about summary refs log tree commit diff
diff options
context:
space:
mode:
authorImmae <immae@users.noreply.github.com>2018-08-15 18:12:44 +0200
committerEugen Rochko <eugen@zeonfederated.com>2018-08-15 18:12:44 +0200
commitb0f4fe456b15bfe74b9feca247d0ac67a8ba21fb (patch)
tree943ec75db646369361d72d6464b5715f3cdf59f6
parentaaac14b8ad1a2a9e3d58871feb07b1e78c5316c3 (diff)
Add ldap search filter (#8151)
-rw-r--r--.env.production.sample1
-rw-r--r--config/initializers/devise.rb3
-rw-r--r--lib/devise/ldap_authenticatable.rb3
3 files changed, 6 insertions, 1 deletions
diff --git a/.env.production.sample b/.env.production.sample
index ebb078878..349daedd8 100644
--- a/.env.production.sample
+++ b/.env.production.sample
@@ -162,6 +162,7 @@ STREAMING_CLUSTER_NUM=1
 # LDAP_BIND_DN=
 # LDAP_PASSWORD=
 # LDAP_UID=cn
+# LDAP_SEARCH_FILTER="%{uid}=%{email}"
 
 # PAM authentication (optional)
 # PAM authentication uses for the email generation the "email" pam variable
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 8532c9d9a..cd9bacf68 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -59,6 +59,8 @@ module Devise
   @@ldap_password = nil
   mattr_accessor :ldap_tls_no_verify
   @@ldap_tls_no_verify = false
+  mattr_accessor :ldap_search_filter
+  @@ldap_search_filter = nil
 
   class Strategies::PamAuthenticatable
     def valid?
@@ -362,5 +364,6 @@ Devise.setup do |config|
     config.ldap_password       = ENV.fetch('LDAP_PASSWORD')
     config.ldap_uid            = ENV.fetch('LDAP_UID', 'cn')
     config.ldap_tls_no_verify  = ENV['LDAP_TLS_NO_VERIFY'] == 'true'
+    config.ldap_search_filter  = ENV.fetch('LDAP_SEARCH_FILTER', '%{uid}=%{email}')
   end
 end
diff --git a/lib/devise/ldap_authenticatable.rb b/lib/devise/ldap_authenticatable.rb
index ef786fbb7..534c7a851 100644
--- a/lib/devise/ldap_authenticatable.rb
+++ b/lib/devise/ldap_authenticatable.rb
@@ -24,7 +24,8 @@ module Devise
             connect_timeout: 10
           )
 
-          if (user_info = ldap.bind_as(base: Devise.ldap_base, filter: "(#{Devise.ldap_uid}=#{email})", password: password))
+          filter = format(Devise.ldap_search_filter, uid: Devise.ldap_uid, email: email)
+          if (user_info = ldap.bind_as(base: Devise.ldap_base, filter: filter, password: password))
             user = User.ldap_get_user(user_info.first)
             success!(user)
           else