mirror of
https://github.com/project-zot/zot.git
synced 2024-12-16 21:56:37 -05:00
authN: first try local htpasswd then LDAP
We are noticing that LDAP connectivity issues and timeouts can affect authN behavior from client side (which can timeout as well). Instead, put local authN first so at least we have a reliable authN method. But, the caveat is that it is best if the local and LDAP user list doesn't overlap.
This commit is contained in:
parent
17ac1be723
commit
d64a3e33cc
1 changed files with 13 additions and 15 deletions
|
@ -142,7 +142,17 @@ func BasicAuthHandler(c *Controller) mux.MiddlewareFunc {
|
|||
username := pair[0]
|
||||
passphrase := pair[1]
|
||||
|
||||
// prefer LDAP if configured
|
||||
// first, HTTPPassword authN (which is local)
|
||||
passphraseHash, ok := credMap[username]
|
||||
if ok {
|
||||
if err := bcrypt.CompareHashAndPassword([]byte(passphraseHash), []byte(passphrase)); err == nil {
|
||||
// Process request
|
||||
next.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// next, LDAP if configured (network-based which can lose connectivity)
|
||||
if c.Config.HTTP.Auth != nil && c.Config.HTTP.Auth.LDAP != nil {
|
||||
ok, _, err := ldapClient.Authenticate(username, passphrase)
|
||||
if ok && err == nil {
|
||||
|
@ -152,20 +162,8 @@ func BasicAuthHandler(c *Controller) mux.MiddlewareFunc {
|
|||
}
|
||||
}
|
||||
|
||||
// fallback to HTTPPassword
|
||||
passphraseHash, ok := credMap[username]
|
||||
if !ok {
|
||||
authFail(w, realm, delay)
|
||||
return
|
||||
}
|
||||
|
||||
if err := bcrypt.CompareHashAndPassword([]byte(passphraseHash), []byte(passphrase)); err != nil {
|
||||
authFail(w, realm, delay)
|
||||
return
|
||||
}
|
||||
|
||||
// Process request
|
||||
next.ServeHTTP(w, r)
|
||||
authFail(w, realm, delay)
|
||||
return
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue