2015-08-16 09:31:54 +03:00
// Copyright 2014 The Gogs Authors. All rights reserved.
2014-04-22 20:55:27 +04:00
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
2015-08-16 09:31:54 +03:00
// Package ldap provide functions & structure to query a LDAP ldap directory
2014-04-22 20:55:27 +04:00
// For now, it's mainly tested again an MS Active Directory service, see README.md for more information
package ldap
import (
2015-09-14 22:48:51 +03:00
"crypto/tls"
2014-04-22 20:55:27 +04:00
"fmt"
2015-10-27 04:08:59 +03:00
"strings"
2014-05-03 06:48:14 +04:00
2015-11-26 22:04:58 +03:00
"gopkg.in/ldap.v2"
2014-04-22 20:55:27 +04:00
"github.com/gogits/gogs/modules/log"
)
// Basic LDAP authentication service
2015-09-14 22:48:51 +03:00
type Source struct {
2015-12-01 16:49:49 +03:00
Name string // canonical name (ie. corporate.ad)
Host string // LDAP host
Port int // port number
UseSSL bool // Use SSL
SkipVerify bool
BindDN string // DN to bind with
BindPassword string // Bind DN password
UserBase string // Base search path for users
UserDN string // Template for the DN of the user for simple auth
AttributeUsername string // Username attribute
AttributeName string // First name attribute
AttributeSurname string // Surname attribute
AttributeMail string // E-mail attribute
Filter string // Query filter to validate entry
AdminFilter string // Query filter to check if user is admin
Enabled bool // if this source is disabled
2014-04-22 20:55:27 +04:00
}
2015-10-27 04:08:59 +03:00
func ( ls * Source ) sanitizedUserQuery ( username string ) ( string , bool ) {
// See http://tools.ietf.org/search/rfc4515
badCharacters := "\x00()*\\"
if strings . ContainsAny ( username , badCharacters ) {
log . Debug ( "'%s' contains invalid query characters. Aborting." , username )
return "" , false
}
return fmt . Sprintf ( ls . Filter , username ) , true
}
func ( ls * Source ) sanitizedUserDN ( username string ) ( string , bool ) {
// See http://tools.ietf.org/search/rfc4514: "special characters"
badCharacters := "\x00()*\\,='\"#+;<> "
if strings . ContainsAny ( username , badCharacters ) {
log . Debug ( "'%s' contains invalid DN characters. Aborting." , username )
return "" , false
}
return fmt . Sprintf ( ls . UserDN , username ) , true
}
2015-09-14 22:48:51 +03:00
func ( ls * Source ) FindUserDN ( name string ) ( string , bool ) {
2015-08-13 02:58:27 +03:00
l , err := ldapDial ( ls )
if err != nil {
log . Error ( 4 , "LDAP Connect error, %s:%v" , ls . Host , err )
ls . Enabled = false
2015-08-16 09:31:54 +03:00
return "" , false
2015-08-13 02:58:27 +03:00
}
defer l . Close ( )
2014-04-22 20:55:27 +04:00
2015-08-13 02:58:27 +03:00
log . Trace ( "Search for LDAP user: %s" , name )
if ls . BindDN != "" && ls . BindPassword != "" {
err = l . Bind ( ls . BindDN , ls . BindPassword )
if err != nil {
2015-08-17 23:03:11 +03:00
log . Debug ( "Failed to bind as BindDN[%s]: %v" , ls . BindDN , err )
2015-08-16 09:31:54 +03:00
return "" , false
2014-04-22 20:55:27 +04:00
}
2015-08-13 02:58:27 +03:00
log . Trace ( "Bound as BindDN %s" , ls . BindDN )
} else {
log . Trace ( "Proceeding with anonymous LDAP search." )
}
// A search for the user.
2015-10-27 04:08:59 +03:00
userFilter , ok := ls . sanitizedUserQuery ( name )
if ! ok {
return "" , false
}
2015-08-13 02:58:27 +03:00
log . Trace ( "Searching using filter %s" , userFilter )
search := ldap . NewSearchRequest (
ls . UserBase , ldap . ScopeWholeSubtree , ldap . NeverDerefAliases , 0 , 0 ,
false , userFilter , [ ] string { } , nil )
// Ensure we found a user
sr , err := l . Search ( search )
if err != nil || len ( sr . Entries ) < 1 {
2015-08-17 23:03:11 +03:00
log . Debug ( "Failed search using filter[%s]: %v" , userFilter , err )
2015-08-16 09:31:54 +03:00
return "" , false
2015-08-13 02:58:27 +03:00
} else if len ( sr . Entries ) > 1 {
log . Debug ( "Filter '%s' returned more than one user." , userFilter )
2015-08-16 09:31:54 +03:00
return "" , false
2014-04-22 20:55:27 +04:00
}
2015-08-13 02:58:27 +03:00
2015-08-16 09:31:54 +03:00
userDN := sr . Entries [ 0 ] . DN
2015-08-13 02:58:27 +03:00
if userDN == "" {
log . Error ( 4 , "LDAP search was succesful, but found no DN!" )
2015-08-16 09:31:54 +03:00
return "" , false
2015-08-13 02:58:27 +03:00
}
2015-08-16 09:31:54 +03:00
return userDN , true
2014-04-22 20:55:27 +04:00
}
2015-08-13 02:58:27 +03:00
// searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
2015-12-01 16:49:49 +03:00
func ( ls * Source ) SearchEntry ( name , passwd string , directBind bool ) ( string , string , string , string , bool , bool ) {
2015-09-05 06:39:23 +03:00
var userDN string
if directBind {
2015-09-16 19:15:14 +03:00
log . Trace ( "LDAP will bind directly via UserDN template: %s" , ls . UserDN )
2015-10-27 04:08:59 +03:00
var ok bool
userDN , ok = ls . sanitizedUserDN ( name )
if ! ok {
2015-12-01 16:49:49 +03:00
return "" , "" , "" , "" , false , false
2015-10-27 04:08:59 +03:00
}
2015-09-05 06:39:23 +03:00
} else {
log . Trace ( "LDAP will use BindDN." )
var found bool
userDN , found = ls . FindUserDN ( name )
if ! found {
2015-12-01 16:49:49 +03:00
return "" , "" , "" , "" , false , false
2015-09-05 06:39:23 +03:00
}
2015-08-13 02:58:27 +03:00
}
2014-05-15 16:21:27 +04:00
l , err := ldapDial ( ls )
2014-04-22 20:55:27 +04:00
if err != nil {
2015-11-05 05:57:10 +03:00
log . Error ( 4 , "LDAP Connect error (%s): %v" , ls . Host , err )
2014-04-22 20:55:27 +04:00
ls . Enabled = false
2015-12-01 16:49:49 +03:00
return "" , "" , "" , "" , false , false
2014-04-22 20:55:27 +04:00
}
defer l . Close ( )
2015-08-13 02:58:27 +03:00
log . Trace ( "Binding with userDN: %s" , userDN )
err = l . Bind ( userDN , passwd )
2014-04-22 20:55:27 +04:00
if err != nil {
2015-08-17 23:03:11 +03:00
log . Debug ( "LDAP auth. failed for %s, reason: %v" , userDN , err )
2015-12-01 16:49:49 +03:00
return "" , "" , "" , "" , false , false
2014-04-22 20:55:27 +04:00
}
2015-08-13 02:58:27 +03:00
log . Trace ( "Bound successfully with userDN: %s" , userDN )
2015-10-27 04:08:59 +03:00
userFilter , ok := ls . sanitizedUserQuery ( name )
if ! ok {
2015-12-01 16:49:49 +03:00
return "" , "" , "" , "" , false , false
2015-10-27 04:08:59 +03:00
}
2014-09-08 04:04:47 +04:00
search := ldap . NewSearchRequest (
2015-08-13 02:58:27 +03:00
userDN , ldap . ScopeWholeSubtree , ldap . NeverDerefAliases , 0 , 0 , false , userFilter ,
[ ] string { ls . AttributeName , ls . AttributeSurname , ls . AttributeMail } ,
2014-04-22 20:55:27 +04:00
nil )
2015-08-13 02:58:27 +03:00
2014-04-22 20:55:27 +04:00
sr , err := l . Search ( search )
if err != nil {
2015-08-17 23:03:11 +03:00
log . Error ( 4 , "LDAP Search failed unexpectedly! (%v)" , err )
2015-12-01 16:49:49 +03:00
return "" , "" , "" , "" , false , false
2015-08-13 02:58:27 +03:00
} else if len ( sr . Entries ) < 1 {
2015-09-05 06:39:23 +03:00
if directBind {
log . Error ( 4 , "User filter inhibited user login." )
} else {
log . Error ( 4 , "LDAP Search failed unexpectedly! (0 entries)" )
}
2015-12-01 16:49:49 +03:00
return "" , "" , "" , "" , false , false
2014-04-22 20:55:27 +04:00
}
2015-08-13 02:58:27 +03:00
2015-12-01 16:49:49 +03:00
username_attr := sr . Entries [ 0 ] . GetAttributeValue ( ls . AttributeUsername )
2015-08-13 02:58:27 +03:00
name_attr := sr . Entries [ 0 ] . GetAttributeValue ( ls . AttributeName )
sn_attr := sr . Entries [ 0 ] . GetAttributeValue ( ls . AttributeSurname )
mail_attr := sr . Entries [ 0 ] . GetAttributeValue ( ls . AttributeMail )
2015-08-19 07:34:03 +03:00
admin_attr := false
2015-09-01 15:40:11 +03:00
if len ( ls . AdminFilter ) > 0 {
search = ldap . NewSearchRequest (
userDN , ldap . ScopeWholeSubtree , ldap . NeverDerefAliases , 0 , 0 , false , ls . AdminFilter ,
[ ] string { ls . AttributeName } ,
nil )
sr , err = l . Search ( search )
if err != nil {
log . Error ( 4 , "LDAP Admin Search failed unexpectedly! (%v)" , err )
} else if len ( sr . Entries ) < 1 {
log . Error ( 4 , "LDAP Admin Search failed" )
} else {
admin_attr = true
}
2015-08-19 07:34:03 +03:00
}
2015-12-01 16:49:49 +03:00
return username_attr , name_attr , sn_attr , mail_attr , admin_attr , true
2014-04-22 20:55:27 +04:00
}
2014-05-15 16:21:27 +04:00
2015-09-14 22:48:51 +03:00
func ldapDial ( ls * Source ) ( * ldap . Conn , error ) {
2014-05-15 16:21:27 +04:00
if ls . UseSSL {
2015-09-14 22:48:51 +03:00
log . Debug ( "Using TLS for LDAP without verifying: %v" , ls . SkipVerify )
return ldap . DialTLS ( "tcp" , fmt . Sprintf ( "%s:%d" , ls . Host , ls . Port ) , & tls . Config {
InsecureSkipVerify : ls . SkipVerify ,
} )
2014-05-15 16:21:27 +04:00
} else {
2014-09-08 04:04:47 +04:00
return ldap . Dial ( "tcp" , fmt . Sprintf ( "%s:%d" , ls . Host , ls . Port ) )
2014-05-15 16:21:27 +04:00
}
}