Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs.
Closes#2161
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
This adds support for LDAP unix sockets using the ldapi scheme. In addition it improves all of the address related parsing significantly deprecating old options.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
* fix(notification): incorrect date header format
The date header in the email envelopes was incorrectly formatted missing a space between the `Date:` header and the value of this header. This also refactors the notification templates system allowing people to manually override the envelope itself.
* test: fix tests and linting issues
* fix: misc issues
* refactor: misc refactoring
* docs: add example for envelope with message id
* refactor: organize smtp notifier
* refactor: move subject interpolation
* refactor: include additional placeholders
* docs: fix missing link
* docs: gravity
* fix: rcpt to command
* refactor: remove mid
* refactor: apply suggestions
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
* refactor: include pid
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
This fixes the hash-password usage instructions and ensures it uses mostly a configuration source based config. In addition it updates our recommended argon2id parameters with the RFC recommendations.
This fixes an issue when both the username and display name attributes are the same. If the username attribute is the same as the display name attribute previously we only set the display name profile value which is incorrect. We should set the username profile value instead and allow the display name to be blank.
This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user.
This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true.
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
This ensures that; the method set when a user does not have a preference is a method that is available, that if a user has a preferred method that is not available it is changed to an enabled method with preference put on methods the user has configured, that the frontend does not show the method selection option when only one method is available.
This simplifies the interface to just expose the methods from the underlying connection that we need. The addition of gen.go makes creating the generated mocks easy go generate.
This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database.
Fixes#1337
This adjusts the session ID generator making it use it's own random function rather than using one from the utils lib. This allows us to utilize crypto/rand or math/rand interchangeably. Additionally refactor the utils.RandomString func.
This changes the validation of salts for sha512 to be done by the upstream API rather than locally. This allows the salts used in Linux to be utilized with Authelia provided the hash is a sha512 hash.
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
This implements both a connection timeout for LDAP connections, and makes it configurable by administrators. The default is 5s. The reason for this commit is currently if a connection to an LDAP server cannot be established it does not timeout in a reasonable period.
This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements.
The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
This is so on startup administrators who have a LDAP server implementation that may not support password hashing by default are clearly warned. This only triggers if the disable password reset option is not enabled, we cannot find the extension OID for the Extended Password Modify Operation, and the implementation is not Active Directory. Active Directory has it's own method for this which doesn't advertise an OID.
James Elliott
Arsenović Arsen