func NewLDAPClient(ldapUri, bindDn, bindPass string, searchBase ...string) (ad *LDAPClient, err error) {
protoHostPort := strings.Split(ldapUri, "://")
if len(protoHostPort) != 2 {
err = fmt.Errorf("Invalid LDAP URI: %s", ldapUri)
return
}
ad = &LDAPClient{URI: ldapUri}
if protoHostPort[0] == "ldaps" {
ad.Conn, err = ldap.DialTLS("tcp", protoHostPort[1], &tls.Config{InsecureSkipVerify: true})
} else {
//no ssl port 389
ad.Conn, err = ldap.Dial("tcp", protoHostPort[1])
}
if err != nil {
return
}
if len(searchBase) > 0 {
ad.DefaultSearchBase = searchBase[0]
}
err = ad.Bind(bindDn, bindPass)
return
}
func (a *ldapAuther) Dial() error {
var err error
var certPool *x509.CertPool
if a.server.RootCACert != "" {
certPool := x509.NewCertPool()
for _, caCertFile := range strings.Split(a.server.RootCACert, " ") {
if pem, err := ioutil.ReadFile(caCertFile); err != nil {
return err
} else {
if !certPool.AppendCertsFromPEM(pem) {
return errors.New("Failed to append CA certificate " + caCertFile)
}
}
}
}
for _, host := range strings.Split(a.server.Host, " ") {
address := fmt.Sprintf("%s:%d", host, a.server.Port)
if a.server.UseSSL {
tlsCfg := &tls.Config{
InsecureSkipVerify: a.server.SkipVerifySSL,
ServerName: host,
RootCAs: certPool,
}
a.conn, err = ldap.DialTLS("tcp", address, tlsCfg)
} else {
a.conn, err = ldap.Dial("tcp", address)
}
if err == nil {
return nil
}
}
return err
}
func (a *ldapAuther) Dial() error {
address := fmt.Sprintf("%s:%d", a.server.Host, a.server.Port)
var err error
if a.server.UseSSL {
a.conn, err = ldap.DialTLS("tcp", address, nil)
} else {
a.conn, err = ldap.Dial("tcp", address)
}
return err
}
func (lc *LDAPClient) ConnectAndBind() (err error) {
if strings.HasPrefix(lc.URI, "ldaps") {
lc.LdapConn, err = ldap.DialTLS("tcp", lc.hostPort, &tls.Config{InsecureSkipVerify: true})
} else {
//no ssl port 389
lc.LdapConn, err = ldap.Dial("tcp", lc.hostPort)
}
if err != nil {
return
}
err = lc.LdapConn.Bind(lc.UserBindDN, lc.UserBindPass)
return
}
func (c *ConfigEntry) DialLDAP() (*ldap.Conn, error) {
u, err := url.Parse(c.Url)
if err != nil {
return nil, err
}
host, port, err := net.SplitHostPort(u.Host)
if err != nil {
host = u.Host
}
var conn *ldap.Conn
var tlsConfig *tls.Config
switch u.Scheme {
case "ldap":
if port == "" {
port = "389"
}
conn, err = ldap.Dial("tcp", host+":"+port)
if err != nil {
break
}
if conn == nil {
err = fmt.Errorf("empty connection after dialing")
break
}
if c.StartTLS {
tlsConfig, err = c.GetTLSConfig(host)
if err != nil {
break
}
err = conn.StartTLS(tlsConfig)
}
case "ldaps":
if port == "" {
port = "636"
}
tlsConfig, err = c.GetTLSConfig(host)
if err != nil {
break
}
conn, err = ldap.DialTLS("tcp", host+":"+port, tlsConfig)
default:
return nil, fmt.Errorf("invalid LDAP scheme")
}
if err != nil {
return nil, fmt.Errorf("cannot connect to LDAP: %v", err)
}
return conn, nil
}
func (a *ldapAuther) Dial() error {
address := fmt.Sprintf("%s:%d", a.server.Host, a.server.Port)
var err error
if a.server.UseSSL {
tlsCfg := &tls.Config{
InsecureSkipVerify: a.server.SkipVerifySSL,
ServerName: a.server.Host,
}
a.conn, err = ldap.DialTLS("tcp", address, tlsCfg)
} else {
a.conn, err = ldap.Dial("tcp", address)
}
return err
}
func initLdap() (*ldap.Conn, error) {
l, err := ldap.DialTLS(
"tcp",
fmt.Sprintf("%s:%d", ldapServer, ldapPort),
&tls.Config{InsecureSkipVerify: true},
)
if err != nil {
return nil, err
}
err = l.Bind(user, passwd)
if err != nil {
return nil, err
}
return l, nil
}
func (sua *LdapAuthConfig) connect() (*ldap.Conn, error) {
if sua.Tls {
tlsConfig := &tls.Config{
ServerName: sua.Host,
}
if sua.Insecure {
tlsConfig = &tls.Config{
InsecureSkipVerify: true,
}
}
l, err := ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", sua.Host, sua.Port), tlsConfig)
return l, err
} else {
l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", sua.Host, sua.Port))
return l, err
}
}
//Connect returns an open connection to an Active Directory server specified by the given config
func (c *Config) Connect() (*ldap.Conn, error) {
if c.TLSConfig == nil {
c.TLSConfig = &tls.Config{
ServerName: c.Server,
}
}
switch c.Security {
case SecurityNone:
conn, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", c.Server, c.Port))
if err != nil {
if c.Debug {
log.Printf("DEBUG: LDAP Error %v\n", err)
}
return nil, err
}
return conn, nil
case SecurityTLS:
conn, err := ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", c.Server, c.Port), c.TLSConfig)
if err != nil {
if c.Debug {
log.Printf("DEBUG: LDAP Error %v\n", err)
}
return nil, err
}
return conn, nil
case SecurityStartTLS:
conn, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", c.Server, c.Port))
if err != nil {
if c.Debug {
log.Printf("DEBUG: LDAP Error %v\n", err)
}
return nil, err
}
err = conn.StartTLS(c.TLSConfig)
if err != nil {
if c.Debug {
log.Printf("DEBUG: LDAP Error %v\n", err)
}
return nil, err
}
return conn, nil
default:
return nil, ConfigError("Invalid Security setting")
}
}
// Connect returns an established LDAP connection, or an error if the connection could not
// be made (or successfully upgraded to TLS). If no error is returned, the caller is responsible for
// closing the connection
func (l *LDAPClientConfig) Connect() (*ldap.Conn, error) {
tlsConfig := l.TLSConfig
// Ensure tlsConfig specifies the server we're connecting to
if tlsConfig != nil && !tlsConfig.InsecureSkipVerify && len(tlsConfig.ServerName) == 0 {
// Add to a copy of the tlsConfig to avoid mutating the original
c := *tlsConfig
if host, _, err := net.SplitHostPort(l.Host); err == nil {
c.ServerName = host
} else {
c.ServerName = l.Host
}
tlsConfig = &c
}
switch l.Scheme {
case SchemeLDAP:
con, err := ldap.Dial("tcp", l.Host)
if err != nil {
return nil, err
}
// If an insecure connection is desired, we're done
if l.Insecure {
return con, nil
}
// Attempt to upgrade to TLS
if err := con.StartTLS(tlsConfig); err != nil {
// We're returning an error on a successfully opened connection
// We are responsible for closing the open connection
con.Close()
return nil, err
}
return con, nil
case SchemeLDAPS:
return ldap.DialTLS("tcp", l.Host, tlsConfig)
default:
return nil, fmt.Errorf("unsupported scheme %q", l.Scheme)
}
}
func (la *LDAPAuth) ldapConnection() (*ldap.Conn, error) {
var l *ldap.Conn
var err error
if la.config.TLS == "" || la.config.TLS == "none" || la.config.TLS == "starttls" {
glog.V(2).Infof("Dial: starting...%s", la.config.Addr)
l, err = ldap.Dial("tcp", fmt.Sprintf("%s", la.config.Addr))
if err == nil && la.config.TLS == "starttls" {
glog.V(2).Infof("StartTLS...")
if tlserr := l.StartTLS(&tls.Config{InsecureSkipVerify: la.config.InsecureTLSSkipVerify}); tlserr != nil {
return nil, tlserr
}
}
} else if la.config.TLS == "always" {
glog.V(2).Infof("DialTLS: starting...%s", la.config.Addr)
l, err = ldap.DialTLS("tcp", fmt.Sprintf("%s", la.config.Addr), &tls.Config{InsecureSkipVerify: la.config.InsecureTLSSkipVerify})
}
if err != nil {
return nil, err
}
return l, nil
}
func (ls *LdapSource) dial() (*ldap.Conn, error) {
if ls.c != nil {
return ls.c, nil
}
var err error
if ls.UseSSL {
ls.c, err = ldap.DialTLS("tcp", ls.Addr, &tls.Config{InsecureSkipVerify: true})
} else {
ls.c, err = ldap.Dial("tcp", ls.Addr)
}
if err != nil {
log.Printf("LDAP Connect error, %s:%v", ls.Addr, err)
ls.Enabled = false
return nil, err
}
// ls.c.Debug = ls.Debug
return ls.c, nil
}