authorJames Elliott <james-d-elliott@users.noreply.github.com>2021-07-04 15:44:11 +1000
committerGitHub <noreply@github.com>2021-07-04 15:44:11 +1000
commit31c5c820f08b26cc9e4831efa02c13ca272e559d (patch)
tree5605e4657c118ef771b55d69acfadc32d49231a8
parentef549f851d59ea5911b8ae76d4641c2c9eded6dc (diff)
refactor(authentication): log ldap warning on startup in rare condition (#2141)
This is so that on startup, administrators whose LDAP server implementation may not hash passwords by default are clearly warned. The warning only triggers if the disable password reset option is not enabled, the extension OID for the Extended Password Modify Operation cannot be found, and the implementation is not Active Directory. Active Directory has its own method for this which does not advertise an OID.
-rw-r--r--cmd/authelia/main.go2
-rw-r--r--internal/authentication/ldap_user_provider.go13
2 files changed, 8 insertions, 7 deletions
diff --git a/cmd/authelia/main.go b/cmd/authelia/main.go
index 791457410..8b7879cd2 100644
--- a/cmd/authelia/main.go
+++ b/cmd/authelia/main.go
@@ -103,7 +103,7 @@ func startServer() {
case config.AuthenticationBackend.File != nil:
userProvider = authentication.NewFileUserProvider(config.AuthenticationBackend.File)
case config.AuthenticationBackend.LDAP != nil:
- userProvider, err = authentication.NewLDAPUserProvider(*config.AuthenticationBackend.LDAP, autheliaCertPool)
+ userProvider, err = authentication.NewLDAPUserProvider(config.AuthenticationBackend, autheliaCertPool)
if err != nil {
logger.Fatalf("Failed to Check LDAP Authentication Backend: %v", err)
}
diff --git a/internal/authentication/ldap_user_provider.go b/internal/authentication/ldap_user_provider.go
index 6fcec587e..0fcc6a874 100644
--- a/internal/authentication/ldap_user_provider.go
+++ b/internal/authentication/ldap_user_provider.go
@@ -29,18 +29,19 @@ type LDAPUserProvider struct {
}
// NewLDAPUserProvider creates a new instance of LDAPUserProvider.
-func NewLDAPUserProvider(configuration schema.LDAPAuthenticationBackendConfiguration, certPool *x509.CertPool) (provider *LDAPUserProvider, err error) {
- provider = newLDAPUserProvider(configuration, certPool, nil)
+func NewLDAPUserProvider(configuration schema.AuthenticationBackendConfiguration, certPool *x509.CertPool) (provider *LDAPUserProvider, err error) {
+ provider = newLDAPUserProvider(*configuration.LDAP, certPool, nil)
err = provider.checkServer()
if err != nil {
return provider, err
}
- if provider.supportExtensionPasswdModify {
- provider.logger.Trace("LDAP Server does support passwdModifyOID Extension")
- } else {
- provider.logger.Trace("LDAP Server does not support passwdModifyOID Extension")
+ if !provider.supportExtensionPasswdModify && !configuration.DisableResetPassword &&
+ provider.configuration.Implementation != schema.LDAPImplementationActiveDirectory {
+ provider.logger.Warnf("Your LDAP server implementation may not support a method for password hashing " +
+ "known to Authelia, it's strongly recommended you ensure your directory server hashes the password " +
+ "attribute when users reset their password via Authelia.")
}
return provider, nil
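Review bot: The warning the new `if` block emits names the risk but neither what triggered it nor which setting removes it, although both are known at that point: `supportExtensionPasswdModify` is false, meaning the server did not advertise the Extended Password Modify Operation, and `configuration.DisableResetPassword` is the option that makes the warning moot. I would make the message actionable, e.g. `provider.logger.Warn("LDAP server does not advertise the Extended Password Modify Operation and the implementation is not Active Directory: passwords reset via Authelia may be stored unhashed unless the directory server hashes the password attribute itself. Verify that it does, or disable password resets (DisableResetPassword, presumably disable_reset_password in the configuration).")`. `Warn` rather than `Warnf` is appropriate here, as the string contains no formatting directives. Note that this remains advisory only: selecting the Active Directory implementation for a non-AD server silences the check entirely, so the hashing requirement is worth documenting alongside the LDAP configuration as well. The closing brace of NewLDAPUserProvider is outside the hunk.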