Add support for LDAP over TLS.
parent
336276be98
commit
e21da43fd6
|
@ -54,9 +54,10 @@ authentication_backend:
|
||||||
# than one instance and therefore is recommended for
|
# than one instance and therefore is recommended for
|
||||||
# production.
|
# production.
|
||||||
ldap:
|
ldap:
|
||||||
# The url of the ldap server
|
# The url to the ldap server. Scheme can be ldap:// or ldaps://
|
||||||
url: ldap://127.0.0.1
|
url: ldap://127.0.0.1
|
||||||
|
# Skip verifying the server certificate (to allow self-signed certificate).
|
||||||
|
skip_verify: false
|
||||||
# The base dn for every entries
|
# The base dn for every entries
|
||||||
base_dn: dc=example,dc=com
|
base_dn: dc=example,dc=com
|
||||||
|
|
||||||
|
|
|
@ -1,20 +1,20 @@
|
||||||
version: '3'
|
version: "3"
|
||||||
services:
|
services:
|
||||||
openldap:
|
openldap:
|
||||||
image: clems4ever/openldap
|
image: osixia/openldap:1.3.0
|
||||||
|
hostname: ldap.example.com
|
||||||
environment:
|
environment:
|
||||||
- SLAPD_ORGANISATION=MyCompany
|
- LDAP_ORGANISATION=MyCompany
|
||||||
- SLAPD_DOMAIN=example.com
|
- LDAP_DOMAIN=example.com
|
||||||
- SLAPD_PASSWORD=password
|
- LDAP_ADMIN_PASSWORD=password
|
||||||
- SLAPD_CONFIG_PASSWORD=password
|
- LDAP_CONFIG_PASSWORD=password
|
||||||
- SLAPD_ADDITIONAL_MODULES=memberof
|
- LDAP_ADDITIONAL_MODULES=memberof
|
||||||
- SLAPD_ADDITIONAL_SCHEMAS=openldap
|
- LDAP_ADDITIONAL_SCHEMAS=openldap
|
||||||
- SLAPD_FORCE_RECONFIGURE=true
|
- LDAP_FORCE_RECONFIGURE=true
|
||||||
|
- LDAP_TLS_VERIFY_CLIENT=try
|
||||||
volumes:
|
volumes:
|
||||||
- ./example/compose/ldap/base.ldif:/etc/ldap.dist/prepopulate/base.ldif
|
- ./example/compose/ldap/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom
|
||||||
- ./example/compose/ldap/access.rules:/etc/ldap.dist/prepopulate/access.rules
|
command:
|
||||||
ports:
|
- --copy-service
|
||||||
- "389:389"
|
|
||||||
networks:
|
networks:
|
||||||
- authelianet
|
- authelianet
|
||||||
|
|
||||||
|
|
|
@ -10,7 +10,8 @@ default_redirection_url: https://home.example.com:8080
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
ldap:
|
ldap:
|
||||||
url: ldap-service:389
|
url: ldaps://ldap-service
|
||||||
|
skip_verify: true
|
||||||
base_dn: dc=example,dc=com
|
base_dn: dc=example,dc=com
|
||||||
additional_users_dn: ou=users
|
additional_users_dn: ou=users
|
||||||
users_filter: (cn={0})
|
users_filter: (cn={0})
|
||||||
|
|
|
@ -18,27 +18,35 @@ spec:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: ldap
|
- name: ldap
|
||||||
image: clems4ever/authelia-test-ldap
|
image: osixia/openldap:1.3.0
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 389
|
- containerPort: 389
|
||||||
|
- containerPort: 636
|
||||||
|
args: ["--copy-service", "--loglevel", "debug"]
|
||||||
env:
|
env:
|
||||||
- name: SLAPD_ORGANISATION
|
- name: LDAP_ORGANISATION
|
||||||
value: MyCompany
|
value: MyCompany
|
||||||
- name: SLAPD_DOMAIN
|
- name: LDAP_DOMAIN
|
||||||
value: example.com
|
value: example.com
|
||||||
- name: SLAPD_PASSWORD
|
- name: LDAP_ADMIN_PASSWORD
|
||||||
value: password
|
value: password
|
||||||
- name: SLAPD_CONFIG_PASSWORD
|
- name: LDAP_CONFIG_PASSWORD
|
||||||
value: password
|
value: password
|
||||||
- name: SLAPD_ADDITIONAL_MODULES
|
- name: LDAP_ADDITIONAL_MODULES
|
||||||
value: memberof
|
value: memberof
|
||||||
- name: SLAPD_ADDITIONAL_SCHEMAS
|
- name: LDAP_ADDITIONAL_SCHEMAS
|
||||||
value: openldap
|
value: openldap
|
||||||
- name: SLAPD_FORCE_RECONFIGURE
|
- name: LDAP_FORCE_RECONFIGURE
|
||||||
value: "true"
|
value: "true"
|
||||||
|
- name: LDAP_TLS_VERIFY_CLIENT
|
||||||
|
value: try
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: config-volume
|
- name: config-volume
|
||||||
mountPath: /etc/ldap.dist/prepopulate
|
mountPath: /container/service/slapd/assets/config/bootstrap/ldif/custom/base.ldif
|
||||||
|
subPath: base.ldif
|
||||||
|
- name: config-volume
|
||||||
|
mountPath: /container/service/slapd/assets/config/bootstrap/ldif/custom/access.rules
|
||||||
|
subPath: access.rules
|
||||||
volumes:
|
volumes:
|
||||||
- name: config-volume
|
- name: config-volume
|
||||||
configMap:
|
configMap:
|
||||||
|
|
|
@ -9,4 +9,4 @@ spec:
|
||||||
app: ldap
|
app: ldap
|
||||||
ports:
|
ports:
|
||||||
- protocol: TCP
|
- protocol: TCP
|
||||||
port: 389
|
port: 636
|
||||||
|
|
8
go.sum
8
go.sum
|
@ -1,6 +1,7 @@
|
||||||
cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
|
cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
|
||||||
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
|
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
|
||||||
cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
|
cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
|
||||||
|
cloud.google.com/go v0.41.0 h1:NFvqUTDnSNYPX5oReekmB+D+90jrJIcVImxQ3qrBVgM=
|
||||||
cloud.google.com/go v0.41.0/go.mod h1:OauMR7DV8fzvZIl2qg6rkaIhD/vmgk4iwEw/h6ercmg=
|
cloud.google.com/go v0.41.0/go.mod h1:OauMR7DV8fzvZIl2qg6rkaIhD/vmgk4iwEw/h6ercmg=
|
||||||
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
|
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
|
||||||
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802 h1:1BDTz0u9nC3//pOCMdNH+CiXJVYJh5UQNCOBG7jbELc=
|
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802 h1:1BDTz0u9nC3//pOCMdNH+CiXJVYJh5UQNCOBG7jbELc=
|
||||||
|
@ -76,8 +77,10 @@ github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXi
|
||||||
github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
|
github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
|
||||||
github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
|
github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
|
||||||
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
|
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
|
||||||
|
github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM=
|
||||||
github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
|
github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
|
||||||
github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
|
github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
|
||||||
|
github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU=
|
||||||
github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
|
github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
|
||||||
github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
|
github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
|
||||||
github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
|
github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
|
||||||
|
@ -179,6 +182,7 @@ github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:
|
||||||
go.mongodb.org/mongo-driver v1.1.3 h1:++7u8r9adKhGR+I79NfEtYrk2ktjenErXM99PSufIoI=
|
go.mongodb.org/mongo-driver v1.1.3 h1:++7u8r9adKhGR+I79NfEtYrk2ktjenErXM99PSufIoI=
|
||||||
go.mongodb.org/mongo-driver v1.1.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
|
go.mongodb.org/mongo-driver v1.1.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
|
||||||
go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
|
go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
|
||||||
|
go.opencensus.io v0.22.0 h1:C9hSCOW830chIVkdja34wa6Ky+IzWllkUinR+BtRZd4=
|
||||||
go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
|
go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
|
||||||
golang.org/x/crypto v0.0.0-20181112202954-3d3f9f413869/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
|
golang.org/x/crypto v0.0.0-20181112202954-3d3f9f413869/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
|
||||||
golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
|
golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
|
||||||
|
@ -210,6 +214,7 @@ golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297 h1:k7pJ2yAPLPgbskkFdhRCsA77k
|
||||||
golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||||
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
|
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
|
||||||
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||||
|
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=
|
||||||
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||||
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||||
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||||
|
@ -250,6 +255,7 @@ golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgw
|
||||||
golang.org/x/tools v0.0.0-20190624190245-7f2218787638 h1:uIfBkD8gLczr4XDgYpt/qJYds2YJwZRNw4zs7wSnNhk=
|
golang.org/x/tools v0.0.0-20190624190245-7f2218787638 h1:uIfBkD8gLczr4XDgYpt/qJYds2YJwZRNw4zs7wSnNhk=
|
||||||
golang.org/x/tools v0.0.0-20190624190245-7f2218787638/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
|
golang.org/x/tools v0.0.0-20190624190245-7f2218787638/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
|
||||||
google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
|
google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
|
||||||
|
google.golang.org/api v0.7.0 h1:9sdfJOzWlkqPltHAuzT2Cp+yrBeY1KRVYgms8soxMwM=
|
||||||
google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
|
google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
|
||||||
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
|
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
|
||||||
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
|
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
|
||||||
|
@ -263,9 +269,11 @@ google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRn
|
||||||
google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
|
google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
|
||||||
google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
|
google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
|
||||||
google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
|
google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
|
||||||
|
google.golang.org/genproto v0.0.0-20190626174449-989357319d63 h1:UsSJe9fhWNSz6emfIGPpH5DF23t7ALo2Pf3sC+/hsdg=
|
||||||
google.golang.org/genproto v0.0.0-20190626174449-989357319d63/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s=
|
google.golang.org/genproto v0.0.0-20190626174449-989357319d63/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s=
|
||||||
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
|
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
|
||||||
google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
|
google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
|
||||||
|
google.golang.org/grpc v1.21.1 h1:j6XxA85m/6txkUCHvzlV5f+HBNl/1r5cZ2A/3IEFOO8=
|
||||||
google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
|
google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
|
||||||
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d h1:TxyelI5cVkbREznMhfzycHdkp5cLA7DpE+GKjSslYhM=
|
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d h1:TxyelI5cVkbREznMhfzycHdkp5cLA7DpE+GKjSslYhM=
|
||||||
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw=
|
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw=
|
||||||
|
|
|
@ -0,0 +1,78 @@
|
||||||
|
package authentication
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/tls"
|
||||||
|
|
||||||
|
"gopkg.in/ldap.v3"
|
||||||
|
)
|
||||||
|
|
||||||
|
// ********************* CONNECTION *********************
|
||||||
|
|
||||||
|
// LDAPConnection interface representing a connection to the ldap.
|
||||||
|
type LDAPConnection interface {
|
||||||
|
Bind(username, password string) error
|
||||||
|
Close()
|
||||||
|
|
||||||
|
Search(searchRequest *ldap.SearchRequest) (*ldap.SearchResult, error)
|
||||||
|
Modify(modifyRequest *ldap.ModifyRequest) error
|
||||||
|
}
|
||||||
|
|
||||||
|
// LDAPConnectionImpl the production implementation of an ldap connection
|
||||||
|
type LDAPConnectionImpl struct {
|
||||||
|
conn *ldap.Conn
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewLDAPConnectionImpl create a new ldap connection
|
||||||
|
func NewLDAPConnectionImpl(conn *ldap.Conn) *LDAPConnectionImpl {
|
||||||
|
return &LDAPConnectionImpl{conn}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (lc *LDAPConnectionImpl) Bind(username, password string) error {
|
||||||
|
return lc.conn.Bind(username, password)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (lc *LDAPConnectionImpl) Close() {
|
||||||
|
lc.conn.Close()
|
||||||
|
}
|
||||||
|
|
||||||
|
func (lc *LDAPConnectionImpl) Search(searchRequest *ldap.SearchRequest) (*ldap.SearchResult, error) {
|
||||||
|
return lc.conn.Search(searchRequest)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (lc *LDAPConnectionImpl) Modify(modifyRequest *ldap.ModifyRequest) error {
|
||||||
|
return lc.conn.Modify(modifyRequest)
|
||||||
|
}
|
||||||
|
|
||||||
|
// ********************* FACTORY ***********************
|
||||||
|
|
||||||
|
// LDAPConnectionFactory an interface of factory of ldap connections
|
||||||
|
type LDAPConnectionFactory interface {
|
||||||
|
DialTLS(network, addr string, config *tls.Config) (LDAPConnection, error)
|
||||||
|
Dial(network, addr string) (LDAPConnection, error)
|
||||||
|
}
|
||||||
|
|
||||||
|
// LDAPConnectionFactoryImpl the production implementation of an ldap connection factory.
|
||||||
|
type LDAPConnectionFactoryImpl struct{}
|
||||||
|
|
||||||
|
// NewLDAPConnectionFactoryImpl create a concrete ldap connection factory
|
||||||
|
func NewLDAPConnectionFactoryImpl() *LDAPConnectionFactoryImpl {
|
||||||
|
return &LDAPConnectionFactoryImpl{}
|
||||||
|
}
|
||||||
|
|
||||||
|
// DialTLS contact ldap server over TLS.
|
||||||
|
func (lcf *LDAPConnectionFactoryImpl) DialTLS(network, addr string, config *tls.Config) (LDAPConnection, error) {
|
||||||
|
conn, err := ldap.DialTLS(network, addr, config)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return NewLDAPConnectionImpl(conn), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Dial contact ldap server over raw tcp.
|
||||||
|
func (lcf *LDAPConnectionFactoryImpl) Dial(network, addr string) (LDAPConnection, error) {
|
||||||
|
conn, err := ldap.Dial(network, addr)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return NewLDAPConnectionImpl(conn), nil
|
||||||
|
}
|
|
@ -0,0 +1,143 @@
|
||||||
|
// Code generated by MockGen. DO NOT EDIT.
|
||||||
|
// Source: internal/authentication/ldap_connection_factory.go
|
||||||
|
|
||||||
|
// Package authentication is a generated GoMock package.
|
||||||
|
package authentication
|
||||||
|
|
||||||
|
import (
|
||||||
|
tls "crypto/tls"
|
||||||
|
gomock "github.com/golang/mock/gomock"
|
||||||
|
ldap_v3 "gopkg.in/ldap.v3"
|
||||||
|
reflect "reflect"
|
||||||
|
)
|
||||||
|
|
||||||
|
// MockLDAPConnection is a mock of LDAPConnection interface
|
||||||
|
type MockLDAPConnection struct {
|
||||||
|
ctrl *gomock.Controller
|
||||||
|
recorder *MockLDAPConnectionMockRecorder
|
||||||
|
}
|
||||||
|
|
||||||
|
// MockLDAPConnectionMockRecorder is the mock recorder for MockLDAPConnection
|
||||||
|
type MockLDAPConnectionMockRecorder struct {
|
||||||
|
mock *MockLDAPConnection
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewMockLDAPConnection creates a new mock instance
|
||||||
|
func NewMockLDAPConnection(ctrl *gomock.Controller) *MockLDAPConnection {
|
||||||
|
mock := &MockLDAPConnection{ctrl: ctrl}
|
||||||
|
mock.recorder = &MockLDAPConnectionMockRecorder{mock}
|
||||||
|
return mock
|
||||||
|
}
|
||||||
|
|
||||||
|
// EXPECT returns an object that allows the caller to indicate expected use
|
||||||
|
func (m *MockLDAPConnection) EXPECT() *MockLDAPConnectionMockRecorder {
|
||||||
|
return m.recorder
|
||||||
|
}
|
||||||
|
|
||||||
|
// Bind mocks base method
|
||||||
|
func (m *MockLDAPConnection) Bind(username, password string) error {
|
||||||
|
m.ctrl.T.Helper()
|
||||||
|
ret := m.ctrl.Call(m, "Bind", username, password)
|
||||||
|
ret0, _ := ret[0].(error)
|
||||||
|
return ret0
|
||||||
|
}
|
||||||
|
|
||||||
|
// Bind indicates an expected call of Bind
|
||||||
|
func (mr *MockLDAPConnectionMockRecorder) Bind(username, password interface{}) *gomock.Call {
|
||||||
|
mr.mock.ctrl.T.Helper()
|
||||||
|
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Bind", reflect.TypeOf((*MockLDAPConnection)(nil).Bind), username, password)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Close mocks base method
|
||||||
|
func (m *MockLDAPConnection) Close() {
|
||||||
|
m.ctrl.T.Helper()
|
||||||
|
m.ctrl.Call(m, "Close")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Close indicates an expected call of Close
|
||||||
|
func (mr *MockLDAPConnectionMockRecorder) Close() *gomock.Call {
|
||||||
|
mr.mock.ctrl.T.Helper()
|
||||||
|
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Close", reflect.TypeOf((*MockLDAPConnection)(nil).Close))
|
||||||
|
}
|
||||||
|
|
||||||
|
// Search mocks base method
|
||||||
|
func (m *MockLDAPConnection) Search(searchRequest *ldap_v3.SearchRequest) (*ldap_v3.SearchResult, error) {
|
||||||
|
m.ctrl.T.Helper()
|
||||||
|
ret := m.ctrl.Call(m, "Search", searchRequest)
|
||||||
|
ret0, _ := ret[0].(*ldap_v3.SearchResult)
|
||||||
|
ret1, _ := ret[1].(error)
|
||||||
|
return ret0, ret1
|
||||||
|
}
|
||||||
|
|
||||||
|
// Search indicates an expected call of Search
|
||||||
|
func (mr *MockLDAPConnectionMockRecorder) Search(searchRequest interface{}) *gomock.Call {
|
||||||
|
mr.mock.ctrl.T.Helper()
|
||||||
|
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Search", reflect.TypeOf((*MockLDAPConnection)(nil).Search), searchRequest)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Modify mocks base method
|
||||||
|
func (m *MockLDAPConnection) Modify(modifyRequest *ldap_v3.ModifyRequest) error {
|
||||||
|
m.ctrl.T.Helper()
|
||||||
|
ret := m.ctrl.Call(m, "Modify", modifyRequest)
|
||||||
|
ret0, _ := ret[0].(error)
|
||||||
|
return ret0
|
||||||
|
}
|
||||||
|
|
||||||
|
// Modify indicates an expected call of Modify
|
||||||
|
func (mr *MockLDAPConnectionMockRecorder) Modify(modifyRequest interface{}) *gomock.Call {
|
||||||
|
mr.mock.ctrl.T.Helper()
|
||||||
|
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Modify", reflect.TypeOf((*MockLDAPConnection)(nil).Modify), modifyRequest)
|
||||||
|
}
|
||||||
|
|
||||||
|
// MockLDAPConnectionFactory is a mock of LDAPConnectionFactory interface
|
||||||
|
type MockLDAPConnectionFactory struct {
|
||||||
|
ctrl *gomock.Controller
|
||||||
|
recorder *MockLDAPConnectionFactoryMockRecorder
|
||||||
|
}
|
||||||
|
|
||||||
|
// MockLDAPConnectionFactoryMockRecorder is the mock recorder for MockLDAPConnectionFactory
|
||||||
|
type MockLDAPConnectionFactoryMockRecorder struct {
|
||||||
|
mock *MockLDAPConnectionFactory
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewMockLDAPConnectionFactory creates a new mock instance
|
||||||
|
func NewMockLDAPConnectionFactory(ctrl *gomock.Controller) *MockLDAPConnectionFactory {
|
||||||
|
mock := &MockLDAPConnectionFactory{ctrl: ctrl}
|
||||||
|
mock.recorder = &MockLDAPConnectionFactoryMockRecorder{mock}
|
||||||
|
return mock
|
||||||
|
}
|
||||||
|
|
||||||
|
// EXPECT returns an object that allows the caller to indicate expected use
|
||||||
|
func (m *MockLDAPConnectionFactory) EXPECT() *MockLDAPConnectionFactoryMockRecorder {
|
||||||
|
return m.recorder
|
||||||
|
}
|
||||||
|
|
||||||
|
// DialTLS mocks base method
|
||||||
|
func (m *MockLDAPConnectionFactory) DialTLS(network, addr string, config *tls.Config) (LDAPConnection, error) {
|
||||||
|
m.ctrl.T.Helper()
|
||||||
|
ret := m.ctrl.Call(m, "DialTLS", network, addr, config)
|
||||||
|
ret0, _ := ret[0].(LDAPConnection)
|
||||||
|
ret1, _ := ret[1].(error)
|
||||||
|
return ret0, ret1
|
||||||
|
}
|
||||||
|
|
||||||
|
// DialTLS indicates an expected call of DialTLS
|
||||||
|
func (mr *MockLDAPConnectionFactoryMockRecorder) DialTLS(network, addr, config interface{}) *gomock.Call {
|
||||||
|
mr.mock.ctrl.T.Helper()
|
||||||
|
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DialTLS", reflect.TypeOf((*MockLDAPConnectionFactory)(nil).DialTLS), network, addr, config)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Dial mocks base method
|
||||||
|
func (m *MockLDAPConnectionFactory) Dial(network, addr string) (LDAPConnection, error) {
|
||||||
|
m.ctrl.T.Helper()
|
||||||
|
ret := m.ctrl.Call(m, "Dial", network, addr)
|
||||||
|
ret0, _ := ret[0].(LDAPConnection)
|
||||||
|
ret1, _ := ret[1].(error)
|
||||||
|
return ret0, ret1
|
||||||
|
}
|
||||||
|
|
||||||
|
// Dial indicates an expected call of Dial
|
||||||
|
func (mr *MockLDAPConnectionFactoryMockRecorder) Dial(network, addr interface{}) *gomock.Call {
|
||||||
|
mr.mock.ctrl.T.Helper()
|
||||||
|
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Dial", reflect.TypeOf((*MockLDAPConnectionFactory)(nil).Dial), network, addr)
|
||||||
|
}
|
|
@ -1,35 +1,70 @@
|
||||||
package authentication
|
package authentication
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"crypto/tls"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"net/url"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/clems4ever/authelia/internal/configuration/schema"
|
"github.com/clems4ever/authelia/internal/configuration/schema"
|
||||||
|
"github.com/clems4ever/authelia/internal/logging"
|
||||||
"gopkg.in/ldap.v3"
|
"gopkg.in/ldap.v3"
|
||||||
)
|
)
|
||||||
|
|
||||||
// LDAPUserProvider is a provider using a LDAP or AD as a user database.
|
// LDAPUserProvider is a provider using a LDAP or AD as a user database.
|
||||||
type LDAPUserProvider struct {
|
type LDAPUserProvider struct {
|
||||||
configuration schema.LDAPAuthenticationBackendConfiguration
|
configuration schema.LDAPAuthenticationBackendConfiguration
|
||||||
}
|
|
||||||
|
|
||||||
func (p *LDAPUserProvider) connect(userDN string, password string) (*ldap.Conn, error) {
|
connectionFactory LDAPConnectionFactory
|
||||||
conn, err := ldap.Dial("tcp", p.configuration.URL)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
err = conn.Bind(userDN, password)
|
|
||||||
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
return conn, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewLDAPUserProvider creates a new instance of LDAPUserProvider.
|
// NewLDAPUserProvider creates a new instance of LDAPUserProvider.
|
||||||
func NewLDAPUserProvider(configuration schema.LDAPAuthenticationBackendConfiguration) *LDAPUserProvider {
|
func NewLDAPUserProvider(configuration schema.LDAPAuthenticationBackendConfiguration) *LDAPUserProvider {
|
||||||
return &LDAPUserProvider{configuration}
|
return &LDAPUserProvider{
|
||||||
|
configuration: configuration,
|
||||||
|
connectionFactory: NewLDAPConnectionFactoryImpl(),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewLDAPUserProviderWithFactory(configuration schema.LDAPAuthenticationBackendConfiguration,
|
||||||
|
connectionFactory LDAPConnectionFactory) *LDAPUserProvider {
|
||||||
|
return &LDAPUserProvider{
|
||||||
|
configuration: configuration,
|
||||||
|
connectionFactory: connectionFactory,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (p *LDAPUserProvider) connect(userDN string, password string) (LDAPConnection, error) {
|
||||||
|
var newConnection LDAPConnection
|
||||||
|
|
||||||
|
url, err := url.Parse(p.configuration.URL)
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("Unable to parse URL to LDAP: %s", url)
|
||||||
|
}
|
||||||
|
|
||||||
|
if url.Scheme == "ldaps" {
|
||||||
|
logging.Logger().Debug("LDAP client starts a TLS session")
|
||||||
|
conn, err := p.connectionFactory.DialTLS("tcp", url.Host, &tls.Config{
|
||||||
|
InsecureSkipVerify: p.configuration.SkipVerify,
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
newConnection = conn
|
||||||
|
} else {
|
||||||
|
logging.Logger().Debug("LDAP client starts a session over raw TCP")
|
||||||
|
conn, err := p.connectionFactory.Dial("tcp", url.Host)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
newConnection = conn
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := newConnection.Bind(userDN, password); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return newConnection, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// CheckUserPassword checks if provided password matches for the given user.
|
// CheckUserPassword checks if provided password matches for the given user.
|
||||||
|
@ -54,7 +89,7 @@ func (p *LDAPUserProvider) CheckUserPassword(username string, password string) (
|
||||||
return true, nil
|
return true, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *LDAPUserProvider) getUserAttribute(conn *ldap.Conn, username string, attribute string) ([]string, error) {
|
func (p *LDAPUserProvider) getUserAttribute(conn LDAPConnection, username string, attribute string) ([]string, error) {
|
||||||
client, err := p.connect(p.configuration.User, p.configuration.Password)
|
client, err := p.connect(p.configuration.User, p.configuration.Password)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -86,7 +121,7 @@ func (p *LDAPUserProvider) getUserAttribute(conn *ldap.Conn, username string, at
|
||||||
return sr.Entries[0].Attributes[0].Values, nil
|
return sr.Entries[0].Attributes[0].Values, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *LDAPUserProvider) getUserDN(conn *ldap.Conn, username string) (string, error) {
|
func (p *LDAPUserProvider) getUserDN(conn LDAPConnection, username string) (string, error) {
|
||||||
values, err := p.getUserAttribute(conn, username, "dn")
|
values, err := p.getUserAttribute(conn, username, "dn")
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -100,7 +135,7 @@ func (p *LDAPUserProvider) getUserDN(conn *ldap.Conn, username string) (string,
|
||||||
return values[0], nil
|
return values[0], nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *LDAPUserProvider) getUserUID(conn *ldap.Conn, username string) (string, error) {
|
func (p *LDAPUserProvider) getUserUID(conn LDAPConnection, username string) (string, error) {
|
||||||
values, err := p.getUserAttribute(conn, username, "uid")
|
values, err := p.getUserAttribute(conn, username, "uid")
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -114,7 +149,7 @@ func (p *LDAPUserProvider) getUserUID(conn *ldap.Conn, username string) (string,
|
||||||
return values[0], nil
|
return values[0], nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *LDAPUserProvider) createGroupsFilter(conn *ldap.Conn, username string) (string, error) {
|
func (p *LDAPUserProvider) createGroupsFilter(conn LDAPConnection, username string) (string, error) {
|
||||||
if strings.Index(p.configuration.GroupsFilter, "{0}") >= 0 {
|
if strings.Index(p.configuration.GroupsFilter, "{0}") >= 0 {
|
||||||
return strings.Replace(p.configuration.GroupsFilter, "{0}", username, -1), nil
|
return strings.Replace(p.configuration.GroupsFilter, "{0}", username, -1), nil
|
||||||
} else if strings.Index(p.configuration.GroupsFilter, "{dn}") >= 0 {
|
} else if strings.Index(p.configuration.GroupsFilter, "{dn}") >= 0 {
|
||||||
|
|
|
@ -0,0 +1,57 @@
|
||||||
|
package authentication
|
||||||
|
|
||||||
|
import (
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/clems4ever/authelia/internal/configuration/schema"
|
||||||
|
gomock "github.com/golang/mock/gomock"
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestShouldCreateRawConnectionWhenSchemeIsLDAP(t *testing.T) {
|
||||||
|
ctrl := gomock.NewController(t)
|
||||||
|
defer ctrl.Finish()
|
||||||
|
|
||||||
|
mockFactory := NewMockLDAPConnectionFactory(ctrl)
|
||||||
|
mockConn := NewMockLDAPConnection(ctrl)
|
||||||
|
|
||||||
|
ldap := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
|
||||||
|
URL: "ldap://127.0.0.1:389",
|
||||||
|
}, mockFactory)
|
||||||
|
|
||||||
|
mockFactory.EXPECT().
|
||||||
|
Dial(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389")).
|
||||||
|
Return(mockConn, nil)
|
||||||
|
|
||||||
|
mockConn.EXPECT().
|
||||||
|
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
|
||||||
|
Return(nil)
|
||||||
|
|
||||||
|
_, err := ldap.connect("cn=admin,dc=example,dc=com", "password")
|
||||||
|
|
||||||
|
require.NoError(t, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestShouldCreateTLSConnectionWhenSchemeIsLDAPS(t *testing.T) {
|
||||||
|
ctrl := gomock.NewController(t)
|
||||||
|
defer ctrl.Finish()
|
||||||
|
|
||||||
|
mockFactory := NewMockLDAPConnectionFactory(ctrl)
|
||||||
|
mockConn := NewMockLDAPConnection(ctrl)
|
||||||
|
|
||||||
|
ldap := NewLDAPUserProviderWithFactory(schema.LDAPAuthenticationBackendConfiguration{
|
||||||
|
URL: "ldaps://127.0.0.1:389",
|
||||||
|
}, mockFactory)
|
||||||
|
|
||||||
|
mockFactory.EXPECT().
|
||||||
|
DialTLS(gomock.Eq("tcp"), gomock.Eq("127.0.0.1:389"), gomock.Any()).
|
||||||
|
Return(mockConn, nil)
|
||||||
|
|
||||||
|
mockConn.EXPECT().
|
||||||
|
Bind(gomock.Eq("cn=admin,dc=example,dc=com"), gomock.Eq("password")).
|
||||||
|
Return(nil)
|
||||||
|
|
||||||
|
_, err := ldap.connect("cn=admin,dc=example,dc=com", "password")
|
||||||
|
|
||||||
|
require.NoError(t, err)
|
||||||
|
}
|
|
@ -3,6 +3,7 @@ package schema
|
||||||
// LDAPAuthenticationBackendConfiguration represents the configuration related to LDAP server.
|
// LDAPAuthenticationBackendConfiguration represents the configuration related to LDAP server.
|
||||||
type LDAPAuthenticationBackendConfiguration struct {
|
type LDAPAuthenticationBackendConfiguration struct {
|
||||||
URL string `yaml:"url"`
|
URL string `yaml:"url"`
|
||||||
|
SkipVerify bool `yaml:"skip_verify"`
|
||||||
BaseDN string `yaml:"base_dn"`
|
BaseDN string `yaml:"base_dn"`
|
||||||
AdditionalUsersDN string `yaml:"additional_users_dn"`
|
AdditionalUsersDN string `yaml:"additional_users_dn"`
|
||||||
UsersFilter string `yaml:"users_filter"`
|
UsersFilter string `yaml:"users_filter"`
|
||||||
|
|
|
@ -2,12 +2,14 @@ package validator
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"errors"
|
"errors"
|
||||||
"strings"
|
"fmt"
|
||||||
|
"net/url"
|
||||||
|
|
||||||
"github.com/clems4ever/authelia/internal/configuration/schema"
|
"github.com/clems4ever/authelia/internal/configuration/schema"
|
||||||
)
|
)
|
||||||
|
|
||||||
var ldapProtocolPrefix = "ldap://"
|
var ldapProtocolPrefix = "ldap://"
|
||||||
|
var ldapsProtocolPrefix = "ldaps://"
|
||||||
|
|
||||||
func validateFileAuthenticationBackend(configuration *schema.FileAuthenticationBackendConfiguration, validator *schema.StructValidator) {
|
func validateFileAuthenticationBackend(configuration *schema.FileAuthenticationBackendConfiguration, validator *schema.StructValidator) {
|
||||||
if configuration.Path == "" {
|
if configuration.Path == "" {
|
||||||
|
@ -15,19 +17,30 @@ func validateFileAuthenticationBackend(configuration *schema.FileAuthenticationB
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func validateLdapURL(url string, validator *schema.StructValidator) string {
|
func validateLdapURL(ldapURL string, validator *schema.StructValidator) string {
|
||||||
if strings.HasPrefix(url, ldapProtocolPrefix) {
|
u, err := url.Parse(ldapURL)
|
||||||
url = url[len(ldapProtocolPrefix):]
|
|
||||||
|
if err != nil {
|
||||||
|
validator.Push(errors.New("Unable to parse URL to ldap server. The scheme is probably missing: ldap:// or ldaps://"))
|
||||||
|
return ""
|
||||||
}
|
}
|
||||||
|
|
||||||
portColons := strings.Index(url, ":")
|
if !(u.Scheme == "ldap" || u.Scheme == "ldaps") {
|
||||||
|
validator.Push(errors.New("Unknown scheme for ldap url, should be ldap:// or ldaps://"))
|
||||||
// if no port is provided, we provide the default LDAP port
|
return ""
|
||||||
// TODO(c.michaud): support LDAP over TLS.
|
|
||||||
if portColons == -1 {
|
|
||||||
url = url + ":389"
|
|
||||||
}
|
}
|
||||||
return url
|
|
||||||
|
if u.Scheme == "ldap" && u.Port() == "" {
|
||||||
|
u.Host += ":389"
|
||||||
|
} else if u.Scheme == "ldaps" && u.Port() == "" {
|
||||||
|
u.Host += ":636"
|
||||||
|
}
|
||||||
|
|
||||||
|
if !u.IsAbs() {
|
||||||
|
validator.Push(fmt.Errorf("URL to LDAP %s is still not absolute, it should be something like ldap://127.0.0.1:389", u.String()))
|
||||||
|
}
|
||||||
|
|
||||||
|
return u.String()
|
||||||
}
|
}
|
||||||
|
|
||||||
func validateLdapAuthenticationBackend(configuration *schema.LDAPAuthenticationBackendConfiguration, validator *schema.StructValidator) {
|
func validateLdapAuthenticationBackend(configuration *schema.LDAPAuthenticationBackendConfiguration, validator *schema.StructValidator) {
|
||||||
|
|
|
@ -5,6 +5,7 @@ import (
|
||||||
|
|
||||||
"github.com/clems4ever/authelia/internal/configuration/schema"
|
"github.com/clems4ever/authelia/internal/configuration/schema"
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
"github.com/stretchr/testify/suite"
|
"github.com/stretchr/testify/suite"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -119,6 +120,24 @@ func (suite *LdapAuthenticationBackendSuite) TestShouldSetDefaultMailAttribute()
|
||||||
assert.Equal(suite.T(), "mail", suite.configuration.Ldap.MailAttribute)
|
assert.Equal(suite.T(), "mail", suite.configuration.Ldap.MailAttribute)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (suite *LdapAuthenticationBackendSuite) TestShouldAdaptLDAPURL() {
|
||||||
|
assert.Equal(suite.T(), "", validateLdapURL("127.0.0.1", suite.validator))
|
||||||
|
require.Len(suite.T(), suite.validator.Errors(), 1)
|
||||||
|
assert.EqualError(suite.T(), suite.validator.Errors()[0], "Unknown scheme for ldap url, should be ldap:// or ldaps://")
|
||||||
|
|
||||||
|
assert.Equal(suite.T(), "", validateLdapURL("127.0.0.1:636", suite.validator))
|
||||||
|
require.Len(suite.T(), suite.validator.Errors(), 2)
|
||||||
|
assert.EqualError(suite.T(), suite.validator.Errors()[1], "Unable to parse URL to ldap server. The scheme is probably missing: ldap:// or ldaps://")
|
||||||
|
|
||||||
|
assert.Equal(suite.T(), "ldap://127.0.0.1:389", validateLdapURL("ldap://127.0.0.1", suite.validator))
|
||||||
|
assert.Equal(suite.T(), "ldap://127.0.0.1:390", validateLdapURL("ldap://127.0.0.1:390", suite.validator))
|
||||||
|
assert.Equal(suite.T(), "ldap://127.0.0.1:389/abc", validateLdapURL("ldap://127.0.0.1/abc", suite.validator))
|
||||||
|
assert.Equal(suite.T(), "ldap://127.0.0.1:389/abc?test=abc&x=y", validateLdapURL("ldap://127.0.0.1/abc?test=abc&x=y", suite.validator))
|
||||||
|
|
||||||
|
assert.Equal(suite.T(), "ldaps://127.0.0.1:390", validateLdapURL("ldaps://127.0.0.1:390", suite.validator))
|
||||||
|
assert.Equal(suite.T(), "ldaps://127.0.0.1:636", validateLdapURL("ldaps://127.0.0.1", suite.validator))
|
||||||
|
}
|
||||||
|
|
||||||
func TestLdapAuthenticationBackend(t *testing.T) {
|
func TestLdapAuthenticationBackend(t *testing.T) {
|
||||||
suite.Run(t, new(LdapAuthenticationBackendSuite))
|
suite.Run(t, new(LdapAuthenticationBackendSuite))
|
||||||
}
|
}
|
||||||
|
|
|
@ -13,7 +13,10 @@ jwt_secret: very_important_secret
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
ldap:
|
ldap:
|
||||||
# The url of the ldap server
|
# The url of the ldap server
|
||||||
url: ldap://openldap
|
url: ldaps://openldap
|
||||||
|
|
||||||
|
# Skip certificate verification (for self-signed certificates)
|
||||||
|
skip_verify: true
|
||||||
|
|
||||||
# The base dn for every entries
|
# The base dn for every entries
|
||||||
base_dn: dc=example,dc=com
|
base_dn: dc=example,dc=com
|
||||||
|
|
|
@ -17,6 +17,7 @@ func init() {
|
||||||
"example/compose/nginx/portal/docker-compose.yml",
|
"example/compose/nginx/portal/docker-compose.yml",
|
||||||
"example/compose/smtp/docker-compose.yml",
|
"example/compose/smtp/docker-compose.yml",
|
||||||
"example/compose/ldap/docker-compose.yml",
|
"example/compose/ldap/docker-compose.yml",
|
||||||
|
"example/compose/ldap/docker-compose.admin.yml",
|
||||||
})
|
})
|
||||||
|
|
||||||
setup := func(suitePath string) error {
|
setup := func(suitePath string) error {
|
||||||
|
|
Loading…
Reference in New Issue