Use client provided credentials to operated LDAP queries

This commit is contained in:
yo 2022-11-12 14:00:06 +01:00
parent c4e980834d
commit f8a8c1a0c8
3 changed files with 150 additions and 38 deletions

View File

@ -1,9 +1,11 @@
LISTEN="0.0.0.0:8081"
LISTEN="0.0.0.0:8080"
LDAP_HOST="ldap://ldap.example.org"
LDAP_BASE_DN="dc=example,dc=org"
# Credentials used for every op in ldap, so this account needs write access if you want to update ldap
LDAP_USER="cn=ldapuser,dc=example,dc=org"
# This account search for valid user provided by authenticating client.
# Then glapi bind with client provided credentials to operate LDAP.
# Thus this account only needs bind privilege, and read access to users organizational unit
LDAP_USER="cn=ldapreaduser,dc=example,dc=org"
LDAP_PASS='here_lies_the_password'
# Https support

22
ldap.go
View File

@ -31,13 +31,13 @@ func connectLdap(myldap *MyLdap) (*MyLdap, error) {
myldap.Conn, err = ldap.DialURL(myldap.Host)
if err != nil {
log.Errorf("Error dialing LDAP: %v", err)
//log.Errorf("Error dialing LDAP: %v", err)
return conLdap, err
}
err = myldap.Conn.Bind(myldap.User, myldap.Pass)
if err != nil {
log.Errorf("Error binding LDAP: ", err)
//log.Errorf("Error binding LDAP: %v", err)
return conLdap, err
}
return myldap, err
@ -91,7 +91,7 @@ func doLdapSearch(myldap *MyLdap, baseDn, cn, class, attributes string) (*ldap.S
log.Debugf("LDAP search filter: %s", filter)
// Build absolute search base DN from configuration & provided DN (which is relative)
if strings.EqualFold(baseDn, "ALL") {
if strings.EqualFold(baseDn, "ALL") || len(baseDn) == 0 {
realBaseDn = fmt.Sprintf("%s", myldap.BaseDN)
} else {
realBaseDn = fmt.Sprintf("%s,%s", baseDn, myldap.BaseDN)
@ -118,3 +118,19 @@ func doLdapSearch(myldap *MyLdap, baseDn, cn, class, attributes string) (*ldap.S
return result, nil
}
func findUserFullDN(myldap *MyLdap, username string) (string, error) {
sr, err := doLdapSearch(myldap, "", username, "ALL", "")
if err != nil {
return "", err
}
if len(sr.Entries) == 0 {
return "", fmt.Errorf("User not found with cn=%s", username)
} else if len(sr.Entries) > 1 {
return "", fmt.Errorf("More than one object (%d) found with cn=%s", len(sr.Entries), username)
}
result := sr.Entries[0].DN
return result, nil
}

158
main.go
View File

@ -9,6 +9,7 @@ import (
"fmt"
"flag"
"time"
"errors"
"strings"
"net/http"
"encoding/json"
@ -20,7 +21,9 @@ import (
)
var (
gVersion = "0.5.1"
gVersion = "0.5.2"
gRoLdap *MyLdap
)
func marshalResultToText(res *ldap.SearchResult, delimiter string, showValueName, showDN bool) string {
@ -143,8 +146,7 @@ func checkIfModifiedSince(c *gin.Context, myldap *MyLdap, baseDn, cn, class, att
}
// Basic Authentication handler
// TODO: Where to store accounts?
// Basic Authentication handler with local hardcoded account - do not use
func basicAuth(c *gin.Context) {
user, password, hasAuth := c.Request.BasicAuth()
if hasAuth && user == "admin" && password == "admin" {
@ -156,52 +158,121 @@ func basicAuth(c *gin.Context) {
}
}
// Basic Authentication handler to ldap
func ldapBasicAuth(c *gin.Context) {
var err error
// Get user & password from http client
user, password, hasAuth := c.Request.BasicAuth()
if hasAuth {
// First find the full DN for provided username
if gRoLdap.Conn == nil {
gRoLdap, err = connectLdap(gRoLdap)
if err != nil {
log.Errorf("[%s]: Cannot connect to LDAP: %v", c.Request.RemoteAddr, err)
c.AbortWithStatus(http.StatusUnauthorized)
c.Writer.Header().Set("WWW-Authenticate", "Basic realm=Restricted")
return
}
}
userDn, err := findUserFullDN(gRoLdap, user)
if err != nil {
log.Errorf("[%s]: Cannot connect to LDAP: %v", c.Request.RemoteAddr, err)
c.AbortWithStatus(http.StatusUnauthorized)
c.Writer.Header().Set("WWW-Authenticate", "Basic realm=Restricted")
return
}
// Then open this ldap connection bound to client credentials, using found full Dn
cl, err := connectLdap(&MyLdap{Host: gRoLdap.Host, User: userDn, Pass: password, BaseDN: gRoLdap.BaseDN})
if err != nil {
log.Errorf("[%s]: Cannot connect to LDAP: %v", c.Request.RemoteAddr, err)
c.AbortWithStatus(http.StatusUnauthorized)
c.Writer.Header().Set("WWW-Authenticate", "Basic realm=Restricted")
return
} else {
log.Infof("[%s]: User %s successfully authenticated with bind DN %s", c.Request.RemoteAddr, user, userDn)
// Store LDAP connection into gin context
c.Set("ldapCon", cl)
}
} else {
c.AbortWithStatus(http.StatusUnauthorized)
c.Writer.Header().Set("WWW-Authenticate", "Basic realm=Restricted")
return
}
}
func initRouter(r *gin.Engine, myldap *MyLdap) {
func getLdapConFromContext(c *gin.Context) (*MyLdap, error) {
ldapCon, exist := c.Get("ldapCon")
if exist != true {
return nil, errors.New("Cannot get connection from context")
}
return ldapCon.(*MyLdap), nil
}
func initRouter(r *gin.Engine) {
r.GET("/ping", func(c *gin.Context) {
c.JSON(http.StatusOK, gin.H{
"message": "pong",
})
return
})
// All following routes need authentication
r.GET("/:ou/:cn/:class", basicAuth, func(c *gin.Context) {
r.GET("/:ou/:cn/:class", ldapBasicAuth, func(c *gin.Context) {
ou := c.Param("ou")
cn := c.Param("cn")
class := c.Param("class")
// Get user authenticated LDAP connection from context
ldapCon, err := getLdapConFromContext(c)
if err != nil {
log.Error(err)
c.AbortWithError(http.StatusInternalServerError, nil)
return
}
// json format is the default
format := c.DefaultQuery("format", "json")
log.Printf("Format : %s", format)
res, err := doLdapSearch(myldap, ou, cn, class, "ALL")
// If OU does not exist, we'll get err='LDAP Result Code 32 "No Such Object"'
if err != nil {
log.Errorf("Error searching %s in %s : %v", cn, ou, err)
c.AbortWithError(http.StatusInternalServerError, err)
return
}
sendResponse(c, res, format)
res, err := doLdapSearch(ldapCon, ou, cn, class, "ALL")
// If OU does not exist, we'll get err='LDAP Result Code 32 "No Such Object"'
if err != nil {
log.Errorf("Error searching %s in %s : %v", cn, ou, err)
c.AbortWithError(http.StatusInternalServerError, err)
return
}
sendResponse(c, res, format)
return
})
r.HEAD("/:ou/:cn/:class", basicAuth, func(c *gin.Context) {
r.HEAD("/:ou/:cn/:class", ldapBasicAuth, func(c *gin.Context) {
ou := c.Param("ou")
cn := c.Param("cn")
class := c.Param("class")
format := c.DefaultQuery("format", "json")
log.Printf("Format : %s", format)
modified, err := checkIfModifiedSince(c, myldap, ou, cn, class, "ALL")
// Get user authenticated LDAP connection from context
ldapCon, err := getLdapConFromContext(c)
if err != nil {
log.Error(err)
c.AbortWithError(http.StatusInternalServerError, nil)
return
}
modified, err := checkIfModifiedSince(c, ldapCon, ou, cn, class, "ALL")
if err != nil {
c.AbortWithError(http.StatusInternalServerError, err)
return
}
if modified {
res, err := doLdapSearch(myldap, ou, cn, class, "ALL")
res, err := doLdapSearch(ldapCon, ou, cn, class, "ALL")
if err != nil {
log.Errorf("Error searching %s in %s : %v", cn, ou, err)
c.AbortWithError(http.StatusInternalServerError, err)
@ -214,16 +285,23 @@ func initRouter(r *gin.Engine, myldap *MyLdap) {
return
})
r.GET("/:ou/:cn/:class/:attribute", basicAuth, func(c *gin.Context) {
r.GET("/:ou/:cn/:class/:attribute", ldapBasicAuth, func(c *gin.Context) {
ou := c.Param("ou")
cn := c.Param("cn")
attr := c.Param("attribute")
class := c.Param("class")
format := c.DefaultQuery("format", "json")
log.Printf("Format : %s", format)
// Get user authenticated LDAP connection from context
ldapCon, err := getLdapConFromContext(c)
if err != nil {
log.Error(err)
c.AbortWithError(http.StatusInternalServerError, nil)
return
}
res, err := doLdapSearch(myldap, ou, cn, class, attr)
res, err := doLdapSearch(ldapCon, ou, cn, class, attr)
if err != nil {
log.Errorf("Error searching %s in %s : %v", cn, ou, err)
c.AbortWithError(http.StatusInternalServerError, err)
@ -233,23 +311,30 @@ func initRouter(r *gin.Engine, myldap *MyLdap) {
return
})
r.HEAD("/:ou/:cn/:class/:attribute", basicAuth, func(c *gin.Context) {
r.HEAD("/:ou/:cn/:class/:attribute", ldapBasicAuth, func(c *gin.Context) {
ou := c.Param("ou")
cn := c.Param("cn")
attr := c.Param("attribute")
class := c.Param("class")
format := c.DefaultQuery("format", "json")
log.Printf("Format : %s", format)
modified, err := checkIfModifiedSince(c, myldap, ou, cn, class, attr)
// Get user authenticated LDAP connection from context
ldapCon, err := getLdapConFromContext(c)
if err != nil {
log.Error(err)
c.AbortWithError(http.StatusInternalServerError, nil)
return
}
modified, err := checkIfModifiedSince(c, ldapCon, ou, cn, class, attr)
if err != nil {
c.AbortWithError(http.StatusInternalServerError, err)
return
}
if modified {
res, err := doLdapSearch(myldap, ou, cn, class, attr)
res, err := doLdapSearch(ldapCon, ou, cn, class, attr)
if err != nil {
log.Errorf("Error searching %s in %s : %v", cn, ou, err)
c.AbortWithError(http.StatusInternalServerError, err)
@ -278,7 +363,7 @@ func main() {
flag.StringVar(&confFile, "config", "", "Path to the config file (optional)")
flag.StringVar(&listen, "listen-addr", "0.0.0.0:8080", "listen address for server")
flag.StringVar(&ldapHost, "ldap-host", "", "ldap host to connect to")
flag.StringVar(&ldapUser, "ldap-user", "", "ldap username")
flag.StringVar(&ldapUser, "ldap-user", "", "ldap read-only username")
flag.StringVar(&ldapPass, "ldap-pass", "", "ldap password")
flag.StringVar(&ldapBaseDN, "ldap-base-dn", "", "ldap base DN")
flag.BoolVar(&doTls, "https", false, "Serve over TLS")
@ -295,6 +380,10 @@ func main() {
os.Exit(1)
}
}
if false == debug {
debug = viper.GetBool("DEBUG")
}
if strings.EqualFold(listen, "0.0.0.0:8080") && len(confFile) > 0 {
l := viper.GetString("LISTEN")
@ -362,9 +451,14 @@ func main() {
r := gin.Default()
ldap := MyLdap{Host: ldapHost, User: ldapUser, Pass: ldapPass, BaseDN: ldapBaseDN}
initRouter(r, &ldap)
gRoLdap = &MyLdap{Host: ldapHost, User: ldapUser, Pass: ldapPass, BaseDN: ldapBaseDN}
_, err := connectLdap(gRoLdap)
if err != nil {
log.Fatalf("Cannot connect to ldap: %v", err)
}
initRouter(r)
if doTls {
r.RunTLS(listen, tlsCert, tlsPrivKey)