WIP: ldap_authentication.sh - add explicit check for whoami

d0a1b54c · Timm Fitschen · c508960f · d0a1b54c · d0a1b54c
Verified Commit d0a1b54c authored 3 years ago by Timm Fitschen
--- a/misc/pam_authentication/ldap.env
+++ b/misc/pam_authentication/ldap.env
@@ -13,11 +13,17 @@ export USER_BASE="dc=example,dc=org" # for actual LDAP servers

 # The BIND_DN_PATTERN is used to construct the DN from the USER_NAME and the
 # USER_BASE. Be sure to surround it with single quotation marks "'" because the
-# variable are to be expanded by the script. Defaults to the first
+# variables inside are to be expanded by the script. Defaults to the first
 #export BIND_DN_PATTERN='cn=${USER_NAME},${USER_BASE}' # for actual LDAP servers.
 #export BIND_DN_PATTERN='${USER_NAME}@${USER_BASE}' # for MS Active Directory

-
+# The WHO_AM_I_PATTERN is used to construct the expected representation of the
+# bound user account. Normal LDAP servers return "dn:<dn>" but MS Active
+# Directory chooses to return "u:<domain>\<user_name>" instead. Be sure to
+# surround it with single quotation marks "'" because the variables inside are
+# to be expanded by the script. Defaults to the first.
+#export WHO_AM_I_PATTERN='dn:cn=${USER_NAME},${USER_BASE}' # for actual LDAP servers.
+#export WHO_AM_I_PATTERN='u:<domain>\${USER_NAME}' # for MS Active Directory

 # TLS SETTINGS

@@ -29,10 +35,14 @@ export USER_BASE="dc=example,dc=org" # for actual LDAP servers
 #export LDAPTLS_REQCERT=try
 #export LDAPTLS_REQCERT=hard

+# In some cases there is no need for specifying the TLS certificates here, e.g.
+# when they are installed system-wide. If that does not work, use these
+# variables:
+
 # Specifies the file that contains certificates for all of the Certificate
 # Authorities the client will recognize.
-export LDAPTLS_CACERT="<filename>"
+#export LDAPTLS_CACERT="<filename>"

 # Specifies the path of a directory that contains Certificate Authority
 # certificates in separate individual files.
-#export LDAPTLS_CACERTDIR=<path>
+#export LDAPTLS_CACERTDIR="<path>"
--- a/misc/pam_authentication/ldap_authentication.sh
+++ b/misc/pam_authentication/ldap_authentication.sh
@@ -33,22 +33,31 @@ exe_dir=$(dirname "$0")
 . "$exe_dir/ldap.env"
 LDAPTLS_REQCERT="${LDAP_TLS_REQCERT:-hard}"
 BIND_DN_PATTERN="${BIND_DN_PATTERN:-'cn=${USER_NAME},${USER_BASE}'}"
+WHO_AM_I_PATTERN="${WHO_AM_I_PATTERN:-'dn:${USER_NAME},${USER_BASE}'}"

 # If the second argument is empty or "-", take password from stdin, else use the argument as a file.
 testpw() {
-    local USER_NAME bind_dn pwfile pwargs
+    local USER_NAME bind_dn who_am_i pwfile pwargs result
    USER_NAME="$1"
    bind_dn="$(eval "echo \"$BIND_DN_PATTERN\"")"
+    who_am_i="$(eval "echo \"$WHO_AM_I_PATTERN\"")"

    pwfile="$2"
    pwargs=("-y" "$pwfile")
-    if [[ "$pwfile" == "-" ]] ; then
+    if [ "$pwfile" = "-" ] ; then
        pwargs=("-W")
    elif [ -z "$pwfile" ] ; then
        pwargs=("-W")
    fi

-    ldapwhoami -o "nettimeout=10" -x -D "$bind_dn" "${pwargs[@]}"
+    result="$(ldapwhoami -o "nettimeout=10" -x -D "$bind_dn" "${pwargs[@]}")"
+    if [ "$?" -ne "0" ] ; then
+        return 1
+    elif [ "$result" = "$who_am_i" ] ; then
+        return 0
+    fi
+    return 1
+
 }

 if testpw "$1" "$2" ; then