Documentation

Index
- Constants
- Variables
- func ADSIDStringFromLDAPEntry(entry *ldap.Entry) (string, error)
- func CertKeyPEM(ctx context.Context, req *GenerateCredentialsRequest) (certPEM, keyPEM []byte, caCerts [][]byte, err error)
- func CombineLDAPFilters(filters []string) string
- func GenerateWindowsDesktopCredentials(ctx context.Context, req *GenerateCredentialsRequest) (certDER, keyDER []byte, err error)
- func SubjectAltNameExtension(user, domain string) (pkix.Extension, error)
- type AuthInterface
- type CertificateStoreClient
- type CertificateStoreConfig
- type GenerateCredentialsRequest
- type LDAPClient
- func (c *LDAPClient) Close()
- func (c *LDAPClient) Create(dn string, class string, attrs map[string][]string) error
- func (c *LDAPClient) CreateContainer(dn string) error
- func (c *LDAPClient) Read(dn string, class string, attrs []string) ([]*ldap.Entry, error)
- func (c *LDAPClient) ReadWithFilter(dn string, filter string, attrs []string) ([]*ldap.Entry, error)
- func (c *LDAPClient) SetClient(client ldap.Client)
- func (c *LDAPClient) Update(dn string, replaceAttrs map[string][]string) error
- type LDAPConfig
- type SubjectAltName
Constants

const (
	// WritableDomainControllerGroupID is the windows security identifier for dcs with write permissions
	WritableDomainControllerGroupID = "516"
	// ReadOnlyDomainControllerGroupID is the windows security identifier for read only dcs
	ReadOnlyDomainControllerGroupID = "521"
)

const (
	// ClassComputer is the object class for computers in Active Directory
	ClassComputer = "computer"
	// ClassContainer is the object class for containers in Active Directory
	ClassContainer = "container"
	// ClassGMSA is the object class for group managed service accounts in Active Directory.
	ClassGMSA = "msDS-GroupManagedServiceAccount"

	// AccountTypeUser is the SAM account type for user accounts.
	// See https://learn.microsoft.com/en-us/windows/win32/adschema/a-samaccounttype
	// (SAM_USER_OBJECT)
	AccountTypeUser = "805306368"

	// AttrName is the name of an LDAP object
	AttrName = "name"
	// AttrSAMAccountName is the SAM Account name of an LDAP object
	AttrSAMAccountName = "sAMAccountName"
	// AttrSAMAccountType is the SAM Account type for an LDAP object
	AttrSAMAccountType = "sAMAccountType"
	// AttrCommonName is the common name of an LDAP object, or "CN"
	AttrCommonName = "cn"
	// AttrDistinguishedName is the distinguished name of an LDAP object, or "DN"
	AttrDistinguishedName = "distinguishedName"
	// AttrDNSHostName is the DNS Host name of an LDAP object
	AttrDNSHostName = "dNSHostName" // unusual capitalization is correct
	// AttrObjectGUID is the globally unique identifier for an LDAP object
	AttrObjectGUID = "objectGUID"
	// AttrOS is the operating system of a computer object
	AttrOS = "operatingSystem"
	// AttrOSVersion is the operating system version of a computer object
	AttrOSVersion = "operatingSystemVersion"
	// AttrPrimaryGroupID is the primary group id of an LDAP object
	AttrPrimaryGroupID = "primaryGroupID"
	// AttrObjectSid is the Security Identifier of an LDAP object
	AttrObjectSid = "objectSid"
	// AttrObjectCategory is the object category of an LDAP object
	AttrObjectCategory = "objectCategory"
	// AttrObjectClass is the object class of an LDAP object
	AttrObjectClass = "objectClass"
)

const (
	// CertTTL is the TTL for Teleport-issued Windows Certificates.
	// Certificates are requested on each connection attempt, so the TTL is
	// deliberately set to a small value to give enough time to establish a
	// single desktop session.
	CertTTL = 5 * time.Minute
)
Variables

var (
	// EnhancedKeyUsageExtensionOID is the object identifier for a
	// certificate's enhanced key usage extension
	EnhancedKeyUsageExtensionOID = asn1.ObjectIdentifier{2, 5, 29, 37}

	// SubjectAltNameExtensionOID is the object identifier for a
	// certificate's subject alternative name extension
	SubjectAltNameExtensionOID = asn1.ObjectIdentifier{2, 5, 29, 17}

	// ClientAuthenticationOID is the object identifier that is used to
	// include client SSL authentication in a certificate's enhanced
	// key usage
	ClientAuthenticationOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}

	// SmartcardLogonOID is the object identifier that is used to include
	// smartcard login in a certificate's enhanced key usage
	SmartcardLogonOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2}

	// UPNOtherNameOID is the object identifier that is used to include
	// the user principal name in a certificate's subject alternative name
	UPNOtherNameOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}

	// ADUserMappingExtensionOID is the Active Directory SID extension for mapping certificates
	// to their user's Active Directory SID. This value goes in the Id field of the pkix.Extension.
	// See https://go.microsoft.com/fwlink/?linkid=2189925.
	ADUserMappingExtensionOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 25, 2}

	// ADUserMappingInternalOID is the OID that's sent as part of the Other Name section
	// of the Active Directory SID extension. There's limited documentation on this extension,
	// this value was determined empirically based on how AD CA's Enterprise CA issues these
	// certificates post the May 10, 2022 Windows update.
	ADUserMappingInternalOID = append(ADUserMappingExtensionOID, 1)
)

The following vars contain the various object identifiers required for smartcard login certificates.

var EnhancedKeyUsageExtension = pkix.Extension{
	Id: EnhancedKeyUsageExtensionOID,
	Value: func() []byte {
		val, err := asn1.Marshal([]asn1.ObjectIdentifier{
			ClientAuthenticationOID,
			SmartcardLogonOID,
		})
		if err != nil {
			panic(err)
		}
		return val
	}(),
}

EnhancedKeyUsageExtension is the set of extended key usage fields required for Microsoft smartcard logon certificates.
Functions

func ADSIDStringFromLDAPEntry

func ADSIDStringFromLDAPEntry(entry *ldap.Entry) (string, error)

ADSIDStringFromLDAPEntry extracts the objectSid attribute from an ldap.Entry and returns its string representation.
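The objectSid attribute is a binary blob, so the conversion ADSIDStringFromLDAPEntry performs is a decoding step, not a string copy. The following is an added example, not Teleport's code, that decodes the binary SID layout (revision, sub-authority count, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities) into the familiar S-1-5-21-... form and rejects truncated or over-long input. The sample SIDs are constructed for the example; encodeSID exists only to build them.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
)

// sidToString decodes the binary form of a Windows SID, as stored in the objectSid
// attribute, into its "S-1-5-21-..." string form (MS-DTYP 2.4.2.2): revision (1 byte),
// sub-authority count (1 byte), 48-bit big-endian identifier authority, then
// count little-endian 32-bit sub-authorities.
func sidToString(b []byte) (string, error) {
	if len(b) < 8 {
		return "", errors.New("sid: too short for header")
	}
	rev, count := b[0], int(b[1])
	if rev != 1 {
		return "", fmt.Errorf("sid: unsupported revision %d", rev)
	}
	if count > 15 {
		return "", fmt.Errorf("sid: %d sub-authorities exceeds the maximum of 15", count)
	}
	// Refuse both truncated and over-long values rather than silently decoding a prefix.
	if want := 8 + 4*count; len(b) != want {
		return "", fmt.Errorf("sid: expected %d bytes for %d sub-authorities, got %d", want, count, len(b))
	}
	var authority uint64
	for _, c := range b[2:8] {
		authority = authority<<8 | uint64(c)
	}
	s := "S-1-"
	if authority < 1<<32 {
		s += strconv.FormatUint(authority, 10)
	} else {
		// MS-DTYP renders authorities that do not fit in 32 bits as 0x-prefixed hex.
		s += fmt.Sprintf("0x%012X", authority)
	}
	for i := 0; i < count; i++ {
		s += "-" + strconv.FormatUint(uint64(binary.LittleEndian.Uint32(b[8+4*i:])), 10)
	}
	return s, nil
}

// encodeSID is the inverse of sidToString; it is used here only to build constructed samples.
func encodeSID(authority uint64, subs ...uint32) []byte {
	b := make([]byte, 8+4*len(subs))
	b[0] = 1
	b[1] = byte(len(subs))
	for i := 5; i >= 0; i-- {
		b[2+i] = byte(authority)
		authority >>= 8
	}
	for i, s := range subs {
		binary.LittleEndian.PutUint32(b[8+4*i:], s)
	}
	return b
}

// rid returns the relative identifier (last sub-authority) of a binary SID, the value
// that attributes such as primaryGroupID carry for well-known groups (516, 521, ...).
func rid(b []byte) (uint32, error) {
	if _, err := sidToString(b); err != nil {
		return 0, err
	}
	count := int(b[1])
	if count == 0 {
		return 0, errors.New("sid: no sub-authorities")
	}
	return binary.LittleEndian.Uint32(b[8+4*(count-1):]), nil
}

func main() {
	// Constructed sample: the well-known BUILTIN\Administrators SID, hand-encoded.
	builtinAdmins := []byte{1, 2, 0, 0, 0, 0, 0, 5, 0x20, 0, 0, 0, 0x20, 0x02, 0, 0}
	s, err := sidToString(builtinAdmins)
	fmt.Println(s, err) // S-1-5-32-544 <nil>

	// Constructed sample domain SID with the Domain Admins RID (512) appended.
	domainAdmins := encodeSID(5, 21, 1004336348, 1177238915, 682003330, 512)
	s, _ = sidToString(domainAdmins)
	r, _ := rid(domainAdmins)
	fmt.Println(s, r)
}
```

With go-ldap the raw bytes come from entry.GetRawAttributeValue(AttrObjectSid); feeding that through sidToString is the whole of the conversion. The strict length check matters because a directory value that is shorter or longer than its declared sub-authority count is malformed and should be reported, not partially decoded.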
func CertKeyPEM

func CertKeyPEM(ctx context.Context, req *GenerateCredentialsRequest) (certPEM, keyPEM []byte, caCerts [][]byte, err error)

CertKeyPEM returns certificate and private key bytes encoded in PEM format for use with `kinit`.
func CombineLDAPFilters

func CombineLDAPFilters(filters []string) string

CombineLDAPFilters joins the slice of filters into a single LDAP filter.
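An added example, not Teleport's code, showing how filters built from the page's attribute and class constants are combined, and why any value taken from input (a username, a hostname) has to be escaped per RFC 4515 before it is placed in a filter. The AND semantics of combineLDAPFilters is an assumption about the page's CombineLDAPFilters, whose body the page does not show; the hostile input is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue escapes the characters RFC 4515 reserves inside an assertion
// value, so input cannot change the structure of the filter (the LDAP analogue of
// parameterising a SQL query).
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '*', '(', ')', '\\', 0x00:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// equalityFilter builds "(attr=value)" with the value escaped. The attribute name
// must come from code (the page's Attr* constants), never from input; it is not escaped.
func equalityFilter(attr, value string) string {
	return "(" + attr + "=" + escapeFilterValue(value) + ")"
}

// combineLDAPFilters ANDs the given filters: (&(f1)(f2)...). Assumed semantics for
// the page's CombineLDAPFilters, not its source.
func combineLDAPFilters(filters []string) string {
	return "(&" + strings.Join(filters, "") + ")"
}

// writableDCFilter matches computer objects whose primary group is the writable
// domain controllers group (RID 516, WritableDomainControllerGroupID on the page).
func writableDCFilter() string {
	return combineLDAPFilters([]string{
		equalityFilter("objectClass", "computer"),
		equalityFilter("primaryGroupID", "516"),
	})
}

// userLookupFilter finds one user account by sAMAccountName; 805306368 is
// SAM_USER_OBJECT (AccountTypeUser on the page).
func userLookupFilter(samAccountName string) string {
	return combineLDAPFilters([]string{
		equalityFilter("sAMAccountType", "805306368"),
		equalityFilter("sAMAccountName", samAccountName),
	})
}

func main() {
	fmt.Println(writableDCFilter())
	fmt.Println(userLookupFilter("alice"))
	// Constructed hostile input: unescaped, it would widen the lookup to every user object.
	fmt.Println(userLookupFilter("*)(sAMAccountName=*"))
}
```

go-ldap ships the same escaping as ldap.EscapeFilter; the point of writing it out is to see that the reserved characters become \2a, \28, \29, \5c and \00 rather than remaining filter syntax, which is the check to apply to any filter assembled from request data.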
func GenerateWindowsDesktopCredentials
func GenerateWindowsDesktopCredentials(ctx context.Context, req *GenerateCredentialsRequest) (certDER, keyDER []byte, err error)
GenerateWindowsDesktopCredentials generates a private key / certificate pair for the given Windows username. The certificate has certain special fields different from the regular Teleport user certificate, to meet the requirements of Active Directory. See: https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration
Types

type AuthInterface

type AuthInterface interface {
	// GenerateDatabaseCert generates a database certificate for windows SQL Server
	GenerateDatabaseCert(context.Context, *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error)
	// GenerateWindowsDesktopCert generates a windows remote desktop certificate
	GenerateWindowsDesktopCert(context.Context, *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error)
	// GetCertAuthority returns a types.CertAuthority interface
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool) (types.CertAuthority, error)
	// GetClusterName returns a types.ClusterName interface
	GetClusterName(opts ...services.MarshalOption) (types.ClusterName, error)
}
AuthInterface is a subset of auth.ClientI
type CertificateStoreClient
type CertificateStoreClient struct {
// contains filtered or unexported fields
}
CertificateStoreClient implements access to a Windows Certificate Authority
func NewCertificateStoreClient
func NewCertificateStoreClient(cfg CertificateStoreConfig) *CertificateStoreClient
NewCertificateStoreClient returns a new structure for modifying windows certificates in a Windows CA.
type CertificateStoreConfig

type CertificateStoreConfig struct {
	// AccessPoint is the Auth API client (with caching).
	AccessPoint auth.WindowsDesktopAccessPoint
	// LDAPConfig is the ldap configuration
	LDAPConfig
	// Log is the logging sink for the service
	Log logrus.FieldLogger
	// ClusterName is the name of this cluster
	ClusterName string
	// LC is the LDAPClient
	LC *LDAPClient
}
CertificateStoreConfig is a config structure for a Windows Certificate Authority
type GenerateCredentialsRequest

type GenerateCredentialsRequest struct {
	// Username is the Windows username
	Username string
	// Domain is the Windows domain
	Domain string
	// TTL is the ttl for the certificate
	TTL time.Duration
	// ClusterName is the local cluster name
	ClusterName string
	// ActiveDirectorySID is the SID of the Windows user
	// specified by Username. If specified (!= ""), it is
	// encoded in the certificate per https://go.microsoft.com/fwlink/?linkid=2189925.
	ActiveDirectorySID string
	// LDAPConfig is the ldap config
	LDAPConfig LDAPConfig
	// AuthClient is the windows AuthInterface
	AuthClient AuthInterface
	// CAType is the certificate authority type used to generate the certificate.
	// This is used to properly generate the CRL LDAP path.
	CAType types.CertAuthType
	// CreateUser specifies if Windows user should be created if missing
	CreateUser bool
	// Groups are groups that user should be member of
	Groups []string
}

GenerateCredentialsRequest holds the request parameters for generating a Windows cert/key pair.
type LDAPClient

type LDAPClient struct {
	// Cfg is the LDAPConfig
	Cfg LDAPConfig
	// contains filtered or unexported fields
}
LDAPClient is a windows LDAP client.
It does not automatically detect when the underlying connection is closed. Callers should check for trace.ConnectionProblem errors and provide a new client with [SetClient].
func (*LDAPClient) Create

func (c *LDAPClient) Create(dn string, class string, attrs map[string][]string) error

Create creates an LDAP entry at the given path, with the given class and attributes. Note that AD will create a bunch of attributes for each object class automatically and you don't need to specify all of them.
You can browse LDAP on the Windows host to find the objectClass and attributes for similar entries using ADSIEdit.msc. You can find the list of all AD classes at https://docs.microsoft.com/en-us/windows/win32/adschema/classes-all
func (*LDAPClient) CreateContainer
func (c *LDAPClient) CreateContainer(dn string) error
CreateContainer creates an LDAP container entry if it doesn't already exist.
func (*LDAPClient) Read
func (c *LDAPClient) Read(dn string, class string, attrs []string) ([]*ldap.Entry, error)
Read fetches an LDAP entry at path and its children, if any. Only entries with the given class are returned and only with the specified attributes.
You can browse LDAP on the Windows host to find the objectClass for a specific entry using ADSIEdit.msc. You can find the list of all AD classes at https://docs.microsoft.com/en-us/windows/win32/adschema/classes-all
func (*LDAPClient) ReadWithFilter
func (c *LDAPClient) ReadWithFilter(dn string, filter string, attrs []string) ([]*ldap.Entry, error)
ReadWithFilter searches the specified DN (and its children) using the specified LDAP filter. See https://ldap.com/ldap-filters/ for more information on LDAP filter syntax.
func (*LDAPClient) SetClient
func (c *LDAPClient) SetClient(client ldap.Client)
SetClient sets the underlying ldap.Client
func (*LDAPClient) Update
func (c *LDAPClient) Update(dn string, replaceAttrs map[string][]string) error
Update updates an LDAP entry at the given path, replacing the provided attributes. For each attribute in replaceAttrs, the value is completely replaced, not merged. If you want to modify the value of an existing attribute, you should read the existing value first, modify it and provide the final combined value in replaceAttrs.
You can browse LDAP on the Windows host to find attributes of existing entries using ADSIEdit.msc.
type LDAPConfig

type LDAPConfig struct {
	// Addr is the LDAP server address in the form host:port.
	// Standard port is 636 for LDAPS.
	Addr string //nolint:unused // False-positive
	// Domain is an Active Directory domain name, like "example.com".
	Domain string //nolint:unused // False-positive
	// Username is an LDAP username, like "EXAMPLE\Administrator", where
	// "EXAMPLE" is the NetBIOS version of Domain.
	Username string //nolint:unused // False-positive
	// SID is the SID for the user specified by Username.
	SID string //nolint:unused // False-positive
	// InsecureSkipVerify decides whether we skip verifying with the LDAP server's CA when making the LDAPS connection.
	InsecureSkipVerify bool //nolint:unused // False-positive
	// ServerName is the name of the LDAP server for TLS.
	ServerName string //nolint:unused // False-positive
	// CA is an optional CA cert to be used for verification if InsecureSkipVerify is set to false.
	CA *x509.Certificate //nolint:unused // False-positive
}
LDAPConfig contains parameters for connecting to an LDAP server.
func (LDAPConfig) DomainDN
func (cfg LDAPConfig) DomainDN() string
DomainDN returns the distinguished name for the domain
type SubjectAltName

type SubjectAltName[T any] struct {
	OtherName otherName[T] `asn1:"tag:0"`
}
SubjectAltName is a struct that can be marshaled as ASN.1 into the SAN field of an X.509 certificate.

See RFC 3280: https://www.ietf.org/rfc/rfc3280.txt

T is the ASN.1-encodable struct corresponding to an otherName item of the GeneralNames sequence.
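The following added example, which is not Teleport's code, ties the SubjectAltName[T] shape above to the certificate GenerateWindowsDesktopCredentials describes: it self-signs a five-minute certificate carrying the EKU (client authentication plus smartcard logon) and a UPN otherName in the SAN, then reads the UPN back out. It redeclares the page's OIDs under lowercase names so it runs stand-alone, uses a throwaway ECDSA key in place of the cluster's user CA, and omits the SID extension, whose inner encoding the page describes only empirically. The generic wrapper trick is the one the page's type uses: tagging a one-member struct implicitly with [0] produces the same bytes as the EXPLICIT [0] that OtherName's value field requires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Object identifiers as listed on the page, redeclared so the example is self-contained.
var (
	enhancedKeyUsageExtensionOID = asn1.ObjectIdentifier{2, 5, 29, 37}
	subjectAltNameExtensionOID   = asn1.ObjectIdentifier{2, 5, 29, 17}
	clientAuthenticationOID      = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}
	smartcardLogonOID            = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2}
	upnOtherNameOID              = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}
)

// generalNames has the shape of the page's SubjectAltName[T]: a GeneralNames SEQUENCE
// holding one otherName GeneralName, implicitly tagged [0].
type generalNames[T any] struct {
	OtherName otherName[T] `asn1:"tag:0"`
}

// otherName is OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY };
// implicitly tagging the one-member wrapper T with [0] yields the same bytes as that EXPLICIT tag.
type otherName[T any] struct {
	OID   asn1.ObjectIdentifier
	Value T `asn1:"tag:0"`
}

// upn wraps the UTF8String payload (user@domain) of a UPN otherName.
type upn struct {
	Value string `asn1:"utf8"`
}

// issueSmartcardLogonCert self-signs a short-lived certificate with the EKU and UPN SAN
// described on the page; in a deployment the cluster's user CA would sign it instead.
func issueSmartcardLogonCert(user, domain string, ttl time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ekuVal, err := asn1.Marshal([]asn1.ObjectIdentifier{clientAuthenticationOID, smartcardLogonOID})
	if err != nil {
		return nil, err
	}
	sanVal, err := asn1.Marshal(generalNames[upn]{OtherName: otherName[upn]{
		OID: upnOtherNameOID, Value: upn{Value: user + "@" + domain},
	}})
	if err != nil {
		return nil, err
	}
	now := time.Now().UTC().Truncate(time.Second) // X.509 validity has second resolution
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: user},
		NotBefore:       now,
		NotAfter:        now.Add(ttl),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: enhancedKeyUsageExtensionOID, Value: ekuVal}, {Id: subjectAltNameExtensionOID, Value: sanVal}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// upnFromCert returns the UPN in the first SAN entry. Go's x509 parser skips otherName
// entries (cert.DNSNames and friends stay empty), so the extension is decoded by hand.
func upnFromCert(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(subjectAltNameExtensionOID) {
			continue
		}
		var san generalNames[upn]
		if _, err := asn1.Unmarshal(ext.Value, &san); err != nil {
			return "", fmt.Errorf("decode SAN: %w", err)
		}
		if !san.OtherName.OID.Equal(upnOtherNameOID) {
			return "", fmt.Errorf("first SAN otherName has type-id %v, not a UPN", san.OtherName.OID)
		}
		return san.OtherName.Value.Value, nil
	}
	return "", fmt.Errorf("no subject alternative name extension")
}

func main() {
	cert, err := issueSmartcardLogonCert("alice", "example.com", 5*time.Minute)
	if err != nil {
		panic(err)
	}
	fmt.Println(upnFromCert(cert))
}
```

Two points worth checking in any cert handed to a Windows host: the UPN recovered this way must name the account the session is for (Go's parser leaves it out of DNSNames and EmailAddresses, so a check that only looks there sees an empty SAN), and the validity window should be as short as CertTTL, since each desktop connection requests a fresh certificate.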