wangwei
/
aiforge
Not watched
1
0
Fork 0
Code
Releases 128 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
5863 Commits
197 Branches
346 MB
572 Download
Tree: 013db70fce
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '013db70fce'
${ noResults }
aiforge/modules/auth/ldap/ldap.go

ldap.go 9.4 kB
Raw Normal View History

Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
10 years ago
initial support for LDAP authentication/MSAD
11 years ago
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
10 years ago
initial support for LDAP authentication/MSAD
11 years ago
#1637 able to skip verify for LDAP
10 years ago
initial support for LDAP authentication/MSAD
11 years ago
Sanitizing input to LDAP authentication module.
10 years ago
ldap support
11 years ago
Use better LDAP lib and should fix #1139
10 years ago
Update import paths from github.com/go-gitea to code.gitea.io (#135) - Update import paths from github.com/go-gitea to code.gitea.io - Fix import path for travis See https://docs.travis-ci.com/user/languages/go#Go-Import-Path
9 years ago
initial support for LDAP authentication/MSAD
11 years ago
golint fixed for modules/auth
9 years ago
Use SecurityProtocol to replace UseSSL in LDAP config Initially proposed by #2376 and fixes #3068 as well.
9 years ago
Security protocols
9 years ago
Fix type in unused constant name (#111) * Write LDAP, SMTP, PAM, DLDAP back to all uppercase * Fix type in unused constant name * Other MixCased fixes * Complete MixerCasing of template constants * Re uppercase LTS and LDAPS suffixes * Uppercase JSON suffix in constant names * Proper case LoginNoType * Prefix unexported template path constants with "tpl"
9 years ago
Use SecurityProtocol to replace UseSSL in LDAP config Initially proposed by #2376 and fixes #3068 as well.
9 years ago
golint fixed for modules/auth
9 years ago
#1637 able to skip verify for LDAP
10 years ago
LDAP: Optional user name attribute specification Consider following LDAP search query example: (&(objectClass=Person)(|(uid=%s)(mail=%s))) Right now on first login attempt Gogs will use the text supplied on login form as the newly created user name. In example query above the text matches against both e-mail or user name. So if user puts the e-mail then the new Gogs user name will be e-mail which may be undesired. Using optional user name attribute setting we can explicitly say we want Gogs user name to be certain LDAP attribute eg. `uid`, so even user will use e-mail to login 1st time, the new account will receive correct user name.
10 years ago
Use SecurityProtocol to replace UseSSL in LDAP config Initially proposed by #2376 and fixes #3068 as well.
9 years ago
LDAP: Optional user name attribute specification Consider following LDAP search query example: (&(objectClass=Person)(|(uid=%s)(mail=%s))) Right now on first login attempt Gogs will use the text supplied on login form as the newly created user name. In example query above the text matches against both e-mail or user name. So if user puts the e-mail then the new Gogs user name will be e-mail which may be undesired. Using optional user name attribute setting we can explicitly say we want Gogs user name to be certain LDAP attribute eg. `uid`, so even user will use e-mail to login 1st time, the new account will receive correct user name.
10 years ago
LDAP: Fetch attributes in Bind DN context option This is feature is workaround for #2628 (JumpCloud) and some other services that allow LDAP search only under BindDN user account, but not allow any LDAP search query in logged user DN context. Such approach is an alternative to minimal permissions security pattern for BindDN user.
9 years ago
LDAP: Optional user name attribute specification Consider following LDAP search query example: (&(objectClass=Person)(|(uid=%s)(mail=%s))) Right now on first login attempt Gogs will use the text supplied on login form as the newly created user name. In example query above the text matches against both e-mail or user name. So if user puts the e-mail then the new Gogs user name will be e-mail which may be undesired. Using optional user name attribute setting we can explicitly say we want Gogs user name to be certain LDAP attribute eg. `uid`, so even user will use e-mail to login 1st time, the new account will receive correct user name.
10 years ago
initial support for LDAP authentication/MSAD
11 years ago
LDAP user synchronization (#1478)
8 years ago
Sanitizing input to LDAP authentication module.
10 years ago
Correct ldap username validation. (#2880) PR #342 was only partially applied. Spaces should not be at the start and end of a username but they can be inside.
8 years ago
Sanitizing input to LDAP authentication module.
10 years ago
LDAP: Use single connection in BindDN mode auth According to RFC 4511 4.2.1. Processing of the Bind Request "Clients may send multiple Bind requests to change the authentication and/or security associations or to complete a multi-stage Bind process. Authentication from earlier binds is subsequently ignored." Therefore we should not use 2 connections, but single one just sending two bind requests.
9 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
LDAP: Use single connection in BindDN mode auth According to RFC 4511 4.2.1. Processing of the Bind Request "Clients may send multiple Bind requests to change the authentication and/or security associations or to complete a multi-stage Bind process. Authentication from earlier binds is subsequently ignored." Therefore we should not use 2 connections, but single one just sending two bind requests.
9 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
work on #986 and fix a LDAP crash
10 years ago
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
10 years ago
initial support for LDAP authentication/MSAD
11 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
Sanitizing input to LDAP authentication module.
10 years ago
LDAP: Make a bit more detailed log traces This is useful especially to check whether we fetch right attributes, using right LDAP search base and in right order.
9 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
work on #986 and fix a LDAP crash
10 years ago
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
10 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
10 years ago
initial support for LDAP authentication/MSAD
11 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
10 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
Fix misspelled words
10 years ago
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
10 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
10 years ago
initial support for LDAP authentication/MSAD
11 years ago
Use SecurityProtocol to replace UseSSL in LDAP config Initially proposed by #2376 and fixes #3068 as well.
9 years ago
Fix type in unused constant name (#111) * Write LDAP, SMTP, PAM, DLDAP back to all uppercase * Fix type in unused constant name * Other MixCased fixes * Complete MixerCasing of template constants * Re uppercase LTS and LDAPS suffixes * Uppercase JSON suffix in constant names * Proper case LoginNoType * Prefix unexported template path constants with "tpl"
9 years ago
Use SecurityProtocol to replace UseSSL in LDAP config Initially proposed by #2376 and fixes #3068 as well.
9 years ago
Fix type in unused constant name (#111) * Write LDAP, SMTP, PAM, DLDAP back to all uppercase * Fix type in unused constant name * Other MixCased fixes * Complete MixerCasing of template constants * Re uppercase LTS and LDAPS suffixes * Uppercase JSON suffix in constant names * Proper case LoginNoType * Prefix unexported template path constants with "tpl"
9 years ago
Use SecurityProtocol to replace UseSSL in LDAP config Initially proposed by #2376 and fixes #3068 as well.
9 years ago
LDAP user synchronization (#1478)
8 years ago
golint fixed for modules/auth
9 years ago
LDAP user synchronization (#1478)
8 years ago
Correction LDAP validation (#342) * Correction LDAP username validation As https://msdn.microsoft.com/en-us/library/aa366101(v=vs.85).aspx describe spaces should not be in start or at the end of username but they can be inside the username. So please check my solution for it. * Check for zero length passwords in LDAP module. According to https://tools.ietf.org/search/rfc4513#section-5.1.2 LDAP client should always check before bind whether a password is an empty value. There are at least one LDAP implementation which does not return error if you try to bind with DN set and empty password - AD. * Clearing the login/email spaces at the [start/end]
9 years ago
LDAP user synchronization (#1478)
8 years ago
Correction LDAP validation (#342) * Correction LDAP username validation As https://msdn.microsoft.com/en-us/library/aa366101(v=vs.85).aspx describe spaces should not be in start or at the end of username but they can be inside the username. So please check my solution for it. * Check for zero length passwords in LDAP module. According to https://tools.ietf.org/search/rfc4513#section-5.1.2 LDAP client should always check before bind whether a password is an empty value. There are at least one LDAP implementation which does not return error if you try to bind with DN set and empty password - AD. * Clearing the login/email spaces at the [start/end]
9 years ago
Use SecurityProtocol to replace UseSSL in LDAP config Initially proposed by #2376 and fixes #3068 as well.
9 years ago
LDAP: Use single connection in BindDN mode auth According to RFC 4511 4.2.1. Processing of the Bind Request "Clients may send multiple Bind requests to change the authentication and/or security associations or to complete a multi-stage Bind process. Authentication from earlier binds is subsequently ignored." Therefore we should not use 2 connections, but single one just sending two bind requests.
9 years ago
LDAP user synchronization (#1478)
8 years ago
LDAP: Use single connection in BindDN mode auth According to RFC 4511 4.2.1. Processing of the Bind Request "Clients may send multiple Bind requests to change the authentication and/or security associations or to complete a multi-stage Bind process. Authentication from earlier binds is subsequently ignored." Therefore we should not use 2 connections, but single one just sending two bind requests.
9 years ago
Added LDAP simple auth support.
10 years ago
revert simple LDAP userDN and update example
10 years ago
Sanitizing input to LDAP authentication module.
10 years ago
LDAP user synchronization (#1478)
8 years ago
Sanitizing input to LDAP authentication module.
10 years ago
Added LDAP simple auth support.
10 years ago
LDAP: Use single connection in BindDN mode auth According to RFC 4511 4.2.1. Processing of the Bind Request "Clients may send multiple Bind requests to change the authentication and/or security associations or to complete a multi-stage Bind process. Authentication from earlier binds is subsequently ignored." Therefore we should not use 2 connections, but single one just sending two bind requests.
9 years ago
Added LDAP simple auth support.
10 years ago
LDAP user synchronization (#1478)
8 years ago
Added LDAP simple auth support.
10 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
LDAP: Fetch attributes in Bind DN context option This is feature is workaround for #2628 (JumpCloud) and some other services that allow LDAP search only under BindDN user account, but not allow any LDAP search query in logged user DN context. Such approach is an alternative to minimal permissions security pattern for BindDN user.
9 years ago
LDAP user synchronization (#1478)
8 years ago
LDAP: Fetch attributes in Bind DN context option This is feature is workaround for #2628 (JumpCloud) and some other services that allow LDAP search only under BindDN user account, but not allow any LDAP search query in logged user DN context. Such approach is an alternative to minimal permissions security pattern for BindDN user.
9 years ago
initial support for LDAP authentication/MSAD
11 years ago
Sanitizing input to LDAP authentication module.
10 years ago
LDAP user synchronization (#1478)
8 years ago
Sanitizing input to LDAP authentication module.
10 years ago
LDAP: Make a bit more detailed log traces This is useful especially to check whether we fetch right attributes, using right LDAP search base and in right order.
9 years ago
Remove ldap dep
11 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
Fix #2221 LDAP username attribute must be fetched This is fix-up for 573305f. Forgot to fetch AttributeUsername value from the LDAP server, so the setting was effectively not working as intended.
9 years ago
initial support for LDAP authentication/MSAD
11 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
initial support for LDAP authentication/MSAD
11 years ago
work on #986 and fix a LDAP crash
10 years ago
LDAP user synchronization (#1478)
8 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
Added LDAP simple auth support.
10 years ago
LDAP user synchronization (#1478)
8 years ago
initial support for LDAP authentication/MSAD
11 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
#2709 validate username attribute fetched from LDAP
9 years ago
LDAP user synchronization (#1478)
8 years ago
Set IsAdmin using LDAP The IsAdmin flag is set based on whether the admin filter returned any result. The admin filter is applied with the user dn as the search root. In the future, we should update IsAdmin as well on each login. Alternately, we can have a periodic sync operation.
10 years ago
LDAP user synchronization (#1478)
8 years ago
#1554 check adminFilter length before LDAP search
10 years ago
LDAP user synchronization (#1478)
8 years ago
#1554 check adminFilter length before LDAP search
10 years ago
Set IsAdmin using LDAP The IsAdmin flag is set based on whether the admin filter returned any result. The admin filter is applied with the user dn as the search root. In the future, we should update IsAdmin as well on each login. Alternately, we can have a periodic sync operation.
10 years ago
LDAP user synchronization (#1478)
8 years ago
LDAP: Fetch attributes in Bind DN context option This is feature is workaround for #2628 (JumpCloud) and some other services that allow LDAP search only under BindDN user account, but not allow any LDAP search query in logged user DN context. Such approach is an alternative to minimal permissions security pattern for BindDN user.
9 years ago
LDAP user synchronization (#1478)
8 years ago
LDAP: Fetch attributes in Bind DN context option This is feature is workaround for #2628 (JumpCloud) and some other services that allow LDAP search only under BindDN user account, but not allow any LDAP search query in logged user DN context. Such approach is an alternative to minimal permissions security pattern for BindDN user.
9 years ago
LDAP user synchronization (#1478)
8 years ago
initial support for LDAP authentication/MSAD
11 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320 
  1. // Copyright 2014 The Gogs Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. // Package ldap provide functions & structure to query a LDAP ldap directory

  6. // For now, it's mainly tested again an MS Active Directory service, see README.md for more information

  7. package ldap

  8. 

  9. import (

  10. 	"crypto/tls"

  11. 	"fmt"

  12. 	"strings"

  13. 

  14. 	"gopkg.in/ldap.v2"

  15. 

  16. 	"code.gitea.io/gitea/modules/log"

  17. )

  18. 

  19. // SecurityProtocol protocol type

  20. type SecurityProtocol int

  21. 

  22. // Note: new type must be added at the end of list to maintain compatibility.

  23. const (

  24. 	SecurityProtocolUnencrypted SecurityProtocol = iota

  25. 	SecurityProtocolLDAPS

  26. 	SecurityProtocolStartTLS

  27. )

  28. 

  29. // Source Basic LDAP authentication service

  30. type Source struct {

  31. 	Name              string // canonical name (ie. corporate.ad)

  32. 	Host              string // LDAP host

  33. 	Port              int    // port number

  34. 	SecurityProtocol  SecurityProtocol

  35. 	SkipVerify        bool

  36. 	BindDN            string // DN to bind with

  37. 	BindPassword      string // Bind DN password

  38. 	UserBase          string // Base search path for users

  39. 	UserDN            string // Template for the DN of the user for simple auth

  40. 	AttributeUsername string // Username attribute

  41. 	AttributeName     string // First name attribute

  42. 	AttributeSurname  string // Surname attribute

  43. 	AttributeMail     string // E-mail attribute

  44. 	AttributesInBind  bool   // fetch attributes in bind context (not user)

  45. 	Filter            string // Query filter to validate entry

  46. 	AdminFilter       string // Query filter to check if user is admin

  47. 	Enabled           bool   // if this source is disabled

  48. }

  49. 

  50. // SearchResult : user data

  51. type SearchResult struct {

  52. 	Username string // Username

  53. 	Name     string // Name

  54. 	Surname  string // Surname

  55. 	Mail     string // E-mail address

  56. 	IsAdmin  bool   // if user is administrator

  57. }

  58. 

  59. func (ls *Source) sanitizedUserQuery(username string) (string, bool) {

  60. 	// See http://tools.ietf.org/search/rfc4515

  61. 	badCharacters := "\x00()*\\"

  62. 	if strings.ContainsAny(username, badCharacters) {

  63. 		log.Debug("'%s' contains invalid query characters. Aborting.", username)

  64. 		return "", false

  65. 	}

  66. 

  67. 	return fmt.Sprintf(ls.Filter, username), true

  68. }

  69. 

  70. func (ls *Source) sanitizedUserDN(username string) (string, bool) {

  71. 	// See http://tools.ietf.org/search/rfc4514: "special characters"

  72. 	badCharacters := "\x00()*\\,='\"#+;<>"

  73. 	if strings.ContainsAny(username, badCharacters) {

  74. 		log.Debug("'%s' contains invalid DN characters. Aborting.", username)

  75. 		return "", false

  76. 	}

  77. 

  78. 	return fmt.Sprintf(ls.UserDN, username), true

  79. }

  80. 

  81. func (ls *Source) findUserDN(l *ldap.Conn, name string) (string, bool) {

  82. 	log.Trace("Search for LDAP user: %s", name)

  83. 	if ls.BindDN != "" && ls.BindPassword != "" {

  84. 		err := l.Bind(ls.BindDN, ls.BindPassword)

  85. 		if err != nil {

  86. 			log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)

  87. 			return "", false

  88. 		}

  89. 		log.Trace("Bound as BindDN %s", ls.BindDN)

  90. 	} else {

  91. 		log.Trace("Proceeding with anonymous LDAP search.")

  92. 	}

  93. 

  94. 	// A search for the user.

  95. 	userFilter, ok := ls.sanitizedUserQuery(name)

  96. 	if !ok {

  97. 		return "", false

  98. 	}

  99. 

  100. 	log.Trace("Searching for DN using filter %s and base %s", userFilter, ls.UserBase)

  101. 	search := ldap.NewSearchRequest(

  102. 		ls.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0,

  103. 		false, userFilter, []string{}, nil)

  104. 

  105. 	// Ensure we found a user

  106. 	sr, err := l.Search(search)

  107. 	if err != nil || len(sr.Entries) < 1 {

  108. 		log.Debug("Failed search using filter[%s]: %v", userFilter, err)

  109. 		return "", false

  110. 	} else if len(sr.Entries) > 1 {

  111. 		log.Debug("Filter '%s' returned more than one user.", userFilter)

  112. 		return "", false

  113. 	}

  114. 

  115. 	userDN := sr.Entries[0].DN

  116. 	if userDN == "" {

  117. 		log.Error(4, "LDAP search was successful, but found no DN!")

  118. 		return "", false

  119. 	}

  120. 

  121. 	return userDN, true

  122. }

  123. 

  124. func dial(ls *Source) (*ldap.Conn, error) {

  125. 	log.Trace("Dialing LDAP with security protocol (%v) without verifying: %v", ls.SecurityProtocol, ls.SkipVerify)

  126. 

  127. 	tlsCfg := &tls.Config{

  128. 		ServerName:         ls.Host,

  129. 		InsecureSkipVerify: ls.SkipVerify,

  130. 	}

  131. 	if ls.SecurityProtocol == SecurityProtocolLDAPS {

  132. 		return ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", ls.Host, ls.Port), tlsCfg)

  133. 	}

  134. 

  135. 	conn, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", ls.Host, ls.Port))

  136. 	if err != nil {

  137. 		return nil, fmt.Errorf("Dial: %v", err)

  138. 	}

  139. 

  140. 	if ls.SecurityProtocol == SecurityProtocolStartTLS {

  141. 		if err = conn.StartTLS(tlsCfg); err != nil {

  142. 			conn.Close()

  143. 			return nil, fmt.Errorf("StartTLS: %v", err)

  144. 		}

  145. 	}

  146. 

  147. 	return conn, nil

  148. }

  149. 

  150. func bindUser(l *ldap.Conn, userDN, passwd string) error {

  151. 	log.Trace("Binding with userDN: %s", userDN)

  152. 	err := l.Bind(userDN, passwd)

  153. 	if err != nil {

  154. 		log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)

  155. 		return err

  156. 	}

  157. 	log.Trace("Bound successfully with userDN: %s", userDN)

  158. 	return err

  159. }

  160. 

  161. func checkAdmin(l *ldap.Conn, ls *Source, userDN string) bool {

  162. 	if len(ls.AdminFilter) > 0 {

  163. 		log.Trace("Checking admin with filter %s and base %s", ls.AdminFilter, userDN)

  164. 		search := ldap.NewSearchRequest(

  165. 			userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.AdminFilter,

  166. 			[]string{ls.AttributeName},

  167. 			nil)

  168. 

  169. 		sr, err := l.Search(search)

  170. 

  171. 		if err != nil {

  172. 			log.Error(4, "LDAP Admin Search failed unexpectedly! (%v)", err)

  173. 		} else if len(sr.Entries) < 1 {

  174. 			log.Error(4, "LDAP Admin Search failed")

  175. 		} else {

  176. 			return true

  177. 		}

  178. 	}

  179. 	return false

  180. }

  181. 

  182. // SearchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter

  183. func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResult {

  184. 	// See https://tools.ietf.org/search/rfc4513#section-5.1.2

  185. 	if len(passwd) == 0 {

  186. 		log.Debug("Auth. failed for %s, password cannot be empty")

  187. 		return nil

  188. 	}

  189. 	l, err := dial(ls)

  190. 	if err != nil {

  191. 		log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)

  192. 		ls.Enabled = false

  193. 		return nil

  194. 	}

  195. 	defer l.Close()

  196. 

  197. 	var userDN string

  198. 	if directBind {

  199. 		log.Trace("LDAP will bind directly via UserDN template: %s", ls.UserDN)

  200. 

  201. 		var ok bool

  202. 		userDN, ok = ls.sanitizedUserDN(name)

  203. 		if !ok {

  204. 			return nil

  205. 		}

  206. 	} else {

  207. 		log.Trace("LDAP will use BindDN.")

  208. 

  209. 		var found bool

  210. 		userDN, found = ls.findUserDN(l, name)

  211. 		if !found {

  212. 			return nil

  213. 		}

  214. 	}

  215. 

  216. 	if directBind || !ls.AttributesInBind {

  217. 		// binds user (checking password) before looking-up attributes in user context

  218. 		err = bindUser(l, userDN, passwd)

  219. 		if err != nil {

  220. 			return nil

  221. 		}

  222. 	}

  223. 

  224. 	userFilter, ok := ls.sanitizedUserQuery(name)

  225. 	if !ok {

  226. 		return nil

  227. 	}

  228. 

  229. 	log.Trace("Fetching attributes '%v', '%v', '%v', '%v' with filter %s and base %s", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, userFilter, userDN)

  230. 	search := ldap.NewSearchRequest(

  231. 		userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,

  232. 		[]string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail},

  233. 		nil)

  234. 

  235. 	sr, err := l.Search(search)

  236. 	if err != nil {

  237. 		log.Error(4, "LDAP Search failed unexpectedly! (%v)", err)

  238. 		return nil

  239. 	} else if len(sr.Entries) < 1 {

  240. 		if directBind {

  241. 			log.Error(4, "User filter inhibited user login.")

  242. 		} else {

  243. 			log.Error(4, "LDAP Search failed unexpectedly! (0 entries)")

  244. 		}

  245. 

  246. 		return nil

  247. 	}

  248. 

  249. 	username := sr.Entries[0].GetAttributeValue(ls.AttributeUsername)

  250. 	firstname := sr.Entries[0].GetAttributeValue(ls.AttributeName)

  251. 	surname := sr.Entries[0].GetAttributeValue(ls.AttributeSurname)

  252. 	mail := sr.Entries[0].GetAttributeValue(ls.AttributeMail)

  253. 	isAdmin := checkAdmin(l, ls, userDN)

  254. 

  255. 	if !directBind && ls.AttributesInBind {

  256. 		// binds user (checking password) after looking-up attributes in BindDN context

  257. 		err = bindUser(l, userDN, passwd)

  258. 		if err != nil {

  259. 			return nil

  260. 		}

  261. 	}

  262. 

  263. 	return &SearchResult{

  264. 		Username: username,

  265. 		Name:     firstname,

  266. 		Surname:  surname,

  267. 		Mail:     mail,

  268. 		IsAdmin:  isAdmin,

  269. 	}

  270. }

  271. 

  272. // SearchEntries : search an LDAP source for all users matching userFilter

  273. func (ls *Source) SearchEntries() []*SearchResult {

  274. 	l, err := dial(ls)

  275. 	if err != nil {

  276. 		log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)

  277. 		ls.Enabled = false

  278. 		return nil

  279. 	}

  280. 	defer l.Close()

  281. 

  282. 	if ls.BindDN != "" && ls.BindPassword != "" {

  283. 		err := l.Bind(ls.BindDN, ls.BindPassword)

  284. 		if err != nil {

  285. 			log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)

  286. 			return nil

  287. 		}

  288. 		log.Trace("Bound as BindDN %s", ls.BindDN)

  289. 	} else {

  290. 		log.Trace("Proceeding with anonymous LDAP search.")

  291. 	}

  292. 

  293. 	userFilter := fmt.Sprintf(ls.Filter, "*")

  294. 

  295. 	log.Trace("Fetching attributes '%v', '%v', '%v', '%v' with filter %s and base %s", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, userFilter, ls.UserBase)

  296. 	search := ldap.NewSearchRequest(

  297. 		ls.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,

  298. 		[]string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail},

  299. 		nil)

  300. 

  301. 	sr, err := l.Search(search)

  302. 	if err != nil {

  303. 		log.Error(4, "LDAP Search failed unexpectedly! (%v)", err)

  304. 		return nil

  305. 	}

  306. 

  307. 	result := make([]*SearchResult, len(sr.Entries))

  308. 

  309. 	for i, v := range sr.Entries {

  310. 		result[i] = &SearchResult{

  311. 			Username: v.GetAttributeValue(ls.AttributeUsername),

  312. 			Name:     v.GetAttributeValue(ls.AttributeName),

  313. 			Surname:  v.GetAttributeValue(ls.AttributeSurname),

  314. 			Mail:     v.GetAttributeValue(ls.AttributeMail),

  315. 			IsAdmin:  checkAdmin(l, ls, v.DN),

  316. 		}

  317. 	}

  318. 

  319. 	return result

  320. }

No Description