Improve diagnostic and docs of ldap bind requiring posix password (#1702)

2025-02-23 20:47:01 +01:00 · 2023-06-05 22:08:16 +10:00 · 2023-06-05 22:08:16 +10:00 · 6862a529ab
parent dc418ff351
commit 6862a529ab
2 changed files with 59 additions and 41 deletions
--- a/book/src/integrations/ldap.md
+++ b/book/src/integrations/ldap.md
@ -124,6 +124,15 @@ ldapsearch ... -x '(name=admin)' cn objectClass displayname memberof
 Group membership is defined in rfc2307bis or Active Directory style. This means groups are
 determined from the "memberof" attribute which contains a DN to a group.
 ## People Accounts
 Persons can bind (authenticate) to the LDAP server if they are configured as a posix account and
 have a valid posix password set.
 When a person is bound to the directory, they inherit the permissions of anonymous - not their
 account. This is because a posix password as single factor authentication is not as secure and
 should not grant the same privileges as the accounts standard credentials.
 ## Service Accounts
 If you have
@ -197,7 +206,9 @@ objectclass: account
 objectclass: memberof
 objectclass: object
 objectclass: person
 objectclass: posixaccount
 displayname: Test User
 gidnumber: 12345
 memberof: spn=group240@idm.example.com,dc=idm,dc=example,dc=com
 name: test1
 spn: test1@idm.example.com
@ -205,7 +216,7 @@ entryuuid: 22a65b6c-80c8-4e1a-9b76-3f3afdff8400
 ```
 LDAP binds can use any unique identifier of the account. The following are all valid bind DNs for
-the object listed above (if it was a POSIX account, that is).
+the object listed above.
 ```bash
 ldapwhoami ... -x -D 'name=test1'
@ -243,3 +254,4 @@ This is despite the fact:
 - The third is an incorrect port.
 To diagnose errors like this, you may need to add "-d 1" to your LDAP commands or client.
--- a/server/lib/src/idm/server.rs
+++ b/server/lib/src/idm/server.rs
@ -1297,57 +1297,63 @@ impl<'a> IdmServerAuthTransaction<'a> {
                            slock
                        }
                    };
-                    Some(slock_ref)
+                    Ok(slock_ref)
                }
-                None => None,
+                None => Err(false),
            };
-            let maybe_slock = if let Some(s) = maybe_slock_ref.as_ref() {
+            let maybe_slock = match maybe_slock_ref.as_ref() {
-                Some(s.lock().await)
+                Ok(s) => Ok(s.lock().await),
-            } else {
+                Err(cred_state) => Err(cred_state),
                None
            };
-            let maybe_valid = if let Some(mut slock) = maybe_slock {
+            let maybe_valid = match maybe_slock {
-                // Apply the current time.
+                Ok(mut slock) => {
-                slock.apply_time_step(ct);
+                    // Apply the current time.
-                // Now check the results
+                    slock.apply_time_step(ct);
-                if slock.is_valid() {
+                    // Now check the results
-                    Some(slock)
+                    if slock.is_valid() {
-                } else {
+                        Ok(slock)
-                    None
+                    } else {
                        Err(true)
                    }
                }
-            } else {
+                Err(cred_state) => Err(*cred_state),
                None
            };
-            if let Some(mut slock) = maybe_valid {
+            match maybe_valid {
-                if account
+                Ok(mut slock) => {
-                    .verify_unix_credential(lae.cleartext.as_str(), &self.async_tx, ct)?
+                    if account
-                    .is_some()
+                        .verify_unix_credential(lae.cleartext.as_str(), &self.async_tx, ct)?
-                {
+                        .is_some()
-                    let session_id = Uuid::new_v4();
+                    {
-                    security_info!(
+                        let session_id = Uuid::new_v4();
-                        "Starting session {} for {} {}",
+                        security_info!(
-                        session_id,
+                            "Starting session {} for {} {}",
-                        account.spn,
+                            session_id,
-                        account.uuid
+                            account.spn,
-                    );
+                            account.uuid
                        );
-                    Ok(Some(LdapBoundToken {
+                        Ok(Some(LdapBoundToken {
-                        spn: account.spn,
+                            spn: account.spn,
-                        session_id,
+                            session_id,
-                        effective_session: LdapSession::UnixBind(account.uuid),
+                            effective_session: LdapSession::UnixBind(account.uuid),
-                    }))
+                        }))
-                } else {
+                    } else {
-                    // PW failure, update softlock.
+                        // PW failure, update softlock.
-                    slock.record_failure(ct);
+                        slock.record_failure(ct);
                        Ok(None)
                    }
                }
                Err(true) => {
                    security_info!("Account is softlocked.");
                    Ok(None)
                }
                Err(false) => {
                    security_info!("Account does not have a configured posix password.");
                    Ok(None)
                }
            } else {
                // Account is slocked!
                security_info!("Account is softlocked.");
                Ok(None)
            }
        }
    }