Not all LDAP servers have entryDN available as an attribute. Reading up on
https://tools.ietf.org/html/rfc5020 tells me that entryDN is intended for
making the DN available for attribute value assertions. Thus it is not
mandatory for a LDAP server to make it available as an retrievable
attribute.
The DN is always a part of the entry returned in a search result, just use
it.
Fixes#314
Authentication is performed by binding to the configured LDAP server using
the user supplied credentials. Successfull bind equals authenticated user.
Optionally the connector can be configured to search before authentication.
The entryDN found will be used to bind to the LDAP server.
This feature must be enabled to get supplementary information from the
directory (ID, Name, Email). This feature can also be used to limit access
to the service.
Example use case: Allow your users to log in with e-mail address instead of
the identification string in your DNs (typically username).
To make re-use of HTTP form handling code from the Local connector possible:
- Implemented IdentityProvider interface
- Moved the re-used functions to login_local.go
Fixes#119
HTTP code 307 aka. StatusTemporaryRedirect is used throughout the
project. However, the endpoints redirected to explicitly expects
the client to make a GET request.
If a HTTP client issues a POST request to a server and receives a
HTTP 307 redirect, it forwards the POST request to the new URL.
When using 302 the HTTP client will issue a GET request.
Fixes#287
TestResetPasswordHandler depended on makeToken begin called twice
during the initialization of a single test case and later assuming
the result would match. Because the token has a timestamp accurate
to the second, occasionally the timestamps would be slightly off
within a single test case and cause the test to fail.
Adding a sleep statement to makeToken would cause the test to fail
reliably.
Define a single token for each test case outside of the struct
initializer so test cases compare the same token.
Closes#274
Additionally remove logging statements that dump entire HTML pages.
Move client authentication into its own middleware and provide
differentiation between HTTP requests that do not provide
credentials (401) and requests that authenticate as a non-admin
user (403).
Closes#152
The "redirectURLs" field in the client metadata has been updated
to the correct "redirect_uris". To allow backwards compatibility
use Postgres' JSON features to update the actual JSON in the text
field.
json_build_object was introduced in Postgres 9.4. So update the
documentations to require at least this version.
These tests aren't included in the top level test script so have
unintentionally been ignored and currently don't compile. Until
this is fixed (see #257) add a build tag so tools ignore them.
