allow-anon-bind.patch

commit b6d8e26e92b78b58a3dd22fae7b74be27ef2e37a
Author: John Thiltges <jthiltges2@unl.edu>
Date:   Thu Feb 21 16:21:37 2019 -0600

    Remove the checks requiring a bind_dn
    
    The code assumes an Active Directory server. For a non-AD server such as OpenLDAP, it works fine with an anonymous bind.

diff --git a/pkgs/duoauthproxy/duoauthproxy/lib/util.py b/pkgs/duoauthproxy/duoauthproxy/lib/util.py
index a19ad54..c9165cb 100644
--- a/pkgs/duoauthproxy/duoauthproxy/lib/util.py
+++ b/pkgs/duoauthproxy/duoauthproxy/lib/util.py
@@ -344,16 +344,13 @@ def parse_ad_client(config):
         'auth_type', ldap.client.AD_AUTH_TYPES,
         ldap.client.AD_AUTH_TYPE_NTLM_V2, str.lower)
 
-    # service_account_username, service_account_password are optional
-    # for auth_type = AD_AUTH_TYPE_SSPI; mandatory otherwise
-    is_sspi = (auth_type == ldap.client.AD_AUTH_TYPE_SSPI)
     service_account_username = config.get_str(
         'service_account_username',
-        '' if is_sspi else None)
+        '')
     service_account_password = config.get_protected_str(
         'service_account_password_protected',
         'service_account_password',
-        '' if is_sspi else None)
+        '')
 
     timeout = config.get_int('timeout', 10)
     search_dn = config.get_str('search_dn')
@@ -380,11 +377,6 @@ def parse_ad_client(config):
     else:
         ldap_filter = None
 
-    # A blank bind_dn will be rejected with auth-type plain in validation
-    # otherwise we supply a default
-    if not bind_dn:
-        bind_dn = '<ROOT>'
-
     warning_message = warn_insecure_settings(auth_type, transport_type)
     if warning_message:
         log.msg(warning_message)
diff --git a/pkgs/duoauthproxy/duoauthproxy/lib/validation/config/check/ad_client.py b/pkgs/duoauthproxy/duoauthproxy/lib/validation/config/check/ad_client.py
index 772e0cb..b85b57c 100644
--- a/pkgs/duoauthproxy/duoauthproxy/lib/validation/config/check/ad_client.py
+++ b/pkgs/duoauthproxy/duoauthproxy/lib/validation/config/check/ad_client.py
@@ -54,7 +54,7 @@ def check_required_keys(config, toolbox):
     # the value. Validation will happen in check_config_values and we don't
     # want duplicate errors if the auth_type config is invalid.
     auth_type = config.get('auth_type') or ldap.client.AD_AUTH_TYPE_NTLM_V2
-    if auth_type.lower() != ldap.client.AD_AUTH_TYPE_SSPI:
+    if auth_type.lower() not in (ldap.client.AD_AUTH_TYPE_SSPI, ldap.client.AD_AUTH_TYPE_PLAIN):
         if not toolbox.test_config_has_key(config, 'service_account_username'):
             problems.append(MissingKey(key='service_account_username'))
 
@@ -183,9 +183,6 @@ def check_valid_bind_dn_for_auth_type(config, toolbox):
                                     ldap.client.AD_AUTH_TYPES,
                                     ldap.client.AD_AUTH_TYPE_NTLM_V2)
         has_bind_dn = toolbox.test_config_has_value(config, 'bind_dn')
-        if auth_type == ldap.client.AD_AUTH_TYPE_PLAIN and not has_bind_dn:
-            problems.append(UnmetDependency(message='bind_dn is required for '
-                                                    'auth_type %s' % auth_type))
     except ConfigError:
         problems.append(SkippedTest(
             test=check_valid_bind_dn_for_auth_type.__name__, key='auth_type'))