
Allow user to pass in the scope he wants returned

Open xkjyeah opened this issue 7 years ago • 2 comments

Here's a sample of the fields available:

('CN=Daniel Sim,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg',
  {'accountExpires': ['9223372036854775807'],
   'badPasswordTime': ['131408687478170480'],
   'badPwdCount': ['0'],
   'cn': ['Daniel Sim'],
   'codePage': ['0'],
   'company': ['GovTech'],
   'countryCode': ['0'],
   'dSCorePropagationData': ['20160928023533.0Z',
    '20160928020831.0Z',
    '16010101000001.0Z'],
   'department': ['DSD'],
   'displayName': ['Daniel Sim'],
   'distinguishedName': ['CN=Daniel Sim,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg'],
   'givenName': ['Daniel Sim'],
   'instanceType': ['4'],
   'lastLogoff': ['0'],
   'lastLogon': ['131408688359644108'],
   'lastLogonTimestamp': ['131408636685082554'],
   'lockoutTime': ['0'],
   'logonCount': ['0'],
   'mail': ['[email protected]'],
   'memberOf': ['CN=DanielTesting2,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg',
    'CN=DanielTesting,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg'],
   'name': ['Daniel Sim'],
   'objectCategory': ['CN=Person,CN=Schema,CN=Configuration,DC=dsd,DC=example,DC=gov,DC=sg'],
   'objectClass': ['top', 'person', 'organizationalPerson', 'user'],
   'objectGUID': ['P\xebV\xe5\xaebYB\xa5)\xf6\x93[ \x12^'],
   'objectSid': ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\x1c\xcf\x13\x90\n\xfe,\xe0\xb7y\x98\xa5\\\x04\x00\x00'],
   'physicalDeliveryOfficeName': ['X'],
   'primaryGroupID': ['513'],
   'pwdLastSet': ['131408636244939448'],
   'sAMAccountName': ['daniel_sim'],
   'sAMAccountType': ['805306368'],
   'uSNChanged': ['55404'],
   'uSNCreated': ['12915'],
   'userAccountControl': ['512'],
   'userPrincipalName': ['[email protected]'],
   'whenChanged': ['20170602075428.0Z'],
   'whenCreated': ['20160928020831.0Z']}),

If the user specifies scope=userPrincipalName,memberOf,mail, the JSON web token should also include the following fields:

{
    userPrincipalName: ['[email protected]'],
    memberOf: [
        'CN=DanielTesting2,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg',
        'CN=DanielTesting,CN=Users,DC=dsd,DC=example,DC=gov,DC=sg'
    ],
    mail: ['[email protected]']
}

This way, we can perform group checks without hitting the LDAP server.

Relevant line of code: https://github.com/lawliet89/rowdy/blob/master/src/auth/ldap.rs#L101

xkjyeah Jun 02 '17 09:06
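An added example (not rowdy's own code) of how the requested scope handling could be implemented in Rust: the comma-separated scope is parsed, only the named attributes are copied into the claim set, and names outside a server-side allowlist (the assumed EXPOSABLE constant) are rejected so that binary or internal attributes such as objectSid never end up inside a token. The sample entry and e-mail address are constructed.

```rust
use std::collections::HashMap;

/// One LDAP entry's attributes: name -> list of string values (same shape as
/// the sample entry in the issue, minus the binary objectSid/objectGUID fields).
pub type Attributes = HashMap<String, Vec<String>>;

/// Assumed server-side allowlist (not part of rowdy). Only these attributes may
/// be copied into a token; a caller cannot request objectSid, pwdLastSet, etc.
pub const EXPOSABLE: &[&str] = &["userPrincipalName", "memberOf", "mail", "displayName"];

/// Parse `scope` ("userPrincipalName,memberOf,mail") and return the attributes
/// to embed as claims plus the names that were rejected, so the caller can
/// answer with an error instead of silently dropping part of the request.
pub fn select_claims(scope: &str, attrs: &Attributes) -> (Attributes, Vec<String>) {
    let mut claims = Attributes::new();
    let mut rejected = Vec::new();
    for name in scope.split(',').map(str::trim).filter(|s| !s.is_empty()) {
        if !EXPOSABLE.iter().any(|ok| ok.eq_ignore_ascii_case(name)) {
            rejected.push(name.to_string());
            continue;
        }
        // LDAP attribute names are case-insensitive, so match them that way.
        if let Some((key, values)) = attrs.iter().find(|(k, _)| k.eq_ignore_ascii_case(name)) {
            claims.insert(key.clone(), values.clone());
        }
    }
    (claims, rejected)
}

/// Constructed sample entry mirroring the issue's fields; not a real directory.
pub fn sample_entry() -> Attributes {
    let mut e = Attributes::new();
    let dn = "CN=Users,DC=dsd,DC=example,DC=gov,DC=sg";
    e.insert("userPrincipalName".into(), vec!["daniel_sim@example.invalid".into()]);
    e.insert("mail".into(), vec!["daniel_sim@example.invalid".into()]);
    e.insert("memberOf".into(), vec![format!("CN=DanielTesting2,{dn}"), format!("CN=DanielTesting,{dn}")]);
    e.insert("objectSid".into(), vec!["<binary>".into()]);
    e.insert("pwdLastSet".into(), vec!["131408636244939448".into()]);
    e
}

fn main() {
    let (claims, rejected) = select_claims("userPrincipalName,memberOf,mail", &sample_entry());
    println!("claims: {claims:?}\nrejected: {rejected:?}");
    let (_, rejected) = select_claims("mail,objectSid", &sample_entry());
    println!("rejected on second request: {rejected:?}");
}
```

Group checks can then be done against the memberOf claim in the token, while a request for a disallowed attribute is surfaced as an error rather than leaking it.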