make ldap eauth 2 factor compatible #42280
Description of Issue/Question
Our authentication service utilizes 2-factor-based tokens.
A common solution for this setup with LDAP is to utilize a dedicated bind user for all authenticated bind requests.
According to the documentation, this is actually by design.
Jul 20, 2017
Having reviewed this more carefully, may I just restate the problem and the desired functionality to make sure I understand?
Currently the problem appears to be the fact that when using LDAP + Salt's eAuth, Salt authenticates with LDAP via the user's name and password at least twice, since we use the user's name and PW to bind as well as to authenticate. With some 2FA solutions, 2FA tokens may only be used once, so auth always fails.
The desire is to modify the auth process so that a dedicated bind user is used to validate and retrieve the user's DN and associated memberships. After these are verified, only then is the actual user authenticated via 2FA token.
Did I get this right?
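To make the two flows described above concrete, here is an added illustration (not Salt's code) run against a constructed in-memory stand-in for the directory, where a user's password is a static part followed by a one-time token that the directory accepts only once; the DN layout, group name and service-account name are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class FakeLdap:
    """Constructed stand-in: password = static part + one-time token, each token accepted once."""
    users: dict            # dn -> {"uid", "static", "groups"}
    bind_users: dict       # service-account dn -> static password
    used_tokens: set = field(default_factory=set)

    def bind(self, dn, password):
        if dn in self.bind_users:                  # service accounts have no OTP
            return self.bind_users[dn] == password
        entry = self.users.get(dn)
        if entry is None or not password.startswith(entry["static"]):
            return False
        token = password[len(entry["static"]):]
        if token in self.used_tokens:              # token already consumed
            return False
        self.used_tokens.add(token)
        return True

    def search_user(self, uid):
        for dn, entry in self.users.items():
            if entry["uid"] == uid:
                return dn, entry["groups"]
        return None, []

def make_directory():  # constructed sample data (hypothetical DNs and groups)
    users = {"uid=alice,ou=people,dc=example,dc=com":
             {"uid": "alice", "static": "hunter2", "groups": ["salt-admins"]}}
    return FakeLdap(users, {"cn=salt-bind,ou=svc,dc=example,dc=com": "bind-secret"})

def auth_bind_as_user_twice(directory, uid, password):
    """Flow in the issue: user creds bind for the lookup and again to auth, so the OTP is spent twice."""
    dn = f"uid={uid},ou=people,dc=example,dc=com"
    if not directory.bind(dn, password):
        return None
    _, groups = directory.search_user(uid)
    if not directory.bind(dn, password):           # second use of the token fails
        return None
    return groups

def auth_with_bind_user(directory, uid, password, bind_dn, bind_pw):
    """Requested flow: the bind user resolves DN/groups, then the user's token is presented once."""
    if not directory.bind(bind_dn, bind_pw):
        return None
    dn, groups = directory.search_user(uid)
    if dn is None or not directory.bind(dn, password):
        return None
    return groups
```

Both functions return the user's group list on success and None on failure; only the bind-user flow succeeds when the second half of the password is a single-use token.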
Yup, essentially. Also, all subsequent LDAP connections (for that job) should use the bind credentials (if specified).
I added a check here for the existence of the show_jid key in the payload: https://github.com/saltstack/salt/pull/42426/files#diff-8aa8a7beb3814d772c1830930f3927a9R393