
LDAP - can't login if domain controller password is needed #9518

Open
peponi opened this issue Apr 25, 2024 · 0 comments
Labels
enhancement New features or improvements of some kind, as opposed to a problem (bug)

Comments

@peponi

peponi commented Apr 25, 2024

What happened?

Problem:

The current implementation of LDAP in Syncthing has a bug that makes it impossible for users to log in with their LDAP account if a domain controller password is needed, because there is no way to specify a DC password for the DC user ID request.

Details:

When configuring Syncthing to use LDAP authentication, it is necessary to send a request to the domain controller to retrieve the user ID. Normally, this would require entering a domain controller password to authenticate the request. However, Syncthing does not currently provide a way to specify such a password, which causes authentication to fail and prevents users from logging in with their LDAP accounts.

Expected behavior:

The LDAP integration should provide an option to specify a domain controller password to perform authentication for the user ID query. This way, users can successfully access their LDAP accounts and log in via Syncthing.

It should work like in the ldapsearch example below for the user John Doe:

# Step 1: bind with the service account (the "DC password" this issue asks for) and
# search the whole domain for the login name to find the user's distinguished name (dn).
# -x selects a simple bind; -D/-w are the service account's DN and password
# (use -W to be prompted instead of leaving the password in the shell history).
ldapsearch -x -D 'CN=ldapquery,OU=Service Accounts,OU=User,DC=YOUR_DOMAIN,DC=ads' -b 'DC=YOUR_DOMAIN,DC=ads' -w 'DC_PASSWORD' -H ldap://xxx.xxx.xxx.xxx "(CN=John Doe)"

# this returns something like
# dn: CN=John Doe,OU=CH,OU=User,DC=YOUR_DOMAIN,DC=ads

# Step 2: the returned dn is used after -D, together with the user's own password.
# The bind itself is the actual authentication: a wrong password fails here with
# "Invalid credentials (49)". Without -b the search that follows the bind runs against
# an empty base, which Active Directory rejects with result 32 (see the output below).
ldapsearch -x -D 'CN=John Doe,OU=CH,OU=User,DC=YOUR_DOMAIN,DC=ads' -w 'USER_PASSWORD' -H ldap://xxx.xxx.xxx.xxx

# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object
text: 0000208D: NameErr: DSID-03100221, problem 2001 (NO_OBJECT), data 0, best match of: ''

something like this (screenshot of the proposed settings, not reproduced here)

Bonus:

It would be nice if you could configure the filter "(CN=John Doe)", so you can filter for every LDAP object key you want,
e.g. "(EMAIL=john.doe.mail.com)".

So people could log in with their e-mail or whatever.

This is where the "Search Filter" field comes into play, right?

Syncthing version

v1.27.18

Platform & operating system

Linux amd64

Browser version

No response

Relevant log output

No response

@peponi peponi added bug A problem with current functionality, as opposed to missing functionality (enhancement) needs-triage New issues needed to be validated labels Apr 25, 2024
@calmh calmh added enhancement New features or improvements of some kind, as opposed to a problem (bug) and removed bug A problem with current functionality, as opposed to missing functionality (enhancement) needs-triage New issues needed to be validated labels Apr 25, 2024
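The two-step flow the issue describes (bind with the service account's "DC password", look up the user's DN with a configurable filter, then bind as that DN with the user's own password), written out as an added example in Go, the language Syncthing is written in. This is not Syncthing's code: the Directory interface, the in-memory fakeDir standing in for the domain controller, the Config field names and the mail attribute used for the e-mail login bonus are all assumptions, and the sample directory is constructed from the placeholder DNs and passwords in the post. It also shows one thing the ldapsearch commands above do not: the login name has to be escaped before it is spliced into the search filter (RFC 4515), otherwise a name such as `*)(cn=*` rewrites the query instead of being looked up.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Directory is the subset of LDAP operations the login flow needs; a real
// implementation wraps an LDAP client, fakeDir below stands in for the DC.
type Directory interface {
	Bind(dn, password string) error
	Search(baseDN, filter string) ([]string, error)
}
// Config holds what the issue asks for: a service-account DN and password for
// the lookup bind, the search base, and a filter template whose %s is replaced
// by the escaped login name, e.g. "(cn=%s)" or "(mail=%s)".
type Config struct{ BindDN, BindPassword, BaseDN, SearchFilter string }
var ErrAuthFailed = errors.New("ldap: authentication failed")

// EscapeFilter escapes a value for use inside a search filter (RFC 4515
// section 3) so a login name such as `*)(cn=*` cannot alter the filter.
func EscapeFilter(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// Authenticate runs the two-step flow from the issue: bind as the service
// account, resolve the user's DN, insist on exactly one match, then bind as
// that DN with the user's own password. It returns the authenticated DN.
func Authenticate(dir Directory, cfg Config, username, password string) (string, error) {
	if username == "" || password == "" {
		return "", ErrAuthFailed // an empty password would be an anonymous bind on many servers
	}
	if err := dir.Bind(cfg.BindDN, cfg.BindPassword); err != nil {
		return "", fmt.Errorf("service account bind: %w", err) // a config problem, not a user error
	}
	dns, err := dir.Search(cfg.BaseDN, strings.ReplaceAll(cfg.SearchFilter, "%s", EscapeFilter(username)))
	if err != nil {
		return "", err
	}
	if len(dns) != 1 {
		return "", ErrAuthFailed // zero: unknown user; several: ambiguous, refuse rather than pick one
	}
	if err := dir.Bind(dns[0], password); err != nil {
		return "", ErrAuthFailed
	}
	return dns[0], nil
}

// fakeDir is a constructed in-memory stand-in for the domain controller (assumption).
type fakeDir struct {
	passwords map[string]string            // DN -> password
	attrs     map[string]map[string]string // DN -> lower-case attribute -> value
}
func (f *fakeDir) Bind(dn, password string) error {
	if p, ok := f.passwords[dn]; !ok || password == "" || p != password {
		return errors.New("invalid credentials (49)")
	}
	return nil
}
// Search supports one equality filter "(attr=value)", compared case-insensitively as AD does.
func (f *fakeDir) Search(baseDN, filter string) ([]string, error) {
	parts := strings.SplitN(strings.TrimSuffix(strings.TrimPrefix(filter, "("), ")"), "=", 2)
	if len(parts) != 2 || strings.ContainsAny(parts[1], "()*") {
		return nil, fmt.Errorf("unsupported filter %q", filter)
	}
	var out []string
	for dn, a := range f.attrs {
		// A server unescapes the filter value; comparing escaped forms is equivalent for equality.
		if strings.HasSuffix(dn, baseDN) && strings.EqualFold(EscapeFilter(a[strings.ToLower(parts[0])]), parts[1]) {
			out = append(out, dn)
		}
	}
	return out, nil
}

// SampleConfig and SampleDirectory reuse the DNs and placeholder passwords from
// the issue; the mail attribute is an assumption for the e-mail login bonus.
var SampleConfig = Config{
	BindDN: "CN=ldapquery,OU=Service Accounts,OU=User,DC=YOUR_DOMAIN,DC=ads", BindPassword: "DC_PASSWORD",
	BaseDN: "DC=YOUR_DOMAIN,DC=ads", SearchFilter: "(cn=%s)",
}
const johnDN = "CN=John Doe,OU=CH,OU=User,DC=YOUR_DOMAIN,DC=ads"
var SampleDirectory = &fakeDir{
	passwords: map[string]string{SampleConfig.BindDN: "DC_PASSWORD", johnDN: "USER_PASSWORD"},
	attrs:     map[string]map[string]string{johnDN: {"cn": "John Doe", "mail": "john.doe@example.com"}},
}

func main() {
	for _, name := range []string{"John Doe", "*)(cn=*", "nobody"} {
		dn, err := Authenticate(SampleDirectory, SampleConfig, name, "USER_PASSWORD")
		fmt.Printf("%q -> dn=%q err=%v\n", name, dn, err)
	}
}
```

A failed service-account bind is returned as a distinct, wrapped error so it can be logged as a configuration problem, while a wrong user password, an unknown user, a filter that matches several entries and an empty password all collapse into the same ErrAuthFailed, so the login form does not reveal which of them occurred. Switching SearchFilter to "(mail=%s)" is all that the e-mail login from the bonus section needs.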