From 31c5c820f08b26cc9e4831efa02c13ca272e559d Mon Sep 17 00:00:00 2001 From: James Elliott Date: Sun, 4 Jul 2021 15:44:11 +1000 Subject: [PATCH] refactor(authentication): log ldap warning on startup in rare condition (#2141) This is so on startup administrators who have a LDAP server implementation that may not support password hashing by default are clearly warned. This only triggers if the disable password reset option is not enabled, we cannot find the extension OID for the Extended Password Modify Operation, and the implementation is not Active Directory. Active Directory has it's own method for this which doesn't advertise an OID. --- cmd/authelia/main.go | 2 +- internal/authentication/ldap_user_provider.go | 13 +++++++------ 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/cmd/authelia/main.go b/cmd/authelia/main.go index 79145741..8b7879cd 100644 --- a/cmd/authelia/main.go +++ b/cmd/authelia/main.go @@ -103,7 +103,7 @@ func startServer() { case config.AuthenticationBackend.File != nil: userProvider = authentication.NewFileUserProvider(config.AuthenticationBackend.File) case config.AuthenticationBackend.LDAP != nil: - userProvider, err = authentication.NewLDAPUserProvider(*config.AuthenticationBackend.LDAP, autheliaCertPool) + userProvider, err = authentication.NewLDAPUserProvider(config.AuthenticationBackend, autheliaCertPool) if err != nil { logger.Fatalf("Failed to Check LDAP Authentication Backend: %v", err) } diff --git a/internal/authentication/ldap_user_provider.go b/internal/authentication/ldap_user_provider.go index 6fcec587..0fcc6a87 100644 --- a/internal/authentication/ldap_user_provider.go +++ b/internal/authentication/ldap_user_provider.go @@ -29,18 +29,19 @@ type LDAPUserProvider struct { } // NewLDAPUserProvider creates a new instance of LDAPUserProvider. -func NewLDAPUserProvider(configuration schema.LDAPAuthenticationBackendConfiguration, certPool *x509.CertPool) (provider *LDAPUserProvider, err error) { - provider = newLDAPUserProvider(configuration, certPool, nil) +func NewLDAPUserProvider(configuration schema.AuthenticationBackendConfiguration, certPool *x509.CertPool) (provider *LDAPUserProvider, err error) { + provider = newLDAPUserProvider(*configuration.LDAP, certPool, nil) err = provider.checkServer() if err != nil { return provider, err } - if provider.supportExtensionPasswdModify { - provider.logger.Trace("LDAP Server does support passwdModifyOID Extension") - } else { - provider.logger.Trace("LDAP Server does not support passwdModifyOID Extension") + if !provider.supportExtensionPasswdModify && !configuration.DisableResetPassword && + provider.configuration.Implementation != schema.LDAPImplementationActiveDirectory { + provider.logger.Warnf("Your LDAP server implementation may not support a method for password hashing " + + "known to Authelia, it's strongly recommended you ensure your directory server hashes the password " + + "attribute when users reset their password via Authelia.") } return provider, nil