0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2024-12-16 21:56:37 -05:00

authN: first try local htpasswd then LDAP

We are noticing that LDAP connectivity issues and timeouts can affect
authN behavior from client side (which can timeout as well).

Instead, put local authN first so at least we have a reliable authN
method.

But, the caveat is that it is best if the local and LDAP user list
doesn't overlap.
This commit is contained in:
Ramkumar Chinchani 2020-01-15 09:37:17 -08:00
parent 17ac1be723
commit d64a3e33cc

View file

@ -142,7 +142,17 @@ func BasicAuthHandler(c *Controller) mux.MiddlewareFunc {
username := pair[0]
passphrase := pair[1]
// prefer LDAP if configured
// first, HTTPPassword authN (which is local)
passphraseHash, ok := credMap[username]
if ok {
if err := bcrypt.CompareHashAndPassword([]byte(passphraseHash), []byte(passphrase)); err == nil {
// Process request
next.ServeHTTP(w, r)
return
}
}
// next, LDAP if configured (network-based which can lose connectivity)
if c.Config.HTTP.Auth != nil && c.Config.HTTP.Auth.LDAP != nil {
ok, _, err := ldapClient.Authenticate(username, passphrase)
if ok && err == nil {
@ -152,20 +162,8 @@ func BasicAuthHandler(c *Controller) mux.MiddlewareFunc {
}
}
// fallback to HTTPPassword
passphraseHash, ok := credMap[username]
if !ok {
authFail(w, realm, delay)
return
}
if err := bcrypt.CompareHashAndPassword([]byte(passphraseHash), []byte(passphrase)); err != nil {
authFail(w, realm, delay)
return
}
// Process request
next.ServeHTTP(w, r)
})
}
}