@ -31,6 +31,7 @@ type Source struct {
AttributeName string // First name attribute
AttributeName string // First name attribute
AttributeSurname string // Surname attribute
AttributeSurname string // Surname attribute
AttributeMail string // E-mail attribute
AttributeMail string // E-mail attribute
AttributesInBind bool // fetch attributes in bind context (not user)
Filter string // Query filter to validate entry
Filter string // Query filter to validate entry
AdminFilter string // Query filter to check if user is admin
AdminFilter string // Query filter to check if user is admin
Enabled bool // if this source is disabled
Enabled bool // if this source is disabled
@ -58,18 +59,10 @@ func (ls *Source) sanitizedUserDN(username string) (string, bool) {
return fmt . Sprintf ( ls . UserDN , username ) , true
return fmt . Sprintf ( ls . UserDN , username ) , true
}
}
func ( ls * Source ) FindUserDN ( name string ) ( string , bool ) {
l , err := ldapDial ( ls )
if err != nil {
log . Error ( 4 , "LDAP Connect error, %s:%v" , ls . Host , err )
ls . Enabled = false
return "" , false
}
defer l . Close ( )
func ( ls * Source ) findUserDN ( l * ldap . Conn , name string ) ( string , bool ) {
log . Trace ( "Search for LDAP user: %s" , name )
log . Trace ( "Search for LDAP user: %s" , name )
if ls . BindDN != "" && ls . BindPassword != "" {
if ls . BindDN != "" && ls . BindPassword != "" {
err = l . Bind ( ls . BindDN , ls . BindPassword )
err := l . Bind ( ls . BindDN , ls . BindPassword )
if err != nil {
if err != nil {
log . Debug ( "Failed to bind as BindDN[%s]: %v" , ls . BindDN , err )
log . Debug ( "Failed to bind as BindDN[%s]: %v" , ls . BindDN , err )
return "" , false
return "" , false
@ -85,7 +78,7 @@ func (ls *Source) FindUserDN(name string) (string, bool) {
return "" , false
return "" , false
}
}
log . Trace ( "Searching using filter %s" , userFilter )
log . Trace ( "Searching for DN using filter %s and base %s" , userFilter , ls . UserBase )
search := ldap . NewSearchRequest (
search := ldap . NewSearchRequest (
ls . UserBase , ldap . ScopeWholeSubtree , ldap . NeverDerefAliases , 0 , 0 ,
ls . UserBase , ldap . ScopeWholeSubtree , ldap . NeverDerefAliases , 0 , 0 ,
false , userFilter , [ ] string { } , nil )
false , userFilter , [ ] string { } , nil )
@ -111,6 +104,14 @@ func (ls *Source) FindUserDN(name string) (string, bool) {
// searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
// searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
func ( ls * Source ) SearchEntry ( name , passwd string , directBind bool ) ( string , string , string , string , bool , bool ) {
func ( ls * Source ) SearchEntry ( name , passwd string , directBind bool ) ( string , string , string , string , bool , bool ) {
l , err := ldapDial ( ls )
if err != nil {
log . Error ( 4 , "LDAP Connect error, %s:%v" , ls . Host , err )
ls . Enabled = false
return "" , "" , "" , "" , false , false
}
defer l . Close ( )
var userDN string
var userDN string
if directBind {
if directBind {
log . Trace ( "LDAP will bind directly via UserDN template: %s" , ls . UserDN )
log . Trace ( "LDAP will bind directly via UserDN template: %s" , ls . UserDN )
@ -124,33 +125,26 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
log . Trace ( "LDAP will use BindDN." )
log . Trace ( "LDAP will use BindDN." )
var found bool
var found bool
userDN , found = ls . FindUserDN ( name )
userDN , found = ls . findUserDN ( l , name )
if ! found {
if ! found {
return "" , "" , "" , "" , false , false
return "" , "" , "" , "" , false , false
}
}
}
}
l , err := ldapDial ( ls )
if err != nil {
log . Error ( 4 , "LDAP Connect error (%s): %v" , ls . Host , err )
ls . Enabled = false
return "" , "" , "" , "" , false , false
}
defer l . Close ( )
log . Trace ( "Binding with userDN: %s" , userDN )
err = l . Bind ( userDN , passwd )
if err != nil {
log . Debug ( "LDAP auth. failed for %s, reason: %v" , userDN , err )
return "" , "" , "" , "" , false , false
if directBind || ! ls . AttributesInBind {
// binds user (checking password) before looking-up attributes in user context
err = bindUser ( l , userDN , passwd )
if err != nil {
return "" , "" , "" , "" , false , false
}
}
}
log . Trace ( "Bound successfully with userDN: %s" , userDN )
userFilter , ok := ls . sanitizedUserQuery ( name )
userFilter , ok := ls . sanitizedUserQuery ( name )
if ! ok {
if ! ok {
return "" , "" , "" , "" , false , false
return "" , "" , "" , "" , false , false
}
}
log . Trace ( "Fetching attributes '%v', '%v', '%v', '%v' with filter %s and base %s" , ls . AttributeUsername , ls . AttributeName , ls . AttributeSurname , ls . AttributeMail , userFilter , userDN )
search := ldap . NewSearchRequest (
search := ldap . NewSearchRequest (
userDN , ldap . ScopeWholeSubtree , ldap . NeverDerefAliases , 0 , 0 , false , userFilter ,
userDN , ldap . ScopeWholeSubtree , ldap . NeverDerefAliases , 0 , 0 , false , userFilter ,
[ ] string { ls . AttributeUsername , ls . AttributeName , ls . AttributeSurname , ls . AttributeMail } ,
[ ] string { ls . AttributeUsername , ls . AttributeName , ls . AttributeSurname , ls . AttributeMail } ,
@ -177,6 +171,7 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
admin_attr := false
admin_attr := false
if len ( ls . AdminFilter ) > 0 {
if len ( ls . AdminFilter ) > 0 {
log . Trace ( "Checking admin with filter %s and base %s" , ls . AdminFilter , userDN )
search = ldap . NewSearchRequest (
search = ldap . NewSearchRequest (
userDN , ldap . ScopeWholeSubtree , ldap . NeverDerefAliases , 0 , 0 , false , ls . AdminFilter ,
userDN , ldap . ScopeWholeSubtree , ldap . NeverDerefAliases , 0 , 0 , false , ls . AdminFilter ,
[ ] string { ls . AttributeName } ,
[ ] string { ls . AttributeName } ,
@ -192,9 +187,28 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
}
}
}
}
if ! directBind && ls . AttributesInBind {
// binds user (checking password) after looking-up attributes in BindDN context
err = bindUser ( l , userDN , passwd )
if err != nil {
return "" , "" , "" , "" , false , false
}
}
return username_attr , name_attr , sn_attr , mail_attr , admin_attr , true
return username_attr , name_attr , sn_attr , mail_attr , admin_attr , true
}
}
func bindUser ( l * ldap . Conn , userDN , passwd string ) error {
log . Trace ( "Binding with userDN: %s" , userDN )
err := l . Bind ( userDN , passwd )
if err != nil {
log . Debug ( "LDAP auth. failed for %s, reason: %v" , userDN , err )
return err
}
log . Trace ( "Bound successfully with userDN: %s" , userDN )
return err
}
func ldapDial ( ls * Source ) ( * ldap . Conn , error ) {
func ldapDial ( ls * Source ) ( * ldap . Conn , error ) {
if ls . UseSSL {
if ls . UseSSL {
log . Debug ( "Using TLS for LDAP without verifying: %v" , ls . SkipVerify )
log . Debug ( "Using TLS for LDAP without verifying: %v" , ls . SkipVerify )