public_git
/
nginx-ldap-auth
mirror of https://github.com/nginxinc/nginx-ldap-auth.git
1
0
Fork 1
Code Issues Releases Wiki Activity

Added additional tests for user search results. 

This fixes https://github.com/nginxinc/nginx-ldap-auth/issues/55.

It was possible to perform successful bind with unknown user with recent
versions of python-ldap, in case when LDAP server returned continuation
object and allowed anonymous bind.
This commit is contained in:
Vladimir Homutov 2018-10-29 11:42:22 +03:00
parent 57fb98b528
commit 86687e2887
1 changed files with 18 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
nginx-ldap-auth-daemon.py
View File

@ -228,13 +228,27 @@ class LDAPAuthHandler(AuthHandler):
searchfilter, ['objectclass'], 1) searchfilter, ['objectclass'], 1)
ctx['action'] = 'verifying search query results' ctx['action'] = 'verifying search query results'
if len(results) < 1:
nres = len(results)
if nres < 1:
self.auth_failed(ctx, 'no objects found') self.auth_failed(ctx, 'no objects found')
return return
ctx['action'] = 'binding as an existing user' if nres > 1:
ldap_dn = results[0][0] self.log_message("note: filter match multiple objects: %d, using first" % nres)
ctx['action'] += ' "%s"' % ldap_dn
user_entry = results[0]
ldap_dn = user_entry[0]
if ldap_dn == None:
self.auth_failed(ctx, 'matched object has no dn')
return
self.log_message('attempting to bind using dn "%s"' % (ldap_dn))
ctx['action'] = 'binding as an existing user "%s"' % ldap_dn
ldap_obj.bind_s(ldap_dn, ctx['pass'], ldap.AUTH_SIMPLE) ldap_obj.bind_s(ldap_dn, ctx['pass'], ldap.AUTH_SIMPLE)
self.log_message('Auth OK for user "%s"' % (ctx['user'])) self.log_message('Auth OK for user "%s"' % (ctx['user']))