salt/fixing-issue-when-a-valid-token-is-generated-even-wh.patch
From 6c85da9a53e9dd022c96a199be4e3bdd280543d6 Mon Sep 17 00:00:00 2001
From: "Gareth J. Greenaway" <gareth@wiked.org>
Date: Thu, 2 Aug 2018 15:35:24 -0700
Subject: [PATCH] Fixing issue when a valid token is generated even when
invalid user credentials are passed. This change verifies that the binddn
credentials are valid, then verifies that the username & password (if not
None) are also valid.
---
salt/auth/ldap.py | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/salt/auth/ldap.py b/salt/auth/ldap.py
index cbfb03a2f2..0b9aa69fe4 100644
--- a/salt/auth/ldap.py
+++ b/salt/auth/ldap.py
@@ -283,9 +283,15 @@ def auth(username, password):
log.error('LDAP authentication requires python-ldap module')
return False
- # If bind credentials are configured, use them instead of user's
+ # If bind credentials are configured, verify that we can a valid bind
if _config('binddn', mandatory=False) and _config('bindpw', mandatory=False):
bind = _bind_for_search(anonymous=_config('anonymous', mandatory=False))
+
+ # If username & password are not None, attempt to verify they are valid
+ if bind and username and password:
+ bind = _bind(username, password,
+ anonymous=_config('auth_by_group_membership_only', mandatory=False)
+ and _config('anonymous', mandatory=False))
else:
bind = _bind(username, password,
anonymous=_config('auth_by_group_membership_only', mandatory=False)
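Review bot: When bind credentials are configured, a call whose `username` or `password` is empty or None skips the user bind on the new `if bind and username and password:` line and leaves `bind` set to the service-account search bind, which is truthy; if the remainder of `auth()` (which continues past this hunk) treats a truthy `bind` as success, an empty password would still produce a token, which is the class of issue the commit description says it fixes. Rather than silently falling through, I'd make the missing-credential case explicit, e.g. `if not (username and password): log.error('LDAP authentication requires both a username and a password'); return False` ahead of the bind-credentials branch — unless the anonymous / group-membership-only modes visible in the `anonymous=` arguments intentionally allow it, which is worth confirming against the rest of the function. The `_bind(username, password, anonymous=...)` expression is now duplicated in both branches; computing the `anonymous` flag once above the `if` would keep the two in step. The hunk's trailing context line appears to be missing from this rendering.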
--
2.19.0