add binddn/bindpath to search for the users bind DN

2025-11-02 11:38:02 +00:00 · 2016-01-26 15:56:41 +01:00
parent 1dc52267a8
commit 11aee85c0b
2 changed files with 50 additions and 14 deletions
--- a/builtin/credential/ldap/backend.go
+++ b/builtin/credential/ldap/backend.go
@@ -98,13 +98,29 @@ func (b *backend) Login(req *logical.Request, username string, password string)
 	if err != nil {
 		return nil, logical.ErrorResponse(err.Error()), nil
 	}
-
-	// Try to authenticate to the server using the provided credentials
 	binddn := ""
-	if cfg.UPNDomain != "" {
-		binddn = fmt.Sprintf("%s@%s", EscapeLDAPValue(username), cfg.UPNDomain)
+	if cfg.BindDN != "" && cfg.BindPassword != "" {
+		if err = c.Bind(binddn, password); err != nil {
+			return nil, logical.ErrorResponse(fmt.Sprintf("LDAP bind (service) failed: %v", err)), nil
+		}
+		sresult, err := c.Search(&ldap.SearchRequest{
+			BaseDN: cfg.UserDN,
+			Scope:  2, // subtree
+			Filter: fmt.Sprintf("(%s=%s)", cfg.UserAttr, EscapeLDAPValue(username)),
+		})
+		if err != nil {
+			return nil, logical.ErrorResponse(fmt.Sprintf("LDAP search for binddn failed: %v", err)), nil
+		}
+		if len(sresult.Entries) != 1 {
+			return nil, logical.ErrorResponse("LDAP search for binddn 0 or not uniq"), nil
+		}
+		binddn = sresult.Entries[0].DN
 	} else {
-		binddn = fmt.Sprintf("%s=%s,%s", cfg.UserAttr, EscapeLDAPValue(username), cfg.UserDN)
+		if cfg.UPNDomain != "" {
+			binddn = fmt.Sprintf("%s@%s", EscapeLDAPValue(username), cfg.UPNDomain)
+		} else {
+			binddn = fmt.Sprintf("%s=%s,%s", cfg.UserAttr, EscapeLDAPValue(username), cfg.UserDN)
+		}
 	}
 	if err = c.Bind(binddn, password); err != nil {
 		return nil, logical.ErrorResponse(fmt.Sprintf("LDAP bind failed: %v", err)), nil
--- a/builtin/credential/ldap/path_config.go
+++ b/builtin/credential/ldap/path_config.go
@@ -25,6 +25,14 @@ func pathConfig(b *backend) *framework.Path {
 				Type:        framework.TypeString,
 				Description: "LDAP domain to use for users (eg: ou=People,dc=example,dc=org)",
 			},
+			"binddn": &framework.FieldSchema{
+				Type:        framework.TypeString,
+				Description: "LDAP DN for searching for the user DN",
+			},
+			"bindpass": &framework.FieldSchema{
+				Type:        framework.TypeString,
+				Description: "LDAP password for searching for the user DN",
+			},
 			"groupdn": &framework.FieldSchema{
 				Type:        framework.TypeString,
 				Description: "LDAP domain to use for groups (eg: ou=Groups,dc=example,dc=org)",
@@ -52,7 +60,7 @@ func pathConfig(b *backend) *framework.Path {
 		},

 		Callbacks: map[logical.Operation]framework.OperationFunc{
-			logical.ReadOperation:  b.pathConfigRead,
+			logical.ReadOperation:   b.pathConfigRead,
 			logical.UpdateOperation: b.pathConfigWrite,
 		},

@@ -98,6 +106,8 @@ func (b *backend) pathConfigRead(
 			"certificate":  cfg.Certificate,
 			"insecure_tls": cfg.InsecureTLS,
 			"starttls":     cfg.StartTLS,
+			"binddn":       cfg.BindDN,
+			"bindpass":     cfg.BindPassword,
 		},
 	}, nil
 }
@@ -138,6 +148,14 @@ func (b *backend) pathConfigWrite(
 	if startTLS {
 		cfg.StartTLS = startTLS
 	}
+	bindDN := d.Get("binddn").(string)
+	if bindDN != "" {
+		cfg.BindDN = bindDN
+	}
+	bindPass := d.Get("bindpass").(string)
+	if bindPass != "" {
+		cfg.BindPassword = bindPass
+	}

 	// Try to connect to the LDAP server, to validate the URL configuration
 	// We can also check the URL at this stage, as anything else would probably
@@ -160,14 +178,16 @@ func (b *backend) pathConfigWrite(
 }

 type ConfigEntry struct {
-	Url         string
-	UserDN      string
-	GroupDN     string
-	UPNDomain   string
-	UserAttr    string
-	Certificate string
-	InsecureTLS bool
-	StartTLS    bool
+	Url          string
+	UserDN       string
+	GroupDN      string
+	UPNDomain    string
+	UserAttr     string
+	Certificate  string
+	InsecureTLS  bool
+	StartTLS     bool
+	BindDN       string
+	BindPassword string
 }

 func (c *ConfigEntry) GetTLSConfig(host string) (*tls.Config, error) {