trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sources/ldap: fix duplicate bind when authenticating user directly to… (#5927) 

sources/ldap: fix duplicate bind when authenticating user directly to LDAP source

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens L 2023-06-12 10:24:01 +02:00 committed by GitHub
parent 27be9faf40
commit 4741d8aa0d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 37 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
authentik/sources/ldap/auth.py
View File

@ -57,13 +57,13 @@ class LDAPBackend(InbuiltBackend):
# Try to bind as new user # Try to bind as new user
LOGGER.debug("Attempting to bind as user", user=user) LOGGER.debug("Attempting to bind as user", user=user)
try: try:
temp_connection = source.connection( # source.connection also attempts to bind
source.connection(
connection_kwargs={ connection_kwargs={
"user": user.attributes.get(LDAP_DISTINGUISHED_NAME), "user": user.attributes.get(LDAP_DISTINGUISHED_NAME),
"password": password, "password": password,
} }
) )
temp_connection.bind()
return user return user
except LDAPInvalidCredentialsResult as exc: except LDAPInvalidCredentialsResult as exc:
LOGGER.debug("invalid LDAP credentials", user=user, exc=exc) LOGGER.debug("invalid LDAP credentials", user=user, exc=exc)

6
authentik/sources/ldap/models.py
View File

@ -145,7 +145,9 @@ class LDAPSource(Source):
if self.start_tls: if self.start_tls:
connection.start_tls(read_server_info=False) connection.start_tls(read_server_info=False)
try: try:
connection.bind() successful = connection.bind()
if successful:
return connection
except LDAPSchemaError as exc: except LDAPSchemaError as exc:
# Schema error, so try connecting without schema info # Schema error, so try connecting without schema info
# See https://github.com/goauthentik/authentik/issues/4590 # See https://github.com/goauthentik/authentik/issues/4590
@ -153,7 +155,7 @@ class LDAPSource(Source):
raise exc raise exc
server_kwargs["get_info"] = NONE server_kwargs["get_info"] = NONE
return self.connection(server_kwargs, connection_kwargs) return self.connection(server_kwargs, connection_kwargs)
return connection return RuntimeError("Failed to bind")
class Meta: class Meta:
verbose_name = _("LDAP Source") verbose_name = _("LDAP Source")

31
authentik/sources/ldap/tests/test_auth.py
View File

@ -29,6 +29,37 @@ class LDAPSyncTests(TestCase):
additional_group_dn="ou=groups", additional_group_dn="ou=groups",
) )
def test_auth_direct_user_ad(self):
"""Test direct auth"""
self.source.property_mappings.set(
LDAPPropertyMapping.objects.filter(
Q(managed__startswith="goauthentik.io/sources/ldap/default-")
| Q(managed__startswith="goauthentik.io/sources/ldap/ms-")
)
)
raw_conn = mock_ad_connection(LDAP_PASSWORD)
bind_mock = Mock(wraps=raw_conn.bind)
raw_conn.bind = bind_mock
connection = MagicMock(return_value=raw_conn)
with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
user_sync = UserLDAPSynchronizer(self.source)
user_sync.sync()
user = User.objects.get(username="user0_sn")
# auth_user_by_bind = Mock(return_value=user)
backend = LDAPBackend()
self.assertEqual(
backend.authenticate(None, username="user0_sn", password=LDAP_PASSWORD),
user,
)
connection.assert_called_with(
connection_kwargs={
"user": "cn=user0,ou=users,dc=goauthentik,dc=io",
"password": LDAP_PASSWORD,
}
)
bind_mock.assert_not_called()
def test_auth_synced_user_ad(self): def test_auth_synced_user_ad(self):
"""Test Cached auth""" """Test Cached auth"""
self.source.property_mappings.set( self.source.property_mappings.set(