Documentation
Overview
Package ldap implements strategies for authenticating using the LDAP protocol.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Config
type Config struct {
	// The host and optional port of the LDAP server. If port isn't supplied, it will be
	// guessed based on the TLS configuration. 389 or 636.
	Host string `json:"host"`

	// Required if LDAP host does not use TLS.
	InsecureNoSSL bool `json:"insecureNoSSL"`

	// Don't verify the CA.
	InsecureSkipVerify bool `json:"insecureSkipVerify"`

	// Connect to the insecure port then issue a StartTLS command to negotiate a
	// secure connection. If unsupplied secure connections will use the LDAPS
	// protocol.
	StartTLS bool `json:"startTLS"`

	// Path to a trusted root certificate file.
	RootCA string `json:"rootCA"`
	// Path to a client cert file generated by rootCA.
	ClientCert string `json:"clientCert"`
	// Path to a client private key file generated by rootCA.
	ClientKey string `json:"clientKey"`
	// Base64 encoded PEM data containing root CAs.
	RootCAData []byte `json:"rootCAData"`

	// BindDN and BindPW for an application service account. The connector uses these
	// credentials to search for users and groups.
	BindDN string `json:"bindDN"`
	BindPW string `json:"bindPW"`

	// UsernamePrompt allows users to override the username attribute (displayed
	// in the username/password prompt). If unset, the handler will use
	// "Username".
	UsernamePrompt string `json:"usernamePrompt"`

	// User entry search configuration.
	UserSearch struct {
		// BaseDN to start the search from. For example "cn=users,dc=example,dc=com"
		BaseDN string `json:"baseDN"`

		// Optional filter to apply when searching the directory. For example "(objectClass=person)"
		Filter string `json:"filter"`

		// Attribute to match against the inputted username. This will be translated and combined
		// with the other filter as "(<attr>=<username>)".
		Username string `json:"username"`

		// Can either be:
		// * "sub" - search the whole sub tree
		// * "one" - only search one level
		Scope string `json:"scope"`

		// A mapping of attributes on the user entry to claims.
		IDAttr                    string `json:"idAttr"`                // Defaults to "uid"
		EmailAttr                 string `json:"emailAttr"`             // Defaults to "mail"
		NameAttr                  string `json:"nameAttr"`              // No default.
		PreferredUsernameAttrAttr string `json:"preferredUsernameAttr"` // No default.

		// If this is set, the email claim of the id token will be constructed from the idAttr and
		// value of emailSuffix. This should not include the @ character.
		EmailSuffix string `json:"emailSuffix"` // No default.
	} `json:"userSearch"`

	// Group search configuration.
	GroupSearch struct {
		// BaseDN to start the search from. For example "cn=groups,dc=example,dc=com"
		BaseDN string `json:"baseDN"`

		// Optional filter to apply when searching the directory. For example "(objectClass=posixGroup)"
		Filter string `json:"filter"`

		Scope string `json:"scope"` // Defaults to "sub"

		// DEPRECATED config options. Those are left for backward compatibility.
		// See "UserMatchers" below for the current group to user matching implementation
		// TODO: should be eventually removed from the code
		UserAttr  string `json:"userAttr"`
		GroupAttr string `json:"groupAttr"`

		// Array of the field pairs used to match a user to a group.
		// See the "UserMatcher" struct for the exact field names
		//
		// Each pair adds an additional requirement to the filter that an attribute in the group
		// match the user's attribute value. For example that the "members" attribute of
		// a group matches the "uid" of the user. The exact filter being added is:
		//
		// (userMatchers[n].<groupAttr>=userMatchers[n].<userAttr value>)
		//
		UserMatchers []UserMatcher `json:"userMatchers"`

		// The attribute of the group that represents its name.
		NameAttr string `json:"nameAttr"`
	} `json:"groupSearch"`
}
Config holds configuration options for LDAP logins.
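The userSearch and groupSearch comments above describe how the submitted username and the matcher pairs are spliced into LDAP search filters. The following added example (not code from this package) shows that construction with RFC 4515 escaping of the user-supplied value, so that a username containing filter metacharacters cannot change the filter's shape. The UserSearch, UserMatcher and GroupSearch types are an assumed subset of the connector's options, and EscapeFilterValue is a self-contained escaper written for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed subset of the connector's userSearch/groupSearch options (not the package's own types).
type UserSearch struct{ Filter, Username string }
type UserMatcher struct{ UserAttr, GroupAttr string }
type GroupSearch struct {
	Filter       string
	UserMatchers []UserMatcher
}

// EscapeFilterValue encodes an assertion value per RFC 4515 section 3: ( ) * \ NUL and
// non-ASCII bytes become \XX, so a submitted username cannot alter the filter's structure.
func EscapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if c := s[i]; c == '(' || c == ')' || c == '*' || c == '\\' || c == 0 || c >= 0x80 {
			fmt.Fprintf(&b, `\%02x`, c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// UserFilter ANDs the configured filter with "(<attr>=<username>)", as the Config comment describes.
func UserFilter(us UserSearch, username string) string {
	f := fmt.Sprintf("(%s=%s)", us.Username, EscapeFilterValue(username))
	if us.Filter == "" {
		return f
	}
	return "(&" + us.Filter + f + ")"
}

// GroupFilter adds one "(<groupAttr>=<user attr value>)" requirement per matcher to the
// configured group filter; userAttrs holds values read from the authenticated user's entry.
func GroupFilter(gs GroupSearch, userAttrs map[string]string) string {
	parts := []string{gs.Filter}
	for _, m := range gs.UserMatchers {
		parts = append(parts, fmt.Sprintf("(%s=%s)", m.GroupAttr, EscapeFilterValue(userAttrs[m.UserAttr])))
	}
	return "(&" + strings.Join(parts, "") + ")"
}

func main() { fmt.Println(UserFilter(UserSearch{Filter: "(objectClass=person)", Username: "uid"}, "jo(h)n*")) }
```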
func (*Config) OpenConnector
func (c *Config) OpenConnector(logger *slog.Logger) (
	interface {
		connector.Connector
		connector.PasswordConnector
		connector.RefreshConnector
	},
	error,
)
OpenConnector is the same as Open but returns a type with all implemented connector interfaces.
type UserMatcher
UserMatcher holds information about user and group matching.