Add anonymous bind option to ldap auth provider #11547

Closed
3 tasks done
schlagmichdoch opened this issue Feb 9, 2022 · 3 comments · Fixed by #11750

Comments

@schlagmichdoch
Contributor

schlagmichdoch commented Feb 9, 2022

Preflight Checklist

Describe the Bug

When configuring an LDAP provider, I do not want to bind to my LDAP admin account but bind anonymously.

According to the LDAP standard (which is referenced in the Directus docs as well), this should be possible as follows:

"by sending a Bind request with a name value of zero length and
specifying the simple authentication choice containing a password
value of zero length."

https://datatracker.ietf.org/doc/html/rfc4513#section-5.1

Sadly, when configuring the Directus LDAP provider,

AUTH_LDAP_BIND_DN=""
AUTH_LDAP_BIND_PASSWORD=""

does not do the trick.

As every other user has the "permission to query users and groups to perform authentication." (as required by the Directus docs), I could add an LDAP account in the users directory and bind to that.

It would be great if there was the option to bind anonymously by choice or by leaving DN and password empty.

To Reproduce

Adding the following config to the Directus dotenv file:
Not Working Config - binding anonymously:

AUTH_PROVIDERS="ldap"
AUTH_DISABLE_DEFAULT=true

AUTH_LDAP_DRIVER="ldap"
AUTH_LDAP_CLIENT_URL="ldap://127.0.0.1:389"
AUTH_LDAP_BIND_DN=""
AUTH_LDAP_BIND_PASSWORD=""

AUTH_LDAP_USER_DN="ou=users,dc=example,dc=com"
AUTH_LDAP_USER_ATTRIBUTE="uid"
AUTH_LDAP_USER_SCOPE="one"
AUTH_LDAP_MAIL_ATTRIBUTE="mail"

AUTH_LDAP_GROUP_DN="ou=groups,dc=example,dc=com"
AUTH_LDAP_GROUP_ATTRIBUTE="memberUid"

Working Config - binding anonymously to created directus.readonly user:

AUTH_PROVIDERS="ldap"
AUTH_DISABLE_DEFAULT=true

AUTH_LDAP_DRIVER="ldap"
AUTH_LDAP_CLIENT_URL="ldap://127.0.0.1:389"
AUTH_LDAP_BIND_DN="uid=directus.readonly,ou=users,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD="PASSWORD"

AUTH_LDAP_USER_DN="ou=users,dc=example,dc=com"
AUTH_LDAP_USER_ATTRIBUTE="uid"
AUTH_LDAP_USER_SCOPE="one"
AUTH_LDAP_MAIL_ATTRIBUTE="mail"

AUTH_LDAP_GROUP_DN="ou=groups,dc=example,dc=com"
AUTH_LDAP_GROUP_ATTRIBUTE="memberUid"

Working Config - binding to admin

AUTH_PROVIDERS="ldap"
AUTH_DISABLE_DEFAULT=true

AUTH_LDAP_DRIVER="ldap"
AUTH_LDAP_CLIENT_URL="ldap://127.0.0.1:389"
AUTH_LDAP_BIND_DN="cn=admin,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD="PASSWORD"

AUTH_LDAP_USER_DN="ou=users,dc=example,dc=com"
AUTH_LDAP_USER_ATTRIBUTE="uid"
AUTH_LDAP_USER_SCOPE="one"
AUTH_LDAP_MAIL_ATTRIBUTE="mail"

AUTH_LDAP_GROUP_DN="ou=groups,dc=example,dc=com"
AUTH_LDAP_GROUP_ATTRIBUTE="memberUid"

Errors Shown

InvalidConfigException [Error]: Invalid provider config
    at new LDAPAuthDriver (/path_to_directus/node_modules/directus/dist/auth/drivers/ldap.js:48:19)
    at getProviderInstance (/path_to_directus/node_modules/directus/dist/auth.js:65:20)
    at /path_to_directus/node_modules/directus/dist/auth.js:47:26
    at Array.forEach (<anonymous>)
    at registerAuthProviders (/path_to_directus/node_modules/directus/dist/auth.js:36:19)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async createApp (/path_to_directus/node_modules/directus/dist/app.js:97:5)
    at async createServer (/path_to_directus/node_modules/directus/dist/server.js:40:38)
    at async Command.startServer (/path_to_directus/node_modules/directus/dist/server.js:126:20)
    at async Command.parseAsync (/path_to_directus/node_modules/commander/lib/command.js:923:5) {
  status: 503,
  code: 'INVALID_CONFIG',
  extensions: { provider: 'ldap' }

What version of Directus are you using?

9.5.0

What version of Node.js are you using?

v16.13.0

What database are you using?

MySQL Community Server 8.0.27

What browser are you using?

What operating system are you using?

Debian GNU/Linux 10 (buster)

How are you deploying Directus?

locally (pm2)

@aidenfoxx
Contributor

I'm not in a position to make this change right now, but it would likely be easy enough to implement by updating the following line https://github.com/directus/directus/blob/main/api/src/auth/drivers/ldap.ts#L54 as such:

// from:
if (!bindDn || !bindPassword || ...

// to:
if (bindDn !== undefined || bindPassword !== undefined || ...

If you want to test this and create a PR it would be appreciated.

@schlagmichdoch
Contributor Author

Thanks for the help! Correct thinking, but inverse condition.
I have successfully tested it and created a merge request.
Cheers!

@aidenfoxx
Contributor

Ah, yeah. Inverse would make sense! Never trust my untested code. 😄
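The following is an added example, not Directus's own code, that models the provider-config check this thread is about: the "before" check that rejects empty strings, the corrected check (the inverse of the first suggestion) that only rejects missing values, and two helpers that classify a bind as anonymous or as an RFC 4513 "unauthenticated" bind, which a deployment should treat as a misconfiguration. The interface, function names and the sample configs are constructed for illustration and mirror the configs posted in the issue.

```typescript
// Added example, not Directus's own code. Models the provider-config check
// discussed in this issue: per RFC 4513 §5.1.1 an anonymous bind is a
// zero-length name with a zero-length password, so "" must be accepted and
// only a missing (undefined) value treated as a configuration error.
interface LdapProviderConfig {
  clientUrl?: string;
  bindDn?: string;
  bindPassword?: string;
  userDn?: string;
}

// The check as reported: "" is falsy, so an anonymous bind is rejected.
function isValidConfigBefore(cfg: LdapProviderConfig): boolean {
  return !(!cfg.bindDn || !cfg.bindPassword || !cfg.clientUrl || !cfg.userDn);
}

// The corrected check the thread settles on (inverse of the first
// suggestion): fail only when a value is absent, so "" passes.
function isValidConfigAfter(cfg: LdapProviderConfig): boolean {
  return !(
    cfg.bindDn === undefined || cfg.bindPassword === undefined ||
    cfg.clientUrl === undefined || cfg.userDn === undefined
  );
}

// RFC 4513 §5.1.1: zero-length name and zero-length password.
function isAnonymousBind(cfg: LdapProviderConfig): boolean {
  return cfg.bindDn === '' && cfg.bindPassword === '';
}

// RFC 4513 §5.1.2: a non-empty name with a zero-length password is an
// "unauthenticated" bind, which servers should refuse by default; flag it
// as a misconfiguration rather than letting it reach the server.
function isUnauthenticatedBind(cfg: LdapProviderConfig): boolean {
  return (cfg.bindDn ?? '') !== '' && cfg.bindPassword === '';
}

// Constructed samples mirroring the issue's configs.
const anonymousConfig: LdapProviderConfig = {
  clientUrl: 'ldap://127.0.0.1:389', bindDn: '', bindPassword: '',
  userDn: 'ou=users,dc=example,dc=com',
};
const adminConfig: LdapProviderConfig = {
  clientUrl: 'ldap://127.0.0.1:389', bindDn: 'cn=admin,dc=example,dc=com',
  bindPassword: 'PASSWORD', userDn: 'ou=users,dc=example,dc=com',
};
const missingBindConfig: LdapProviderConfig = {
  clientUrl: 'ldap://127.0.0.1:389', userDn: 'ou=users,dc=example,dc=com',
};
```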

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 2, 2024