From 18b3db336a0de5a536cd2db2b27a6f2b9e7add94 Mon Sep 17 00:00:00 2001
From: firest
Date: Thu, 3 Aug 2023 11:00:42 +0800
Subject: [PATCH] fix(ldap-authn): remove slat-related configs since they conflict with RFC 3123

---
 .../src/emqx_authn_password_hashing.erl | 3 +--
 apps/emqx_ldap/src/emqx_ldap_authn.erl | 24 +++++--------------
 2 files changed, 7 insertions(+), 20 deletions(-)

diff --git a/apps/emqx_authn/src/emqx_authn_password_hashing.erl b/apps/emqx_authn/src/emqx_authn_password_hashing.erl
index 80f6cfdcb..4954cd66e 100644
--- a/apps/emqx_authn/src/emqx_authn_password_hashing.erl
+++ b/apps/emqx_authn/src/emqx_authn_password_hashing.erl
@@ -53,8 +53,7 @@
 
 -export([
     type_ro/1,
-    type_rw/1,
-    salt_position/1
+    type_rw/1
 ]).
 
 -export([
diff --git a/apps/emqx_ldap/src/emqx_ldap_authn.erl b/apps/emqx_ldap/src/emqx_ldap_authn.erl
index 6ad441c45..fd09778a7 100644
--- a/apps/emqx_ldap/src/emqx_ldap_authn.erl
+++ b/apps/emqx_ldap/src/emqx_ldap_authn.erl
@@ -50,8 +50,6 @@ fields(ldap) ->
         {mechanism, emqx_authn_schema:mechanism(password_based)},
         {backend, emqx_authn_schema:backend(ldap)},
         {password_attribute, fun password_attribute/1},
-        {salt_attribute, fun salt_attribute/1},
-        {salt_position, fun emqx_authn_password_hashing:salt_position/1},
         {is_superuser_attribute, fun is_superuser_attribute/1},
         {query_timeout, fun query_timeout/1}
     ] ++ emqx_authn_schema:common_fields() ++ emqx_ldap:fields(config).
@@ -66,11 +64,6 @@ password_attribute(desc) -> ?DESC(?FUNCTION_NAME);
 password_attribute(default) -> <<"userPassword">>;
 password_attribute(_) -> undefined.
 
-salt_attribute(type) -> string();
-salt_attribute(desc) -> ?DESC(?FUNCTION_NAME);
-salt_attribute(default) -> <<"passwordSalt">>;
-salt_attribute(_) -> undefined.
-
 is_superuser_attribute(type) -> string();
 is_superuser_attribute(desc) -> ?DESC(?FUNCTION_NAME);
 is_superuser_attribute(default) -> <<"isSuperuser">>;
@@ -116,7 +109,6 @@ authenticate(
     #{password := Password} = Credential,
     #{
         password_attribute := PasswordAttr,
-        salt_attribute := SaltAttr,
         is_superuser_attribute := IsSuperuserAttr,
         query_timeout := Timeout,
         resource_id := ResourceId
@@ -125,7 +117,7 @@ authenticate(
     case
         emqx_resource:simple_sync_query(
             ResourceId,
-            {query, Credential, [PasswordAttr, SaltAttr, IsSuperuserAttr, ?ISENABLED_ATTR], Timeout}
+            {query, Credential, [PasswordAttr, IsSuperuserAttr, ?ISENABLED_ATTR], Timeout}
         )
     of
         {ok, []} ->
@@ -154,7 +146,7 @@ parse_config(Config) ->
                 Acc#{Key => Value}
             end,
             #{},
-            [password_attribute, salt_attribute, salt_position, is_superuser_attribute, query_timeout]
+            [password_attribute, is_superuser_attribute, query_timeout]
         ),
     {Config, State}.
 
@@ -200,6 +192,7 @@ extract_hash_algorithm(LDAPPassword, Password, OnFail, Entry, State) ->
             OnFail(LDAPPassword, Password, Entry, State)
     end.
 
+%% this password is in LDIF format which is base64 encoding
 try_decode_passowrd(LDAPPassword, Password, Entry, State) ->
     case safe_base64_decode(LDAPPassword) of
         {ok, Decode} ->
@@ -218,7 +211,7 @@ try_decode_passowrd(LDAPPassword, Password, Entry, State) ->
 
 verify_password(ssha, PasswordData, Password, Entry, State) ->
     case safe_base64_decode(PasswordData) of
-        {ok, <>} ->
+        {ok, <>} ->
             verify_password(sha, PasswordHash, Salt, suffix, Password, Entry, State);
         {ok, _} ->
             {error, invalid_ssha_password};
@@ -230,10 +223,9 @@ verify_password(
     PasswordHash,
     Password,
     Entry,
-    #{salt_attribute := Attr, salt_position := Position} = State
+    State
 ) ->
-    Salt = get_bin_value(Attr, Entry#eldap_entry.attributes, <<>>),
-    verify_password(Algorithm, PasswordHash, Salt, Position, Password, Entry, State).
+    verify_password(Algorithm, PasswordHash, <<>>, disable, Password, Entry, State).
 
 verify_password(Algorithm, PasswordHash, Salt, Position, Password, Entry, State) ->
     Result = emqx_passwd:check_pass(
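Review bot: The fold in parse_config now only copies `password_attribute`, `is_superuser_attribute` and `query_timeout` into State, so a `salt_attribute` or `salt_position` key left in an existing configuration is dropped here without notice, while the `fields(ldap)` hunk in the same file removes the two fields from the schema entirely. If the config loader rejects keys the schema no longer declares (not visible here), an operator upgrading with either key set will fail to load the authenticator rather than get the intended no-op; keeping the two fields declared but flagged deprecated for one release (hocon's `deprecated` field option, if this schema uses it) would let old configs still validate. Either way the removal deserves a changelog entry naming the two keys. parse_config starts before this hunk.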
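Review bot: The added comment `%% this password is in LDIF format which is base64 encoding` states it as a fact about every password, but the clause below only attempts `safe_base64_decode` on the value and, presumably, retries scheme detection on success; suggest `%% Some directories return userPassword base64-encoded (LDIF "::" style); decode it once and try the scheme detection again.` Since this touches the function head, the long-standing typo in the name `try_decode_passowrd` could be corrected to `try_decode_password` in the same change. The body of try_decode_passowrd continues outside the hunk.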
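Review bot: With the five-arity verify_password now always forwarding `<<>>` and `disable`, the only salted scheme still verified is `{SSHA}` in the preceding hunk, whose `{ok, <>}` pattern lost its binary segments in this rendering, so the digest/salt split cannot be checked here; for `{SSHA}` the stored value is a 20-byte SHA-1 digest followed by the salt (OpenLDAP / RFC 2307-style userPassword), which the `suffix` position on the following line matches. The commit subject cites RFC 3123, which appears to be a DNS RR specification and unrelated to userPassword storage schemes; the reference is worth correcting to RFC 2307 or the OpenLDAP scheme documentation. Because the digest and salt now come entirely from the directory value, whether `emqx_passwd:check_pass` compares digests in constant time is worth confirming, although that call is outside this hunk. verify_password/5 starts before this hunk.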
@@ -265,9 +257,5 @@ get_lower_bin_value(Key, Proplists, Default) ->
     [Value | _] = get_value(Key, Proplists, [Default]),
     to_binary(string:to_lower(Value)).
 
-get_bin_value(Key, Proplists, Default) ->
-    [Value | _] = get_value(Key, Proplists, [Default]),
-    to_binary(Value).
-
 to_binary(Value) ->
     erlang:list_to_binary(Value).