ldap: return actual "cn" value instead of "uid" in LDAP messages

Valentin Tolmer 2022-04-29 09:46:46 +02:00 committed by nitnelave
parent e1e1d6cd20
commit bd90a3a426
7 changed files with 46 additions and 31 deletions


@ -42,6 +42,6 @@ authentication_backend:
display_name_attribute: displayName display_name_attribute: displayName
# The username and password of the admin user. # The username and password of the admin user.
# "admin" should be the admin username you set in the LLDAP configuration # "admin" should be the admin username you set in the LLDAP configuration
user: cn=admin,ou=people,dc=example,dc=com user: uid=admin,ou=people,dc=example,dc=com
# Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html # Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
password: 'REPLACE_ME' password: 'REPLACE_ME'


@ -16,13 +16,13 @@ LDAP_BASE_DN=ou=people,dc=example,dc=com
# The full DN and password of the user used to search the server # The full DN and password of the user used to search the server
# Can both be left as false to bind anonymously # Can both be left as false to bind anonymously
LDAP_DN=cn=admin,ou=people,dc=example,dc=com LDAP_DN=uid=admin,ou=people,dc=example,dc=com
LDAP_PASS=YOUR-ADMIN-PASSWORD-HERE LDAP_PASS=YOUR-ADMIN-PASSWORD-HERE
# A filter to use when searching for users # A filter to use when searching for users
# The user-provided user-name used to replace any occurrences of '${user}' # The user-provided user-name used to replace any occurrences of '${user}'
# If you're setting this option via other means, such as within a docker-compose.yml, # If you're setting this option via other means, such as within a docker-compose.yml,
# you may need escape the $, often using $$ or \$ instead. # you may need escape the $, often using $$ or \$ instead.
LDAP_USER_FILTER=(&(uid=${user})) LDAP_USER_FILTER=(&(uid=${user}))
# Set the LDAP version to use when connecting to the server # Set the LDAP version to use when connecting to the server


@ -4,7 +4,7 @@ This example will help you to create user in dolibarr from your users in your ll
## To connect ldap->dolibarr ## To connect ldap->dolibarr
In Dolibarr, install the LDAP module from Home -> Modules/Applications In Dolibarr, install the LDAP module from `Home` -> `Modules/Applications`
Go to the configuration of this module and fill it like this: Go to the configuration of this module and fill it like this:
@ -17,24 +17,23 @@ Go to the configuration of this module and fill it like this:
- Server port: port `3890` - Server port: port `3890`
- Server DN: `dc=example,dc=com` - Server DN: `dc=example,dc=com`
- Use TLS: `No` - Use TLS: `No`
- Administrator DN: `cn=admin,ou=people,dc=example,dc=com` - Administrator DN: `uid=admin,ou=people,dc=example,dc=com`
- Administrator password: `secret` - Administrator password: `secret`
Click on modify then "TEST LDAP CONNECTION". Click on modify then "TEST LDAP CONNECTION".
You should get this result on the bottom: You should get this result on the bottom:
``` ```
TCP connect to LDAP server successful (Server=ldap://example.com, Port=389) TCP connect to LDAP server successful (Server=ldap://example.com, Port=389)
Connect/Authenticate to LDAP server successful (Server=ldap://example.com, Port=389, Admin=cn=admin,ou=people,dc=example,dc=com, Password=**********) Connect/Authenticate to LDAP server successful (Server=ldap://example.com, Port=389, Admin=uid=admin,ou=people,dc=example,dc=com, Password=**********)
LDAP server configured for version 3 LDAP server configured for version 3
``` ```
And two new tabs will appear on the top: And two new tabs will appear on the top: `Users` and `Groups`.
Users and Groups
We will use only Users in this example to get the users we want to import. We will use only `Users` in this example to get the users we want to import.
The tab Groups would be to import groups. The tab `Groups` would be to import groups.
Click on the Users tab and fill it like this: Click on the `Users` tab and fill it like this:
- Users' DN: `ou=people,dc=example,dc=com` - Users' DN: `ou=people,dc=example,dc=com`
- List of objectClass: `person` - List of objectClass: `person`
- Search filter: `memberOf=cn=yournamegroup,ou=groups,dc=example,dc=com` - Search filter: `memberOf=cn=yournamegroup,ou=groups,dc=example,dc=com`
@ -47,20 +46,20 @@ Click on the Users tab and fill it like this:
- Login `uid` - Login `uid`
- Email address `mail` - Email address `mail`
Click on "MODIFY" and then on "TEST A LDAP SEARCH" Click on "MODIFY" and then on "TEST A LDAP SEARCH".
You should get the number of users in the group or all users if you didn't use a filter. You should get the number of users in the group or all users if you didn't use a filter.
## To import ldap users into the dolibarr database (needed to login with those users): ## To import ldap users into the dolibarr database (needed to login with those users):
Navigate to Users & Groups -> New Users Navigate to `Users & Groups` -> `New Users`.
Click on the blank form "Users in LDAP database", you will get the list of the users in the group filled above. With the "GET" button, you will import the selected user. Click on the blank form "Users in LDAP database", you will get the list of the users in the group filled above. With the "GET" button, you will import the selected user.
## To enable LDAP login: ## To enable LDAP login:
Modify your `conf.php` in your dolibarr folder in `htdocs/conf` Modify your `conf.php` in your dolibarr folder in `htdocs/conf`.
Replace Replace
``` ```
// Authentication settings // Authentication settings
@ -76,9 +75,9 @@ $dolibarr_main_auth_ldap_host='ldap://127.0.0.1:3890';
$dolibarr_main_auth_ldap_port='3890'; $dolibarr_main_auth_ldap_port='3890';
$dolibarr_main_auth_ldap_version='3'; $dolibarr_main_auth_ldap_version='3';
$dolibarr_main_auth_ldap_servertype='openldap'; $dolibarr_main_auth_ldap_servertype='openldap';
$dolibarr_main_auth_ldap_login_attribute='cn'; $dolibarr_main_auth_ldap_login_attribute='uid';
$dolibarr_main_auth_ldap_dn='ou=people,dc=example,dc=com'; $dolibarr_main_auth_ldap_dn='ou=people,dc=example,dc=com';
$dolibarr_main_auth_ldap_admin_login='cn=admin,ou=people,dc=example,dc=com'; $dolibarr_main_auth_ldap_admin_login='uid=admin,ou=people,dc=example,dc=com';
$dolibarr_main_auth_ldap_admin_pass='secret'; $dolibarr_main_auth_ldap_admin_pass='secret';
``` ```


@ -4,7 +4,7 @@ Replace `dc=example,dc=com` with your LLDAP configured domain.
### LDAP Bind User ### LDAP Bind User
``` ```
cn=admin,ou=people,dc=example,dc=com uid=admin,ou=people,dc=example,dc=com
``` ```
### LDAP Base DN for searches ### LDAP Base DN for searches
@ -12,6 +12,18 @@ cn=admin,ou=people,dc=example,dc=com
ou=people,dc=example,dc=com ou=people,dc=example,dc=com
``` ```
### LDAP Attributes
```
uid, mail
```
### LDAP Name Attribute
```
uid
```
### User Filter ### User Filter
If you have a `media` group, you can use: If you have a `media` group, you can use:


@ -18,7 +18,7 @@ LDAP_URL=ldap://IP:3890
LDAP_BASE=ou=people,dc=example,dc=com LDAP_BASE=ou=people,dc=example,dc=com
# LDAP user DN. # LDAP user DN.
LDAP_BINDDN=cn=admin,ou=people,dc=example,dc=com LDAP_BINDDN=uid=admin,ou=people,dc=example,dc=com
# LLDAP admin password. # LLDAP admin password.
LDAP_BINDPW=password LDAP_BINDPW=password


@ -25,7 +25,7 @@ The key settings are:
- Connection URL: `ldap://<your-lldap-container>:3890` - Connection URL: `ldap://<your-lldap-container>:3890`
- Users DN: `ou=people,dc=example,dc=com` (or whatever `dc` you have) - Users DN: `ou=people,dc=example,dc=com` (or whatever `dc` you have)
- Bind Type: `simple` - Bind Type: `simple`
- Bind DN: `cn=admin,ou=people,dc=example,dc=com` (replace with your admin user and `dc`) - Bind DN: `uid=admin,ou=people,dc=example,dc=com` (replace with your admin user and `dc`)
- Bind Credential: your LLDAP admin password - Bind Credential: your LLDAP admin password
Test the connection and authentication, it should work. Test the connection and authentication, it should work.


@ -85,7 +85,7 @@ fn get_user_id_from_distinguished_name(
|| (parts[0].0 != "cn" && parts[0].0 != "uid") || (parts[0].0 != "cn" && parts[0].0 != "uid")
{ {
bail!( bail!(
r#"Unexpected user DN format. Got "{}", expected: "cn=username,ou=people,{}""#, r#"Unexpected user DN format. Got "{}", expected: "uid=username,ou=people,{}""#,
dn, dn,
base_dn_str base_dn_str
); );
@ -93,7 +93,7 @@ fn get_user_id_from_distinguished_name(
Ok(UserId::new(&parts[0].1)) Ok(UserId::new(&parts[0].1))
} else { } else {
bail!( bail!(
r#"Unexpected user DN format. Got "{}", expected: "cn=username,ou=people,{}""#, r#"Unexpected user DN format. Got "{}", expected: "uid=username,ou=people,{}""#,
dn, dn,
base_dn_str base_dn_str
); );
@ -125,7 +125,11 @@ fn make_ldap_search_user_result_entry(
base_dn_str: &str, base_dn_str: &str,
attributes: &[String], attributes: &[String],
) -> Result<LdapSearchResultEntry> { ) -> Result<LdapSearchResultEntry> {
let dn = format!("cn={},ou=people,{}", user.user_id.as_str(), base_dn_str); let dn = format!(
"cn={},ou=people,{}",
user.display_name.as_str(),
base_dn_str
);
Ok(LdapSearchResultEntry { Ok(LdapSearchResultEntry {
dn: dn.clone(), dn: dn.clone(),
attributes: attributes attributes: attributes
@ -864,7 +868,7 @@ mod tests {
.times(1) .times(1)
.return_once(|_| { .return_once(|_| {
Ok(vec![User { Ok(vec![User {
user_id: UserId::new("test"), display_name: "test".to_string(),
..Default::default() ..Default::default()
}]) }])
}); });
@ -1009,7 +1013,7 @@ mod tests {
ldap_handler.do_search(&request).await, ldap_handler.do_search(&request).await,
vec![ vec![
LdapOp::SearchResultEntry(LdapSearchResultEntry { LdapOp::SearchResultEntry(LdapSearchResultEntry {
dn: "cn=bob_1,ou=people,dc=example,dc=com".to_string(), dn: "cn=Bôb Böbberson,ou=people,dc=example,dc=com".to_string(),
attributes: vec![ attributes: vec![
LdapPartialAttribute { LdapPartialAttribute {
atype: "objectClass".to_string(), atype: "objectClass".to_string(),
@ -1022,7 +1026,7 @@ mod tests {
}, },
LdapPartialAttribute { LdapPartialAttribute {
atype: "dn".to_string(), atype: "dn".to_string(),
vals: vec!["cn=bob_1,ou=people,dc=example,dc=com".to_string()] vals: vec!["cn=Bôb Böbberson,ou=people,dc=example,dc=com".to_string()]
}, },
LdapPartialAttribute { LdapPartialAttribute {
atype: "uid".to_string(), atype: "uid".to_string(),
@ -1051,7 +1055,7 @@ mod tests {
], ],
}), }),
LdapOp::SearchResultEntry(LdapSearchResultEntry { LdapOp::SearchResultEntry(LdapSearchResultEntry {
dn: "cn=jim,ou=people,dc=example,dc=com".to_string(), dn: "cn=Jimminy Cricket,ou=people,dc=example,dc=com".to_string(),
attributes: vec![ attributes: vec![
LdapPartialAttribute { LdapPartialAttribute {
atype: "objectClass".to_string(), atype: "objectClass".to_string(),
@ -1064,7 +1068,7 @@ mod tests {
}, },
LdapPartialAttribute { LdapPartialAttribute {
atype: "dn".to_string(), atype: "dn".to_string(),
vals: vec!["cn=jim,ou=people,dc=example,dc=com".to_string()] vals: vec!["cn=Jimminy Cricket,ou=people,dc=example,dc=com".to_string()]
}, },
LdapPartialAttribute { LdapPartialAttribute {
atype: "uid".to_string(), atype: "uid".to_string(),
@ -1409,7 +1413,7 @@ mod tests {
.times(1) .times(1)
.return_once(|_| { .return_once(|_| {
Ok(vec![User { Ok(vec![User {
user_id: UserId::new("bob_1"), display_name: "bob_1".to_string(),
..Default::default() ..Default::default()
}]) }])
}); });
@ -1473,7 +1477,7 @@ mod tests {
ldap_handler.do_search(&request).await, ldap_handler.do_search(&request).await,
vec![ vec![
LdapOp::SearchResultEntry(LdapSearchResultEntry { LdapOp::SearchResultEntry(LdapSearchResultEntry {
dn: "cn=bob_1,ou=people,dc=example,dc=com".to_string(), dn: "cn=Bôb Böbberson,ou=people,dc=example,dc=com".to_string(),
attributes: vec![ attributes: vec![
LdapPartialAttribute { LdapPartialAttribute {
atype: "objectClass".to_string(), atype: "objectClass".to_string(),
@ -1486,7 +1490,7 @@ mod tests {
}, },
LdapPartialAttribute { LdapPartialAttribute {
atype: "dn".to_string(), atype: "dn".to_string(),
vals: vec!["cn=bob_1,ou=people,dc=example,dc=com".to_string()] vals: vec!["cn=Bôb Böbberson,ou=people,dc=example,dc=com".to_string()]
}, },
LdapPartialAttribute { LdapPartialAttribute {
atype: "cn".to_string(), atype: "cn".to_string(),
@ -1623,7 +1627,7 @@ mod tests {
ldap_handler.handle_ldap_message(request).await, ldap_handler.handle_ldap_message(request).await,
Some(vec![make_extended_response( Some(vec![make_extended_response(
LdapResultCode::InvalidDNSyntax, LdapResultCode::InvalidDNSyntax,
r#"Invalid username: "Unexpected user DN format. Got \"cn=bob,ou=groups,ou=people,dc=example,dc=com\", expected: \"cn=username,ou=people,dc=example,dc=com\"""#.to_string(), r#"Invalid username: "Unexpected user DN format. Got \"cn=bob,ou=groups,ou=people,dc=example,dc=com\", expected: \"uid=username,ou=people,dc=example,dc=com\"""#.to_string(),
)]) )])
); );
let request = LdapOp::ExtendedRequest(LdapExtendedRequest { let request = LdapOp::ExtendedRequest(LdapExtendedRequest {
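Review bot: In the make_ldap_search_user_result_entry hunk the entry DN is now built from `user.display_name`, which is free text and (as far as this page shows) not guaranteed unique, so the DN returned by a search no longer round-trips through get_user_id_from_distinguished_name, which takes the first RDN value as the UserId; a client that searches and then binds with the returned DN, or two users sharing a display name, will resolve to a non-existent or wrong user. The value is also interpolated unescaped, so a display name containing characters RFC 4514 requires escaping (for example `,` or `=`) produces a malformed DN that clients may parse differently from the server. Consider keeping the user id in the DN and matching the `uid=` form the new error messages advertise, `let dn = format!("uid={},ou=people,{}", user.user_id.as_str(), base_dn_str);`, exposing the display name only through the `cn` attribute, or at minimum escaping the RDN value. Both make_ldap_search_user_result_entry and get_user_id_from_distinguished_name start and end outside their hunks.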