Documentation ¶
Index ¶
- Constants
- Variables
- func IsEnabled() bool
- func ReloadConfig() error
- type AttributeMap
- type Config
- type GroupToOrgRole
- type IConnection
- type IServer
- type MockConnection
- func (c *MockConnection) Add(request *ldap.AddRequest) error
- func (c *MockConnection) Bind(username, password string) error
- func (c *MockConnection) Close()
- func (c *MockConnection) Del(request *ldap.DelRequest) error
- func (c *MockConnection) Search(sr *ldap.SearchRequest) (*ldap.SearchResult, error)
- func (c *MockConnection) StartTLS(*tls.Config) error
- func (c *MockConnection) UnauthenticatedBind(username string) error
- type Server
- func (server *Server) AdminBind() error
- func (server *Server) Bind() error
- func (server *Server) Close()
- func (server *Server) Dial() error
- func (server *Server) Login(query *models.LoginUserQuery) (*models.ExternalUserInfo, error)
- func (server *Server) UserBind(username, password string) error
- func (server *Server) Users(logins []string) ([]*models.ExternalUserInfo, error)
- type ServerConfig
Constants ¶
const UsersMaxRequest = 500
UsersMaxRequest is a max amount of users we can request via Users(). Since many LDAP servers has limitations on how much items can we return in one request
Variables ¶
var ( // ErrInvalidCredentials is returned if username and password do not match ErrInvalidCredentials = errors.New("Invalid Username or Password") // ErrCouldNotFindUser is returned when username hasn't been found (not username+password) ErrCouldNotFindUser = errors.New("Can't find user in LDAP") )
Functions ¶
func ReloadConfig ¶
func ReloadConfig() error
ReloadConfig reads the config from the disc and caches it.
Types ¶
type AttributeMap ¶
type AttributeMap struct { Username string `toml:"username"` Name string `toml:"name"` Surname string `toml:"surname"` Email string `toml:"email"` MemberOf string `toml:"member_of"` }
AttributeMap is a struct representation for LDAP "attributes" setting
type Config ¶
type Config struct {
Servers []*ServerConfig `toml:"servers"`
}
Config holds list of connections to LDAP
type GroupToOrgRole ¶
type GroupToOrgRole struct { GroupDN string `toml:"group_dn"` OrgId int64 `toml:"org_id"` // This pointer specifies if setting was set (for backwards compatibility) IsGrafanaAdmin *bool `toml:"grafana_admin"` OrgRole models.RoleType `toml:"org_role"` }
GroupToOrgRole is a struct representation of LDAP config "group_mappings" setting
type IConnection ¶
type IConnection interface { Bind(username, password string) error UnauthenticatedBind(username string) error Add(*ldap.AddRequest) error Del(*ldap.DelRequest) error Search(*ldap.SearchRequest) (*ldap.SearchResult, error) StartTLS(*tls.Config) error Close() }
IConnection is interface for LDAP connection manipulation
type IServer ¶
type IServer interface { Login(*models.LoginUserQuery) (*models.ExternalUserInfo, error) Users([]string) ([]*models.ExternalUserInfo, error) Bind() error UserBind(string, string) error Dial() error Close() }
IServer is interface for LDAP authorization
type MockConnection ¶
type MockConnection struct { SearchResult *ldap.SearchResult SearchError error SearchCalled bool SearchAttributes []string AddParams *ldap.AddRequest AddCalled bool DelParams *ldap.DelRequest DelCalled bool CloseCalled bool UnauthenticatedBindCalled bool BindCalled bool BindProvider func(username, password string) error UnauthenticatedBindProvider func() error }
MockConnection struct for testing
func (*MockConnection) Add ¶
func (c *MockConnection) Add(request *ldap.AddRequest) error
Add mocks Add connection function
func (*MockConnection) Bind ¶
func (c *MockConnection) Bind(username, password string) error
Bind mocks Bind connection function
func (*MockConnection) Close ¶
func (c *MockConnection) Close()
Close mocks Close connection function
func (*MockConnection) Del ¶
func (c *MockConnection) Del(request *ldap.DelRequest) error
Del mocks Del connection function
func (*MockConnection) Search ¶
func (c *MockConnection) Search(sr *ldap.SearchRequest) (*ldap.SearchResult, error)
Search mocks Search connection function
func (*MockConnection) StartTLS ¶
func (c *MockConnection) StartTLS(*tls.Config) error
StartTLS mocks StartTLS connection function
func (*MockConnection) UnauthenticatedBind ¶
func (c *MockConnection) UnauthenticatedBind(username string) error
UnauthenticatedBind mocks UnauthenticatedBind connection function
type Server ¶
type Server struct { Config *ServerConfig Connection IConnection // contains filtered or unexported fields }
Server is basic struct of LDAP authorization
func (*Server) AdminBind ¶
AdminBind binds "admin" user with LDAP Dial() sets the connection with the server for this Struct. Therefore, we require a call to Dial() before being able to execute this function.
func (*Server) Bind ¶
Bind authenticates the connection with the LDAP server - with the username and password setup in the config - or, anonymously
Dial() sets the connection with the server for this Struct. Therefore, we require a call to Dial() before being able to execute this function.
func (*Server) Close ¶
func (server *Server) Close()
Close closes the LDAP connection Dial() sets the connection with the server for this Struct. Therefore, we require a call to Dial() before being able to execute this function.
func (*Server) Login ¶
func (server *Server) Login(query *models.LoginUserQuery) ( *models.ExternalUserInfo, error, )
Login the user. There are several cases - 1. "admin" user Bind the "admin" user (defined in Grafana config file) which has the search privileges in LDAP server, then we search the targeted user through that bind, then the second perform the bind via passed login/password. 2. Single bind // If all the users meant to be used with Grafana have the ability to search in LDAP server then we bind with LDAP server with targeted login/password and then search for the said user in order to retrieve all the information about them 3. Unauthenticated bind For some LDAP configurations it is allowed to search the user without login/password binding with LDAP server, in such case we will perform "unauthenticated bind", then search for the targeted user and then perform the bind with passed login/password.
Dial() sets the connection with the server for this Struct. Therefore, we require a call to Dial() before being able to execute this function.
type ServerConfig ¶
type ServerConfig struct { Host string `toml:"host"` Port int `toml:"port"` UseSSL bool `toml:"use_ssl"` StartTLS bool `toml:"start_tls"` SkipVerifySSL bool `toml:"ssl_skip_verify"` RootCACert string `toml:"root_ca_cert"` ClientCert string `toml:"client_cert"` ClientKey string `toml:"client_key"` BindDN string `toml:"bind_dn"` BindPassword string `toml:"bind_password"` Attr AttributeMap `toml:"attributes"` SearchFilter string `toml:"search_filter"` SearchBaseDNs []string `toml:"search_base_dns"` GroupSearchFilter string `toml:"group_search_filter"` GroupSearchFilterUserAttribute string `toml:"group_search_filter_user_attribute"` GroupSearchBaseDNs []string `toml:"group_search_base_dns"` Groups []*GroupToOrgRole `toml:"group_mappings"` }
ServerConfig holds connection data to LDAP