wangwei
/
aiforge
Not watched
1
0
Fork 0
Code
Releases 128 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
6243 Commits
197 Branches
346 MB
2777 Download
Tree: 2174663285
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '2174663285'
${ noResults }
aiforge/modules/auth/ldap/ldap.go

ldap.go 9.7 kB
Raw Normal View History

Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
10 years ago
initial support for LDAP authentication/MSAD
12 years ago
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
10 years ago
initial support for LDAP authentication/MSAD
12 years ago
#1637 able to skip verify for LDAP
10 years ago
initial support for LDAP authentication/MSAD
12 years ago
Sanitizing input to LDAP authentication module.
10 years ago
ldap support
12 years ago
Use better LDAP lib and should fix #1139
10 years ago
Update import paths from github.com/go-gitea to code.gitea.io (#135) - Update import paths from github.com/go-gitea to code.gitea.io - Fix import path for travis See https://docs.travis-ci.com/user/languages/go#Go-Import-Path
9 years ago
initial support for LDAP authentication/MSAD
12 years ago
golint fixed for modules/auth
9 years ago
Use SecurityProtocol to replace UseSSL in LDAP config Initially proposed by #2376 and fixes #3068 as well.
9 years ago
Security protocols
9 years ago
Fix type in unused constant name (#111) * Write LDAP, SMTP, PAM, DLDAP back to all uppercase * Fix type in unused constant name * Other MixCased fixes * Complete MixerCasing of template constants * Re uppercase LTS and LDAPS suffixes * Uppercase JSON suffix in constant names * Proper case LoginNoType * Prefix unexported template path constants with "tpl"
9 years ago
Use SecurityProtocol to replace UseSSL in LDAP config Initially proposed by #2376 and fixes #3068 as well.
9 years ago
golint fixed for modules/auth
9 years ago
#1637 able to skip verify for LDAP
10 years ago
LDAP: Optional user name attribute specification Consider following LDAP search query example: (&(objectClass=Person)(|(uid=%s)(mail=%s))) Right now on first login attempt Gogs will use the text supplied on login form as the newly created user name. In example query above the text matches against both e-mail or user name. So if user puts the e-mail then the new Gogs user name will be e-mail which may be undesired. Using optional user name attribute setting we can explicitly say we want Gogs user name to be certain LDAP attribute eg. `uid`, so even user will use e-mail to login 1st time, the new account will receive correct user name.
10 years ago
Use SecurityProtocol to replace UseSSL in LDAP config Initially proposed by #2376 and fixes #3068 as well.
9 years ago
LDAP: Optional user name attribute specification Consider following LDAP search query example: (&(objectClass=Person)(|(uid=%s)(mail=%s))) Right now on first login attempt Gogs will use the text supplied on login form as the newly created user name. In example query above the text matches against both e-mail or user name. So if user puts the e-mail then the new Gogs user name will be e-mail which may be undesired. Using optional user name attribute setting we can explicitly say we want Gogs user name to be certain LDAP attribute eg. `uid`, so even user will use e-mail to login 1st time, the new account will receive correct user name.
10 years ago
LDAP: Fetch attributes in Bind DN context option This is feature is workaround for #2628 (JumpCloud) and some other services that allow LDAP search only under BindDN user account, but not allow any LDAP search query in logged user DN context. Such approach is an alternative to minimal permissions security pattern for BindDN user.
10 years ago
Add option to use paged LDAP search when synchronizing users (#3895)
8 years ago
LDAP: Optional user name attribute specification Consider following LDAP search query example: (&(objectClass=Person)(|(uid=%s)(mail=%s))) Right now on first login attempt Gogs will use the text supplied on login form as the newly created user name. In example query above the text matches against both e-mail or user name. So if user puts the e-mail then the new Gogs user name will be e-mail which may be undesired. Using optional user name attribute setting we can explicitly say we want Gogs user name to be certain LDAP attribute eg. `uid`, so even user will use e-mail to login 1st time, the new account will receive correct user name.
10 years ago
initial support for LDAP authentication/MSAD
12 years ago
LDAP user synchronization (#1478)
9 years ago
Sanitizing input to LDAP authentication module.
10 years ago
Correct ldap username validation. (#2880) PR #342 was only partially applied. Spaces should not be at the start and end of a username but they can be inside.
8 years ago
Sanitizing input to LDAP authentication module.
10 years ago
LDAP: Use single connection in BindDN mode auth According to RFC 4511 4.2.1. Processing of the Bind Request "Clients may send multiple Bind requests to change the authentication and/or security associations or to complete a multi-stage Bind process. Authentication from earlier binds is subsequently ignored." Therefore we should not use 2 connections, but single one just sending two bind requests.
10 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
LDAP: Use single connection in BindDN mode auth According to RFC 4511 4.2.1. Processing of the Bind Request "Clients may send multiple Bind requests to change the authentication and/or security associations or to complete a multi-stage Bind process. Authentication from earlier binds is subsequently ignored." Therefore we should not use 2 connections, but single one just sending two bind requests.
10 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
work on #986 and fix a LDAP crash
10 years ago
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
10 years ago
initial support for LDAP authentication/MSAD
12 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
Sanitizing input to LDAP authentication module.
10 years ago
LDAP: Make a bit more detailed log traces This is useful especially to check whether we fetch right attributes, using right LDAP search base and in right order.
10 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
work on #986 and fix a LDAP crash
10 years ago
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
10 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
10 years ago
initial support for LDAP authentication/MSAD
12 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
10 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
Fix misspelled words
10 years ago
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
10 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go
10 years ago
initial support for LDAP authentication/MSAD
12 years ago
Use SecurityProtocol to replace UseSSL in LDAP config Initially proposed by #2376 and fixes #3068 as well.
9 years ago
Fix type in unused constant name (#111) * Write LDAP, SMTP, PAM, DLDAP back to all uppercase * Fix type in unused constant name * Other MixCased fixes * Complete MixerCasing of template constants * Re uppercase LTS and LDAPS suffixes * Uppercase JSON suffix in constant names * Proper case LoginNoType * Prefix unexported template path constants with "tpl"
9 years ago
Use SecurityProtocol to replace UseSSL in LDAP config Initially proposed by #2376 and fixes #3068 as well.
9 years ago
Fix type in unused constant name (#111) * Write LDAP, SMTP, PAM, DLDAP back to all uppercase * Fix type in unused constant name * Other MixCased fixes * Complete MixerCasing of template constants * Re uppercase LTS and LDAPS suffixes * Uppercase JSON suffix in constant names * Proper case LoginNoType * Prefix unexported template path constants with "tpl"
9 years ago
Use SecurityProtocol to replace UseSSL in LDAP config Initially proposed by #2376 and fixes #3068 as well.
9 years ago
LDAP user synchronization (#1478)
9 years ago
golint fixed for modules/auth
9 years ago
LDAP user synchronization (#1478)
9 years ago
Correction LDAP validation (#342) * Correction LDAP username validation As https://msdn.microsoft.com/en-us/library/aa366101(v=vs.85).aspx describe spaces should not be in start or at the end of username but they can be inside the username. So please check my solution for it. * Check for zero length passwords in LDAP module. According to https://tools.ietf.org/search/rfc4513#section-5.1.2 LDAP client should always check before bind whether a password is an empty value. There are at least one LDAP implementation which does not return error if you try to bind with DN set and empty password - AD. * Clearing the login/email spaces at the [start/end]
9 years ago
LDAP user synchronization (#1478)
9 years ago
Correction LDAP validation (#342) * Correction LDAP username validation As https://msdn.microsoft.com/en-us/library/aa366101(v=vs.85).aspx describe spaces should not be in start or at the end of username but they can be inside the username. So please check my solution for it. * Check for zero length passwords in LDAP module. According to https://tools.ietf.org/search/rfc4513#section-5.1.2 LDAP client should always check before bind whether a password is an empty value. There are at least one LDAP implementation which does not return error if you try to bind with DN set and empty password - AD. * Clearing the login/email spaces at the [start/end]
9 years ago
Use SecurityProtocol to replace UseSSL in LDAP config Initially proposed by #2376 and fixes #3068 as well.
9 years ago
LDAP: Use single connection in BindDN mode auth According to RFC 4511 4.2.1. Processing of the Bind Request "Clients may send multiple Bind requests to change the authentication and/or security associations or to complete a multi-stage Bind process. Authentication from earlier binds is subsequently ignored." Therefore we should not use 2 connections, but single one just sending two bind requests.
10 years ago
LDAP user synchronization (#1478)
9 years ago
LDAP: Use single connection in BindDN mode auth According to RFC 4511 4.2.1. Processing of the Bind Request "Clients may send multiple Bind requests to change the authentication and/or security associations or to complete a multi-stage Bind process. Authentication from earlier binds is subsequently ignored." Therefore we should not use 2 connections, but single one just sending two bind requests.
10 years ago
Added LDAP simple auth support.
10 years ago
revert simple LDAP userDN and update example
10 years ago
Sanitizing input to LDAP authentication module.
10 years ago
LDAP user synchronization (#1478)
9 years ago
Sanitizing input to LDAP authentication module.
10 years ago
Added LDAP simple auth support.
10 years ago
LDAP: Use single connection in BindDN mode auth According to RFC 4511 4.2.1. Processing of the Bind Request "Clients may send multiple Bind requests to change the authentication and/or security associations or to complete a multi-stage Bind process. Authentication from earlier binds is subsequently ignored." Therefore we should not use 2 connections, but single one just sending two bind requests.
10 years ago
Added LDAP simple auth support.
10 years ago
LDAP user synchronization (#1478)
9 years ago
Added LDAP simple auth support.
10 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
LDAP: Fetch attributes in Bind DN context option This is feature is workaround for #2628 (JumpCloud) and some other services that allow LDAP search only under BindDN user account, but not allow any LDAP search query in logged user DN context. Such approach is an alternative to minimal permissions security pattern for BindDN user.
10 years ago
LDAP user synchronization (#1478)
9 years ago
LDAP: Fetch attributes in Bind DN context option This is feature is workaround for #2628 (JumpCloud) and some other services that allow LDAP search only under BindDN user account, but not allow any LDAP search query in logged user DN context. Such approach is an alternative to minimal permissions security pattern for BindDN user.
10 years ago
initial support for LDAP authentication/MSAD
12 years ago
Sanitizing input to LDAP authentication module.
10 years ago
LDAP user synchronization (#1478)
9 years ago
Sanitizing input to LDAP authentication module.
10 years ago
LDAP: Make a bit more detailed log traces This is useful especially to check whether we fetch right attributes, using right LDAP search base and in right order.
10 years ago
Remove ldap dep
11 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
Fix #2221 LDAP username attribute must be fetched This is fix-up for 573305f. Forgot to fetch AttributeUsername value from the LDAP server, so the setting was effectively not working as intended.
10 years ago
initial support for LDAP authentication/MSAD
12 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
initial support for LDAP authentication/MSAD
12 years ago
work on #986 and fix a LDAP crash
10 years ago
LDAP user synchronization (#1478)
9 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
Added LDAP simple auth support.
10 years ago
LDAP user synchronization (#1478)
9 years ago
initial support for LDAP authentication/MSAD
12 years ago
Significantly enhanced LDAP support in Gogs.
10 years ago
#2709 validate username attribute fetched from LDAP
9 years ago
LDAP user synchronization (#1478)
9 years ago
Set IsAdmin using LDAP The IsAdmin flag is set based on whether the admin filter returned any result. The admin filter is applied with the user dn as the search root. In the future, we should update IsAdmin as well on each login. Alternately, we can have a periodic sync operation.
10 years ago
LDAP user synchronization (#1478)
9 years ago
#1554 check adminFilter length before LDAP search
10 years ago
LDAP user synchronization (#1478)
9 years ago
#1554 check adminFilter length before LDAP search
10 years ago
Set IsAdmin using LDAP The IsAdmin flag is set based on whether the admin filter returned any result. The admin filter is applied with the user dn as the search root. In the future, we should update IsAdmin as well on each login. Alternately, we can have a periodic sync operation.
10 years ago
LDAP user synchronization (#1478)
9 years ago
Add option to use paged LDAP search when synchronizing users (#3895)
8 years ago
LDAP user synchronization (#1478)
9 years ago
LDAP: Fetch attributes in Bind DN context option This is feature is workaround for #2628 (JumpCloud) and some other services that allow LDAP search only under BindDN user account, but not allow any LDAP search query in logged user DN context. Such approach is an alternative to minimal permissions security pattern for BindDN user.
10 years ago
LDAP user synchronization (#1478)
9 years ago
Add option to use paged LDAP search when synchronizing users (#3895)
8 years ago
LDAP user synchronization (#1478)
9 years ago
LDAP: Fetch attributes in Bind DN context option This is feature is workaround for #2628 (JumpCloud) and some other services that allow LDAP search only under BindDN user account, but not allow any LDAP search query in logged user DN context. Such approach is an alternative to minimal permissions security pattern for BindDN user.
10 years ago
LDAP user synchronization (#1478)
9 years ago
initial support for LDAP authentication/MSAD
12 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331 
  1. // Copyright 2014 The Gogs Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. // Package ldap provide functions & structure to query a LDAP ldap directory

  6. // For now, it's mainly tested again an MS Active Directory service, see README.md for more information

  7. package ldap

  8. 

  9. import (

  10. 	"crypto/tls"

  11. 	"fmt"

  12. 	"strings"

  13. 

  14. 	"gopkg.in/ldap.v2"

  15. 

  16. 	"code.gitea.io/gitea/modules/log"

  17. )

  18. 

  19. // SecurityProtocol protocol type

  20. type SecurityProtocol int

  21. 

  22. // Note: new type must be added at the end of list to maintain compatibility.

  23. const (

  24. 	SecurityProtocolUnencrypted SecurityProtocol = iota

  25. 	SecurityProtocolLDAPS

  26. 	SecurityProtocolStartTLS

  27. )

  28. 

  29. // Source Basic LDAP authentication service

  30. type Source struct {

  31. 	Name              string // canonical name (ie. corporate.ad)

  32. 	Host              string // LDAP host

  33. 	Port              int    // port number

  34. 	SecurityProtocol  SecurityProtocol

  35. 	SkipVerify        bool

  36. 	BindDN            string // DN to bind with

  37. 	BindPassword      string // Bind DN password

  38. 	UserBase          string // Base search path for users

  39. 	UserDN            string // Template for the DN of the user for simple auth

  40. 	AttributeUsername string // Username attribute

  41. 	AttributeName     string // First name attribute

  42. 	AttributeSurname  string // Surname attribute

  43. 	AttributeMail     string // E-mail attribute

  44. 	AttributesInBind  bool   // fetch attributes in bind context (not user)

  45. 	SearchPageSize    uint32 // Search with paging page size

  46. 	Filter            string // Query filter to validate entry

  47. 	AdminFilter       string // Query filter to check if user is admin

  48. 	Enabled           bool   // if this source is disabled

  49. }

  50. 

  51. // SearchResult : user data

  52. type SearchResult struct {

  53. 	Username string // Username

  54. 	Name     string // Name

  55. 	Surname  string // Surname

  56. 	Mail     string // E-mail address

  57. 	IsAdmin  bool   // if user is administrator

  58. }

  59. 

  60. func (ls *Source) sanitizedUserQuery(username string) (string, bool) {

  61. 	// See http://tools.ietf.org/search/rfc4515

  62. 	badCharacters := "\x00()*\\"

  63. 	if strings.ContainsAny(username, badCharacters) {

  64. 		log.Debug("'%s' contains invalid query characters. Aborting.", username)

  65. 		return "", false

  66. 	}

  67. 

  68. 	return fmt.Sprintf(ls.Filter, username), true

  69. }

  70. 

  71. func (ls *Source) sanitizedUserDN(username string) (string, bool) {

  72. 	// See http://tools.ietf.org/search/rfc4514: "special characters"

  73. 	badCharacters := "\x00()*\\,='\"#+;<>"

  74. 	if strings.ContainsAny(username, badCharacters) {

  75. 		log.Debug("'%s' contains invalid DN characters. Aborting.", username)

  76. 		return "", false

  77. 	}

  78. 

  79. 	return fmt.Sprintf(ls.UserDN, username), true

  80. }

  81. 

  82. func (ls *Source) findUserDN(l *ldap.Conn, name string) (string, bool) {

  83. 	log.Trace("Search for LDAP user: %s", name)

  84. 	if ls.BindDN != "" && ls.BindPassword != "" {

  85. 		err := l.Bind(ls.BindDN, ls.BindPassword)

  86. 		if err != nil {

  87. 			log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)

  88. 			return "", false

  89. 		}

  90. 		log.Trace("Bound as BindDN %s", ls.BindDN)

  91. 	} else {

  92. 		log.Trace("Proceeding with anonymous LDAP search.")

  93. 	}

  94. 

  95. 	// A search for the user.

  96. 	userFilter, ok := ls.sanitizedUserQuery(name)

  97. 	if !ok {

  98. 		return "", false

  99. 	}

  100. 

  101. 	log.Trace("Searching for DN using filter %s and base %s", userFilter, ls.UserBase)

  102. 	search := ldap.NewSearchRequest(

  103. 		ls.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0,

  104. 		false, userFilter, []string{}, nil)

  105. 

  106. 	// Ensure we found a user

  107. 	sr, err := l.Search(search)

  108. 	if err != nil || len(sr.Entries) < 1 {

  109. 		log.Debug("Failed search using filter[%s]: %v", userFilter, err)

  110. 		return "", false

  111. 	} else if len(sr.Entries) > 1 {

  112. 		log.Debug("Filter '%s' returned more than one user.", userFilter)

  113. 		return "", false

  114. 	}

  115. 

  116. 	userDN := sr.Entries[0].DN

  117. 	if userDN == "" {

  118. 		log.Error(4, "LDAP search was successful, but found no DN!")

  119. 		return "", false

  120. 	}

  121. 

  122. 	return userDN, true

  123. }

  124. 

  125. func dial(ls *Source) (*ldap.Conn, error) {

  126. 	log.Trace("Dialing LDAP with security protocol (%v) without verifying: %v", ls.SecurityProtocol, ls.SkipVerify)

  127. 

  128. 	tlsCfg := &tls.Config{

  129. 		ServerName:         ls.Host,

  130. 		InsecureSkipVerify: ls.SkipVerify,

  131. 	}

  132. 	if ls.SecurityProtocol == SecurityProtocolLDAPS {

  133. 		return ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", ls.Host, ls.Port), tlsCfg)

  134. 	}

  135. 

  136. 	conn, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", ls.Host, ls.Port))

  137. 	if err != nil {

  138. 		return nil, fmt.Errorf("Dial: %v", err)

  139. 	}

  140. 

  141. 	if ls.SecurityProtocol == SecurityProtocolStartTLS {

  142. 		if err = conn.StartTLS(tlsCfg); err != nil {

  143. 			conn.Close()

  144. 			return nil, fmt.Errorf("StartTLS: %v", err)

  145. 		}

  146. 	}

  147. 

  148. 	return conn, nil

  149. }

  150. 

  151. func bindUser(l *ldap.Conn, userDN, passwd string) error {

  152. 	log.Trace("Binding with userDN: %s", userDN)

  153. 	err := l.Bind(userDN, passwd)

  154. 	if err != nil {

  155. 		log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)

  156. 		return err

  157. 	}

  158. 	log.Trace("Bound successfully with userDN: %s", userDN)

  159. 	return err

  160. }

  161. 

  162. func checkAdmin(l *ldap.Conn, ls *Source, userDN string) bool {

  163. 	if len(ls.AdminFilter) > 0 {

  164. 		log.Trace("Checking admin with filter %s and base %s", ls.AdminFilter, userDN)

  165. 		search := ldap.NewSearchRequest(

  166. 			userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.AdminFilter,

  167. 			[]string{ls.AttributeName},

  168. 			nil)

  169. 

  170. 		sr, err := l.Search(search)

  171. 

  172. 		if err != nil {

  173. 			log.Error(4, "LDAP Admin Search failed unexpectedly! (%v)", err)

  174. 		} else if len(sr.Entries) < 1 {

  175. 			log.Error(4, "LDAP Admin Search failed")

  176. 		} else {

  177. 			return true

  178. 		}

  179. 	}

  180. 	return false

  181. }

  182. 

  183. // SearchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter

  184. func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResult {

  185. 	// See https://tools.ietf.org/search/rfc4513#section-5.1.2

  186. 	if len(passwd) == 0 {

  187. 		log.Debug("Auth. failed for %s, password cannot be empty")

  188. 		return nil

  189. 	}

  190. 	l, err := dial(ls)

  191. 	if err != nil {

  192. 		log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)

  193. 		ls.Enabled = false

  194. 		return nil

  195. 	}

  196. 	defer l.Close()

  197. 

  198. 	var userDN string

  199. 	if directBind {

  200. 		log.Trace("LDAP will bind directly via UserDN template: %s", ls.UserDN)

  201. 

  202. 		var ok bool

  203. 		userDN, ok = ls.sanitizedUserDN(name)

  204. 		if !ok {

  205. 			return nil

  206. 		}

  207. 	} else {

  208. 		log.Trace("LDAP will use BindDN.")

  209. 

  210. 		var found bool

  211. 		userDN, found = ls.findUserDN(l, name)

  212. 		if !found {

  213. 			return nil

  214. 		}

  215. 	}

  216. 

  217. 	if directBind || !ls.AttributesInBind {

  218. 		// binds user (checking password) before looking-up attributes in user context

  219. 		err = bindUser(l, userDN, passwd)

  220. 		if err != nil {

  221. 			return nil

  222. 		}

  223. 	}

  224. 

  225. 	userFilter, ok := ls.sanitizedUserQuery(name)

  226. 	if !ok {

  227. 		return nil

  228. 	}

  229. 

  230. 	log.Trace("Fetching attributes '%v', '%v', '%v', '%v' with filter %s and base %s", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, userFilter, userDN)

  231. 	search := ldap.NewSearchRequest(

  232. 		userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,

  233. 		[]string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail},

  234. 		nil)

  235. 

  236. 	sr, err := l.Search(search)

  237. 	if err != nil {

  238. 		log.Error(4, "LDAP Search failed unexpectedly! (%v)", err)

  239. 		return nil

  240. 	} else if len(sr.Entries) < 1 {

  241. 		if directBind {

  242. 			log.Error(4, "User filter inhibited user login.")

  243. 		} else {

  244. 			log.Error(4, "LDAP Search failed unexpectedly! (0 entries)")

  245. 		}

  246. 

  247. 		return nil

  248. 	}

  249. 

  250. 	username := sr.Entries[0].GetAttributeValue(ls.AttributeUsername)

  251. 	firstname := sr.Entries[0].GetAttributeValue(ls.AttributeName)

  252. 	surname := sr.Entries[0].GetAttributeValue(ls.AttributeSurname)

  253. 	mail := sr.Entries[0].GetAttributeValue(ls.AttributeMail)

  254. 	isAdmin := checkAdmin(l, ls, userDN)

  255. 

  256. 	if !directBind && ls.AttributesInBind {

  257. 		// binds user (checking password) after looking-up attributes in BindDN context

  258. 		err = bindUser(l, userDN, passwd)

  259. 		if err != nil {

  260. 			return nil

  261. 		}

  262. 	}

  263. 

  264. 	return &SearchResult{

  265. 		Username: username,

  266. 		Name:     firstname,

  267. 		Surname:  surname,

  268. 		Mail:     mail,

  269. 		IsAdmin:  isAdmin,

  270. 	}

  271. }

  272. 

  273. // UsePagedSearch returns if need to use paged search

  274. func (ls *Source) UsePagedSearch() bool {

  275. 	return ls.SearchPageSize > 0

  276. }

  277. 

  278. // SearchEntries : search an LDAP source for all users matching userFilter

  279. func (ls *Source) SearchEntries() []*SearchResult {

  280. 	l, err := dial(ls)

  281. 	if err != nil {

  282. 		log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)

  283. 		ls.Enabled = false

  284. 		return nil

  285. 	}

  286. 	defer l.Close()

  287. 

  288. 	if ls.BindDN != "" && ls.BindPassword != "" {

  289. 		err := l.Bind(ls.BindDN, ls.BindPassword)

  290. 		if err != nil {

  291. 			log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)

  292. 			return nil

  293. 		}

  294. 		log.Trace("Bound as BindDN %s", ls.BindDN)

  295. 	} else {

  296. 		log.Trace("Proceeding with anonymous LDAP search.")

  297. 	}

  298. 

  299. 	userFilter := fmt.Sprintf(ls.Filter, "*")

  300. 

  301. 	log.Trace("Fetching attributes '%v', '%v', '%v', '%v' with filter %s and base %s", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, userFilter, ls.UserBase)

  302. 	search := ldap.NewSearchRequest(

  303. 		ls.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,

  304. 		[]string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail},

  305. 		nil)

  306. 

  307. 	var sr *ldap.SearchResult

  308. 	if ls.UsePagedSearch() {

  309. 		sr, err = l.SearchWithPaging(search, ls.SearchPageSize)

  310. 	} else {

  311. 		sr, err = l.Search(search)

  312. 	}

  313. 	if err != nil {

  314. 		log.Error(4, "LDAP Search failed unexpectedly! (%v)", err)

  315. 		return nil

  316. 	}

  317. 

  318. 	result := make([]*SearchResult, len(sr.Entries))

  319. 

  320. 	for i, v := range sr.Entries {

  321. 		result[i] = &SearchResult{

  322. 			Username: v.GetAttributeValue(ls.AttributeUsername),

  323. 			Name:     v.GetAttributeValue(ls.AttributeName),

  324. 			Surname:  v.GetAttributeValue(ls.AttributeSurname),

  325. 			Mail:     v.GetAttributeValue(ls.AttributeMail),

  326. 			IsAdmin:  checkAdmin(l, ls, v.DN),

  327. 		}

  328. 	}

  329. 

  330. 	return result

  331. }

No Description