package authentication
import (
"fmt"
"strings"
"github.com/go-ldap/ldap/v3"
"github.com/authelia/authelia/v4/internal/configuration/schema"
"github.com/authelia/authelia/v4/internal/utils"
)
// StartupCheck implements the startup check provider interface.
//
// It opens a connection, stores the features advertised by the server's RootDSE
// in p.features, and logs advisories derived from those features and the
// configuration: a missing password-modify extension when password reset is
// enabled, TLS being advertised but not used, and StartTLS being enabled against
// a server that does not advertise TLS. Only connect and feature-detection
// failures are returned as errors; the advisories never fail the check.
func (p *LDAPUserProvider) StartupCheck() (err error) {
	var conn LDAPClient

	if conn, err = p.connect(); err != nil {
		return err
	}

	defer conn.Close()

	if p.features, err = p.getServerSupportedFeatures(conn); err != nil {
		return err
	}

	// Either scheme protects the connection: ldaps:// from the first byte,
	// StartTLS by upgrading a plaintext connection after it is established.
	tlsAdvertised := p.features.Extensions.TLS
	tlsConfigured := p.config.StartTLS || strings.HasPrefix(p.config.URL, "ldaps://")

	// Active Directory is exempt because it uses its own password change path.
	pwdModifyMissing := !p.features.Extensions.PwdModifyExOp
	resetEnabled := !p.disableResetPassword
	notActiveDirectory := p.config.Implementation != schema.LDAPImplementationActiveDirectory

	if pwdModifyMissing && resetEnabled && notActiveDirectory {
		p.log.Warn("Your LDAP server implementation may not support a method for password hashing " +
			"known to Authelia, it's strongly recommended you ensure your directory server hashes the password " +
			"attribute when users reset their password via Authelia.")
	}

	if tlsAdvertised && !tlsConfigured {
		p.log.Error("Your LDAP Server supports TLS but you don't appear to be utilizing it. We strongly " +
			"recommend using the scheme 'ldaps://' or enabling the StartTLS option to secure connections with your " +
			"LDAP Server.")
	}

	if !tlsAdvertised && p.config.StartTLS {
		p.log.Info("Your LDAP Server does not appear to support TLS but you enabled StartTLS which may result " +
			"in an error.")
	}

	return nil
}
// getServerSupportedFeatures performs a base-object search of the RootDSE (the
// empty DN) for the supported control and extension attributes and maps the
// returned OIDs to a LDAPSupportedFeatures value.
//
// Two situations deliberately return a zero-valued features with a nil error:
// a search failure when PermitFeatureDetectionFailure is set, and a response
// that does not contain exactly one entry. In both cases every capability reads
// as unsupported, so the TLS advisories in StartupCheck will not fire and the
// message logged here is the only signal that detection did not work.
func (p *LDAPUserProvider) getServerSupportedFeatures(client LDAPClient) (features LDAPSupportedFeatures, err error) {
	// Size limit 1, no time limit, attribute values included (typesOnly=false).
	search := ldap.NewSearchRequest("", ldap.ScopeBaseObject, ldap.NeverDerefAliases,
		1, 0, false, ldapBaseObjectFilter, []string{ldapSupportedExtensionAttribute, ldapSupportedControlAttribute}, nil)

	var response *ldap.SearchResult

	if response, err = client.Search(search); err != nil {
		if !p.config.PermitFeatureDetectionFailure {
			return features, fmt.Errorf("error occurred during RootDSE search: %w", err)
		}

		p.log.WithError(err).Warnf("Error occurred during RootDSE search. This may result in reduced functionality.")

		return features, nil
	}

	if len(response.Entries) != 1 {
		p.log.Errorf("The LDAP Server did not respond appropriately to a RootDSE search. This may result in reduced functionality.")

		return features, nil
	}

	var controlTypeOIDs, extensionOIDs []string

	controlTypeOIDs, extensionOIDs, features = ldapGetFeatureSupportFromEntry(response.Entries[0])

	// Render an empty OID list as the shared `none` marker for the debug line.
	joinOrNone := func(oids []string) string {
		if len(oids) == 0 {
			return none
		}

		return strings.Join(oids, ", ")
	}

	p.log.Debugf("LDAP Supported OIDs. Control Types: %s. Extensions: %s", joinOrNone(controlTypeOIDs), joinOrNone(extensionOIDs))

	return features, nil
}
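// parseDynamicUsersConfiguration resolves the parts of the users configuration
// that depend on other configuration values. It rewrites p.config.UsersFilter in
// place by substituting the attribute-name placeholders, makes sure every
// attribute the provider reads from a user entry is in p.usersAttributes,
// derives p.usersBaseDN, and records which per-lookup placeholders the filter
// uses so the lookup path does not have to scan the filter each time.
//
// The replacement flags are only ever raised here, never cleared; the trace
// line at the end now reports all four of them rather than only the input
// placeholder, matching parseDynamicGroupsConfiguration.
func (p *LDAPUserProvider) parseDynamicUsersConfiguration() {
	attributePlaceholders := []struct {
		placeholder string
		value       string
	}{
		{"{username_attribute}", p.config.UsernameAttribute},
		{"{mail_attribute}", p.config.MailAttribute},
		{"{display_name_attribute}", p.config.DisplayNameAttribute},
	}

	for _, ap := range attributePlaceholders {
		p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, ap.placeholder, ap.value)
	}

	p.log.Tracef("Dynamically generated users filter is %s", p.config.UsersFilter)

	// Append in the same order as before; a later attribute equal to an earlier
	// one is skipped because the earlier append already put it in the slice.
	for _, attribute := range []string{p.config.UsernameAttribute, p.config.MailAttribute, p.config.DisplayNameAttribute} {
		if !utils.IsStringInSlice(attribute, p.usersAttributes) {
			p.usersAttributes = append(p.usersAttributes, attribute)
		}
	}

	if p.config.AdditionalUsersDN != "" {
		p.usersBaseDN = p.config.AdditionalUsersDN + "," + p.config.BaseDN
	} else {
		p.usersBaseDN = p.config.BaseDN
	}

	p.log.Tracef("Dynamically generated users BaseDN is %s", p.usersBaseDN)

	lookupPlaceholders := []struct {
		placeholder string
		flag        *bool
	}{
		{ldapPlaceholderInput, &p.usersFilterReplacementInput},
		{ldapPlaceholderDateTimeGeneralized, &p.usersFilterReplacementDateTimeGeneralized},
		{ldapPlaceholderDateTimeUnixEpoch, &p.usersFilterReplacementDateTimeUnixEpoch},
		{ldapPlaceholderDateTimeMicrosoftNTTimeEpoch, &p.usersFilterReplacementDateTimeMicrosoftNTTimeEpoch},
	}

	for _, lp := range lookupPlaceholders {
		if strings.Contains(p.config.UsersFilter, lp.placeholder) {
			*lp.flag = true
		}
	}

	p.log.Tracef("Detected user filter replacements that need to be resolved per lookup are: %s=%v, %s=%v, %s=%v, %s=%v",
		ldapPlaceholderInput, p.usersFilterReplacementInput,
		ldapPlaceholderDateTimeGeneralized, p.usersFilterReplacementDateTimeGeneralized,
		ldapPlaceholderDateTimeUnixEpoch, p.usersFilterReplacementDateTimeUnixEpoch,
		ldapPlaceholderDateTimeMicrosoftNTTimeEpoch, p.usersFilterReplacementDateTimeMicrosoftNTTimeEpoch)
}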
// parseDynamicGroupsConfiguration derives the groups search settings that depend
// on other configuration values: the attribute list requested from group
// entries, p.groupsBaseDN, and the flags recording which per-lookup
// placeholders p.config.GroupsFilter uses.
func (p *LDAPUserProvider) parseDynamicGroupsConfiguration() {
	// Only the group name attribute is read from group entries.
	p.groupsAttributes = []string{p.config.GroupNameAttribute}

	switch {
	case p.config.AdditionalGroupsDN != "":
		p.groupsBaseDN = p.config.AdditionalGroupsDN + "," + p.config.BaseDN
	default:
		p.groupsBaseDN = p.config.BaseDN
	}

	p.log.Tracef("Dynamically generated groups BaseDN is %s", p.groupsBaseDN)

	usesPlaceholder := func(placeholder string) bool {
		return strings.Contains(p.config.GroupsFilter, placeholder)
	}

	// The flags are only ever raised here, never cleared.
	if usesPlaceholder(ldapPlaceholderInput) {
		p.groupsFilterReplacementInput = true
	}

	if usesPlaceholder(ldapPlaceholderUsername) {
		p.groupsFilterReplacementUsername = true
	}

	if usesPlaceholder(ldapPlaceholderDistinguishedName) {
		p.groupsFilterReplacementDN = true
	}

	p.log.Tracef("Detected group filter replacements that need to be resolved per lookup are: input=%v, username=%v, dn=%v", p.groupsFilterReplacementInput, p.groupsFilterReplacementUsername, p.groupsFilterReplacementDN)
}