From b2fb2ef276e38405e358c6be8a32d41de609ee00 Mon Sep 17 00:00:00 2001 From: Will Rouesnel Date: Wed, 10 May 2023 15:52:02 +1000 Subject: [PATCH] lib/api: Allow BindDN to exclude any username formatting (fixes #8899) (#8900) This allows a syncthing instance to be locked to exactly 1 user without needing search capability on the LDAP instance. --- lib/api/api_auth.go | 11 ++++++++++- lib/api/api_auth_test.go | 20 ++++++++++++++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/lib/api/api_auth.go b/lib/api/api_auth.go index e84ae645e49..ad3d86638f8 100644 --- a/lib/api/api_auth.go +++ b/lib/api/api_auth.go @@ -161,7 +161,7 @@ func authLDAP(username string, password string, cfg config.LDAPConfiguration) bo defer connection.Close() - err = connection.Bind(fmt.Sprintf(cfg.BindDN, username), password) + err = connection.Bind(ldapTemplateBindDN(cfg.BindDN, username), password) if err != nil { l.Warnln("LDAP Bind:", err) return false @@ -199,6 +199,15 @@ func authLDAP(username string, password string, cfg config.LDAPConfiguration) bo return true } +func ldapTemplateBindDN(bindDN string, username string) string { + // Check if formatting directives are included in the ldapTemplateBindDN - if so add username. + // (%%s is a literal %s - unlikely for LDAP, but easy to handle here). + if strings.Count(bindDN, "%s") != strings.Count(bindDN, "%%s") { + bindDN = fmt.Sprintf(bindDN, username) + } + return bindDN +} + // Convert an ISO-8859-1 encoded byte string to UTF-8. Works by the // principle that ISO-8859-1 bytes are equivalent to unicode code points, // that a rune slice is a list of code points, and that stringifying a slice diff --git a/lib/api/api_auth_test.go b/lib/api/api_auth_test.go index 046b06a0771..be6a0c3a800 100644 --- a/lib/api/api_auth_test.go +++ b/lib/api/api_auth_test.go @@ -45,3 +45,23 @@ func TestStaticAuthPasswordFail(t *testing.T) { t.Fatalf("should fail auth") } } + +func TestAuthLDAPSendsCorrectBindDNWithTemplate(t *testing.T) { + t.Parallel() + + templatedDn := ldapTemplateBindDN("cn=%s,dc=some,dc=example,dc=com", "username") + expectedDn := "cn=username,dc=some,dc=example,dc=com" + if expectedDn != templatedDn { + t.Fatalf("ldapTemplateBindDN should be %s != %s", expectedDn, templatedDn) + } +} + +func TestAuthLDAPSendsCorrectBindDNWithNoTemplate(t *testing.T) { + t.Parallel() + + templatedDn := ldapTemplateBindDN("cn=fixedusername,dc=some,dc=example,dc=com", "username") + expectedDn := "cn=fixedusername,dc=some,dc=example,dc=com" + if expectedDn != templatedDn { + t.Fatalf("ldapTemplateBindDN should be %s != %s", expectedDn, templatedDn) + } +}