LDAP connector - add emailSuffix config option
parent
27f66e795e
commit
ee54a50956
2 changed files with 74 additions and 5 deletions
|
@ -107,6 +107,10 @@ type Config struct {
|
||||||
IDAttr string `json:"idAttr"` // Defaults to "uid"
|
IDAttr string `json:"idAttr"` // Defaults to "uid"
|
||||||
EmailAttr string `json:"emailAttr"` // Defaults to "mail"
|
EmailAttr string `json:"emailAttr"` // Defaults to "mail"
|
||||||
NameAttr string `json:"nameAttr"` // No default.
|
NameAttr string `json:"nameAttr"` // No default.
|
||||||
|
|
||||||
|
// If this is set, the email claim of the id token will be constructed from the idAttr and
|
||||||
|
// value of emailSuffix. This should not include the @ character.
|
||||||
|
EmailSuffix string `json:"emailSuffix"` // No default.
|
||||||
} `json:"userSearch"`
|
} `json:"userSearch"`
|
||||||
|
|
||||||
// Group search configuration.
|
// Group search configuration.
|
||||||
|
@ -331,11 +335,6 @@ func (c *ldapConnector) identityFromEntry(user ldap.Entry) (ident connector.Iden
|
||||||
if ident.UserID = getAttr(user, c.UserSearch.IDAttr); ident.UserID == "" {
|
if ident.UserID = getAttr(user, c.UserSearch.IDAttr); ident.UserID == "" {
|
||||||
missing = append(missing, c.UserSearch.IDAttr)
|
missing = append(missing, c.UserSearch.IDAttr)
|
||||||
}
|
}
|
||||||
if ident.Email = getAttr(user, c.UserSearch.EmailAttr); ident.Email == "" {
|
|
||||||
missing = append(missing, c.UserSearch.EmailAttr)
|
|
||||||
}
|
|
||||||
// TODO(ericchiang): Let this value be set from an attribute.
|
|
||||||
ident.EmailVerified = true
|
|
||||||
|
|
||||||
if c.UserSearch.NameAttr != "" {
|
if c.UserSearch.NameAttr != "" {
|
||||||
if ident.Username = getAttr(user, c.UserSearch.NameAttr); ident.Username == "" {
|
if ident.Username = getAttr(user, c.UserSearch.NameAttr); ident.Username == "" {
|
||||||
|
@ -343,6 +342,14 @@ func (c *ldapConnector) identityFromEntry(user ldap.Entry) (ident connector.Iden
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if c.UserSearch.EmailSuffix != "" {
|
||||||
|
ident.Email = ident.Username + "@" + c.UserSearch.EmailSuffix
|
||||||
|
} else if ident.Email = getAttr(user, c.UserSearch.EmailAttr); ident.Email == "" {
|
||||||
|
missing = append(missing, c.UserSearch.EmailAttr)
|
||||||
|
}
|
||||||
|
// TODO(ericchiang): Let this value be set from an attribute.
|
||||||
|
ident.EmailVerified = true
|
||||||
|
|
||||||
if len(missing) != 0 {
|
if len(missing) != 0 {
|
||||||
err := fmt.Errorf("ldap: entry %q missing following required attribute(s): %q", user.DN, missing)
|
err := fmt.Errorf("ldap: entry %q missing following required attribute(s): %q", user.DN, missing)
|
||||||
return connector.Identity{}, err
|
return connector.Identity{}, err
|
||||||
|
|
|
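Review bot: The new branch `ident.Email = ident.Username + "@" + c.UserSearch.EmailSuffix` reads ident.Username, which is only populated inside the `if c.UserSearch.NameAttr != ""` block above it, so a config that sets emailSuffix without nameAttr produces an email claim of `"@" + suffix` and then marks it `EmailVerified = true`; nothing in the hunk reports this as a missing attribute. The cleanest fix is to reject `EmailSuffix != "" && NameAttr == ""` where the Config is validated when the connector is opened, which is outside this hunk; failing that, the construction should at least be skipped or reported when `ident.Username == ""`. The doc comment added in the first hunk of this file says the claim "will be constructed from the idAttr", but the code uses the nameAttr value, so one of the two should be corrected, e.g. `// If this is set, the email claim of the id token will be constructed from the nameAttr value and`. Since the address is now synthesized from configuration rather than read from the directory, a short comment next to `ident.EmailVerified = true` noting that the verified flag is asserted by config in this mode would help relying parties reading this later. identityFromEntry begins and ends outside the hunk.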
@ -123,6 +123,68 @@ userpassword: bar
|
||||||
runTests(t, schema, connectLDAP, c, tests)
|
runTests(t, schema, connectLDAP, c, tests)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestQueryWithEmailSuffix(t *testing.T) {
|
||||||
|
schema := `
|
||||||
|
dn: dc=example,dc=org
|
||||||
|
objectClass: dcObject
|
||||||
|
objectClass: organization
|
||||||
|
o: Example Company
|
||||||
|
dc: example
|
||||||
|
|
||||||
|
dn: ou=People,dc=example,dc=org
|
||||||
|
objectClass: organizationalUnit
|
||||||
|
ou: People
|
||||||
|
|
||||||
|
dn: cn=jane,ou=People,dc=example,dc=org
|
||||||
|
objectClass: person
|
||||||
|
objectClass: inetOrgPerson
|
||||||
|
sn: doe
|
||||||
|
cn: jane
|
||||||
|
mail: janedoe@example.com
|
||||||
|
userpassword: foo
|
||||||
|
|
||||||
|
dn: cn=john,ou=People,dc=example,dc=org
|
||||||
|
objectClass: person
|
||||||
|
objectClass: inetOrgPerson
|
||||||
|
sn: doe
|
||||||
|
cn: john
|
||||||
|
userpassword: bar
|
||||||
|
`
|
||||||
|
c := &Config{}
|
||||||
|
c.UserSearch.BaseDN = "ou=People,dc=example,dc=org"
|
||||||
|
c.UserSearch.NameAttr = "cn"
|
||||||
|
c.UserSearch.EmailSuffix = "test.example.com"
|
||||||
|
c.UserSearch.IDAttr = "DN"
|
||||||
|
c.UserSearch.Username = "cn"
|
||||||
|
|
||||||
|
tests := []subtest{
|
||||||
|
{
|
||||||
|
name: "ignoremailattr",
|
||||||
|
username: "jane",
|
||||||
|
password: "foo",
|
||||||
|
want: connector.Identity{
|
||||||
|
UserID: "cn=jane,ou=People,dc=example,dc=org",
|
||||||
|
Username: "jane",
|
||||||
|
Email: "jane@test.example.com",
|
||||||
|
EmailVerified: true,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "nomailattr",
|
||||||
|
username: "john",
|
||||||
|
password: "bar",
|
||||||
|
want: connector.Identity{
|
||||||
|
UserID: "cn=john,ou=People,dc=example,dc=org",
|
||||||
|
Username: "john",
|
||||||
|
Email: "john@test.example.com",
|
||||||
|
EmailVerified: true,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
runTests(t, schema, connectLDAP, c, tests)
|
||||||
|
}
|
||||||
|
|
||||||
func TestGroupQuery(t *testing.T) {
|
func TestGroupQuery(t *testing.T) {
|
||||||
schema := `
|
schema := `
|
||||||
dn: dc=example,dc=org
|
dn: dc=example,dc=org
|
||||||
|
|
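Review bot: TestQueryWithEmailSuffix only exercises a config where `c.UserSearch.NameAttr = "cn"` is set alongside `c.UserSearch.EmailSuffix`, so the path in identityFromEntry where emailSuffix is set but nameAttr is empty (which yields an email of `"@" + suffix`) has no coverage; a third config or subtest that omits NameAttr and asserts the resulting error or identity would pin the intended behaviour. The two existing subtests do confirm that jane's `mail: janedoe@example.com` is ignored and that john, who has no mail attribute, still gets an address, which is the right pair of cases. The schema literal appears to be a copy of the one used by the surrounding tests; if so, hoisting it into a shared fixture would keep the three tests from drifting.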