Commit 262a09bb by Torkel Ödegaard

feat(ldap): added support for binding initially with an admin user searching for…

feat(ldap): added support for binding initially with an admin user searching for user and then binding again to authenticate current user, #1450
parent 0320baeb
...@@ -3,6 +3,7 @@ package auth ...@@ -3,6 +3,7 @@ package auth
import ( import (
"errors" "errors"
"fmt" "fmt"
"strings"
"github.com/go-ldap/ldap" "github.com/go-ldap/ldap"
"github.com/grafana/grafana/pkg/bus" "github.com/grafana/grafana/pkg/bus"
...@@ -18,7 +19,8 @@ func init() { ...@@ -18,7 +19,8 @@ func init() {
UseSSL: false, UseSSL: false,
Host: "127.0.0.1", Host: "127.0.0.1",
Port: "389", Port: "389",
BindDN: "cn=%s,dc=grafana,dc=org", BindDN: "cn=admin,dc=grafana,dc=org",
BindPassword: "grafana",
AttrName: "givenName", AttrName: "givenName",
AttrSurname: "sn", AttrSurname: "sn",
AttrUsername: "cn", AttrUsername: "cn",
...@@ -74,6 +76,13 @@ func (a *ldapAuther) login(query *AuthenticateUserQuery) error { ...@@ -74,6 +76,13 @@ func (a *ldapAuther) login(query *AuthenticateUserQuery) error {
log.Info("email: %s", ldapUser.Email) log.Info("email: %s", ldapUser.Email)
log.Info("memberOf: %s", ldapUser.MemberOf) log.Info("memberOf: %s", ldapUser.MemberOf)
// check if a second user bind is needed
if a.server.BindPassword != "" {
if err := a.secondBind(ldapUser, query.Password); err != nil {
return err
}
}
if grafanaUser, err := a.getGrafanaUserFor(ldapUser); err != nil { if grafanaUser, err := a.getGrafanaUserFor(ldapUser); err != nil {
return err return err
} else { } else {
...@@ -190,12 +199,28 @@ func (a *ldapAuther) syncOrgRoles(user *m.User, ldapUser *ldapUserInfo) error { ...@@ -190,12 +199,28 @@ func (a *ldapAuther) syncOrgRoles(user *m.User, ldapUser *ldapUserInfo) error {
return nil return nil
} }
func (a *ldapAuther) secondBind(ldapUser *ldapUserInfo, userPassword string) error {
if err := a.conn.Bind(ldapUser.DN, userPassword); err != nil {
if ldapErr, ok := err.(*ldap.Error); ok {
if ldapErr.ResultCode == 49 {
return ErrInvalidCredentials
}
}
return err
}
return nil
}
func (a *ldapAuther) initialBind(username, userPassword string) error { func (a *ldapAuther) initialBind(username, userPassword string) error {
if a.server.BindPassword != "" { if a.server.BindPassword != "" {
userPassword = a.server.BindPassword userPassword = a.server.BindPassword
} }
bindPath := fmt.Sprintf(a.server.BindDN, username) bindPath := a.server.BindDN
if strings.Contains(bindPath, "%s") {
bindPath = fmt.Sprintf(a.server.BindDN, username)
}
if err := a.conn.Bind(bindPath, userPassword); err != nil { if err := a.conn.Bind(bindPath, userPassword); err != nil {
if ldapErr, ok := err.(*ldap.Error); ok { if ldapErr, ok := err.(*ldap.Error); ok {
...@@ -247,6 +272,7 @@ func (a *ldapAuther) searchForUser(username string) (*ldapUserInfo, error) { ...@@ -247,6 +272,7 @@ func (a *ldapAuther) searchForUser(username string) (*ldapUserInfo, error) {
} }
return &ldapUserInfo{ return &ldapUserInfo{
DN: searchResult.Entries[0].DN,
LastName: getLdapAttr(a.server.AttrSurname, searchResult), LastName: getLdapAttr(a.server.AttrSurname, searchResult),
FirstName: getLdapAttr(a.server.AttrName, searchResult), FirstName: getLdapAttr(a.server.AttrName, searchResult),
Username: getLdapAttr(a.server.AttrUsername, searchResult), Username: getLdapAttr(a.server.AttrUsername, searchResult),
......
package auth package auth
type ldapUserInfo struct { type ldapUserInfo struct {
DN string
FirstName string FirstName string
LastName string LastName string
Username string Username string
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment