outposts/ldap: move virtual groups to other OU for lookups, conditionally skip requests based on search filter

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-08-21 17:53:09 +02:00 · 2021-08-21 17:53:09 +02:00 · 294d70ae4d
parent 23fd257624
commit 294d70ae4d
8 changed files with 92 additions and 39 deletions
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -150,8 +150,8 @@ class UsersFilter(FilterSet):
    is_superuser = BooleanFilter(field_name="ak_groups", lookup_expr="is_superuser")
    groups_by_name = ModelMultipleChoiceFilter(
-        field_name="ak_groups__username",
+        field_name="ak_groups__name",
-        to_field_name="username",
+        to_field_name="name",
        queryset=Group.objects.all(),
    )
    groups_by_pk = ModelMultipleChoiceFilter(
--- a/internal/outpost/ldap/api.go
+++ b/internal/outpost/ldap/api.go
@ -15,6 +15,12 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 const (
 	UsersOU         = "users"
 	GroupsOU        = "groups"
 	VirtualGroupsOU = "virtual-groups"
 )
 func (ls *LDAPServer) Refresh() error {
 	outposts, _, err := ls.ac.Client.OutpostsApi.OutpostsLdapList(context.Background()).Execute()
 	if err != nil {
@ -25,11 +31,13 @@ func (ls *LDAPServer) Refresh() error {
 	}
 	providers := make([]*ProviderInstance, len(outposts.Results))
 	for idx, provider := range outposts.Results {
-		userDN := strings.ToLower(fmt.Sprintf("ou=users,%s", *provider.BaseDn))
+		userDN := strings.ToLower(fmt.Sprintf("ou=%s,%s", UsersOU, *provider.BaseDn))
-		groupDN := strings.ToLower(fmt.Sprintf("ou=groups,%s", *provider.BaseDn))
+		groupDN := strings.ToLower(fmt.Sprintf("ou=%s,%s", GroupsOU, *provider.BaseDn))
 		virtualGroupDN := strings.ToLower(fmt.Sprintf("ou=%s,%s", VirtualGroupsOU, *provider.BaseDn))
 		logger := log.WithField("logger", "authentik.outpost.ldap").WithField("provider", provider.Name)
 		providers[idx] = &ProviderInstance{
 			BaseDN:              *provider.BaseDn,
 			VirtualGroupDN:      virtualGroupDN,
 			GroupDN:             groupDN,
 			UserDN:              userDN,
 			appSlug:             provider.ApplicationSlug,
--- a/internal/outpost/ldap/instance_search.go
+++ b/internal/outpost/ldap/instance_search.go
@ -59,6 +59,10 @@ func (pi *ProviderInstance) Search(req SearchRequest) (ldap.ServerSearchResult,
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: error parsing filter: %s", req.Filter)
 	}
 	// Create a custom client to set additional headers
 	c := api.NewAPIClient(pi.s.ac.Client.GetConfig())
 	c.GetConfig().AddDefaultHeader("X-authentik-outpost-ldap-query", req.Filter)
 	switch filterEntity {
 	default:
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: unhandled filter type: %s [%s]", filterEntity, req.Filter)
@ -72,7 +76,12 @@ func (pi *ProviderInstance) Search(req SearchRequest) (ldap.ServerSearchResult,
 		go func() {
 			defer wg.Done()
 			gapisp := sentry.StartSpan(req.ctx, "authentik.providers.ldap.search.api_group")
-			groups, _, err := parseFilterForGroup(pi.s.ac.Client.CoreApi.CoreGroupsList(gapisp.Context()), parsedFilter).Execute()
+			searchReq, skip := parseFilterForGroup(c.CoreApi.CoreGroupsList(gapisp.Context()), parsedFilter, false)
 			if skip {
 				pi.log.Trace("Skip backend request")
 				return
 			}
 			groups, _, err := searchReq.Execute()
 			gapisp.Finish()
 			if err != nil {
 				req.log.WithError(err).Warning("failed to get groups")
@ -88,7 +97,12 @@ func (pi *ProviderInstance) Search(req SearchRequest) (ldap.ServerSearchResult,
 		go func() {
 			defer wg.Done()
 			uapisp := sentry.StartSpan(req.ctx, "authentik.providers.ldap.search.api_user")
-			users, _, err := parseFilterForUser(pi.s.ac.Client.CoreApi.CoreUsersList(uapisp.Context()), parsedFilter).Execute()
+			searchReq, skip := parseFilterForUser(c.CoreApi.CoreUsersList(uapisp.Context()), parsedFilter, false)
 			if skip {
 				pi.log.Trace("Skip backend request")
 				return
 			}
 			users, _, err := searchReq.Execute()
 			uapisp.Finish()
 			if err != nil {
 				req.log.WithError(err).Warning("failed to get users")
@ -103,7 +117,12 @@ func (pi *ProviderInstance) Search(req SearchRequest) (ldap.ServerSearchResult,
 		entries = append(gEntries, uEntries...)
 	case UserObjectClass, "":
 		uapisp := sentry.StartSpan(req.ctx, "authentik.providers.ldap.search.api_user")
-		users, _, err := parseFilterForUser(pi.s.ac.Client.CoreApi.CoreUsersList(uapisp.Context()), parsedFilter).Execute()
+		searchReq, skip := parseFilterForUser(c.CoreApi.CoreUsersList(uapisp.Context()), parsedFilter, false)
 		if skip {
 			pi.log.Trace("Skip backend request")
 			return ldap.ServerSearchResult{Entries: entries, Referrals: []string{}, Controls: []ldap.Control{}, ResultCode: ldap.LDAPResultSuccess}, nil
 		}
 		users, _, err := searchReq.Execute()
 		uapisp.Finish()
 		if err != nil {
--- a/internal/outpost/ldap/instance_search_group.go
+++ b/internal/outpost/ldap/instance_search_group.go
@ -7,52 +7,62 @@ import (
 	"goauthentik.io/api"
 )
-func parseFilterForGroup(req api.ApiCoreGroupsListRequest, f *ber.Packet) api.ApiCoreGroupsListRequest {
+func parseFilterForGroup(req api.ApiCoreGroupsListRequest, f *ber.Packet, skip bool) (api.ApiCoreGroupsListRequest, bool) {
 	switch f.Tag {
 	case ldap.FilterEqualityMatch:
 		return parseFilterForGroupSingle(req, f)
 	case ldap.FilterAnd:
 		for _, child := range f.Children {
-			req = parseFilterForGroup(req, child)
+			r, s := parseFilterForGroup(req, child, skip)
 			skip = skip || s
 			req = r
 		}
-		return req
+		return req, skip
 	}
-	return req
+	return req, skip
 }
-func parseFilterForGroupSingle(req api.ApiCoreGroupsListRequest, f *ber.Packet) api.ApiCoreGroupsListRequest {
+func parseFilterForGroupSingle(req api.ApiCoreGroupsListRequest, f *ber.Packet) (api.ApiCoreGroupsListRequest, bool) {
 	// We can only handle key = value pairs here
 	if len(f.Children) < 2 {
-		return req
+		return req, false
 	}
 	k := f.Children[0].Value
 	// Ensure key is string
 	if _, ok := k.(string); !ok {
-		return req
+		return req, false
 	}
 	v := f.Children[1].Value
 	// Null values are ignored
 	if v == nil {
-		return req
+		return req, false
 	}
 	// Switch on type of the value, then check the key
 	switch vv := v.(type) {
 	case string:
 		switch k {
 		case "cn":
-			return req.Name(vv)
+			return req.Name(vv), false
 		case "member":
 			fallthrough
 		case "memberOf":
 			userDN, err := goldap.ParseDN(vv)
 			if err != nil {
-				return req
+				return req.MembersByUsername([]string{vv}), false
 			}
 			username := userDN.RDNs[0].Attributes[0].Value
-			return req.MembersByUsername([]string{username})
+			// If the DN's first ou is virtual-groups, ignore this filter
 			if len(userDN.RDNs) > 1 {
 				if userDN.RDNs[1].Attributes[0].Value == VirtualGroupsOU || userDN.RDNs[1].Attributes[0].Value == GroupsOU {
 					// Since we know we're not filtering anything, skip this request
 					return req, true
 				}
 			}
 			return req.MembersByUsername([]string{username}), false
 		}
 	// TODO: Support int
 	default:
-		return req
+		return req, false
 	}
-	return req
+	return req, false
 }
--- a/internal/outpost/ldap/instance_search_user.go
+++ b/internal/outpost/ldap/instance_search_user.go
@ -7,57 +7,67 @@ import (
 	"goauthentik.io/api"
 )
-func parseFilterForUser(req api.ApiCoreUsersListRequest, f *ber.Packet) api.ApiCoreUsersListRequest {
+func parseFilterForUser(req api.ApiCoreUsersListRequest, f *ber.Packet, skip bool) (api.ApiCoreUsersListRequest, bool) {
 	switch f.Tag {
 	case ldap.FilterEqualityMatch:
 		return parseFilterForUserSingle(req, f)
 	case ldap.FilterAnd:
 		for _, child := range f.Children {
-			req = parseFilterForUser(req, child)
+			r, s := parseFilterForUser(req, child, skip)
 			skip = skip || s
 			req = r
 		}
-		return req
+		return req, skip
 	}
-	return req
+	return req, skip
 }
-func parseFilterForUserSingle(req api.ApiCoreUsersListRequest, f *ber.Packet) api.ApiCoreUsersListRequest {
+func parseFilterForUserSingle(req api.ApiCoreUsersListRequest, f *ber.Packet) (api.ApiCoreUsersListRequest, bool) {
 	// We can only handle key = value pairs here
 	if len(f.Children) < 2 {
-		return req
+		return req, false
 	}
 	k := f.Children[0].Value
 	// Ensure key is string
 	if _, ok := k.(string); !ok {
-		return req
+		return req, false
 	}
 	v := f.Children[1].Value
 	// Null values are ignored
 	if v == nil {
-		return req
+		return req, false
 	}
 	// Switch on type of the value, then check the key
 	switch vv := v.(type) {
 	case string:
 		switch k {
 		case "cn":
-			return req.Username(vv)
+			return req.Username(vv), false
 		case "name":
 		case "displayName":
-			return req.Name(vv)
+			return req.Name(vv), false
 		case "mail":
-			return req.Email(vv)
+			return req.Email(vv), false
 		case "member":
 			fallthrough
 		case "memberOf":
 			groupDN, err := goldap.ParseDN(vv)
 			if err != nil {
-				return req
+				return req.GroupsByName([]string{vv}), false
 			}
 			name := groupDN.RDNs[0].Attributes[0].Value
-			return req.GroupsByName([]string{name})
+			// If the DN's first ou is virtual-groups, ignore this filter
 			if len(groupDN.RDNs) > 1 {
 				if groupDN.RDNs[1].Attributes[0].Value == UsersOU || groupDN.RDNs[1].Attributes[0].Value == VirtualGroupsOU {
 					// Since we know we're not filtering anything, skip this request
 					return req, true
 				}
 			}
 			return req.GroupsByName([]string{name}), false
 		}
 	// TODO: Support int
 	default:
-		return req
+		return req, false
 	}
-	return req
+	return req, false
 }
--- a/internal/outpost/ldap/ldap.go
+++ b/internal/outpost/ldap/ldap.go
@ -19,8 +19,10 @@ const UserObjectClass = "user"
 type ProviderInstance struct {
 	BaseDN string
-	UserDN  string
+	UserDN string
-	GroupDN string
+
 	VirtualGroupDN string
 	GroupDN        string
 	appSlug  string
 	flowSlug string
--- a/internal/outpost/ldap/utils.go
+++ b/internal/outpost/ldap/utils.go
@ -95,7 +95,7 @@ func (pi *ProviderInstance) APIGroupToLDAPGroup(g api.Group) LDAPGroup {
 func (pi *ProviderInstance) APIUserToLDAPGroup(u api.User) LDAPGroup {
 	return LDAPGroup{
-		dn:             pi.GetGroupDN(u.Username),
+		dn:             pi.GetVirtualGroupDN(u.Username),
 		cn:             u.Username,
 		uid:            u.Uid,
 		gidNumber:      pi.GetUidNumber(u),
@ -114,6 +114,10 @@ func (pi *ProviderInstance) GetGroupDN(group string) string {
 	return fmt.Sprintf("cn=%s,%s", group, pi.GroupDN)
 }
 func (pi *ProviderInstance) GetVirtualGroupDN(group string) string {
 	return fmt.Sprintf("cn=%s,%s", group, pi.VirtualGroupDN)
 }
 func (pi *ProviderInstance) GetUidNumber(user api.User) string {
 	return strconv.FormatInt(int64(pi.uidStartNumber+user.Pk), 10)
 }
--- a/website/docs/providers/ldap.md
+++ b/website/docs/providers/ldap.md
@ -14,7 +14,7 @@ Binding against the LDAP Server uses a flow in the background. This allows you t
 You can configure under which base DN the information should be available. For this documentation we'll use the default of `DC=ldap,DC=goauthentik,DC=io`.
-Users are available under `ou=users,<base DN>` and groups under `ou=groups,<base DN>`.
+Users are available under `ou=users,<base DN>` and groups under `ou=groups,<base DN>`. To aid compatibility, each user belongs to its own "virtual" group, as is standard on most Unix-like systems. This group does not exist in the authentik database, and is generated on the fly. These virtual groups are under the `ou=virtual-groups,<base DN>` DN.
 You can bind using the DN `cn=<username>,ou=users,<base DN>`, or using the following ldapsearch command for example: