refactor(authentication): log ldap warning on startup in rare condition (#2141)

This is so that, on startup, administrators whose LDAP server implementation may not support password hashing by default are clearly warned. This only triggers if the disable password reset option is not enabled, we cannot find the extension OID for the Extended Password Modify Operation, and the implementation is not Active Directory. Active Directory has its own method for this which doesn't advertise an OID.
James Elliott 2021-07-04 15:44:11 +10:00 committed by GitHub
parent ef549f851d
commit 31c5c820f0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 7 deletions


@ -103,7 +103,7 @@ func startServer() {
case config.AuthenticationBackend.File != nil:
userProvider = authentication.NewFileUserProvider(config.AuthenticationBackend.File)
case config.AuthenticationBackend.LDAP != nil:
userProvider, err = authentication.NewLDAPUserProvider(*config.AuthenticationBackend.LDAP, autheliaCertPool)
userProvider, err = authentication.NewLDAPUserProvider(config.AuthenticationBackend, autheliaCertPool)
if err != nil {
logger.Fatalf("Failed to Check LDAP Authentication Backend: %v", err)
}


@ -29,18 +29,19 @@ type LDAPUserProvider struct {
}
// NewLDAPUserProvider creates a new instance of LDAPUserProvider.
func NewLDAPUserProvider(configuration schema.LDAPAuthenticationBackendConfiguration, certPool *x509.CertPool) (provider *LDAPUserProvider, err error) {
provider = newLDAPUserProvider(configuration, certPool, nil)
func NewLDAPUserProvider(configuration schema.AuthenticationBackendConfiguration, certPool *x509.CertPool) (provider *LDAPUserProvider, err error) {
provider = newLDAPUserProvider(*configuration.LDAP, certPool, nil)
err = provider.checkServer()
if err != nil {
return provider, err
}
if provider.supportExtensionPasswdModify {
provider.logger.Trace("LDAP Server does support passwdModifyOID Extension")
} else {
provider.logger.Trace("LDAP Server does not support passwdModifyOID Extension")
if !provider.supportExtensionPasswdModify && !configuration.DisableResetPassword &&
provider.configuration.Implementation != schema.LDAPImplementationActiveDirectory {
provider.logger.Warnf("Your LDAP server implementation may not support a method for password hashing " +
"known to Authelia, it's strongly recommended you ensure your directory server hashes the password " +
"attribute when users reset their password via Authelia.")
}
return provider, nil
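Review bot: The new constructor dereferences `*configuration.LDAP` unconditionally, so any caller that passes an AuthenticationBackendConfiguration without an LDAP section panics instead of getting an error; the only call site in this commit is guarded by `case config.AuthenticationBackend.LDAP != nil`, but the exported function should not rely on that. Add a guard before the call, using whichever of `errors`/`fmt` the file already imports: `if configuration.LDAP == nil { return nil, errors.New("ldap authentication backend configuration is nil") }`. A second, smaller point: the old Trace for the supported case was dropped, so a server that does advertise the passwdModify extension now leaves no log trail at startup; keeping a Trace such as `provider.logger.Trace("LDAP Server does support passwdModifyOID Extension")` in an `else` branch would preserve that. The warning is emitted only once at startup, so if the fallback path writes the password attribute directly (not visible in this hunk), it may be worth a debug-level message there too so the condition is visible when reviewing logs later. The closing brace of NewLDAPUserProvider lies outside the hunk.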