LDAP connection code
* Code that connects to LDAP servers and send queries * Helper functions to fetch CA certificates or EE certificates
This commit is contained in:
parent
f971c1e961
commit
0e642c85a6
2 changed files with 212 additions and 0 deletions
4
go.mod
4
go.mod
|
@ -5,12 +5,16 @@ go 1.17
|
|||
require (
|
||||
github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d
|
||||
github.com/gemnasium/logrus-graylog-hook/v3 v3.0.3
|
||||
github.com/go-ldap/ldap/v3 v3.4.1
|
||||
github.com/karrick/golf v1.4.0
|
||||
github.com/sirupsen/logrus v1.8.1
|
||||
gopkg.in/yaml.v2 v2.4.0
|
||||
)
|
||||
|
||||
require (
|
||||
github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c // indirect
|
||||
github.com/go-asn1-ber/asn1-ber v1.5.1 // indirect
|
||||
github.com/pkg/errors v0.8.1 // indirect
|
||||
golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9 // indirect
|
||||
golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 // indirect
|
||||
)
|
||||
|
|
208
ldap.go
Normal file
208
ldap.go
Normal file
|
@ -0,0 +1,208 @@
|
|||
package main
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
|
||||
ldap "github.com/go-ldap/ldap/v3"
|
||||
"github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
type (
|
||||
// LDAP connection encapsulation. This includes the connection itself, as well as a logger
|
||||
// that includes fields related to the LDAP server and a copy of the initial configuration.
|
||||
tLdapConn struct {
|
||||
Config tLdapConfig
|
||||
conn *ldap.Conn
|
||||
log *logrus.Entry
|
||||
server int
|
||||
counter uint
|
||||
}
|
||||
|
||||
// LDAP group members
|
||||
ldapGroupMembers map[string][]string
|
||||
)
|
||||
|
||||
// Try to establish a connection to one of the servers
|
||||
func getLdapConnection(cfg tLdapConfig) *tLdapConn {
|
||||
for i := range cfg.Servers {
|
||||
conn := getLdapServerConnection(cfg, i)
|
||||
if conn != nil {
|
||||
return conn
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// Establish a connection to a LDAP server
|
||||
func getLdapServerConnection(cfg tLdapConfig, server int) *tLdapConn {
|
||||
if server < 0 || server >= len(cfg.Servers) {
|
||||
logrus.Panic("Invalid server index %d", server)
|
||||
}
|
||||
|
||||
scfg := cfg.Servers[server]
|
||||
dest := fmt.Sprintf("%s:%d", scfg.Host, scfg.Port)
|
||||
log := log.WithFields(logrus.Fields{
|
||||
"ldap_server": dest,
|
||||
"ldap_tls": scfg.TLS,
|
||||
})
|
||||
log.Trace("Establishing LDAP connection")
|
||||
|
||||
tlsConfig := &tls.Config{
|
||||
InsecureSkipVerify: scfg.TLSNoVerify,
|
||||
}
|
||||
if scfg.TLS != "no" && scfg.CaChain != "" {
|
||||
log := log.WithField("cachain", scfg.CaChain)
|
||||
data, err := ioutil.ReadFile(scfg.CaChain)
|
||||
if err != nil {
|
||||
log.WithField("error", err).Error("Failed to read CA certificate chain")
|
||||
return nil
|
||||
}
|
||||
pool := x509.NewCertPool()
|
||||
if !pool.AppendCertsFromPEM(data) {
|
||||
log.Error("Could not add CA certificates")
|
||||
return nil
|
||||
}
|
||||
tlsConfig.RootCAs = pool
|
||||
}
|
||||
|
||||
var err error
|
||||
var lc *ldap.Conn
|
||||
if scfg.TLS == "yes" {
|
||||
lc, err = ldap.DialTLS("tcp", dest, tlsConfig)
|
||||
} else {
|
||||
lc, err = ldap.Dial("tcp", dest)
|
||||
}
|
||||
if err != nil {
|
||||
log.WithField("error", err).Error("Failed to connect to the LDAP server")
|
||||
return nil
|
||||
}
|
||||
|
||||
if scfg.TLS == "starttls" {
|
||||
err = lc.StartTLS(tlsConfig)
|
||||
if err != nil {
|
||||
lc.Close()
|
||||
log.WithField("error", err).Error("StartTLS failed")
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
if scfg.BindUser != "" {
|
||||
log = log.WithField("ldap_user", scfg.BindUser)
|
||||
err := lc.Bind(scfg.BindUser, scfg.BindPassword)
|
||||
if err != nil {
|
||||
lc.Close()
|
||||
log.WithField("error", err).Error("Could not bind")
|
||||
return nil
|
||||
}
|
||||
}
|
||||
log.Debug("LDAP connection established")
|
||||
return &tLdapConn{
|
||||
Config: cfg,
|
||||
conn: lc,
|
||||
log: log,
|
||||
server: server,
|
||||
}
|
||||
}
|
||||
|
||||
// Run a LDAP query to obtain a single object.
|
||||
func (conn *tLdapConn) getObject(dn string, attrs []string) (bool, *ldap.Entry) {
|
||||
log := conn.log.WithFields(logrus.Fields{
|
||||
"dn": dn,
|
||||
"attributes": attrs,
|
||||
})
|
||||
log.Trace("Accessing DN")
|
||||
conn.counter++
|
||||
req := ldap.NewSearchRequest(
|
||||
dn,
|
||||
ldap.ScopeBaseObject, ldap.NeverDerefAliases, 1, 0, false,
|
||||
"(objectClass=*)", attrs, nil)
|
||||
res, err := conn.conn.Search(req)
|
||||
if err != nil {
|
||||
log := log.WithField("error", err)
|
||||
ldapError, ok := err.(*ldap.Error)
|
||||
if ok {
|
||||
log = log.WithFields(logrus.Fields{
|
||||
"ldap_result": ldapError.ResultCode,
|
||||
"ldap_message": ldapError.Error(),
|
||||
})
|
||||
}
|
||||
log.Error("LDAP query failed")
|
||||
return false, nil
|
||||
}
|
||||
if len(res.Entries) > 1 {
|
||||
log.WithField("results", len(res.Entries)).
|
||||
Warning("LDAP search returned more than 1 record")
|
||||
return false, nil
|
||||
}
|
||||
log.Trace("Obtained LDAP object")
|
||||
return true, res.Entries[0]
|
||||
}
|
||||
|
||||
// Close a LDAP connection
|
||||
func (conn *tLdapConn) close() {
|
||||
conn.log.WithField("queries", conn.counter).Debug("Closing LDAP connection")
|
||||
conn.conn.Close()
|
||||
}
|
||||
|
||||
// Get an end entity's certificate from the LDAP
|
||||
func (conn *tLdapConn) getEndEntityCertificate(dn string) ([]byte, error) {
|
||||
eec := conn.Config.Structure.EndEntityCertificate
|
||||
success, entry := conn.getObject(dn, []string{eec})
|
||||
if !success {
|
||||
return nil, fmt.Errorf("Could not read certificate from '%s'", dn)
|
||||
}
|
||||
values := entry.GetRawAttributeValues(eec)
|
||||
nFound := len(values)
|
||||
if nFound != 1 {
|
||||
return nil, fmt.Errorf("DN %s - one value expected for %s, %d values found", dn, eec, nFound)
|
||||
}
|
||||
_, err := x509.ParseCertificate(values[0])
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("DN %s - invalid certificate in attribute %s : %w", dn, eec, err)
|
||||
}
|
||||
return values[0], nil
|
||||
}
|
||||
|
||||
// Get a CA certificate, as well as the value of the chaining field, from
|
||||
// the LDAP.
|
||||
func (conn *tLdapConn) getCaCertificate(dn string) ([]byte, string, error) {
|
||||
cc := conn.Config.Structure.CACertificate
|
||||
chain := conn.Config.Structure.CAChaining
|
||||
attrs := []string{cc}
|
||||
if chain != "" {
|
||||
attrs = append(attrs, chain)
|
||||
}
|
||||
|
||||
success, entry := conn.getObject(dn, attrs)
|
||||
if !success {
|
||||
return nil, "", fmt.Errorf("Could not read certificate from '%s'", dn)
|
||||
}
|
||||
|
||||
var ca_cert []byte = nil
|
||||
var chain_dn string = ""
|
||||
|
||||
values := entry.GetRawAttributeValues(cc)
|
||||
nFound := len(values)
|
||||
if nFound > 1 {
|
||||
return ca_cert, chain_dn, fmt.Errorf("DN %s - one value expected for %s, %d values found", dn, cc, nFound)
|
||||
} else if nFound == 1 {
|
||||
ca_cert = values[0]
|
||||
_, err := x509.ParseCertificate(ca_cert)
|
||||
if err != nil {
|
||||
return nil, "", fmt.Errorf("DN %s - invalid certificate in attribute %s : %w", dn, cc, err)
|
||||
}
|
||||
}
|
||||
|
||||
chval := entry.GetAttributeValues(chain)
|
||||
nFound = len(chval)
|
||||
if nFound > 1 {
|
||||
return ca_cert, chain_dn, fmt.Errorf("DN %s - one value expected for %s, %d values found", dn, chain, nFound)
|
||||
} else if nFound == 1 {
|
||||
chain_dn = chval[0]
|
||||
}
|
||||
|
||||
return ca_cert, chain_dn, nil
|
||||
}
|
Loading…
Reference in a new issue