Nathan Coad
@@ -353,9 +353,8 @@ settings:
|
||||
auth_mode: required
|
||||
ldap_bind_address: ldaps://ad01.example.com:636
|
||||
ldap_base_dn: DC=example,DC=com
|
||||
# Optional performance scopes; default to ldap_base_dn when omitted.
|
||||
# Optional user lookup scope; defaults to ldap_base_dn when omitted.
|
||||
ldap_user_base_dn: OU=Users,DC=example,DC=com
|
||||
ldap_group_base_dn: OU=Groups,DC=example,DC=com
|
||||
auth_group_role_mappings:
|
||||
"CN=vctp-viewers,OU=Groups,DC=example,DC=com": viewer
|
||||
"CN=vctp-admins,OU=Groups,DC=example,DC=com": admin
|
||||
@@ -513,9 +512,8 @@ Authentication:
|
||||
- A user must belong to at least one mapped group to receive any role and log in.
|
||||
- `settings.ldap_groups` empty/omitted means no allowlist filter, but mapped-role requirement still applies.
|
||||
- `settings.ldap_bind_address`: LDAP/LDAPS URL used for authentication.
|
||||
- `settings.ldap_base_dn`: LDAP base DN for user/group lookups.
|
||||
- `settings.ldap_base_dn`: LDAP base DN fallback used for user lookup when `settings.ldap_user_base_dn` is not set.
|
||||
- `settings.ldap_user_base_dn`: optional user lookup base DN; defaults to `settings.ldap_base_dn`.
|
||||
- `settings.ldap_group_base_dn`: optional group lookup base DN; defaults to `settings.ldap_base_dn`.
|
||||
- `settings.ldap_trust_cert_file`: optional CA cert file for LDAP TLS.
|
||||
- `settings.ldap_disable_validation`: disables LDAP TLS cert validation.
|
||||
- `settings.ldap_insecure`: insecure LDAP TLS mode.
|
||||
|
||||
@@ -26,7 +26,6 @@ type LDAPConfig struct {
|
||||
BindAddress string
|
||||
BaseDN string
|
||||
UserBaseDN string
|
||||
GroupBaseDN string
|
||||
TrustCertFile string
|
||||
DisableValidation bool
|
||||
Insecure bool
|
||||
@@ -48,7 +47,6 @@ type LDAPAuthenticator struct {
|
||||
bindAddress string
|
||||
baseDN string
|
||||
userBaseDN string
|
||||
groupBaseDN string
|
||||
trustCertFile string
|
||||
disableValidation bool
|
||||
insecure bool
|
||||
@@ -59,7 +57,6 @@ func NewLDAPAuthenticator(cfg LDAPConfig) (*LDAPAuthenticator, error) {
|
||||
bindAddress := strings.TrimSpace(cfg.BindAddress)
|
||||
baseDN := strings.TrimSpace(cfg.BaseDN)
|
||||
userBaseDN := strings.TrimSpace(cfg.UserBaseDN)
|
||||
groupBaseDN := strings.TrimSpace(cfg.GroupBaseDN)
|
||||
trustCertFile := strings.TrimSpace(cfg.TrustCertFile)
|
||||
|
||||
if bindAddress == "" {
|
||||
@@ -71,9 +68,6 @@ func NewLDAPAuthenticator(cfg LDAPConfig) (*LDAPAuthenticator, error) {
|
||||
if userBaseDN == "" {
|
||||
userBaseDN = baseDN
|
||||
}
|
||||
if groupBaseDN == "" {
|
||||
groupBaseDN = baseDN
|
||||
}
|
||||
if _, err := url.ParseRequestURI(bindAddress); err != nil {
|
||||
return nil, fmt.Errorf("%w: bind address must be a valid URL: %v", ErrInvalidLDAPConfig, err)
|
||||
}
|
||||
@@ -87,7 +81,6 @@ func NewLDAPAuthenticator(cfg LDAPConfig) (*LDAPAuthenticator, error) {
|
||||
bindAddress: bindAddress,
|
||||
baseDN: baseDN,
|
||||
userBaseDN: userBaseDN,
|
||||
groupBaseDN: groupBaseDN,
|
||||
trustCertFile: trustCertFile,
|
||||
disableValidation: cfg.DisableValidation,
|
||||
insecure: cfg.Insecure,
|
||||
@@ -135,7 +128,6 @@ func (a *LDAPAuthenticator) AuthenticateAndFetchGroups(ctx context.Context, user
|
||||
}
|
||||
identity.Diagnostics = append(identity.Diagnostics,
|
||||
"user_lookup_base_dn="+a.userBaseDN,
|
||||
"group_lookup_base_dn="+a.groupBaseDN,
|
||||
)
|
||||
if whoami, err := conn.WhoAmI(nil); err != nil {
|
||||
identity.Diagnostics = append(identity.Diagnostics, fmt.Sprintf("whoami_failed:%v", err))
|
||||
|
||||
@@ -80,7 +80,6 @@ type SettingsYML struct {
|
||||
LDAPBindAddress string `yaml:"ldap_bind_address"`
|
||||
LDAPBaseDN string `yaml:"ldap_base_dn"`
|
||||
LDAPUserBaseDN string `yaml:"ldap_user_base_dn"`
|
||||
LDAPGroupBaseDN string `yaml:"ldap_group_base_dn"`
|
||||
LDAPTrustCertFile string `yaml:"ldap_trust_cert_file"`
|
||||
LDAPDisableValidation bool `yaml:"ldap_disable_validation"`
|
||||
LDAPInsecure bool `yaml:"ldap_insecure"`
|
||||
@@ -287,7 +286,6 @@ func applyDefaultsAndValidateSettings(cfg *SettingsYML) error {
|
||||
s.LDAPBindAddress = strings.TrimSpace(s.LDAPBindAddress)
|
||||
s.LDAPBaseDN = strings.TrimSpace(s.LDAPBaseDN)
|
||||
s.LDAPUserBaseDN = strings.TrimSpace(s.LDAPUserBaseDN)
|
||||
s.LDAPGroupBaseDN = strings.TrimSpace(s.LDAPGroupBaseDN)
|
||||
s.LDAPTrustCertFile = strings.TrimSpace(s.LDAPTrustCertFile)
|
||||
s.LDAPGroups = compactTrimmedStrings(s.LDAPGroups)
|
||||
|
||||
@@ -347,9 +345,6 @@ func applyDefaultsAndValidateSettings(cfg *SettingsYML) error {
|
||||
if s.LDAPUserBaseDN == "" {
|
||||
s.LDAPUserBaseDN = s.LDAPBaseDN
|
||||
}
|
||||
if s.LDAPGroupBaseDN == "" {
|
||||
s.LDAPGroupBaseDN = s.LDAPBaseDN
|
||||
}
|
||||
if len(s.AuthGroupRoleMappings) == 0 {
|
||||
return errors.New("settings.auth_group_role_mappings must define at least one mapping when settings.auth_enabled=true")
|
||||
}
|
||||
|
||||
@@ -196,9 +196,6 @@ func TestReadYMLSettingsAcceptsValidAuthConfigAndNormalizesMappings(t *testing.T
|
||||
if got.LDAPUserBaseDN != "dc=example,dc=com" {
|
||||
t.Fatalf("expected default ldap_user_base_dn to fall back to ldap_base_dn, got %q", got.LDAPUserBaseDN)
|
||||
}
|
||||
if got.LDAPGroupBaseDN != "dc=example,dc=com" {
|
||||
t.Fatalf("expected default ldap_group_base_dn to fall back to ldap_base_dn, got %q", got.LDAPGroupBaseDN)
|
||||
}
|
||||
if got.AuthGroupRoleMappings["cn=vctp-admins,ou=groups,dc=example,dc=com"] != authRoleAdmin {
|
||||
t.Fatalf("expected admin mapping to normalize role to %q, got %#v", authRoleAdmin, got.AuthGroupRoleMappings)
|
||||
}
|
||||
|
||||
@@ -86,7 +86,6 @@ func (h *Handler) AuthLogin(w http.ResponseWriter, r *http.Request) {
|
||||
"ldap_bind_address", cfg.LDAPBindAddress,
|
||||
"ldap_base_dn", cfg.LDAPBaseDN,
|
||||
"ldap_user_base_dn", cfg.LDAPUserBaseDN,
|
||||
"ldap_group_base_dn", cfg.LDAPGroupBaseDN,
|
||||
"ldap_group_requirements", limitStrings(cfg.LDAPGroups, maxDebugLogListItems),
|
||||
"auth_group_role_mapping_keys", limitStrings(sortedStringMapKeys(cfg.AuthGroupRoleMappings), maxDebugLogListItems),
|
||||
"ldap_insecure", cfg.LDAPInsecure,
|
||||
@@ -98,7 +97,6 @@ func (h *Handler) AuthLogin(w http.ResponseWriter, r *http.Request) {
|
||||
BindAddress: cfg.LDAPBindAddress,
|
||||
BaseDN: cfg.LDAPBaseDN,
|
||||
UserBaseDN: cfg.LDAPUserBaseDN,
|
||||
GroupBaseDN: cfg.LDAPGroupBaseDN,
|
||||
TrustCertFile: cfg.LDAPTrustCertFile,
|
||||
DisableValidation: cfg.LDAPDisableValidation,
|
||||
Insecure: cfg.LDAPInsecure,
|
||||
|
||||
Reference in New Issue
Block a user