closed-social
/
gitea
3
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10113 Commits
2 Branches
178 MiB
Tree: c3e8c9441a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c3e8c9441a'
${ noResults }
gitea/modules/auth/ldap/ldap.go

485 lines
14 KiB
Raw Normal View History

Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
8 years ago
Add check for LDAP group membership (#10869) This is a port of gogs/gogs#4398 The only changes made by myself are: Add locales Add some JS to the UI Otherwise all code credit goes to @aboron Resolves #10829 Signed-off-by: jolheiser <john.olheiser@gmail.com> Co-authored-by: zeripath <art27@cantab.net>
3 years ago
initial support for LDAP authentication/MSAD
10 years ago
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
8 years ago
initial support for LDAP authentication/MSAD
10 years ago
#1637 able to skip verify for LDAP
8 years ago
initial support for LDAP authentication/MSAD
10 years ago
Sanitizing input to LDAP authentication module.
8 years ago
ldap support
10 years ago
Update import paths from github.com/go-gitea to code.gitea.io (#135) - Update import paths from github.com/go-gitea to code.gitea.io - Fix import path for travis See https://docs.travis-ci.com/user/languages/go#Go-Import-Path
7 years ago
Move to ldap.v3 to fix #5928 (#6105) Signed-off-by: Andrew Thornton <art27@cantab.net>
5 years ago
Add check for LDAP group membership (#10869) This is a port of gogs/gogs#4398 The only changes made by myself are: Add locales Add some JS to the UI Otherwise all code credit goes to @aboron Resolves #10829 Signed-off-by: jolheiser <john.olheiser@gmail.com> Co-authored-by: zeripath <art27@cantab.net>
3 years ago
initial support for LDAP authentication/MSAD
10 years ago
golint fixed for modules/auth
7 years ago
Use SecurityProtocol to replace UseSSL in LDAP config Initially proposed by #2376 and fixes #3068 as well.
8 years ago
Security protocols
7 years ago
Fix type in unused constant name (#111) * Write LDAP, SMTP, PAM, DLDAP back to all uppercase * Fix type in unused constant name * Other MixCased fixes * Complete MixerCasing of template constants * Re uppercase LTS and LDAPS suffixes * Uppercase JSON suffix in constant names * Proper case LoginNoType * Prefix unexported template path constants with "tpl"
7 years ago
Use SecurityProtocol to replace UseSSL in LDAP config Initially proposed by #2376 and fixes #3068 as well.
8 years ago
golint fixed for modules/auth
7 years ago
#1637 able to skip verify for LDAP
8 years ago
LDAP Public SSH Keys synchronization (#1844) * Add LDAP Key Synchronization feature Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Add migration: add login source id column for public_key table * Only update keys if needed * Add function to only list pubkey synchronized from ldap * Only list pub ssh keys synchronized from ldap. Do not sort strings as ExistsInSlice does it. * Only get keys belonging to current login source id * Set default login source id to 0 * Some minor cleanup. Add integration tests (updete dep testify)
6 years ago
Add restricted user filter to LDAP authentication (#10600) * Add restricted user filter to LDAP authentification * Fix unit test cases
4 years ago
LDAP Public SSH Keys synchronization (#1844) * Add LDAP Key Synchronization feature Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Add migration: add login source id column for public_key table * Only update keys if needed * Add function to only list pubkey synchronized from ldap * Only list pub ssh keys synchronized from ldap. Do not sort strings as ExistsInSlice does it. * Only get keys belonging to current login source id * Set default login source id to 0 * Some minor cleanup. Add integration tests (updete dep testify)
6 years ago
Add option to prevent LDAP from deactivating everything on empty search (#9879) * Add option to prevent LDAP from deactivating everything on empty search * Update options/locale/locale_en-US.ini Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com> Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
4 years ago
Add check for LDAP group membership (#10869) This is a port of gogs/gogs#4398 The only changes made by myself are: Add locales Add some JS to the UI Otherwise all code credit goes to @aboron Resolves #10829 Signed-off-by: jolheiser <john.olheiser@gmail.com> Co-authored-by: zeripath <art27@cantab.net>
3 years ago
initial support for LDAP authentication/MSAD
10 years ago
LDAP user synchronization (#1478)
7 years ago
LDAP Public SSH Keys synchronization (#1844) * Add LDAP Key Synchronization feature Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Add migration: add login source id column for public_key table * Only update keys if needed * Add function to only list pubkey synchronized from ldap * Only list pub ssh keys synchronized from ldap. Do not sort strings as ExistsInSlice does it. * Only get keys belonging to current login source id * Set default login source id to 0 * Some minor cleanup. Add integration tests (updete dep testify)
6 years ago
Add restricted user filter to LDAP authentication (#10600) * Add restricted user filter to LDAP authentification * Fix unit test cases
4 years ago
LDAP user synchronization (#1478)
7 years ago
Sanitizing input to LDAP authentication module.
8 years ago
Correct ldap username validation. (#2880) PR #342 was only partially applied. Spaces should not be at the start and end of a username but they can be inside.
6 years ago
Sanitizing input to LDAP authentication module.
8 years ago
Add check for LDAP group membership (#10869) This is a port of gogs/gogs#4398 The only changes made by myself are: Add locales Add some JS to the UI Otherwise all code credit goes to @aboron Resolves #10829 Signed-off-by: jolheiser <john.olheiser@gmail.com> Co-authored-by: zeripath <art27@cantab.net>
3 years ago
LDAP: Use single connection in BindDN mode auth According to RFC 4511 4.2.1. Processing of the Bind Request "Clients may send multiple Bind requests to change the authentication and/or security associations or to complete a multi-stage Bind process. Authentication from earlier binds is subsequently ignored." Therefore we should not use 2 connections, but single one just sending two bind requests.
8 years ago
Significantly enhanced LDAP support in Gogs.
8 years ago
Sanitizing input to LDAP authentication module.
8 years ago
LDAP: Make a bit more detailed log traces This is useful especially to check whether we fetch right attributes, using right LDAP search base and in right order.
8 years ago
Significantly enhanced LDAP support in Gogs.
8 years ago
work on #986 and fix a LDAP crash
8 years ago
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
8 years ago
Significantly enhanced LDAP support in Gogs.
8 years ago
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
8 years ago
initial support for LDAP authentication/MSAD
10 years ago
Significantly enhanced LDAP support in Gogs.
8 years ago
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
8 years ago
Significantly enhanced LDAP support in Gogs.
8 years ago
Better logging (#6038) (#6095) * Panic don't fatal on create new logger Fixes #5854 Signed-off-by: Andrew Thornton <art27@cantab.net> * partial broken * Update the logging infrastrcture Signed-off-by: Andrew Thornton <art27@cantab.net> * Reset the skip levels for Fatal and Error Signed-off-by: Andrew Thornton <art27@cantab.net> * broken ncsa * More log.Error fixes Signed-off-by: Andrew Thornton <art27@cantab.net> * Remove nal * set log-levels to lowercase * Make console_test test all levels * switch to lowercased levels * OK now working * Fix vetting issues * Fix lint * Fix tests * change default logging to match current gitea * Improve log testing Signed-off-by: Andrew Thornton <art27@cantab.net> * reset error skip levels to 0 * Update documentation and access logger configuration * Redirect the router log back to gitea if redirect macaron log but also allow setting the log level - i.e. TRACE * Fix broken level caching * Refactor the router log * Add Router logger * Add colorizing options * Adjust router colors * Only create logger if they will be used * update app.ini.sample * rename Attribute ColorAttribute * Change from white to green for function * Set fatal/error levels * Restore initial trace logger * Fix Trace arguments in modules/auth/auth.go * Properly handle XORMLogger * Improve admin/config page * fix fmt * Add auto-compression of old logs * Update error log levels * Remove the unnecessary skip argument from Error, Fatal and Critical * Add stacktrace support * Fix tests * Remove x/sync from vendors? * Add stderr option to console logger * Use filepath.ToSlash to protect against Windows in tests * Remove prefixed underscores from names in colors.go * Remove not implemented database logger This was removed from Gogs on 4 Mar 2016 but left in the configuration since then. * Ensure that log paths are relative to ROOT_PATH * use path.Join * rename jsonConfig to logConfig * Rename "config" to "jsonConfig" to make it clearer * Requested changes * Requested changes: XormLogger * Try to color the windows terminal If successful default to colorizing the console logs * fixup * Colorize initially too * update vendor * Colorize logs on default and remove if this is not a colorizing logger * Fix documentation * fix test * Use go-isatty to detect if on windows we are on msys or cygwin * Fix spelling mistake * Add missing vendors * More changes * Rationalise the ANSI writer protection * Adjust colors on advice from @0x5c * Make Flags a comma separated list * Move to use the windows constant for ENABLE_VIRTUAL_TERMINAL_PROCESSING * Ensure matching is done on the non-colored message - to simpify EXPRESSION
5 years ago
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
8 years ago
Significantly enhanced LDAP support in Gogs.
8 years ago
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
8 years ago
initial support for LDAP authentication/MSAD
10 years ago
Use SecurityProtocol to replace UseSSL in LDAP config Initially proposed by #2376 and fixes #3068 as well.
8 years ago
Fix type in unused constant name (#111) * Write LDAP, SMTP, PAM, DLDAP back to all uppercase * Fix type in unused constant name * Other MixCased fixes * Complete MixerCasing of template constants * Re uppercase LTS and LDAPS suffixes * Uppercase JSON suffix in constant names * Proper case LoginNoType * Prefix unexported template path constants with "tpl"
7 years ago
Use SecurityProtocol to replace UseSSL in LDAP config Initially proposed by #2376 and fixes #3068 as well.
8 years ago
Fix type in unused constant name (#111) * Write LDAP, SMTP, PAM, DLDAP back to all uppercase * Fix type in unused constant name * Other MixCased fixes * Complete MixerCasing of template constants * Re uppercase LTS and LDAPS suffixes * Uppercase JSON suffix in constant names * Proper case LoginNoType * Prefix unexported template path constants with "tpl"
7 years ago
Use SecurityProtocol to replace UseSSL in LDAP config Initially proposed by #2376 and fixes #3068 as well.
8 years ago
LDAP user synchronization (#1478)
7 years ago
Add restricted user filter to LDAP authentication (#10600) * Add restricted user filter to LDAP authentification * Fix unit test cases
4 years ago
LDAP user synchronization (#1478)
7 years ago
Add restricted user filter to LDAP authentication (#10600) * Add restricted user filter to LDAP authentification * Fix unit test cases
4 years ago
LDAP user synchronization (#1478)
7 years ago
Add restricted user filter to LDAP authentication (#10600) * Add restricted user filter to LDAP authentification * Fix unit test cases
4 years ago
LDAP user synchronization (#1478)
7 years ago
golint fixed for modules/auth
7 years ago
LDAP user synchronization (#1478)
7 years ago
Correction LDAP validation (#342) * Correction LDAP username validation As https://msdn.microsoft.com/en-us/library/aa366101(v=vs.85).aspx describe spaces should not be in start or at the end of username but they can be inside the username. So please check my solution for it. * Check for zero length passwords in LDAP module. According to https://tools.ietf.org/search/rfc4513#section-5.1.2 LDAP client should always check before bind whether a password is an empty value. There are at least one LDAP implementation which does not return error if you try to bind with DN set and empty password - AD. * Clearing the login/email spaces at the [start/end]
7 years ago
Better logging (#6038) (#6095) * Panic don't fatal on create new logger Fixes #5854 Signed-off-by: Andrew Thornton <art27@cantab.net> * partial broken * Update the logging infrastrcture Signed-off-by: Andrew Thornton <art27@cantab.net> * Reset the skip levels for Fatal and Error Signed-off-by: Andrew Thornton <art27@cantab.net> * broken ncsa * More log.Error fixes Signed-off-by: Andrew Thornton <art27@cantab.net> * Remove nal * set log-levels to lowercase * Make console_test test all levels * switch to lowercased levels * OK now working * Fix vetting issues * Fix lint * Fix tests * change default logging to match current gitea * Improve log testing Signed-off-by: Andrew Thornton <art27@cantab.net> * reset error skip levels to 0 * Update documentation and access logger configuration * Redirect the router log back to gitea if redirect macaron log but also allow setting the log level - i.e. TRACE * Fix broken level caching * Refactor the router log * Add Router logger * Add colorizing options * Adjust router colors * Only create logger if they will be used * update app.ini.sample * rename Attribute ColorAttribute * Change from white to green for function * Set fatal/error levels * Restore initial trace logger * Fix Trace arguments in modules/auth/auth.go * Properly handle XORMLogger * Improve admin/config page * fix fmt * Add auto-compression of old logs * Update error log levels * Remove the unnecessary skip argument from Error, Fatal and Critical * Add stacktrace support * Fix tests * Remove x/sync from vendors? * Add stderr option to console logger * Use filepath.ToSlash to protect against Windows in tests * Remove prefixed underscores from names in colors.go * Remove not implemented database logger This was removed from Gogs on 4 Mar 2016 but left in the configuration since then. * Ensure that log paths are relative to ROOT_PATH * use path.Join * rename jsonConfig to logConfig * Rename "config" to "jsonConfig" to make it clearer * Requested changes * Requested changes: XormLogger * Try to color the windows terminal If successful default to colorizing the console logs * fixup * Colorize initially too * update vendor * Colorize logs on default and remove if this is not a colorizing logger * Fix documentation * fix test * Use go-isatty to detect if on windows we are on msys or cygwin * Fix spelling mistake * Add missing vendors * More changes * Rationalise the ANSI writer protection * Adjust colors on advice from @0x5c * Make Flags a comma separated list * Move to use the windows constant for ENABLE_VIRTUAL_TERMINAL_PROCESSING * Ensure matching is done on the non-colored message - to simpify EXPRESSION
5 years ago
LDAP user synchronization (#1478)
7 years ago
Correction LDAP validation (#342) * Correction LDAP username validation As https://msdn.microsoft.com/en-us/library/aa366101(v=vs.85).aspx describe spaces should not be in start or at the end of username but they can be inside the username. So please check my solution for it. * Check for zero length passwords in LDAP module. According to https://tools.ietf.org/search/rfc4513#section-5.1.2 LDAP client should always check before bind whether a password is an empty value. There are at least one LDAP implementation which does not return error if you try to bind with DN set and empty password - AD. * Clearing the login/email spaces at the [start/end]
7 years ago
Use SecurityProtocol to replace UseSSL in LDAP config Initially proposed by #2376 and fixes #3068 as well.
8 years ago
LDAP: Use single connection in BindDN mode auth According to RFC 4511 4.2.1. Processing of the Bind Request "Clients may send multiple Bind requests to change the authentication and/or security associations or to complete a multi-stage Bind process. Authentication from earlier binds is subsequently ignored." Therefore we should not use 2 connections, but single one just sending two bind requests.
8 years ago
Better logging (#6038) (#6095) * Panic don't fatal on create new logger Fixes #5854 Signed-off-by: Andrew Thornton <art27@cantab.net> * partial broken * Update the logging infrastrcture Signed-off-by: Andrew Thornton <art27@cantab.net> * Reset the skip levels for Fatal and Error Signed-off-by: Andrew Thornton <art27@cantab.net> * broken ncsa * More log.Error fixes Signed-off-by: Andrew Thornton <art27@cantab.net> * Remove nal * set log-levels to lowercase * Make console_test test all levels * switch to lowercased levels * OK now working * Fix vetting issues * Fix lint * Fix tests * change default logging to match current gitea * Improve log testing Signed-off-by: Andrew Thornton <art27@cantab.net> * reset error skip levels to 0 * Update documentation and access logger configuration * Redirect the router log back to gitea if redirect macaron log but also allow setting the log level - i.e. TRACE * Fix broken level caching * Refactor the router log * Add Router logger * Add colorizing options * Adjust router colors * Only create logger if they will be used * update app.ini.sample * rename Attribute ColorAttribute * Change from white to green for function * Set fatal/error levels * Restore initial trace logger * Fix Trace arguments in modules/auth/auth.go * Properly handle XORMLogger * Improve admin/config page * fix fmt * Add auto-compression of old logs * Update error log levels * Remove the unnecessary skip argument from Error, Fatal and Critical * Add stacktrace support * Fix tests * Remove x/sync from vendors? * Add stderr option to console logger * Use filepath.ToSlash to protect against Windows in tests * Remove prefixed underscores from names in colors.go * Remove not implemented database logger This was removed from Gogs on 4 Mar 2016 but left in the configuration since then. * Ensure that log paths are relative to ROOT_PATH * use path.Join * rename jsonConfig to logConfig * Rename "config" to "jsonConfig" to make it clearer * Requested changes * Requested changes: XormLogger * Try to color the windows terminal If successful default to colorizing the console logs * fixup * Colorize initially too * update vendor * Colorize logs on default and remove if this is not a colorizing logger * Fix documentation * fix test * Use go-isatty to detect if on windows we are on msys or cygwin * Fix spelling mistake * Add missing vendors * More changes * Rationalise the ANSI writer protection * Adjust colors on advice from @0x5c * Make Flags a comma separated list * Move to use the windows constant for ENABLE_VIRTUAL_TERMINAL_PROCESSING * Ensure matching is done on the non-colored message - to simpify EXPRESSION
5 years ago
LDAP: Use single connection in BindDN mode auth According to RFC 4511 4.2.1. Processing of the Bind Request "Clients may send multiple Bind requests to change the authentication and/or security associations or to complete a multi-stage Bind process. Authentication from earlier binds is subsequently ignored." Therefore we should not use 2 connections, but single one just sending two bind requests.
8 years ago
LDAP user synchronization (#1478)
7 years ago
LDAP: Use single connection in BindDN mode auth According to RFC 4511 4.2.1. Processing of the Bind Request "Clients may send multiple Bind requests to change the authentication and/or security associations or to complete a multi-stage Bind process. Authentication from earlier binds is subsequently ignored." Therefore we should not use 2 connections, but single one just sending two bind requests.
8 years ago
Added LDAP simple auth support.
8 years ago
revert simple LDAP userDN and update example
8 years ago
Sanitizing input to LDAP authentication module.
8 years ago
LDAP via simple auth separate bind user and search base (#5055)
5 years ago
Sanitizing input to LDAP authentication module.
8 years ago
LDAP user synchronization (#1478)
7 years ago
Sanitizing input to LDAP authentication module.
8 years ago
LDAP via simple auth separate bind user and search base (#5055)
5 years ago
Added LDAP simple auth support.
8 years ago
LDAP via simple auth separate bind user and search base (#5055)
5 years ago
LDAP: Use single connection in BindDN mode auth According to RFC 4511 4.2.1. Processing of the Bind Request "Clients may send multiple Bind requests to change the authentication and/or security associations or to complete a multi-stage Bind process. Authentication from earlier binds is subsequently ignored." Therefore we should not use 2 connections, but single one just sending two bind requests.
8 years ago
Added LDAP simple auth support.
8 years ago
LDAP user synchronization (#1478)
7 years ago
Added LDAP simple auth support.
8 years ago
Significantly enhanced LDAP support in Gogs.
8 years ago
LDAP via simple auth separate bind user and search base (#5055)
5 years ago
LDAP: Fetch attributes in Bind DN context option This is feature is workaround for #2628 (JumpCloud) and some other services that allow LDAP search only under BindDN user account, but not allow any LDAP search query in logged user DN context. Such approach is an alternative to minimal permissions security pattern for BindDN user.
8 years ago
LDAP user synchronization (#1478)
7 years ago
LDAP: Fetch attributes in Bind DN context option This is feature is workaround for #2628 (JumpCloud) and some other services that allow LDAP search only under BindDN user account, but not allow any LDAP search query in logged user DN context. Such approach is an alternative to minimal permissions security pattern for BindDN user.
8 years ago
initial support for LDAP authentication/MSAD
10 years ago
Sanitizing input to LDAP authentication module.
8 years ago
LDAP user synchronization (#1478)
7 years ago
Sanitizing input to LDAP authentication module.
8 years ago
Request for public keys only if LDAP attribute is set (#5816) * Update go-ldap dependency * Request for public keys only if attribute is set
5 years ago
Add check for LDAP group membership (#10869) This is a port of gogs/gogs#4398 The only changes made by myself are: Add locales Add some JS to the UI Otherwise all code credit goes to @aboron Resolves #10829 Signed-off-by: jolheiser <john.olheiser@gmail.com> Co-authored-by: zeripath <art27@cantab.net>
3 years ago
Request for public keys only if LDAP attribute is set (#5816) * Update go-ldap dependency * Request for public keys only if attribute is set
5 years ago
Add check for LDAP group membership (#10869) This is a port of gogs/gogs#4398 The only changes made by myself are: Add locales Add some JS to the UI Otherwise all code credit goes to @aboron Resolves #10829 Signed-off-by: jolheiser <john.olheiser@gmail.com> Co-authored-by: zeripath <art27@cantab.net>
3 years ago
Remove ldap dep
9 years ago
Significantly enhanced LDAP support in Gogs.
8 years ago
Request for public keys only if LDAP attribute is set (#5816) * Update go-ldap dependency * Request for public keys only if attribute is set
5 years ago
Significantly enhanced LDAP support in Gogs.
8 years ago
initial support for LDAP authentication/MSAD
10 years ago
Better logging (#6038) (#6095) * Panic don't fatal on create new logger Fixes #5854 Signed-off-by: Andrew Thornton <art27@cantab.net> * partial broken * Update the logging infrastrcture Signed-off-by: Andrew Thornton <art27@cantab.net> * Reset the skip levels for Fatal and Error Signed-off-by: Andrew Thornton <art27@cantab.net> * broken ncsa * More log.Error fixes Signed-off-by: Andrew Thornton <art27@cantab.net> * Remove nal * set log-levels to lowercase * Make console_test test all levels * switch to lowercased levels * OK now working * Fix vetting issues * Fix lint * Fix tests * change default logging to match current gitea * Improve log testing Signed-off-by: Andrew Thornton <art27@cantab.net> * reset error skip levels to 0 * Update documentation and access logger configuration * Redirect the router log back to gitea if redirect macaron log but also allow setting the log level - i.e. TRACE * Fix broken level caching * Refactor the router log * Add Router logger * Add colorizing options * Adjust router colors * Only create logger if they will be used * update app.ini.sample * rename Attribute ColorAttribute * Change from white to green for function * Set fatal/error levels * Restore initial trace logger * Fix Trace arguments in modules/auth/auth.go * Properly handle XORMLogger * Improve admin/config page * fix fmt * Add auto-compression of old logs * Update error log levels * Remove the unnecessary skip argument from Error, Fatal and Critical * Add stacktrace support * Fix tests * Remove x/sync from vendors? * Add stderr option to console logger * Use filepath.ToSlash to protect against Windows in tests * Remove prefixed underscores from names in colors.go * Remove not implemented database logger This was removed from Gogs on 4 Mar 2016 but left in the configuration since then. * Ensure that log paths are relative to ROOT_PATH * use path.Join * rename jsonConfig to logConfig * Rename "config" to "jsonConfig" to make it clearer * Requested changes * Requested changes: XormLogger * Try to color the windows terminal If successful default to colorizing the console logs * fixup * Colorize initially too * update vendor * Colorize logs on default and remove if this is not a colorizing logger * Fix documentation * fix test * Use go-isatty to detect if on windows we are on msys or cygwin * Fix spelling mistake * Add missing vendors * More changes * Rationalise the ANSI writer protection * Adjust colors on advice from @0x5c * Make Flags a comma separated list * Move to use the windows constant for ENABLE_VIRTUAL_TERMINAL_PROCESSING * Ensure matching is done on the non-colored message - to simpify EXPRESSION
5 years ago
LDAP user synchronization (#1478)
7 years ago
Significantly enhanced LDAP support in Gogs.
8 years ago
Added LDAP simple auth support.
8 years ago
ldap: Adjust log settings when a user is not found. (#5771) Fixes: #3849.
5 years ago
Added LDAP simple auth support.
8 years ago
ldap: Adjust log settings when a user is not found. (#5771) Fixes: #3849.
5 years ago
Added LDAP simple auth support.
8 years ago
LDAP user synchronization (#1478)
7 years ago
initial support for LDAP authentication/MSAD
10 years ago
Significantly enhanced LDAP support in Gogs.
8 years ago
Request for public keys only if LDAP attribute is set (#5816) * Update go-ldap dependency * Request for public keys only if attribute is set
5 years ago
#2709 validate username attribute fetched from LDAP
8 years ago
Add check for LDAP group membership (#10869) This is a port of gogs/gogs#4398 The only changes made by myself are: Add locales Add some JS to the UI Otherwise all code credit goes to @aboron Resolves #10829 Signed-off-by: jolheiser <john.olheiser@gmail.com> Co-authored-by: zeripath <art27@cantab.net>
3 years ago
Request for public keys only if LDAP attribute is set (#5816) * Update go-ldap dependency * Request for public keys only if attribute is set
5 years ago
LDAP user synchronization (#1478)
7 years ago
Add restricted user filter to LDAP authentication (#10600) * Add restricted user filter to LDAP authentification * Fix unit test cases
4 years ago
Set IsAdmin using LDAP The IsAdmin flag is set based on whether the admin filter returned any result. The admin filter is applied with the user dn as the search root. In the future, we should update IsAdmin as well on each login. Alternately, we can have a periodic sync operation.
8 years ago
LDAP user synchronization (#1478)
7 years ago
#1554 check adminFilter length before LDAP search
8 years ago
LDAP user synchronization (#1478)
7 years ago
#1554 check adminFilter length before LDAP search
8 years ago
Set IsAdmin using LDAP The IsAdmin flag is set based on whether the admin filter returned any result. The admin filter is applied with the user dn as the search root. In the future, we should update IsAdmin as well on each login. Alternately, we can have a periodic sync operation.
8 years ago
LDAP user synchronization (#1478)
7 years ago
Synchronize SSH keys on login with LDAP + Fix SQLite deadlock on ldap ssh key deletion (#5557) * Synchronize SSH keys on login with LDAP * BUG: Fix hang on sqlite during LDAP key deletion
5 years ago
Add restricted user filter to LDAP authentication (#10600) * Add restricted user filter to LDAP authentification * Fix unit test cases
4 years ago
LDAP user synchronization (#1478)
7 years ago
Add option to use paged LDAP search when synchronizing users (#3895)
6 years ago
LDAP user synchronization (#1478)
7 years ago
Abort syncrhonization from LDAP source if there is some error. (#7960) Signed-off-by: David Svantesson <davidsvantesson@gmail.com>
4 years ago
LDAP user synchronization (#1478)
7 years ago
Better logging (#6038) (#6095) * Panic don't fatal on create new logger Fixes #5854 Signed-off-by: Andrew Thornton <art27@cantab.net> * partial broken * Update the logging infrastrcture Signed-off-by: Andrew Thornton <art27@cantab.net> * Reset the skip levels for Fatal and Error Signed-off-by: Andrew Thornton <art27@cantab.net> * broken ncsa * More log.Error fixes Signed-off-by: Andrew Thornton <art27@cantab.net> * Remove nal * set log-levels to lowercase * Make console_test test all levels * switch to lowercased levels * OK now working * Fix vetting issues * Fix lint * Fix tests * change default logging to match current gitea * Improve log testing Signed-off-by: Andrew Thornton <art27@cantab.net> * reset error skip levels to 0 * Update documentation and access logger configuration * Redirect the router log back to gitea if redirect macaron log but also allow setting the log level - i.e. TRACE * Fix broken level caching * Refactor the router log * Add Router logger * Add colorizing options * Adjust router colors * Only create logger if they will be used * update app.ini.sample * rename Attribute ColorAttribute * Change from white to green for function * Set fatal/error levels * Restore initial trace logger * Fix Trace arguments in modules/auth/auth.go * Properly handle XORMLogger * Improve admin/config page * fix fmt * Add auto-compression of old logs * Update error log levels * Remove the unnecessary skip argument from Error, Fatal and Critical * Add stacktrace support * Fix tests * Remove x/sync from vendors? * Add stderr option to console logger * Use filepath.ToSlash to protect against Windows in tests * Remove prefixed underscores from names in colors.go * Remove not implemented database logger This was removed from Gogs on 4 Mar 2016 but left in the configuration since then. * Ensure that log paths are relative to ROOT_PATH * use path.Join * rename jsonConfig to logConfig * Rename "config" to "jsonConfig" to make it clearer * Requested changes * Requested changes: XormLogger * Try to color the windows terminal If successful default to colorizing the console logs * fixup * Colorize initially too * update vendor * Colorize logs on default and remove if this is not a colorizing logger * Fix documentation * fix test * Use go-isatty to detect if on windows we are on msys or cygwin * Fix spelling mistake * Add missing vendors * More changes * Rationalise the ANSI writer protection * Adjust colors on advice from @0x5c * Make Flags a comma separated list * Move to use the windows constant for ENABLE_VIRTUAL_TERMINAL_PROCESSING * Ensure matching is done on the non-colored message - to simpify EXPRESSION
5 years ago
LDAP user synchronization (#1478)
7 years ago
Abort syncrhonization from LDAP source if there is some error. (#7960) Signed-off-by: David Svantesson <davidsvantesson@gmail.com>
4 years ago
LDAP user synchronization (#1478)
7 years ago
LDAP: Fetch attributes in Bind DN context option This is feature is workaround for #2628 (JumpCloud) and some other services that allow LDAP search only under BindDN user account, but not allow any LDAP search query in logged user DN context. Such approach is an alternative to minimal permissions security pattern for BindDN user.
8 years ago
LDAP user synchronization (#1478)
7 years ago
Abort syncrhonization from LDAP source if there is some error. (#7960) Signed-off-by: David Svantesson <davidsvantesson@gmail.com>
4 years ago
LDAP user synchronization (#1478)
7 years ago
Request for public keys only if LDAP attribute is set (#5816) * Update go-ldap dependency * Request for public keys only if attribute is set
5 years ago
LDAP Public SSH Keys synchronization (#1844) * Add LDAP Key Synchronization feature Signed-off-by: Magnus Lindvall <magnus@dnmgns.com> * Add migration: add login source id column for public_key table * Only update keys if needed * Add function to only list pubkey synchronized from ldap * Only list pub ssh keys synchronized from ldap. Do not sort strings as ExistsInSlice does it. * Only get keys belonging to current login source id * Set default login source id to 0 * Some minor cleanup. Add integration tests (updete dep testify)
6 years ago
LDAP user synchronization (#1478)
7 years ago
Request for public keys only if LDAP attribute is set (#5816) * Update go-ldap dependency * Request for public keys only if attribute is set
5 years ago
LDAP user synchronization (#1478)
7 years ago
Add option to use paged LDAP search when synchronizing users (#3895)
6 years ago
LDAP user synchronization (#1478)
7 years ago
Better logging (#6038) (#6095) * Panic don't fatal on create new logger Fixes #5854 Signed-off-by: Andrew Thornton <art27@cantab.net> * partial broken * Update the logging infrastrcture Signed-off-by: Andrew Thornton <art27@cantab.net> * Reset the skip levels for Fatal and Error Signed-off-by: Andrew Thornton <art27@cantab.net> * broken ncsa * More log.Error fixes Signed-off-by: Andrew Thornton <art27@cantab.net> * Remove nal * set log-levels to lowercase * Make console_test test all levels * switch to lowercased levels * OK now working * Fix vetting issues * Fix lint * Fix tests * change default logging to match current gitea * Improve log testing Signed-off-by: Andrew Thornton <art27@cantab.net> * reset error skip levels to 0 * Update documentation and access logger configuration * Redirect the router log back to gitea if redirect macaron log but also allow setting the log level - i.e. TRACE * Fix broken level caching * Refactor the router log * Add Router logger * Add colorizing options * Adjust router colors * Only create logger if they will be used * update app.ini.sample * rename Attribute ColorAttribute * Change from white to green for function * Set fatal/error levels * Restore initial trace logger * Fix Trace arguments in modules/auth/auth.go * Properly handle XORMLogger * Improve admin/config page * fix fmt * Add auto-compression of old logs * Update error log levels * Remove the unnecessary skip argument from Error, Fatal and Critical * Add stacktrace support * Fix tests * Remove x/sync from vendors? * Add stderr option to console logger * Use filepath.ToSlash to protect against Windows in tests * Remove prefixed underscores from names in colors.go * Remove not implemented database logger This was removed from Gogs on 4 Mar 2016 but left in the configuration since then. * Ensure that log paths are relative to ROOT_PATH * use path.Join * rename jsonConfig to logConfig * Rename "config" to "jsonConfig" to make it clearer * Requested changes * Requested changes: XormLogger * Try to color the windows terminal If successful default to colorizing the console logs * fixup * Colorize initially too * update vendor * Colorize logs on default and remove if this is not a colorizing logger * Fix documentation * fix test * Use go-isatty to detect if on windows we are on msys or cygwin * Fix spelling mistake * Add missing vendors * More changes * Rationalise the ANSI writer protection * Adjust colors on advice from @0x5c * Make Flags a comma separated list * Move to use the windows constant for ENABLE_VIRTUAL_TERMINAL_PROCESSING * Ensure matching is done on the non-colored message - to simpify EXPRESSION
5 years ago
Abort syncrhonization from LDAP source if there is some error. (#7960) Signed-off-by: David Svantesson <davidsvantesson@gmail.com>
4 years ago
LDAP user synchronization (#1478)
7 years ago
Request for public keys only if LDAP attribute is set (#5816) * Update go-ldap dependency * Request for public keys only if attribute is set
5 years ago
Add restricted user filter to LDAP authentication (#10600) * Add restricted user filter to LDAP authentification * Fix unit test cases
4 years ago
Request for public keys only if LDAP attribute is set (#5816) * Update go-ldap dependency * Request for public keys only if attribute is set
5 years ago
LDAP: Fetch attributes in Bind DN context option This is feature is workaround for #2628 (JumpCloud) and some other services that allow LDAP search only under BindDN user account, but not allow any LDAP search query in logged user DN context. Such approach is an alternative to minimal permissions security pattern for BindDN user.
8 years ago
Abort syncrhonization from LDAP source if there is some error. (#7960) Signed-off-by: David Svantesson <davidsvantesson@gmail.com>
4 years ago
initial support for LDAP authentication/MSAD
10 years ago
 
  1. // Copyright 2014 The Gogs Authors. All rights reserved.

  2. // Copyright 2020 The Gitea Authors. All rights reserved.

  3. // Use of this source code is governed by a MIT-style

  4. // license that can be found in the LICENSE file.

  5. 

  6. // Package ldap provide functions & structure to query a LDAP ldap directory

  7. // For now, it's mainly tested again an MS Active Directory service, see README.md for more information

  8. package ldap
  9. 

  10. import (
  11. 	"crypto/tls"
  12. 	"fmt"
  13. 	"strings"
  14. 

  15. 	"code.gitea.io/gitea/modules/log"
  16. 

  17. 	"gopkg.in/ldap.v3"
  18. )
  19. 

  20. // SecurityProtocol protocol type

  21. type SecurityProtocol int
  22. 

  23. // Note: new type must be added at the end of list to maintain compatibility.

  24. const (
  25. 	SecurityProtocolUnencrypted SecurityProtocol = iota
  26. 	SecurityProtocolLDAPS
  27. 	SecurityProtocolStartTLS
  28. )
  29. 

  30. // Source Basic LDAP authentication service

  31. type Source struct {
  32. 	Name                  string // canonical name (ie. corporate.ad)

  33. 	Host                  string // LDAP host

  34. 	Port                  int    // port number

  35. 	SecurityProtocol      SecurityProtocol
  36. 	SkipVerify            bool
  37. 	BindDN                string // DN to bind with

  38. 	BindPassword          string // Bind DN password

  39. 	UserBase              string // Base search path for users

  40. 	UserDN                string // Template for the DN of the user for simple auth

  41. 	AttributeUsername     string // Username attribute

  42. 	AttributeName         string // First name attribute

  43. 	AttributeSurname      string // Surname attribute

  44. 	AttributeMail         string // E-mail attribute

  45. 	AttributesInBind      bool   // fetch attributes in bind context (not user)

  46. 	AttributeSSHPublicKey string // LDAP SSH Public Key attribute

  47. 	SearchPageSize        uint32 // Search with paging page size

  48. 	Filter                string // Query filter to validate entry

  49. 	AdminFilter           string // Query filter to check if user is admin

  50. 	RestrictedFilter      string // Query filter to check if user is restricted

  51. 	Enabled               bool   // if this source is disabled

  52. 	AllowDeactivateAll    bool   // Allow an empty search response to deactivate all users from this source

  53. 	GroupsEnabled         bool   // if the group checking is enabled

  54. 	GroupDN               string // Group Search Base

  55. 	GroupFilter           string // Group Name Filter

  56. 	GroupMemberUID        string // Group Attribute containing array of UserUID

  57. 	UserUID               string // User Attribute listed in Group

  58. }
  59. 

  60. // SearchResult : user data

  61. type SearchResult struct {
  62. 	Username     string   // Username

  63. 	Name         string   // Name

  64. 	Surname      string   // Surname

  65. 	Mail         string   // E-mail address

  66. 	SSHPublicKey []string // SSH Public Key

  67. 	IsAdmin      bool     // if user is administrator

  68. 	IsRestricted bool     // if user is restricted

  69. }
  70. 

  71. func (ls *Source) sanitizedUserQuery(username string) (string, bool) {
  72. 	// See http://tools.ietf.org/search/rfc4515

  73. 	badCharacters := "\x00()*\\"
  74. 	if strings.ContainsAny(username, badCharacters) {
  75. 		log.Debug("'%s' contains invalid query characters. Aborting.", username)
  76. 		return "", false
  77. 	}
  78. 

  79. 	return fmt.Sprintf(ls.Filter, username), true
  80. }
  81. 

  82. func (ls *Source) sanitizedUserDN(username string) (string, bool) {
  83. 	// See http://tools.ietf.org/search/rfc4514: "special characters"

  84. 	badCharacters := "\x00()*\\,='\"#+;<>"
  85. 	if strings.ContainsAny(username, badCharacters) {
  86. 		log.Debug("'%s' contains invalid DN characters. Aborting.", username)
  87. 		return "", false
  88. 	}
  89. 

  90. 	return fmt.Sprintf(ls.UserDN, username), true
  91. }
  92. 

  93. func (ls *Source) sanitizedGroupFilter(group string) (string, bool) {
  94. 	// See http://tools.ietf.org/search/rfc4515

  95. 	badCharacters := "\x00*\\"
  96. 	if strings.ContainsAny(group, badCharacters) {
  97. 		log.Trace("Group filter invalid query characters: %s", group)
  98. 		return "", false
  99. 	}
  100. 

  101. 	return group, true
  102. }
  103. 

  104. func (ls *Source) sanitizedGroupDN(groupDn string) (string, bool) {
  105. 	// See http://tools.ietf.org/search/rfc4514: "special characters"

  106. 	badCharacters := "\x00()*\\'\"#+;<>"
  107. 	if strings.ContainsAny(groupDn, badCharacters) || strings.HasPrefix(groupDn, " ") || strings.HasSuffix(groupDn, " ") {
  108. 		log.Trace("Group DN contains invalid query characters: %s", groupDn)
  109. 		return "", false
  110. 	}
  111. 

  112. 	return groupDn, true
  113. }
  114. 

  115. func (ls *Source) findUserDN(l *ldap.Conn, name string) (string, bool) {
  116. 	log.Trace("Search for LDAP user: %s", name)
  117. 

  118. 	// A search for the user.

  119. 	userFilter, ok := ls.sanitizedUserQuery(name)
  120. 	if !ok {
  121. 		return "", false
  122. 	}
  123. 

  124. 	log.Trace("Searching for DN using filter %s and base %s", userFilter, ls.UserBase)
  125. 	search := ldap.NewSearchRequest(
  126. 		ls.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0,
  127. 		false, userFilter, []string{}, nil)
  128. 

  129. 	// Ensure we found a user

  130. 	sr, err := l.Search(search)
  131. 	if err != nil || len(sr.Entries) < 1 {
  132. 		log.Debug("Failed search using filter[%s]: %v", userFilter, err)
  133. 		return "", false
  134. 	} else if len(sr.Entries) > 1 {
  135. 		log.Debug("Filter '%s' returned more than one user.", userFilter)
  136. 		return "", false
  137. 	}
  138. 

  139. 	userDN := sr.Entries[0].DN
  140. 	if userDN == "" {
  141. 		log.Error("LDAP search was successful, but found no DN!")
  142. 		return "", false
  143. 	}
  144. 

  145. 	return userDN, true
  146. }
  147. 

  148. func dial(ls *Source) (*ldap.Conn, error) {
  149. 	log.Trace("Dialing LDAP with security protocol (%v) without verifying: %v", ls.SecurityProtocol, ls.SkipVerify)
  150. 

  151. 	tlsCfg := &tls.Config{
  152. 		ServerName:         ls.Host,
  153. 		InsecureSkipVerify: ls.SkipVerify,
  154. 	}
  155. 	if ls.SecurityProtocol == SecurityProtocolLDAPS {
  156. 		return ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", ls.Host, ls.Port), tlsCfg)
  157. 	}
  158. 

  159. 	conn, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", ls.Host, ls.Port))
  160. 	if err != nil {
  161. 		return nil, fmt.Errorf("Dial: %v", err)
  162. 	}
  163. 

  164. 	if ls.SecurityProtocol == SecurityProtocolStartTLS {
  165. 		if err = conn.StartTLS(tlsCfg); err != nil {
  166. 			conn.Close()
  167. 			return nil, fmt.Errorf("StartTLS: %v", err)
  168. 		}
  169. 	}
  170. 

  171. 	return conn, nil
  172. }
  173. 

  174. func bindUser(l *ldap.Conn, userDN, passwd string) error {
  175. 	log.Trace("Binding with userDN: %s", userDN)
  176. 	err := l.Bind(userDN, passwd)
  177. 	if err != nil {
  178. 		log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)
  179. 		return err
  180. 	}
  181. 	log.Trace("Bound successfully with userDN: %s", userDN)
  182. 	return err
  183. }
  184. 

  185. func checkAdmin(l *ldap.Conn, ls *Source, userDN string) bool {
  186. 	if len(ls.AdminFilter) == 0 {
  187. 		return false
  188. 	}
  189. 	log.Trace("Checking admin with filter %s and base %s", ls.AdminFilter, userDN)
  190. 	search := ldap.NewSearchRequest(
  191. 		userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.AdminFilter,
  192. 		[]string{ls.AttributeName},
  193. 		nil)
  194. 

  195. 	sr, err := l.Search(search)
  196. 

  197. 	if err != nil {
  198. 		log.Error("LDAP Admin Search failed unexpectedly! (%v)", err)
  199. 	} else if len(sr.Entries) < 1 {
  200. 		log.Trace("LDAP Admin Search found no matching entries.")
  201. 	} else {
  202. 		return true
  203. 	}
  204. 	return false
  205. }
  206. 

  207. func checkRestricted(l *ldap.Conn, ls *Source, userDN string) bool {
  208. 	if len(ls.RestrictedFilter) == 0 {
  209. 		return false
  210. 	}
  211. 	if ls.RestrictedFilter == "*" {
  212. 		return true
  213. 	}
  214. 	log.Trace("Checking restricted with filter %s and base %s", ls.RestrictedFilter, userDN)
  215. 	search := ldap.NewSearchRequest(
  216. 		userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.RestrictedFilter,
  217. 		[]string{ls.AttributeName},
  218. 		nil)
  219. 

  220. 	sr, err := l.Search(search)
  221. 

  222. 	if err != nil {
  223. 		log.Error("LDAP Restrictred Search failed unexpectedly! (%v)", err)
  224. 	} else if len(sr.Entries) < 1 {
  225. 		log.Trace("LDAP Restricted Search found no matching entries.")
  226. 	} else {
  227. 		return true
  228. 	}
  229. 	return false
  230. }
  231. 

  232. // SearchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter

  233. func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResult {
  234. 	// See https://tools.ietf.org/search/rfc4513#section-5.1.2

  235. 	if len(passwd) == 0 {
  236. 		log.Debug("Auth. failed for %s, password cannot be empty", name)
  237. 		return nil
  238. 	}
  239. 	l, err := dial(ls)
  240. 	if err != nil {
  241. 		log.Error("LDAP Connect error, %s:%v", ls.Host, err)
  242. 		ls.Enabled = false
  243. 		return nil
  244. 	}
  245. 	defer l.Close()
  246. 

  247. 	var userDN string
  248. 	if directBind {
  249. 		log.Trace("LDAP will bind directly via UserDN template: %s", ls.UserDN)
  250. 

  251. 		var ok bool
  252. 		userDN, ok = ls.sanitizedUserDN(name)
  253. 

  254. 		if !ok {
  255. 			return nil
  256. 		}
  257. 

  258. 		err = bindUser(l, userDN, passwd)
  259. 		if err != nil {
  260. 			return nil
  261. 		}
  262. 

  263. 		if ls.UserBase != "" {
  264. 			// not everyone has a CN compatible with input name so we need to find

  265. 			// the real userDN in that case

  266. 

  267. 			userDN, ok = ls.findUserDN(l, name)
  268. 			if !ok {
  269. 				return nil
  270. 			}
  271. 		}
  272. 	} else {
  273. 		log.Trace("LDAP will use BindDN.")
  274. 

  275. 		var found bool
  276. 

  277. 		if ls.BindDN != "" && ls.BindPassword != "" {
  278. 			err := l.Bind(ls.BindDN, ls.BindPassword)
  279. 			if err != nil {
  280. 				log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
  281. 				return nil
  282. 			}
  283. 			log.Trace("Bound as BindDN %s", ls.BindDN)
  284. 		} else {
  285. 			log.Trace("Proceeding with anonymous LDAP search.")
  286. 		}
  287. 

  288. 		userDN, found = ls.findUserDN(l, name)
  289. 		if !found {
  290. 			return nil
  291. 		}
  292. 	}
  293. 

  294. 	if !ls.AttributesInBind {
  295. 		// binds user (checking password) before looking-up attributes in user context

  296. 		err = bindUser(l, userDN, passwd)
  297. 		if err != nil {
  298. 			return nil
  299. 		}
  300. 	}
  301. 

  302. 	userFilter, ok := ls.sanitizedUserQuery(name)
  303. 	if !ok {
  304. 		return nil
  305. 	}
  306. 

  307. 	var isAttributeSSHPublicKeySet = len(strings.TrimSpace(ls.AttributeSSHPublicKey)) > 0
  308. 

  309. 	attribs := []string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail}
  310. 	if len(strings.TrimSpace(ls.UserUID)) > 0 {
  311. 		attribs = append(attribs, ls.UserUID)
  312. 	}
  313. 	if isAttributeSSHPublicKeySet {
  314. 		attribs = append(attribs, ls.AttributeSSHPublicKey)
  315. 	}
  316. 

  317. 	log.Trace("Fetching attributes '%v', '%v', '%v', '%v', '%v', '%v' with filter '%s' and base '%s'", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, ls.AttributeSSHPublicKey, ls.UserUID, userFilter, userDN)
  318. 	search := ldap.NewSearchRequest(
  319. 		userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,
  320. 		attribs, nil)
  321. 

  322. 	sr, err := l.Search(search)
  323. 	if err != nil {
  324. 		log.Error("LDAP Search failed unexpectedly! (%v)", err)
  325. 		return nil
  326. 	} else if len(sr.Entries) < 1 {
  327. 		if directBind {
  328. 			log.Trace("User filter inhibited user login.")
  329. 		} else {
  330. 			log.Trace("LDAP Search found no matching entries.")
  331. 		}
  332. 

  333. 		return nil
  334. 	}
  335. 

  336. 	var sshPublicKey []string
  337. 

  338. 	username := sr.Entries[0].GetAttributeValue(ls.AttributeUsername)
  339. 	firstname := sr.Entries[0].GetAttributeValue(ls.AttributeName)
  340. 	surname := sr.Entries[0].GetAttributeValue(ls.AttributeSurname)
  341. 	mail := sr.Entries[0].GetAttributeValue(ls.AttributeMail)
  342. 	uid := sr.Entries[0].GetAttributeValue(ls.UserUID)
  343. 

  344. 	// Check group membership

  345. 	if ls.GroupsEnabled {
  346. 		groupFilter, ok := ls.sanitizedGroupFilter(ls.GroupFilter)
  347. 		if !ok {
  348. 			return nil
  349. 		}
  350. 		groupDN, ok := ls.sanitizedGroupDN(ls.GroupDN)
  351. 		if !ok {
  352. 			return nil
  353. 		}
  354. 

  355. 		log.Trace("Fetching groups '%v' with filter '%s' and base '%s'", ls.GroupMemberUID, groupFilter, groupDN)
  356. 		groupSearch := ldap.NewSearchRequest(
  357. 			groupDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, groupFilter,
  358. 			[]string{ls.GroupMemberUID},
  359. 			nil)
  360. 

  361. 		srg, err := l.Search(groupSearch)
  362. 		if err != nil {
  363. 			log.Error("LDAP group search failed: %v", err)
  364. 			return nil
  365. 		} else if len(srg.Entries) < 1 {
  366. 			log.Error("LDAP group search failed: 0 entries")
  367. 			return nil
  368. 		}
  369. 

  370. 		isMember := false
  371. 	Entries:
  372. 		for _, group := range srg.Entries {
  373. 			for _, member := range group.GetAttributeValues(ls.GroupMemberUID) {
  374. 				if (ls.UserUID == "dn" && member == sr.Entries[0].DN) || member == uid {
  375. 					isMember = true
  376. 					break Entries
  377. 				}
  378. 			}
  379. 		}
  380. 

  381. 		if !isMember {
  382. 			log.Error("LDAP group membership test failed")
  383. 			return nil
  384. 		}
  385. 	}
  386. 

  387. 	if isAttributeSSHPublicKeySet {
  388. 		sshPublicKey = sr.Entries[0].GetAttributeValues(ls.AttributeSSHPublicKey)
  389. 	}
  390. 	isAdmin := checkAdmin(l, ls, userDN)
  391. 	var isRestricted bool
  392. 	if !isAdmin {
  393. 		isRestricted = checkRestricted(l, ls, userDN)
  394. 	}
  395. 

  396. 	if !directBind && ls.AttributesInBind {
  397. 		// binds user (checking password) after looking-up attributes in BindDN context

  398. 		err = bindUser(l, userDN, passwd)
  399. 		if err != nil {
  400. 			return nil
  401. 		}
  402. 	}
  403. 

  404. 	return &SearchResult{
  405. 		Username:     username,
  406. 		Name:         firstname,
  407. 		Surname:      surname,
  408. 		Mail:         mail,
  409. 		SSHPublicKey: sshPublicKey,
  410. 		IsAdmin:      isAdmin,
  411. 		IsRestricted: isRestricted,
  412. 	}
  413. }
  414. 

  415. // UsePagedSearch returns if need to use paged search

  416. func (ls *Source) UsePagedSearch() bool {
  417. 	return ls.SearchPageSize > 0
  418. }
  419. 

  420. // SearchEntries : search an LDAP source for all users matching userFilter

  421. func (ls *Source) SearchEntries() ([]*SearchResult, error) {
  422. 	l, err := dial(ls)
  423. 	if err != nil {
  424. 		log.Error("LDAP Connect error, %s:%v", ls.Host, err)
  425. 		ls.Enabled = false
  426. 		return nil, err
  427. 	}
  428. 	defer l.Close()
  429. 

  430. 	if ls.BindDN != "" && ls.BindPassword != "" {
  431. 		err := l.Bind(ls.BindDN, ls.BindPassword)
  432. 		if err != nil {
  433. 			log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
  434. 			return nil, err
  435. 		}
  436. 		log.Trace("Bound as BindDN %s", ls.BindDN)
  437. 	} else {
  438. 		log.Trace("Proceeding with anonymous LDAP search.")
  439. 	}
  440. 

  441. 	userFilter := fmt.Sprintf(ls.Filter, "*")
  442. 

  443. 	var isAttributeSSHPublicKeySet = len(strings.TrimSpace(ls.AttributeSSHPublicKey)) > 0
  444. 

  445. 	attribs := []string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail}
  446. 	if isAttributeSSHPublicKeySet {
  447. 		attribs = append(attribs, ls.AttributeSSHPublicKey)
  448. 	}
  449. 

  450. 	log.Trace("Fetching attributes '%v', '%v', '%v', '%v', '%v' with filter %s and base %s", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, ls.AttributeSSHPublicKey, userFilter, ls.UserBase)
  451. 	search := ldap.NewSearchRequest(
  452. 		ls.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,
  453. 		attribs, nil)
  454. 

  455. 	var sr *ldap.SearchResult
  456. 	if ls.UsePagedSearch() {
  457. 		sr, err = l.SearchWithPaging(search, ls.SearchPageSize)
  458. 	} else {
  459. 		sr, err = l.Search(search)
  460. 	}
  461. 	if err != nil {
  462. 		log.Error("LDAP Search failed unexpectedly! (%v)", err)
  463. 		return nil, err
  464. 	}
  465. 

  466. 	result := make([]*SearchResult, len(sr.Entries))
  467. 

  468. 	for i, v := range sr.Entries {
  469. 		result[i] = &SearchResult{
  470. 			Username: v.GetAttributeValue(ls.AttributeUsername),
  471. 			Name:     v.GetAttributeValue(ls.AttributeName),
  472. 			Surname:  v.GetAttributeValue(ls.AttributeSurname),
  473. 			Mail:     v.GetAttributeValue(ls.AttributeMail),
  474. 			IsAdmin:  checkAdmin(l, ls, v.DN),
  475. 		}
  476. 		if !result[i].IsAdmin {
  477. 			result[i].IsRestricted = checkRestricted(l, ls, v.DN)
  478. 		}
  479. 		if isAttributeSSHPublicKeySet {
  480. 			result[i].SSHPublicKey = v.GetAttributeValues(ls.AttributeSSHPublicKey)
  481. 		}
  482. 	}
  483. 

  484. 	return result, nil
  485. }