Improve diagnostic and docs of ldap bind requiring posix password (#1702)

2025-02-23 20:47:01 +01:00 · 2023-06-05 22:08:16 +10:00 · 2023-06-05 22:08:16 +10:00 · 6862a529ab
parent dc418ff351
commit 6862a529ab
2 changed files with 59 additions and 41 deletions
--- a/book/src/integrations/ldap.md
+++ b/book/src/integrations/ldap.md
@ -124,6 +124,15 @@ ldapsearch ... -x '(name=admin)' cn objectClass displayname memberof
 Group membership is defined in rfc2307bis or Active Directory style. This means groups are
 determined from the "memberof" attribute which contains a DN to a group.

+## People Accounts
+
+Persons can bind (authenticate) to the LDAP server if they are configured as a posix account and
+have a valid posix password set.
+
+When a person is bound to the directory, they inherit the permissions of anonymous - not their
+account. This is because a posix password as single factor authentication is not as secure and
+should not grant the same privileges as the accounts standard credentials.
+
 ## Service Accounts

 If you have
@ -197,7 +206,9 @@ objectclass: account
 objectclass: memberof
 objectclass: object
 objectclass: person
+objectclass: posixaccount
 displayname: Test User
+gidnumber: 12345
 memberof: spn=group240@idm.example.com,dc=idm,dc=example,dc=com
 name: test1
 spn: test1@idm.example.com
@ -205,7 +216,7 @@ entryuuid: 22a65b6c-80c8-4e1a-9b76-3f3afdff8400
 ```

 LDAP binds can use any unique identifier of the account. The following are all valid bind DNs for
-the object listed above (if it was a POSIX account, that is).
+the object listed above.

 ```bash
 ldapwhoami ... -x -D 'name=test1'
@ -243,3 +254,4 @@ This is despite the fact:
 - The third is an incorrect port.

 To diagnose errors like this, you may need to add "-d 1" to your LDAP commands or client.
+
--- a/server/lib/src/idm/server.rs
+++ b/server/lib/src/idm/server.rs
@ -1297,31 +1297,32 @@ impl<'a> IdmServerAuthTransaction<'a> {
                            slock
                        }
                    };
-                    Some(slock_ref)
+                    Ok(slock_ref)
                }
-                None => None,
+                None => Err(false),
            };

-            let maybe_slock = if let Some(s) = maybe_slock_ref.as_ref() {
-                Some(s.lock().await)
-            } else {
-                None
+            let maybe_slock = match maybe_slock_ref.as_ref() {
+                Ok(s) => Ok(s.lock().await),
+                Err(cred_state) => Err(cred_state),
            };

-            let maybe_valid = if let Some(mut slock) = maybe_slock {
+            let maybe_valid = match maybe_slock {
+                Ok(mut slock) => {
                    // Apply the current time.
                    slock.apply_time_step(ct);
                    // Now check the results
                    if slock.is_valid() {
-                    Some(slock)
+                        Ok(slock)
                    } else {
-                    None
+                        Err(true)
                    }
-            } else {
-                None
+                }
+                Err(cred_state) => Err(*cred_state),
            };

-            if let Some(mut slock) = maybe_valid {
+            match maybe_valid {
+                Ok(mut slock) => {
                    if account
                        .verify_unix_credential(lae.cleartext.as_str(), &self.async_tx, ct)?
                        .is_some()
@ -1344,11 +1345,16 @@ impl<'a> IdmServerAuthTransaction<'a> {
                        slock.record_failure(ct);
                        Ok(None)
                    }
-            } else {
-                // Account is slocked!
+                }
+                Err(true) => {
                    security_info!("Account is softlocked.");
                    Ok(None)
                }
+                Err(false) => {
+                    security_info!("Account does not have a configured posix password.");
+                    Ok(None)
+                }
+            }
        }
    }