FIX: ldap_authentication.sh

ce6095c4 · Timm Fitschen · 28c1ef74 · 28c1ef74 · ce6095c4 · ce6095c4
Verified Commit ce6095c4 authored 3 years ago by Timm Fitschen
--- a/misc/pam_authentication/ldap.conf
+++ b/misc/pam_authentication/ldap.conf
-# This file is sourced by the LDAP authentication script
-# Set the ldap server here.
-# LDAP_SERVER="example.com"
-# Set the ldap domain here. This is used to generate a fully qualified
-# user name: <USER>@$LDAP_DOMAIN
-# LDAP_DOMAIN="example.com"
--- a/misc/pam_authentication/ldap.env
+++ b/misc/pam_authentication/ldap.env
+# ldap.env - This file is sourced by the LDAP authentication script.
+#
+# Please see https://linux.die.net/man/5/ldap.conf for more client
+# configuration variables.
+# REQUIRED - Set the ldap server here,
+export LDAPURI="ldap[s]://<ldap-service>[:<port>]/"
+# REQUIRED - Set the base domain here. This is used to generate a fully qualified
+# user name, a Distinguished Name (DN), with the BIND_DN_PATTERN:
+export USER_BASE="dc=example,dc=org" # for actual LDAP servers
+#export USER_BASE="example.org" # for MS Active Directory
+# REQUIRED if USER_BASE is configured for LDAP servers. The BIND_DN_PATTERN is
+# used to construct the DN from the USER_NAME and the USER_BASE. Be sure to
+# surround it with single quotation marks "'" because the variable are to be
+# expanded by the script. Defaults to the first
+#export BIND_DN_PATTERN='cn=${USER_NAME},${USER_BASE}' # for actual LDAP servers.
+#export BIND_DN_PATTERN='${USER_NAME}@${USER_BASE}' # for MS Active Directory
+# TLS SETTINGS
+# Specifies what checks to perform on server certificates in a TLS session, if
+# any. Defaults to "hard" which means that a successful TLS-certificate check
+# is necessary.
+#export LDAPTLS_REQCERT=never
+#export LDAPTLS_REQCERT=allow
+#export LDAPTLS_REQCERT=try
+export LDAPTLS_REQCERT=hard
+# Specifies the file that contains certificates for all of the Certificate
+# Authorities the client will recognize.
+export LDAPTLS_CACERT="<filename>"
+# Specifies the path of a directory that contains Certificate Authority
+# certificates in separate individual files.
+#export LDAPTLS_CACERTDIR=<path>
--- a/misc/pam_authentication/ldap_authentication.sh
+++ b/misc/pam_authentication/ldap_authentication.sh
@@ -24,38 +24,31 @@
 # Try to authenticate a user ($1) via LDAP, either via stdin or a password file ($2, if given).
 [[ "$#" == "1" || "$#" == "2" ]] || {
-    echo "Call this script as: $0 <user> [<password file>]"
+    echo "Call this script as: $0 <user> [-|<password file>]"
    exit 1
 }
-# set LDAP_SERVER here
+# Load all LDAP client settings
-# e.g. `LDAP_SERVER=example.com`
+exe_dir=$(dirname "$0")
-exe_dir=$(dirname $0)
+. "$exe_dir/ldap.env"
-. "$exe_dir/"ldap.conf
+LDAPTLS_REQCERT="${LDAP_TLS_REQCERT:-hard}"
+BIND_DN_PATTERN="${BIND_DN_PATTERN:-'cn=${USER_NAME},${USER_BASE}'}"
 # If the second argument is empty or "-", take password from stdin, else use the argument as a file.
 testpw() {
-    username="${1}@${LDAP_DOMAIN}"
+    local USER_NAME bind_dn pwfile pwargs
+    USER_NAME="$1"
+    bind_dn="$(eval "echo \"$BIND_DN_PATTERN\"")"
    pwfile="$2"
-    pwargs=("-w" "$pwfile")
+    pwargs=("-y" "$pwfile")
-    if [[ $pwfile == "-" ]] ; then
+    if [[ "$pwfile" == "-" ]] ; then
+        pwargs=("-W")
+    elif [ -z "$pwfile" ] ; then
        pwargs=("-W")
    fi
-    export LDAPTLS_REQCERT=ALLOW
+    ldapwhoami -o "nettimeout=10" -x -D "$bind_dn" "${pwargs[@]}"
-    if timeout 5s ldapwhoami -x -H "ldaps://$LDAP_SERVER" -D "$username" "${pwargs[@]}"; then
-        return 0
-    else
-        ret_code="$?"
-    fi
-    # Possibly try a second time
-    if [[ "$ret_code" != "124" ]] ; then
-        return "$ret_code"
-    fi
-    ldapwhoami -x -H "ldaps://$LDAP_SERVER" -D "$username" "${pwargs[@]}"
 }
 if testpw "$1" "$2" ; then