X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/5763409818cd2ab68c0f59b6a97d0c3df090907f..7000c1ebd170001e10807b583a29e9e7e9570b23:/lib/controller/localdb/login_ldap.go?ds=sidebyside
diff --git a/lib/controller/localdb/login_ldap.go b/lib/controller/localdb/login_ldap.go
index 44e42ac405..3f13c7b27a 100644
--- a/lib/controller/localdb/login_ldap.go
+++ b/lib/controller/localdb/login_ldap.go
@@ -21,12 +21,12 @@ import (
 )
 
 type ldapLoginController struct {
-	Cluster *arvados.Cluster
-	RailsProxy *railsProxy
+	Cluster *arvados.Cluster
+	Parent *Conn
 }
 
 func (ctrl *ldapLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
-	return noopLogout(ctrl.Cluster, opts)
+	return logout(ctx, ctrl.Cluster, opts)
 }
 
 func (ctrl *ldapLoginController) Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error) {
@@ -38,6 +38,9 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
 	conf := ctrl.Cluster.Login.LDAP
 	errFailed := httpserver.ErrorWithStatus(fmt.Errorf("LDAP: Authentication failure (with username %q and password)", opts.Username), http.StatusUnauthorized)
 
+	if conf.SearchAttribute == "" {
+		return arvados.APIClientAuthorization{}, errors.New("config error: SearchAttribute is blank")
+	}
 	if opts.Password == "" {
 		log.WithField("username", opts.Username).Error("refusing to authenticate with empty password")
 		return arvados.APIClientAuthorization{}, errFailed
@@ -89,11 +92,10 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
 		}
 	}
 
-	if conf.SearchAttribute == "" {
-		return arvados.APIClientAuthorization{}, errors.New("config error: must provide SearchAttribute")
+	search := fmt.Sprintf("(%s=%s)", ldap.EscapeFilter(conf.SearchAttribute), ldap.EscapeFilter(username))
+	if conf.SearchFilters != "" {
+		search = fmt.Sprintf("(&%s%s)", conf.SearchFilters, search)
 	}
-
-	search := fmt.Sprintf("(&%s(%s=%s))", conf.SearchFilters, ldap.EscapeFilter(conf.SearchAttribute), ldap.EscapeFilter(username))
 	log = log.WithField("search", search)
 	req := ldap.NewSearchRequest(
 		conf.SearchBase,
@@ -105,7 +107,7 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
 	if ldap.IsErrorWithCode(err, ldap.LDAPResultNoResultsReturned) ||
 		ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) ||
 		(err == nil && len(resp.Entries) == 0) {
-		log.WithError(err).Debug("ldap lookup returned no results")
+		log.WithError(err).Info("ldap lookup returned no results")
 		return arvados.APIClientAuthorization{}, errFailed
 	} else if err != nil {
 		log.WithError(err).Error("ldap lookup failed")
@@ -130,7 +132,7 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
 	// Now that we have the DN, try authenticating.
 	err = l.Bind(userdn, opts.Password)
 	if err != nil {
-		log.WithError(err).Warn("ldap user authentication failed")
+		log.WithError(err).Info("ldap user authentication failed")
 		return arvados.APIClientAuthorization{}, errFailed
 	}
 	log.Debug("ldap authentication succeeded")
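Review bot: The new filter assembly splices `conf.SearchFilters` into `(&%s%s)` verbatim while the attribute name and the username go through `ldap.EscapeFilter`, and nothing in the hunk records that this asymmetry is deliberate. Because SearchFilters is operator configuration that has to hold raw LDAP filter syntax, a comment above the `if conf.SearchFilters != ""` line would keep a later reader from "fixing" it with an escape call, e.g. `// SearchFilters is trusted operator config holding raw filter syntax; only the attribute name and the user-supplied username are escaped.` A malformed SearchFilters value now presumably surfaces as a search error on the request path rather than at config load, which is worth a sentence in that comment as well. UserAuthenticate continues outside the hunk, which ends inside the `ldap.NewSearchRequest(` call.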
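Review bot: Raising the no-results log from Debug to Info here while lowering the failed-bind log from Warn to Info in the `l.Bind` hunk below leaves no Warn-level record of a wrong-password attempt, so a deployment whose collector filters at Warn loses its signal for password guessing against this endpoint. The Info entries do remain attributable, since the `search` field added to the logger carries the escaped username, so the level choice is defensible but should be stated in a comment on the bind-failure branch, e.g. `// Wrong passwords are routine user errors; log at Info so failed logins stay in the audit trail without raising an alert.` The rest of UserAuthenticate lies outside these hunks.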
@@ -141,7 +143,7 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
 		return arvados.APIClientAuthorization{}, errors.New("authentication succeeded but ldap returned no email address")
 	}
 
-	return createAPIClientAuthorization(ctx, ctrl.RailsProxy, ctrl.Cluster.SystemRootToken, rpc.UserSessionAuthInfo{
+	return ctrl.Parent.CreateAPIClientAuthorization(ctx, ctrl.Cluster.SystemRootToken, rpc.UserSessionAuthInfo{
 		Email: email,
 		FirstName: attrs["givenname"],
 		LastName: attrs["sn"],