From c7e6eb889628240d91a6da577c72b867745c2e1b Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sun, 26 Sep 2021 14:01:22 +0200
Subject: [PATCH] outposts/ldap: add support for base scope and domain info
Signed-off-by: Jens Langhammer
---
 internal/outpost/ldap/instance_search.go | 5 ++
 internal/outpost/ldap/instance_search_base.go | 53 +++++++++++++++++++
 internal/outpost/ldap/search.go | 4 +-
 3 files changed, 60 insertions(+), 2 deletions(-)
 create mode 100644 internal/outpost/ldap/instance_search_base.go
diff --git a/internal/outpost/ldap/instance_search.go b/internal/outpost/ldap/instance_search.go
index f39101cdc..14e8efd59 100644
--- a/internal/outpost/ldap/instance_search.go
+++ b/internal/outpost/ldap/instance_search.go
@@ -79,6 +79,11 @@ func (pi *ProviderInstance) Search(req SearchRequest) (ldap.ServerSearchResult,
 }).Inc()
 return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, errors.New("access denied")
 }
+
+ if req.SearchRequest.Scope == ldap.ScopeBaseObject {
+ pi.log.Debug("base scope, showing domain info")
+ return pi.SearchBase(req, flags.CanSearch)
+ }
 if !flags.CanSearch {
 pi.log.Debug("User can't search, showing info about user")
 return pi.SearchMe(req, flags)
diff --git a/internal/outpost/ldap/instance_search_base.go b/internal/outpost/ldap/instance_search_base.go
new file mode 100644
index 000000000..9411a314c
--- /dev/null
+++ b/internal/outpost/ldap/instance_search_base.go
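Review bot: The new branch keys only on Scope, so a base-scope search whose BaseDN is a user or group entry below this provider (the usual way a client reads one specific object) is now answered with the domain entry instead of whatever the remaining search path would have produced, because the dispatcher change in search.go routes every BaseDN at or below provider.BaseDN to this method. The branch should also require the requested base to be the provider base, e.g. `if req.SearchRequest.Scope == ldap.ScopeBaseObject && req.SearchRequest.BaseDN == pi.BaseDN {`, or compare parsed DNs the way search.go does if case or spacing differences in client-supplied DNs are expected. Search's body begins and ends outside the hunk.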
@@ -0,0 +1,53 @@
+package ldap
+
+import (
+ "fmt"
+
+ "github.com/nmcclain/ldap"
+ "goauthentik.io/internal/constants"
+)
+
+func (pi *ProviderInstance) SearchBase(req SearchRequest, authz bool) (ldap.ServerSearchResult, error) {
+ dn := ""
+ if authz {
+ dn = req.SearchRequest.BaseDN
+ }
+ return ldap.ServerSearchResult{
+ Entries: []*ldap.Entry{
+ {
+ DN: dn,
+ Attributes: []*ldap.EntryAttribute{
+ {
+ Name: "distinguishedName",
+ Values: []string{pi.BaseDN},
+ },
+ {
+ Name: "objectClass",
+ Values: []string{"top", "domain"},
+ },
+ {
+ Name: "supportedLDAPVersion",
+ Values: []string{"3"},
+ },
+ {
+ Name: "namingContexts",
+ Values: []string{
+ pi.BaseDN,
+ pi.GroupDN,
+ pi.UserDN,
+ },
+ },
+ {
+ Name: "vendorName",
+ Values: []string{"goauthentik.io"},
+ },
+ {
+ Name: "vendorVersion",
+ Values: []string{fmt.Sprintf("authentik LDAP Outpost Version %s (build %s)", constants.VERSION, constants.BUILD())},
+ },
+ },
+ },
+ },
+ Referrals: []string{}, Controls: []ldap.Control{}, ResultCode: ldap.LDAPResultSuccess,
+ }, nil
+}
diff --git a/internal/outpost/ldap/search.go b/internal/outpost/ldap/search.go
index d1df57126..8e31512b6 100644
--- a/internal/outpost/ldap/search.go
+++ b/internal/outpost/ldap/search.go
@@ -38,7 +38,7 @@ func (ls *LDAPServer) Search(bindDN string, searchReq ldap.SearchRequest, conn n
 SearchRequest: searchReq,
 BindDN: bindDN,
 conn: conn,
- log: ls.log.WithField("bindDN", bindDN).WithField("requestId", rid).WithField("client", utils.GetIP(conn.RemoteAddr())).WithField("filter", searchReq.Filter).WithField("baseDN", searchReq.BaseDN),
+ log: ls.log.WithField("bindDN", bindDN).WithField("requestId", rid).WithField("scope", ldap.ScopeMap[searchReq.Scope]).WithField("client", utils.GetIP(conn.RemoteAddr())).WithField("filter", searchReq.Filter).WithField("baseDN", searchReq.BaseDN),
 id: rid,
 ctx: span.Context(),
 }
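Review bot: `authz` only blanks the returned entry's DN, while every attribute value — distinguishedName (pi.BaseDN), namingContexts (pi.BaseDN, pi.GroupDN, pi.UserDN) and the exact release and build in vendorVersion — is returned regardless, so a bind that lacks search rights learns the same information as one that has them, and additionally receives an entry whose DN (the client-supplied req.SearchRequest.BaseDN, or "") disagrees with its own distinguishedName attribute. Either the entry is considered public, in which case the DN special case can go, or the attribute values need the same gating as the DN; the build string in particular is worth withholding from callers that cannot search, since it fingerprints the deployment. The request's filter and requested attribute list are not consulted either, so a base-scope search with a filter that does not match this entry still gets it back. SearchBase is exported and has no doc comment; `// SearchBase answers a base-scope search with a single entry describing this provider's domain; when authz is false the entry's DN is left empty.` would state the contract as written.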
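Review bot: `ldap.ScopeMap[searchReq.Scope]` yields an empty string for a scope value that is not in the map, so an unexpected or malformed scope is logged as "" rather than as the number the client actually sent; logging the raw integer under a second key alongside the mapped name keeps the record useful when diagnosing odd clients. Separately, the chained WithField line has become very long; if ls.log is a logrus-style logger, a single `WithFields(log.Fields{...})` call would read better and make future field additions a one-line diff. LDAPServer.Search begins and ends outside the hunk.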
@@ -74,7 +74,7 @@ func (ls *LDAPServer) Search(bindDN string, searchReq ldap.SearchRequest, conn n
 }
 for _, provider := range ls.providers {
 providerBase, _ := goldap.ParseDN(provider.BaseDN)
- if providerBase.AncestorOf(bd) {
+ if providerBase.AncestorOf(bd) || providerBase.Equal(bd) {
 return provider.Search(req)
 }
 }
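Review bot: The added `providerBase.Equal(bd)` call, like the existing AncestorOf, is made on a providerBase whose ParseDN error is discarded on the line above; if goldap.ParseDN returns a nil DN on error, one provider configured with an unparsable base DN would panic here and take the whole dispatch down, whereas `providerBase, err := goldap.ParseDN(provider.BaseDN)` followed by `if err != nil { continue }` (with a log line) confines the problem to that provider. Whether Equal compares DNs case-insensitively, as LDAP requires for attribute types and most string syntaxes, is not visible from the hunk and is worth confirming against the library before relying on it for routing. Where bd is parsed, and LDAPServer.Search's start, lie outside the hunk.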