@@ -4,10 +4,12 @@ import (
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"encoding/pem"
|
||||
"errors"
|
||||
"fmt"
|
||||
"log"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"github.com/go-ldap/ldap"
|
||||
@@ -22,9 +24,12 @@ type LdapConfig struct {
|
||||
}
|
||||
|
||||
var systemCA *x509.CertPool
|
||||
var ldaps *ldap.Conn
|
||||
|
||||
// var ldaps *ldap.Conn
|
||||
var LdapServer string
|
||||
var CertLoaded bool
|
||||
var LdapEnabled bool
|
||||
var LdapInsecure bool = false
|
||||
var LdapBaseDn string
|
||||
var DefaultDomainSuffix string
|
||||
|
||||
@@ -118,8 +123,8 @@ func LdapSetup() bool {
|
||||
// Load LDAP certificate if necessary
|
||||
loadLdapCert()
|
||||
|
||||
ldapServer := os.Getenv("LDAP_BIND_ADDRESS")
|
||||
if ldapServer == "" {
|
||||
LdapServer = os.Getenv("LDAP_BIND_ADDRESS")
|
||||
if LdapServer == "" {
|
||||
log.Printf("VerifyLdapCreds no LDAP bind address supplied\n")
|
||||
return false
|
||||
} else {
|
||||
@@ -132,6 +137,14 @@ func LdapSetup() bool {
|
||||
return false
|
||||
}
|
||||
|
||||
insecure := os.Getenv("LDAP_INSECURE_VALIDATION")
|
||||
if insecure != "" {
|
||||
LdapInsecure, err = strconv.ParseBool(insecure)
|
||||
if err != nil {
|
||||
log.Printf("LdapSetup could not convert environment variable LDAP_INSECURE_VALIDATION with value of '%s'\n", insecure)
|
||||
}
|
||||
}
|
||||
|
||||
// Set up TLS to use our custom certificate authority passed in cli argument
|
||||
tlsConfig := &tls.Config{
|
||||
RootCAs: systemCA,
|
||||
@@ -139,31 +152,49 @@ func LdapSetup() bool {
|
||||
}
|
||||
|
||||
// Add port if not specified in .env file
|
||||
if !(strings.HasSuffix(ldapServer, ":636")) {
|
||||
ldapServer = fmt.Sprintf("%s:636", ldapServer)
|
||||
log.Printf("VerifyLdapCreds updated ldapServer string '%s'\n", ldapServer)
|
||||
if !(strings.HasSuffix(LdapServer, ":636")) {
|
||||
LdapServer = fmt.Sprintf("%s:636", LdapServer)
|
||||
log.Printf("VerifyLdapCreds updated ldapServer string '%s'\n", LdapServer)
|
||||
}
|
||||
|
||||
// try connecting to AD via TLS and our custom certificate authority
|
||||
ldaps, err = ldap.DialTLS("tcp", ldapServer, tlsConfig)
|
||||
ldaps, err := ldap.DialTLS("tcp", LdapServer, tlsConfig)
|
||||
if err != nil {
|
||||
log.Printf("VerifyLdapCreds error connecting to LDAP bind address '%s' : '%s'\n", ldapServer, err)
|
||||
log.Printf("VerifyLdapCreds error connecting to LDAP bind address '%s' : '%s'\n", LdapServer, err)
|
||||
return false
|
||||
}
|
||||
|
||||
//defer ldaps.Close()
|
||||
|
||||
LdapEnabled = true
|
||||
|
||||
namingContext := LookupNamingContext()
|
||||
namingContext := LookupNamingContext(ldaps)
|
||||
if namingContext != "" {
|
||||
DefaultDomainSuffix = DomainSuffixFromNamingContext(namingContext)
|
||||
}
|
||||
|
||||
ldaps.Close()
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
func LookupNamingContext() string {
|
||||
// LdapConnect sets up the connection to LDAP to be used by other functions
|
||||
func ldapConnect() *ldap.Conn {
|
||||
|
||||
// Set up TLS to use our custom certificate authority passed in cli argument
|
||||
tlsConfig := &tls.Config{
|
||||
RootCAs: systemCA,
|
||||
InsecureSkipVerify: LdapInsecure,
|
||||
}
|
||||
|
||||
ldaps, err := ldap.DialTLS("tcp", LdapServer, tlsConfig)
|
||||
if err != nil {
|
||||
log.Printf("VerifyLdapCreds error connecting to LDAP bind address '%s' : '%s'\n", LdapServer, err)
|
||||
return nil
|
||||
}
|
||||
|
||||
return ldaps
|
||||
}
|
||||
|
||||
func LookupNamingContext(ldaps *ldap.Conn) string {
|
||||
// Retrieve the defaultNamingContext
|
||||
searchRequest := ldap.NewSearchRequest(
|
||||
"",
|
||||
@@ -194,10 +225,47 @@ func LookupNamingContext() string {
|
||||
return defaultNamingContext
|
||||
}
|
||||
|
||||
func GetLdapGroupMembership(username string, password string) ([]string, error) {
|
||||
var err error
|
||||
username = CheckUsername(username)
|
||||
|
||||
ldaps := ldapConnect()
|
||||
defer ldaps.Close()
|
||||
|
||||
// try an authenticated bind to AD to verify credentials
|
||||
log.Printf("Attempting LDAP bind with user '%s' and password length '%d'\n", username, len(password))
|
||||
err = ldaps.Bind(username, password)
|
||||
if err != nil {
|
||||
if ldapErr, ok := err.(*ldap.Error); ok && ldapErr.ResultCode == ldap.LDAPResultInvalidCredentials {
|
||||
errString := "invalid user credentials"
|
||||
log.Print(errString)
|
||||
return nil, errors.New(errString)
|
||||
} else {
|
||||
errString := fmt.Sprintf("VerifyLdapCreds error binding to LDAP with supplied credentials : '%s'\n", err)
|
||||
log.Print(errString)
|
||||
return nil, errors.New(errString)
|
||||
}
|
||||
} else {
|
||||
log.Printf("VerifyLdapCreds successfully bound to LDAP\n")
|
||||
}
|
||||
|
||||
groups, err := GetGroupsOfUser(username, LdapBaseDn, ldaps)
|
||||
if err != nil {
|
||||
errString := fmt.Sprintf("VerifyLdapCreds group search error : '%s'\n", err)
|
||||
log.Print(errString)
|
||||
return nil, errors.New(errString)
|
||||
}
|
||||
|
||||
return groups, nil
|
||||
}
|
||||
|
||||
// Deprecated
|
||||
func VerifyLdapCreds(username string, password string) bool {
|
||||
var err error
|
||||
username = CheckUsername(username)
|
||||
|
||||
ldaps := ldapConnect()
|
||||
|
||||
// try an authenticated bind to AD to verify credentials
|
||||
log.Printf("Attempting LDAP bind with user '%s' and password length '%d'\n", username, len(password))
|
||||
err = ldaps.Bind(username, password)
|
||||
|
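Review bot: `ldapConnect()` returns nil when `ldap.DialTLS` fails, but `GetLdapGroupMembership` immediately runs `defer ldaps.Close()` and `ldaps.Bind(...)` on the result, so a connection failure becomes a nil-pointer panic in the request path instead of a returned error; `VerifyLdapCreds` makes the same unchecked call and, in the part of its body visible here, never closes the connection it opens (its body continues past the end of the hunk). A guard right after the call keeps the failure as an error: `if ldaps == nil { return nil, errors.New("ldap connection unavailable") }` (with `return false` in `VerifyLdapCreds`). Two smaller points in the same hunk: the doc comment on the helper reads `// LdapConnect sets up the connection ...` while the function is named `ldapConnect`, and its log line still carries the `VerifyLdapCreds` prefix, which will mislead once the helper is reached from the group-membership path. Since `InsecureSkipVerify` is now driven by `LDAP_INSECURE_VALIDATION`, a log line at setup when `LdapInsecure` is true would make a disabled certificate check visible in the service logs rather than silent.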