nathan/vctp2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

improve ldap
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Nathan Coad
2026-04-21 14:40:10 +10:00
parent 4fca10795e
commit 35840697fa
5 changed files with 2 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/auth/ldap.go
-8
View File
@@ -26,7 +26,6 @@ type LDAPConfig struct {
BindAddress string
BaseDN string
UserBaseDN string
GroupBaseDN string
TrustCertFile string
DisableValidation bool
Insecure bool
@@ -48,7 +47,6 @@ type LDAPAuthenticator struct {
bindAddress string
baseDN string
userBaseDN string
groupBaseDN string
trustCertFile string
disableValidation bool
insecure bool
@@ -59,7 +57,6 @@ func NewLDAPAuthenticator(cfg LDAPConfig) (*LDAPAuthenticator, error) {
bindAddress := strings.TrimSpace(cfg.BindAddress)
baseDN := strings.TrimSpace(cfg.BaseDN)
userBaseDN := strings.TrimSpace(cfg.UserBaseDN)
groupBaseDN := strings.TrimSpace(cfg.GroupBaseDN)
trustCertFile := strings.TrimSpace(cfg.TrustCertFile)
if bindAddress == "" {
@@ -71,9 +68,6 @@ func NewLDAPAuthenticator(cfg LDAPConfig) (*LDAPAuthenticator, error) {
if userBaseDN == "" {
userBaseDN = baseDN
}
if groupBaseDN == "" {
groupBaseDN = baseDN
}
if _, err := url.ParseRequestURI(bindAddress); err != nil {
return nil, fmt.Errorf("%w: bind address must be a valid URL: %v", ErrInvalidLDAPConfig, err)
}
@@ -87,7 +81,6 @@ func NewLDAPAuthenticator(cfg LDAPConfig) (*LDAPAuthenticator, error) {
bindAddress: bindAddress,
baseDN: baseDN,
userBaseDN: userBaseDN,
groupBaseDN: groupBaseDN,
trustCertFile: trustCertFile,
disableValidation: cfg.DisableValidation,
insecure: cfg.Insecure,
@@ -135,7 +128,6 @@ func (a *LDAPAuthenticator) AuthenticateAndFetchGroups(ctx context.Context, user
}
identity.Diagnostics = append(identity.Diagnostics,
"user_lookup_base_dn="+a.userBaseDN,
"group_lookup_base_dn="+a.groupBaseDN,
)
if whoami, err := conn.WhoAmI(nil); err != nil {
identity.Diagnostics = append(identity.Diagnostics, fmt.Sprintf("whoami_failed:%v", err))
internal/settings/settings.go
-5
View File
@@ -80,7 +80,6 @@ type SettingsYML struct {
LDAPBindAddress string `yaml:"ldap_bind_address"`
LDAPBaseDN string `yaml:"ldap_base_dn"`
LDAPUserBaseDN string `yaml:"ldap_user_base_dn"`
LDAPGroupBaseDN string `yaml:"ldap_group_base_dn"`
LDAPTrustCertFile string `yaml:"ldap_trust_cert_file"`
LDAPDisableValidation bool `yaml:"ldap_disable_validation"`
LDAPInsecure bool `yaml:"ldap_insecure"`
@@ -287,7 +286,6 @@ func applyDefaultsAndValidateSettings(cfg *SettingsYML) error {
s.LDAPBindAddress = strings.TrimSpace(s.LDAPBindAddress)
s.LDAPBaseDN = strings.TrimSpace(s.LDAPBaseDN)
s.LDAPUserBaseDN = strings.TrimSpace(s.LDAPUserBaseDN)
s.LDAPGroupBaseDN = strings.TrimSpace(s.LDAPGroupBaseDN)
s.LDAPTrustCertFile = strings.TrimSpace(s.LDAPTrustCertFile)
s.LDAPGroups = compactTrimmedStrings(s.LDAPGroups)
@@ -347,9 +345,6 @@ func applyDefaultsAndValidateSettings(cfg *SettingsYML) error {
if s.LDAPUserBaseDN == "" {
s.LDAPUserBaseDN = s.LDAPBaseDN
}
if s.LDAPGroupBaseDN == "" {
s.LDAPGroupBaseDN = s.LDAPBaseDN
}
if len(s.AuthGroupRoleMappings) == 0 {
return errors.New("settings.auth_group_role_mappings must define at least one mapping when settings.auth_enabled=true")
}
internal/settings/settings_strict_test.go
-3
View File
@@ -196,9 +196,6 @@ func TestReadYMLSettingsAcceptsValidAuthConfigAndNormalizesMappings(t *testing.T
if got.LDAPUserBaseDN != "dc=example,dc=com" {
t.Fatalf("expected default ldap_user_base_dn to fall back to ldap_base_dn, got %q", got.LDAPUserBaseDN)
}
if got.LDAPGroupBaseDN != "dc=example,dc=com" {
t.Fatalf("expected default ldap_group_base_dn to fall back to ldap_base_dn, got %q", got.LDAPGroupBaseDN)
}
if got.AuthGroupRoleMappings["cn=vctp-admins,ou=groups,dc=example,dc=com"] != authRoleAdmin {
t.Fatalf("expected admin mapping to normalize role to %q, got %#v", authRoleAdmin, got.AuthGroupRoleMappings)
}