diff --git a/go.mod b/go.mod
index 995953e783..ccbb900847 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module goauthentik.io
 go 1.26.0
 
 require (
-	beryju.io/ldap v0.1.0
+	beryju.io/ldap v0.2.1
 	beryju.io/radius-eap v0.1.0
 	github.com/avast/retry-go/v4 v4.7.0
 	github.com/coreos/go-oidc/v3 v3.17.0
diff --git a/go.sum b/go.sum
index 43deb7490b..d8bf87b9ee 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,5 @@
-beryju.io/ldap v0.1.0 h1:rPjGE3qR1Klbvn9N+iECWdzt/tK87XHgz8W5wZJg9B8=
-beryju.io/ldap v0.1.0/go.mod h1:sOrYV+ZlDTDu/IvIiEiuAaXzjcpMBE+XXr4V+NJ0pWI=
+beryju.io/ldap v0.2.1 h1:rhTAP2CXqrKZy/UycLC/aPSSBMcgJMzooKqk3TwVFxY=
+beryju.io/ldap v0.2.1/go.mod h1:GJSw3pVOON/3+L5att3Eysmj7j0GmjLvA6/WNmPajD4=
 beryju.io/radius-eap v0.1.0 h1:5M3HwkzH3nIEBcKDA2z5+sb4nCY3WdKL/SDDKTBvoqw=
 beryju.io/radius-eap v0.1.0/go.mod h1:yYtO59iyoLNEepdyp1gZ0i1tGdjPbrR2M/v5yOz7Fkc=
 github.com/Azure/go-ntlmssp v0.1.0 h1:DjFo6YtWzNqNvQdrwEyr/e4nhU3vRiwenz5QX7sFz+A=
diff --git a/internal/outpost/ldap/bind.go b/internal/outpost/ldap/bind.go
index ae79f69f83..bb4810d255 100644
--- a/internal/outpost/ldap/bind.go
+++ b/internal/outpost/ldap/bind.go
@@ -12,8 +12,8 @@ import (
 	"goauthentik.io/internal/outpost/ldap/metrics"
 )
 
-func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {
-	req, span := bind.NewRequest(bindDN, bindPW, conn)
+func (ls *LDAPServer) Bind(r ldap.BindRequest, conn net.Conn) (ldap.LDAPResultCode, error) {
+	req, span := bind.NewRequest(r, conn)
 	selectedApp := ""
 	defer func() {
 		span.Finish()
@@ -35,7 +35,7 @@ func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LD
 	}()
 
 	for _, instance := range ls.providers {
-		username, err := instance.binder.GetUsername(bindDN)
+		username, err := instance.binder.GetUsername(r.BindDN)
 		if err == nil {
 			selectedApp = instance.GetAppSlug()
 			c, err := instance.binder.Bind(username, req)
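Review bot: `instance.binder.GetUsername(r.BindDN)` is handed the caller's raw DN while `req.BindDN`, which `NewRequest` lower-cases and which the log fields and the session-cache key are built from, is already in scope; `r` is passed by value, so the normalisation never reaches it. If `GetUsername` matches the DN suffix case-sensitively, a mixed-case DN could be routed to a provider differently from how it is cached and logged; using the normalised copy, `username, err := instance.binder.GetUsername(req.BindDN)`, keeps provider selection, logging and caching on one string (confirm `GetUsername` accepts a lower-cased DN). The body of `Bind` continues outside both hunks.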
diff --git a/internal/outpost/ldap/bind/direct/bind.go b/internal/outpost/ldap/bind/direct/bind.go
index fe794a5df1..0c3bddc07c 100644
--- a/internal/outpost/ldap/bind/direct/bind.go
+++ b/internal/outpost/ldap/bind/direct/bind.go
@@ -23,7 +23,7 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 
 	fe.Params.Add("goauthentik.io/outpost/ldap", "true")
 	fe.Answers[flow.StageIdentification] = username
-	fe.SetSecrets(req.BindPW, db.si.GetMFASupport())
+	fe.SetSecrets(req.Password, db.si.GetMFASupport())
 
 	passed, err := fe.Execute()
 	flags := flags.UserFlags{
diff --git a/internal/outpost/ldap/bind/memory/memory.go b/internal/outpost/ldap/bind/memory/memory.go
index 97080cf582..ef8b691d2b 100644
--- a/internal/outpost/ldap/bind/memory/memory.go
+++ b/internal/outpost/ldap/bind/memory/memory.go
@@ -46,7 +46,7 @@ func NewSessionBinder(si server.LDAPServerInstance, oldBinder bind.Binder) *Sess
 func (sb *SessionBinder) Bind(username string, req *bind.Request) (ldap.LDAPResultCode, error) {
 	item := sb.sessions.Get(Credentials{
 		DN:       req.BindDN,
-		Password: req.BindPW,
+		Password: req.Password,
 	})
 	if item != nil {
 		sb.log.WithField("bindDN", req.BindDN).Info("authenticated from session")
@@ -63,7 +63,7 @@ func (sb *SessionBinder) Bind(username string, req *bind.Request) (ldap.LDAPResu
 		}
 		sb.sessions.Set(Credentials{
 			DN:       req.BindDN,
-			Password: req.BindPW,
+			Password: req.Password,
 		}, result, time.Until(flags.Session.Expires))
 	}
 	return result, err
diff --git a/internal/outpost/ldap/bind/request.go b/internal/outpost/ldap/bind/request.go
index 9ea810e115..76e845af82 100644
--- a/internal/outpost/ldap/bind/request.go
+++ b/internal/outpost/ldap/bind/request.go
@@ -5,6 +5,7 @@ import (
 	"net"
 	"strings"
 
+	"beryju.io/ldap"
 	"github.com/getsentry/sentry-go"
 	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
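Review bot: The session-cache key in both memory.go hunks is still `Credentials{DN: req.BindDN, Password: req.Password}`, so whatever else the embedded `ldap.BindRequest` now carries is ignored on lookup and on store; the move from two strings to a struct suggests extra fields, though none are visible here. If v0.2.1's `BindRequest` has a field that changes how the bind is authenticated (a mechanism or SASL payload, say), two binds with the same DN and password but different attributes would share one cached result, so either fold those fields into `Credentials` or reject non-simple binds before consulting the cache. Independently, the key keeps the clear-text password in process memory for the session lifetime; storing a digest instead, `Password: sha256.Sum256([]byte(req.Password))` with the field typed `[32]byte`, leaves lookups unchanged. `SessionBinder.Bind` spans both hunks and its middle lies outside them.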
@@ -12,15 +13,17 @@ import (
 )
 
 type Request struct {
-	BindDN string
-	BindPW string
-	id     string
-	conn   net.Conn
-	log    *log.Entry
-	ctx    context.Context
+	ldap.BindRequest
+	id   string
+	conn net.Conn
+	log  *log.Entry
+	ctx  context.Context
 }
 
-func NewRequest(bindDN string, bindPW string, conn net.Conn) (*Request, *sentry.Span) {
+func NewRequest(req ldap.BindRequest, conn net.Conn) (*Request, *sentry.Span) {
+	bindDN := strings.ToLower(req.BindDN)
+	req.BindDN = bindDN
+
 	span := sentry.StartSpan(context.TODO(), "authentik.providers.ldap.bind", sentry.WithTransactionName("authentik.providers.ldap.bind"))
 	span.Description = bindDN
 
@@ -38,12 +41,11 @@ func NewRequest(bindDN string, bindPW string, conn net.Conn) (*Request, *sentry.
 
 	bindDN = strings.ToLower(bindDN)
 	return &Request{
-		BindDN: bindDN,
-		BindPW: bindPW,
-		conn:   conn,
-		log:    log.WithField("bindDN", bindDN).WithField("requestId", rid).WithField("client", utils.GetIP(conn.RemoteAddr())),
-		id:     rid,
-		ctx:    span.Context(),
+		BindRequest: req,
+		conn:        conn,
+		log:         log.WithField("bindDN", bindDN).WithField("requestId", rid).WithField("client", utils.GetIP(conn.RemoteAddr())),
+		id:          rid,
+		ctx:         span.Context(),
 	}, span
 }
 
diff --git a/internal/outpost/ldap/unbind.go b/internal/outpost/ldap/unbind.go
index b293cb2c0d..caa9531d87 100644
--- a/internal/outpost/ldap/unbind.go
+++ b/internal/outpost/ldap/unbind.go
@@ -13,7 +13,9 @@ import (
 )
 
 func (ls *LDAPServer) Unbind(boundDN string, conn net.Conn) (ldap.LDAPResultCode, error) {
-	req, span := bind.NewRequest(boundDN, "", conn)
+	req, span := bind.NewRequest(ldap.BindRequest{
+		BindDN: boundDN,
+	}, conn)
 	selectedApp := ""
 	defer func() {
 		span.Finish()
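Review bot: `NewRequest` now lower-cases `req.BindDN` on its first line, which leaves the later `bindDN = strings.ToLower(bindDN)` (a context line at the top of the following hunk) as a no-op; drop it so the normalisation has exactly one home and a future reader does not wonder which copy is canonical. Embedding `ldap.BindRequest` also promotes its `Password` onto `*Request`, so any `%v`/`%+v` formatting or structured-logging of the request value would now emit the bind password; the struct needs a comment that says so, e.g. `// Request wraps ldap.BindRequest with request-scoped logging and tracing; NewRequest lower-cases BindDN. Password is a promoted field: never log or %v-format a Request, only its BindDN.` The span description and log fields already use the normalised DN, which is the right choice; `NewRequest` continues between the two request.go hunks.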