add binddn/bindpath to search for the users bind DN

2025-11-03 12:07:54 +00:00 · 2016-01-26 15:56:41 +01:00
parent 1dc52267a8
commit 11aee85c0b
2 changed files with 50 additions and 14 deletions
--- a/builtin/credential/ldap/backend.go
+++ b/builtin/credential/ldap/backend.go
@@ -98,14 +98,30 @@ func (b *backend) Login(req *logical.Request, username string, password string)
 	if err != nil {
 		return nil, logical.ErrorResponse(err.Error()), nil
 	}
-
-	// Try to authenticate to the server using the provided credentials
 	binddn := ""
+	if cfg.BindDN != "" && cfg.BindPassword != "" {
+		if err = c.Bind(binddn, password); err != nil {
+			return nil, logical.ErrorResponse(fmt.Sprintf("LDAP bind (service) failed: %v", err)), nil
+		}
+		sresult, err := c.Search(&ldap.SearchRequest{
+			BaseDN: cfg.UserDN,
+			Scope:  2, // subtree
+			Filter: fmt.Sprintf("(%s=%s)", cfg.UserAttr, EscapeLDAPValue(username)),
+		})
+		if err != nil {
+			return nil, logical.ErrorResponse(fmt.Sprintf("LDAP search for binddn failed: %v", err)), nil
+		}
+		if len(sresult.Entries) != 1 {
+			return nil, logical.ErrorResponse("LDAP search for binddn 0 or not uniq"), nil
+		}
+		binddn = sresult.Entries[0].DN
+	} else {
 		if cfg.UPNDomain != "" {
 			binddn = fmt.Sprintf("%s@%s", EscapeLDAPValue(username), cfg.UPNDomain)
 		} else {
 			binddn = fmt.Sprintf("%s=%s,%s", cfg.UserAttr, EscapeLDAPValue(username), cfg.UserDN)
 		}
+	}
 	if err = c.Bind(binddn, password); err != nil {
 		return nil, logical.ErrorResponse(fmt.Sprintf("LDAP bind failed: %v", err)), nil
 	}
--- a/builtin/credential/ldap/path_config.go
+++ b/builtin/credential/ldap/path_config.go
@@ -25,6 +25,14 @@ func pathConfig(b *backend) *framework.Path {
 				Type:        framework.TypeString,
 				Description: "LDAP domain to use for users (eg: ou=People,dc=example,dc=org)",
 			},
+			"binddn": &framework.FieldSchema{
+				Type:        framework.TypeString,
+				Description: "LDAP DN for searching for the user DN",
+			},
+			"bindpass": &framework.FieldSchema{
+				Type:        framework.TypeString,
+				Description: "LDAP password for searching for the user DN",
+			},
 			"groupdn": &framework.FieldSchema{
 				Type:        framework.TypeString,
 				Description: "LDAP domain to use for groups (eg: ou=Groups,dc=example,dc=org)",
@@ -98,6 +106,8 @@ func (b *backend) pathConfigRead(
 			"certificate":  cfg.Certificate,
 			"insecure_tls": cfg.InsecureTLS,
 			"starttls":     cfg.StartTLS,
+			"binddn":       cfg.BindDN,
+			"bindpass":     cfg.BindPassword,
 		},
 	}, nil
 }
@@ -138,6 +148,14 @@ func (b *backend) pathConfigWrite(
 	if startTLS {
 		cfg.StartTLS = startTLS
 	}
+	bindDN := d.Get("binddn").(string)
+	if bindDN != "" {
+		cfg.BindDN = bindDN
+	}
+	bindPass := d.Get("bindpass").(string)
+	if bindPass != "" {
+		cfg.BindPassword = bindPass
+	}

 	// Try to connect to the LDAP server, to validate the URL configuration
 	// We can also check the URL at this stage, as anything else would probably
@@ -168,6 +186,8 @@ type ConfigEntry struct {
 	Certificate  string
 	InsecureTLS  bool
 	StartTLS     bool
+	BindDN       string
+	BindPassword string
 }

 func (c *ConfigEntry) GetTLSConfig(host string) (*tls.Config, error) {