make ldap username attribute configurable
This commit is contained in:
parent
81d9015d59
commit
fd94d30a8e
@ -32,6 +32,7 @@ It is supported to set these by means of a `.env` file in the project root.
|
|||||||
- `search_dn`: Type string. DN for authenticating LDAP admin account with general read rights.
|
- `search_dn`: Type string. DN for authenticating LDAP admin account with general read rights.
|
||||||
- `user_bind`: Type string. Expression used to authenticate users via LDAP bind. Must contain `uid={username}`.
|
- `user_bind`: Type string. Expression used to authenticate users via LDAP bind. Must contain `uid={username}`.
|
||||||
- `user_filter`: Type string. Filter to extract users for syncing.
|
- `user_filter`: Type string. Filter to extract users for syncing.
|
||||||
|
- `username_attr`: Type string. Attribute with full user name. Defaults to `gecos` if not provided.
|
||||||
- `sync_interval`: Type string. Interval used for syncing local user table with LDAP directory. Parsed using time.ParseDuration.
|
- `sync_interval`: Type string. Interval used for syncing local user table with LDAP directory. Parsed using time.ParseDuration.
|
||||||
- `sync_del_old_users`: Type bool. Delete obsolete users in database.
|
- `sync_del_old_users`: Type bool. Delete obsolete users in database.
|
||||||
* `clusters`: Type array of objects
|
* `clusters`: Type array of objects
|
||||||
|
@ -21,6 +21,7 @@ import (
|
|||||||
|
|
||||||
type LdapAuthenticator struct {
|
type LdapAuthenticator struct {
|
||||||
syncPassword string
|
syncPassword string
|
||||||
|
UserAttr string
|
||||||
}
|
}
|
||||||
|
|
||||||
var _ Authenticator = (*LdapAuthenticator)(nil)
|
var _ Authenticator = (*LdapAuthenticator)(nil)
|
||||||
@ -31,11 +32,13 @@ func (la *LdapAuthenticator) Init() error {
|
|||||||
log.Warn("environment variable 'LDAP_ADMIN_PASSWORD' not set (ldap sync will not work)")
|
log.Warn("environment variable 'LDAP_ADMIN_PASSWORD' not set (ldap sync will not work)")
|
||||||
}
|
}
|
||||||
|
|
||||||
if config.Keys.LdapConfig.SyncInterval != "" {
|
lc := config.Keys.LdapConfig
|
||||||
interval, err := time.ParseDuration(config.Keys.LdapConfig.SyncInterval)
|
|
||||||
|
if lc.SyncInterval != "" {
|
||||||
|
interval, err := time.ParseDuration(lc.SyncInterval)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Warnf("Could not parse duration for sync interval: %v",
|
log.Warnf("Could not parse duration for sync interval: %v",
|
||||||
config.Keys.LdapConfig.SyncInterval)
|
lc.SyncInterval)
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -58,6 +61,12 @@ func (la *LdapAuthenticator) Init() error {
|
|||||||
log.Info("LDAP configuration key sync_interval invalid")
|
log.Info("LDAP configuration key sync_interval invalid")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if lc.UserAttr != "" {
|
||||||
|
la.UserAttr = lc.UserAttr
|
||||||
|
} else {
|
||||||
|
la.UserAttr = "gecos"
|
||||||
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -86,7 +95,7 @@ func (la *LdapAuthenticator) CanLogin(
|
|||||||
lc.UserBase,
|
lc.UserBase,
|
||||||
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
|
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
|
||||||
fmt.Sprintf("(&%s(uid=%s))", lc.UserFilter, username),
|
fmt.Sprintf("(&%s(uid=%s))", lc.UserFilter, username),
|
||||||
[]string{"dn", "uid", "gecos"}, nil)
|
[]string{"dn", "uid", la.UserAttr}, nil)
|
||||||
|
|
||||||
sr, err := l.Search(searchRequest)
|
sr, err := l.Search(searchRequest)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -100,7 +109,7 @@ func (la *LdapAuthenticator) CanLogin(
|
|||||||
}
|
}
|
||||||
|
|
||||||
entry := sr.Entries[0]
|
entry := sr.Entries[0]
|
||||||
name := entry.GetAttributeValue("gecos")
|
name := entry.GetAttributeValue(la.UserAttr)
|
||||||
var roles []string
|
var roles []string
|
||||||
roles = append(roles, schema.GetRoleString(schema.RoleUser))
|
roles = append(roles, schema.GetRoleString(schema.RoleUser))
|
||||||
projects := make([]string, 0)
|
projects := make([]string, 0)
|
||||||
@ -176,7 +185,7 @@ func (la *LdapAuthenticator) Sync() error {
|
|||||||
lc.UserBase,
|
lc.UserBase,
|
||||||
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
|
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
|
||||||
lc.UserFilter,
|
lc.UserFilter,
|
||||||
[]string{"dn", "uid", "gecos"}, nil))
|
[]string{"dn", "uid", la.UserAttr}, nil))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Warn("LDAP search error")
|
log.Warn("LDAP search error")
|
||||||
return err
|
return err
|
||||||
@ -192,7 +201,7 @@ func (la *LdapAuthenticator) Sync() error {
|
|||||||
_, ok := users[username]
|
_, ok := users[username]
|
||||||
if !ok {
|
if !ok {
|
||||||
users[username] = IN_LDAP
|
users[username] = IN_LDAP
|
||||||
newnames[username] = entry.GetAttributeValue("gecos")
|
newnames[username] = entry.GetAttributeValue(la.UserAttr)
|
||||||
} else {
|
} else {
|
||||||
users[username] = IN_BOTH
|
users[username] = IN_BOTH
|
||||||
}
|
}
|
||||||
|
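Review bot: The configured attribute name is handed straight to `entry.GetAttributeValue(la.UserAttr)` in CanLogin, and as far as I recall that go-ldap accessor compares attribute names byte-for-byte while LDAP attribute descriptions are case-insensitive, so a config value such as `displayname` against a server that returns `displayName` makes the search succeed but yields an empty name, and Init only substitutes `gecos` for an empty value and does not otherwise validate `lc.UserAttr`, so a typo surfaces as a silently empty name rather than a startup error. I would either switch both call sites to the case-folding accessor newer go-ldap versions provide (`GetEqualFoldAttributeValue`) or make the empty result visible, e.g. after the CanLogin lookup `if name == "" { log.Warnf("LDAP attribute %q missing or empty for user %q", la.UserAttr, username) }`. The same applies to the Sync hunk at `newnames[username] = entry.GetAttributeValue(la.UserAttr)`. Both CanLogin and Sync continue outside the hunks shown.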
@ -15,6 +15,7 @@ type LdapConfig struct {
|
|||||||
SearchDN string `json:"search_dn"`
|
SearchDN string `json:"search_dn"`
|
||||||
UserBind string `json:"user_bind"`
|
UserBind string `json:"user_bind"`
|
||||||
UserFilter string `json:"user_filter"`
|
UserFilter string `json:"user_filter"`
|
||||||
|
UserAttr string `json:"username_attr"`
|
||||||
SyncInterval string `json:"sync_interval"` // Parsed using time.ParseDuration.
|
SyncInterval string `json:"sync_interval"` // Parsed using time.ParseDuration.
|
||||||
SyncDelOldUsers bool `json:"sync_del_old_users"`
|
SyncDelOldUsers bool `json:"sync_del_old_users"`
|
||||||
|
|
||||||
|
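Review bot: The new `UserAttr` field is the one entry in `LdapConfig` whose key reads differently from what it holds: `username_attr` suggests the login-name attribute, but the README hunk and the `gecos` default in Init describe the attribute carrying the user's full (display) name, which is what `name` receives in CanLogin. The sibling `SyncInterval` carries a trailing comment and this field should too, e.g. `UserAttr string `json:"username_attr"` // LDAP attribute holding the user's full/display name, not the uid; "gecos" when unset`. Renaming the key would be a breaking config change, so the comment is the minimum that keeps readers from pointing it at `uid`. The `LdapConfig` struct starts and ends outside the hunk.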
@ -180,6 +180,10 @@
|
|||||||
"description": "Filter to extract users for syncing.",
|
"description": "Filter to extract users for syncing.",
|
||||||
"type": "string"
|
"type": "string"
|
||||||
},
|
},
|
||||||
|
"username_attr": {
|
||||||
|
"description": "Attribute with full username. Default: gecos",
|
||||||
|
"type": "string"
|
||||||
|
},
|
||||||
"sync_interval": {
|
"sync_interval": {
|
||||||
"description": "Interval used for syncing local user table with LDAP directory. Parsed using time.ParseDuration.",
|
"description": "Interval used for syncing local user table with LDAP directory. Parsed using time.ParseDuration.",
|
||||||
"type": "string"
|
"type": "string"
|
||||||
|
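Review bot: The new `username_attr` description says "full username" while the README hunk for the same key says "full user name", and the `gecos` default holds a display name rather than a login name; the wording should agree and say display name so that nobody sets it to `uid`. The default is only stated in prose, and JSON Schema has a `default` keyword, so `"default": "gecos"` next to `"type": "string"` would let validators and editors surface it. The enclosing properties object continues outside the hunk.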