Commit e1dc55a6 authored by Benjamin "Ziirish" SANS's avatar Benjamin "Ziirish" SANS

fix: the binding was not working on LDAP servers

parent 65e685a4
......@@ -86,7 +86,10 @@ class LdapLoader:
for record in r:
if record[self.attr][0] == searchval:
dn = record['distinguishedname'][0]
if 'distinguishedname' in record:
dn = record['distinguishedname'][0]
else:
dn = record['uid'][0]
self.app.logger.info('Found DN: {0}'.format(dn))
return {'dn': dn, 'cn': record['cn'][0]}
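Review bot: the `else` branch assigns a bare `uid` value to `dn`, so the caller receives something that is not a distinguished name and later has to reconstruct one; the thread below notes the correct fix is to request the entry's `dn` attribute in the search rather than fall back to `uid`. The same lines also index `record['cn'][0]` (and `record['uid'][0]` in the fallback) without checking the key exists, which raises `KeyError` for an entry missing either attribute; consider `record.get(...)` with an explicit error path, mirroring the `'distinguishedname' in record` check just added.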
......@@ -104,7 +107,7 @@ class LdapLoader:
:returns: True if bind was successful, otherwise False
"""
try:
l = simpleldap.Connection(self.host, dn='{0}'.format(dn), password=passwd)
l = simpleldap.Connection(self.host, dn='uid={0},{1}'.format(dn, self.base), password=passwd)
self.app.logger.info('Bound as user: {0}'.format(dn))
except Exception, e:
self.app.logger.error('Failed to authenticate user: {0}, {1}'.format(dn, str(e)))
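Review bot: `dn='uid={0},{1}'.format(dn, self.base)` only produces the right DN for entries that sit directly under `self.base`; any user in a sub-OU (for example `uid=x,ou=people,<base>`) will fail to bind, which is the objection raised in the comment thread, and the value passed in as `dn` is no longer a DN despite the parameter name. Use the DN returned by the search as the bind DN and drop the construction. As a style point, `except Exception, e:` is Python 2-only syntax; `except Exception as e:` works on both interpreters.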
  • That's going to break on any object found in a sub-tree, which was the point of using the DN instead, as that is the canonical path to the object we are binding as.

  • I think the attribute should actually be 'dn' instead of 'distinguishedname', but I think I tried that and it didn't work. I will test again.

  • Here is the content of the returned record on my setup:

     cn: Benjamin Ziirish Sans
    uid: ziirish

    Maybe I should build the dn at line 92 instead?

  • Nope, that's because I'm an idiot and you didn't request the dn attribute to be returned. You should never need to construct a DN as it is the canonical name of the object. Every object in the repo has a unique DN, it's provided by the 'top' objectClass.

    My stupidity was that I tried a search using 'dn=*' and it failed, so I took it to mean AD wasn't going to work with it and I should use distinguishedName instead. In fact, it should never work, as explained in this thread.

    I'll commit the fix again.
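The point the thread settles on, as an added example that is not code from this commit or from the project it belongs to: the bind DN should be taken from the search result itself, because the server returns every entry's canonical DN, whereas building `uid=<user>,<base>` only works for entries placed directly under the base. The records below are constructed inline in the `(dn, attrs)` shape that python-ldap's `search_s()` returns (an assumption about the result format; no live directory is contacted), with one user under the base and one in a sub-OU to show where the constructed form breaks.

```python
# Added example, not code from the project or the commit above.
# Demonstrates taking the bind DN from the directory's own result instead
# of constructing 'uid=<user>,<base>'.

BASE_DN = "dc=example,dc=org"  # constructed sample base

# Constructed sample search results in python-ldap's (dn, attrs) shape:
# one user directly under the base, one in a nested OU.
SAMPLE_RESULTS = [
    ("uid=alice,dc=example,dc=org",
     {"uid": [b"alice"], "cn": [b"Alice Example"]}),
    ("uid=bob,ou=staff,ou=people,dc=example,dc=org",
     {"uid": [b"bob"], "cn": [b"Bob Example"]}),
]


def find_bind_dn(results, attr, searchval):
    """Return (dn, cn) of the entry whose `attr` equals `searchval`.

    The DN comes straight from the result tuple: the server hands back the
    canonical DN of every entry, so nothing has to be rebuilt from `uid`.
    Comparison is exact, as in the original loader. Returns None when no
    entry matches instead of raising KeyError on a missing attribute.
    """
    for dn, record in results:
        values = record.get(attr, [])
        if any(v.decode() == searchval for v in values):
            cn = record.get("cn", [b""])[0].decode()
            return dn, cn
    return None


def constructed_dn(uid, base):
    """The form the commit builds: assumes every user sits directly under base."""
    return "uid={0},{1}".format(uid, base)


def dn_mismatches(results, base):
    """Return the uids whose constructed DN differs from the real DN.

    Any uid listed here would fail to bind if the constructed form were used.
    """
    bad = []
    for dn, record in results:
        uid = record["uid"][0].decode()
        if constructed_dn(uid, base) != dn:
            bad.append(uid)
    return bad


if __name__ == "__main__":
    print(find_bind_dn(SAMPLE_RESULTS, "uid", "bob"))
    print("uids that would fail a constructed bind:", dn_mismatches(SAMPLE_RESULTS, BASE_DN))
```

Running it shows `bob` is the entry the constructed form gets wrong: his real DN carries the `ou=staff,ou=people` path, so a bind with `uid=bob,dc=example,dc=org` would be rejected even with the right password. The lookup function also returns `None` for an unmatched user rather than raising, so the caller can log the failure and deny access cleanly.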
