outposts/ldap: add dockerfile

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2021-04-26 15:35:56 +02:00
parent b3c8ffb96c
commit 91ca90f700
7 changed files with 72 additions and 14 deletions

View File

@ -51,9 +51,9 @@ stages:
script: |
docker run --rm -v $(pwd):/app -w /app golangci/golangci-lint:v1.39.0 golangci-lint run -v --timeout 200s
workingDirectory: 'outpost/'
- stage: proxy_build_go
- stage: build_go
jobs:
- job: build_go
- job: proxy_build_go
pool:
vmImage: 'ubuntu-latest'
steps:
@ -70,9 +70,26 @@ stages:
command: 'build'
arguments: './cmd/proxy'
workingDirectory: 'outpost/'
- stage: proxy_build_docker
- job: ldap_build_go
pool:
vmImage: 'ubuntu-latest'
steps:
- task: GoTool@0
inputs:
version: '1.16.3'
- task: DownloadPipelineArtifact@2
inputs:
buildType: 'current'
artifactName: 'go_swagger_client'
path: "outpost/pkg/"
- task: Go@0
inputs:
command: 'build'
arguments: './cmd/ldap'
workingDirectory: 'outpost/'
- stage: build_docker
jobs:
- job: build
- job: proxy_build_docker
pool:
vmImage: 'ubuntu-latest'
steps:
@ -97,3 +114,28 @@ stages:
Dockerfile: 'outpost/proxy.Dockerfile'
buildContext: 'outpost/'
tags: "gh-$(branchName)"
- job: ldap_build_docker
pool:
vmImage: 'ubuntu-latest'
steps:
- task: GoTool@0
inputs:
version: '1.16.3'
- task: DownloadPipelineArtifact@2
inputs:
buildType: 'current'
artifactName: 'go_swagger_client'
path: "outpost/pkg/"
- task: Bash@3
inputs:
targetType: 'inline'
script: |
python ./scripts/az_do_set_branch.py
- task: Docker@2
inputs:
containerRegistry: 'beryjuorg-harbor'
repository: 'authentik/outpost-ldap'
command: 'buildAndPush'
Dockerfile: 'outpost/ldap.Dockerfile'
buildContext: 'outpost/'
tags: "gh-$(branchName)"

13
outpost/ldap.Dockerfile Normal file
View File

@ -0,0 +1,13 @@
FROM golang:1.16.3 AS builder
WORKDIR /work
COPY . .
RUN go build -o /work/ldap ./cmd/ldap
FROM gcr.io/distroless/base-debian10:debug
COPY --from=builder /work/ldap /
ENTRYPOINT ["/ldap"]

View File

@ -28,7 +28,7 @@ func (ls *LDAPServer) Refresh() error {
appSlug: *provider.ApplicationSlug,
flowSlug: *provider.BindFlowSlug,
s: ls,
log: log.WithField("provider", provider.Name),
log: log.WithField("logger", "authentik.outpost.ldap").WithField("provider", provider.Name),
}
}
ls.providers = providers

View File

@ -6,15 +6,9 @@ import (
"github.com/nmcclain/ldap"
)
type UIDResponse struct {
UIDFIeld string `json:"uid_field"`
}
type PasswordResponse struct {
Password string `json:"password"`
}
func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {
ls.log.WithField("dn", bindDN).Info("bind")
for _, instance := range ls.providers {
username, err := instance.getUsername(bindDN)
if err == nil {

View File

@ -16,6 +16,14 @@ import (
"goauthentik.io/outpost/pkg/client/flows"
)
type UIDResponse struct {
UIDFIeld string `json:"uid_field"`
}
type PasswordResponse struct {
Password string `json:"password"`
}
func (pi *ProviderInstance) getUsername(dn string) (string, error) {
if !strings.HasSuffix(dn, pi.BaseDN) {
return "", errors.New("invalid base DN")
@ -59,7 +67,7 @@ func (pi *ProviderInstance) Bind(username string, bindPW string, conn net.Conn)
if err != nil {
if _, denied := err.(*core.CoreApplicationsCheckAccessForbidden); denied {
pi.log.WithField("dn", username).Info("Access denied for user")
return ldap.LDAPResultInvalidCredentials, nil
return ldap.LDAPResultInsufficientAccessRights, nil
}
pi.log.WithField("dn", username).WithError(err).Warning("failed to check access")
return ldap.LDAPResultOperationsError, nil

View File

@ -35,7 +35,7 @@ func NewServer(ac *ak.APIController) *LDAPServer {
s.EnforceLDAP = true
ls := &LDAPServer{
s: s,
log: log.WithField("logger", "ldap-server"),
log: log.WithField("logger", "authentik.outpost.ldap"),
ac: ac,
providers: []*ProviderInstance{},
}

View File

@ -9,6 +9,7 @@ import (
)
func (ls *LDAPServer) Search(boundDN string, searchReq ldap.SearchRequest, conn net.Conn) (ldap.ServerSearchResult, error) {
ls.log.WithField("dn", boundDN).Info("search")
bd, err := goldap.ParseDN(boundDN)
if err != nil {
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, errors.New("invalid DN")