
Identification via attribute (e.g. email address)

Open lorenzschmid opened this issue 6 years ago • 2 comments

Currently, authentication is only possible via the uid of the user. Thereby, the uid of the user as well as his password are used to make an authentication call to the LDAP server.

For my setup I wanted authentication to work with the user's mail attribute instead. Thereby, two authentication calls are necessary:

  1. Authentication via BIND DN (i.e. an admin account) which fetches the user's uid based on the given mail
  2. User authentication with the obtained uid

I modified the script accordingly but since I am not fluent in bash I prefer to write it down in this issue instead of a PR. Maybe there is a way to merge it with the existing code? Following my modifications:

  • In ldap_auth_curl() and ldap_auth_ldapsearch(), I replaced the variable $password with $PW

  • Since two authentication calls are now necessary, I wrapped the code in question in a function

    ldap_auth() {
        case "$CLIENT" in
            "curl")
                ldap_auth_curl
                ;;
            "ldapsearch")
                ldap_auth_ldapsearch
                ;;
            *)
                log "Unsupported client '$CLIENT', revise the configuration."
                exit 2
                ;;
        esac
    
        return $?
    }
    
  • The single authentication call now becomes:

    ...
    [ $err -ne 0 ] && exit 2
    
    # Do authentication via bind_dn to get user_dn
    ldap_auth
    
    # Overwrite parameters for actual authentication without bind_dn
    USERDN=$(echo "$output" | sed -n -e "s/^\(dn\|DN\)\s*:\s*\(uid.*\)$/\2/p")
    PW="$password"
    
    if [ -z "$USERDN" ]; then
        log "User '$username' could not be found."
        exit 1
    fi
    
    # Actual user authentication
    ldap_auth
    
    result=$?
    ...
    

You can find my updated script here (breaking the original functionality of direct authentication). Following is an example of the configuration file for the updated script:

SERVER="ldap://ldap.domain.com:389"
USERDN="uid=root,cn=users,dc=ldap,dc=domain,dc=com"
PW="[secret]"

BASEDN="cn=users,dc=ldap,dc=domain,dc=com"
SCOPE="one"
FILTER="(&(objectClass=person)(mail=$(ldap_dn_escape "$username")))"

NAME_ATTR="cn"
ATTRS="$ATTRS $NAME_ATTR"

USERNAME_PATTERN='^[a-zA-Z0-9_.@-]+$'   # inside [...] '|' is a literal, not alternation; '-' goes last so it is a literal hyphen

lorenzschmid avatar Jun 30 '19 10:06 lorenzschmid
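The search-then-bind flow described in the post above, written out as a self-contained POSIX sh script (an added example, not code from ldap-auth-sh or from the issue author). The function names, the `BINDDN`/`BINDPW`/`BASEDN` variables (standing in for the post's `USERDN`/`PW`), the `fake_*` hooks and their LDIF are assumptions constructed for this example. It goes a little beyond the post in three places a practitioner will want: values interpolated into the search filter get RFC 4515 filter escaping (a different escape set from DN escaping), a search that matches more than one entry is refused instead of binding as whichever DN came first, and an empty password is rejected before step 2, since an LDAP simple bind with a DN and no password is an unauthenticated bind rather than a failure.

```shell
#!/bin/sh
# Added example, not ldap-auth-sh code: two-step LDAP authentication
# (service-account search by mail, then bind as the resolved user DN).
# All names below are assumptions for this example.

SERVER=${SERVER:-ldap://ldap.example.com:389}
BINDDN=${BINDDN:-uid=svc-auth,cn=users,dc=example,dc=com}   # service account (the post's USERDN)
BINDPW=${BINDPW:-secret}                                     # its password (the post's PW)
BASEDN=${BASEDN:-cn=users,dc=example,dc=com}
SCOPE=${SCOPE:-one}

# RFC 4515 escaping for a value placed inside a search filter (not DN escaping):
# without it a "username" such as 'a*)(mail=*' rewrites the (mail=...) clause.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Username allow-list. In the post's pattern the '|' characters are literals
# inside [...] and the '-' between them forms a range, so '|' is accepted and a
# real hyphen is not; list the set once with '-' last instead.
NL=$(printf '\nx'); NL=${NL%x}
valid_username() {
    [ -n "$1" ] || return 1
    case "$1" in *"$NL"*) return 1 ;; esac     # grep matches per line; refuse embedded newlines
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_.@-]+$'
}

# Pull the single entry DN out of ldapsearch -LLL output. Base64 "dn::" lines
# are not decoded here and count as not found; more than one entry is refused,
# because binding as "whichever matched first" is not an identity check.
extract_user_dn() {
    dns=$(printf '%s\n' "$1" | sed -n 's/^[dD][nN]:[[:space:]]*\([^:].*\)$/\1/p')
    [ -n "$dns" ] || return 1
    [ "$(printf '%s\n' "$dns" | grep -c .)" -eq 1 ] || return 2
    printf '%s\n' "$dns"
}

# Real hooks call ldapsearch (use -y passfile rather than -w in production so
# the service password does not show up in `ps`). The fakes let the flow run
# offline on constructed data.
ldap_search_cmd() {   # $1 = filter; prints LDIF of matching entries, no attributes
    ldapsearch -LLL -x -H "$SERVER" -D "$BINDDN" -w "$BINDPW" -b "$BASEDN" -s "$SCOPE" "$1" 1.1
}
ldap_bind_cmd() {     # $1 = user DN, $2 = password; status 0 iff the bind succeeds
    ldapsearch -LLL -x -H "$SERVER" -D "$1" -w "$2" -b "$1" -s base '(objectClass=*)' 1.1 >/dev/null 2>&1
}
fake_search_cmd() {   # constructed sample directory for this example
    case "$1" in
        *'(mail=alice@example.com)'*) printf 'dn: uid=alice,cn=users,dc=example,dc=com\n\n' ;;
        *'(mail=dup@example.com)'*)   printf 'dn: uid=dup1,cn=users,dc=example,dc=com\n\ndn: uid=dup2,cn=users,dc=example,dc=com\n\n' ;;
        *) : ;;                                          # no match: -LLL prints nothing
    esac
}
fake_bind_cmd() {
    [ "$1" = 'uid=alice,cn=users,dc=example,dc=com' ] && [ "$2" = 's3cret' ]
}
LDAP_SEARCH=${LDAP_SEARCH:-ldap_search_cmd}
LDAP_BIND=${LDAP_BIND:-ldap_bind_cmd}

# Step 1 binds as the service account and searches by mail; step 2 binds as the
# resolved DN with the password the user typed. Prints the DN on success.
search_then_bind() {
    valid_username "$1" || return 1
    [ -n "$2" ] || return 1          # empty password = unauthenticated bind, never "wrong password"
    filter="(&(objectClass=person)(mail=$(ldap_filter_escape "$1")))"
    ldif=$("$LDAP_SEARCH" "$filter") || return 1
    dn=$(extract_user_dn "$ldif") || return 1
    "$LDAP_BIND" "$dn" "$2" || return 1
    printf '%s\n' "$dn"
}

demo() {   # runs the flow against the fakes
    LDAP_SEARCH=fake_search_cmd LDAP_BIND=fake_bind_cmd
    for u in alice@example.com dup@example.com nobody@example.com 'a*)(mail=*'; do
        if dn=$(search_then_bind "$u" s3cret); then echo "OK   $u -> $dn"; else echo "FAIL $u"; fi
    done
}
demo
```

To use it against a directory, leave `LDAP_SEARCH`/`LDAP_BIND` at their defaults and set `SERVER`, `BINDDN`, `BINDPW`, `BASEDN` and `SCOPE` in the environment; `search_then_bind "$username" "$password"` then returns 0 and prints the user's DN only when both the lookup and the user's own bind succeed.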

Hi @lorenzschmid ,

Thanks for the work! I modified your script a bit and finally got authentication working with Active Directory!!

polcape avatar Mar 26 '20 17:03 polcape

I ran into this same issue, and generalized the solution a bit more.

The updated code is in my fork: https://github.com/joshuaboniface/ldap-auth-sh

joshuaboniface avatar Aug 11 '21 09:08 joshuaboniface