From 9bb084f0a7d944dab1d17dbbf12a7c4c09b68186 Mon Sep 17 00:00:00 2001
From: DenebTM
Date: Fri, 25 Oct 2024 12:17:13 +0200
Subject: [PATCH] support LDAP aliases

---
 src/auth/backends.rs | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/src/auth/backends.rs b/src/auth/backends.rs
index ff05b69..2c8fabc 100644
--- a/src/auth/backends.rs
+++ b/src/auth/backends.rs
@@ -115,7 +115,7 @@ impl ValidateLogin for LdapBackend {
                 &self.config.search_base,
                 Scope::Subtree,
                 &filter,
-                ["dn", "uid"],
+                ["dn", "uid", "aliasedObjectName"],
             )
             .await?
             .success()?
@@ -138,6 +138,16 @@ impl ValidateLogin for LdapBackend {
             }
         };
 
+        let real_dn = search_entry
+            .attrs
+            .get("aliasedObjectName")
+            .map(|aliased_objects| {
+                let aliased_object = &aliased_objects[0];
+                event!(Level::INFO, dn = aliased_object, "LDAP entry is alias to");
+                aliased_object
+            })
+            .unwrap_or(&search_entry.dn);
+
         let uid = {
             let uids = search_entry.attrs.get("uid").ok_or_else(|| {
                 event!(
@@ -161,7 +171,7 @@ impl ValidateLogin for LdapBackend {
 
         event!(
             Level::TRACE,
-            dn = search_entry.dn,
+            dn = real_dn,
             uid,
             "Found LDAP user, attempting to bind"
         );
@@ -171,13 +181,13 @@ impl ValidateLogin for LdapBackend {
         let (conn, mut ldap) = start_ldap_connection(&self.config).await?;
         drive!(conn);
         if let Err(ldap_error) = ldap
-            .simple_bind(&search_entry.dn, password.0.expose_secret())
+            .simple_bind(real_dn, password.0.expose_secret())
             .await?
             .success()
         {
             event!(
                 Level::TRACE,
-                dn = search_entry.dn,
+                dn = real_dn,
                 ldap_error = ldap_error.to_string(),
                 "LDAP bind failed"
             );
@@ -185,7 +195,7 @@ impl ValidateLogin for LdapBackend {
             }
         }
 
-        event!(Level::INFO, dn = search_entry.dn, "LDAP bind succeeded");
+        event!(Level::INFO, dn = real_dn, "LDAP bind succeeded");
         Ok(uid)
     }
 }
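Review bot: In the `real_dn` hunk the credential check and the returned identity now come from two different entries: the bind a few lines later is performed against the alias target taken from `aliasedObjectName`, while `uid` (the value this function ultimately returns) is still read from the alias entry's own attributes, so whoever can write an alias entry with a `uid` of their choosing can have a login validated against the target's password reported under that uid. If alias entries are only ever created by directory administrators this is acceptable, but the assumption should be stated in a comment above `let real_dn`, or the target entry should be looked up after the bind so that `uid` comes from the same entry the password was checked against. Separately, `&aliased_objects[0]` is a panic path driven by server-returned data; `aliasedObjectName` is single-valued by schema, but the empty-list case is cheap to rule out by replacing the `.get(...)` / `.map(...)` head with `.get("aliasedObjectName").and_then(|aliased_objects| aliased_objects.first())` followed by `.map(|aliased_object| {` and dropping the indexing line. The enclosing `validate_login` body starts and ends outside this hunk, and the same `real_dn` substitution in the three later hunks is fine as written.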