
LDAP: Allow anonymous bind for initial search #1536

Closed
TVerse opened this issue Dec 30, 2020 · 3 comments
@TVerse

TVerse commented Dec 30, 2020

For LDAP, I would like to do the initial bind with an anonymous user. This is the flow I'm after:

  • Anonymous bind
  • Search for given user (deny login if not found)
  • Bind with given user (deny login if fail)

This flow is already supported for non-anonymous binds through AUTH_LDAP_BIND_USER, but it does not work for anonymous binds. Anonymous binds are done with zero-length user and password, which are falsey, so the initial bind is skipped (manager.py _bind_indirect_user and _bind_ldap). I would love a difference between '' and None, or some flag allow_anonymous_bind.

(Sidenote: python-ldap anonymous binds can be done with con.simple_bind_s())

There is a partial workaround by "guessing" the user's distinguished name and immediately binding as that user (through AUTH_LDAP_USERNAME_FORMAT), but that leads to two problems:

  • The distinguished name is not guaranteed to be stable, requiring configuration changes to fix, and causing issues if your LDAP names aren't predictable.
  • The search is only performed once, during initial registration. If the search filter contains for example memberOf= clauses, these are not checked on subsequent logins, which means that even after revoking groups, app access remains.

Environment

Flask-Appbuilder version: 3.1.1

Partial pip freeze output (modified airflow:2.0.0-python3.8 Docker image with added ldap support):

Flask==1.1.2
Flask-AppBuilder==3.1.1
Flask-Babel==1.0.0
Flask-Caching==1.9.0
Flask-JWT-Extended==3.25.0
Flask-Login==0.4.1
Flask-OpenID==1.2.5
Flask-SQLAlchemy==2.4.4
flask-swagger==0.2.13
Flask-WTF==0.14.3
python-ldap==3.3.1
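The three-step flow requested above (anonymous bind, search for the user, bind as the DN the search returned), as an added example written against python-ldap's connection interface. This is not Flask-AppBuilder's own code: the `_bind` helper shows the `''`-versus-`None` distinction the issue asks for, the search filter is re-evaluated on every login so a `memberOf=` clause keeps being enforced, and the username is escaped per RFC 4515 before it is placed in the filter. The connection is injected so the flow can be exercised offline with the constructed `FakeLdapConnection`; in production you would pass the object returned by `ldap.initialize(...)` instead. The directory contents, group name and password are constructed sample values.

```python
"""Added example (not Flask-Appbuilder code): anonymous bind -> search -> user bind."""
import re

try:
    import ldap  # real python-ldap, if installed
    SCOPE_SUBTREE = ldap.SCOPE_SUBTREE
    LdapError = ldap.LDAPError
except ImportError:  # offline fallback; python-ldap's SCOPE_SUBTREE is 2
    SCOPE_SUBTREE = 2

    class LdapError(Exception):
        pass


def escape_filter_value(value):
    """RFC 4515 escaping so a username cannot change the shape of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def initial_bind(con, bind_user, bind_password):
    """Distinguish 'no initial bind configured' (None) from 'anonymous bind' ('').

    python-ldap performs an anonymous bind as con.simple_bind_s() with no arguments.
    """
    if bind_user is None:
        return
    if bind_user == "":
        con.simple_bind_s()
    else:
        con.simple_bind_s(bind_user, bind_password)


def ldap_login(con, username, password, search_base, bind_user="",
               bind_password="", uid_attr="uid", extra_filter=""):
    """Return the user's DN on success, None when the login must be denied."""
    if not password:  # an empty password would itself be an anonymous bind
        return None
    try:
        initial_bind(con, bind_user, bind_password)
        filt = "(&(%s=%s)%s)" % (uid_attr, escape_filter_value(username), extra_filter)
        hits = [(dn, a) for dn, a in con.search_s(search_base, SCOPE_SUBTREE, filt, [uid_attr]) if dn]
        if len(hits) != 1:  # not found, or ambiguous: deny
            return None
        user_dn = hits[0][0]
        con.simple_bind_s(user_dn, password)  # raises on bad credentials
        return user_dn
    except LdapError:
        return None


class FakeLdapConnection:
    """Constructed stand-in for python-ldap's connection: one user in one group."""

    def __init__(self):
        self.directory = {
            "uid=alice,ou=people,dc=example,dc=com": {
                "uid": [b"alice"],
                "memberOf": [b"cn=airflow,ou=groups,dc=example,dc=com"],
                "_password": "correct-horse",  # constructed sample secret
            },
        }
        self.bound_as = None
        self.bind_log = []  # records each bind so the flow can be inspected

    def simple_bind_s(self, who=None, cred=None):
        if not who:  # zero-length user and password: anonymous bind
            self.bound_as = ""
            self.bind_log.append("anonymous")
            return
        entry = self.directory.get(who)
        if entry is None or entry["_password"] != cred:
            raise LdapError("invalidCredentials")
        self.bound_as = who
        self.bind_log.append(who)

    def search_s(self, base, scope, filterstr, attrlist=None, attrsonly=0):
        if self.bound_as is None:
            raise LdapError("operationsError: bind before searching")
        wanted = re.findall(r"\((\w+)=([^()]*)\)", filterstr)  # AND of equality terms
        hits = []
        for dn, attrs in self.directory.items():
            if dn.endswith(base) and all(v.encode() in attrs.get(a, []) for a, v in wanted):
                hits.append((dn, {a: attrs[a] for a in attrs if not a.startswith("_")}))
        return hits


if __name__ == "__main__":
    con = FakeLdapConnection()
    group = "(memberOf=cn=airflow,ou=groups,dc=example,dc=com)"
    print(ldap_login(con, "alice", "correct-horse", "dc=example,dc=com", extra_filter=group))
    print(con.bind_log)
```

Because the group clause is part of the per-login search rather than a one-time registration check, removing the user from the group makes the next login fail at the search step, which is the second problem the issue describes with the `AUTH_LDAP_USERNAME_FORMAT` workaround.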
@thesuperzapper

@TVerse I believe this was resolved by my PR #1374; a version with this PR is yet to be released.

@dpgaspar says sometime this week #1374 (comment)

@thesuperzapper

@TVerse this should be fixed in 3.2.0, please see the docs for the anonymous LDAP bind path:
https://flask-appbuilder.readthedocs.io/en/latest/security.html#authentication-ldap

@stale

stale bot commented Jun 20, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Feel free to reopen it if it's still relevant to you. Thank you

@stale stale bot added the stale label Jun 20, 2021
@stale stale bot closed this as completed Jun 29, 2021