outposts/ldap: move virtual groups to other OU for lookups, conditionally skip requests based on search filter
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
23fd257624
commit
294d70ae4d
|
@ -150,8 +150,8 @@ class UsersFilter(FilterSet):
|
|||
is_superuser = BooleanFilter(field_name="ak_groups", lookup_expr="is_superuser")
|
||||
|
||||
groups_by_name = ModelMultipleChoiceFilter(
|
||||
field_name="ak_groups__username",
|
||||
to_field_name="username",
|
||||
field_name="ak_groups__name",
|
||||
to_field_name="name",
|
||||
queryset=Group.objects.all(),
|
||||
)
|
||||
groups_by_pk = ModelMultipleChoiceFilter(
|
||||
|
|
|
@ -15,6 +15,12 @@ import (
|
|||
log "github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
const (
|
||||
UsersOU = "users"
|
||||
GroupsOU = "groups"
|
||||
VirtualGroupsOU = "virtual-groups"
|
||||
)
|
||||
|
||||
func (ls *LDAPServer) Refresh() error {
|
||||
outposts, _, err := ls.ac.Client.OutpostsApi.OutpostsLdapList(context.Background()).Execute()
|
||||
if err != nil {
|
||||
|
@ -25,11 +31,13 @@ func (ls *LDAPServer) Refresh() error {
|
|||
}
|
||||
providers := make([]*ProviderInstance, len(outposts.Results))
|
||||
for idx, provider := range outposts.Results {
|
||||
userDN := strings.ToLower(fmt.Sprintf("ou=users,%s", *provider.BaseDn))
|
||||
groupDN := strings.ToLower(fmt.Sprintf("ou=groups,%s", *provider.BaseDn))
|
||||
userDN := strings.ToLower(fmt.Sprintf("ou=%s,%s", UsersOU, *provider.BaseDn))
|
||||
groupDN := strings.ToLower(fmt.Sprintf("ou=%s,%s", GroupsOU, *provider.BaseDn))
|
||||
virtualGroupDN := strings.ToLower(fmt.Sprintf("ou=%s,%s", VirtualGroupsOU, *provider.BaseDn))
|
||||
logger := log.WithField("logger", "authentik.outpost.ldap").WithField("provider", provider.Name)
|
||||
providers[idx] = &ProviderInstance{
|
||||
BaseDN: *provider.BaseDn,
|
||||
VirtualGroupDN: virtualGroupDN,
|
||||
GroupDN: groupDN,
|
||||
UserDN: userDN,
|
||||
appSlug: provider.ApplicationSlug,
|
||||
|
|
|
@ -59,6 +59,10 @@ func (pi *ProviderInstance) Search(req SearchRequest) (ldap.ServerSearchResult,
|
|||
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: error parsing filter: %s", req.Filter)
|
||||
}
|
||||
|
||||
// Create a custom client to set additional headers
|
||||
c := api.NewAPIClient(pi.s.ac.Client.GetConfig())
|
||||
c.GetConfig().AddDefaultHeader("X-authentik-outpost-ldap-query", req.Filter)
|
||||
|
||||
switch filterEntity {
|
||||
default:
|
||||
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: unhandled filter type: %s [%s]", filterEntity, req.Filter)
|
||||
|
@ -72,7 +76,12 @@ func (pi *ProviderInstance) Search(req SearchRequest) (ldap.ServerSearchResult,
|
|||
go func() {
|
||||
defer wg.Done()
|
||||
gapisp := sentry.StartSpan(req.ctx, "authentik.providers.ldap.search.api_group")
|
||||
groups, _, err := parseFilterForGroup(pi.s.ac.Client.CoreApi.CoreGroupsList(gapisp.Context()), parsedFilter).Execute()
|
||||
searchReq, skip := parseFilterForGroup(c.CoreApi.CoreGroupsList(gapisp.Context()), parsedFilter, false)
|
||||
if skip {
|
||||
pi.log.Trace("Skip backend request")
|
||||
return
|
||||
}
|
||||
groups, _, err := searchReq.Execute()
|
||||
gapisp.Finish()
|
||||
if err != nil {
|
||||
req.log.WithError(err).Warning("failed to get groups")
|
||||
|
@ -88,7 +97,12 @@ func (pi *ProviderInstance) Search(req SearchRequest) (ldap.ServerSearchResult,
|
|||
go func() {
|
||||
defer wg.Done()
|
||||
uapisp := sentry.StartSpan(req.ctx, "authentik.providers.ldap.search.api_user")
|
||||
users, _, err := parseFilterForUser(pi.s.ac.Client.CoreApi.CoreUsersList(uapisp.Context()), parsedFilter).Execute()
|
||||
searchReq, skip := parseFilterForUser(c.CoreApi.CoreUsersList(uapisp.Context()), parsedFilter, false)
|
||||
if skip {
|
||||
pi.log.Trace("Skip backend request")
|
||||
return
|
||||
}
|
||||
users, _, err := searchReq.Execute()
|
||||
uapisp.Finish()
|
||||
if err != nil {
|
||||
req.log.WithError(err).Warning("failed to get users")
|
||||
|
@ -103,7 +117,12 @@ func (pi *ProviderInstance) Search(req SearchRequest) (ldap.ServerSearchResult,
|
|||
entries = append(gEntries, uEntries...)
|
||||
case UserObjectClass, "":
|
||||
uapisp := sentry.StartSpan(req.ctx, "authentik.providers.ldap.search.api_user")
|
||||
users, _, err := parseFilterForUser(pi.s.ac.Client.CoreApi.CoreUsersList(uapisp.Context()), parsedFilter).Execute()
|
||||
searchReq, skip := parseFilterForUser(c.CoreApi.CoreUsersList(uapisp.Context()), parsedFilter, false)
|
||||
if skip {
|
||||
pi.log.Trace("Skip backend request")
|
||||
return ldap.ServerSearchResult{Entries: entries, Referrals: []string{}, Controls: []ldap.Control{}, ResultCode: ldap.LDAPResultSuccess}, nil
|
||||
}
|
||||
users, _, err := searchReq.Execute()
|
||||
uapisp.Finish()
|
||||
|
||||
if err != nil {
|
||||
|
|
|
@ -7,52 +7,62 @@ import (
|
|||
"goauthentik.io/api"
|
||||
)
|
||||
|
||||
func parseFilterForGroup(req api.ApiCoreGroupsListRequest, f *ber.Packet) api.ApiCoreGroupsListRequest {
|
||||
func parseFilterForGroup(req api.ApiCoreGroupsListRequest, f *ber.Packet, skip bool) (api.ApiCoreGroupsListRequest, bool) {
|
||||
switch f.Tag {
|
||||
case ldap.FilterEqualityMatch:
|
||||
return parseFilterForGroupSingle(req, f)
|
||||
case ldap.FilterAnd:
|
||||
for _, child := range f.Children {
|
||||
req = parseFilterForGroup(req, child)
|
||||
r, s := parseFilterForGroup(req, child, skip)
|
||||
skip = skip || s
|
||||
req = r
|
||||
}
|
||||
return req
|
||||
return req, skip
|
||||
}
|
||||
return req
|
||||
return req, skip
|
||||
}
|
||||
|
||||
func parseFilterForGroupSingle(req api.ApiCoreGroupsListRequest, f *ber.Packet) api.ApiCoreGroupsListRequest {
|
||||
func parseFilterForGroupSingle(req api.ApiCoreGroupsListRequest, f *ber.Packet) (api.ApiCoreGroupsListRequest, bool) {
|
||||
// We can only handle key = value pairs here
|
||||
if len(f.Children) < 2 {
|
||||
return req
|
||||
return req, false
|
||||
}
|
||||
k := f.Children[0].Value
|
||||
// Ensure key is string
|
||||
if _, ok := k.(string); !ok {
|
||||
return req
|
||||
return req, false
|
||||
}
|
||||
v := f.Children[1].Value
|
||||
// Null values are ignored
|
||||
if v == nil {
|
||||
return req
|
||||
return req, false
|
||||
}
|
||||
// Switch on type of the value, then check the key
|
||||
switch vv := v.(type) {
|
||||
case string:
|
||||
switch k {
|
||||
case "cn":
|
||||
return req.Name(vv)
|
||||
return req.Name(vv), false
|
||||
case "member":
|
||||
fallthrough
|
||||
case "memberOf":
|
||||
userDN, err := goldap.ParseDN(vv)
|
||||
if err != nil {
|
||||
return req
|
||||
return req.MembersByUsername([]string{vv}), false
|
||||
}
|
||||
username := userDN.RDNs[0].Attributes[0].Value
|
||||
return req.MembersByUsername([]string{username})
|
||||
// If the DN's first ou is virtual-groups, ignore this filter
|
||||
if len(userDN.RDNs) > 1 {
|
||||
if userDN.RDNs[1].Attributes[0].Value == VirtualGroupsOU || userDN.RDNs[1].Attributes[0].Value == GroupsOU {
|
||||
// Since we know we're not filtering anything, skip this request
|
||||
return req, true
|
||||
}
|
||||
}
|
||||
return req.MembersByUsername([]string{username}), false
|
||||
}
|
||||
// TODO: Support int
|
||||
default:
|
||||
return req
|
||||
return req, false
|
||||
}
|
||||
return req
|
||||
return req, false
|
||||
}
|
||||
|
|
|
@ -7,57 +7,67 @@ import (
|
|||
"goauthentik.io/api"
|
||||
)
|
||||
|
||||
func parseFilterForUser(req api.ApiCoreUsersListRequest, f *ber.Packet) api.ApiCoreUsersListRequest {
|
||||
func parseFilterForUser(req api.ApiCoreUsersListRequest, f *ber.Packet, skip bool) (api.ApiCoreUsersListRequest, bool) {
|
||||
switch f.Tag {
|
||||
case ldap.FilterEqualityMatch:
|
||||
return parseFilterForUserSingle(req, f)
|
||||
case ldap.FilterAnd:
|
||||
for _, child := range f.Children {
|
||||
req = parseFilterForUser(req, child)
|
||||
r, s := parseFilterForUser(req, child, skip)
|
||||
skip = skip || s
|
||||
req = r
|
||||
}
|
||||
return req
|
||||
return req, skip
|
||||
}
|
||||
return req
|
||||
return req, skip
|
||||
}
|
||||
|
||||
func parseFilterForUserSingle(req api.ApiCoreUsersListRequest, f *ber.Packet) api.ApiCoreUsersListRequest {
|
||||
func parseFilterForUserSingle(req api.ApiCoreUsersListRequest, f *ber.Packet) (api.ApiCoreUsersListRequest, bool) {
|
||||
// We can only handle key = value pairs here
|
||||
if len(f.Children) < 2 {
|
||||
return req
|
||||
return req, false
|
||||
}
|
||||
k := f.Children[0].Value
|
||||
// Ensure key is string
|
||||
if _, ok := k.(string); !ok {
|
||||
return req
|
||||
return req, false
|
||||
}
|
||||
v := f.Children[1].Value
|
||||
// Null values are ignored
|
||||
if v == nil {
|
||||
return req
|
||||
return req, false
|
||||
}
|
||||
// Switch on type of the value, then check the key
|
||||
switch vv := v.(type) {
|
||||
case string:
|
||||
switch k {
|
||||
case "cn":
|
||||
return req.Username(vv)
|
||||
return req.Username(vv), false
|
||||
case "name":
|
||||
case "displayName":
|
||||
return req.Name(vv)
|
||||
return req.Name(vv), false
|
||||
case "mail":
|
||||
return req.Email(vv)
|
||||
return req.Email(vv), false
|
||||
case "member":
|
||||
fallthrough
|
||||
case "memberOf":
|
||||
groupDN, err := goldap.ParseDN(vv)
|
||||
if err != nil {
|
||||
return req
|
||||
return req.GroupsByName([]string{vv}), false
|
||||
}
|
||||
name := groupDN.RDNs[0].Attributes[0].Value
|
||||
return req.GroupsByName([]string{name})
|
||||
// If the DN's first ou is virtual-groups, ignore this filter
|
||||
if len(groupDN.RDNs) > 1 {
|
||||
if groupDN.RDNs[1].Attributes[0].Value == UsersOU || groupDN.RDNs[1].Attributes[0].Value == VirtualGroupsOU {
|
||||
// Since we know we're not filtering anything, skip this request
|
||||
return req, true
|
||||
}
|
||||
}
|
||||
return req.GroupsByName([]string{name}), false
|
||||
}
|
||||
// TODO: Support int
|
||||
default:
|
||||
return req
|
||||
return req, false
|
||||
}
|
||||
return req
|
||||
return req, false
|
||||
}
|
||||
|
|
|
@ -19,8 +19,10 @@ const UserObjectClass = "user"
|
|||
type ProviderInstance struct {
|
||||
BaseDN string
|
||||
|
||||
UserDN string
|
||||
GroupDN string
|
||||
UserDN string
|
||||
|
||||
VirtualGroupDN string
|
||||
GroupDN string
|
||||
|
||||
appSlug string
|
||||
flowSlug string
|
||||
|
|
|
@ -95,7 +95,7 @@ func (pi *ProviderInstance) APIGroupToLDAPGroup(g api.Group) LDAPGroup {
|
|||
|
||||
func (pi *ProviderInstance) APIUserToLDAPGroup(u api.User) LDAPGroup {
|
||||
return LDAPGroup{
|
||||
dn: pi.GetGroupDN(u.Username),
|
||||
dn: pi.GetVirtualGroupDN(u.Username),
|
||||
cn: u.Username,
|
||||
uid: u.Uid,
|
||||
gidNumber: pi.GetUidNumber(u),
|
||||
|
@ -114,6 +114,10 @@ func (pi *ProviderInstance) GetGroupDN(group string) string {
|
|||
return fmt.Sprintf("cn=%s,%s", group, pi.GroupDN)
|
||||
}
|
||||
|
||||
func (pi *ProviderInstance) GetVirtualGroupDN(group string) string {
|
||||
return fmt.Sprintf("cn=%s,%s", group, pi.VirtualGroupDN)
|
||||
}
|
||||
|
||||
func (pi *ProviderInstance) GetUidNumber(user api.User) string {
|
||||
return strconv.FormatInt(int64(pi.uidStartNumber+user.Pk), 10)
|
||||
}
|
||||
|
|
|
@ -14,7 +14,7 @@ Binding against the LDAP Server uses a flow in the background. This allows you t
|
|||
|
||||
You can configure under which base DN the information should be available. For this documentation we'll use the default of `DC=ldap,DC=goauthentik,DC=io`.
|
||||
|
||||
Users are available under `ou=users,<base DN>` and groups under `ou=groups,<base DN>`.
|
||||
Users are available under `ou=users,<base DN>` and groups under `ou=groups,<base DN>`. To aid compatibility, each user belongs to its own "virtual" group, as is standard on most Unix-like systems. This group does not exist in the authentik database, and is generated on the fly. These virtual groups are under the `ou=virtual-groups,<base DN>` DN.
|
||||
|
||||
You can bind using the DN `cn=<username>,ou=users,<base DN>`, or using the following ldapsearch command for example:
|
||||
|
||||
|
|
Reference in a new issue