From fd94d30a8e0d75cd48f197e4f769d1d562a701e5 Mon Sep 17 00:00:00 2001
From: Pay Giesselmann
Date: Tue, 29 Aug 2023 09:30:57 +0200
Subject: [PATCH] make ldap username attribute configurable

---
 configs/README.md | 1 +
 internal/auth/ldap.go | 23 ++++++++++++++++-------
 pkg/schema/config.go | 1 +
 pkg/schema/schemas/config.schema.json | 4 ++++
 4 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/configs/README.md b/configs/README.md
index 19c3e47..944d0d3 100644
--- a/configs/README.md
+++ b/configs/README.md
@@ -32,6 +32,7 @@ It is supported to set these by means of a `.env` file in the project root.
 - `search_dn`: Type string. DN for authenticating LDAP admin account with general read rights.
 - `user_bind`: Type string. Expression used to authenticate users via LDAP bind. Must contain `uid={username}`.
 - `user_filter`: Type string. Filter to extract users for syncing.
+ - `username_attr`: Type string. Attribute with full user name. Defaults to `gecos` if not provided.
 - `sync_interval`: Type string. Interval used for syncing local user table with LDAP directory. Parsed using time.ParseDuration.
 - `sync_del_old_users`: Type bool. Delete obsolete users in database.
 * `clusters`: Type array of objects
diff --git a/internal/auth/ldap.go b/internal/auth/ldap.go
index f89aede..b800ca7 100644
--- a/internal/auth/ldap.go
+++ b/internal/auth/ldap.go
@@ -21,6 +21,7 @@ import (
 type LdapAuthenticator struct {
 syncPassword string
+ UserAttr string
 }
 var _ Authenticator = (*LdapAuthenticator)(nil)
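Review bot: The new exported field `UserAttr` on `LdapAuthenticator` carries no doc comment, and nothing at the struct tells a reader that the field is only populated by `Init()` (a later hunk in this file), so a zero value looks valid but yields an empty attribute name. Suggest `// UserAttr is the LDAP attribute read as the user's full name (config key username_attr); Init sets it and falls back to "gecos" when the key is unset.` above the field. Since the field is exported, any caller can overwrite it after `Init()`; if that is not intended, an unexported field with a small accessor would keep the default authoritative. The struct's surrounding declarations begin outside the hunk.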
@@ -31,11 +32,13 @@ func (la *LdapAuthenticator) Init() error {
 log.Warn("environment variable 'LDAP_ADMIN_PASSWORD' not set (ldap sync will not work)")
 }
- if config.Keys.LdapConfig.SyncInterval != "" {
- interval, err := time.ParseDuration(config.Keys.LdapConfig.SyncInterval)
+ lc := config.Keys.LdapConfig
+
+ if lc.SyncInterval != "" {
+ interval, err := time.ParseDuration(lc.SyncInterval)
 if err != nil {
 log.Warnf("Could not parse duration for sync interval: %v",
- config.Keys.LdapConfig.SyncInterval)
+ lc.SyncInterval)
 return err
 }
@@ -58,6 +61,12 @@ func (la *LdapAuthenticator) Init() error {
 log.Info("LDAP configuration key sync_interval invalid")
 }
+ if lc.UserAttr != "" {
+ la.UserAttr = lc.UserAttr
+ } else {
+ la.UserAttr = "gecos"
+ }
+
 return nil
 }
@@ -86,7 +95,7 @@ func (la *LdapAuthenticator) CanLogin(
 lc.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
 fmt.Sprintf("(&%s(uid=%s))", lc.UserFilter, username),
- []string{"dn", "uid", "gecos"}, nil)
+ []string{"dn", "uid", la.UserAttr}, nil)
 sr, err := l.Search(searchRequest)
 if err != nil {
@@ -100,7 +109,7 @@ func (la *LdapAuthenticator) CanLogin(
 }
 entry := sr.Entries[0]
- name := entry.GetAttributeValue("gecos")
+ name := entry.GetAttributeValue(la.UserAttr)
 var roles []string
 roles = append(roles, schema.GetRoleString(schema.RoleUser))
 projects := make([]string, 0)
@@ -176,7 +185,7 @@ func (la *LdapAuthenticator) Sync() error {
 lc.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
 lc.UserFilter,
- []string{"dn", "uid", "gecos"}, nil))
+ []string{"dn", "uid", la.UserAttr}, nil))
 if err != nil {
 log.Warn("LDAP search error")
 return err
@@ -192,7 +201,7 @@ func (la *LdapAuthenticator) Sync() error {
 _, ok := users[username]
 if !ok {
 users[username] = IN_LDAP
- newnames[username] = entry.GetAttributeValue("gecos")
+ newnames[username] = entry.GetAttributeValue(la.UserAttr)
 } else {
 users[username] = IN_BOTH
 }
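Review bot: The fallback to "gecos" in the `@@ -58` hunk runs only inside `Init()`, so an `LdapAuthenticator` that reaches `CanLogin` or `Sync` without `Init()` having run (the `@@ -86`, `@@ -100`, `@@ -176` and `@@ -192` hunks all read `la.UserAttr` directly) asks the directory for an empty attribute name and `GetAttributeValue("")` silently yields empty display names rather than an error. Resolving the attribute through one small accessor used at all four call sites keeps the default in a single place and makes the zero value safe; whether the project constructs the authenticator anywhere without calling `Init()` is not visible from the hunk. The configured value is operator-supplied and is sent to the directory verbatim, so rejecting a whitespace-only or otherwise malformed `username_attr` at `Init()` time (where a warning is already logged for `sync_interval`) would surface misconfiguration early instead of at the first failed login. `Init()`'s body begins and ends outside these hunks.

```go
// userAttr returns the LDAP attribute holding the user's full name,
// falling back to "gecos" when nothing was configured or Init has not run.
func (la *LdapAuthenticator) userAttr() string {
	if la.UserAttr == "" {
		return "gecos"
	}
	return la.UserAttr
}

// … unchanged: call sites would use la.userAttr() instead of la.UserAttr …
```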
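Review bot: In the `@@ -86` hunk the attribute list is now configurable, but the filter on the adjacent context line `fmt.Sprintf("(&%s(uid=%s))", lc.UserFilter, username)` still interpolates the login name unescaped, so filter metacharacters in a submitted username can change which entry the search (and therefore the `la.UserAttr` lookup in the `@@ -100` hunk) returns. The commit does not touch that line, but since the search request is being edited here, passing `ldap.EscapeFilter(username)` (go-ldap) into the format would close the gap without changing the new attribute handling. The `@@ -176` hunk in `Sync()` uses `lc.UserFilter` alone and is not affected. `CanLogin`'s signature and the start of the `searchRequest` expression lie outside the hunk.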
diff --git a/pkg/schema/config.go b/pkg/schema/config.go
index 443fad7..50260ca 100644
--- a/pkg/schema/config.go
+++ b/pkg/schema/config.go
@@ -15,6 +15,7 @@ type LdapConfig struct {
 SearchDN string `json:"search_dn"`
 UserBind string `json:"user_bind"`
 UserFilter string `json:"user_filter"`
+ UserAttr string `json:"username_attr"`
 SyncInterval string `json:"sync_interval"` // Parsed using time.ParseDuration.
 SyncDelOldUsers bool `json:"sync_del_old_users"`
diff --git a/pkg/schema/schemas/config.schema.json b/pkg/schema/schemas/config.schema.json
index 84983ec..ee64b5a 100644
--- a/pkg/schema/schemas/config.schema.json
+++ b/pkg/schema/schemas/config.schema.json
@@ -180,6 +180,10 @@
 "description": "Filter to extract users for syncing.",
 "type": "string"
 },
+ "username_attr": {
+ "description": "Attribute with full username. Default: gecos",
+ "type": "string"
+ },
 "sync_interval": {
 "description": "Interval used for syncing local user table with LDAP directory. Parsed using time.ParseDuration.",
 "type": "string"