ldapclient: allow search queries customisation in configuration
This commit is contained in:
parent
938d1939d4
commit
2ad1595a34
@ -48,17 +48,19 @@ type connector interface {
|
|||||||
|
|
||||||
// Config is a LDAP configuration.
|
// Config is a LDAP configuration.
|
||||||
type Config struct {
|
type Config struct {
|
||||||
Endpoints []string `envconfig:"endpoints" required:"true" desc:"a LDAP's server URLs as \"<address>:<port>\""`
|
Endpoints []string `envconfig:"endpoints" required:"true" desc:"a LDAP's server URLs as \"<address>:<port>\""`
|
||||||
BindDN string `envconfig:"binddn" desc:"a LDAP bind DN"`
|
BindDN string `envconfig:"binddn" desc:"a LDAP bind DN"`
|
||||||
BindPass string `envconfig:"bindpw" json:"-" desc:"a LDAP bind password"`
|
BindPass string `envconfig:"bindpw" json:"-" desc:"a LDAP bind password"`
|
||||||
BaseDN string `envconfig:"basedn" required:"true" desc:"a LDAP base DN for searching users"`
|
BaseDN string `envconfig:"basedn" required:"true" desc:"a LDAP base DN for searching users"`
|
||||||
AttrClaims map[string]string `envconfig:"attr_claims" default:"name:name,sn:family_name,givenName:given_name,mail:email" desc:"a mapping of LDAP attributes to OpenID connect claims"`
|
UserSearchQuery string `envconfig:"user_search_query" desc:"the user search query" default:"(&(|(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))"`
|
||||||
RoleBaseDN string `envconfig:"role_basedn" required:"true" desc:"a LDAP base DN for searching roles"`
|
AttrClaims map[string]string `envconfig:"attr_claims" default:"name:name,sn:family_name,givenName:given_name,mail:email" desc:"a mapping of LDAP attributes to OpenID connect claims"`
|
||||||
RoleAttr string `envconfig:"role_attr" default:"description" desc:"a LDAP group's attribute that contains a role's name"`
|
RoleBaseDN string `envconfig:"role_basedn" required:"true" desc:"a LDAP base DN for searching roles"`
|
||||||
RoleClaim string `envconfig:"role_claim" default:"https://github.com/i-core/werther/claims/roles" desc:"a name of an OpenID Connect claim that contains user roles"`
|
RoleSearchQuery string `envconfig:"role_search_query" desc:"the role search query" default:"(|(&(|(objectClass=group)(objectClass=groupOfNames))(member=%[1]s))(&(objectClass=groupOfUniqueNames)(uniqueMember=%[1]s)))"`
|
||||||
CacheSize int `envconfig:"cache_size" default:"512" desc:"a user info cache's size in KiB"`
|
RoleAttr string `envconfig:"role_attr" default:"description" desc:"a LDAP group's attribute that contains a role's name"`
|
||||||
CacheTTL time.Duration `envconfig:"cache_ttl" default:"30m" desc:"a user info cache TTL"`
|
RoleClaim string `envconfig:"role_claim" default:"https://github.com/i-core/werther/claims/roles" desc:"a name of an OpenID Connect claim that contains user roles"`
|
||||||
IsTLS bool `envconfig:"is_tls" default:"false" desc:"should LDAP connection be established via TLS"`
|
CacheSize int `envconfig:"cache_size" default:"512" desc:"a user info cache's size in KiB"`
|
||||||
|
CacheTTL time.Duration `envconfig:"cache_ttl" default:"30m" desc:"a user info cache TTL"`
|
||||||
|
IsTLS bool `envconfig:"is_tls" default:"false" desc:"should LDAP connection be established via TLS"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// Client is a LDAP client (compatible with Active Directory).
|
// Client is a LDAP client (compatible with Active Directory).
|
||||||
@ -71,9 +73,15 @@ type Client struct {
|
|||||||
// New creates a new LDAP client.
|
// New creates a new LDAP client.
|
||||||
func New(cnf Config) *Client {
|
func New(cnf Config) *Client {
|
||||||
return &Client{
|
return &Client{
|
||||||
Config: cnf,
|
Config: cnf,
|
||||||
connector: &ldapConnector{BaseDN: cnf.BaseDN, RoleBaseDN: cnf.RoleBaseDN, IsTLS: cnf.IsTLS},
|
connector: &ldapConnector{
|
||||||
cache: freecache.NewCache(cnf.CacheSize * 1024),
|
BaseDN: cnf.BaseDN,
|
||||||
|
UserSearchQuery: cnf.UserSearchQuery,
|
||||||
|
RoleBaseDN: cnf.RoleBaseDN,
|
||||||
|
IsTLS: cnf.IsTLS,
|
||||||
|
RoleSearchQuery: cnf.RoleSearchQuery,
|
||||||
|
},
|
||||||
|
cache: freecache.NewCache(cnf.CacheSize * 1024),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -296,9 +304,11 @@ func (cli *Client) findBasicUserDetails(cn conn, username string, attrs []string
|
|||||||
}
|
}
|
||||||
|
|
||||||
type ldapConnector struct {
|
type ldapConnector struct {
|
||||||
BaseDN string
|
BaseDN string
|
||||||
RoleBaseDN string
|
RoleBaseDN string
|
||||||
IsTLS bool
|
IsTLS bool
|
||||||
|
UserSearchQuery string
|
||||||
|
RoleSearchQuery string
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *ldapConnector) Connect(ctx context.Context, addr string) (conn, error) {
|
func (c *ldapConnector) Connect(ctx context.Context, addr string) (conn, error) {
|
||||||
@ -319,13 +329,21 @@ func (c *ldapConnector) Connect(ctx context.Context, addr string) (conn, error)
|
|||||||
ldapcn := ldap.NewConn(tcpcn, c.IsTLS)
|
ldapcn := ldap.NewConn(tcpcn, c.IsTLS)
|
||||||
|
|
||||||
ldapcn.Start()
|
ldapcn.Start()
|
||||||
return &ldapConn{Conn: ldapcn, BaseDN: c.BaseDN, RoleBaseDN: c.RoleBaseDN}, nil
|
return &ldapConn{
|
||||||
|
Conn: ldapcn,
|
||||||
|
BaseDN: c.BaseDN,
|
||||||
|
UserSearchQuery: c.UserSearchQuery,
|
||||||
|
RoleBaseDN: c.RoleBaseDN,
|
||||||
|
RoleSearchQuery: c.RoleSearchQuery,
|
||||||
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
type ldapConn struct {
|
type ldapConn struct {
|
||||||
*ldap.Conn
|
*ldap.Conn
|
||||||
BaseDN string
|
BaseDN string
|
||||||
RoleBaseDN string
|
RoleBaseDN string
|
||||||
|
UserSearchQuery string
|
||||||
|
RoleSearchQuery string
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *ldapConn) Bind(bindDN, password string) error {
|
func (c *ldapConn) Bind(bindDN, password string) error {
|
||||||
@ -337,17 +355,12 @@ func (c *ldapConn) Bind(bindDN, password string) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (c *ldapConn) SearchUser(user string, attrs ...string) ([]map[string]interface{}, error) {
|
func (c *ldapConn) SearchUser(user string, attrs ...string) ([]map[string]interface{}, error) {
|
||||||
query := fmt.Sprintf(
|
query := fmt.Sprintf(c.UserSearchQuery, user)
|
||||||
"(&(|(objectClass=organizationalPerson)(objectClass=inetOrgPerson))"+
|
|
||||||
"(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))", user)
|
|
||||||
return c.searchEntries(c.BaseDN, query, attrs)
|
return c.searchEntries(c.BaseDN, query, attrs)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *ldapConn) SearchUserRoles(user string, attrs ...string) ([]map[string]interface{}, error) {
|
func (c *ldapConn) SearchUserRoles(user string, attrs ...string) ([]map[string]interface{}, error) {
|
||||||
query := fmt.Sprintf("(|"+
|
query := fmt.Sprintf(c.RoleSearchQuery, user)
|
||||||
"(&(|(objectClass=group)(objectClass=groupOfNames))(member=%[1]s))"+
|
|
||||||
"(&(objectClass=groupOfUniqueNames)(uniqueMember=%[1]s))"+
|
|
||||||
")", user)
|
|
||||||
return c.searchEntries(c.RoleBaseDN, query, attrs)
|
return c.searchEntries(c.RoleBaseDN, query, attrs)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user