providers/ldap: improve password totp detection (#6006)

* providers/ldap: improve password totp detection Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add flag for totp mfa support Signed-off-by: Jens Langhammer <jens@goauthentik.io> * keep support for static tokens Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix migrations Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-20 12:09:13 +02:00
parent 962cbf9f6a
commit 01311929d1
25 changed files with 272 additions and 59 deletions
--- a/authentik/providers/ldap/api.py
+++ b/authentik/providers/ldap/api.py
@ -29,6 +29,7 @@ class LDAPProviderSerializer(ProviderSerializer):
            "outpost_set",
            "search_mode",
            "bind_mode",
+            "mfa_support",
        ]
        extra_kwargs = ProviderSerializer.Meta.extra_kwargs

@ -99,6 +100,7 @@ class LDAPOutpostConfigSerializer(ModelSerializer):
            "gid_start_number",
            "search_mode",
            "bind_mode",
+            "mfa_support",
        ]


--- a/authentik/providers/ldap/migrations/0003_ldapprovider_mfa_support_and_more.py
+++ b/authentik/providers/ldap/migrations/0003_ldapprovider_mfa_support_and_more.py
@ -0,0 +1,37 @@
+# Generated by Django 4.1.7 on 2023-06-19 17:30
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_providers_ldap", "0002_ldapprovider_bind_mode"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="ldapprovider",
+            name="mfa_support",
+            field=models.BooleanField(
+                default=True,
+                help_text="When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon.",
+                verbose_name="MFA Support",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="ldapprovider",
+            name="gid_start_number",
+            field=models.IntegerField(
+                default=4000,
+                help_text="The start for gidNumbers, this number is added to a number generated from the group.pk to make sure that the numbers aren't too low for POSIX groups. Default is 4000 to ensure that we don't collide with local groups or users primary groups gidNumber",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="ldapprovider",
+            name="uid_start_number",
+            field=models.IntegerField(
+                default=2000,
+                help_text="The start for uidNumbers, this number is added to the user.pk to make sure that the numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't collide with local users uidNumber",
+            ),
+        ),
+    ]
--- a/authentik/providers/ldap/models.py
+++ b/authentik/providers/ldap/models.py
@ -50,7 +50,7 @@ class LDAPProvider(OutpostModel, BackchannelProvider):
    uid_start_number = models.IntegerField(
        default=2000,
        help_text=_(
-            "The start for uidNumbers, this number is added to the user.Pk to make sure that the "
+            "The start for uidNumbers, this number is added to the user.pk to make sure that the "
            "numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't "
            "collide with local users uidNumber"
        ),
@ -60,7 +60,7 @@ class LDAPProvider(OutpostModel, BackchannelProvider):
        default=4000,
        help_text=_(
            "The start for gidNumbers, this number is added to a number generated from the "
-            "group.Pk to make sure that the numbers aren't too low for POSIX groups. Default "
+            "group.pk to make sure that the numbers aren't too low for POSIX groups. Default "
            "is 4000 to ensure that we don't collide with local groups or users "
            "primary groups gidNumber"
        ),
@ -69,6 +69,17 @@ class LDAPProvider(OutpostModel, BackchannelProvider):
    bind_mode = models.TextField(default=APIAccessMode.DIRECT, choices=APIAccessMode.choices)
    search_mode = models.TextField(default=APIAccessMode.DIRECT, choices=APIAccessMode.choices)

+    mfa_support = models.BooleanField(
+        default=True,
+        verbose_name="MFA Support",
+        help_text=_(
+            "When enabled, code-based multi-factor authentication can be used by appending a "
+            "semicolon and the TOTP code to the password. This should only be enabled if all "
+            "users that will bind to this provider have a TOTP device configured, as otherwise "
+            "a password may incorrectly be rejected if it contains a semicolon."
+        ),
+    )
+
    @property
    def launch_url(self) -> Optional[str]:
        """LDAP never has a launch URL"""