-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing
4 changed files
with
129 additions
and
75 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,22 +1,66 @@ | ||
Remove the check requiring a bind_dn | ||
commit b6d8e26e92b78b58a3dd22fae7b74be27ef2e37a | ||
Author: John Thiltges <[email protected]> | ||
Date: Thu Feb 21 16:21:37 2019 -0600 | ||
|
||
The code assumes an Active Directory server. For a non-AD server, it works | ||
fine with an anonymous bind. | ||
Remove the checks requiring a bind_dn | ||
|
||
The code assumes an Active Directory server. For a non-AD server such as OpenLDAP, it works fine with an anonymous bind. | ||
|
||
diff -r -U3 duoauthproxy-2.4.12-src.orig/pkgs/duoauthproxy/duoauthproxy/modules/ad_client.py duoauthproxy-2.4.12-src/pkgs/duoauthproxy/duoauthproxy/modules/ad_client.py | ||
--- duoauthproxy-2.4.12-src.orig/pkgs/duoauthproxy/duoauthproxy/modules/ad_client.py 2015-08-04 08:39:11.000000000 -0500 | ||
+++ duoauthproxy-2.4.12-src/pkgs/duoauthproxy/duoauthproxy/modules/ad_client.py 2015-10-16 10:53:07.624913666 -0500 | ||
@@ -293,13 +293,6 @@ | ||
ldap_filter = None | ||
diff --git a/pkgs/duoauthproxy/duoauthproxy/lib/util.py b/pkgs/duoauthproxy/duoauthproxy/lib/util.py | ||
index a19ad54..c9165cb 100644 | ||
--- a/pkgs/duoauthproxy/duoauthproxy/lib/util.py | ||
+++ b/pkgs/duoauthproxy/duoauthproxy/lib/util.py | ||
@@ -344,16 +344,13 @@ def parse_ad_client(config): | ||
'auth_type', ldap.client.AD_AUTH_TYPES, | ||
ldap.client.AD_AUTH_TYPE_NTLM_V2, str.lower) | ||
|
||
# validate configuration | ||
- if (auth_type == ldap.client.AD_AUTH_TYPE_PLAIN and not bind_dn): | ||
- raise base.ConfigError( | ||
- 'Missing required configuration item: if \'auth_type\' ' | ||
- 'is \'plain\', then \'bind_dn\' is required') | ||
- else: | ||
- bind_dn = bind_dn or '<ROOT>' | ||
- # service_account_username, service_account_password are optional | ||
- # for auth_type = AD_AUTH_TYPE_SSPI; mandatory otherwise | ||
- is_sspi = (auth_type == ldap.client.AD_AUTH_TYPE_SSPI) | ||
service_account_username = config.get_str( | ||
'service_account_username', | ||
- '' if is_sspi else None) | ||
+ '') | ||
service_account_password = config.get_protected_str( | ||
'service_account_password_protected', | ||
'service_account_password', | ||
- '' if is_sspi else None) | ||
+ '') | ||
|
||
timeout = config.get_int('timeout', 10) | ||
search_dn = config.get_str('search_dn') | ||
@@ -380,11 +377,6 @@ def parse_ad_client(config): | ||
else: | ||
ldap_filter = None | ||
|
||
- # A blank bind_dn will be rejected with auth-type plain in validation | ||
- # otherwise we supply a default | ||
- if not bind_dn: | ||
- bind_dn = '<ROOT>' | ||
- | ||
if (auth_type == ldap.client.AD_AUTH_TYPE_PLAIN | ||
and transport_type == ldap.client.AD_TRANSPORT_CLEAR): | ||
log.msg('WARNING: you have selected cleartext (plain) authentication for Active Directory') | ||
warning_message = warn_insecure_settings(auth_type, transport_type) | ||
if warning_message: | ||
log.msg(warning_message) | ||
diff --git a/pkgs/duoauthproxy/duoauthproxy/lib/validation/config/check/ad_client.py b/pkgs/duoauthproxy/duoauthproxy/lib/validation/config/check/ad_client.py | ||
index 772e0cb..b85b57c 100644 | ||
--- a/pkgs/duoauthproxy/duoauthproxy/lib/validation/config/check/ad_client.py | ||
+++ b/pkgs/duoauthproxy/duoauthproxy/lib/validation/config/check/ad_client.py | ||
@@ -54,7 +54,7 @@ def check_required_keys(config, toolbox): | ||
# the value. Validation will happen in check_config_values and we don't | ||
# want duplicate errors if the auth_type config is invalid. | ||
auth_type = config.get('auth_type') or ldap.client.AD_AUTH_TYPE_NTLM_V2 | ||
- if auth_type.lower() != ldap.client.AD_AUTH_TYPE_SSPI: | ||
+ if auth_type.lower() not in (ldap.client.AD_AUTH_TYPE_SSPI, ldap.client.AD_AUTH_TYPE_PLAIN): | ||
if not toolbox.test_config_has_key(config, 'service_account_username'): | ||
problems.append(MissingKey(key='service_account_username')) | ||
|
||
@@ -183,9 +183,6 @@ def check_valid_bind_dn_for_auth_type(config, toolbox): | ||
ldap.client.AD_AUTH_TYPES, | ||
ldap.client.AD_AUTH_TYPE_NTLM_V2) | ||
has_bind_dn = toolbox.test_config_has_value(config, 'bind_dn') | ||
- if auth_type == ldap.client.AD_AUTH_TYPE_PLAIN and not has_bind_dn: | ||
- problems.append(UnmetDependency(message='bind_dn is required for ' | ||
- 'auth_type %s' % auth_type)) | ||
except ConfigError: | ||
problems.append(SkippedTest( | ||
test=check_valid_bind_dn_for_auth_type.__name__, key='auth_type')) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.