F #4924: LDAP auth - capture user part (#74)

OpenNebula · Jul 6, 2020 · c33a610 · c33a610
1 parent 20719b6
commit c33a610
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 7 deletions.
diff --git a/src/authm_mad/remotes/ldap/authenticate b/src/authm_mad/remotes/ldap/authenticate
@@ -63,7 +63,8 @@ end
 
 options=YAML.load(File.read(ETC_LOCATION+'/auth/ldap_auth.conf'))
 
-order = get_server_order(options, user)
+user_full = user
+order,user = get_server_order(options, user)
 
 STDERR.puts "Using group of servers: #{servers.join(', ')}" if order.length>1
 
@@ -119,7 +120,7 @@ order.each do |servers|
                     # authentication success
                     group_list = groups.join(' ')
 
-                    escaped_user = URI_PARSER.escape(user).downcase
+                    escaped_user = URI_PARSER.escape(user_full).downcase
                     escaped_secret = URI_PARSER.escape(user_dn)
 
                     puts "ldap #{escaped_user} #{escaped_secret} #{group_list}"

diff --git a/src/authm_mad/remotes/ldap/ldap_auth.conf b/src/authm_mad/remotes/ldap/ldap_auth.conf
@@ -129,9 +129,14 @@ server 2:
 # Example:
 #
 # :match_user_regex:
-#   "^.*@orgA$": server1
-#   "^.*@orgB$": server2
-#   "^.*@orgC$": ['server3', 'server4']
+#   "^(.*)@orgA$": server1
+#   "^(.*)@orgB$": server2
+#   "^(.*)@orgC$": ['server3', 'server4']
 #
 #  In this example user `joe@orgA` will be searched in server1 and user
 #  `paul@orgC` will be searched in server3 (and server4 if not found)
+#
+#  If the regex contains capture group like here, only this part of the
+#  username is searched  in the LDAP actually. So the user entry only
+#  have attribute like `cn: paul`. The suffix is only used to identify
+#  the server.
diff --git a/src/authm_mad/remotes/ldap/ldap_auth.rb b/src/authm_mad/remotes/ldap/ldap_auth.rb
@@ -267,7 +267,11 @@ def get_server_order(opts, user)
         end
 
         opts[:match_user_regex].each do |regex, server|
-            if user =~ /#{regex}/i
+            if m = user.match(/#{regex}/i)
+
+                # update user with the capture
+                user = m[1] if m[1]
+
                 order << to_array(server)
             end
         end
@@ -281,5 +285,5 @@ def get_server_order(opts, user)
         exit(-1)
     end
 
-    return order
+    return [order, user]
 end