diff --git a/app/models.py b/app/models.py
index 4869608..d1fd97d 100644
--- a/app/models.py
+++ b/app/models.py
@@ -132,7 +132,10 @@ class User(db.Model):
 try:
 conn = self.ldap_init_conn()
- conn.simple_bind_s(Setting().get('ldap_admin_username'), Setting().get('ldap_admin_password'))
+ if Setting().get('ldap_type') == 'ad':
+ conn.simple_bind_s("{0}@{1}".format(self.username,Setting().get('ldap_domain')), self.password)
+ else:
+ conn.simple_bind_s(Setting().get('ldap_admin_username'), Setting().get('ldap_admin_password'))
 ldap_result_id = conn.search(baseDN, searchScope, searchFilter, retrieveAttributes)
 result_set = []
@@ -189,6 +192,13 @@ class User(db.Model):
 LDAP_USER_GROUP = Setting().get('ldap_user_group')
 LDAP_GROUP_SECURITY_ENABLED = Setting().get('ldap_sg_enabled')
+ # validate ldap user password
+ if Setting().get('ldap_type') == 'ad':
+ ldap_username = "{0}@{1}".format(self.username,Setting().get('ldap_domain'))
+ if not self.ldap_auth(ldap_username, self.password):
+ logging.error('User "{0}" input a wrong LDAP password. Authentication request from {1}'.format(self.username, src_ip))
+ return False
+
 searchFilter = "(&({0}={1}){2})".format(LDAP_FILTER_USERNAME, self.username, LDAP_FILTER_BASIC)
 logging.debug('Ldap searchFilter {0}'.format(searchFilter))
@@ -240,10 +250,11 @@ class User(db.Model):
 logging.debug(traceback.format_exc())
 return False
- # validate ldap user password
- if not self.ldap_auth(ldap_username, self.password):
- logging.error('User "{0}" input a wrong LDAP password. Authentication request from {1}'.format(self.username, src_ip))
- return False
+ if Setting().get('ldap_type') != 'ad':
+ # validate ldap user password
+ if not self.ldap_auth(ldap_username, self.password):
+ logging.error('User "{0}" input a wrong LDAP password. Authentication request from {1}'.format(self.username, src_ip))
+ return False
 except Exception as e:
 logging.error('Wrong LDAP configuration. {0}'.format(e))
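Review bot: The Active Directory branch passes `self.password` to `conn.simple_bind_s` with no check that it is non-empty; a simple bind with a name and an empty password is the unauthenticated mechanism of RFC 4513 §5.1.2, which python-ldap does not refuse on the client side and which some directories answer with success, so an empty password could let the search run as if the user had authenticated. The `self.ldap_auth(ldap_username, self.password)` call added in the second hunk has the same exposure unless `ldap_auth`, which is outside this diff, already rejects empty passwords. Guard the login path before either bind, in the AD branch of the second hunk: `if not self.password:` / `return False` (logged the same way as the wrong-password case). Both enclosing methods start before their hunks and continue past them.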
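Review bot: `Setting().get('ldap_type')` is looked up inline here and again in the third hunk, while the method already caches every other LDAP setting in an upper-case local (`LDAP_USER_GROUP = Setting().get('ldap_user_group')`); a `LDAP_TYPE = Setting().get('ldap_type')` beside those locals, compared as `LDAP_TYPE == 'ad'` and `LDAP_TYPE != 'ad'`, keeps one read per login and matches the existing style. The `# validate ldap user password` comment is now duplicated as well; the AD copy could instead say why the order differs, e.g. `# AD: the user's own credentials bind the search connection, so verify them first`. The enclosing method starts before this hunk and continues after the third.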
@@ -1825,6 +1836,7 @@ class Setting(db.Model):
 'ldap_admin_group': '',
 'ldap_operator_group': '',
 'ldap_user_group': '',
+ 'ldap_domain': '',
 'github_oauth_enabled': False,
 'github_oauth_key': '',
 'github_oauth_secret': '',
diff --git a/app/templates/admin_setting_authentication.html b/app/templates/admin_setting_authentication.html
index e522178..11c44b5 100644
--- a/app/templates/admin_setting_authentication.html
+++ b/app/templates/admin_setting_authentication.html
@@ -13,6 +13,21 @@
  • Setting
  • Authentication
  • + {% endblock %} {% block content %} @@ -70,11 +85,11 @@
       
    @@ -90,15 +105,24 @@ -
    - - - +
    +
    + + + +
    +
    + + + +
    -
    - - - +
    +
    + + + +
    @@ -175,10 +199,13 @@ LDAP Base DN - The point from where a PDA will search for users.
  • - LDAP admin username - Your LDAP administrator user which has permission to query information in the Base DN above. + LDAP admin username - Your LDAP administrator user which has permission to query information in the Base DN above. Not needed for Active Directory authentication.
  • - LDAP admin password - The password of LDAP administrator user. + LDAP admin password - The password of LDAP administrator user. Not needed for Active Directory authentication. +
  • +
  • + Active Directory domain - Active Directory domain used.
  • @@ -337,7 +364,6 @@ {% endblock %} {% block extrascripts %} - {% assets "js_validation" -%} {%- endassets %} @@ -378,8 +404,15 @@ if (is_enabled){ $('#ldap_uri').prop('required', true); $('#ldap_base_dn').prop('required', true); - $('#ldap_admin_username').prop('required', true); - $('#ldap_admin_password').prop('required', true); + if ($('#ldap').is(":checked") ) { + $('#ldap_admin_username').prop('required', true); + $('#ldap_admin_password').prop('required', true); + $('#ldap_domain').prop('required', false); + } else { + $('#ldap_admin_username').prop('required', false); + $('#ldap_admin_password').prop('required', false); + $('#ldap_domain').prop('required', true); + } $('#ldap_filter_basic').prop('required', true); $('#ldap_filter_username').prop('required', true); @@ -413,12 +446,31 @@ } }); + $("input[name='ldap_type']" ).change(function(){ + if ($('#ldap').is(":checked") && $('#ldap_enabled').is(":checked")) { + $('#ldap_admin_group').prop('required', true); + $('#ldap_user_group').prop('required', true); + $('#ldap_domain').prop('required', false); + } else { + $('#ldap_admin_group').prop('required', false); + $('#ldap_user_group').prop('required', false); + $('#ldap_domain').prop('required', true); + } + }); + // init validation reqirement at first time page load {% if SETTING.get('ldap_enabled') %} $('#ldap_uri').prop('required', true); $('#ldap_base_dn').prop('required', true); - $('#ldap_admin_username').prop('required', true); - $('#ldap_admin_password').prop('required', true); + if ($('#ldap').is(":checked") ) { + $('#ldap_admin_username').prop('required', true); + $('#ldap_admin_password').prop('required', true); + $('#ldap_domain').prop('required', false); + } else { + $('#ldap_admin_username').prop('required', false); + $('#ldap_admin_password').prop('required', false); + $('#ldap_domain').prop('required', true); + } $('#ldap_filter_basic').prop('required', true); $('#ldap_filter_username').prop('required', true); 
diff --git a/app/views.py b/app/views.py
index 3311997..aa3999e 100644
--- a/app/views.py
+++ b/app/views.py
@@ -1482,6 +1482,7 @@ def admin_setting_authentication():
 Setting().set('ldap_admin_group', request.form.get('ldap_admin_group'))
 Setting().set('ldap_operator_group', request.form.get('ldap_operator_group'))
 Setting().set('ldap_user_group', request.form.get('ldap_user_group'))
+ Setting().set('ldap_domain', request.form.get('ldap_domain'))
 result = {'status': True, 'msg': 'Saved successfully'}
 elif conf_type == 'google':
 Setting().set('google_oauth_enabled', True if request.form.get('google_oauth_enabled') else False)
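Review bot: `Setting().set('ldap_domain', request.form.get('ldap_domain'))` stores whatever the form sends, including `None` when the field is absent, and the models.py change in this commit concatenates that value straight into the bind name via `"{0}@{1}".format(self.username, ...)`, where `None` yields `user@None` and surrounding whitespace yields a name the directory will reject. Unlike the neighbouring group settings, this value becomes part of an authentication identity, so normalise it on save, `Setting().set('ldap_domain', (request.form.get('ldap_domain') or '').strip())`, and refuse to save an empty domain when the submitted `ldap_type` is `'ad'`; the template's `required` flags are client-side only. Whether `ldap_type` is saved in this same branch is not visible in the hunk. admin_setting_authentication starts and ends outside the hunk.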