Documentation ¶
Overview ¶
The LDAP authentication package forwards the credentials in the user session request for authentication with a configured upstream LDAP server.
This package relies on the following two local database tables:
- ldap_sessions: Upon successful LDAP response, creates a keyed local copy of the user email.
- ldap_user_api_tokens: User-created API tokens, tied to the node, storing the user email.
Note: a user can have only one API token at a time, and token expiration is enforced.
User session and roles are cached and revalidated with the upstream service at the interval defined in the local LDAP config through the Application.sessionReaper implementation in reaper.go.
Changes to the upstream identity server propagate through and update the local tables (web sessions, API tokens) by either removing the entries or updating the roles. This sync happens on every auth endpoint hit and at the defined sync interval. One goroutine is created in the New function to coordinate the sync timing.
This implementation is read only; user mutation actions such as Delete are not supported.
MFA is supported via the remote LDAP server implementation. The request timeout should be long enough to accommodate a blocking auth call while the user responds to a potential push notification callback.
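The sync behaviour described above (local entries removed or their roles updated when the upstream directory changes), as an added sketch that is not this package's code. The `reconcile` function, the `lookup` callback, the lowercase error variables and the sample users are constructed for illustration; treating a user with no role groups as a removal, and leaving entries untouched on any other lookup error, are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Constructed stand-ins for the package's sentinel errors (example only).
var (
	errNotInUpstream = errors.New("LDAP query returned no matching users")
	errNoRoleGroups  = errors.New("user matches no role groups")
)

type syncResult struct {
	Removed []string          // emails whose sessions/tokens get deleted
	Updated map[string]string // email -> role now reported upstream
	Skipped []string          // lookups that failed for any other reason
}

// reconcile compares cached email->role entries with the directory.
// lookup is a hypothetical callback returning the user's current role.
func reconcile(local map[string]string, lookup func(string) (string, error)) syncResult {
	res := syncResult{Updated: map[string]string{}}
	for email, cached := range local {
		role, err := lookup(email)
		switch {
		case errors.Is(err, errNotInUpstream), errors.Is(err, errNoRoleGroups):
			res.Removed = append(res.Removed, email) // access revoked upstream
		case err != nil: // assumption: transport error, change nothing, retry later
			res.Skipped = append(res.Skipped, email)
		case role != cached:
			res.Updated[email] = role
		}
	}
	sort.Strings(res.Removed)
	sort.Strings(res.Skipped)
	return res
}

func main() {
	local := map[string]string{"a@example.com": "admin", "b@example.com": "edit"} // constructed
	lookup := func(email string) (string, error) {
		if email == "a@example.com" {
			return "run", nil // demoted upstream
		}
		return "", errNotInUpstream // removed from the directory
	}
	fmt.Printf("%+v\n", reconcile(local, lookup))
}
```

Separating the two sentinel errors from every other failure keeps a directory outage from being read as a mass revocation, while a confirmed removal still drops the local session and API token on the next pass.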
Index ¶
- Constants
- Variables
- func GroupSearchResultsToUserRole(ldapGroups []*ldap.Entry, adminCN string, editCN string, runCN string, ...) (sessions.UserRole, error)
- func NewLDAPAuthenticator(ds sqlutil.DataSource, ldapCfg config.LDAP, dev bool, lggr logger.Logger, ...) (*ldapAuthenticator, error)
- func NewLDAPServerStateSync(ds sqlutil.DataSource, config config.LDAP, lggr logger.Logger) *utils.SleeperTask
- type LDAPClient
- type LDAPConn
- type LDAPServerStateSyncer
Constants ¶
const (
UniqueMemberAttribute = "uniqueMember"
)
Variables ¶
var ErrUserNoLDAPGroups = errors.New("user present in directory, but matching no role groups assigned")
var ErrUserNotInUpstream = errors.New("LDAP query returned no matching users")
Functions ¶
func NewLDAPAuthenticator ¶
func NewLDAPAuthenticator(
	ds sqlutil.DataSource,
	ldapCfg config.LDAP,
	dev bool,
	lggr logger.Logger,
	auditLogger audit.AuditLogger,
) (*ldapAuthenticator, error)
func NewLDAPServerStateSync ¶
func NewLDAPServerStateSync(
	ds sqlutil.DataSource,
	config config.LDAP,
	lggr logger.Logger,
) *utils.SleeperTask
NewLDAPServerStateSync creates a reaper that cleans stale sessions from the store.
Types ¶
type LDAPClient ¶
Wrapper for creating a handle to a *ldap.Conn/LDAPConn interface
type LDAPConn ¶
type LDAPConn interface {
	Search(searchRequest *ldap.SearchRequest) (*ldap.SearchResult, error)
	Bind(username string, password string) error
	Close() (err error)
}
Wrapper for ldap connection and mock testing, implemented by *ldap.Conn
type LDAPServerStateSyncer ¶
type LDAPServerStateSyncer struct {
// contains filtered or unexported fields
}
func (*LDAPServerStateSyncer) Name ¶
func (ldSync *LDAPServerStateSyncer) Name() string
func (*LDAPServerStateSyncer) StartWorkOnTimer ¶
func (ldSync *LDAPServerStateSyncer) StartWorkOnTimer()
func (*LDAPServerStateSyncer) Work ¶
func (ldSync *LDAPServerStateSyncer) Work()