refactor: ldap filter (#4329)

pull/4322/merge
James Elliott 2022-11-04 13:42:28 +11:00 committed by GitHub
parent 500410fac3
commit e97a848600
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 36 additions and 29 deletions

View File

@ -97,12 +97,12 @@ authentication_backend:
DO NOT USE== DO NOT USE==
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----
base_dn: DC=example,DC=com base_dn: DC=example,DC=com
additional_users_dn: ou=users additional_users_dn: OU=users
users_filter: (&({username_attribute}={input})(objectClass=person)) users_filter: (&({username_attribute}={input})(objectClass=person))
username_attribute: uid username_attribute: uid
mail_attribute: mail mail_attribute: mail
display_name_attribute: displayName display_name_attribute: displayName
additional_groups_dn: ou=groups additional_groups_dn: OU=groups
groups_filter: (&(member={dn})(objectClass=groupOfNames)) groups_filter: (&(member={dn})(objectClass=groupOfNames))
group_name_attribute: cn group_name_attribute: cn
permit_referrals: false permit_referrals: false

View File

@ -37,8 +37,8 @@ In your Authelia configuration you will need to enter and update the following v
* url `ldap://OpenLDAP:1389` - servers dns name & port. * url `ldap://OpenLDAP:1389` - servers dns name & port.
*tip: if you have Authelia on a container network that is routable, you can just use the container name* *tip: if you have Authelia on a container network that is routable, you can just use the container name*
* server_name `ldap01.example.com` - servers name * server_name `ldap01.example.com` - servers name
* base_dn `dc=example,dc=com` - common name of domain root. * base_dn `DC=example,DC=com` - common name of domain root.
* groups_filter `dc=example,dc=com` - replace relevant section with your own domain in common name format, same as base_dn. * groups_filter `DC=example,DC=com` - replace relevant section with your own domain in common name format, same as base_dn.
* user `authelia` - username for Authelia service account * user `authelia` - username for Authelia service account
* password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account * password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account
@ -52,16 +52,16 @@ In your Authelia configuration you will need to enter and update the following v
server_name: ldap01.example.com server_name: ldap01.example.com
skip_verify: true skip_verify: true
minimum_version: TLS1.2 minimum_version: TLS1.2
base_dn: dc=example,dc=com base_dn: DC=example,DC=com
additional_users_dn: ou=users additional_users_dn: OU=users
users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
username_attribute: uid username_attribute: uid
mail_attribute: mail mail_attribute: mail
display_name_attribute: displayName display_name_attribute: displayName
additional_groups_dn: ou=groups additional_groups_dn: OU=groups
groups_filter: (&(member=uid={input},ou=users,dc=example,dc=com)(objectclass=groupofnames)) groups_filter: (&(member=UID={input},OU=users,DC=example,DC=com)(objectClass=groupOfNames))
group_name_attribute: cn group_name_attribute: cn
user: uid=authelia,ou=service accounts,dc=example,dc=com user: UID=authelia,OU=service accounts,DC=example,DC=com
password: "SUPER_COMPLEX_PASSWORD" password: "SUPER_COMPLEX_PASSWORD"
``` ```
Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with
@ -84,8 +84,8 @@ login, and reference it within the filters below.
In your Authelia configuration you will need to enter and update the following variables - In your Authelia configuration you will need to enter and update the following variables -
* url `ldap://ldap` - servers dns name. Port will assume 389 as standard. Specify custom port with `:port` if needed. * url `ldap://ldap` - servers dns name. Port will assume 389 as standard. Specify custom port with `:port` if needed.
* server_name `ldap01.example.com` - servers name * server_name `ldap01.example.com` - servers name
* base_dn `dc=example,dc=com` - common name of domain root. * base_dn `DC=example,DC=com` - common name of domain root.
* groups_filter `dc=example,dc=com` - replace relevant section with your own domain in common name format, same as base_dn. * groups_filter `DC=example,DC=com` - replace relevant section with your own domain in common name format, same as base_dn.
* user `authelia` - username for Authelia service account * user `authelia` - username for Authelia service account
* password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account * password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account
@ -99,16 +99,16 @@ In your Authelia configuration you will need to enter and update the following v
server_name: ldap.example.com server_name: ldap.example.com
skip_verify: true skip_verify: true
minimum_version: TLS1.2 minimum_version: TLS1.2
base_dn: dc=example,dc=com base_dn: dc=example,DC=com
username_attribute: uid username_attribute: uid
additional_users_dn: cn=users,cn=accounts additional_users_dn: CN=users,CN=accounts
users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
additional_groups_dn: ou=groups additional_groups_dn: OU=groups
groups_filter: (&(member=uid={input},cn=users,cn=accounts,dc=example,dc=com)(objectclass=groupofnames)) groups_filter: (&(member=UID={input},CN=users,CN=accounts,DC=example,DC=com)(objectClass=groupOfNames))
group_name_attribute: cn group_name_attribute: cn
mail_attribute: mail mail_attribute: mail
display_name_attribute: displayName display_name_attribute: displayName
user: uid=authelia,cn=users,cn=accounts,dc=example,dc=com user: UID=authelia,CN=users,CN=accounts,DC=example,DC=com
password: "SUPER_COMPLEX_PASSWORD" password: "SUPER_COMPLEX_PASSWORD"
``` ```
Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with
@ -128,7 +128,7 @@ within the filters below.
In your Authelia configuration you will need to enter and update the following variables - In your Authelia configuration you will need to enter and update the following variables -
* url `ldap://OpenLDAP:1389` - servers dns name & port. * url `ldap://OpenLDAP:1389` - servers dns name & port.
*tip: if you have Authelia on a container network that is routable, you can just use the container name* *tip: if you have Authelia on a container network that is routable, you can just use the container name*
* base_dn `dc=example,dc=com` - common name of domain root. * base_dn `DC=example,DC=com` - common name of domain root.
* user `authelia` - username for Authelia service account. * user `authelia` - username for Authelia service account.
* password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account, * password `SUPER_COMPLEX_PASSWORD` - password for Authelia service account,
@ -138,19 +138,19 @@ ldap:
url: ldap://lldap:3890 url: ldap://lldap:3890
timeout: 5s timeout: 5s
start_tls: false start_tls: false
base_dn: dc=example,dc=com base_dn: dc=example,DC=com
username_attribute: uid username_attribute: uid
additional_users_dn: ou=people additional_users_dn: OU=people
# To allow sign in both with username and email, one can use a filter like # To allow sign in both with username and email, one can use a filter like
# (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) # (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
users_filter: (&({username_attribute}={input})(objectClass=person)) users_filter: (&({username_attribute}={input})(objectClass=person))
additional_groups_dn: ou=groups additional_groups_dn: OU=groups
groups_filter: (member={dn}) groups_filter: (member={dn})
group_name_attribute: cn group_name_attribute: cn
mail_attribute: mail mail_attribute: mail
display_name_attribute: displayName display_name_attribute: displayName
# The username and password of the admin or service user. # The username and password of the admin or service user.
user: uid=authelia,ou=people,dc=example,dc=com user: UID=authelia,OU=people,DC=example,DC=com
password: "SUPER_COMPLEX_PASSWORD" password: "SUPER_COMPLEX_PASSWORD"
``` ```
Following this, restart Authelia, and you should be able to begin using lldap integration for your user logins, with Following this, restart Authelia, and you should be able to begin using lldap integration for your user logins, with

View File

@ -95,10 +95,17 @@ be appreciated). The userAccountControl filter checks that the account is not di
value is not 0 which means the password requires changing at the next login. value is not 0 which means the password requires changing at the next login.
| Implementation | Users Filter | Groups Filter | | Implementation | Users Filter | Groups Filter |
|:---------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------------------------------:| |:---------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------:|
| custom | N/A | N/A | | custom | N/A | N/A |
| activedirectory | (&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))) | (&(member={dn})(objectClass=group)(objectCategory=group)) | | activedirectory | (&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))) | (&(member={dn})(objectClass=group)(sAMAccountType=268435456)) |
*__Note:__* The Active Directory filter `(sAMAccountType=805306368)` is exactly the same as ##### Microsoft Active Directory sAMAccountType
`(&(objectCategory=person)(objectClass=user))` except that the former is more performant, you can read more about this
and other Active Directory filters on the [TechNet wiki](https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx). | Account Type Value | Description | Equivalent Filter |
|:------------------:|:--------------------------:|:----------------------------------------------:|
| 268435456 | Normal Group Objects | N/A |
| 805306368 | Normal User Accounts | `(&(objectCategory=person)(objectClass=user))` |
*__References:__*
- Account Type Values: [Microsoft Learn](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/e742be45-665d-4576-b872-0bc99d1e1fbe).
- LDAP Syntax Filters: [Microsoft TechNet Wiki](https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx)

View File

@ -191,7 +191,7 @@ var DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory =
UsernameAttribute: "sAMAccountName", UsernameAttribute: "sAMAccountName",
MailAttribute: "mail", MailAttribute: "mail",
DisplayNameAttribute: "displayName", DisplayNameAttribute: "displayName",
GroupsFilter: "(&(member={dn})(objectClass=group))", GroupsFilter: "(&(member={dn})(sAMAccountType=268435456))",
GroupNameAttribute: "cn", GroupNameAttribute: "cn",
Timeout: time.Second * 5, Timeout: time.Second * 5,
TLS: &TLSConfig{ TLS: &TLSConfig{