lib/api: Allow BindDN to exclude any username formatting (fixes #8899) (#8900)

This allows a syncthing instance to be locked to exactly 1 user without needing search capability on the LDAP instance.
2026-05-24 08:55:19 -04:00 · 2023-05-10 15:52:02 +10:00
parent e136d11dce
commit b2fb2ef276
2 changed files with 30 additions and 1 deletions
--- a/lib/api/api_auth.go
+++ b/lib/api/api_auth.go
@@ -161,7 +161,7 @@ func authLDAP(username string, password string, cfg config.LDAPConfiguration) bo

 	defer connection.Close()

-	err = connection.Bind(fmt.Sprintf(cfg.BindDN, username), password)
+	err = connection.Bind(ldapTemplateBindDN(cfg.BindDN, username), password)
 	if err != nil {
 		l.Warnln("LDAP Bind:", err)
 		return false
@@ -199,6 +199,15 @@ func authLDAP(username string, password string, cfg config.LDAPConfiguration) bo
 	return true
 }

+func ldapTemplateBindDN(bindDN string, username string) string {
+	// Check if formatting directives are included in the ldapTemplateBindDN - if so add username.
+	// (%%s is a literal %s - unlikely for LDAP, but easy to handle here).
+	if strings.Count(bindDN, "%s") != strings.Count(bindDN, "%%s") {
+		bindDN = fmt.Sprintf(bindDN, username)
+	}
+	return bindDN
+}
+
 // Convert an ISO-8859-1 encoded byte string to UTF-8. Works by the
 // principle that ISO-8859-1 bytes are equivalent to unicode code points,
 // that a rune slice is a list of code points, and that stringifying a slice