Merge pull request #4 from RedWhiteMiko/master

Add option to separate user binding and login authentication
ContainX · Jul 31, 2016 · 496afa9 · 496afa9
2 parents 4dbfc27 + e0bb2e4
commit 496afa9
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 8 deletions.
diff --git a/src/main/java/io/containx/marathon/plugin/auth/type/LDAPConfig.java b/src/main/java/io/containx/marathon/plugin/auth/type/LDAPConfig.java
@@ -25,6 +25,12 @@ public class LDAPConfig {
     @JsonProperty(required = false)
     private String groupSubTree = "ou=Group";
 
+    @JsonProperty(required = false)
+    private String bindUser = null;
+
+    @JsonProperty(required = false)
+    private String bindPassword = null;
+
 
     public LDAPConfig() {}
 
@@ -44,6 +50,14 @@ public void setBase(String base) {
         this.base = base;
     }
 
+    public String getBindUser() {
+        return bindUser;
+    }
+
+    public String getBindPassword() {
+        return bindPassword;
+    }
+
     public String getDn() {
         return dn;
     }
@@ -90,6 +104,8 @@ public String toString() {
                 "url='" + url + '\'' +
                 ", base='" + base + '\'' +
                 ", dn='" + dn + '\'' +
+                ", bindUser='" + bindUser + '\'' +
+                ", bindPassword='" + bindPassword + '\'' +
                 ", userSearch='" + userSearch + '\'' +
                 ", userSubTree='" + userSubTree + '\'' +
                 ", groupSearch='" + groupSearch + '\'' +

diff --git a/src/main/java/io/containx/marathon/plugin/auth/util/LDAPHelper.java b/src/main/java/io/containx/marathon/plugin/auth/util/LDAPHelper.java
@@ -20,7 +20,7 @@ public final class LDAPHelper {
     private static final Logger LOGGER = LoggerFactory.getLogger(LDAPHelper.class);
 
 
-    public static Set<String> validate(String username, String password, LDAPConfig config ) {
+    public static Set<String> validate(String username, String userPassword, LDAPConfig config) {
 
         if (config == null) {
             LOGGER.warn("LDAP Configuration not defined.  Skipping LDAP authentication");
@@ -30,22 +30,31 @@ public static Set<String> validate(String username, String password, LDAPConfig
         DirContext context = null;
 
         try {
-            String dn = new StringBuilder(config.getDn().replace("{username}", username))
-                    .append(",")
-                    .append(config.getUserSubTree() != null ? config.getUserSubTree() + "," : "")
-                    .append(config.getBase())
-                    .toString();
+            String dn = "";
+            String bindUser = config.getBindUser();
+            String bindPassword = userPassword;
+
+            if(bindUser != null) {
+                dn = bindUser;
+                bindPassword = config.getBindPassword();
+            } else {
+                dn = new StringBuilder(config.getDn().replace("{username}", username))
+                        .append(",")
+                        .append(config.getUserSubTree() != null ? config.getUserSubTree() + "," : "")
+                        .append(config.getBase())
+                        .toString();
+            }
 
             LOGGER.debug("LDAP trying to connect as {} on {}", dn, config.getUrl());
             Hashtable<String, String> env = new Hashtable<>();
             env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
             env.put(Context.PROVIDER_URL, config.getUrl());
             env.put(Context.SECURITY_PRINCIPAL, dn);
-            env.put(Context.SECURITY_CREDENTIALS, password);
+            env.put(Context.SECURITY_CREDENTIALS, bindPassword);
             context = new InitialDirContext(env);
 
             // if an exception wasn't raised, then we managed to bind to the directory
-            LOGGER.info("LDAP Auth succeeded for user {}", dn);
+            LOGGER.info("LDAP Bind succeeded for user {}", dn);
 
             SearchControls controls = new SearchControls();
             controls.setSearchScope(SUBTREE_SCOPE);
@@ -71,6 +80,23 @@ public static Set<String> validate(String username, String password, LDAPConfig
             SearchResult result = renum.next();
             LOGGER.debug("LDAP user search found {}", result.toString());
 
+            if(bindUser != null) {
+                Attribute realDN = result.getAttributes().get("distinguishedname");
+                dn = realDN.get(0).toString();
+
+                if(userPassword == null || userPassword.isEmpty()) {
+                    return null;
+                }
+
+                LOGGER.debug("Authenticate with DN {}", dn);
+                env.put(Context.SECURITY_PRINCIPAL, dn);
+                env.put(Context.SECURITY_CREDENTIALS, userPassword);
+
+                context = new InitialDirContext(env);
+
+                LOGGER.info("LDAP Auth succeeded for user {}", dn);
+            }
+
             // search group memberships as user attributes
             Attribute memberOf = result.getAttributes().get("memberOf");
             Set<String> memberships = new HashSet<>();

diff --git a/src/main/resources/io/containx/marathon/plugin/auth/plugin-conf.json b/src/main/resources/io/containx/marathon/plugin/auth/plugin-conf.json
@@ -12,6 +12,8 @@
                     "url": "ldap://my.ldapserver.local:389",
                     "base": "dc=example,dc=com",
                     "dn": "uid={username}",
+                    "bindUser": "usernameToBind",
+                    "bindPassword": "passwordToBind",
                     "userSearch": "(&(uid={username})(objectClass=inetOrgPerson))",
                     "userSubTree": "ou=People",
                     "groupSearch": "(&(memberUid={username})(objectClass=posixGroup))",