Description
Currently, authentication is only possible via the uid of the user. Thereby, the uid of the user as well as his password are used to make an authentication call to the LDAP server.
For my setup I wanted authentication to work with the user's mail attribute instead. Thereby, two authentication calls are necessary:
- Authentication via BIND DN (i.e. an admin account), which fetches the user's `uid` based on the given `mail`
- User authentication with the obtained `uid`

I modified the script accordingly, but since I am not fluent in bash I prefer to write it down in this issue instead of a PR. Maybe there is a way to merge it with the existing code? My modifications follow:
- In `ldap_auth_curl()` and `ldap_auth_ldapsearch()` I replaced the variable `$password` with `$PW`.
- Since two authentication calls are now necessary, I wrapped the code in question in a function:

```bash
ldap_auth() {
    case "$CLIENT" in
        "curl")       ldap_auth_curl ;;
        "ldapsearch") ldap_auth_ldapsearch ;;
        *)
            log "Unsupported client '$CLIENT', revise the configuration."
            exit 2
            ;;
    esac
    return $?
}
```

- The single authentication call now becomes:

```bash
...
[ $err -ne 0 ] && exit 2

# Do authentication via bind_dn to get user_dn
ldap_auth

# Overwrite parameters for actual authentication without bind_dn
USERDN=$(echo "$output" | sed -n -e "s/^\(dn\|DN\)\s*:\s*\(uid.*\)$/\2/p")
PW="$password"
if [ -z "$USERDN" ]; then
    log "User '$username' could not be found."
    exit 1
fi

# Actual user authentication
ldap_auth
result=$?
...
```
You can find my updated script here (breaking the original functionality of direct authentication).

An example configuration file for the updated script follows:

```bash
SERVER="ldap://ldap.domain.com:389"
# Service account used for the first (lookup) bind
USERDN="uid=root,cn=users,dc=ldap,dc=domain,dc=com"
PW="[secret]"
BASEDN="cn=users,dc=ldap,dc=domain,dc=com"
SCOPE="one"
# The login name is matched against the mail attribute instead of uid
FILTER="(&(objectClass=person)(mail=$(ldap_dn_escape "$username")))"
NAME_ATTR="cn"
ATTRS="$ATTRS $NAME_ATTR"
# '@' and '.' are needed for mail addresses. Inside a bracket expression '|'
# is a literal character, not an alternation, so the original
# '^[a-z|A-Z|0-9|_|-|.|@]+$' also admitted '|' in usernames.
USERNAME_PATTERN='^[A-Za-z0-9_.@-]+$'
```
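The same two-step flow (look the user up by mail with a service account, then bind as the user) as an added worked example in POSIX shell. This is not the project's or the issue author's code; `SERVER`, `BINDDN`, `BINDPW`, `BASEDN` and `SCOPE` are assumed configuration names, `ldapsearch` is OpenLDAP's client, and the LDIF at the bottom is constructed sample output. It adds three checks the issue's sketch does not have: a filter-specific escape for the login name (a DN escape does not neutralise `*`, `(` and `)` in a search filter), a DN extractor that also decodes `dn::` base64 lines and refuses ambiguous results, and an explicit rejection of empty passwords.

```shell
#!/bin/sh
# Added example (not the project's or the issue author's code) for the
# "look up DN by mail, then bind as the user" flow. SERVER, BINDDN, BINDPW,
# BASEDN and SCOPE are assumed configuration variables.

# Allowlist check for the login name. A bracket expression with '|' in it
# (as in '[a-z|A-Z|...]') would admit a literal '|', so list only the wanted
# characters. case matches the whole string, newlines included, unlike grep.
check_username() {
    case $1 in
        '' | *[!A-Za-z0-9_.@-]*) return 1 ;;
    esac
    return 0
}

# Escape a value for use inside a search filter (RFC 4515 section 3). This
# differs from DN escaping: '\', '*', '(' and ')' become \XX, otherwise a
# login of '*)(uid=*' turns the mail lookup into a wildcard search. NUL
# cannot occur in a shell string, so it needs no handling here.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Pull the DN out of LDIF from ldapsearch. Handles both 'dn: ' and the
# base64 form 'dn:: ' that ldapsearch emits for DNs with non-ASCII or
# leading/trailing spaces. Exactly one entry must match: zero means
# "unknown user", more than one means mail is not unique, and binding as
# "the first one" would let one mailbox holder log in as another.
extract_user_dn() {
    count=0
    found=
    while IFS= read -r line; do
        case $line in
            'dn:: '*) dn=$(printf '%s' "${line#dn:: }" | base64 -d) ;;
            'dn: '*)  dn=${line#dn: } ;;
            *) continue ;;
        esac
        count=$((count + 1))
        found=$dn
    done <<EOF
$1
EOF
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$found"
}

# The two binds. Not executed here (needs a directory server).
ldap_auth_by_mail() {
    username=$1
    password=$2
    check_username "$username" || return 2
    # An empty password is an unauthenticated bind (RFC 4513), which many
    # servers accept, so it must be rejected before talking to the server.
    [ -n "$password" ] || return 1
    filter="(&(objectClass=person)(mail=$(ldap_filter_escape "$username")))"
    # Step 1: service-account bind; -o ldif-wrap=no keeps long DNs on one
    # line so extract_user_dn sees them whole.
    output=$(ldapsearch -LLL -x -o ldif-wrap=no -H "$SERVER" \
        -D "$BINDDN" -w "$BINDPW" -b "$BASEDN" -s "$SCOPE" "$filter" dn) \
        || return 2
    user_dn=$(extract_user_dn "$output") || return 1
    # Step 2: bind as the user with the supplied password; a base-scope
    # read of the user's own entry is enough to prove the bind succeeded.
    ldapsearch -LLL -x -H "$SERVER" -D "$user_dn" -w "$password" \
        -b "$user_dn" -s base '(objectClass=*)' dn >/dev/null 2>&1
}

# Constructed LDIF, as ldapsearch -LLL would print it for one matching entry.
SAMPLE_LDIF='dn: uid=jdoe,cn=users,dc=ldap,dc=domain,dc=com
mail: john.doe@domain.com
'
extract_user_dn "$SAMPLE_LDIF"
```

`ldap_auth_by_mail` passes both passwords with `-w`, which exposes them in the process list on a shared host; `ldapsearch -y FILE` reads the bind password from a file instead and is the better choice when the script does not run as the only user on the machine.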