Identification via attribute (e.g. email address)

[lorenzschmid]

Currently, authentication is only possible via the uid of the user. Thereby, the uid of the user as well as his password are used to make an authentication call to the LDAP server.

For my setup I wanted authentication to work with the user's mail attribute instead. Thereby, two authentication calls are necessary:

1. Authentication via BIND DN (i.e. an admin account) which fetches the user's uid based on the given mail
2. User authentiaction with the obtained uid

I modified the script accordingly but since I am not fluent in bash I prefer to write it down in this issue instead of a PR. Maybe there is a way to merge it with the existing code? Following my modifications:

• In the ldap_auth_curl() and ldap_auth_ldapsearch() I replaced the variable $password with $PW

• Since two authentication calls are now necessary, I wrapped the code in question in a function

  ldap_auth() {
      case "$CLIENT" in
          "curl")
              ldap_auth_curl
              ;;
          "ldapsearch")
              ldap_auth_ldapsearch
              ;;
          *)
              log "Unsupported client '$CLIENT', revise the configuration."
              exit 2
              ;;
      esac
  
      return $?
  }

• The single authentication call now becomes:

  ...
  [ $err -ne 0 ] && exit 2
  
  # Do authentication via bind_dn to get user_dn
  ldap_auth
  
  # Overwrite parameters for actual authentication without bind_dn
  USERDN=$(echo "$output" | sed -n -e "s/^\(dn\|DN\)\s*:\s*\(uid.*\)$/\2/p")
  PW="$password"
  
  if [ -z "$USERDN" ]; then
      log "User '$username' could not be found."
      exit 1
  fi
  
  # Actual user authentication
  ldap_auth
  
  result=$?
  ...

You can find my update script here (breaking the original functionality of direct authentication). Following an example of the configuration file for the updated script:

SERVER="ldap://ldap.domain.com:389"
USERDN="uid=root,cn=users,dc=ldap,dc=domain,dc=com"
PW="[secret]"

BASEDN="cn=users,dc=ldap,dc=domain,dc=com"
SCOPE="one"
FILTER="(&(objectClass=person)(mail=$(ldap_dn_escape "$username")))"

NAME_ATTR="cn"
ATTRS="$ATTRS $NAME_ATTR"

USERNAME_PATTERN='^[a-z|A-Z|0-9|_|-|.|@]+$'

[polcape]

Hi @lorenzschmid ,

thanks for the work! I modified a bit your script and finally work the authetication by active directory!!

[joshuaboniface]

I ran into this same issue, and generalized the solution a bit more.

The updated code is in my fork: https://github.com/joshuaboniface/ldap-auth-sh