=accounts,dc=example,dc=com
+ user: UID=authelia,CN=users,CN=accounts,DC=example,DC=com
 password: "SUPER_COMPLEX_PASSWORD"
 ```
 Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with
@@ -128,7 +128,7 @@ within the filters below.
 In your Authelia configuration you will need to enter and update the following variables -
 * url `ldap://OpenLDAP:1389` - servers dns name & port. *tip: if you have Authelia on a container network that is routable, you can just use the container name*
-* base_dn `dc=example,dc=com` - common name of domain root.
+* base_dn `DC=example,DC=com` - common name of domain root.
 * user `authelia` - username for Authelia service account.
 * password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account,
@@ -138,19 +138,19 @@ ldap:
 url: ldap://lldap:3890
 timeout: 5s
 start_tls: false
- base_dn: dc=example,dc=com
+ base_dn: dc=example,DC=com
 username_attribute: uid
- additional_users_dn: ou=people
+ additional_users_dn: OU=people
 # To allow sign in both with username and email, one can use a filter like
 # (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
 users_filter: (&({username_attribute}={input})(objectClass=person))
- additional_groups_dn: ou=groups
+ additional_groups_dn: OU=groups
 groups_filter: (member={dn})
 group_name_attribute: cn
 mail_attribute: mail
 display_name_attribute: displayName
 # The username and password of the admin or service user.
- user: uid=authelia,ou=people,dc=example,dc=com
+ user: UID=authelia,OU=people,DC=example,DC=com
 password: "SUPER_COMPLEX_PASSWORD"
 ```
 Following this, restart Authelia, and you should be able to begin using lldap integration for your user logins, with
diff --git a/docs/content/en/reference/guides/ldap.md b/docs/content/en/reference/guides/ldap.md
index 0867471b8..1e581b23e 100644
--- a/docs/content/en/reference/guides/ldap.md
+++ b/docs/content/en/reference/guides/ldap.md
@@ -94,11 +94,18 @@ accounts. The active directory example has two attribute filters that accomplish
 be appreciated). The userAccountControl filter checks that the account is not disabled and the pwdLastSet makes sure that value is not 0 which means the password requires changing at the next login.
-| Implementation | Users Filter | Groups Filter |
-|:---------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------------------------------:|
-| custom | N/A | N/A |
-| activedirectory | (&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))) | (&(member={dn})(objectClass=group)(objectCategory=group)) |
+| Implementation | Users Filter | Groups Filter |
+|:---------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------:|
+| custom | N/A | N/A |
+| activedirectory | (&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))) | (&(member={dn})(objectClass=group)(sAMAccountType=268435456)) |
-*__Note:__* The Active Directory filter `(sAMAccountType=805306368)` is exactly the same as
-`(&(objectCategory=person)(objectClass=user))` except that the former is more performant, you can read more about this
-and other Active Directory filters on the [TechNet wiki](https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx).
+##### Microsoft Active Directory sAMAccountType
+
+| Account Type Value | Description | Equivalent Filter |
+|:------------------:|:--------------------------:|:----------------------------------------------:|
+| 268435456 | Normal Group Objects | N/A |
+| 805306368 | Normal User Accounts | `(&(objectCategory=person)(objectClass=user))` |
+
+*__References:__*
+- Account Type Values: [Microsoft Learn](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/e742be45-665d-4576-b872-0bc99d1e1fbe).
+- LDAP Syntax Filters: [Microsoft TechNet Wiki](https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx)
diff --git a/internal/configuration/schema/authentication.go b/internal/configuration/schema/authentication.go
index e070a503a..9d118c091 100644
--- a/internal/configuration/schema/authentication.go
+++ b/internal/configuration/schema/authentication.go
@@ -191,7 +191,7 @@ var DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory =
 UsernameAttribute: "sAMAccountName",
 MailAttribute: "mail",
 DisplayNameAttribute: "displayName",
- GroupsFilter: "(&(member={dn})(objectClass=group))",
+ GroupsFilter: "(&(member={dn})(sAMAccountType=268435456))",
 GroupNameAttribute: "cn",
 Timeout: time.Second * 5,
 TLS: &TLSConfig{
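Review bot: The new default `GroupsFilter: "(&(member={dn})(sAMAccountType=268435456))"` does not match the filter this same commit documents for the activedirectory implementation in docs/content/en/reference/guides/ldap.md, which is `(&(member={dn})(objectClass=group)(sAMAccountType=268435456))`. Because the groups filter decides which groups a user is treated as a member of, and so feeds access-control decisions, the shipped default and the documented value should be identical, otherwise an operator who copies the table gets different behaviour from one who relies on the default. Either keep the objectClass clause here, `GroupsFilter: "(&(member={dn})(objectClass=group)(sAMAccountType=268435456))",`, or drop it from the reference table; I cannot tell from the hunk alone whether the two forms select the same entries on every directory, so the choice should be made deliberately and stated in a comment on the field. The composite literal this field belongs to starts and ends outside the hunk.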