outposts/ldap: add support for base scope and domain info
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer
parent
674bd9e05c
commit
c7e6eb8896
|
|
@ -79,6 +79,11 @@ func (pi *ProviderInstance) Search(req SearchRequest) (ldap.ServerSearchResult,
|
||||||
}).Inc()
|
}).Inc()
|
||||||
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, errors.New("access denied")
|
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, errors.New("access denied")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if req.SearchRequest.Scope == ldap.ScopeBaseObject {
|
||||||
|
pi.log.Debug("base scope, showing domain info")
|
||||||
|
return pi.SearchBase(req, flags.CanSearch)
|
||||||
|
}
|
||||||
if !flags.CanSearch {
|
if !flags.CanSearch {
|
||||||
pi.log.Debug("User can't search, showing info about user")
|
pi.log.Debug("User can't search, showing info about user")
|
||||||
return pi.SearchMe(req, flags)
|
return pi.SearchMe(req, flags)
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,53 @@
|
||||||
|
package ldap
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
|
||||||
|
"github.com/nmcclain/ldap"
|
||||||
|
"goauthentik.io/internal/constants"
|
||||||
|
)
|
||||||
|
|
||||||
|
func (pi *ProviderInstance) SearchBase(req SearchRequest, authz bool) (ldap.ServerSearchResult, error) {
|
||||||
|
dn := ""
|
||||||
|
if authz {
|
||||||
|
dn = req.SearchRequest.BaseDN
|
||||||
|
}
|
||||||
|
return ldap.ServerSearchResult{
|
||||||
|
Entries: []*ldap.Entry{
|
||||||
|
{
|
||||||
|
DN: dn,
|
||||||
|
Attributes: []*ldap.EntryAttribute{
|
||||||
|
{
|
||||||
|
Name: "distinguishedName",
|
||||||
|
Values: []string{pi.BaseDN},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Name: "objectClass",
|
||||||
|
Values: []string{"top", "domain"},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Name: "supportedLDAPVersion",
|
||||||
|
Values: []string{"3"},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Name: "namingContexts",
|
||||||
|
Values: []string{
|
||||||
|
pi.BaseDN,
|
||||||
|
pi.GroupDN,
|
||||||
|
pi.UserDN,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Name: "vendorName",
|
||||||
|
Values: []string{"goauthentik.io"},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Name: "vendorVersion",
|
||||||
|
Values: []string{fmt.Sprintf("authentik LDAP Outpost Version %s (build %s)", constants.VERSION, constants.BUILD())},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Referrals: []string{}, Controls: []ldap.Control{}, ResultCode: ldap.LDAPResultSuccess,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
@ -38,7 +38,7 @@ func (ls *LDAPServer) Search(bindDN string, searchReq ldap.SearchRequest, conn n
|
||||||
SearchRequest: searchReq,
|
SearchRequest: searchReq,
|
||||||
BindDN: bindDN,
|
BindDN: bindDN,
|
||||||
conn: conn,
|
conn: conn,
|
||||||
log: ls.log.WithField("bindDN", bindDN).WithField("requestId", rid).WithField("client", utils.GetIP(conn.RemoteAddr())).WithField("filter", searchReq.Filter).WithField("baseDN", searchReq.BaseDN),
|
log: ls.log.WithField("bindDN", bindDN).WithField("requestId", rid).WithField("scope", ldap.ScopeMap[searchReq.Scope]).WithField("client", utils.GetIP(conn.RemoteAddr())).WithField("filter", searchReq.Filter).WithField("baseDN", searchReq.BaseDN),
|
||||||
id: rid,
|
id: rid,
|
||||||
ctx: span.Context(),
|
ctx: span.Context(),
|
||||||
}
|
}
|
||||||
|
|
@ -74,7 +74,7 @@ func (ls *LDAPServer) Search(bindDN string, searchReq ldap.SearchRequest, conn n
|
||||||
}
|
}
|
||||||
for _, provider := range ls.providers {
|
for _, provider := range ls.providers {
|
||||||
providerBase, _ := goldap.ParseDN(provider.BaseDN)
|
providerBase, _ := goldap.ParseDN(provider.BaseDN)
|
||||||
if providerBase.AncestorOf(bd) {
|
if providerBase.AncestorOf(bd) || providerBase.Equal(bd) {
|
||||||
return provider.Search(req)
|
return provider.Search(req)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Reference in New Issue