Add ability to bind with token with a dn=token marker (#1225)

2025-02-23 20:47:01 +01:00 · 2022-11-23 16:02:11 +10:00 · 2022-11-23 16:02:11 +10:00 · a611fa101a
parent 9a9f61ff2b
commit a611fa101a
2 changed files with 27 additions and 2 deletions
--- a/kanidmd/lib/src/ldap.rs
+++ b/kanidmd/lib/src/ldap.rs
@ -374,6 +374,24 @@ impl LdapServer {
                });
            }
        } else {
+            // Is the passed dn requesting token auth?
+            // We use dn= here since these are attr=value, and dn is a phantom so it will
+            // never be present or match a real value. We also make it an ava so that clients
+            // that over-zealously validate dn syntax are happy.
+            if dn == "dn=token" {
+                let lae = LdapTokenAuthEvent::from_parts(pw.to_string())?;
+                return idm_auth.token_auth_ldap(&lae, ct).await.and_then(|r| {
+                    idm_auth.commit().map(|_| {
+                        if r.is_some() {
+                            security_info!(%dn, "✅ LDAP Bind success");
+                        } else {
+                            security_info!(%dn, "❌ LDAP Bind failure");
+                        };
+                        r
+                    })
+                });
+            };
+
            let rdn = match self
                .binddnre
                .captures(dn)
@ -999,7 +1017,13 @@ mod tests {

                let apitoken_inner = apitoken_inner.into_inner();

-                // Bind using the token
+                // Bind using the token as a DN
+                let sa_lbt = task::block_on(ldaps.do_bind(idms, "dn=token", &apitoken))
+                    .unwrap()
+                    .unwrap();
+                assert!(sa_lbt.effective_session == LdapSession::ApiToken(apitoken_inner.clone()));
+
+                // Bind using the token as a pw
                let sa_lbt = task::block_on(ldaps.do_bind(idms, "", &apitoken))
                    .unwrap()
                    .unwrap();
--- a/kanidmd_web_ui/src/views/mod.rs
+++ b/kanidmd_web_ui/src/views/mod.rs
@ -357,7 +357,8 @@ impl ViewsApp {
            .expect_throw("failed to set header");

        let window = utils::window();
-        let resp_value = JsFuture::from(window.fetch_with_request(&request)).await
+        let resp_value = JsFuture::from(window.fetch_with_request(&request))
+            .await
            .map_err(|e| {
                console::error!(&format!("fetch request failed {:?}", e));
                e