- func ConfigFields() map[string]*framework.FieldSchema
- func EscapeLDAPValue(input string) string
- type Client
- func (c *Client) DialLDAP(cfg *ConfigEntry) (Connection, error)
- func (c *Client) GetLdapGroups(cfg *ConfigEntry, conn Connection, userDN string, username string) ([]string, error)
- func (c *Client) GetUserAliasAttributeValue(cfg *ConfigEntry, conn Connection, username string) (string, error)
- func (c *Client) GetUserBindDN(cfg *ConfigEntry, conn Connection, username string) (string, error)
- func (c *Client) GetUserDN(cfg *ConfigEntry, conn Connection, bindDN, username string) (string, error)
- func (c *Client) RenderUserSearchFilter(cfg *ConfigEntry, username string) (string, error)
- type ConfigEntry
- type Connection
- type LDAP
Functions ¶
func ConfigFields ¶
func ConfigFields() map[string]*framework.FieldSchema
ConfigFields returns all the config fields that can potentially be used by the LDAP client. Not all fields will be used by every integration.
func EscapeLDAPValue ¶
EscapeLDAPValue is exported because a plugin uses it outside this package.
Types ¶
type Client ¶
func (*Client) DialLDAP ¶
func (c *Client) DialLDAP(cfg *ConfigEntry) (Connection, error)
func (*Client) GetLdapGroups ¶
func (c *Client) GetLdapGroups(cfg *ConfigEntry, conn Connection, userDN string, username string) ([]string, error)
GetLdapGroups queries LDAP and returns a slice describing the set of groups the authenticated user is a member of.

If cfg.UseTokenGroups is true, the search is performed directly on the userDN. The values of the returned attributes are converted to string SIDs, which are then looked up to obtain ldap.Entry objects. Otherwise, the search query is constructed according to cfg.GroupFilter and run in the context of cfg.GroupDN. Groups are resolved from the query results by following the attribute defined in cfg.GroupAttr.

cfg.GroupFilter is a Go template and is compiled with the following context: [UserDN, Username]
UserDN - the DN of the authenticated user
Username - the username of the authenticated user

Example:
cfg.GroupFilter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))"
cfg.GroupDN = "OU=Groups,DC=myorg,DC=com"
cfg.GroupAttr = "cn"

NOTE - If cfg.GroupFilter is empty, no query is performed and an empty result slice is returned.
func (*Client) GetUserAliasAttributeValue ¶ added in v0.3.0
func (c *Client) GetUserAliasAttributeValue(cfg *ConfigEntry, conn Connection, username string) (string, error)
Returns the value to be used for the entity alias of this user. This is handled in one of several ways:

1. If DiscoverDN is set, the user will be searched for using userdn (the base search path) and userattr (the attribute that maps to the provided username) or the user search filter. The bind will either be anonymous or use binddn and bindpassword if they were provided.
2. If upndomain is set, the alias attribute is constructed as 'username@upndomain'.
func (*Client) GetUserBindDN ¶
func (c *Client) GetUserBindDN(cfg *ConfigEntry, conn Connection, username string) (string, error)
Discover and return the bind string for the user attempting to authenticate, as well as the value to use for the identity alias. This is handled in one of several ways:

1. If DiscoverDN is set, the user object will be searched for using userdn (the base search path) and userattr (the attribute that maps to the provided username) or the user search filter. The bind will either be anonymous or use binddn and bindpassword if they were provided.
2. If upndomain is set, the user DN and alias attribute are constructed as 'username@upndomain'. See https://msdn.microsoft.com/en-us/library/cc223499.aspx
func (*Client) GetUserDN ¶
func (c *Client) GetUserDN(cfg *ConfigEntry, conn Connection, bindDN, username string) (string, error)
Returns the DN of the object representing the authenticated user.
func (*Client) RenderUserSearchFilter ¶ added in v0.3.0
func (c *Client) RenderUserSearchFilter(cfg *ConfigEntry, username string) (string, error)
type ConfigEntry ¶
// ConfigEntry is the stored LDAP client configuration. Each json tag is the
// key under which that field is persisted and read back; NewConfigEntry and
// Validate (elsewhere in this package) build and check a ConfigEntry.
type ConfigEntry struct {
	// Url is the LDAP server address; presumably parsed by DialLDAP — confirm there.
	Url string `json:"url"`
	// UserDN is the base search path used when the user object is searched for
	// (see GetUserBindDN / GetUserAliasAttributeValue).
	UserDN string `json:"userdn"`
	// AnonymousGroupSearch presumably runs the group search without a bind —
	// confirm in GetLdapGroups.
	AnonymousGroupSearch bool `json:"anonymous_group_search"`
	// GroupDN is the base DN the group search is run under when UseTokenGroups
	// is false (see GetLdapGroups).
	GroupDN string `json:"groupdn"`
	// GroupFilter is a Go template rendered with {UserDN, Username} to produce
	// the group search filter; when empty no group query is performed.
	GroupFilter string `json:"groupfilter"`
	// GroupAttr is the attribute followed on each group search result to
	// resolve the group name.
	GroupAttr string `json:"groupattr"`
	// UPNDomain, when set, makes the user DN and alias "username@upndomain".
	UPNDomain string `json:"upndomain"`
	// UserFilter is the user search filter; presumably the template that
	// RenderUserSearchFilter renders — confirm.
	UserFilter string `json:"userfilter"`
	// UserAttr is the attribute that maps to the supplied username.
	UserAttr string `json:"userattr"`
	// Certificate presumably holds the certificate used to verify the server
	// over TLS — confirm in DialLDAP.
	Certificate string `json:"certificate"`
	// InsecureTLS presumably disables server certificate verification, which
	// removes server authentication entirely — confirm in DialLDAP.
	InsecureTLS bool `json:"insecure_tls"`
	// StartTLS presumably upgrades a plain connection via Connection.StartTLS
	// after dialing — confirm in DialLDAP.
	StartTLS bool `json:"starttls"`
	// BindDN and BindPassword, when provided, are the credentials for the
	// search bind; otherwise the bind is anonymous (see GetUserBindDN).
	BindDN string `json:"binddn"`
	// BindPassword is a secret; PasswordlessMap presumably omits it — verify
	// that nothing logs or returns the output of Map() to callers.
	BindPassword string `json:"bindpass"`
	// DenyNullBind presumably rejects a bind with an empty password (which
	// some directories treat as an anonymous bind) — confirm in the bind path.
	DenyNullBind bool `json:"deny_null_bind"`
	// DiscoverDN, when true, causes the user object to be searched for under
	// UserDN using UserAttr or UserFilter (see GetUserBindDN).
	DiscoverDN bool `json:"discoverdn"`
	// TLSMinVersion and TLSMaxVersion are TLS version names; the accepted
	// values and their parsing are not shown here — confirm in Validate.
	TLSMinVersion string `json:"tls_min_version"`
	TLSMaxVersion string `json:"tls_max_version"`
	// UseTokenGroups switches GetLdapGroups to searching the user entry
	// directly and resolving SIDs instead of running GroupFilter.
	UseTokenGroups bool `json:"use_token_groups"`
	// UsePre111GroupCNBehavior is a *bool so that "unset" can presumably be
	// told apart from false; the behaviour it selects is not shown here.
	UsePre111GroupCNBehavior *bool `json:"use_pre111_group_cn_behavior"`
	// RequestTimeout is the per-request timeout; its unit is not shown here
	// (Connection.SetTimeout takes a time.Duration) — confirm before use.
	RequestTimeout int `json:"request_timeout"`
	// These json tags deviate from snake case because there was a past issue
	// where the tag was being ignored, causing it to be jsonified as "CaseSensitiveNames", etc.
	// To continue reading in users' previously stored values,
	// we chose to carry that forward.
	CaseSensitiveNames *bool `json:"CaseSensitiveNames,omitempty"`
	// ClientTLSCert and ClientTLSKey presumably form the client certificate
	// presented for mutual TLS — confirm in DialLDAP. ClientTLSKey is a secret.
	ClientTLSCert string `json:"ClientTLSCert"`
	ClientTLSKey  string `json:"ClientTLSKey"`
}
func NewConfigEntry ¶
func NewConfigEntry(existing *ConfigEntry, d *framework.FieldData) (*ConfigEntry, error)
Creates and initializes a ConfigEntry object with its default values, as specified by the passed schema.
func (*ConfigEntry) Map ¶
func (c *ConfigEntry) Map() map[string]interface{}
func (*ConfigEntry) PasswordlessMap ¶
func (c *ConfigEntry) PasswordlessMap() map[string]interface{}
func (*ConfigEntry) Validate ¶
func (c *ConfigEntry) Validate() error
type Connection ¶
// Connection provides the functionality of an LDAP connection, but through
// an interface. Values are obtained from LDAP.Dial / LDAP.DialTLS.
type Connection interface {
	// Bind authenticates the connection as username with password.
	Bind(username, password string) error
	// Close tears the connection down.
	Close()
	// Add, Modify and Del forward the corresponding ldap request.
	Add(addRequest *ldap.AddRequest) error
	Modify(modifyRequest *ldap.ModifyRequest) error
	Del(delRequest *ldap.DelRequest) error
	// Search runs searchRequest and returns its result.
	Search(searchRequest *ldap.SearchRequest) (*ldap.SearchResult, error)
	// StartTLS upgrades the connection to TLS using config.
	StartTLS(config *tls.Config) error
	// SetTimeout sets the per-request timeout.
	SetTimeout(timeout time.Duration)
	// UnauthenticatedBind binds as username with no password. Some
	// directories treat such a bind as anonymous, so a nil error here is not
	// proof of the user's credentials — presumably DenyNullBind governs
	// whether it is ever issued; confirm in the bind path.
	UnauthenticatedBind(username string) error
}
type LDAP ¶
// LDAP provides ldap functionality, but through an interface rather than
// statically. This allows faking it for tests.
type LDAP interface {
	// Dial opens a connection to addr over network without a TLS config.
	Dial(network, addr string) (Connection, error)
	// DialTLS opens a connection to addr over network using config for TLS.
	DialTLS(network, addr string, config *tls.Config) (Connection, error)
}