LDAP: Pass through user/pass via `%s` token in BindDN

[galaktor]

Hi guys. First of all, gogs is awesome!

I'm trying to hook it into LDAP at a company. The problems is, I need to use simple LDAP so they login user ("%s") is passed into the LDAP bind credentials (can't store a hard-coded user).

For this, I set the User DN to be DOM\%s, where DOM is the AD domain and the login name in gogs is used as the username for AD. So when a user bob logs into gogs, the ldap binds with his credentials and prepends the domain, i.e. DOM\bob. By doing this, the bind (authentication to the AD server) works.

But the actual query to AD FAILS because the "CN" part of the AD query needs to be in a different format. Gogs seems to re-use the DOM\bob as part of the query, but our servers use Lastname, Firstname instead.

I can reproduce the situation using ldapsearch.

If I do

# uses Lastname and Fistname in query, but DOMAIN\username for binding
ldapsearch -h my.domain.server.com -p 123 -x -b "CN=Builder\, Bob,OU=Users,DC=blah,DC=blah,DC=blah,DC=com" -D "DOM\bob" -W

then I will retrieve the user successfully.

But the simple LDAP settings in gogs force me to use the DOM\bob (via the login screen) as the "CN" part of the query, so it seems to be sending

# uses DOMAIN\username in both query and bind
ldapsearch -h my.domain.server.com -p 123 -x -b "CN=DOM\bob,OU=Users,DC=blah,DC=blah,DC=blah,DC=com" -D "DOM\bob" -W

and the output is an error from the AD server.

LdapErr: DSID-0C09076F, comment: Error processing name, data 0, v2580

I have verified that when I use the BindDN authentication with my credentials hard-coded for the bind, gogs authenticates fine against our AD servers, just as I would expect. But I do not want to use a single persons credentials for this purpose. I want to pass through the username and password from the gogs login for bind in LDAP. When I try to do that in BindDN, it doesn't seem to pass through the username and password via the %s token ( a password token would be needed, too) as it does in simple DN. So I'm stuck.

When I use BindDN, I have to hard-code my credentials in order to successfully bind to LDAP, which I don't want to do.

If I want to pass through user/pass from gogs login, I have to use simple DN, but in that case my query is broken.

What can I do here?

[unknwon]

Do you guys have time to take a look?

cc @nanoant @SergioBenitez

[galaktor]

I think what I need is what kanboard's user mode for Active Directory via LDAP is.

It separates the DN from the LDAP authentication user.

Fwiw I'm no AD or LDAP expert, so if this is already possible using gogs, I'd love to know how to make it work.

Cheers guys

[SergioBenitez]

The BindDN method allows you to accomplish exactly what you'd like, as you've identified. Unfortunately, the way you've tried using it isn't the way it's meant to be used.

The idea behind the BindDN is that there is an unprivileged LDAP user with read-only permissions to a few user fields. That user is used as the BindDN. This way, no privileged information is stored in the database.

[galaktor]

@SergioBenitez The issue is that I do not want BindDN - I want Simple DN, where the login user is used to authenticate on LDAP.

The problem with SImpleDN is that it doesn't allow me to provide a base DN, it only let's me set the User DN for authentication (in my case needs to be "DOMAIN\username"), but then seems to use that for the User query as well (not just authentication).

If the Simple DN had an additional field to specify the query (not filter), like BindDN has, I'd be sorted.

[SergioBenitez]

I understand what it is that you'd like, and it seems reasonable to allow this in the future. I'll look into implementing this.

At the moment, however, assuming you can create users on the LDAP server, using a BindDN should meet your needs. What's holding you back from using a BindDN?

[galaktor]

I'm afraid I can't create users, it's a highly regulated corporate environment, making changes to AD is not done lightly. Plus I use other tools like this already and they support this for AD.

If it's any help, maybe the following images will illustrate my issue. I need to use Simple DN, but that won't allow me to specify query+filter and auth credentials separately.

[galaktor]

Notice the LDAP query bombs out because it won't tolerate "DOMAIN\username" as valid DN syntax - which it isn't. It's the authentication user. If I put in a query, I get credential errors on LDAP because it wants "DOMAIN\username" for auth...

[nanoant]

@galaktor What if Gogs escaped properly the backslash character? Would it work then? I dunno if LDAP spec wants the \ to be escaped but Active Directory apparently does.
Anyways, if yes, then it is just a matter of patching Gogs so it properly escapes the characters, no extra functionality needed.

[galaktor]

I'm not sure what exactly LDAP is tripping over when using "DOMAIN\username" for the query, and if that would even work on AD. When I do try to use a query rather than "DOMAIN\username" for SimpleDN User DN, I get the below credentials error.

What about allowing to specify auth user template and the Base DN query separately? Similar to what kanboard does (and other tools that support AD via LDAP):

Notice how you can specify the user/pass separately from Base DN query and filters at the bottom. Afaik this is a common scenario using LDAP for AD.

[galaktor]

I am willing to try hack this in myself, but don't know the frameworks (macaron etc.). Can anyone point me at the right place to change

• Authentication UI form for simple LDAP
• Backend that operates on LDAP / AD

I am familiar with golang so it's the architecture that I could use some pointers for.

[unknwon]

Here you go:

1. UI: https://github.com/gogits/gogs/tree/master/templates/admin/auth
2. Backend: https://github.com/gogits/gogs/blob/master/routers/admin/auths.go