outposts/ldap: add dockerfile
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
b3c8ffb96c
commit
91ca90f700
|
@ -51,9 +51,9 @@ stages:
|
||||||
script: |
|
script: |
|
||||||
docker run --rm -v $(pwd):/app -w /app golangci/golangci-lint:v1.39.0 golangci-lint run -v --timeout 200s
|
docker run --rm -v $(pwd):/app -w /app golangci/golangci-lint:v1.39.0 golangci-lint run -v --timeout 200s
|
||||||
workingDirectory: 'outpost/'
|
workingDirectory: 'outpost/'
|
||||||
- stage: proxy_build_go
|
- stage: build_go
|
||||||
jobs:
|
jobs:
|
||||||
- job: build_go
|
- job: proxy_build_go
|
||||||
pool:
|
pool:
|
||||||
vmImage: 'ubuntu-latest'
|
vmImage: 'ubuntu-latest'
|
||||||
steps:
|
steps:
|
||||||
|
@ -70,9 +70,26 @@ stages:
|
||||||
command: 'build'
|
command: 'build'
|
||||||
arguments: './cmd/proxy'
|
arguments: './cmd/proxy'
|
||||||
workingDirectory: 'outpost/'
|
workingDirectory: 'outpost/'
|
||||||
- stage: proxy_build_docker
|
- job: ldap_build_go
|
||||||
|
pool:
|
||||||
|
vmImage: 'ubuntu-latest'
|
||||||
|
steps:
|
||||||
|
- task: GoTool@0
|
||||||
|
inputs:
|
||||||
|
version: '1.16.3'
|
||||||
|
- task: DownloadPipelineArtifact@2
|
||||||
|
inputs:
|
||||||
|
buildType: 'current'
|
||||||
|
artifactName: 'go_swagger_client'
|
||||||
|
path: "outpost/pkg/"
|
||||||
|
- task: Go@0
|
||||||
|
inputs:
|
||||||
|
command: 'build'
|
||||||
|
arguments: './cmd/ldap'
|
||||||
|
workingDirectory: 'outpost/'
|
||||||
|
- stage: build_docker
|
||||||
jobs:
|
jobs:
|
||||||
- job: build
|
- job: proxy_build_docker
|
||||||
pool:
|
pool:
|
||||||
vmImage: 'ubuntu-latest'
|
vmImage: 'ubuntu-latest'
|
||||||
steps:
|
steps:
|
||||||
|
@ -97,3 +114,28 @@ stages:
|
||||||
Dockerfile: 'outpost/proxy.Dockerfile'
|
Dockerfile: 'outpost/proxy.Dockerfile'
|
||||||
buildContext: 'outpost/'
|
buildContext: 'outpost/'
|
||||||
tags: "gh-$(branchName)"
|
tags: "gh-$(branchName)"
|
||||||
|
- job: ldap_build_docker
|
||||||
|
pool:
|
||||||
|
vmImage: 'ubuntu-latest'
|
||||||
|
steps:
|
||||||
|
- task: GoTool@0
|
||||||
|
inputs:
|
||||||
|
version: '1.16.3'
|
||||||
|
- task: DownloadPipelineArtifact@2
|
||||||
|
inputs:
|
||||||
|
buildType: 'current'
|
||||||
|
artifactName: 'go_swagger_client'
|
||||||
|
path: "outpost/pkg/"
|
||||||
|
- task: Bash@3
|
||||||
|
inputs:
|
||||||
|
targetType: 'inline'
|
||||||
|
script: |
|
||||||
|
python ./scripts/az_do_set_branch.py
|
||||||
|
- task: Docker@2
|
||||||
|
inputs:
|
||||||
|
containerRegistry: 'beryjuorg-harbor'
|
||||||
|
repository: 'authentik/outpost-ldap'
|
||||||
|
command: 'buildAndPush'
|
||||||
|
Dockerfile: 'outpost/ldap.Dockerfile'
|
||||||
|
buildContext: 'outpost/'
|
||||||
|
tags: "gh-$(branchName)"
|
||||||
|
|
13
outpost/ldap.Dockerfile
Normal file
13
outpost/ldap.Dockerfile
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
FROM golang:1.16.3 AS builder
|
||||||
|
|
||||||
|
WORKDIR /work
|
||||||
|
|
||||||
|
COPY . .
|
||||||
|
|
||||||
|
RUN go build -o /work/ldap ./cmd/ldap
|
||||||
|
|
||||||
|
FROM gcr.io/distroless/base-debian10:debug
|
||||||
|
|
||||||
|
COPY --from=builder /work/ldap /
|
||||||
|
|
||||||
|
ENTRYPOINT ["/ldap"]
|
|
@ -28,7 +28,7 @@ func (ls *LDAPServer) Refresh() error {
|
||||||
appSlug: *provider.ApplicationSlug,
|
appSlug: *provider.ApplicationSlug,
|
||||||
flowSlug: *provider.BindFlowSlug,
|
flowSlug: *provider.BindFlowSlug,
|
||||||
s: ls,
|
s: ls,
|
||||||
log: log.WithField("provider", provider.Name),
|
log: log.WithField("logger", "authentik.outpost.ldap").WithField("provider", provider.Name),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
ls.providers = providers
|
ls.providers = providers
|
||||||
|
|
|
@ -6,15 +6,9 @@ import (
|
||||||
"github.com/nmcclain/ldap"
|
"github.com/nmcclain/ldap"
|
||||||
)
|
)
|
||||||
|
|
||||||
type UIDResponse struct {
|
|
||||||
UIDFIeld string `json:"uid_field"`
|
|
||||||
}
|
|
||||||
|
|
||||||
type PasswordResponse struct {
|
|
||||||
Password string `json:"password"`
|
|
||||||
}
|
|
||||||
|
|
||||||
func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {
|
func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {
|
||||||
|
ls.log.WithField("dn", bindDN).Info("bind")
|
||||||
for _, instance := range ls.providers {
|
for _, instance := range ls.providers {
|
||||||
username, err := instance.getUsername(bindDN)
|
username, err := instance.getUsername(bindDN)
|
||||||
if err == nil {
|
if err == nil {
|
||||||
|
|
|
@ -16,6 +16,14 @@ import (
|
||||||
"goauthentik.io/outpost/pkg/client/flows"
|
"goauthentik.io/outpost/pkg/client/flows"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
type UIDResponse struct {
|
||||||
|
UIDFIeld string `json:"uid_field"`
|
||||||
|
}
|
||||||
|
|
||||||
|
type PasswordResponse struct {
|
||||||
|
Password string `json:"password"`
|
||||||
|
}
|
||||||
|
|
||||||
func (pi *ProviderInstance) getUsername(dn string) (string, error) {
|
func (pi *ProviderInstance) getUsername(dn string) (string, error) {
|
||||||
if !strings.HasSuffix(dn, pi.BaseDN) {
|
if !strings.HasSuffix(dn, pi.BaseDN) {
|
||||||
return "", errors.New("invalid base DN")
|
return "", errors.New("invalid base DN")
|
||||||
|
@ -59,7 +67,7 @@ func (pi *ProviderInstance) Bind(username string, bindPW string, conn net.Conn)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if _, denied := err.(*core.CoreApplicationsCheckAccessForbidden); denied {
|
if _, denied := err.(*core.CoreApplicationsCheckAccessForbidden); denied {
|
||||||
pi.log.WithField("dn", username).Info("Access denied for user")
|
pi.log.WithField("dn", username).Info("Access denied for user")
|
||||||
return ldap.LDAPResultInvalidCredentials, nil
|
return ldap.LDAPResultInsufficientAccessRights, nil
|
||||||
}
|
}
|
||||||
pi.log.WithField("dn", username).WithError(err).Warning("failed to check access")
|
pi.log.WithField("dn", username).WithError(err).Warning("failed to check access")
|
||||||
return ldap.LDAPResultOperationsError, nil
|
return ldap.LDAPResultOperationsError, nil
|
||||||
|
|
|
@ -35,7 +35,7 @@ func NewServer(ac *ak.APIController) *LDAPServer {
|
||||||
s.EnforceLDAP = true
|
s.EnforceLDAP = true
|
||||||
ls := &LDAPServer{
|
ls := &LDAPServer{
|
||||||
s: s,
|
s: s,
|
||||||
log: log.WithField("logger", "ldap-server"),
|
log: log.WithField("logger", "authentik.outpost.ldap"),
|
||||||
ac: ac,
|
ac: ac,
|
||||||
providers: []*ProviderInstance{},
|
providers: []*ProviderInstance{},
|
||||||
}
|
}
|
||||||
|
|
|
@ -9,6 +9,7 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
func (ls *LDAPServer) Search(boundDN string, searchReq ldap.SearchRequest, conn net.Conn) (ldap.ServerSearchResult, error) {
|
func (ls *LDAPServer) Search(boundDN string, searchReq ldap.SearchRequest, conn net.Conn) (ldap.ServerSearchResult, error) {
|
||||||
|
ls.log.WithField("dn", boundDN).Info("search")
|
||||||
bd, err := goldap.ParseDN(boundDN)
|
bd, err := goldap.ParseDN(boundDN)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, errors.New("invalid DN")
|
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, errors.New("invalid DN")
|
||||||
|
|
Reference in a new issue