Documentation
Overview
Package upstreamldap implements an abstraction of upstream LDAP IDP interactions.
Index
- Constants
- type Conn
- type GroupSearchConfig
- type LDAPConnectionProtocol
- type LDAPDialer
- type LDAPDialerFunc
- type Provider
- func (p *Provider) AuthenticateUser(ctx context.Context, username, password string, grantedScopes []string) (*authenticators.Response, bool, error)
- func (p *Provider) DryRunAuthenticateUser(ctx context.Context, username string, grantedScopes []string) (*authenticators.Response, bool, error)
- func (p *Provider) GetConfig() ProviderConfig
- func (p *Provider) GetName() string
- func (p *Provider) GetResourceUID() types.UID
- func (p *Provider) GetURL() *url.URL
- func (p *Provider) PerformRefresh(ctx context.Context, ...) ([]string, error)
- func (p *Provider) SearchForDefaultNamingContext(ctx context.Context) (string, error)
- func (p *Provider) TestConnection(ctx context.Context) error
- type ProviderConfig
- type UserSearchConfig
Constants
const (
	StartTLS = LDAPConnectionProtocol("StartTLS")
	TLS      = LDAPConnectionProtocol("TLS")
)
Variables
This section is empty.
Functions
This section is empty.
Types
type Conn
type Conn interface {
	Bind(username, password string) error
	Search(searchRequest *ldap.SearchRequest) (*ldap.SearchResult, error)
	SearchWithPaging(searchRequest *ldap.SearchRequest, pagingSize uint32) (*ldap.SearchResult, error)
	Close() error
}
Conn abstracts the upstream LDAP communication protocol (mostly for testing).
type GroupSearchConfig
type GroupSearchConfig struct {
	// Base is the base DN to use for the group search in the upstream LDAP IDP. Empty means to skip group search
	// entirely, in which case authenticated users will not belong to any groups from the upstream LDAP IDP.
	Base string

	// Filter is the filter to use for the group search in the upstream LDAP IDP. Empty means to use `member={}`.
	Filter string

	// UserAttributeForFilter is the name of the user attribute whose value should be used to replace the placeholder
	// in the Filter. Empty means to use 'dn'.
	UserAttributeForFilter string

	// GroupNameAttribute is the attribute in the LDAP group entry from which the group name should be
	// retrieved. Empty means to use 'cn'.
	GroupNameAttribute string

	// SkipGroupRefresh skips the group refresh operation that occurs with each refresh
	// (every 5 minutes). This can be done if group search is very slow or resource intensive for the LDAP
	// server.
	SkipGroupRefresh bool
}
GroupSearchConfig contains information about how to search for group membership for users in the upstream LDAP IDP.
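The field comments above describe three defaults (`member={}`, `dn`, `cn`) and a placeholder substitution, but not what happens to the substituted value. The following is an added example, not code from the package or from the Pinniped project: it resolves the documented defaults, picks the user attribute value, and escapes it per RFC 4515 before it replaces `{}`, so that directory data cannot change the structure of the group filter. The local types `groupSearch` and `userEntry`, the sample entries, and the escaping itself are assumptions made for the example; the page does not say how the package performs the substitution.

```go
package main

import (
	"fmt"
	"strings"
)

// Defaults stated in the GroupSearchConfig field comments.
const (
	defaultGroupFilter            = "member={}"
	defaultUserAttributeForFilter = "dn"
	defaultGroupNameAttribute     = "cn"
)

// groupSearch is a local stand-in for GroupSearchConfig (same field names; not the package's type).
type groupSearch struct {
	Base                   string
	Filter                 string
	UserAttributeForFilter string
	GroupNameAttribute     string
}

// userEntry is a constructed stand-in for the user's LDAP entry found by the user search.
type userEntry struct {
	DN    string
	Attrs map[string]string // single-valued attributes are enough for this example
}

// escapeFilterValue escapes an assertion value for use inside an RFC 4515 search filter.
// '*', '(', ')', '\', NUL and any non-ASCII byte become \XX hex escapes, so a value read
// from the directory cannot open or close filter components. Assumption: this is what a
// safe implementation must do; the page does not describe the package's own handling.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		if c == '*' || c == '(' || c == ')' || c == '\\' || c == 0 || c > 0x7f {
			fmt.Fprintf(&b, `\%02x`, c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// resolveGroupNameAttribute applies the documented default of "cn".
func resolveGroupNameAttribute(cfg groupSearch) string {
	if cfg.GroupNameAttribute == "" {
		return defaultGroupNameAttribute
	}
	return cfg.GroupNameAttribute
}

// buildGroupSearchFilter applies the documented defaults and replaces the "{}" placeholder
// with the escaped value of the chosen user attribute. ok is false when Base is empty,
// which the docs define as "skip group search entirely".
func buildGroupSearchFilter(cfg groupSearch, user userEntry) (filter string, ok bool, err error) {
	if cfg.Base == "" {
		return "", false, nil
	}
	attr := cfg.UserAttributeForFilter
	if attr == "" {
		attr = defaultUserAttributeForFilter
	}
	var value string
	if strings.EqualFold(attr, "dn") {
		value = user.DN
	} else {
		v, found := user.Attrs[attr]
		if !found || v == "" {
			// An absent attribute would produce a filter like "(memberUid=)"; fail closed
			// rather than silently returning an empty group list.
			return "", false, fmt.Errorf("user entry %q has no value for attribute %q", user.DN, attr)
		}
		value = v
	}
	f := cfg.Filter
	if f == "" {
		f = defaultGroupFilter
	}
	return strings.ReplaceAll(f, "{}", escapeFilterValue(value)), true, nil
}

func main() {
	user := userEntry{DN: "cn=jane,ou=users,dc=example,dc=com", Attrs: map[string]string{"uid": "jane"}}
	// Defaults only: member={} with the user's DN substituted.
	f, _, _ := buildGroupSearchFilter(groupSearch{Base: "ou=groups,dc=example,dc=com"}, user)
	fmt.Println(f)
	// A constructed attribute value containing filter metacharacters is neutralised by escaping.
	metachars := userEntry{DN: user.DN, Attrs: map[string]string{"uid": "jane)(uid=*"}}
	f, _, _ = buildGroupSearchFilter(groupSearch{
		Base:                   "ou=groups,dc=example,dc=com",
		Filter:                 "(&(objectClass=posixGroup)(memberUid={}))",
		UserAttributeForFilter: "uid",
	}, metachars)
	fmt.Println(f)
}
```

The DN case is passed through unchanged because commas and equals signs carry no meaning inside a filter assertion value; only the five RFC 4515 metacharacters and non-ASCII bytes are rewritten.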
type LDAPConnectionProtocol
type LDAPConnectionProtocol string
type LDAPDialer
LDAPDialer is a factory of Conn, and the resulting Conn can then be used to interact with an upstream LDAP IDP.
type LDAPDialerFunc
LDAPDialerFunc makes it easy to use a func as an LDAPDialer.
func (LDAPDialerFunc) Dial
func (f LDAPDialerFunc) Dial(ctx context.Context, addr endpointaddr.HostPort) (Conn, error)
type Provider
type Provider struct {
// contains filtered or unexported fields
}
func New
func New(config ProviderConfig) *Provider
New creates a Provider. The config is not a pointer to ensure that a copy of the config is created, making the resulting Provider use an effectively read-only configuration.
func (*Provider) AuthenticateUser
func (p *Provider) AuthenticateUser(ctx context.Context, username, password string, grantedScopes []string) (*authenticators.Response, bool, error)
AuthenticateUser authenticates an end user and returns their mapped username, groups, and UID. Implements authenticators.UserAuthenticator.
func (*Provider) DryRunAuthenticateUser
func (p *Provider) DryRunAuthenticateUser(ctx context.Context, username string, grantedScopes []string) (*authenticators.Response, bool, error)
DryRunAuthenticateUser provides a method for testing all of the Provider settings in a kind of dry run of authentication for a given end user's username. It runs the same logic as AuthenticateUser except it does not bind as that user, so it does not test their password. It returns the same values that a real call to AuthenticateUser with the correct password would return.
func (*Provider) GetConfig
func (p *Provider) GetConfig() ProviderConfig
GetConfig is a reader for the config. Returns a copy of the config to keep the underlying config read-only.
func (*Provider) GetResourceUID added in v0.13.0
func (p *Provider) GetResourceUID() types.UID
func (*Provider) GetURL
func (p *Provider) GetURL() *url.URL
GetURL returns a URL which uniquely identifies this LDAP provider, e.g. "ldaps://host.example.com:1234?base=user-search-base". This URL is not used for connecting to the provider, but rather is used for creating a globally unique user identifier by being combined with the user's UID, since user UIDs are only unique within one provider.
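The doc string above makes a point worth seeing in code: a UID is only unique inside one provider, so the provider URL has to act as the namespace, and two providers on the same host with different user search bases must still yield different identities. The following is an added example, not the package's own code: it builds a URL of the documented shape from the Host and UserSearch.Base fields, joins it with the UID, and parses the result back. The `providerIdentity` type, the `&sub=` join format, and the sample hosts and DNs are assumptions made for the example; the page does not show how the package combines the URL with the UID.

```go
package main

import (
	"fmt"
	"net/url"
)

// providerIdentity holds the two ProviderConfig fields the GetURL doc string relies on.
// Local stand-in for this example; not the package's ProviderConfig.
type providerIdentity struct {
	Host           string // "hostname" or "hostname:port"
	UserSearchBase string // UserSearch.Base
}

// providerURL builds the identifying URL in the shape the GetURL docs show,
// "ldaps://host:port?base=<user search base>". The base DN is query-escaped, so
// "ou=users,dc=example,dc=com" appears as "ou%3Dusers%2Cdc%3Dexample%2Cdc%3Dcom".
func providerURL(p providerIdentity) string {
	u := url.URL{Scheme: "ldaps", Host: p.Host}
	q := url.Values{}
	q.Set("base", p.UserSearchBase)
	u.RawQuery = q.Encode()
	return u.String()
}

// globalUserID appends the per-provider UID as a second, escaped query parameter.
// Assumption: the exact join format is not shown on this page; what matters is that
// the provider URL is the namespace and the UID is only meaningful inside it.
func globalUserID(p providerIdentity, uid string) string {
	return providerURL(p) + "&sub=" + url.QueryEscape(uid)
}

// parseGlobalUserID splits an identifier back into its parts. Because both components
// were escaped, a UID containing '&' or '=' cannot be confused with the base or the host.
func parseGlobalUserID(id string) (host, base, uid string, err error) {
	u, err := url.Parse(id)
	if err != nil {
		return "", "", "", err
	}
	q := u.Query()
	_, hasBase := q["base"]
	_, hasSub := q["sub"]
	if u.Scheme != "ldaps" || u.Host == "" || !hasBase || !hasSub {
		return "", "", "", fmt.Errorf("not a provider-scoped user identifier: %q", id)
	}
	return u.Host, q.Get("base"), q.Get("sub"), nil
}

func main() {
	// Constructed sample providers: same host, different user search bases.
	users := providerIdentity{Host: "ldap.example.com:636", UserSearchBase: "ou=users,dc=example,dc=com"}
	svc := providerIdentity{Host: "ldap.example.com:636", UserSearchBase: "ou=service-accounts,dc=example,dc=com"}
	// The same raw UID at the two providers maps to two different identities.
	fmt.Println(globalUserID(users, "1001"))
	fmt.Println(globalUserID(svc, "1001"))
	fmt.Println(globalUserID(users, "1001") == globalUserID(svc, "1001")) // false
}
```

The round trip through parseGlobalUserID is the check that matters when such identifiers are used as downstream subjects: if either component were concatenated unescaped, a crafted base DN or UID could produce the same string as a different user at a different provider.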
func (*Provider) PerformRefresh added in v0.13.0
func (p *Provider) PerformRefresh(ctx context.Context, storedRefreshAttributes upstreamprovider.RefreshAttributes, idpDisplayName string) ([]string, error)
func (*Provider) SearchForDefaultNamingContext added in v0.11.0
func (p *Provider) SearchForDefaultNamingContext(ctx context.Context) (string, error)
type ProviderConfig
type ProviderConfig struct {
	// Name is the unique name of this upstream LDAP IDP.
	Name string

	// ResourceUID is the Kubernetes resource UID of this identity provider.
	ResourceUID types.UID

	// Host is the hostname or "hostname:port" of the LDAP server. When the port is not specified,
	// the default LDAP port will be used.
	Host string

	// ConnectionProtocol determines how to establish the connection to the server. Either StartTLS or TLS.
	ConnectionProtocol LDAPConnectionProtocol

	// CABundle is the PEM-encoded CA cert bundle to trust when connecting to the LDAP server. Can be nil.
	CABundle []byte

	// BindUsername is the username to use when performing a bind with the upstream LDAP IDP.
	BindUsername string

	// BindPassword is the password to use when performing a bind with the upstream LDAP IDP.
	BindPassword string

	// UserSearch contains information about how to search for users in the upstream LDAP IDP.
	UserSearch UserSearchConfig

	// GroupSearch contains information about how to search for group membership in the upstream LDAP IDP.
	GroupSearch GroupSearchConfig

	// Dialer exists to enable testing. When nil, will use a default appropriate for production use.
	Dialer LDAPDialer

	// UIDAttributeParsingOverrides are mappings between an attribute name and a way to parse it as a UID when
	// it comes out of LDAP.
	UIDAttributeParsingOverrides map[string]func(*ldap.Entry) (string, error)

	// GroupAttributeParsingOverrides are mappings between an attribute name and a way to parse it as a group
	// name when it comes out of LDAP.
	GroupAttributeParsingOverrides map[string]func(*ldap.Entry) (string, error)

	// RefreshAttributeChecks are extra checks that attributes in a refresh response are as expected.
	RefreshAttributeChecks map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error
}
ProviderConfig includes all of the settings for connection and searching for users and groups in the upstream LDAP IDP. It also provides methods for testing the connection and performing logins. The nested structs are not pointer fields to enable deep copy on function params and return values.
type UserSearchConfig
type UserSearchConfig struct {
	// Base is the base DN to use for the user search in the upstream LDAP IDP.
	Base string

	// Filter is the filter to use for the user search in the upstream LDAP IDP.
	Filter string

	// UsernameAttribute is the attribute in the LDAP entry from which the username should be
	// retrieved.
	UsernameAttribute string

	// UIDAttribute is the attribute in the LDAP entry from which the user's unique ID should be
	// retrieved.
	UIDAttribute string
}
UserSearchConfig contains information about how to search for users in the upstream LDAP IDP.