ldapauth

package
v0.0.0-...-3674750 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 19, 2024 License: MIT Imports: 19 Imported by: 0

Documentation

Overview

The LDAP authentication package forwards the credentials in the user session request for authentication with a configured upstream LDAP server

This package relies on the two following local database tables:

ldap_sessions: 	Upon successful LDAP response, creates a keyed local copy of the user email
ldap_user_api_tokens: User created API tokens, tied to the node, storing user email.

Note: user can have only one API token at a time, and token expiration is enforced

User session and roles are cached and revalidated with the upstream service at the interval defined in the local LDAP config through the Application.sessionReaper implementation in reaper.go.

Changes to the upstream identity server will propagate through and update local tables (web sessions, API tokens) by either removing the entries or updating the roles. This sync happens for every auth endpoint hit, and via the defined sync interval. One goroutine is created to coordinate the sync timing in the New function

This implementation is read only; user mutation actions such as Delete are not supported.

MFA is supported via the remote LDAP server implementation. Sufficient request time out should accommodate for a blocking auth call while the user responds to a potential push notification callback.

Index

Constants

View Source
const (
	UniqueMemberAttribute = "uniqueMember"
)

Variables

View Source
var ErrUserNoLDAPGroups = errors.New("user present in directory, but matching no role groups assigned")
View Source
var ErrUserNotInUpstream = errors.New("LDAP query returned no matching users")

Functions

func GroupSearchResultsToUserRole

func GroupSearchResultsToUserRole(ldapGroups []*ldap.Entry, adminCN string, editCN string, runCN string, readCN string) (sessions.UserRole, error)

func NewLDAPAuthenticator

func NewLDAPAuthenticator(
	db *sqlx.DB,
	pgCfg pg.QConfig,
	ldapCfg config.LDAP,
	dev bool,
	lggr logger.Logger,
	auditLogger audit.AuditLogger,
) (*ldapAuthenticator, error)

func NewLDAPServerStateSync

func NewLDAPServerStateSync(
	db *sqlx.DB,
	pgCfg pg.QConfig,
	config config.LDAP,
	lggr logger.Logger,
) *utils.SleeperTask

NewLDAPServerStateSync creates a reaper that cleans stale sessions from the store.

Types

type LDAPClient

type LDAPClient interface {
	CreateEphemeralConnection() (LDAPConn, error)
}

Wrapper for creating a handle to a *ldap.Conn/LDAPConn interface

type LDAPConn

type LDAPConn interface {
	Search(searchRequest *ldap.SearchRequest) (*ldap.SearchResult, error)
	Bind(username string, password string) error
	Close() (err error)
}

Wrapper for ldap connection and mock testing, implemented by *ldap.Conn

type LDAPServerStateSyncer

type LDAPServerStateSyncer struct {
	// contains filtered or unexported fields
}

func (*LDAPServerStateSyncer) Name

func (ldSync *LDAPServerStateSyncer) Name() string

func (*LDAPServerStateSyncer) StartWorkOnTimer

func (ldSync *LDAPServerStateSyncer) StartWorkOnTimer()

func (*LDAPServerStateSyncer) Work

func (ldSync *LDAPServerStateSyncer) Work()

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL