// populateCache queries all users to build a map of all the groups. If the cache has already been // populated, this is a no-op. func (e *ADLDAPInterface) populateCache() error { if e.cachePopulated { return nil } searchRequest := e.userQuery.NewSearchRequest(e.requiredUserAttributes()) userEntries, err := ldaputil.QueryForEntries(e.clientConfig, searchRequest) if err != nil { return err } for i := range userEntries { userEntry := userEntries[i] if userEntry == nil { continue } for _, groupAttribute := range e.groupMembershipAttributes { for _, groupUID := range userEntry.GetAttributeValues(groupAttribute) { if _, exists := e.ldapGroupToLDAPMembers[groupUID]; !exists { e.ldapGroupToLDAPMembers[groupUID] = []*ldap.Entry{} } if !isEntryPresent(e.ldapGroupToLDAPMembers[groupUID], userEntry) { e.ldapGroupToLDAPMembers[groupUID] = append(e.ldapGroupToLDAPMembers[groupUID], userEntry) } } } } e.cachePopulated = true return nil }
// ExtractMembers returns the LDAP member entries for a group specified with a ldapGroupUID func (e *ADLDAPInterface) ExtractMembers(ldapGroupUID string) ([]*ldap.Entry, error) { // if we already have it cached, return the cached value if members, present := e.ldapGroupToLDAPMembers[ldapGroupUID]; present { return members, nil } // This happens in cases where we did not list out every group. In that case, we're going to be asked about specific groups. usersInGroup := []*ldap.Entry{} // check for all users with ldapGroupUID in any of the allowed member attributes for _, currAttribute := range e.groupMembershipAttributes { currQuery := ldaputil.LDAPQueryOnAttribute{LDAPQuery: e.userQuery, QueryAttribute: currAttribute} searchRequest, err := currQuery.NewSearchRequest(ldapGroupUID, e.requiredUserAttributes()) if err != nil { return nil, err } currEntries, err := ldaputil.QueryForEntries(e.clientConfig, searchRequest) if err != nil { return nil, err } for _, currEntry := range currEntries { if !isEntryPresent(usersInGroup, currEntry) { usersInGroup = append(usersInGroup, currEntry) } } } e.ldapGroupToLDAPMembers[ldapGroupUID] = usersInGroup return usersInGroup, nil }
// ListGroups queries for all groups as configured with the common group filter and returns their // LDAP group UIDs. This also satisfies the LDAPGroupLister interface func (e *LDAPInterface) ListGroups() ([]string, error) { searchRequest := e.groupQuery.LDAPQuery.NewSearchRequest(e.requiredGroupAttributes()) groups, err := ldaputil.QueryForEntries(e.clientConfig, searchRequest) if err != nil { return nil, err } ldapGroupUIDs := []string{} for _, group := range groups { ldapGroupUID := ldaputil.GetAttributeValue(group, []string{e.groupQuery.QueryAttribute}) if len(ldapGroupUID) == 0 { return nil, fmt.Errorf("unable to find LDAP group UID for %s", group) } e.cachedGroups[ldapGroupUID] = group ldapGroupUIDs = append(ldapGroupUIDs, ldapGroupUID) } return ldapGroupUIDs, nil }
// queryForGroups queries for all groups identified by a common filter in the query config stored // in a GroupListerDataExtractor func (e *LDAPInterface) queryForGroups() ([]*ldap.Entry, error) { // create the search request searchRequest := e.groupQuery.LDAPQuery.NewSearchRequest(e.requiredGroupAttributes()) return ldaputil.QueryForEntries(e.clientConfig, searchRequest) }