Hacksawfred3232 commented 1 year ago

Feature Request

Feature Information:

TL;DR: Allow users to customize how the filter and the username is passed to the backend LDAP server.

So, revisiting LDAP authentication, I managed to come up with solutions to overcome some of the problems I was encountering before. I'm now able to use my SAMBA AD-DC controller because I should be able to force AMP to use a TLS connection through the helpful use of Stunnel4. And repeating some of the steps using LDAPSearch in the help forums has shown that - unless Novell uses some ass backwards methods vs LDAPSearch - that I should able to set this up without a hitch. One slight problem. This is the code for LDAP login as referenced from here ( https://discourse.cubecoders.com/t/amp-ldap-integration-non-functional-linux/4204/3 ):

using var de = new DirectoryEntry("LDAP://" + domain, username, password, AuthenticationTypes.Encryption);
using var directorySearcher = new DirectorySearcher(de);

directorySearcher.Filter = $"(&(objectClass=user)(sAMAccountName={username}))";
directorySearcher.PropertiesToLoad.Add("SAMAccountName");
directorySearcher.PropertiesToLoad.Add("memberOf");
SearchResult searchResult = directorySearcher.FindOne();

Translated to LDAPSearch...

ldapsearch -H LDAP://domain -D username -w password "(&(objectClass=user)(sAMAccountName=username))" SAMAccountName memberOf

Which, on the surface, looks okay. However, for those using SAMBA AD-DC, this happens instead:

root@alder:/home/Administrator# ldapsearch -H ldaps://localhost:636 -D hsf -W "(&(objectClass=user)(sAMAccountName=hsf))" SAMAccountName memberOf
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)
    additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

For reference, what I tried is the following:

Username "username" and Filter "username" -> No login.
Username "domain\username" and Filter "username" -> Login successfully, returned 1 result.
Same as 3, but with the Filter being the same as username -> Login successfully, but ldap_search returns bad filter. It's the same if you specified the domain like this: username@domain, only the filter error doesn't come up.

Okay, enough rambling, what should be added?

Two parameters: Login.LDAPUserDomain -> The domain name to prefix/suffix to the user Login.LDAPPre2000k -> If True, "LDAPUserDomain\user", else "user@LDAPUserDomain".

Note that the parameters above should not affect what is passed to the filter. So for example: Let's say the server is hosted at localhost. If LDAPUserDomain is set to "example.com", LDAPPre2000k is to false, the username is "johndoe", and the password is "123546", the resulting search (in LDAPSearch format) should be:

ldapsearch -H LDAP://localhost -D johndoe@example.com -w 123546 "(&(objectClass=user)(sAMAccountName=johndoe))" SAMAccountName memberOf

That seems a little too much. Any other ideas?

Just the one. Login.LDAPStripDomainFromFilter -> If the user passes in a username in the format of "domain\username" or "username@domain", the domain (alongside the "@" and "\") should be stripped from what is passed into the filter.

Might be more complex to code in, but it will be more ubiquitous to end users.

I confirm:

[x] that I have searched for an existing feature request matching the description.

PhonicUK commented 1 year ago

I've implemented this in the development build, so you've now got the following settings:

        public bool UseLDAPLogins = false;
        public string LDAPAuthDomain = "";
        public string LDAPGroupPrefix = "AMP_";
        public string LDAPUserDomain = "";
        public bool LDAPADPre2000 = false;
        public bool LDAPStripDomainFromFilter = false;

sauramel commented 1 year ago

Still unable to get this working. Tested with stock AD