mirror of
https://github.com/optim-enterprises-bv/vault.git
synced 2025-11-02 19:47:54 +00:00
- updated refactored functions in ldap backend to return error instead of ldap response and fixed interrupted search in ldap groups search func
This commit is contained in:
leon
@@ -103,23 +103,23 @@ func (b *backend) Login(req *logical.Request, username string, password string)
|
|||||||
return nil, logical.ErrorResponse("invalid connection returned from LDAP dial"), nil
|
return nil, logical.ErrorResponse("invalid connection returned from LDAP dial"), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
bindDN, response := getBindDN(cfg, c, username)
|
bindDN, err := getBindDN(cfg, c, username)
|
||||||
if response != nil {
|
if err != nil {
|
||||||
return nil, response, nil
|
return nil, logical.ErrorResponse(err.Error()), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
if err = c.Bind(bindDN, password); err != nil {
|
if err = c.Bind(bindDN, password); err != nil {
|
||||||
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP bind failed: %v", err)), nil
|
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP bind failed: %v", err)), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
userDN, response := getUserDN(cfg, c, bindDN)
|
userDN, err := getUserDN(cfg, c, bindDN)
|
||||||
if response != nil {
|
if err != nil {
|
||||||
return nil, response, nil
|
return nil, logical.ErrorResponse(err.Error()), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
ldapGroups, response := getLdapGroups(cfg, c, userDN, username)
|
ldapGroups, err := getLdapGroups(cfg, c, userDN, username)
|
||||||
if response != nil {
|
if err != nil {
|
||||||
return nil, response, nil
|
return nil, logical.ErrorResponse(err.Error()), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
ldapResponse := &logical.Response{
|
ldapResponse := &logical.Response{
|
||||||
@@ -164,11 +164,11 @@ func (b *backend) Login(req *logical.Request, username string, password string)
|
|||||||
return policies, ldapResponse, nil
|
return policies, ldapResponse, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func getBindDN(cfg *ConfigEntry, c *ldap.Conn, username string) (string, *logical.Response) {
|
func getBindDN(cfg *ConfigEntry, c *ldap.Conn, username string) (string, error) {
|
||||||
bindDN := ""
|
bindDN := ""
|
||||||
if cfg.DiscoverDN || (cfg.BindDN != "" && cfg.BindPassword != "") {
|
if cfg.DiscoverDN || (cfg.BindDN != "" && cfg.BindPassword != "") {
|
||||||
if err := c.Bind(cfg.BindDN, cfg.BindPassword); err != nil {
|
if err := c.Bind(cfg.BindDN, cfg.BindPassword); err != nil {
|
||||||
return bindDN, logical.ErrorResponse(fmt.Sprintf("LDAP bind (service) failed: %v", err))
|
return bindDN, fmt.Errorf("LDAP bind (service) failed: %v", err)
|
||||||
}
|
}
|
||||||
result, err := c.Search(&ldap.SearchRequest{
|
result, err := c.Search(&ldap.SearchRequest{
|
||||||
BaseDN: cfg.UserDN,
|
BaseDN: cfg.UserDN,
|
||||||
@@ -176,10 +176,10 @@ func getBindDN(cfg *ConfigEntry, c *ldap.Conn, username string) (string, *logica
|
|||||||
Filter: fmt.Sprintf("(%s=%s)", cfg.UserAttr, ldap.EscapeFilter(username)),
|
Filter: fmt.Sprintf("(%s=%s)", cfg.UserAttr, ldap.EscapeFilter(username)),
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return bindDN, logical.ErrorResponse(fmt.Sprintf("LDAP search for binddn failed: %v", err))
|
return bindDN, fmt.Errorf("LDAP search for binddn failed: %v", err)
|
||||||
}
|
}
|
||||||
if len(result.Entries) != 1 {
|
if len(result.Entries) != 1 {
|
||||||
return bindDN, logical.ErrorResponse("LDAP search for binddn 0 or not unique")
|
return bindDN, fmt.Errorf("LDAP search for binddn 0 or not unique")
|
||||||
}
|
}
|
||||||
bindDN = result.Entries[0].DN
|
bindDN = result.Entries[0].DN
|
||||||
} else {
|
} else {
|
||||||
@@ -193,61 +193,61 @@ func getBindDN(cfg *ConfigEntry, c *ldap.Conn, username string) (string, *logica
|
|||||||
return bindDN, nil
|
return bindDN, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func getUserDN(cfg *ConfigEntry,c *ldap.Conn, binddn string) (string , *logical.Response) {
|
func getUserDN(cfg *ConfigEntry,c *ldap.Conn, bindDN string) (string , error) {
|
||||||
userDN := ""
|
userDN := ""
|
||||||
if cfg.UPNDomain != "" {
|
if cfg.UPNDomain != "" {
|
||||||
// Find the distinguished name for the user if userPrincipalName used for login
|
// Find the distinguished name for the user if userPrincipalName used for login
|
||||||
result, err := c.Search(&ldap.SearchRequest{
|
result, err := c.Search(&ldap.SearchRequest{
|
||||||
BaseDN: cfg.UserDN,
|
BaseDN: cfg.UserDN,
|
||||||
Scope: 2, // subtree
|
Scope: 2, // subtree
|
||||||
Filter: fmt.Sprintf("(userPrincipalName=%s)", ldap.EscapeFilter(binddn)),
|
Filter: fmt.Sprintf("(userPrincipalName=%s)", ldap.EscapeFilter(bindDN)),
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return userDN, logical.ErrorResponse(fmt.Sprintf("LDAP search failed for detecting user: %v", err))
|
return userDN, fmt.Errorf("LDAP search failed for detecting user: %v", err)
|
||||||
}
|
}
|
||||||
for _, e := range result.Entries {
|
for _, e := range result.Entries {
|
||||||
userDN = e.DN
|
userDN = e.DN
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
userDN = binddn
|
userDN = bindDN
|
||||||
}
|
}
|
||||||
|
|
||||||
return userDN, nil
|
return userDN, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func getLdapGroups(cfg *ConfigEntry, c *ldap.Conn, userdn string, username string) ([]string, *logical.Response) {
|
func getLdapGroups(cfg *ConfigEntry, c *ldap.Conn, userDN string, username string) ([]string, error) {
|
||||||
// retrieve the groups in a string/bool map as a structure to avoid duplicates inside
|
// retrieve the groups in a string/bool map as a structure to avoid duplicates inside
|
||||||
ldapMap := make(map[string]bool)
|
ldapMap := make(map[string]bool)
|
||||||
// Fetch the optional memberOf property values on the user object
|
// Fetch the optional memberOf property values on the user object
|
||||||
// This is the most common method used in Active Directory setup to retrieve the groups
|
// This is the most common method used in Active Directory setup to retrieve the groups
|
||||||
result, err := c.Search(&ldap.SearchRequest{
|
result, err := c.Search(&ldap.SearchRequest{
|
||||||
BaseDN: userdn,
|
BaseDN: userDN,
|
||||||
Scope: 0, // base scope to fetch only the userdn
|
Scope: 0, // base scope to fetch only the userDN
|
||||||
Filter: "(cn=*)", // bogus filter, required to fetch the userdn
|
Filter: "(cn=*)", // bogus filter, required to fetch the CN from userDN
|
||||||
Attributes: []string{
|
Attributes: []string{
|
||||||
"memberOf",
|
"memberOf",
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
|
// this check remains in case something happens with the ldap query or connection
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP fetch of distinguishedName=%s failed: %v", userdn, err))
|
return nil, fmt.Errorf("LDAP fetch of distinguishedName=%s failed: %v", userDN, err)
|
||||||
}
|
|
||||||
if len(result.Entries) != 1 {
|
|
||||||
return nil, logical.ErrorResponse("LDAP search for binddn 0 or not unique")
|
|
||||||
}
|
}
|
||||||
|
// if there are more than one entry, we consider the results irrelevant and ignore them
|
||||||
|
if len(result.Entries) == 1 {
|
||||||
|
for _, attr := range result.Entries[0].Attributes {
|
||||||
|
// Find the groups the user is member of from the 'memberOf' attribute extracting the CN
|
||||||
|
if attr.Name == "memberOf" {
|
||||||
|
for _, value := range attr.Values {
|
||||||
|
memberOfDN, err := ldap.ParseDN(value)
|
||||||
|
if err != nil || len(memberOfDN.RDNs) == 0 {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
for _, attr := range result.Entries[0].Attributes {
|
for _, rdn := range memberOfDN.RDNs {
|
||||||
// Find the groups the user is member of from the 'memberOf' attribute extracting the CN
|
for _, rdnTypeAndValue := range rdn.Attributes {
|
||||||
if attr.Name == "memberOf" {
|
if strings.EqualFold(rdnTypeAndValue.Type, "CN") {
|
||||||
for _,value := range attr.Values {
|
ldapMap[rdnTypeAndValue.Value] = true
|
||||||
memberOfDN, err := ldap.ParseDN(value)
|
}
|
||||||
if err != nil || len(memberOfDN.RDNs) == 0 {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, rdn := range memberOfDN.RDNs {
|
|
||||||
for _, rdnTypeAndValue := range rdn.Attributes {
|
|
||||||
if strings.EqualFold(rdnTypeAndValue.Type, "CN") {
|
|
||||||
ldapMap[rdnTypeAndValue.Value] = true
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -261,10 +261,10 @@ func getLdapGroups(cfg *ConfigEntry, c *ldap.Conn, userdn string, username strin
|
|||||||
result, err := c.Search(&ldap.SearchRequest{
|
result, err := c.Search(&ldap.SearchRequest{
|
||||||
BaseDN: cfg.GroupDN,
|
BaseDN: cfg.GroupDN,
|
||||||
Scope: 2, // subtree
|
Scope: 2, // subtree
|
||||||
Filter: fmt.Sprintf("(|(memberUid=%s)(member=%s)(uniqueMember=%s))", ldap.EscapeFilter(username), ldap.EscapeFilter(userdn), ldap.EscapeFilter(userdn)),
|
Filter: fmt.Sprintf("(|(memberUid=%s)(member=%s)(uniqueMember=%s))", ldap.EscapeFilter(username), ldap.EscapeFilter(userDN), ldap.EscapeFilter(userDN)),
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP search failed: %v", err))
|
return nil, fmt.Errorf("LDAP search failed: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, e := range result.Entries {
|
for _, e := range result.Entries {
|
||||||
|
|||||||
Reference in New Issue
Block a user