Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Return generic messages if pre-login ldap operations fail #4700

Merged
merged 1 commit into from
Jun 5, 2018
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 16 additions & 7 deletions builtin/credential/ldap/backend.go
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,10 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri
return nil, logical.ErrorResponse("ldap backend not configured"), nil, nil
}

if cfg.DenyNullBind && len(password) == 0 {
return nil, logical.ErrorResponse("password cannot be of zero length when passwordless binds are being denied"), nil, nil
}

ldapClient := ldaputil.Client{
Logger: b.Logger(),
LDAP: ldaputil.NewLDAP(),
Expand All @@ -86,32 +90,37 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri

userBindDN, err := ldapClient.GetUserBindDN(cfg, c, username)
if err != nil {
return nil, logical.ErrorResponse(err.Error()), nil, nil
if b.Logger().IsDebug() {
b.Logger().Debug("error getting user bind DN", "error", err)
}
return nil, logical.ErrorResponse("ldap operation failed"), nil, nil
}

if b.Logger().IsDebug() {
b.Logger().Debug("user binddn fetched", "username", username, "binddn", userBindDN)
}

if cfg.DenyNullBind && len(password) == 0 {
return nil, logical.ErrorResponse("password cannot be of zero length when passwordless binds are being denied"), nil, nil
}

// Try to bind as the login user. This is where the actual authentication takes place.
if len(password) > 0 {
err = c.Bind(userBindDN, password)
} else {
err = c.UnauthenticatedBind(userBindDN)
}
if err != nil {
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP bind failed: %v", err)), nil, nil
if b.Logger().IsDebug() {
b.Logger().Debug("ldap bind failed", "error", err)
}
return nil, logical.ErrorResponse("ldap operation failed"), nil, nil
}

// We re-bind to the BindDN if it's defined because we assume
// the BindDN should be the one to search, not the user logging in.
if cfg.BindDN != "" && cfg.BindPassword != "" {
if err := c.Bind(cfg.BindDN, cfg.BindPassword); err != nil {
return nil, logical.ErrorResponse(fmt.Sprintf("Encountered an error while attempting to re-bind with the BindDN User: %s", err.Error())), nil, nil
if b.Logger().IsDebug() {
b.Logger().Debug("error while attempting to re-bind with the BindDN User", "error", err)
}
return nil, logical.ErrorResponse("ldap operation failed"), nil, nil
}
if b.Logger().IsDebug() {
b.Logger().Debug("re-bound to original binddn")
Expand Down