Do not use service login/password for AD authentication

This commit is contained in:
Olivier DUMAS 2018-09-12 17:28:05 +02:00
parent 9a4eebfd42
commit bee6d1560f
3 changed files with 87 additions and 22 deletions

View File

@ -132,6 +132,9 @@ class User(db.Model):
try:
conn = self.ldap_init_conn()
if Setting().get('ldap_type') == 'ad':
conn.simple_bind_s("{0}@{1}".format(self.username,Setting().get('ldap_domain')), self.password)
else:
conn.simple_bind_s(Setting().get('ldap_admin_username'), Setting().get('ldap_admin_password'))
ldap_result_id = conn.search(baseDN, searchScope, searchFilter, retrieveAttributes)
result_set = []
@ -189,6 +192,13 @@ class User(db.Model):
LDAP_USER_GROUP = Setting().get('ldap_user_group')
LDAP_GROUP_SECURITY_ENABLED = Setting().get('ldap_sg_enabled')
# validate ldap user password
if Setting().get('ldap_type') == 'ad':
ldap_username = "{0}@{1}".format(self.username,Setting().get('ldap_domain'))
if not self.ldap_auth(ldap_username, self.password):
logging.error('User "{0}" input a wrong LDAP password. Authentication request from {1}'.format(self.username, src_ip))
return False
searchFilter = "(&({0}={1}){2})".format(LDAP_FILTER_USERNAME, self.username, LDAP_FILTER_BASIC)
logging.debug('Ldap searchFilter {0}'.format(searchFilter))
@ -240,6 +250,7 @@ class User(db.Model):
logging.debug(traceback.format_exc())
return False
if Setting().get('ldap_type') != 'ad':
# validate ldap user password
if not self.ldap_auth(ldap_username, self.password):
logging.error('User "{0}" input a wrong LDAP password. Authentication request from {1}'.format(self.username, src_ip))
@ -1825,6 +1836,7 @@ class Setting(db.Model):
'ldap_admin_group': '',
'ldap_operator_group': '',
'ldap_user_group': '',
'ldap_domain': '',
'github_oauth_enabled': False,
'github_oauth_key': '',
'github_oauth_secret': '',

View File

@ -13,6 +13,21 @@
<li><a href="#">Setting</a></li>
<li class="active">Authentication</li>
</ol>
<script>
function ldapSelection() {
if (document.getElementById('ldap').checked) {
document.getElementById('ldap_openldap_fields').style.display = 'block';
document.getElementById('ldap_ad_fields').style.display = 'none';
} else {
document.getElementById('ldap_openldap_fields').style.display = 'none';
document.getElementById('ldap_ad_fields').style.display = 'block';
}
}
window.onload = function() {
ldapSelection();
}
</script>
</section>
{% endblock %}
{% block content %}
@ -70,11 +85,11 @@
<label>Type</label>
<div class="radio">
<label>
<input type="radio" name="ldap_type" id="ldap" value="ldap" {% if SETTING.get('ldap_type')=='ldap' %}checked{% endif %}> OpenLDAP
<input type="radio" name="ldap_type" id="ldap" onclick="javascript:ldapSelection();" value="ldap" {% if SETTING.get('ldap_type')=='ldap' %}checked{% endif %}> OpenLDAP
</label>
&nbsp;&nbsp;&nbsp;
<label>
<input type="radio" name="ldap_type" id="ad" value="ad" {% if SETTING.get('ldap_type')=='ad' %}checked{% endif %}> Active Directory
<input type="radio" name="ldap_type" id="ad" onclick="javascript:ldapSelection();" value="ad" {% if SETTING.get('ldap_type')=='ad' %}checked{% endif %}> Active Directory
</label>
</div>
</div>
@ -90,6 +105,7 @@
<input type="text" class="form-control" name="ldap_base_dn" id="ldap_base_dn" placeholder="e.g. dc=mydomain,dc=com" data-error="Please input LDAP Base DN" value="{{ SETTING.get('ldap_base_dn') }}">
<span class="help-block with-errors"></span>
</div>
<div id="ldap_openldap_fields">
<div class="form-group">
<label for="ldap_admin_username">LDAP admin username</label>
<input type="text" class="form-control" name="ldap_admin_username" id="ldap_admin_username" placeholder="e.g. cn=admin,dc=mydomain,dc=com" data-error="Please input LDAP admin username" value="{{ SETTING.get('ldap_admin_username') }}">
@ -100,6 +116,14 @@
<input type="password" class="form-control" name="ldap_admin_password" id="ldap_admin_password" placeholder="LDAP Admin password" data-error="Please input LDAP admin password" value="{{ SETTING.get('ldap_admin_password') }}">
<span class="help-block with-errors"></span>
</div>
</div>
<div id="ldap_ad_fields">
<div class="form-group">
<label for="ldap_domain">Active Directory domain</label>
<input type="text" class="form-control" name="ldap_domain" id="ldap_domain" placeholder="Active Directory domain" data-error="Please input Actve Directory domain value" value="{{ SETTING.get('ldap_domain') }}">
<span class="help-block with-errors"></span>
</div>
</div>
</fieldset>
<fieldset>
<legend>FILTERS</legend>
@ -175,10 +199,13 @@
LDAP Base DN - The point from where a PDA will search for users.
</li>
<li>
LDAP admin username - Your LDAP administrator user which has permission to query information in the Base DN above.
LDAP admin username - Your LDAP administrator user which has permission to query information in the Base DN above. Not needed for Active Directory authentication.
</li>
<li>
LDAP admin password - The password of LDAP administrator user.
LDAP admin password - The password of LDAP administrator user. Not needed for Active Directory authentication.
</li>
<li>
Active Directory domain - Active Directory domain used.
</li>
</ul>
</dd>
@ -337,7 +364,6 @@
</section>
{% endblock %}
{% block extrascripts %}
{% assets "js_validation" -%}
<script type="text/javascript" src="{{ ASSET_URL }}"></script>
{%- endassets %}
@ -378,8 +404,15 @@
if (is_enabled){
$('#ldap_uri').prop('required', true);
$('#ldap_base_dn').prop('required', true);
if ($('#ldap').is(":checked") ) {
$('#ldap_admin_username').prop('required', true);
$('#ldap_admin_password').prop('required', true);
$('#ldap_domain').prop('required', false);
} else {
$('#ldap_admin_username').prop('required', false);
$('#ldap_admin_password').prop('required', false);
$('#ldap_domain').prop('required', true);
}
$('#ldap_filter_basic').prop('required', true);
$('#ldap_filter_username').prop('required', true);
@ -413,12 +446,31 @@
}
});
$("input[name='ldap_type']" ).change(function(){
if ($('#ldap').is(":checked") && $('#ldap_enabled').is(":checked")) {
$('#ldap_admin_group').prop('required', true);
$('#ldap_user_group').prop('required', true);
$('#ldap_domain').prop('required', false);
} else {
$('#ldap_admin_group').prop('required', false);
$('#ldap_user_group').prop('required', false);
$('#ldap_domain').prop('required', true);
}
});
// init validation reqirement at first time page load
{% if SETTING.get('ldap_enabled') %}
$('#ldap_uri').prop('required', true);
$('#ldap_base_dn').prop('required', true);
if ($('#ldap').is(":checked") ) {
$('#ldap_admin_username').prop('required', true);
$('#ldap_admin_password').prop('required', true);
$('#ldap_domain').prop('required', false);
} else {
$('#ldap_admin_username').prop('required', false);
$('#ldap_admin_password').prop('required', false);
$('#ldap_domain').prop('required', true);
}
$('#ldap_filter_basic').prop('required', true);
$('#ldap_filter_username').prop('required', true);

View File

@ -1482,6 +1482,7 @@ def admin_setting_authentication():
Setting().set('ldap_admin_group', request.form.get('ldap_admin_group'))
Setting().set('ldap_operator_group', request.form.get('ldap_operator_group'))
Setting().set('ldap_user_group', request.form.get('ldap_user_group'))
Setting().set('ldap_domain', request.form.get('ldap_domain'))
result = {'status': True, 'msg': 'Saved successfully'}
elif conf_type == 'google':
Setting().set('google_oauth_enabled', True if request.form.get('google_oauth_enabled') else False)