Documentation ¶
Index ¶
- Constants
- Variables
- func IsEnabled() bool
- func IsMemberOf(memberOf []string, group string) bool
- func ReloadConfig() error
- type AttributeMap
- type Config
- type GroupToOrgRole
- type Groups
- type IConnection
- type IServer
- type MockConnection
- func (c *MockConnection) Add(request *ldap.AddRequest) error
- func (c *MockConnection) Bind(username, password string) error
- func (c *MockConnection) Close()
- func (c *MockConnection) Del(request *ldap.DelRequest) error
- func (c *MockConnection) Search(sr *ldap.SearchRequest) (*ldap.SearchResult, error)
- func (c *MockConnection) StartTLS(*tls.Config) error
- func (c *MockConnection) UnauthenticatedBind(username string) error
- type OSSGroups
- type Server
- func (server *Server) AdminBind() error
- func (server *Server) Bind() error
- func (server *Server) Close()
- func (server *Server) Dial() error
- func (server *Server) Login(query *models.LoginUserQuery) (*models.ExternalUserInfo, error)
- func (server *Server) UserBind(username, password string) error
- func (server *Server) Users(logins []string) ([]*models.ExternalUserInfo, error)
- type ServerConfig
Constants ¶
const UsersMaxRequest = 500
UsersMaxRequest is the maximum number of users that can be requested in one Users() call, since many LDAP servers limit how many entries a single request may return.
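The batching the constant implies, shown as an added example that is not code from the Grafana ldap package: logins are split into groups of at most UsersMaxRequest and each group becomes one OR search filter built from the per-user search_filter. The escapeFilter helper is a stand-alone reimplementation written for this example (go-ldap ships ldap.EscapeFilter for the same job; the assumption is that the ASCII escaping rules match), and the usersFilter function and its "(uid=%s)" filter are the example's own names.

```go
package main

import (
	"fmt"
	"strings"
)

// UsersMaxRequest mirrors the package constant: the most logins sent to the
// directory in one Users() search.
const UsersMaxRequest = 500

// escapeFilter applies RFC 4515 escaping to a value placed inside a search
// filter, so a login such as "*" or "a)(uid=admin" cannot widen the query.
// go-ldap ships ldap.EscapeFilter for this; this is a stand-alone version
// written for the example (assumption: same rules for the ASCII specials).
func escapeFilter(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '\\', '*', '(', ')', 0x00:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// batchLogins splits logins into slices of at most UsersMaxRequest so each
// search stays under the server's size limit.
func batchLogins(logins []string) [][]string {
	var batches [][]string
	for len(logins) > UsersMaxRequest {
		batches = append(batches, logins[:UsersMaxRequest])
		logins = logins[UsersMaxRequest:]
	}
	if len(logins) > 0 {
		batches = append(batches, logins)
	}
	return batches
}

// usersFilter ORs the per-user search_filter (e.g. "(uid=%s)") for one batch
// into a single filter such as (|(uid=a)(uid=b)).
func usersFilter(searchFilter string, batch []string) string {
	parts := make([]string, 0, len(batch))
	for _, login := range batch {
		parts = append(parts, fmt.Sprintf(searchFilter, escapeFilter(login)))
	}
	return "(|" + strings.Join(parts, "") + ")"
}

func main() {
	// constructed input: 1001 logins, which must become 3 searches
	logins := make([]string, 1001)
	for i := range logins {
		logins[i] = fmt.Sprintf("user%d", i)
	}
	for i, batch := range batchLogins(logins) {
		fmt.Printf("batch %d: %d logins\n", i, len(batch))
	}
	fmt.Println(usersFilter("(uid=%s)", []string{"alice", "*"})) // (|(uid=alice)(uid=\2a))
}
```

The escaping is the part worth checking in any real implementation: a login of "*" unescaped turns the lookup into a wildcard that returns every account in the base DN, and ")(" sequences let a caller append their own filter clauses.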
Variables ¶
var (
	// ErrInvalidCredentials is returned if the username and password do not match
	ErrInvalidCredentials = errors.New("invalid username or password")
	// ErrCouldNotFindUser is returned when the username has not been found (as opposed to a username/password mismatch)
	ErrCouldNotFindUser = errors.New("can't find user in LDAP")
)
Functions ¶
func IsEnabled ¶
func IsEnabled() bool
func IsMemberOf ¶
func IsMemberOf(memberOf []string, group string) bool
func ReloadConfig ¶
func ReloadConfig() error
ReloadConfig reads the config from the disk and caches it.
Types ¶
type AttributeMap ¶
type AttributeMap struct {
	Username string `toml:"username"`
	Name     string `toml:"name"`
	Surname  string `toml:"surname"`
	Email    string `toml:"email"`
	MemberOf string `toml:"member_of"`
}
AttributeMap is the struct representation of the LDAP "attributes" setting.
type Config ¶
type Config struct {
Servers []*ServerConfig `toml:"servers"`
}
Config holds the list of LDAP server connections.
type GroupToOrgRole ¶
type GroupToOrgRole struct {
	GroupDN string `toml:"group_dn"`
	OrgId   int64  `toml:"org_id"`
	// This pointer records whether the setting was set (for backwards compatibility)
	IsGrafanaAdmin *bool        `toml:"grafana_admin"`
	OrgRole        org.RoleType `toml:"org_role"`
}
GroupToOrgRole is the struct representation of the LDAP config "group_mappings" setting.
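How group_mappings and IsMemberOf combine into per-org roles, as an added example rather than the package's own code. Two details are this example's assumptions: group DNs compare case-insensitively and "*" matches every user, and mappings are evaluated in config order with the first match per org winning. org_role is a plain string here instead of org.RoleType, and mapGroups, OrgRoles and the DNs are invented for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// GroupToOrgRole mirrors the config struct on this page, with org_role as a
// plain string instead of org.RoleType so the example is stand-alone.
type GroupToOrgRole struct {
	GroupDN        string
	OrgId          int64
	IsGrafanaAdmin *bool // nil when grafana_admin was not set in the mapping
	OrgRole        string
}

// IsMemberOf reports whether group is in the user's memberOf list. Assumptions
// of this example: DNs compare case-insensitively, and "*" matches everyone.
func IsMemberOf(memberOf []string, group string) bool {
	if group == "*" {
		return true
	}
	for _, m := range memberOf {
		if strings.EqualFold(m, group) {
			return true
		}
	}
	return false
}

// OrgRoles is the result of evaluating group_mappings for one user.
type OrgRoles struct {
	Roles          map[int64]string // org id -> role
	IsGrafanaAdmin *bool
}

// mapGroups walks the mappings in config order and keeps the first match for
// each org (first-match-wins is this example's policy), so the most privileged
// mapping for an org must be listed before any broader one.
func mapGroups(mappings []*GroupToOrgRole, memberOf []string) OrgRoles {
	out := OrgRoles{Roles: map[int64]string{}}
	for _, g := range mappings {
		if _, seen := out.Roles[g.OrgId]; seen || !IsMemberOf(memberOf, g.GroupDN) {
			continue
		}
		out.Roles[g.OrgId] = g.OrgRole
		if g.IsGrafanaAdmin != nil {
			out.IsGrafanaAdmin = g.IsGrafanaAdmin
		}
	}
	return out
}

func main() {
	yes := true
	admins := &GroupToOrgRole{GroupDN: "cn=admins,ou=groups,dc=example,dc=com", OrgId: 1, OrgRole: "Admin", IsGrafanaAdmin: &yes}
	everyone := &GroupToOrgRole{GroupDN: "*", OrgId: 1, OrgRole: "Viewer"}
	member := []string{"CN=Admins,OU=Groups,DC=example,DC=com"} // constructed memberOf value

	fmt.Println(mapGroups([]*GroupToOrgRole{admins, everyone}, member).Roles) // map[1:Admin]
	// Wildcard first: the admin mapping is never reached and nobody gets Admin.
	fmt.Println(mapGroups([]*GroupToOrgRole{everyone, admins}, member).Roles) // map[1:Viewer]
}
```

The ordering trap in main is the one to test for in a real config review: a "*" catch-all placed above a specific group silently strips the higher role and the grafana_admin flag from everyone in that org.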
type Groups ¶
type Groups interface {
GetTeams(groups []string, orgIDs []int64) ([]models.TeamOrgGroupDTO, error)
}
type IConnection ¶
type IConnection interface {
	Bind(username, password string) error
	UnauthenticatedBind(username string) error
	Add(*ldap.AddRequest) error
	Del(*ldap.DelRequest) error
	Search(*ldap.SearchRequest) (*ldap.SearchResult, error)
	StartTLS(*tls.Config) error
	Close()
}
IConnection is the interface for LDAP connection manipulation.
type IServer ¶
type IServer interface {
	Login(*models.LoginUserQuery) (*models.ExternalUserInfo, error)
	Users([]string) ([]*models.ExternalUserInfo, error)
	Bind() error
	UserBind(string, string) error
	Dial() error
	Close()
}
IServer is the interface for LDAP authorization.
type MockConnection ¶
type MockConnection struct {
	SearchFunc                  searchFunc
	SearchCalled                bool
	SearchAttributes            []string
	AddParams                   *ldap.AddRequest
	AddCalled                   bool
	DelParams                   *ldap.DelRequest
	DelCalled                   bool
	CloseCalled                 bool
	UnauthenticatedBindCalled   bool
	BindCalled                  bool
	BindProvider                func(username, password string) error
	UnauthenticatedBindProvider func() error
}
MockConnection is a mock IConnection for testing.
func (*MockConnection) Add ¶
func (c *MockConnection) Add(request *ldap.AddRequest) error
Add mocks Add connection function
func (*MockConnection) Bind ¶
func (c *MockConnection) Bind(username, password string) error
Bind mocks Bind connection function
func (*MockConnection) Close ¶
func (c *MockConnection) Close()
Close mocks Close connection function
func (*MockConnection) Del ¶
func (c *MockConnection) Del(request *ldap.DelRequest) error
Del mocks Del connection function
func (*MockConnection) Search ¶
func (c *MockConnection) Search(sr *ldap.SearchRequest) (*ldap.SearchResult, error)
Search mocks Search connection function
func (*MockConnection) StartTLS ¶
func (c *MockConnection) StartTLS(*tls.Config) error
StartTLS mocks StartTLS connection function
func (*MockConnection) UnauthenticatedBind ¶
func (c *MockConnection) UnauthenticatedBind(username string) error
UnauthenticatedBind mocks UnauthenticatedBind connection function
type OSSGroups ¶
type OSSGroups struct{}
func ProvideGroupsService ¶
func ProvideGroupsService() *OSSGroups
type Server ¶
type Server struct {
	Config     *ServerConfig
	Connection IConnection
	// contains filtered or unexported fields
}
Server is the basic struct of LDAP authorization.
func (*Server) AdminBind ¶
func (server *Server) AdminBind() error
AdminBind binds the "admin" user (the bind_dn and bind_password from the config) with LDAP.
Dial() sets the connection with the server for this Struct. Therefore, we require a call to Dial() before being able to execute this function.
func (*Server) Bind ¶
func (server *Server) Bind() error
Bind authenticates the connection with the LDAP server, either with the username and password set up in the config or anonymously.
Dial() sets the connection with the server for this Struct. Therefore, we require a call to Dial() before being able to execute this function.
func (*Server) Close ¶
func (server *Server) Close()
Close closes the LDAP connection.
Dial() sets the connection with the server for this Struct. Therefore, we require a call to Dial() before being able to execute this function.
func (*Server) Dial ¶
func (server *Server) Dial() error
Dial sets the connection with the server for this Struct; the other Server methods require it to have been called first.
func (*Server) Login ¶
func (server *Server) Login(query *models.LoginUserQuery) (*models.ExternalUserInfo, error)
Login logs the user in. There are several cases:
1. "admin" user: bind the "admin" user (defined in the Grafana config file), which has search privileges on the LDAP server, search for the targeted user through that bind, then perform a second bind with the passed login/password.
2. Single bind: if all the users meant to use Grafana are able to search the LDAP server themselves, bind to the LDAP server with the targeted login/password and then search for that user to retrieve all the information about them.
3. Unauthenticated bind: some LDAP configurations allow searching for a user without binding with a login/password; in that case perform an "unauthenticated bind", search for the targeted user, then bind with the passed login/password.
Dial() sets the connection with the server for this Struct. Therefore, we require a call to Dial() before being able to execute this function.
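The three login cases above, written out as an added example against a small in-memory fake directory; this is not the package's Login implementation. The rule that picks the case is an assumption of the example (bind_password set means admin bind, otherwise a "%s" placeholder in bind_dn means single bind, otherwise unauthenticated bind), as are the bindConn and bindConfig types, the fake directory contents, and the two guards: rejecting an empty password before any bind, and refusing RFC 4514 special characters in the login when it is interpolated into a DN.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrInvalidCredentials = errors.New("invalid username or password")
var ErrCouldNotFindUser = errors.New("can't find user in LDAP")

// bindConn is the subset of IConnection the flow needs; Search takes the login
// directly, so building and escaping the search filter is out of scope here.
type bindConn interface {
	Bind(dn, password string) error
	UnauthenticatedBind(dn string) error
	Search(login string) (dn string, found bool, err error)
}

// bindConfig is the part of ServerConfig that selects the strategy (assumed rule:
// bind_password set => admin bind; else "%s" in bind_dn => single bind; else unauthenticated).
type bindConfig struct {
	BindDN       string
	BindPassword string
}

func (c bindConfig) adminBind() bool  { return c.BindPassword != "" }
func (c bindConfig) singleBind() bool { return !c.adminBind() && strings.Contains(c.BindDN, "%s") }

// login runs the three cases from the Login doc comment and returns the user's DN.
func login(conn bindConn, cfg bindConfig, username, password string) (string, error) {
	// Never send an empty password: RFC 4513 treats a simple bind with a name and
	// an empty password as an unauthenticated bind, which many servers accept.
	if username == "" || password == "" {
		return "", ErrInvalidCredentials
	}
	switch {
	case cfg.adminBind():
		// 1. bind as the service account, search, then rebind as the user
		if err := conn.Bind(cfg.BindDN, cfg.BindPassword); err != nil {
			return "", fmt.Errorf("admin bind: %w", err)
		}
	case cfg.singleBind():
		// 2. bind directly as the user, then search. The login lands inside a DN,
		// so refuse RFC 4514 specials (example's own guard) rather than let
		// "alice,ou=admins" rewrite it.
		if strings.ContainsAny(username, ",+\"\\<>;=") {
			return "", ErrInvalidCredentials
		}
		if err := conn.Bind(fmt.Sprintf(cfg.BindDN, username), password); err != nil {
			return "", ErrInvalidCredentials
		}
	default:
		// 3. unauthenticated bind, search, then bind as the user
		if err := conn.UnauthenticatedBind(cfg.BindDN); err != nil {
			return "", fmt.Errorf("unauthenticated bind: %w", err)
		}
	}
	dn, found, err := conn.Search(username)
	if err != nil {
		return "", err
	}
	if !found {
		return "", ErrCouldNotFindUser
	}
	if !cfg.singleBind() { // cases 1 and 3: the user's own bind comes last
		if err := conn.Bind(dn, password); err != nil {
			return "", ErrInvalidCredentials
		}
	}
	return dn, nil
}

// fakeConn stands in for a directory (constructed data: one service account, one user).
type fakeConn struct {
	passwords map[string]string // dn -> password
	users     map[string]string // login -> dn
}

func (f *fakeConn) Bind(dn, password string) error {
	if pw, ok := f.passwords[dn]; ok && pw == password {
		return nil
	}
	return errors.New("LDAP Result Code 49 \"Invalid Credentials\"")
}
func (f *fakeConn) UnauthenticatedBind(string) error { return nil }
func (f *fakeConn) Search(login string) (string, bool, error) {
	dn, ok := f.users[login]
	return dn, ok, nil
}

func newFake() *fakeConn {
	return &fakeConn{
		passwords: map[string]string{"cn=grafana,ou=svc,dc=example,dc=com": "svc-secret", "uid=alice,ou=people,dc=example,dc=com": "hunter2"},
		users:     map[string]string{"alice": "uid=alice,ou=people,dc=example,dc=com"},
	}
}

func main() {
	cfg := bindConfig{BindDN: "cn=grafana,ou=svc,dc=example,dc=com", BindPassword: "svc-secret"}
	fmt.Println(login(newFake(), cfg, "alice", "hunter2")) // uid=alice,ou=people,dc=example,dc=com <nil>
}
```

Two behaviours are worth preserving whatever the real implementation looks like: a failed service-account bind surfaces as an operational error, not as ErrInvalidCredentials, so a rotated bind_password is not mistaken for user typos; and the empty-password check runs before the connection is touched, because the "succeeds for anyone" failure mode of an unauthenticated bind is the server's documented behaviour, not a bug a client can rely on being absent.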
func (*Server) UserBind ¶
func (server *Server) UserBind(username, password string) error
UserBind binds the connection with the given username and password.
func (*Server) Users ¶
func (server *Server) Users(logins []string) ([]*models.ExternalUserInfo, error)
Users looks up the users with the given logins (see UsersMaxRequest).
type ServerConfig ¶
type ServerConfig struct {
	Host          string `toml:"host"`
	Port          int    `toml:"port"`
	UseSSL        bool   `toml:"use_ssl"`
	StartTLS      bool   `toml:"start_tls"`
	SkipVerifySSL bool   `toml:"ssl_skip_verify"`
	RootCACert    string `toml:"root_ca_cert"`
	ClientCert    string `toml:"client_cert"`
	ClientKey     string `toml:"client_key"`
	BindDN        string `toml:"bind_dn"`
	BindPassword  string `toml:"bind_password"`
	Timeout       int    `toml:"timeout"`
	Attr          AttributeMap `toml:"attributes"`
	SearchFilter  string       `toml:"search_filter"`
	SearchBaseDNs []string     `toml:"search_base_dns"`
	GroupSearchFilter              string   `toml:"group_search_filter"`
	GroupSearchFilterUserAttribute string   `toml:"group_search_filter_user_attribute"`
	GroupSearchBaseDNs             []string `toml:"group_search_base_dns"`
	Groups []*GroupToOrgRole `toml:"group_mappings"`
}
ServerConfig holds the connection settings for one LDAP server.
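What the TLS fields of ServerConfig translate to on the wire, as an added example that is not the package's own dial code. buildTLSConfig and tlsSettings are names invented here; refusing a config with neither use_ssl nor start_tls and setting a TLS 1.2 floor are the example's own hardening choices, not documented package behaviour. writeTestCA generates a throwaway self-signed CA so the example runs offline; the CA subject and host name are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// tlsSettings is the TLS-relevant subset of ServerConfig (same TOML meaning).
type tlsSettings struct {
	Host, RootCACert, ClientCert, ClientKey string
	UseSSL, StartTLS, SkipVerifySSL         bool
}

// buildTLSConfig turns the settings into a *tls.Config. ServerName is pinned to
// the configured host so the certificate is checked against that name, and
// verification is switched off only when ssl_skip_verify is explicitly true.
func buildTLSConfig(s tlsSettings) (*tls.Config, error) {
	if !s.UseSSL && !s.StartTLS {
		// A simple bind sends the password in the clear (example's own guard).
		return nil, errors.New("neither use_ssl nor start_tls is set")
	}
	cfg := &tls.Config{
		ServerName: s.Host,
		MinVersion: tls.VersionTLS12,
		// ssl_skip_verify = true disables chain and hostname checks, so anyone on
		// the path can present any certificate and capture bind_password and
		// every user's password. Prefer root_ca_cert for private CAs.
		InsecureSkipVerify: s.SkipVerifySSL,
	}
	if s.RootCACert != "" {
		pemBytes, err := os.ReadFile(s.RootCACert)
		if err != nil {
			return nil, fmt.Errorf("root_ca_cert: %w", err)
		}
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(pemBytes) {
			return nil, errors.New("root_ca_cert: no certificates found in PEM")
		}
		cfg.RootCAs = pool // the private CA replaces the system roots for this dial
	}
	if s.ClientCert != "" || s.ClientKey != "" {
		cert, err := tls.LoadX509KeyPair(s.ClientCert, s.ClientKey)
		if err != nil {
			return nil, fmt.Errorf("client_cert/client_key: %w", err)
		}
		cfg.Certificates = []tls.Certificate{cert}
	}
	return cfg, nil
}

// writeTestCA generates a throwaway self-signed CA and writes it to a temp
// file so the example runs without a real PKI (constructed test data).
func writeTestCA() (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	f, err := os.CreateTemp("", "ldap-ca-*.pem")
	if err != nil {
		return "", err
	}
	f.Close()
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return f.Name(), os.WriteFile(f.Name(), pemBytes, 0o600)
}

func main() {
	caPath, err := writeTestCA()
	if err != nil {
		panic(err)
	}
	defer os.Remove(caPath)
	cfg, err := buildTLSConfig(tlsSettings{Host: "ldap.example.com", UseSSL: true, RootCACert: caPath})
	if err != nil {
		panic(err)
	}
	fmt.Println(cfg.ServerName, cfg.InsecureSkipVerify, cfg.RootCAs != nil) // ldap.example.com false true
}
```

The point of the RootCACert branch is that it is the correct answer to the situation that usually leads people to set ssl_skip_verify = true: a directory signed by an internal CA. Loading that CA keeps chain and hostname verification on; a failed load is returned as an error rather than silently falling back to the system roots, so a typo in the path shows up at startup instead of as a verification failure later.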