Merge pull request #62 from wiltonsr/fix-issue-61

wiltonsr · web-flow · commit 64fac478480b · 2024-03-20T17:43:47.000-03:00
Use same operation mode to bind validations
diff --git a/ldapauth.go b/ldapauth.go
@@ -175,13 +175,6 @@ func (la *LdapAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 
 	LoggerDEBUG.Println("No session found! Trying to authenticate in LDAP")
 
-	var certPool *x509.CertPool
-
-	if la.config.CertificateAuthority != "" {
-		certPool = x509.NewCertPool()
-		certPool.AppendCertsFromPEM([]byte(la.config.CertificateAuthority))
-	}
-
 	conn, err := Connect(la.config)
 	if err != nil {
 		LoggerERROR.Printf("%s", err)
@@ -270,8 +263,13 @@ func LdapCheckUser(conn *ldap.Conn, config *Config, username, password string) (
 	userDN := result.Entries[0].DN
 	LoggerINFO.Printf("Authenticating User: %s", userDN)
 
+	// Create a new conn to validate user password. This prevents changing the bind made
+	// previously, then LdapCheckUserAuthorized will use same operation mode
+	_nconn, _ := Connect(config)
+	defer _nconn.Close()
+
 	// Bind User and password.
-	err = conn.Bind(userDN, password)
+	err = _nconn.Bind(userDN, password)
 	return err == nil, result.Entries[0], err
 }
 
@@ -354,6 +352,13 @@ func LdapCheckUserGroups(conn *ldap.Conn, config *Config, entry *ldap.Entry, use
 
 	LoggerDEBUG.Printf("Group Filter: '%s'", group_filter.String())
 
+	res, err := conn.WhoAmI(nil)
+	if err != nil {
+		LoggerERROR.Printf("Failed to call WhoAmI(): %s", err)
+	} else {
+		LoggerDEBUG.Printf("Using credential: '%s' for Search Groups", res.AuthzID)
+	}
+
 	for _, g := range config.AllowedGroups {
 
 		LoggerDEBUG.Printf("Searching Group: '%s' with User: '%s'", g, entry.DN)
diff --git a/readme.md b/readme.md
@@ -101,6 +101,8 @@ labels:
 
 ## Operations Mode
 
+The `Operation Mode` detected will be used to perform all subsequent requests.
+
 ### Bind Mode
 
 If no `searchFilter` is specified in its configuration, the middleware runs in the default bind mode, meaning it tries to make a simple bind request to the LDAP server with the credentials provided in the request headers. If the bind succeeds, the middleware forwards the request, otherwise, it returns a 401 Unauthorized status code.
