mirror of
https://github.com/cwinfo/powerdns-admin.git
synced 2024-12-30 15:05:39 +00:00
Do not use service login/password for AD authentication
This commit is contained in:
parent
9a4eebfd42
commit
bee6d1560f
@ -132,7 +132,10 @@ class User(db.Model):
|
||||
|
||||
try:
|
||||
conn = self.ldap_init_conn()
|
||||
conn.simple_bind_s(Setting().get('ldap_admin_username'), Setting().get('ldap_admin_password'))
|
||||
if Setting().get('ldap_type') == 'ad':
|
||||
conn.simple_bind_s("{0}@{1}".format(self.username,Setting().get('ldap_domain')), self.password)
|
||||
else:
|
||||
conn.simple_bind_s(Setting().get('ldap_admin_username'), Setting().get('ldap_admin_password'))
|
||||
ldap_result_id = conn.search(baseDN, searchScope, searchFilter, retrieveAttributes)
|
||||
result_set = []
|
||||
|
||||
@ -189,6 +192,13 @@ class User(db.Model):
|
||||
LDAP_USER_GROUP = Setting().get('ldap_user_group')
|
||||
LDAP_GROUP_SECURITY_ENABLED = Setting().get('ldap_sg_enabled')
|
||||
|
||||
# validate ldap user password
|
||||
if Setting().get('ldap_type') == 'ad':
|
||||
ldap_username = "{0}@{1}".format(self.username,Setting().get('ldap_domain'))
|
||||
if not self.ldap_auth(ldap_username, self.password):
|
||||
logging.error('User "{0}" input a wrong LDAP password. Authentication request from {1}'.format(self.username, src_ip))
|
||||
return False
|
||||
|
||||
searchFilter = "(&({0}={1}){2})".format(LDAP_FILTER_USERNAME, self.username, LDAP_FILTER_BASIC)
|
||||
logging.debug('Ldap searchFilter {0}'.format(searchFilter))
|
||||
|
||||
@ -240,10 +250,11 @@ class User(db.Model):
|
||||
logging.debug(traceback.format_exc())
|
||||
return False
|
||||
|
||||
# validate ldap user password
|
||||
if not self.ldap_auth(ldap_username, self.password):
|
||||
logging.error('User "{0}" input a wrong LDAP password. Authentication request from {1}'.format(self.username, src_ip))
|
||||
return False
|
||||
if Setting().get('ldap_type') != 'ad':
|
||||
# validate ldap user password
|
||||
if not self.ldap_auth(ldap_username, self.password):
|
||||
logging.error('User "{0}" input a wrong LDAP password. Authentication request from {1}'.format(self.username, src_ip))
|
||||
return False
|
||||
|
||||
except Exception as e:
|
||||
logging.error('Wrong LDAP configuration. {0}'.format(e))
|
||||
@ -1825,6 +1836,7 @@ class Setting(db.Model):
|
||||
'ldap_admin_group': '',
|
||||
'ldap_operator_group': '',
|
||||
'ldap_user_group': '',
|
||||
'ldap_domain': '',
|
||||
'github_oauth_enabled': False,
|
||||
'github_oauth_key': '',
|
||||
'github_oauth_secret': '',
|
||||
|
@ -13,6 +13,21 @@
|
||||
<li><a href="#">Setting</a></li>
|
||||
<li class="active">Authentication</li>
|
||||
</ol>
|
||||
<script>
|
||||
function ldapSelection() {
|
||||
if (document.getElementById('ldap').checked) {
|
||||
document.getElementById('ldap_openldap_fields').style.display = 'block';
|
||||
document.getElementById('ldap_ad_fields').style.display = 'none';
|
||||
} else {
|
||||
document.getElementById('ldap_openldap_fields').style.display = 'none';
|
||||
document.getElementById('ldap_ad_fields').style.display = 'block';
|
||||
}
|
||||
}
|
||||
|
||||
window.onload = function() {
|
||||
ldapSelection();
|
||||
}
|
||||
</script>
|
||||
</section>
|
||||
{% endblock %}
|
||||
{% block content %}
|
||||
@ -70,11 +85,11 @@
|
||||
<label>Type</label>
|
||||
<div class="radio">
|
||||
<label>
|
||||
<input type="radio" name="ldap_type" id="ldap" value="ldap" {% if SETTING.get('ldap_type')=='ldap' %}checked{% endif %}> OpenLDAP
|
||||
<input type="radio" name="ldap_type" id="ldap" onclick="javascript:ldapSelection();" value="ldap" {% if SETTING.get('ldap_type')=='ldap' %}checked{% endif %}> OpenLDAP
|
||||
</label>
|
||||
|
||||
<label>
|
||||
<input type="radio" name="ldap_type" id="ad" value="ad" {% if SETTING.get('ldap_type')=='ad' %}checked{% endif %}> Active Directory
|
||||
<input type="radio" name="ldap_type" id="ad" onclick="javascript:ldapSelection();" value="ad" {% if SETTING.get('ldap_type')=='ad' %}checked{% endif %}> Active Directory
|
||||
</label>
|
||||
</div>
|
||||
</div>
|
||||
@ -90,15 +105,24 @@
|
||||
<input type="text" class="form-control" name="ldap_base_dn" id="ldap_base_dn" placeholder="e.g. dc=mydomain,dc=com" data-error="Please input LDAP Base DN" value="{{ SETTING.get('ldap_base_dn') }}">
|
||||
<span class="help-block with-errors"></span>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<label for="ldap_admin_username">LDAP admin username</label>
|
||||
<input type="text" class="form-control" name="ldap_admin_username" id="ldap_admin_username" placeholder="e.g. cn=admin,dc=mydomain,dc=com" data-error="Please input LDAP admin username" value="{{ SETTING.get('ldap_admin_username') }}">
|
||||
<span class="help-block with-errors"></span>
|
||||
<div id="ldap_openldap_fields">
|
||||
<div class="form-group">
|
||||
<label for="ldap_admin_username">LDAP admin username</label>
|
||||
<input type="text" class="form-control" name="ldap_admin_username" id="ldap_admin_username" placeholder="e.g. cn=admin,dc=mydomain,dc=com" data-error="Please input LDAP admin username" value="{{ SETTING.get('ldap_admin_username') }}">
|
||||
<span class="help-block with-errors"></span>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<label for="ldap_admin_password">LDAP admin password</label>
|
||||
<input type="password" class="form-control" name="ldap_admin_password" id="ldap_admin_password" placeholder="LDAP Admin password" data-error="Please input LDAP admin password" value="{{ SETTING.get('ldap_admin_password') }}">
|
||||
<span class="help-block with-errors"></span>
|
||||
</div>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<label for="ldap_admin_password">LDAP admin password</label>
|
||||
<input type="password" class="form-control" name="ldap_admin_password" id="ldap_admin_password" placeholder="LDAP Admin password" data-error="Please input LDAP admin password" value="{{ SETTING.get('ldap_admin_password') }}">
|
||||
<span class="help-block with-errors"></span>
|
||||
<div id="ldap_ad_fields">
|
||||
<div class="form-group">
|
||||
<label for="ldap_domain">Active Directory domain</label>
|
||||
<input type="text" class="form-control" name="ldap_domain" id="ldap_domain" placeholder="Active Directory domain" data-error="Please input Actve Directory domain value" value="{{ SETTING.get('ldap_domain') }}">
|
||||
<span class="help-block with-errors"></span>
|
||||
</div>
|
||||
</div>
|
||||
</fieldset>
|
||||
<fieldset>
|
||||
@ -175,10 +199,13 @@
|
||||
LDAP Base DN - The point from where a PDA will search for users.
|
||||
</li>
|
||||
<li>
|
||||
LDAP admin username - Your LDAP administrator user which has permission to query information in the Base DN above.
|
||||
LDAP admin username - Your LDAP administrator user which has permission to query information in the Base DN above. Not needed for Active Directory authentication.
|
||||
</li>
|
||||
<li>
|
||||
LDAP admin password - The password of LDAP administrator user.
|
||||
LDAP admin password - The password of LDAP administrator user. Not needed for Active Directory authentication.
|
||||
</li>
|
||||
<li>
|
||||
Active Directory domain - Active Directory domain used.
|
||||
</li>
|
||||
</ul>
|
||||
</dd>
|
||||
@ -337,7 +364,6 @@
|
||||
</section>
|
||||
{% endblock %}
|
||||
{% block extrascripts %}
|
||||
|
||||
{% assets "js_validation" -%}
|
||||
<script type="text/javascript" src="{{ ASSET_URL }}"></script>
|
||||
{%- endassets %}
|
||||
@ -378,8 +404,15 @@
|
||||
if (is_enabled){
|
||||
$('#ldap_uri').prop('required', true);
|
||||
$('#ldap_base_dn').prop('required', true);
|
||||
$('#ldap_admin_username').prop('required', true);
|
||||
$('#ldap_admin_password').prop('required', true);
|
||||
if ($('#ldap').is(":checked") ) {
|
||||
$('#ldap_admin_username').prop('required', true);
|
||||
$('#ldap_admin_password').prop('required', true);
|
||||
$('#ldap_domain').prop('required', false);
|
||||
} else {
|
||||
$('#ldap_admin_username').prop('required', false);
|
||||
$('#ldap_admin_password').prop('required', false);
|
||||
$('#ldap_domain').prop('required', true);
|
||||
}
|
||||
$('#ldap_filter_basic').prop('required', true);
|
||||
$('#ldap_filter_username').prop('required', true);
|
||||
|
||||
@ -413,12 +446,31 @@
|
||||
}
|
||||
});
|
||||
|
||||
$("input[name='ldap_type']" ).change(function(){
|
||||
if ($('#ldap').is(":checked") && $('#ldap_enabled').is(":checked")) {
|
||||
$('#ldap_admin_group').prop('required', true);
|
||||
$('#ldap_user_group').prop('required', true);
|
||||
$('#ldap_domain').prop('required', false);
|
||||
} else {
|
||||
$('#ldap_admin_group').prop('required', false);
|
||||
$('#ldap_user_group').prop('required', false);
|
||||
$('#ldap_domain').prop('required', true);
|
||||
}
|
||||
});
|
||||
|
||||
// init validation reqirement at first time page load
|
||||
{% if SETTING.get('ldap_enabled') %}
|
||||
$('#ldap_uri').prop('required', true);
|
||||
$('#ldap_base_dn').prop('required', true);
|
||||
$('#ldap_admin_username').prop('required', true);
|
||||
$('#ldap_admin_password').prop('required', true);
|
||||
if ($('#ldap').is(":checked") ) {
|
||||
$('#ldap_admin_username').prop('required', true);
|
||||
$('#ldap_admin_password').prop('required', true);
|
||||
$('#ldap_domain').prop('required', false);
|
||||
} else {
|
||||
$('#ldap_admin_username').prop('required', false);
|
||||
$('#ldap_admin_password').prop('required', false);
|
||||
$('#ldap_domain').prop('required', true);
|
||||
}
|
||||
$('#ldap_filter_basic').prop('required', true);
|
||||
$('#ldap_filter_username').prop('required', true);
|
||||
|
||||
|
@ -1482,6 +1482,7 @@ def admin_setting_authentication():
|
||||
Setting().set('ldap_admin_group', request.form.get('ldap_admin_group'))
|
||||
Setting().set('ldap_operator_group', request.form.get('ldap_operator_group'))
|
||||
Setting().set('ldap_user_group', request.form.get('ldap_user_group'))
|
||||
Setting().set('ldap_domain', request.form.get('ldap_domain'))
|
||||
result = {'status': True, 'msg': 'Saved successfully'}
|
||||
elif conf_type == 'google':
|
||||
Setting().set('google_oauth_enabled', True if request.form.get('google_oauth_enabled') else False)
|
||||
|
Loading…
Reference in New Issue
Block a user