handle ldap usernames that don't include domain name
@@ -26,6 +26,7 @@ var ldaps *ldap.Conn
|
||||
var CertLoaded bool
|
||||
var LdapEnabled bool
|
||||
var LdapBaseDn string
|
||||
var DefaultDomainSuffix string
|
||||
|
||||
func GetFilePath(path string) string {
|
||||
// Check for empty filename
|
||||
@@ -48,6 +49,30 @@ func GetFilePath(path string) string {
|
||||
return path
|
||||
}
|
||||
|
||||
// DomainSuffixFromNamingContext will convert DC=example,DC=com to example.com
|
||||
func DomainSuffixFromNamingContext(input string) string {
|
||||
tokens := strings.Split(input, ",")
|
||||
var args []string
|
||||
for _, token := range tokens {
|
||||
parts := strings.Split(token, "=")
|
||||
if len(parts) == 2 && parts[0] == "DC" {
|
||||
args = append(args, parts[1])
|
||||
}
|
||||
}
|
||||
return strings.Join(args, ".")
|
||||
}
|
||||
|
||||
func CheckUsername(username string) string {
|
||||
if strings.ContainsAny(username, "/@") {
|
||||
// Username contains forward slash or at symbol
|
||||
return username
|
||||
}
|
||||
|
||||
// Append suffix to the username
|
||||
log.Printf("CheckUsername appending default domain suffix '%s'\n", DefaultDomainSuffix)
|
||||
return username + "@" + DefaultDomainSuffix
|
||||
}
|
||||
|
||||
func loadLdapCert() {
|
||||
var err error
|
||||
// Get a copy of the system defined CA's
|
||||
@@ -130,12 +155,15 @@ func LdapSetup() bool {
|
||||
|
||||
LdapEnabled = true
|
||||
|
||||
LookupNamingContext()
|
||||
namingContext := LookupNamingContext()
|
||||
if namingContext != "" {
|
||||
DefaultDomainSuffix = DomainSuffixFromNamingContext(namingContext)
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
func LookupNamingContext() {
|
||||
func LookupNamingContext() string {
|
||||
// Retrieve the defaultNamingContext
|
||||
searchRequest := ldap.NewSearchRequest(
|
||||
"",
|
||||
@@ -148,25 +176,27 @@ func LookupNamingContext() {
|
||||
searchResult, err := ldaps.Search(searchRequest)
|
||||
if err != nil {
|
||||
log.Printf("LookupNamingContext unable to perform unauthenticated search : '%s'\n", err)
|
||||
return
|
||||
return ""
|
||||
}
|
||||
|
||||
if len(searchResult.Entries) != 1 {
|
||||
log.Printf("LookupNamingContext unable to retrieve defaultNamingContext\n")
|
||||
return
|
||||
return ""
|
||||
}
|
||||
|
||||
defaultNamingContext := searchResult.Entries[0].GetAttributeValue("defaultNamingContext")
|
||||
if defaultNamingContext == "" {
|
||||
log.Printf("LookupNamingContext defaultNamingContext attribute not found\n")
|
||||
return
|
||||
return ""
|
||||
}
|
||||
|
||||
log.Printf("Default Naming Context: '%s'\n", defaultNamingContext)
|
||||
return defaultNamingContext
|
||||
}
|
||||
|
||||
func VerifyLdapCreds(username string, password string) bool {
|
||||
var err error
|
||||
username = CheckUsername(username)
|
||||
|
||||
// try an authenticated bind to AD to verify credentials
|
||||
log.Printf("Attempting LDAP bind with user '%s' and password length '%d'\n", username, len(password))
|
||||
|
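Review bot: CheckUsername in the second hunk appends "@" unconditionally, so when LookupNamingContext fails and LdapSetup leaves DefaultDomainSuffix empty, every bare username is rewritten to `user@` before it reaches the bind; add `if DefaultDomainSuffix == "" { return username }` ahead of the log line so the original name is bound instead. The pass-through test `strings.ContainsAny(username, "/@")` also misses the down-level `DOMAIN\user` form, which would be turned into `DOMAIN\user@example.com`; `strings.ContainsAny(username, "/@\\")` covers it. A suffix derived from defaultNamingContext is only a default — directories can register UPN suffixes that differ from the DNS name of the naming context, so a comment such as `// Falls back to the forest DNS name; alternative UPN suffixes must be supplied by the caller` would save the next reader a debugging session. VerifyLdapCreds continues past the end of the last hunk, so the bind itself is not visible here.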