From 2ba195adaae844af5ac64508b3047e54984e6bb8 Mon Sep 17 00:00:00 2001
From: Hugo Hromic
Date: Tue, 21 Jan 2020 22:14:07 +0000
Subject: [PATCH] feat(api): implement anonymous mode for LDAP connection (#3460)

* When enabled, ReaderDN and Password will not be used
* Anonymous mode is set to `true` by default on fresh installations
---
 api/cmd/portainer/main.go | 1 +
 api/ldap/ldap.go | 24 +++++++++++++++---------
 api/portainer.go | 1 +
 api/swagger.yaml | 4 ++++
 4 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/api/cmd/portainer/main.go b/api/cmd/portainer/main.go
index d5ab7cd59..236b64d35 100644
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -259,6 +259,7 @@ func initSettings(settingsService portainer.SettingsService, flags *portainer.CL
 LogoURL: *flags.Logo,
 AuthenticationMethod: portainer.AuthenticationInternal,
 LDAPSettings: portainer.LDAPSettings{
+ AnonymousMode: true,
 AutoCreateUsers: true,
 TLSConfig: portainer.TLSConfiguration{},
 SearchSettings: []portainer.LDAPSearchSettings{
diff --git a/api/ldap/ldap.go b/api/ldap/ldap.go
index c86f75508..83ef7b025 100644
--- a/api/ldap/ldap.go
+++ b/api/ldap/ldap.go
@@ -92,9 +92,11 @@ func (*Service) AuthenticateUser(username, password string, settings *portainer.
 }
 defer connection.Close()
 
- err = connection.Bind(settings.ReaderDN, settings.Password)
- if err != nil {
- return err
+ if !settings.AnonymousMode {
+ err = connection.Bind(settings.ReaderDN, settings.Password)
+ if err != nil {
+ return err
+ }
 }
 
 userDN, err := searchUser(username, connection, settings.SearchSettings)
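Review bot: `AnonymousMode: true` here only shapes the settings record initSettings writes on a fresh install; a record saved before this field existed presumably decodes with the Go zero value false and keeps the ReaderDN bind, so upgraded and fresh deployments now behave differently and nothing in the code says why. A one-line comment on the new field would preserve that intent, e.g. `// AnonymousMode is opt-out on fresh installs; pre-existing settings decode as false and keep the authenticated bind`. It is also worth noting that with this default any ReaderDN/Password an administrator later fills in are accepted by the API but silently unused until the flag is cleared, which the settings validation (outside this diff) may want to reject. initSettings starts and ends outside the hunk.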
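Review bot: The added `if !settings.AnonymousMode { … Bind … }` block is copied verbatim into AuthenticateUser here and into GetUserGroups and TestConnectivity in the following hunks; since the bind decision is a security policy (whether the service-account credential is presented at all), it should live in one helper so the three call sites cannot drift. In anonymous mode the connection reaches searchUser unbound, so a directory that refuses anonymous search fails only at that later step; the helper is also the natural place for a comment stating that requirement. AuthenticateUser's dial code above and the user bind below are outside the hunk.
```go
// bindReader presents the service-account credential unless the settings
// request anonymous access, in which case the directory must permit
// unauthenticated search for the later lookups to succeed.
func bindReader(connection *ldap.Conn, settings *portainer.LDAPSettings) error {
	if settings.AnonymousMode {
		return nil
	}
	return connection.Bind(settings.ReaderDN, settings.Password)
}

// … unchanged: dial / TLS setup, defer connection.Close() …
if err := bindReader(connection, settings); err != nil {
	return err
}
// … unchanged: searchUser and the user bind …
```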
@@ -118,9 +120,11 @@ func (*Service) GetUserGroups(username string, settings *portainer.LDAPSettings)
 }
 defer connection.Close()
 
- err = connection.Bind(settings.ReaderDN, settings.Password)
- if err != nil {
- return nil, err
+ if !settings.AnonymousMode {
+ err = connection.Bind(settings.ReaderDN, settings.Password)
+ if err != nil {
+ return nil, err
+ }
 }
 
 userDN, err := searchUser(username, connection, settings.SearchSettings)
@@ -174,9 +178,11 @@ func (*Service) TestConnectivity(settings *portainer.LDAPSettings) error {
 }
 defer connection.Close()
 
- err = connection.Bind(settings.ReaderDN, settings.Password)
- if err != nil {
- return err
+ if !settings.AnonymousMode {
+ err = connection.Bind(settings.ReaderDN, settings.Password)
+ if err != nil {
+ return err
+ }
 }
 return nil
 }
diff --git a/api/portainer.go b/api/portainer.go
index 58fc409b4..14a96799f 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -50,6 +50,7 @@ type (
 
 // LDAPSettings represents the settings used to connect to a LDAP server
 LDAPSettings struct {
+ AnonymousMode bool `json:"AnonymousMode"`
 ReaderDN string `json:"ReaderDN"`
 Password string `json:"Password,omitempty"`
 URL string `json:"URL"`
diff --git a/api/swagger.yaml b/api/swagger.yaml
index a9f21e8a3..0d0a60a89 100644
--- a/api/swagger.yaml
+++ b/api/swagger.yaml
@@ -3296,6 +3296,10 @@ definitions:
 LDAPSettings:
 type: "object"
 properties:
+ AnonymousMode:
+ type: "boolean"
+ example: true
+ description: "Enable this option if the server is configured for Anonymous access. When enabled, ReaderDN and Password will not be used."
 ReaderDN:
 type: "string"
 example: "cn=readonly-account,dc=ldap,dc=domain,dc=tld"
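Review bot: In the TestConnectivity hunk, with AnonymousMode set the function now returns nil straight after the dial, so the connectivity test only proves the socket (and TLS, if configured) came up, not that the directory accepts anonymous operations; an administrator enabling the option against a server that rejects unauthenticated search gets a green test here and an error later in AuthenticateUser. The anonymous branch should still exercise the directory, for instance by issuing an explicit anonymous bind (the client library's unauthenticated bind with an empty name, if the version in use exposes it) and returning its error, e.g. `if settings.AnonymousMode { return connection.UnauthenticatedBind("") }` guarded by a comment that the empty name is the RFC 4513 anonymous case. The dial code at the top of TestConnectivity is outside the hunk.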
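Review bot: In the portainer.go hunk the new AnonymousMode field is the one switch that makes ReaderDN and Password inert, and the struct does not say so; a doc comment keeps that contract next to the field: `// AnonymousMode skips the ReaderDN/Password bind; the directory must allow anonymous search for user lookups to work`. Because the tag carries no omitempty and the zero value is false, settings persisted before this field existed decode as authenticated-bind, which is the conservative direction and worth stating in the same comment so the fresh-install default of true is not mistaken for an upgrade behaviour. The enclosing type block starts and ends outside the hunk.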