func ValidateLDAPQuery(query api.LDAPQuery) ValidationResults {
validationResults := ValidationResults{}
if _, err := ldap.ParseDN(query.BaseDN); err != nil {
validationResults.AddErrors(fielderrors.NewFieldInvalid("baseDN", query.BaseDN,
fmt.Sprintf("invalid base DN for search: %v", err)))
}
if len(query.Scope) > 0 {
if _, err := ldaputil.DetermineLDAPScope(query.Scope); err != nil {
validationResults.AddErrors(fielderrors.NewFieldInvalid("scope", query.Scope,
"invalid LDAP search scope"))
}
}
if len(query.DerefAliases) > 0 {
if _, err := ldaputil.DetermineDerefAliasesBehavior(query.DerefAliases); err != nil {
validationResults.AddErrors(fielderrors.NewFieldInvalid("derefAliases",
query.DerefAliases, "LDAP alias dereferencing instruction invalid"))
}
}
if query.TimeLimit < 0 {
validationResults.AddErrors(fielderrors.NewFieldInvalid("timeout", query.TimeLimit,
"timeout must be equal to or greater than zero"))
}
if _, err := ldap.CompileFilter(query.Filter); err != nil {
validationResults.AddErrors(fielderrors.NewFieldInvalid("filter", query.Filter,
fmt.Sprintf("invalid query filter: %v", err)))
}
return validationResults
}
func (b *backend) Login(req *logical.Request, username string, password string) ([]string, *logical.Response, error) {
cfg, err := b.Config(req)
if err != nil {
return nil, nil, err
}
if cfg == nil {
return nil, logical.ErrorResponse("ldap backend not configured"), nil
}
c, err := cfg.DialLDAP()
if err != nil {
return nil, logical.ErrorResponse(err.Error()), nil
}
// Try to authenticate to the server using the provided credentials
binddn := fmt.Sprintf("%s=%s,%s", cfg.UserAttr, EscapeLDAPValue(username), cfg.UserDN)
if err = c.Bind(binddn, password); err != nil {
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP bind failed: %v", err)), nil
}
// Enumerate all groups the user is member of. The search filter should
// work with both openldap and MS AD standard schemas.
sresult, err := c.Search(&ldap.SearchRequest{
BaseDN: cfg.GroupDN,
Scope: 2, // subtree
Filter: fmt.Sprintf("(|(memberUid=%s)(member=%s)(uniqueMember=%s))", username, binddn, binddn),
})
if err != nil {
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP search failed: %v", err)), nil
}
var allgroups []string
var policies []string
for _, e := range sresult.Entries {
dn, err := ldap.ParseDN(e.DN)
if err != nil || len(dn.RDNs) == 0 || len(dn.RDNs[0].Attributes) == 0 {
continue
}
gname := dn.RDNs[0].Attributes[0].Value
allgroups = append(allgroups, gname)
group, err := b.Group(req.Storage, gname)
if err == nil && group != nil {
policies = append(policies, group.Policies...)
}
}
if len(policies) == 0 {
return nil, logical.ErrorResponse("user is not member of any authorized group"), nil
}
return policies, nil, nil
}
// NewSearchRequest creates a new search request from the identifying query by internalizing the value of
// the attribute to be filtered as well as any attributes that need to be recovered
func (o *LDAPQueryOnAttribute) NewSearchRequest(attributeValue string, attributes []string) (*ldap.SearchRequest, error) {
if strings.EqualFold(o.QueryAttribute, "dn") {
if !strings.Contains(attributeValue, o.BaseDN) {
return nil, &errQueryOutOfBounds{QueryDN: attributeValue, BaseDN: o.BaseDN}
}
if _, err := ldap.ParseDN(attributeValue); err != nil {
return nil, fmt.Errorf("could not search by dn, invalid dn value: %v", err)
}
return o.buildDNQuery(attributeValue, attributes), nil
} else {
return o.buildAttributeQuery(attributeValue, attributes), nil
}
}
/*
* Parses a distinguished name and returns the CN portion.
* Given a non-conforming string (such as an already-extracted CN),
* it will be returned as-is.
*/
func (b *backend) getCN(dn string) string {
parsedDN, err := ldap.ParseDN(dn)
if err != nil || len(parsedDN.RDNs) == 0 {
// It was already a CN, return as-is
return dn
}
for _, rdn := range parsedDN.RDNs {
for _, rdnAttr := range rdn.Attributes {
if rdnAttr.Type == "CN" {
return rdnAttr.Value
}
}
}
// Default, return self
return dn
}
func (b *backend) Login(req *logical.Request, username string, password string) ([]string, *logical.Response, error) {
cfg, err := b.Config(req)
if err != nil {
return nil, nil, err
}
if cfg == nil {
return nil, logical.ErrorResponse("ldap backend not configured"), nil
}
c, err := cfg.DialLDAP()
if err != nil {
return nil, logical.ErrorResponse(err.Error()), nil
}
binddn := ""
if cfg.UPNDomain != "" {
binddn = fmt.Sprintf("%s@%s", EscapeLDAPValue(username), cfg.UPNDomain)
} else {
binddn = fmt.Sprintf("%s=%s,%s", cfg.UserAttr, EscapeLDAPValue(username), cfg.UserDN)
}
var binduser string
var bindpassword string
configuredBinding := false
if cfg.BindDN == "" { //Bind with requesting credentials
binduser = binddn
bindpassword = password
} else { //Bind with configured credentials
binduser = cfg.BindDN
bindpassword = cfg.BindDNPassword
configuredBinding = true
}
//Attempt bind
if err = c.Bind(binduser, bindpassword); err != nil {
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP bind (%s) failed: %v", binduser, err)), nil
}
//If using cofigured binding credentials, we need to make sure
//the requesting credentials are correct
if configuredBinding {
filter := fmt.Sprintf("(%s=%s)", cfg.UserAttr, username)
//Find the user requesting to login
sresult, err := c.Search(&ldap.SearchRequest{
BaseDN: cfg.UserDN,
Scope: 2, // subtree
Filter: filter,
})
if err != nil {
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP user search (%s) failed: %v", filter, err)), nil
}
//Requesting user wasn't found
if len(sresult.Entries) == 0 {
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP user search (%s) failed to find user: %s", filter, username)), nil
}
discoveredUserDN := sresult.Entries[0].DN
//Check requesting credentials
if err = c.Bind(discoveredUserDN, password); err != nil {
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP bind (%s) failed: %v", discoveredUserDN, err)), nil
}
//User the user dn to perform group searches
binddn = discoveredUserDN
}
userdn := ""
if cfg.UPNDomain != "" {
// Find the distinguished name for the user if userPrincipalName used for login
sresult, err := c.Search(&ldap.SearchRequest{
BaseDN: cfg.UserDN,
Scope: 2, // subtree
Filter: fmt.Sprintf("(userPrincipalName=%s)", binddn),
})
if err != nil {
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP search failed: %v", err)), nil
}
for _, e := range sresult.Entries {
userdn = e.DN
}
} else {
userdn = binddn
}
// Enumerate all groups the user is member of. The search filter should
// work with both openldap and MS AD standard schemas.
sresult, err := c.Search(&ldap.SearchRequest{
BaseDN: cfg.GroupDN,
Scope: 2, // subtree
Filter: fmt.Sprintf("(|(memberUid=%s)(member=%s)(uniqueMember=%s))", username, userdn, userdn),
})
if err != nil {
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP search failed: %v", err)), nil
}
var allgroups []string
var policies []string
user, err := b.User(req.Storage, username)
if err == nil && user != nil {
allgroups = append(allgroups, user.Groups...)
}
for _, e := range sresult.Entries {
dn, err := ldap.ParseDN(e.DN)
if err != nil || len(dn.RDNs) == 0 || len(dn.RDNs[0].Attributes) == 0 {
continue
}
gname := dn.RDNs[0].Attributes[0].Value
allgroups = append(allgroups, gname)
}
for _, gname := range allgroups {
group, err := b.Group(req.Storage, gname)
if err == nil && group != nil {
policies = append(policies, group.Policies...)
}
}
if len(policies) == 0 {
return nil, logical.ErrorResponse(fmt.Sprintf("user (%s) is not member of any authorized group", binddn)), nil
}
return policies, nil, nil
}
func (b *backend) Login(req *logical.Request, username string, password string) ([]string, *logical.Response, error) {
cfg, err := b.Config(req)
if err != nil {
return nil, nil, err
}
if cfg == nil {
return nil, logical.ErrorResponse("ldap backend not configured"), nil
}
c, err := cfg.DialLDAP()
if err != nil {
return nil, logical.ErrorResponse(err.Error()), nil
}
binddn := ""
if cfg.DiscoverDN || (cfg.BindDN != "" && cfg.BindPassword != "") {
if err = c.Bind(cfg.BindDN, cfg.BindPassword); err != nil {
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP bind (service) failed: %v", err)), nil
}
sresult, err := c.Search(&ldap.SearchRequest{
BaseDN: cfg.UserDN,
Scope: 2, // subtree
Filter: fmt.Sprintf("(%s=%s)", cfg.UserAttr, EscapeLDAPValue(username)),
})
if err != nil {
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP search for binddn failed: %v", err)), nil
}
if len(sresult.Entries) != 1 {
return nil, logical.ErrorResponse("LDAP search for binddn 0 or not uniq"), nil
}
binddn = sresult.Entries[0].DN
} else {
if cfg.UPNDomain != "" {
binddn = fmt.Sprintf("%s@%s", EscapeLDAPValue(username), cfg.UPNDomain)
} else {
binddn = fmt.Sprintf("%s=%s,%s", cfg.UserAttr, EscapeLDAPValue(username), cfg.UserDN)
}
}
if err = c.Bind(binddn, password); err != nil {
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP bind failed: %v", err)), nil
}
userdn := ""
if cfg.UPNDomain != "" {
// Find the distinguished name for the user if userPrincipalName used for login
sresult, err := c.Search(&ldap.SearchRequest{
BaseDN: cfg.UserDN,
Scope: 2, // subtree
Filter: fmt.Sprintf("(userPrincipalName=%s)", binddn),
})
if err != nil {
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP search failed: %v", err)), nil
}
for _, e := range sresult.Entries {
userdn = e.DN
}
} else {
userdn = binddn
}
// Enumerate all groups the user is member of. The search filter should
// work with both openldap and MS AD standard schemas.
sresult, err := c.Search(&ldap.SearchRequest{
BaseDN: cfg.GroupDN,
Scope: 2, // subtree
Filter: fmt.Sprintf("(|(memberUid=%s)(member=%s)(uniqueMember=%s))", username, userdn, userdn),
})
if err != nil {
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP search failed: %v", err)), nil
}
var allgroups []string
var policies []string
user, err := b.User(req.Storage, username)
if err == nil && user != nil {
allgroups = append(allgroups, user.Groups...)
}
for _, e := range sresult.Entries {
dn, err := ldap.ParseDN(e.DN)
if err != nil || len(dn.RDNs) == 0 || len(dn.RDNs[0].Attributes) == 0 {
continue
}
gname := dn.RDNs[0].Attributes[0].Value
allgroups = append(allgroups, gname)
}
for _, gname := range allgroups {
group, err := b.Group(req.Storage, gname)
if err == nil && group != nil {
policies = append(policies, group.Policies...)
}
}
if len(policies) == 0 {
return nil, logical.ErrorResponse("user is not member of any authorized group"), nil
}
return policies, nil, nil
}
func getLdapGroups(cfg *ConfigEntry, c *ldap.Conn, userDN string, username string) ([]string, error) {
// retrieve the groups in a string/bool map as a structure to avoid duplicates inside
ldapMap := make(map[string]bool)
// Fetch the optional memberOf property values on the user object
// This is the most common method used in Active Directory setup to retrieve the groups
result, err := c.Search(&ldap.SearchRequest{
BaseDN: userDN,
Scope: 0, // base scope to fetch only the userDN
Filter: "(cn=*)", // bogus filter, required to fetch the CN from userDN
Attributes: []string{
"memberOf",
},
})
// this check remains in case something happens with the ldap query or connection
if err != nil {
return nil, fmt.Errorf("LDAP fetch of distinguishedName=%s failed: %v", userDN, err)
}
// if there are more than one entry, we consider the results irrelevant and ignore them
if len(result.Entries) == 1 {
for _, attr := range result.Entries[0].Attributes {
// Find the groups the user is member of from the 'memberOf' attribute extracting the CN
if attr.Name == "memberOf" {
for _, value := range attr.Values {
memberOfDN, err := ldap.ParseDN(value)
if err != nil || len(memberOfDN.RDNs) == 0 {
continue
}
for _, rdn := range memberOfDN.RDNs {
for _, rdnTypeAndValue := range rdn.Attributes {
if strings.EqualFold(rdnTypeAndValue.Type, "CN") {
ldapMap[rdnTypeAndValue.Value] = true
}
}
}
}
}
}
}
// Find groups by searching in groupDN for any of the memberUid, member or uniqueMember attributes
// and retrieving the CN in the DN result
if cfg.GroupDN != "" {
result, err := c.Search(&ldap.SearchRequest{
BaseDN: cfg.GroupDN,
Scope: 2, // subtree
Filter: fmt.Sprintf("(|(memberUid=%s)(member=%s)(uniqueMember=%s))", ldap.EscapeFilter(username), ldap.EscapeFilter(userDN), ldap.EscapeFilter(userDN)),
})
if err != nil {
return nil, fmt.Errorf("LDAP search failed: %v", err)
}
for _, e := range result.Entries {
dn, err := ldap.ParseDN(e.DN)
if err != nil || len(dn.RDNs) == 0 {
continue
}
for _, rdn := range dn.RDNs {
for _, rdnTypeAndValue := range rdn.Attributes {
if strings.EqualFold(rdnTypeAndValue.Type, "CN") {
ldapMap[rdnTypeAndValue.Value] = true
}
}
}
}
}
ldapGroups := make([]string, len(ldapMap))
for key, _ := range ldapMap {
ldapGroups = append(ldapGroups, key)
}
return ldapGroups, nil
}
/*
* getLdapGroups queries LDAP and returns a slice describing the set of groups the authenticated user is a member of.
*
* The search query is constructed according to cfg.GroupFilter, and run in context of cfg.GroupDN.
* Groups will be resolved from the query results by following the attribute defined in cfg.GroupAttr.
*
* cfg.GroupFilter is a go template and is compiled with the following context: [UserDN, Username]
* UserDN - The DN of the authenticated user
* Username - The Username of the authenticated user
*
* Example:
* cfg.GroupFilter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))"
* cfg.GroupDN = "OU=Groups,DC=myorg,DC=com"
* cfg.GroupAttr = "cn"
*
* NOTE - If cfg.GroupFilter is empty, no query is performed and an empty result slice is returned.
*
*/
func (b *backend) getLdapGroups(cfg *ConfigEntry, c *ldap.Conn, userDN string, username string) ([]string, error) {
// retrieve the groups in a string/bool map as a structure to avoid duplicates inside
ldapMap := make(map[string]bool)
if cfg.GroupFilter == "" {
b.Logger().Warn("auth/ldap: GroupFilter is empty, will not query server")
return make([]string, 0), nil
}
if cfg.GroupDN == "" {
b.Logger().Warn("auth/ldap: GroupDN is empty, will not query server")
return make([]string, 0), nil
}
// If groupfilter was defined, resolve it as a Go template and use the query for
// returning the user's groups
if b.Logger().IsDebug() {
b.Logger().Debug("auth/ldap: Compiling group filter", "group_filter", cfg.GroupFilter)
}
// Parse the configuration as a template.
// Example template "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))"
t, err := template.New("queryTemplate").Parse(cfg.GroupFilter)
if err != nil {
return nil, fmt.Errorf("LDAP search failed due to template compilation error: %v", err)
}
// Build context to pass to template - we will be exposing UserDn and Username.
context := struct {
UserDN string
Username string
}{
ldap.EscapeFilter(userDN),
ldap.EscapeFilter(username),
}
var renderedQuery bytes.Buffer
t.Execute(&renderedQuery, context)
if b.Logger().IsDebug() {
b.Logger().Debug("auth/ldap: Searching", "groupdn", cfg.GroupDN, "rendered_query", renderedQuery.String())
}
result, err := c.Search(&ldap.SearchRequest{
BaseDN: cfg.GroupDN,
Scope: 2, // subtree
Filter: renderedQuery.String(),
Attributes: []string{
cfg.GroupAttr,
},
})
if err != nil {
return nil, fmt.Errorf("LDAP search failed: %v", err)
}
for _, e := range result.Entries {
dn, err := ldap.ParseDN(e.DN)
if err != nil || len(dn.RDNs) == 0 {
continue
}
// Enumerate attributes of each result, parse out CN and add as group
values := e.GetAttributeValues(cfg.GroupAttr)
if len(values) > 0 {
for _, val := range values {
groupCN := b.getCN(val)
ldapMap[groupCN] = true
}
} else {
// If groupattr didn't resolve, use self (enumerating group objects)
groupCN := b.getCN(e.DN)
ldapMap[groupCN] = true
}
}
ldapGroups := make([]string, 0, len(ldapMap))
for key, _ := range ldapMap {
ldapGroups = append(ldapGroups, key)
}
return ldapGroups, nil
}
func (b *backend) Login(req *logical.Request, username string, password string) ([]string, *logical.Response, error) {
cfg, err := b.Config(req)
if err != nil {
return nil, nil, err
}
if cfg == nil {
return nil, logical.ErrorResponse("ldap backend not configured"), nil
}
c, err := cfg.DialLDAP()
if err != nil {
return nil, logical.ErrorResponse(err.Error()), nil
}
if c == nil {
return nil, logical.ErrorResponse("invalid connection returned from LDAP dial"), nil
}
binddn := ""
if cfg.DiscoverDN || (cfg.BindDN != "" && cfg.BindPassword != "") {
if err = c.Bind(cfg.BindDN, cfg.BindPassword); err != nil {
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP bind (service) failed: %v", err)), nil
}
sresult, err := c.Search(&ldap.SearchRequest{
BaseDN: cfg.UserDN,
Scope: 2, // subtree
Filter: fmt.Sprintf("(%s=%s)", cfg.UserAttr, ldap.EscapeFilter(username)),
})
if err != nil {
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP search for binddn failed: %v", err)), nil
}
if len(sresult.Entries) != 1 {
return nil, logical.ErrorResponse("LDAP search for binddn 0 or not uniq"), nil
}
binddn = sresult.Entries[0].DN
} else {
if cfg.UPNDomain != "" {
binddn = fmt.Sprintf("%s@%s", EscapeLDAPValue(username), cfg.UPNDomain)
} else {
binddn = fmt.Sprintf("%s=%s,%s", cfg.UserAttr, EscapeLDAPValue(username), cfg.UserDN)
}
}
if err = c.Bind(binddn, password); err != nil {
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP bind failed: %v", err)), nil
}
userdn := ""
if cfg.UPNDomain != "" {
// Find the distinguished name for the user if userPrincipalName used for login
sresult, err := c.Search(&ldap.SearchRequest{
BaseDN: cfg.UserDN,
Scope: 2, // subtree
Filter: fmt.Sprintf("(userPrincipalName=%s)", ldap.EscapeFilter(binddn)),
})
if err != nil {
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP search failed: %v", err)), nil
}
for _, e := range sresult.Entries {
userdn = e.DN
}
} else {
userdn = binddn
}
var allgroups []string
var policies []string
resp := &logical.Response{
Data: map[string]interface{}{},
}
// Fetch custom (local) groups the user has been added to
user, err := b.User(req.Storage, username)
if err == nil && user != nil {
allgroups = append(allgroups, user.Groups...)
}
if cfg.GroupDN != "" {
// Enumerate all groups the user is member of. The search filter should
// work with both openldap and MS AD standard schemas.
sresult, err := c.Search(&ldap.SearchRequest{
BaseDN: cfg.GroupDN,
Scope: 2, // subtree
Filter: fmt.Sprintf("(|(memberUid=%s)(member=%s)(uniqueMember=%s))", ldap.EscapeFilter(username), ldap.EscapeFilter(userdn), ldap.EscapeFilter(userdn)),
})
if err != nil {
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP search failed: %v", err)), nil
}
for _, e := range sresult.Entries {
dn, err := ldap.ParseDN(e.DN)
if err != nil || len(dn.RDNs) == 0 || len(dn.RDNs[0].Attributes) == 0 {
continue
}
gname := dn.RDNs[0].Attributes[0].Value
allgroups = append(allgroups, gname)
}
} else {
resp.AddWarning("no group DN configured; only policies from locally-defined groups available")
}
for _, gname := range allgroups {
group, err := b.Group(req.Storage, gname)
if err == nil && group != nil {
policies = append(policies, group.Policies...)
}
}
if len(policies) == 0 {
errStr := "user is not a member of any authorized group"
if len(resp.Warnings()) > 0 {
errStr = fmt.Sprintf("%s; additionally, %s", errStr, resp.Warnings()[0])
}
resp.Data["error"] = errStr
return nil, resp, nil
}
return policies, resp, nil
}