yammer / dropwizard-auth-ldap Goto Github PK

I need to connect to foxpass which does not allow anonymous binds, so I created this PR to allow one to specify a bind username/password. #12 If you think it looks ok I'd love if it was merged in and released.

Thank you so much

In LdapAuthenticator::authenticate() - if restrictedGroups is not configured, then intersection of user groups with restrcitedGroups is skipped. As a result user is authenticated successfully.

But, LdapAuthenticator:authenticateAndReturnPermittedGroups - if restrictedGroups is not configured, then intersection is still enforced and resultantly authentication is denied.

IMO, the behavior doesn't match and should be changed from:

   private Set<String> getGroupMembershipsIntersectingWithRestrictedGroups(
   ::
                if (configuration.getRestrictToGroups().contains(group)) {
                        overlappingGroups.add(group);
                }

to:

   private Set<String> getGroupMembershipsIntersectingWithRestrictedGroups(
   ::
                if (configuration.getRestrictToGroups().isEmpty() ||
                            configuration.getRestrictToGroups().contains(group)) {
                        overlappingGroups.add(group);
                }

Hello Yammer team,
can you please provide a more detailed description in the configuration chapter of your Readme file? Please describe in a few sentences the parameters or provide a link that describes the parameter.

FYI: you have a dead link to dropwizard.
http://www.dropwizard.io/manual/auth.html

Hey,

I need to access our internal LDAP server and hence want to switch trust all connections as the current certificate is causing issues (tried adding it as certificate via keytool too).

There are ways to set trust all connections for HTTPS protocol, can someone help in doing the same for ldaps ?

Regards,
Durga

If my ldap configuration contains restrictedToGroups data, the method "authentication" is not working. I debug the code and found in method filterByGroup this statement:

final String filter = String.format("(&(%s=%s)(|%s))", configuration.getGroupMembershipAttribute(), sanitizedUsername, groupFilter.toString());

This statement I changed to:

    final String filter = String.format("(&(%s=%s=%s,%s)(|%s))", configuration.getGroupMembershipAttribute(), configuration.getUserNameAttribute(), sanitizedUsername, configuration.getUserFilter(), groupFilter.toString());

Now it is working on my ldap (or maybe my ldap knowledge is insufficient).

Just parametrizing the SearchControls used in com.yammer.dropwizard.authenticator.LdapAuthenticator

        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);

Bad luck, I cannot override easily the class com.yammer.dropwizard.authenticator.LdapAuthenticator because all methods are private :( I had to clone quite all of this class...

Hi,

I am not sure if this is my issue or if this is a bug. I can authenticate my user correctly by using:

user/password.

This is because in authenticat you create the username like:

final String userDN = String.format("%s=%s,%s", configuration.getUserNameAttribute(), sanitizedUsername, configuration.getUserFilter());

However, in authenticateAndReturnPermittedGroups this code does not apply, so it actually adds the username (not the entire usernameAttributes) at which point no groups are returned and therefore authentication fails.

Thanks,

Artur

With LDAPS being deprecated [1] in favour of negotiating TLS over port 386 * I'm assuming * that if the TLS negotiation fails then the attempt to authenticate against the LDAP server on port 386 should also fail.

What I'm experiencing with the dropwizard-auth-ldap module (v1.0.3) is that if the client is returned a LDAP server security certificate which is not found in the client trust store (that is, the TLS negotiate fails) the DW LdapAuthenticator method authenticate() logs the error as LOGGER.info("Could not negotiate TLS", err); and then continues to pass the user credentials as plain text to the LDAP server. I would have thought the AutoclosingLdapContext constructor should log the error [2] and also throw an exception.

What are your thoughts?

Thanks.

[1]

https://books.google.com.au/books?id=utsMgEfnPSEC&pg=PT38&lpg=PT38&dq=RFC+2830+ldaps+deprecated&source=bl&ots=LomwCLOS0g&sig=T9cFF26ahPbzJUg5Hh-gp2ybA-s&hl=en&sa=X&ved=0ahUKEwjf6r69sq_SAhVJG5QKHX8RDqEQ6AEIODAE#v=onepage&q=RFC%202830%20ldaps%20deprecated&f=false

[2]

` public class AutoclosingLdapContext extends InitialLdapContext implements AutoCloseable {
private static final Logger LOGGER = LoggerFactory.getLogger(AutoclosingLdapContext.class);
private StartTlsResponse tls = null;

protected AutoclosingLdapContext() throws NamingException {
    this(new Hashtable<>(), true);
}

public AutoclosingLdapContext(Hashtable<?, ?> environment, boolean negotiateTls) throws NamingException {
    super(environment, null);
    if (negotiateTls) {
        try {
            tls = (StartTlsResponse) this.extendedOperation(new StartTlsRequest());
            tls.negotiate();
        } catch (Exception err) {
            LOGGER.info("Could not negotiate TLS", err);
        }
    }
}`

Please update for dropwizard 1.x. Current instructions appear to be for 0.x. After some work I have been able to get it to work for logging in, but the @Auth annotation does not provide access to the User object.

The current instructions do not appear to work at all with 1.x and results in various errors.

Can you add TLS support? SSL versions are no longer recommended in many environments due to security concerns.

Can you please provide an option to enable multiple LDAP server in the URI Parameter set?

Currently you just can provide one Server:
uri: ldaps://myldap.com:636

Please enable the option that you can provide multiple server:
uri: ldaps://myldap1.com:636; uri: ldaps://myldap2.com:636

Here detail:

LdapConfiguration ldapConfiguration = configuration.getLdapConfiguration()**[ERROR HERE = create a variable in configuration and alter .yml]**;
Authenticator<BasicCredentials, BasicCredentials**[ERROR HERE = maybe a class implements Personal ??]**> ldapAuthenticator = new CachingAuthenticator<**[ERROR HERE = cannot infer arguments]**>(
                environment.metrics(),
                new ResourceAuthenticator(new LdapAuthenticator(ldapConfiguration)),
                ldapConfiguration.getCachePolicy());
environment.jersey().register(new AuthDynamicFeature(
                new BasicCredentialAuthFilter.Builder<User>()
                        .setAuthenticator(ldapAuthenticator)
                        .setRealm("LDAP")
                        .buildAuthFilter()));
environment.jersey().register(new AuthValueFactoryProvider.Binder<>(BasicCredentials.class**[ERROR HERE = maybe a class implements Personal ??]**));
environment.healthChecks().register("ldap", new LdapHealthCheck<**[ERROR HERE = cannot infer arguments]**>(new LdapCanAuthenticate(ldapConfiguration)))

Are there any plans to add a feature to lookup the userDN before trying the bind?
In the current implementation the authentication will only work if all users trying to logon are placed in the same OU (namely the one specified via userFilter).

I would welcome something like something like:
-making userFilter an actiual user (RFC compliant) LDAP Filter like eg "(objectClass=User)"
-adding an option for a base dn for searches
-adding an option for search Scope
-adding an option for bindDN
-adding an option for bindPW
-replacing the toUserDN function with a function that searches for the user with the above options and returns the dn of the user if found.
-using the returned dn for checking the password by opening another LDAP connection.