package main
import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io/ioutil"
	"strings"

	"github.com/go-ldap/ldap"
	"github.com/sirupsen/logrus"
)
type (
	// ldapConn encapsulates an LDAP connection: the connection itself, a logger
	// carrying fields that describe the LDAP server, and a copy of the
	// configuration the connection was established with.
	ldapConn struct {
		conn *ldap.Conn
		// Logger pre-populated with the server address and TLS mode (plus the
		// bind user once one has been bound).
		log *logrus.Entry
		// Copy of the LDAP configuration. NOTE(review): this holds the bind
		// credentials (BindUser/BindPassword), so an ldapConn value must never
		// be dumped or logged wholesale.
		cfg ldapConfig
		// Cache of group member value -> resolved username, filled by
		// getUsername so the same member seen in several groups is resolved once.
		usernames map[string]string
		// Number of search requests issued through query(); reported on close.
		counter uint
	}

	// ldapGroupMembers maps a group DN to the usernames of its members.
	ldapGroupMembers map[string][]string
)
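// getLdapConnection establishes a connection to the LDAP server described by
// cfg and, when a bind user is configured, performs a simple bind with it.
//
// cfg.TLS selects the transport: "no" (plaintext), "starttls" (plaintext
// connection upgraded with StartTLS) or "yes" (LDAPS). Any other value is
// rejected instead of silently falling back to plaintext, which is what the
// previous "anything but yes is plaintext" dial logic did. cfg.CaChain, when
// set and TLS is in use, names a PEM file whose certificates replace the
// system roots for server verification. cfg.TLSNoVerify disables server
// certificate verification entirely (MITM-prone; test setups only).
//
// Every failure is fatal: the process exits through the logger.
func getLdapConnection(cfg ldapConfig) *ldapConn {
	dest := fmt.Sprintf("%s:%d", cfg.Host, cfg.Port)
	log := log.WithFields(logrus.Fields{
		"ldap_server": dest,
		"ldap_tls":    cfg.TLS,
	})
	log.Trace("Establishing LDAP connection")

	// Fail closed on an unknown TLS mode: a typo in the configuration must not
	// end up sending the bind password over a plaintext connection.
	switch cfg.TLS {
	case "no", "starttls", "yes":
	default:
		log.Fatal("Invalid LDAP TLS mode (expected \"no\", \"starttls\" or \"yes\")")
	}

	tlsConfig := &tls.Config{
		// ServerName is what the server certificate is verified against.
		// tls.Dial derives it from the dial address, but StartTLS appears to
		// hand the config to tls.Client as-is, and crypto/tls refuses an empty
		// ServerName unless verification is disabled. Setting it explicitly
		// makes both paths verify against the configured host.
		ServerName:         cfg.Host,
		InsecureSkipVerify: cfg.TLSNoVerify,
	}
	if cfg.TLSNoVerify && cfg.TLS != "no" {
		log.Warning("LDAP server certificate verification is disabled")
	}
	if cfg.TLS != "no" && cfg.CaChain != "" {
		log := log.WithField("cachain", cfg.CaChain)
		data, err := ioutil.ReadFile(cfg.CaChain)
		if err != nil {
			log.WithField("error", err).Fatal("Failed to read CA certificate chain")
		}
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(data) {
			log.Fatal("Could not add CA certificates")
		}
		// The custom pool replaces (does not extend) the system roots.
		tlsConfig.RootCAs = pool
	}

	var (
		lc  *ldap.Conn
		err error
	)
	if cfg.TLS == "yes" {
		lc, err = ldap.DialTLS("tcp", dest, tlsConfig)
	} else {
		lc, err = ldap.Dial("tcp", dest)
	}
	if err != nil {
		log.WithField("error", err).Fatal("Failed to connect to the LDAP server")
	}

	if cfg.TLS == "starttls" {
		if err = lc.StartTLS(tlsConfig); err != nil {
			lc.Close()
			log.WithField("error", err).Fatal("StartTLS failed")
		}
	}

	if cfg.BindUser != "" {
		log = log.WithField("ldap_user", cfg.BindUser)
		if cfg.TLS == "no" {
			// Simple bind transmits the password in clear on this transport.
			log.Warning("Binding over a plaintext LDAP connection")
		}
		// Only the bind user is logged; the password never reaches the log.
		if err = lc.Bind(cfg.BindUser, cfg.BindPassword); err != nil {
			lc.Close()
			log.WithField("error", err).Fatal("Could not bind")
		}
	}

	log.Debug("LDAP connection established")
	return &ldapConn{
		conn:      lc,
		log:       log,
		cfg:       cfg,
		usernames: make(map[string]string),
	}
}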
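// query runs a base-object search on dn and returns the single matching
// entry, restricted to the attributes listed in attrs.
//
// dn is used only as the search base; the filter is the constant
// "(objectClass=*)", so values read back from the directory (group member
// DNs) cannot alter the filter. The result is (true, entry) on success.
// NoSuchObject yields (false, nil); so does a successful search with no
// entry, which a server can return when the bound user is not allowed to read
// the object (the previous code indexed Entries[0] there and panicked); and so
// does, defensively, more than one entry. Any other error is fatal.
func (conn *ldapConn) query(dn string, attrs []string) (bool, *ldap.Entry) {
	log := conn.log.WithFields(logrus.Fields{
		"dn":         dn,
		"attributes": attrs,
	})
	log.Trace("Accessing DN")
	conn.counter++

	req := ldap.NewSearchRequest(
		dn,
		// base scope, never deref aliases, size limit 1, no time limit,
		// attributes with values
		ldap.ScopeBaseObject, ldap.NeverDerefAliases, 1, 0, false,
		"(objectClass=*)", attrs, nil)
	res, err := conn.conn.Search(req)
	if err != nil {
		var ldapErr *ldap.Error
		if errors.As(err, &ldapErr) && ldapErr.ResultCode == ldap.LDAPResultNoSuchObject {
			log.Trace("DN not found")
			return false, nil
		}
		log.WithField("error", err).Fatal("LDAP query failed")
	}

	n := len(res.Entries)
	if n == 0 {
		log.Trace("DN returned no entry")
		return false, nil
	}
	if n > 1 {
		log.WithField("results", n).
			Warning("LDAP search returned more than 1 record")
		return false, nil
	}
	log.Trace("Obtained LDAP object")
	return true, res.Entries[0]
}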
// close shuts the underlying LDAP connection down, reporting how many search
// requests were issued through it.
func (conn *ldapConn) close() {
	entry := conn.log.WithField("queries", conn.counter)
	entry.Debug("Closing LDAP connection")
	conn.conn.Close()
}
// readUsername resolves dn to a username by reading the configured
// UsernameAttr from the entry at that DN. It fails with (false, "") when the
// DN cannot be fetched or the attribute does not carry exactly one value.
func (conn *ldapConn) readUsername(dn string) (bool, string) {
	attr := conn.cfg.UsernameAttr
	log := conn.log.WithField("dn", dn)
	log.Debug("LDAP username lookup")

	found, entry := conn.query(dn, []string{attr})
	if !found {
		return false, ""
	}

	// Exactly one value is required: none means the account carries no
	// username, several would make the mapping ambiguous.
	vals := entry.GetAttributeValues(attr)
	if n := len(vals); n != 1 {
		log.WithField("count", n).Warning("Attribute does not have 1 value exactly.")
		return false, ""
	}

	username := vals[0]
	log.WithField("username", username).Trace("Mapped DN to username")
	return true, username
}
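// usernameFromMember extracts a username from a group member value, which is
// either a bare username (memberUid style, no '=') or a DN (member /
// uniqueMember style).
//
// A bare value is returned as-is. A DN is resolved through readUsername when
// UsernameAttr is configured; otherwise the value of the first attribute of
// its first RDN is used. That value is obtained with ldap.ParseDN, which
// unescapes RDN values such as `cn=Doe\, John,ou=...` correctly (a naive split
// on the first '=' and ',' yields `Doe\`, i.e. a wrong account name). When the
// value is not a parseable DN the naive split is kept as a fallback, so inputs
// that resolved before still resolve the same way.
func (conn *ldapConn) usernameFromMember(member string) (bool, string) {
	eqPos := strings.Index(member, "=")
	if eqPos == -1 {
		// Not a DN: the value is the username itself.
		return true, member
	}
	if conn.cfg.UsernameAttr != "" {
		return conn.readUsername(member)
	}

	if dn, err := ldap.ParseDN(member); err == nil &&
		len(dn.RDNs) > 0 && len(dn.RDNs[0].Attributes) > 0 {
		// NOTE: for a multi-valued RDN ("cn=a+uid=b,...") this yields "a",
		// where the fallback below would yield "a+uid=b".
		return true, dn.RDNs[0].Attributes[0].Value
	}

	// Fallback: the text between the first '=' and the first ','.
	commaPos := strings.Index(member, ",")
	if commaPos == -1 {
		return true, member[eqPos+1:]
	}
	if eqPos > commaPos {
		conn.log.WithField("member", member).Warning("Couldn't extract user name")
		return false, ""
	}
	return true, member[eqPos+1 : commaPos]
}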
// getUsername returns the username for a group member value, consulting the
// per-connection cache first and storing every successful resolution in it.
func (conn *ldapConn) getUsername(member string) (bool, string) {
	if cached, hit := conn.usernames[member]; hit {
		return true, cached
	}
	resolved, name := conn.usernameFromMember(member)
	if !resolved {
		return false, name
	}
	conn.usernames[member] = name
	return true, name
}
// getGroupMembers reads the members of the group at DN group (taken from the
// configuration, not from directory data) and maps each to a username.
// conn.cfg.MemberFields is tried in order and the first attribute carrying any
// value wins; the remaining ones are ignored. Members whose username cannot be
// resolved are skipped. A group that cannot be read yields a nil slice.
func (conn *ldapConn) getGroupMembers(group string) (members []string) {
	log := conn.log.WithField("group", group)
	log.Trace("Obtaining group members")

	found, entry := conn.query(group, conn.cfg.MemberFields)
	if !found {
		return nil
	}

	for _, attr := range conn.cfg.MemberFields {
		values := entry.GetAttributeValues(attr)
		if len(values) == 0 {
			continue
		}
		for _, raw := range values {
			if resolved, name := conn.getUsername(raw); resolved {
				members = append(members, name)
			}
		}
		// First populated attribute wins.
		break
	}

	log.WithField("members", members).Info("Obtained group members")
	return members
}
// readLdapGroups opens one LDAP connection and resolves the member list of
// every group named as a key of cfg.Mapping. The connection is closed before
// returning.
func readLdapGroups(cfg configuration) ldapGroupMembers {
	conn := getLdapConnection(cfg.LDAP)
	defer conn.close()

	result := make(ldapGroupMembers, len(cfg.Mapping))
	for groupDN := range cfg.Mapping {
		result[groupDN] = conn.getGroupMembers(groupDN)
	}
	return result
}