
WIP: Fix for SASL binds

Part of a fix for gitlab#21589.

Two separate issues are addressed here.

First, bind_as was using the wrong parameter when deciding whether to do a SASL bind. The net/ldap library uses "method" in two different contexts: encryption[:method] for ssl/tls/plain and auth[:method] for sasl/simple/anonymous. The omniauth/ldap library maps @method to encryption[:method] and @bind_method to auth[:method]. This change updates bind_as to use the correct parameter: @bind_method.

Second, some LDAP implementations (e.g. Active Directory) pre-calculate digest hashes to avoid storing the user password in a reversible form. This requires clients to use a bind target and digest URI that match those used by the server. The original implementation used fixed values for the bind target and digest URI (:dn and "ldap/#{@host}", respectively). This change updates bind_as and sasl_bind_setup_digest_md5 to use configurable values.

Edited by 🤖 GitLab Bot 🤖
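Why fixed values for the bind target and digest URI fail against such a server, as an added example that is not code from this merge request or from omniauth-ldap: the DIGEST-MD5 response defined in RFC 2831 covers both the username and the digest URI, so the client must send the same strings the server uses. The function names, hosts, credentials and the simplified server check are all constructed for illustration.

```ruby
require 'digest/md5'

# DIGEST-MD5 response per RFC 2831 section 2.1.2.1 (qop=auth, no authzid).
# Hypothetical helper for illustration, not part of omniauth-ldap or net/ldap.
def digest_md5_response(username:, realm:, password:, nonce:, cnonce:,
                        digest_uri:, nc: '00000001', qop: 'auth')
  # A server can store this inner hash instead of the password. It is bound
  # to the exact username and realm strings that were hashed.
  secret = Digest::MD5.digest("#{username}:#{realm}:#{password}")
  a1 = secret + ":#{nonce}:#{cnonce}".b      # raw 16 bytes, then ASCII text
  a2 = "AUTHENTICATE:#{digest_uri}"          # the digest URI enters here
  ha1 = Digest::MD5.hexdigest(a1)
  ha2 = Digest::MD5.hexdigest(a2)
  Digest::MD5.hexdigest("#{ha1}:#{nonce}:#{nc}:#{cnonce}:#{qop}:#{ha2}")
end

# Constructed challenge values and credentials for the demonstration.
CHALLENGE = {
  realm: 'example.test', nonce: 'c2VydmVyLW5vbmNl',
  cnonce: 'Y2xpZW50LW5vbmNl', password: 'constructed-password'
}.freeze

# What the directory expects (constructed): a short login name and the
# service name it answers to.
SERVER_VIEW = { username: 'jdoe', digest_uri: 'ldap/dc1.example.test' }.freeze

# Fixed values as in the original implementation: the DN as bind target and
# "ldap/#{host}" built from the configured host, here an IP address.
FIXED_VIEW = { username: 'cn=jdoe,dc=example,dc=test',
               digest_uri: 'ldap/10.0.0.5' }.freeze

# Configurable values set to match the server.
CONFIGURED_VIEW = { username: 'jdoe',
                    digest_uri: 'ldap/dc1.example.test' }.freeze

# Simplified server check: recompute the response from the server's own view
# and compare it with what the client computed.
def server_accepts?(client_view)
  digest_md5_response(**CHALLENGE, **client_view) ==
    digest_md5_response(**CHALLENGE, **SERVER_VIEW)
end

puts "fixed :dn and ldap/host -> accepted? #{server_accepts?(FIXED_VIEW)}"
puts "configured values       -> accepted? #{server_accepts?(CONFIGURED_VIEW)}"
```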
