From d516d74d3f535d3565da0c33a2337fe31bf39054 Mon Sep 17 00:00:00 2001
From: Christoph Haas
Date: Sun, 16 May 2021 23:43:47 +0200
Subject: [PATCH] ldap filter: skip empty emails by default, fix ldap sync (case insensitive email comparison, user source difference)
---
 README.md | 2 +-
 internal/server/configuration.go | 2 +-
 internal/server/ldapsync.go | 6 +++++-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 2fd51b3..f39f108 100644
--- a/README.md
+++ b/README.md
@@ -145,7 +145,7 @@ The following configuration options are available:
 | LDAP_USER | user | ldap | company\\\\ldap_wireguard | The bind user. |
 | LDAP_PASSWORD | pass | ldap | SuperSecret | The bind password. |
 | LDAP_LOGIN_FILTER | loginFilter | ldap | (&(objectClass=organizationalPerson)(mail={{login_identifier}})(!userAccountControl:1.2.840.113556.1.4.803:=2)) | {{login_identifier}} will be replaced with the login email address. |
-| LDAP_SYNC_FILTER | syncFilter | ldap | (&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2)) | The filter string for the LDAP synchronization service. |
+| LDAP_SYNC_FILTER | syncFilter | ldap | (&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2)(mail=*)) | The filter string for the LDAP synchronization service. |
 | LDAP_ADMIN_GROUP | adminGroup | ldap | CN=WireGuardAdmins,OU=_O_IT,DC=COMPANY,DC=LOCAL | Users in this group are marked as administrators. |
 | LDAP_ATTR_EMAIL | attrEmail | ldap | mail | User email attribute. |
 | LDAP_ATTR_FIRSTNAME | attrFirstname | ldap | givenName | User firstname attribute. |
diff --git a/internal/server/configuration.go b/internal/server/configuration.go
index be34c9b..7442a4a 100644
--- a/internal/server/configuration.go
+++ b/internal/server/configuration.go
@@ -104,7 +104,7 @@ func NewConfig() *Config {
 cfg.LDAP.GroupMemberAttribute = "memberOf"
 cfg.LDAP.AdminLdapGroup = "CN=WireGuardAdmins,OU=_O_IT,DC=COMPANY,DC=LOCAL"
 cfg.LDAP.LoginFilter = "(&(objectClass=organizationalPerson)(mail={{login_identifier}})(!userAccountControl:1.2.840.113556.1.4.803:=2))"
-cfg.LDAP.SyncFilter = "(&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
+cfg.LDAP.SyncFilter = "(&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2)(mail=*))"
 cfg.WG.DeviceNames = []string{"wg0"}
 cfg.WG.DefaultDeviceName = "wg0"
diff --git a/internal/server/ldapsync.go b/internal/server/ldapsync.go
index fd53869..abdecf9 100644
--- a/internal/server/ldapsync.go
+++ b/internal/server/ldapsync.go
@@ -54,6 +54,9 @@ func (s Server) userChangedInLdap(user *users.User, ldapData *ldap.RawLdapData)
 if user.Phone != ldapData.Attributes[s.config.LDAP.PhoneAttribute] {
 return true
 }
+if user.Source != users.UserSourceLdap {
+return true
+}
 if user.DeletedAt.Valid {
 return true
@@ -83,7 +86,7 @@ func (s *Server) disableMissingLdapUsers(ldapUsers []ldap.RawLdapData) {
 existsInLDAP := false
 for j := range ldapUsers {
-if activeUsers[i].Email == ldapUsers[j].Attributes[s.config.LDAP.EmailAttribute] {
+if activeUsers[i].Email == strings.ToLower(ldapUsers[j].Attributes[s.config.LDAP.EmailAttribute]) {
 existsInLDAP = true
 break
 }
@@ -129,6 +132,7 @@ func (s *Server) updateLdapUsers(ldapUsers []ldap.RawLdapData) {
 // Sync attributes from ldap
 if s.userChangedInLdap(user, &ldapUsers[i]) {
+logrus.Debugf("updating ldap user %s", user.Email)
 user.Firstname = ldapUsers[i].Attributes[s.config.LDAP.FirstNameAttribute]
 user.Lastname = ldapUsers[i].Attributes[s.config.LDAP.LastNameAttribute]
 user.Email = ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute]
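Review bot: The new default `SyncFilter` hard-codes the `mail` attribute, while the attribute that is actually read as the email is configurable through `cfg.LDAP.EmailAttribute` (the README rows in this patch list it as `LDAP_ATTR_EMAIL`/`attrEmail`), so an operator who overrides only the email attribute keeps a default filter that still requires `mail`. A comment on the changed line would make that coupling visible, e.g. `// (mail=*) drops entries without an email; adjust together with EmailAttribute when overriding either`. This is a default value, so it is a documentation point rather than a defect in the line itself. `NewConfig` continues outside the hunk.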
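Review bot: The added `user.Source != users.UserSourceLdap` check makes `userChangedInLdap` report a change for any account that exists under a different source, and in `updateLdapUsers` (third hunk of this file) a true result appears to lead to the account's first name, last name and email being overwritten from the directory entry; whether such a takeover of a non-LDAP account by an LDAP entry with a matching email is intended is not stated anywhere in the diff. Please record the intent on the new lines, e.g. `// accounts created from another source are re-synced (and taken over) once a matching LDAP entry exists`, or keep the overwrite limited to the source switch if takeover is not wanted. The function uses a value receiver `(s Server)` while the other two functions in this file use `*Server`; that is pre-existing but worth aligning while the function is being touched. `userChangedInLdap` starts before this hunk.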
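Review bot: The comparison lowers only the LDAP side, so it is correct only while `activeUsers[i].Email` is stored in lower case, but the third hunk of this file writes `user.Email = ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute]` without lowering it; after one sync of a mixed-case `mail` value the stored email would no longer match on the next run and `disableMissingLdapUsers` would treat the account as missing, unless the email is normalised somewhere outside the diff. A symmetric comparison removes the dependency on how the value was stored: `if strings.EqualFold(activeUsers[i].Email, ldapUsers[j].Attributes[s.config.LDAP.EmailAttribute]) {`, and/or apply `strings.ToLower` where the email is written in `updateLdapUsers` so the two hunks agree. The enclosing loop of `disableMissingLdapUsers` starts and ends outside this hunk.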
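Review bot: The empty-email case is handled only by the default `SyncFilter` (`(mail=*)`), so with a custom filter an entry without the email attribute still reaches `user.Email = ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute]` and clears the stored email. A guard in the loop body, e.g. `if ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute] == "" { continue }`, keeps the code correct independent of the configured filter; the loop header and the lookup of `user` are outside this hunk, so the exact placement has to be checked there. The new `logrus.Debugf` line logs the email as it was before the update, which is useful for tracing but does put a personal identifier into the debug log; a short comment such as `// logged at debug level only: contains the user's email` would make that explicit.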