ldap

package
v0.0.0-test Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 24, 2021 License: AGPL-3.0 Imports: 17 Imported by: 0

Documentation

Index

Constants

View Source
const UsersMaxRequest = 500

UsersMaxRequest is a max amount of users we can request via Users(). Since many LDAP servers has limitations on how much items can we return in one request

Variables

View Source
var (

	// ErrInvalidCredentials is returned if username and password do not match
	ErrInvalidCredentials = errors.New("invalid username or password")

	// ErrCouldNotFindUser is returned when username hasn't been found (not username+password)
	ErrCouldNotFindUser = errors.New("can't find user in LDAP")
)

Functions

func IsEnabled

func IsEnabled() bool

IsEnabled checks if ldap is enabled

func ReloadConfig

func ReloadConfig() error

ReloadConfig reads the config from the disk and caches it.

Types

type AttributeMap

type AttributeMap struct {
	Username string `toml:"username"`
	Name     string `toml:"name"`
	Surname  string `toml:"surname"`
	Email    string `toml:"email"`
	MemberOf string `toml:"member_of"`
}

AttributeMap is a struct representation for LDAP "attributes" setting

type Config

type Config struct {
	Servers []*ServerConfig `toml:"servers"`
}

Config holds list of connections to LDAP

func GetConfig

func GetConfig(cfg *setting.Cfg) (*Config, error)

GetConfig returns the LDAP config if LDAP is enabled otherwise it returns nil. It returns either cached value of the config or it reads it and caches it first.

type GroupToOrgRole

type GroupToOrgRole struct {
	GroupDN string `toml:"group_dn"`
	OrgId   int64  `toml:"org_id"`

	// This pointer specifies if setting was set (for backwards compatibility)
	IsGrafanaAdmin *bool `toml:"grafana_admin"`

	OrgRole models.RoleType `toml:"org_role"`
}

GroupToOrgRole is a struct representation of LDAP config "group_mappings" setting

type IConnection

type IConnection interface {
	Bind(username, password string) error
	UnauthenticatedBind(username string) error
	Add(*ldap.AddRequest) error
	Del(*ldap.DelRequest) error
	Search(*ldap.SearchRequest) (*ldap.SearchResult, error)
	StartTLS(*tls.Config) error
	Close()
}

IConnection is interface for LDAP connection manipulation

type IServer

type IServer interface {
	Login(*models.LoginUserQuery) (*models.ExternalUserInfo, error)
	Users([]string) ([]*models.ExternalUserInfo, error)
	Bind() error
	UserBind(string, string) error
	Dial() error
	Close()
}

IServer is interface for LDAP authorization

func New

func New(config *ServerConfig) IServer

New creates the new LDAP connection

type MockConnection

type MockConnection struct {
	SearchFunc       searchFunc
	SearchCalled     bool
	SearchAttributes []string

	AddParams *ldap.AddRequest
	AddCalled bool

	DelParams *ldap.DelRequest
	DelCalled bool

	CloseCalled bool

	UnauthenticatedBindCalled bool
	BindCalled                bool

	BindProvider                func(username, password string) error
	UnauthenticatedBindProvider func() error
}

MockConnection struct for testing

func (*MockConnection) Add

func (c *MockConnection) Add(request *ldap.AddRequest) error

Add mocks Add connection function

func (*MockConnection) Bind

func (c *MockConnection) Bind(username, password string) error

Bind mocks Bind connection function

func (*MockConnection) Close

func (c *MockConnection) Close()

Close mocks Close connection function

func (*MockConnection) Del

func (c *MockConnection) Del(request *ldap.DelRequest) error

Del mocks Del connection function

func (*MockConnection) Search

func (c *MockConnection) Search(sr *ldap.SearchRequest) (*ldap.SearchResult, error)

Search mocks Search connection function

func (*MockConnection) StartTLS

func (c *MockConnection) StartTLS(*tls.Config) error

StartTLS mocks StartTLS connection function

func (*MockConnection) UnauthenticatedBind

func (c *MockConnection) UnauthenticatedBind(username string) error

UnauthenticatedBind mocks UnauthenticatedBind connection function

type Server

type Server struct {
	Config     *ServerConfig
	Connection IConnection
	// contains filtered or unexported fields
}

Server is basic struct of LDAP authorization

func (*Server) AdminBind

func (server *Server) AdminBind() error

AdminBind binds "admin" user with LDAP Dial() sets the connection with the server for this Struct. Therefore, we require a call to Dial() before being able to execute this function.

func (*Server) Bind

func (server *Server) Bind() error

Bind authenticates the connection with the LDAP server - with the username and password setup in the config - or, anonymously

Dial() sets the connection with the server for this Struct. Therefore, we require a call to Dial() before being able to execute this function.

func (*Server) Close

func (server *Server) Close()

Close closes the LDAP connection Dial() sets the connection with the server for this Struct. Therefore, we require a call to Dial() before being able to execute this function.

func (*Server) Dial

func (server *Server) Dial() error

Dial dials in the LDAP TODO: decrease cyclomatic complexity

func (*Server) Login

func (server *Server) Login(query *models.LoginUserQuery) (
	*models.ExternalUserInfo, error,
)

Login the user. There are several cases - 1. "admin" user Bind the "admin" user (defined in Grafana config file) which has the search privileges in LDAP server, then we search the targeted user through that bind, then the second perform the bind via passed login/password. 2. Single bind // If all the users meant to be used with Grafana have the ability to search in LDAP server then we bind with LDAP server with targeted login/password and then search for the said user in order to retrieve all the information about them 3. Unauthenticated bind For some LDAP configurations it is allowed to search the user without login/password binding with LDAP server, in such case we will perform "unauthenticated bind", then search for the targeted user and then perform the bind with passed login/password.

Dial() sets the connection with the server for this Struct. Therefore, we require a call to Dial() before being able to execute this function.

func (*Server) UserBind

func (server *Server) UserBind(username, password string) error

UserBind binds the user with the LDAP server Dial() sets the connection with the server for this Struct. Therefore, we require a call to Dial() before being able to execute this function.

func (*Server) Users

func (server *Server) Users(logins []string) (
	[]*models.ExternalUserInfo,
	error,
)

Users gets LDAP users by logins Dial() sets the connection with the server for this Struct. Therefore, we require a call to Dial() before being able to execute this function.

type ServerConfig

type ServerConfig struct {
	Host          string       `toml:"host"`
	Port          int          `toml:"port"`
	UseSSL        bool         `toml:"use_ssl"`
	StartTLS      bool         `toml:"start_tls"`
	SkipVerifySSL bool         `toml:"ssl_skip_verify"`
	RootCACert    string       `toml:"root_ca_cert"`
	ClientCert    string       `toml:"client_cert"`
	ClientKey     string       `toml:"client_key"`
	BindDN        string       `toml:"bind_dn"`
	BindPassword  string       `toml:"bind_password"`
	Attr          AttributeMap `toml:"attributes"`

	SearchFilter  string   `toml:"search_filter"`
	SearchBaseDNs []string `toml:"search_base_dns"`

	GroupSearchFilter              string   `toml:"group_search_filter"`
	GroupSearchFilterUserAttribute string   `toml:"group_search_filter_user_attribute"`
	GroupSearchBaseDNs             []string `toml:"group_search_base_dns"`

	Groups []*GroupToOrgRole `toml:"group_mappings"`
}

ServerConfig holds connection data to LDAP

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL