conf := ctrl.Cluster.Login.LDAP
errFailed := httpserver.ErrorWithStatus(fmt.Errorf("LDAP: Authentication failure (with username %q and password)", opts.Username), http.StatusUnauthorized)
+ if conf.SearchAttribute == "" {
+ return arvados.APIClientAuthorization{}, errors.New("config error: SearchAttribute is blank")
+ }
if opts.Password == "" {
log.WithField("username", opts.Username).Error("refusing to authenticate with empty password")
return arvados.APIClientAuthorization{}, errFailed
}
}
- if conf.SearchAttribute == "" {
- return arvados.APIClientAuthorization{}, errors.New("config error: must provide SearchAttribute")
+ search := fmt.Sprintf("(%s=%s)", ldap.EscapeFilter(conf.SearchAttribute), ldap.EscapeFilter(username))
+ if conf.SearchFilters != "" {
+ search = fmt.Sprintf("(&%s%s)", conf.SearchFilters, search)
}
-
- search := fmt.Sprintf("(&%s(%s=%s))", conf.SearchFilters, ldap.EscapeFilter(conf.SearchAttribute), ldap.EscapeFilter(username))
log = log.WithField("search", search)
req := ldap.NewSearchRequest(
conf.SearchBase,
if ldap.IsErrorWithCode(err, ldap.LDAPResultNoResultsReturned) ||
ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) ||
(err == nil && len(resp.Entries) == 0) {
- log.WithError(err).Debug("ldap lookup returned no results")
+ log.WithError(err).Info("ldap lookup returned no results")
return arvados.APIClientAuthorization{}, errFailed
} else if err != nil {
log.WithError(err).Error("ldap lookup failed")
// Now that we have the DN, try authenticating.
err = l.Bind(userdn, opts.Password)
if err != nil {
- log.WithError(err).Warn("ldap user authentication failed")
+ log.WithError(err).Info("ldap user authentication failed")
return arvados.APIClientAuthorization{}, errFailed
}
log.Debug("ldap authentication succeeded")