2017-08-10 08:35:23 +00:00
|
|
|
package ldap
|
|
|
|
|
|
|
|
import (
|
2020-07-07 21:57:52 +00:00
|
|
|
"errors"
|
2017-08-10 08:35:23 +00:00
|
|
|
"fmt"
|
|
|
|
"strings"
|
|
|
|
|
2020-04-29 02:25:25 +00:00
|
|
|
ldap "github.com/go-ldap/ldap/v3"
|
2020-02-17 23:25:30 +00:00
|
|
|
portainer "github.com/portainer/portainer/api"
|
2019-03-21 01:20:14 +00:00
|
|
|
"github.com/portainer/portainer/api/crypto"
|
2020-07-07 21:57:52 +00:00
|
|
|
httperrors "github.com/portainer/portainer/api/http/errors"
|
2017-08-10 08:35:23 +00:00
|
|
|
)
|
|
|
|
|
2020-07-07 21:57:52 +00:00
|
|
|
var (
|
|
|
|
// errUserNotFound defines an error raised when the user is not found via LDAP search
|
2017-08-10 08:35:23 +00:00
|
|
|
// or that too many entries (> 1) are returned.
|
2020-07-07 21:57:52 +00:00
|
|
|
errUserNotFound = errors.New("User not found or too many entries returned")
|
2017-08-10 08:35:23 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// Service represents a service used to authenticate users against a LDAP/AD.
|
|
|
|
type Service struct{}
|
|
|
|
|
|
|
|
func searchUser(username string, conn *ldap.Conn, settings []portainer.LDAPSearchSettings) (string, error) {
|
|
|
|
var userDN string
|
|
|
|
found := false
|
2018-09-24 23:10:41 +00:00
|
|
|
usernameEscaped := ldap.EscapeFilter(username)
|
|
|
|
|
2017-08-10 08:35:23 +00:00
|
|
|
for _, searchSettings := range settings {
|
|
|
|
searchRequest := ldap.NewSearchRequest(
|
|
|
|
searchSettings.BaseDN,
|
|
|
|
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
|
2018-09-24 23:10:41 +00:00
|
|
|
fmt.Sprintf("(&%s(%s=%s))", searchSettings.Filter, searchSettings.UserNameAttribute, usernameEscaped),
|
2017-08-10 08:35:23 +00:00
|
|
|
[]string{"dn"},
|
|
|
|
nil,
|
|
|
|
)
|
|
|
|
|
|
|
|
// Deliberately skip errors on the search request so that we can jump to other search settings
|
|
|
|
// if any issue arise with the current one.
|
2017-09-20 18:58:09 +00:00
|
|
|
sr, err := conn.Search(searchRequest)
|
|
|
|
if err != nil {
|
|
|
|
continue
|
|
|
|
}
|
2017-08-10 08:35:23 +00:00
|
|
|
|
|
|
|
if len(sr.Entries) == 1 {
|
|
|
|
found = true
|
|
|
|
userDN = sr.Entries[0].DN
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if !found {
|
2020-07-07 21:57:52 +00:00
|
|
|
return "", errUserNotFound
|
2017-08-10 08:35:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return userDN, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func createConnection(settings *portainer.LDAPSettings) (*ldap.Conn, error) {
|
|
|
|
|
|
|
|
if settings.TLSConfig.TLS || settings.StartTLS {
|
2018-05-19 14:25:11 +00:00
|
|
|
config, err := crypto.CreateTLSConfigurationFromDisk(settings.TLSConfig.TLSCACertPath, settings.TLSConfig.TLSCertPath, settings.TLSConfig.TLSKeyPath, settings.TLSConfig.TLSSkipVerify)
|
2017-08-10 08:35:23 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
config.ServerName = strings.Split(settings.URL, ":")[0]
|
|
|
|
|
|
|
|
if settings.TLSConfig.TLS {
|
|
|
|
return ldap.DialTLS("tcp", settings.URL, config)
|
|
|
|
}
|
|
|
|
|
|
|
|
conn, err := ldap.Dial("tcp", settings.URL)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
err = conn.StartTLS(config)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return conn, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
return ldap.Dial("tcp", settings.URL)
|
|
|
|
}
|
|
|
|
|
|
|
|
// AuthenticateUser is used to authenticate a user against a LDAP/AD.
|
|
|
|
func (*Service) AuthenticateUser(username, password string, settings *portainer.LDAPSettings) error {
|
|
|
|
|
|
|
|
connection, err := createConnection(settings)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer connection.Close()
|
|
|
|
|
2020-01-21 22:14:07 +00:00
|
|
|
if !settings.AnonymousMode {
|
|
|
|
err = connection.Bind(settings.ReaderDN, settings.Password)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2017-08-10 08:35:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
userDN, err := searchUser(username, connection, settings.SearchSettings)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
err = connection.Bind(userDN, password)
|
|
|
|
if err != nil {
|
2020-07-07 21:57:52 +00:00
|
|
|
return httperrors.ErrUnauthorized
|
2017-08-10 08:35:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2018-07-23 04:57:38 +00:00
|
|
|
// GetUserGroups is used to retrieve user groups from LDAP/AD.
|
|
|
|
func (*Service) GetUserGroups(username string, settings *portainer.LDAPSettings) ([]string, error) {
|
|
|
|
connection, err := createConnection(settings)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer connection.Close()
|
|
|
|
|
2020-01-21 22:14:07 +00:00
|
|
|
if !settings.AnonymousMode {
|
|
|
|
err = connection.Bind(settings.ReaderDN, settings.Password)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2018-07-23 04:57:38 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
userDN, err := searchUser(username, connection, settings.SearchSettings)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
userGroups := getGroups(userDN, connection, settings.GroupSearchSettings)
|
|
|
|
|
|
|
|
return userGroups, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get a list of group names for specified user from LDAP/AD
|
|
|
|
func getGroups(userDN string, conn *ldap.Conn, settings []portainer.LDAPGroupSearchSettings) []string {
|
|
|
|
groups := make([]string, 0)
|
2018-09-24 23:10:41 +00:00
|
|
|
userDNEscaped := ldap.EscapeFilter(userDN)
|
2018-07-23 04:57:38 +00:00
|
|
|
|
|
|
|
for _, searchSettings := range settings {
|
|
|
|
searchRequest := ldap.NewSearchRequest(
|
|
|
|
searchSettings.GroupBaseDN,
|
|
|
|
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
|
2018-09-24 23:10:41 +00:00
|
|
|
fmt.Sprintf("(&%s(%s=%s))", searchSettings.GroupFilter, searchSettings.GroupAttribute, userDNEscaped),
|
2018-07-23 04:57:38 +00:00
|
|
|
[]string{"cn"},
|
|
|
|
nil,
|
|
|
|
)
|
|
|
|
|
|
|
|
// Deliberately skip errors on the search request so that we can jump to other search settings
|
|
|
|
// if any issue arise with the current one.
|
|
|
|
sr, err := conn.Search(searchRequest)
|
|
|
|
if err != nil {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, entry := range sr.Entries {
|
|
|
|
for _, attr := range entry.Attributes {
|
|
|
|
groups = append(groups, attr.Values[0])
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return groups
|
|
|
|
}
|
|
|
|
|
2017-08-10 08:35:23 +00:00
|
|
|
// TestConnectivity is used to test a connection against the LDAP server using the credentials
|
|
|
|
// specified in the LDAPSettings.
|
|
|
|
func (*Service) TestConnectivity(settings *portainer.LDAPSettings) error {
|
|
|
|
|
|
|
|
connection, err := createConnection(settings)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer connection.Close()
|
|
|
|
|
2020-02-17 23:25:30 +00:00
|
|
|
err = connection.Bind(settings.ReaderDN, settings.Password)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
2017-08-10 08:35:23 +00:00
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|