ldap: return uids instead of cns for users

This commit is contained in:
Valentin Tolmer 2022-05-02 15:29:52 +02:00 committed by nitnelave
parent 4f89b73fe5
commit f1b86a16ee

View File

@ -125,11 +125,7 @@ fn make_ldap_search_user_result_entry(
base_dn_str: &str, base_dn_str: &str,
attributes: &[String], attributes: &[String],
) -> Result<LdapSearchResultEntry> { ) -> Result<LdapSearchResultEntry> {
let dn = format!( let dn = format!("uid={},ou=people,{}", user.user_id.as_str(), base_dn_str);
"cn={},ou=people,{}",
user.display_name.as_str(),
base_dn_str
);
Ok(LdapSearchResultEntry { Ok(LdapSearchResultEntry {
dn: dn.clone(), dn: dn.clone(),
attributes: attributes attributes: attributes
@ -165,7 +161,7 @@ fn get_group_attribute(
.users .users
.iter() .iter()
.filter(|u| user_filter.map(|f| *u == f).unwrap_or(true)) .filter(|u| user_filter.map(|f| *u == f).unwrap_or(true))
.map(|u| format!("cn={},ou=people,{}", u, base_dn_str)) .map(|u| format!("uid={},ou=people,{}", u, base_dn_str))
.collect(), .collect(),
"1.1" => return Ok(None), "1.1" => return Ok(None),
_ => bail!("Unsupported group attribute: {}", attribute), _ => bail!("Unsupported group attribute: {}", attribute),
@ -311,7 +307,7 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
ldap_base_dn ldap_base_dn
) )
}), }),
ldap_user_dn: LdapDn(format!("cn={},ou=people,{}", ldap_user_dn, &ldap_base_dn)), ldap_user_dn: LdapDn(format!("uid={},ou=people,{}", ldap_user_dn, &ldap_base_dn)),
base_dn_str: ldap_base_dn, base_dn_str: ldap_base_dn,
} }
} }
@ -786,7 +782,7 @@ mod tests {
let mut ldap_handler = let mut ldap_handler =
LdapHandler::new(mock, "dc=example,dc=com".to_string(), UserId::new("test")); LdapHandler::new(mock, "dc=example,dc=com".to_string(), UserId::new("test"));
let request = LdapBindRequest { let request = LdapBindRequest {
dn: "cn=test,ou=people,dc=example,dc=com".to_string(), dn: "uid=test,ou=people,dc=example,dc=com".to_string(),
cred: LdapBindCred::Simple("pass".to_string()), cred: LdapBindCred::Simple("pass".to_string()),
}; };
assert_eq!( assert_eq!(
@ -841,7 +837,7 @@ mod tests {
LdapHandler::new(mock, "dc=example,dc=com".to_string(), UserId::new("test")); LdapHandler::new(mock, "dc=example,dc=com".to_string(), UserId::new("test"));
let request = LdapBindRequest { let request = LdapBindRequest {
dn: "cn=test,ou=people,dc=example,dc=com".to_string(), dn: "uid=test,ou=people,dc=example,dc=com".to_string(),
cred: LdapBindCred::Simple("pass".to_string()), cred: LdapBindCred::Simple("pass".to_string()),
}; };
assert_eq!( assert_eq!(
@ -868,7 +864,7 @@ mod tests {
.times(1) .times(1)
.return_once(|_| { .return_once(|_| {
Ok(vec![User { Ok(vec![User {
display_name: "test".to_string(), user_id: UserId::new("test"),
..Default::default() ..Default::default()
}]) }])
}); });
@ -876,7 +872,7 @@ mod tests {
LdapHandler::new(mock, "dc=example,dc=com".to_string(), UserId::new("admin")); LdapHandler::new(mock, "dc=example,dc=com".to_string(), UserId::new("admin"));
let request = LdapBindRequest { let request = LdapBindRequest {
dn: "cn=test,ou=people,dc=example,dc=com".to_string(), dn: "uid=test,ou=people,dc=example,dc=com".to_string(),
cred: LdapBindCred::Simple("pass".to_string()), cred: LdapBindCred::Simple("pass".to_string()),
}; };
assert_eq!( assert_eq!(
@ -890,7 +886,7 @@ mod tests {
ldap_handler.do_search(&request).await, ldap_handler.do_search(&request).await,
vec![ vec![
LdapOp::SearchResultEntry(LdapSearchResultEntry { LdapOp::SearchResultEntry(LdapSearchResultEntry {
dn: "cn=test,ou=people,dc=example,dc=com".to_string(), dn: "uid=test,ou=people,dc=example,dc=com".to_string(),
attributes: vec![], attributes: vec![],
}), }),
make_search_success() make_search_success()
@ -913,7 +909,7 @@ mod tests {
LdapResultCode::NamingViolation, LdapResultCode::NamingViolation,
); );
let request = LdapBindRequest { let request = LdapBindRequest {
dn: "cn=bob,ou=groups,dc=example,dc=com".to_string(), dn: "uid=bob,dc=example,dc=com".to_string(),
cred: LdapBindCred::Simple("pass".to_string()), cred: LdapBindCred::Simple("pass".to_string()),
}; };
assert_eq!( assert_eq!(
@ -921,7 +917,7 @@ mod tests {
LdapResultCode::NamingViolation, LdapResultCode::NamingViolation,
); );
let request = LdapBindRequest { let request = LdapBindRequest {
dn: "cn=bob,ou=people,dc=example,dc=fr".to_string(), dn: "uid=bob,ou=groups,dc=example,dc=com".to_string(),
cred: LdapBindCred::Simple("pass".to_string()), cred: LdapBindCred::Simple("pass".to_string()),
}; };
assert_eq!( assert_eq!(
@ -929,7 +925,15 @@ mod tests {
LdapResultCode::NamingViolation, LdapResultCode::NamingViolation,
); );
let request = LdapBindRequest { let request = LdapBindRequest {
dn: "cn=bob=test,ou=people,dc=example,dc=com".to_string(), dn: "uid=bob,ou=people,dc=example,dc=fr".to_string(),
cred: LdapBindCred::Simple("pass".to_string()),
};
assert_eq!(
ldap_handler.do_bind(&request).await.0,
LdapResultCode::NamingViolation,
);
let request = LdapBindRequest {
dn: "uid=bob=test,ou=people,dc=example,dc=com".to_string(),
cred: LdapBindCred::Simple("pass".to_string()), cred: LdapBindCred::Simple("pass".to_string()),
}; };
assert_eq!( assert_eq!(
@ -1013,7 +1017,7 @@ mod tests {
ldap_handler.do_search(&request).await, ldap_handler.do_search(&request).await,
vec![ vec![
LdapOp::SearchResultEntry(LdapSearchResultEntry { LdapOp::SearchResultEntry(LdapSearchResultEntry {
dn: "cn=Bôb Böbberson,ou=people,dc=example,dc=com".to_string(), dn: "uid=bob_1,ou=people,dc=example,dc=com".to_string(),
attributes: vec![ attributes: vec![
LdapPartialAttribute { LdapPartialAttribute {
atype: "objectClass".to_string(), atype: "objectClass".to_string(),
@ -1026,7 +1030,7 @@ mod tests {
}, },
LdapPartialAttribute { LdapPartialAttribute {
atype: "dn".to_string(), atype: "dn".to_string(),
vals: vec!["cn=Bôb Böbberson,ou=people,dc=example,dc=com".to_string()] vals: vec!["uid=bob_1,ou=people,dc=example,dc=com".to_string()]
}, },
LdapPartialAttribute { LdapPartialAttribute {
atype: "uid".to_string(), atype: "uid".to_string(),
@ -1055,7 +1059,7 @@ mod tests {
], ],
}), }),
LdapOp::SearchResultEntry(LdapSearchResultEntry { LdapOp::SearchResultEntry(LdapSearchResultEntry {
dn: "cn=Jimminy Cricket,ou=people,dc=example,dc=com".to_string(), dn: "uid=jim,ou=people,dc=example,dc=com".to_string(),
attributes: vec![ attributes: vec![
LdapPartialAttribute { LdapPartialAttribute {
atype: "objectClass".to_string(), atype: "objectClass".to_string(),
@ -1068,7 +1072,7 @@ mod tests {
}, },
LdapPartialAttribute { LdapPartialAttribute {
atype: "dn".to_string(), atype: "dn".to_string(),
vals: vec!["cn=Jimminy Cricket,ou=people,dc=example,dc=com".to_string()] vals: vec!["uid=jim,ou=people,dc=example,dc=com".to_string()]
}, },
LdapPartialAttribute { LdapPartialAttribute {
atype: "uid".to_string(), atype: "uid".to_string(),
@ -1148,8 +1152,8 @@ mod tests {
LdapPartialAttribute { LdapPartialAttribute {
atype: "uniqueMember".to_string(), atype: "uniqueMember".to_string(),
vals: vec![ vals: vec![
"cn=bob,ou=people,dc=example,dc=com".to_string(), "uid=bob,ou=people,dc=example,dc=com".to_string(),
"cn=john,ou=people,dc=example,dc=com".to_string(), "uid=john,ou=people,dc=example,dc=com".to_string(),
] ]
}, },
], ],
@ -1171,7 +1175,7 @@ mod tests {
}, },
LdapPartialAttribute { LdapPartialAttribute {
atype: "uniqueMember".to_string(), atype: "uniqueMember".to_string(),
vals: vec!["cn=john,ou=people,dc=example,dc=com".to_string()] vals: vec!["uid=john,ou=people,dc=example,dc=com".to_string()]
}, },
], ],
}), }),
@ -1205,7 +1209,7 @@ mod tests {
LdapFilter::Equality("cn".to_string(), "group_1".to_string()), LdapFilter::Equality("cn".to_string(), "group_1".to_string()),
LdapFilter::Equality( LdapFilter::Equality(
"uniqueMember".to_string(), "uniqueMember".to_string(),
"cn=bob,ou=people,dc=example,dc=com".to_string(), "uid=bob,ou=people,dc=example,dc=com".to_string(),
), ),
LdapFilter::Equality("objectclass".to_string(), "groupOfUniqueNames".to_string()), LdapFilter::Equality("objectclass".to_string(), "groupOfUniqueNames".to_string()),
LdapFilter::Equality("objectclass".to_string(), "groupOfNames".to_string()), LdapFilter::Equality("objectclass".to_string(), "groupOfNames".to_string()),
@ -1413,7 +1417,7 @@ mod tests {
.times(1) .times(1)
.return_once(|_| { .return_once(|_| {
Ok(vec![User { Ok(vec![User {
display_name: "bob_1".to_string(), user_id: UserId::new("bob_1"),
..Default::default() ..Default::default()
}]) }])
}); });
@ -1428,7 +1432,7 @@ mod tests {
ldap_handler.do_search(&request).await, ldap_handler.do_search(&request).await,
vec![ vec![
LdapOp::SearchResultEntry(LdapSearchResultEntry { LdapOp::SearchResultEntry(LdapSearchResultEntry {
dn: "cn=bob_1,ou=people,dc=example,dc=com".to_string(), dn: "uid=bob_1,ou=people,dc=example,dc=com".to_string(),
attributes: vec![LdapPartialAttribute { attributes: vec![LdapPartialAttribute {
atype: "objectclass".to_string(), atype: "objectclass".to_string(),
vals: vec![ vals: vec![
@ -1477,7 +1481,7 @@ mod tests {
ldap_handler.do_search(&request).await, ldap_handler.do_search(&request).await,
vec![ vec![
LdapOp::SearchResultEntry(LdapSearchResultEntry { LdapOp::SearchResultEntry(LdapSearchResultEntry {
dn: "cn=Bôb Böbberson,ou=people,dc=example,dc=com".to_string(), dn: "uid=bob_1,ou=people,dc=example,dc=com".to_string(),
attributes: vec![ attributes: vec![
LdapPartialAttribute { LdapPartialAttribute {
atype: "objectClass".to_string(), atype: "objectClass".to_string(),
@ -1490,7 +1494,7 @@ mod tests {
}, },
LdapPartialAttribute { LdapPartialAttribute {
atype: "dn".to_string(), atype: "dn".to_string(),
vals: vec!["cn=Bôb Böbberson,ou=people,dc=example,dc=com".to_string()] vals: vec!["uid=bob_1,ou=people,dc=example,dc=com".to_string()]
}, },
LdapPartialAttribute { LdapPartialAttribute {
atype: "cn".to_string(), atype: "cn".to_string(),
@ -1582,7 +1586,7 @@ mod tests {
let mut ldap_handler = setup_bound_handler(mock).await; let mut ldap_handler = setup_bound_handler(mock).await;
let request = LdapOp::ExtendedRequest( let request = LdapOp::ExtendedRequest(
LdapPasswordModifyRequest { LdapPasswordModifyRequest {
user_identity: Some("cn=bob,ou=people,dc=example,dc=com".to_string()), user_identity: Some("uid=bob,ou=people,dc=example,dc=com".to_string()),
old_password: None, old_password: None,
new_password: Some("password".to_string()), new_password: Some("password".to_string()),
} }
@ -1617,7 +1621,7 @@ mod tests {
); );
let request = LdapOp::ExtendedRequest( let request = LdapOp::ExtendedRequest(
LdapPasswordModifyRequest { LdapPasswordModifyRequest {
user_identity: Some("cn=bob,ou=groups,ou=people,dc=example,dc=com".to_string()), user_identity: Some("uid=bob,ou=groups,ou=people,dc=example,dc=com".to_string()),
old_password: None, old_password: None,
new_password: Some("password".to_string()), new_password: Some("password".to_string()),
} }
@ -1627,7 +1631,7 @@ mod tests {
ldap_handler.handle_ldap_message(request).await, ldap_handler.handle_ldap_message(request).await,
Some(vec![make_extended_response( Some(vec![make_extended_response(
LdapResultCode::InvalidDNSyntax, LdapResultCode::InvalidDNSyntax,
r#"Invalid username: "Unexpected user DN format. Got \"cn=bob,ou=groups,ou=people,dc=example,dc=com\", expected: \"uid=username,ou=people,dc=example,dc=com\"""#.to_string(), r#"Invalid username: "Unexpected user DN format. Got \"uid=bob,ou=groups,ou=people,dc=example,dc=com\", expected: \"uid=username,ou=people,dc=example,dc=com\"""#.to_string(),
)]) )])
); );
let request = LdapOp::ExtendedRequest(LdapExtendedRequest { let request = LdapOp::ExtendedRequest(LdapExtendedRequest {