123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267 |
- // Copyright 2014-2018 Grafana Labs
- // Released under the Apache 2.0 license
-
- // Modification notice:
- // 1. `serverConn` was substituted for `Server` as the type of the server object
- // 2. Debug loglines were altered to work with Oragono's logging system
-
- package ldap
-
- import (
- "crypto/tls"
- "crypto/x509"
- "errors"
- "fmt"
- "io/ioutil"
- "strings"
-
- ldap "github.com/go-ldap/ldap/v3"
- )
-
- var (
- // ErrInvalidCredentials is returned if username and password do not match
- ErrInvalidCredentials = errors.New("Invalid Username or Password")
-
- // ErrCouldNotFindUser is returned when username hasn't been found (not username+password)
- ErrCouldNotFindUser = errors.New("Can't find user in LDAP")
- )
-
- // shouldAdminBind checks if we should use
- // admin username & password for LDAP bind
- func (server *serverConn) shouldAdminBind() bool {
- return server.Config.BindPassword != ""
- }
-
- // singleBindDN combines the bind with the username
- // in order to get the proper path
- func (server *serverConn) singleBindDN(username string) string {
- return fmt.Sprintf(server.Config.BindDN, username)
- }
-
- // shouldSingleBind checks if we can use "single bind" approach
- func (server *serverConn) shouldSingleBind() bool {
- return strings.Contains(server.Config.BindDN, "%s")
- }
-
- // Dial dials in the LDAP
- // TODO: decrease cyclomatic complexity
- func (server *serverConn) Dial() error {
- var err error
- var certPool *x509.CertPool
- if server.Config.RootCACert != "" {
- certPool = x509.NewCertPool()
- for _, caCertFile := range strings.Split(server.Config.RootCACert, " ") {
- pem, err := ioutil.ReadFile(caCertFile)
- if err != nil {
- return err
- }
- if !certPool.AppendCertsFromPEM(pem) {
- return errors.New("Failed to append CA certificate " + caCertFile)
- }
- }
- }
- var clientCert tls.Certificate
- if server.Config.ClientCert != "" && server.Config.ClientKey != "" {
- clientCert, err = tls.LoadX509KeyPair(server.Config.ClientCert, server.Config.ClientKey)
- if err != nil {
- return err
- }
- }
- for _, host := range strings.Split(server.Config.Host, " ") {
- address := fmt.Sprintf("%s:%d", host, server.Config.Port)
- if server.Config.UseSSL {
- tlsCfg := &tls.Config{
- InsecureSkipVerify: server.Config.SkipVerifySSL,
- ServerName: host,
- RootCAs: certPool,
- }
- if len(clientCert.Certificate) > 0 {
- tlsCfg.Certificates = append(tlsCfg.Certificates, clientCert)
- }
- if server.Config.StartTLS {
- server.Connection, err = ldap.Dial("tcp", address)
- if err == nil {
- if err = server.Connection.StartTLS(tlsCfg); err == nil {
- return nil
- }
- }
- } else {
- server.Connection, err = ldap.DialTLS("tcp", address, tlsCfg)
- }
- } else {
- server.Connection, err = ldap.Dial("tcp", address)
- }
-
- if err == nil {
- return nil
- }
- }
- return err
- }
-
- // Close closes the LDAP connection
- // Dial() sets the connection with the server for this Struct. Therefore, we require a
- // call to Dial() before being able to execute this function.
- func (server *serverConn) Close() {
- server.Connection.Close()
- }
-
- // userBind binds the user with the LDAP server
- func (server *serverConn) userBind(path, password string) error {
- err := server.Connection.Bind(path, password)
- if err != nil {
- if ldapErr, ok := err.(*ldap.Error); ok {
- if ldapErr.ResultCode == 49 {
- return ErrInvalidCredentials
- }
- }
- return err
- }
-
- return nil
- }
-
- // users is helper method for the Users()
- func (server *serverConn) users(logins []string) (
- []*ldap.Entry,
- error,
- ) {
- var result *ldap.SearchResult
- var Config = server.Config
- var err error
-
- for _, base := range Config.SearchBaseDNs {
- result, err = server.Connection.Search(
- server.getSearchRequest(base, logins),
- )
- if err != nil {
- return nil, err
- }
-
- if len(result.Entries) > 0 {
- break
- }
- }
-
- return result.Entries, nil
- }
-
- // getSearchRequest returns LDAP search request for users
- func (server *serverConn) getSearchRequest(
- base string,
- logins []string,
- ) *ldap.SearchRequest {
- attributes := []string{}
-
- inputs := server.Config.Attr
- attributes = appendIfNotEmpty(
- attributes,
- inputs.Username,
- inputs.Surname,
- inputs.Email,
- inputs.Name,
- inputs.MemberOf,
-
- // In case for the POSIX LDAP schema server
- server.Config.GroupSearchFilterUserAttribute,
- )
-
- search := ""
- for _, login := range logins {
- query := strings.Replace(
- server.Config.SearchFilter,
- "%s", ldap.EscapeFilter(login),
- -1,
- )
-
- search = search + query
- }
-
- filter := fmt.Sprintf("(|%s)", search)
-
- return &ldap.SearchRequest{
- BaseDN: base,
- Scope: ldap.ScopeWholeSubtree,
- DerefAliases: ldap.NeverDerefAliases,
- Attributes: attributes,
- Filter: filter,
- }
- }
-
- // requestMemberOf use this function when POSIX LDAP
- // schema does not support memberOf, so it manually search the groups
- func (server *serverConn) requestMemberOf(entry *ldap.Entry) ([]string, error) {
- var memberOf []string
- var config = server.Config
-
- for _, groupSearchBase := range config.GroupSearchBaseDNs {
- var filterReplace string
- if config.GroupSearchFilterUserAttribute == "" {
- filterReplace = getAttribute(config.Attr.Username, entry)
- } else {
- filterReplace = getAttribute(
- config.GroupSearchFilterUserAttribute,
- entry,
- )
- }
-
- filter := strings.Replace(
- config.GroupSearchFilter, "%s",
- ldap.EscapeFilter(filterReplace),
- -1,
- )
-
- server.logger.Debug("ldap", "Searching for groups with filter", filter)
-
- // support old way of reading settings
- groupIDAttribute := config.Attr.MemberOf
- // but prefer dn attribute if default settings are used
- if groupIDAttribute == "" || groupIDAttribute == "memberOf" {
- groupIDAttribute = "dn"
- }
-
- groupSearchReq := ldap.SearchRequest{
- BaseDN: groupSearchBase,
- Scope: ldap.ScopeWholeSubtree,
- DerefAliases: ldap.NeverDerefAliases,
- Attributes: []string{groupIDAttribute},
- Filter: filter,
- }
-
- groupSearchResult, err := server.Connection.Search(&groupSearchReq)
- if err != nil {
- return nil, err
- }
-
- if len(groupSearchResult.Entries) > 0 {
- for _, group := range groupSearchResult.Entries {
-
- memberOf = append(
- memberOf,
- getAttribute(groupIDAttribute, group),
- )
- }
- break
- }
- }
-
- return memberOf, nil
- }
-
- // getMemberOf finds memberOf property or request it
- func (server *serverConn) getMemberOf(result *ldap.Entry) (
- []string, error,
- ) {
- if server.Config.GroupSearchFilter == "" {
- memberOf := getArrayAttribute(server.Config.Attr.MemberOf, result)
-
- return memberOf, nil
- }
-
- memberOf, err := server.requestMemberOf(result)
- if err != nil {
- return nil, err
- }
-
- return memberOf, nil
- }
|