From 324344d11856d3473c7c7aabbb457648a4d68bd4 Mon Sep 17 00:00:00 2001
From: Johannes Zellner
Date: Wed, 1 Jul 2020 14:59:26 +0200
Subject: [PATCH] Reusue the single correct ldap.createClient call also in auth
---
 src/externalldap.js | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/src/externalldap.js b/src/externalldap.js
index 63e7852b1..b6e451e35 100644
--- a/src/externalldap.js
+++ b/src/externalldap.js
@@ -57,8 +57,9 @@ function validUserRequirements(user) {
 }
 // performs service bind if required
-function getClient(externalLdapConfig, callback) {
+function getClient(externalLdapConfig, doBindAuth, callback) {
 assert.strictEqual(typeof externalLdapConfig, 'object');
+ assert.strictEqual(typeof doBindAuth, 'boolean');
 assert.strictEqual(typeof callback, 'function');
 // ensure we only callback once since we also have to listen to client.error events
@@ -88,7 +89,8 @@ function getClient(externalLdapConfig, callback) {
 callback(new BoxError(BoxError.EXTERNAL_ERROR, error));
 });
- if (!externalLdapConfig.bindDn) return callback(null, client);
+ // skip bind auth if none exist or if not wanted
+ if (!externalLdapConfig.bindDn || !doBindAuth) return callback(null, client);
 client.bind(externalLdapConfig.bindDn, externalLdapConfig.bindPassword, function (error) {
 if (error instanceof ldap.InvalidCredentialsError) return callback(new BoxError(BoxError.INVALID_CREDENTIALS));
@@ -103,7 +105,7 @@ function ldapGetByDN(externalLdapConfig, dn, callback) {
 assert.strictEqual(typeof dn, 'string');
 assert.strictEqual(typeof callback, 'function');
- getClient(externalLdapConfig, function (error, client) {
+ getClient(externalLdapConfig, true, function (error, client) {
 if (error) return callback(error);
 let searchOptions = {
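Review bot: The comment kept above getClient, `// performs service bind if required`, no longer says when the bind happens now that `doBindAuth` decides it. I would replace it with `// creates the LDAP client; performs the service bind only when doBindAuth is true and a bindDn is configured`, and add that with `doBindAuth` false the returned client is unbound, so the caller has to bind before using it. The bare `true`/`false` at the call sites in ldapGetByDN, ldapUserSearch, ldapGroupSearch, testConfig and verifyPassword gives a reader no hint of what is being switched, which makes this comment the only place the contract is written down. getClient's body continues outside the hunk.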
@@ -140,7 +142,7 @@ function ldapUserSearch(externalLdapConfig, options, callback) {
 assert.strictEqual(typeof options, 'object');
 assert.strictEqual(typeof callback, 'function');
- getClient(externalLdapConfig, function (error, client) {
+ getClient(externalLdapConfig, true, function (error, client) {
 if (error) return callback(error);
 let searchOptions = {
@@ -181,7 +183,7 @@ function ldapGroupSearch(externalLdapConfig, options, callback) {
 assert.strictEqual(typeof options, 'object');
 assert.strictEqual(typeof callback, 'function');
- getClient(externalLdapConfig, function (error, client) {
+ getClient(externalLdapConfig, true, function (error, client) {
 if (error) return callback(error);
 let searchOptions = {
@@ -248,7 +250,7 @@ function testConfig(config, callback) {
 if (!config.groupnameField || typeof config.groupnameField !== 'string') return callback(new BoxError(BoxError.BAD_FIELD, 'groupFilter must not be empty'));
 }
- getClient(config, function (error, client) {
+ getClient(config, true, function (error, client) {
 if (error) return callback(error);
 var opts = {
@@ -332,12 +334,15 @@ function verifyPassword(user, password, callback) {
 if (ldapUsers.length === 0) return callback(new BoxError(BoxError.NOT_FOUND));
 if (ldapUsers.length > 1) return callback(new BoxError(BoxError.CONFLICT));
- let client = ldap.createClient({ url: externalLdapConfig.url });
- client.bind(ldapUsers[0].dn, password, function (error) {
- if (error instanceof ldap.InvalidCredentialsError) return callback(new BoxError(BoxError.INVALID_CREDENTIALS));
- if (error) return callback(new BoxError(BoxError.EXTERNAL_ERROR, error));
+ getClient(externalLdapConfig, false, function (error, client) {
+ if (error) return callback(error);
- callback(null, translateUser(externalLdapConfig, ldapUsers[0]));
+ client.bind(ldapUsers[0].dn, password, function (error) {
+ if (error instanceof ldap.InvalidCredentialsError) return callback(new BoxError(BoxError.INVALID_CREDENTIALS));
+ if (error) return callback(new BoxError(BoxError.EXTERNAL_ERROR, error));
+
+ callback(null, translateUser(externalLdapConfig, ldapUsers[0]));
+ });
 });
 });
 });
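Review bot: The user bind at `client.bind(ldapUsers[0].dn, password, ...)` passes `password` straight through, and nothing in the hunk rejects an empty string. Many LDAP servers treat a simple bind with a DN and an empty password as an unauthenticated bind (RFC 4513 section 5.1.2) and report success, which here would end in `callback(null, translateUser(...))`. Unless verifyPassword already checks this above the hunk (its start is outside the hunk), add `if (password === '') return callback(new BoxError(BoxError.INVALID_CREDENTIALS));` before the `getClient(externalLdapConfig, false, ...)` call. Separately, the client returned by getClient is not closed on any path of the bind callback; calling `client.unbind();` as the first statement of that callback would release the connection after each login attempt.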