[LDAP] Allow to bind to an admin with a different FQDN

By directly providing the full DN Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2020-11-30 17:53:17 +01:00 · 2020-11-30 17:53:17 +01:00 · 0f5941a046
parent bc8ea10bb0
commit 0f5941a046
2 changed files with 11 additions and 0 deletions
--- a/config/config.exs
+++ b/config/config.exs
@ -146,6 +146,8 @@ config :mobilizon, :ldap,
  base: System.get_env("LDAP_BASE") || "dc=example,dc=com",
  uid: System.get_env("LDAP_UID") || "cn",
  require_bind_for_search: !(System.get_env("LDAP_REQUIRE_BIND_FOR_SEARCH") == "false"),
+  # Either the admin UID matching the field in `uid`,
+  # Either a tuple with the fully qualified DN: {:full, uid=admin,dc=example.com,dc=local}
  bind_uid: System.get_env("LDAP_BIND_UID"),
  bind_password: System.get_env("LDAP_BIND_PASSWORD")

--- a/lib/service/auth/ldap_authenticator.ex
+++ b/lib/service/auth/ldap_authenticator.ex
@ -97,6 +97,15 @@ defmodule Mobilizon.Service.Auth.LDAPAuthenticator do
    end
  end

+  # Bind user with full DN
+  @spec bind_user(any(), String.t(), String.t(), {:full, String.t()}, String.t()) ::
+          User.t() | any()
+  defp bind_user(connection, _base, _uid, {:full, field}, password) do
+    Logger.debug("Binding to LDAP with \"#{field}\"")
+    :eldap.simple_bind(connection, field, password)
+  end
+
+  # Bind user with only uid field on top of base
  @spec bind_user(any(), String.t(), String.t(), String.t(), String.t()) ::
          User.t() | any()
  defp bind_user(connection, base, uid, field, password) do