authelia/internal/authentication/ldap_user_provider_startup.go

package authentication

import (
	"strings"

	"github.com/go-ldap/ldap/v3"

	"github.com/authelia/authelia/v4/internal/configuration/schema"
)

// StartupCheck implements the startup check provider interface.
func (p *LDAPUserProvider) StartupCheck() (err error) {
	var (
		conn         LDAPConnection
		searchResult *ldap.SearchResult
	)

	if conn, err = p.connect(); err != nil {
		return err
	}

	defer conn.Close()

	searchRequest := ldap.NewSearchRequest("", ldap.ScopeBaseObject, ldap.NeverDerefAliases,
		1, 0, false, "(objectClass=*)", []string{ldapSupportedExtensionAttribute}, nil)

	if searchResult, err = conn.Search(searchRequest); err != nil {
		return err
	}

	if len(searchResult.Entries) != 1 {
		return nil
	}

	// Iterate the attribute values to see what the server supports.
	for _, attr := range searchResult.Entries[0].Attributes {
		if attr.Name == ldapSupportedExtensionAttribute {
			p.log.Tracef("LDAP Supported Extension OIDs: %s", strings.Join(attr.Values, ", "))

			for _, oid := range attr.Values {
				if oid == ldapOIDPasswdModifyExtension {
					p.supportExtensionPasswdModify = true
					break
				}
			}
		}
	}

	if !p.supportExtensionPasswdModify && !p.disableResetPassword &&
		p.config.Implementation != schema.LDAPImplementationActiveDirectory {
		p.log.Warn("Your LDAP server implementation may not support a method for password hashing " +
			"known to Authelia, it's strongly recommended you ensure your directory server hashes the password " +
			"attribute when users reset their password via Authelia.")
	}

	return nil
}

func (p *LDAPUserProvider) parseDynamicUsersConfiguration() {
	p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, "{username_attribute}", p.config.UsernameAttribute)
	p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, "{mail_attribute}", p.config.MailAttribute)
	p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, "{display_name_attribute}", p.config.DisplayNameAttribute)

	p.log.Tracef("Dynamically generated users filter is %s", p.config.UsersFilter)

	p.usersAttributes = []string{
		p.config.DisplayNameAttribute,
		p.config.MailAttribute,
		p.config.UsernameAttribute,
	}

	if p.config.AdditionalUsersDN != "" {
		p.usersBaseDN = p.config.AdditionalUsersDN + "," + p.config.BaseDN
	} else {
		p.usersBaseDN = p.config.BaseDN
	}

	p.log.Tracef("Dynamically generated users BaseDN is %s", p.usersBaseDN)

	if strings.Contains(p.config.UsersFilter, ldapPlaceholderInput) {
		p.usersFilterReplacementInput = true
	}

	p.log.Tracef("Detected user filter replacements that need to be resolved per lookup are: %s=%v",
		ldapPlaceholderInput, p.usersFilterReplacementInput)
}

func (p *LDAPUserProvider) parseDynamicGroupsConfiguration() {
	p.groupsAttributes = []string{
		p.config.GroupNameAttribute,
	}

	if p.config.AdditionalGroupsDN != "" {
		p.groupsBaseDN = ldap.EscapeFilter(p.config.AdditionalGroupsDN + "," + p.config.BaseDN)
	} else {
		p.groupsBaseDN = p.config.BaseDN
	}

	p.log.Tracef("Dynamically generated groups BaseDN is %s", p.groupsBaseDN)

	if strings.Contains(p.config.GroupsFilter, ldapPlaceholderInput) {
		p.groupsFilterReplacementInput = true
	}

	if strings.Contains(p.config.GroupsFilter, ldapPlaceholderUsername) {
		p.groupsFilterReplacementUsername = true
	}

	if strings.Contains(p.config.GroupsFilter, ldapPlaceholderDistinguishedName) {
		p.groupsFilterReplacementDN = true
	}

	p.log.Tracef("Detected group filter replacements that need to be resolved per lookup are: input=%v, username=%v, dn=%v", p.groupsFilterReplacementInput, p.groupsFilterReplacementUsername, p.groupsFilterReplacementDN)
}
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00			`package authentication`

			`import (`
			`"strings"`

			`"github.com/go-ldap/ldap/v3"`
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues 2021-09-17 09:53:59 +00:00
			`"github.com/authelia/authelia/v4/internal/configuration/schema"`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00			`)`

refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues 2021-09-17 09:53:59 +00:00			`// StartupCheck implements the startup check provider interface.`
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00			`func (p *LDAPUserProvider) StartupCheck() (err error) {`
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`var (`
			`conn LDAPConnection`
			`searchResult *ldap.SearchResult`
			`)`

			`if conn, err = p.connect(); err != nil {`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00			`return err`
			`}`

			`defer conn.Close()`

			`searchRequest := ldap.NewSearchRequest("", ldap.ScopeBaseObject, ldap.NeverDerefAliases,`
			`1, 0, false, "(objectClass=*)", []string{ldapSupportedExtensionAttribute}, nil)`

fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`if searchResult, err = conn.Search(searchRequest); err != nil {`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00			`return err`
			`}`

fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`if len(searchResult.Entries) != 1 {`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00			`return nil`
			`}`

			`// Iterate the attribute values to see what the server supports.`
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`for _, attr := range searchResult.Entries[0].Attributes {`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00			`if attr.Name == ldapSupportedExtensionAttribute {`
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00			`p.log.Tracef("LDAP Supported Extension OIDs: %s", strings.Join(attr.Values, ", "))`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00
			`for _, oid := range attr.Values {`
			`if oid == ldapOIDPasswdModifyExtension {`
			`p.supportExtensionPasswdModify = true`
			`break`
			`}`
			`}`
			`}`
			`}`

refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues 2021-09-17 09:53:59 +00:00			`if !p.supportExtensionPasswdModify && !p.disableResetPassword &&`
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`p.config.Implementation != schema.LDAPImplementationActiveDirectory {`
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00			`p.log.Warn("Your LDAP server implementation may not support a method for password hashing " +`
refactor: factorize startup checks (#2386) * refactor: factorize startup checks * refactor: address linting issues 2021-09-17 09:53:59 +00:00			`"known to Authelia, it's strongly recommended you ensure your directory server hashes the password " +`
			`"attribute when users reset their password via Authelia.")`
			`}`

perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00			`return nil`
			`}`

			`func (p *LDAPUserProvider) parseDynamicUsersConfiguration() {`
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, "{username_attribute}", p.config.UsernameAttribute)`
			`p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, "{mail_attribute}", p.config.MailAttribute)`
			`p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, "{display_name_attribute}", p.config.DisplayNameAttribute)`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`p.log.Tracef("Dynamically generated users filter is %s", p.config.UsersFilter)`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00
			`p.usersAttributes = []string{`
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`p.config.DisplayNameAttribute,`
			`p.config.MailAttribute,`
			`p.config.UsernameAttribute,`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00			`}`

fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`if p.config.AdditionalUsersDN != "" {`
			`p.usersBaseDN = p.config.AdditionalUsersDN + "," + p.config.BaseDN`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00			`} else {`
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`p.usersBaseDN = p.config.BaseDN`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00			`}`

feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00			`p.log.Tracef("Dynamically generated users BaseDN is %s", p.usersBaseDN)`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`if strings.Contains(p.config.UsersFilter, ldapPlaceholderInput) {`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00			`p.usersFilterReplacementInput = true`
			`}`

feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00			`p.log.Tracef("Detected user filter replacements that need to be resolved per lookup are: %s=%v",`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00			`ldapPlaceholderInput, p.usersFilterReplacementInput)`
			`}`

			`func (p *LDAPUserProvider) parseDynamicGroupsConfiguration() {`
			`p.groupsAttributes = []string{`
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`p.config.GroupNameAttribute,`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00			`}`

fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`if p.config.AdditionalGroupsDN != "" {`
			`p.groupsBaseDN = ldap.EscapeFilter(p.config.AdditionalGroupsDN + "," + p.config.BaseDN)`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00			`} else {`
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`p.groupsBaseDN = p.config.BaseDN`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00			`}`

feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00			`p.log.Tracef("Dynamically generated groups BaseDN is %s", p.groupsBaseDN)`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`if strings.Contains(p.config.GroupsFilter, ldapPlaceholderInput) {`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00			`p.groupsFilterReplacementInput = true`
			`}`

fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`if strings.Contains(p.config.GroupsFilter, ldapPlaceholderUsername) {`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00			`p.groupsFilterReplacementUsername = true`
			`}`

fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`if strings.Contains(p.config.GroupsFilter, ldapPlaceholderDistinguishedName) {`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00			`p.groupsFilterReplacementDN = true`
			`}`

feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00			`p.log.Tracef("Detected group filter replacements that need to be resolved per lookup are: input=%v, username=%v, dn=%v", p.groupsFilterReplacementInput, p.groupsFilterReplacementUsername, p.groupsFilterReplacementDN)`
perf(authentication): improve ldap dynamic replacement performance (#2239) This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements. 2021-08-05 04:17:07 +00:00			`}`