ff3dbe1ea9
OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=131
From 6c85da9a53e9dd022c96a199be4e3bdd280543d6 Mon Sep 17 00:00:00 2001
From: "Gareth J. Greenaway" <gareth@wiked.org>
Date: Thu, 2 Aug 2018 15:35:24 -0700
Subject: [PATCH] Fixing issue when a valid token is generated even when
invalid user credentials are passed. This change verifies that the binddn
credentials are valid, then verifies that the username & password (if not
None) are also valid.
---
salt/auth/ldap.py | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/salt/auth/ldap.py b/salt/auth/ldap.py
index cbfb03a2f2..0b9aa69fe4 100644
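--- a/salt/auth/ldap.py
+++ b/salt/auth/ldap.py
@@ -283,9 +283,15 @@ def auth(username, password):
 log.error('LDAP authentication requires python-ldap module')
 return False
 
- # If bind credentials are configured, use them instead of user's
+ # If bind credentials are configured, verify that we can a valid bind
 if _config('binddn', mandatory=False) and _config('bindpw', mandatory=False):
 bind = _bind_for_search(anonymous=_config('anonymous', mandatory=False))
+
+ # If username & password are not None, attempt to verify they are valid
+ if bind and username and password:
+ bind = _bind(username, password,
+ anonymous=_config('auth_by_group_membership_only', mandatory=False)
+ and _config('anonymous', mandatory=False))
 else:
 bind = _bind(username, password,
 anonymous=_config('auth_by_group_membership_only', mandatory=False)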
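Review bot: An empty or None password still fails open on the new branch: when `binddn`/`bindpw` are configured, `if bind and username and password:` skips the user bind and leaves `bind` holding the service-account connection returned by `_bind_for_search`. The rest of auth() lies outside this hunk, but it presumably treats a truthy `bind` as a successful login, so the user's credentials would never have been checked. Keeping the search connection under its own name makes the path fail closed, e.g. `search_bind = _bind_for_search(anonymous=_config('anonymous', mandatory=False))`, then `bind = False`, then `if search_bind and username and password:` guarding the `_bind(...)` call. If any caller depends on passing `password=None` to obtain the search connection, that should be a separately named path rather than the default outcome of auth(). The new comment `verify that we can a valid bind` is also missing its verb (`get`).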
--
2.19.0