outposts/ldap: add support for base scope and domain info

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-09-26 14:01:22 +02:00 · 2021-09-26 14:01:22 +02:00 · c7e6eb8896
parent 674bd9e05c
commit c7e6eb8896
3 changed files with 60 additions and 2 deletions
--- a/internal/outpost/ldap/instance_search.go
+++ b/internal/outpost/ldap/instance_search.go
@ -79,6 +79,11 @@ func (pi *ProviderInstance) Search(req SearchRequest) (ldap.ServerSearchResult,
 		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, errors.New("access denied")
 	}
+
+	if req.SearchRequest.Scope == ldap.ScopeBaseObject {
+		pi.log.Debug("base scope, showing domain info")
+		return pi.SearchBase(req, flags.CanSearch)
+	}
 	if !flags.CanSearch {
 		pi.log.Debug("User can't search, showing info about user")
 		return pi.SearchMe(req, flags)
--- a/internal/outpost/ldap/instance_search_base.go
+++ b/internal/outpost/ldap/instance_search_base.go
@ -0,0 +1,53 @@
+package ldap
+
+import (
+	"fmt"
+
+	"github.com/nmcclain/ldap"
+	"goauthentik.io/internal/constants"
+)
+
+func (pi *ProviderInstance) SearchBase(req SearchRequest, authz bool) (ldap.ServerSearchResult, error) {
+	dn := ""
+	if authz {
+		dn = req.SearchRequest.BaseDN
+	}
+	return ldap.ServerSearchResult{
+		Entries: []*ldap.Entry{
+			{
+				DN: dn,
+				Attributes: []*ldap.EntryAttribute{
+					{
+						Name:   "distinguishedName",
+						Values: []string{pi.BaseDN},
+					},
+					{
+						Name:   "objectClass",
+						Values: []string{"top", "domain"},
+					},
+					{
+						Name:   "supportedLDAPVersion",
+						Values: []string{"3"},
+					},
+					{
+						Name: "namingContexts",
+						Values: []string{
+							pi.BaseDN,
+							pi.GroupDN,
+							pi.UserDN,
+						},
+					},
+					{
+						Name:   "vendorName",
+						Values: []string{"goauthentik.io"},
+					},
+					{
+						Name:   "vendorVersion",
+						Values: []string{fmt.Sprintf("authentik LDAP Outpost Version %s (build %s)", constants.VERSION, constants.BUILD())},
+					},
+				},
+			},
+		},
+		Referrals: []string{}, Controls: []ldap.Control{}, ResultCode: ldap.LDAPResultSuccess,
+	}, nil
+}
--- a/internal/outpost/ldap/search.go
+++ b/internal/outpost/ldap/search.go
@ -38,7 +38,7 @@ func (ls *LDAPServer) Search(bindDN string, searchReq ldap.SearchRequest, conn n
 		SearchRequest: searchReq,
 		BindDN:        bindDN,
 		conn:          conn,
-		log:           ls.log.WithField("bindDN", bindDN).WithField("requestId", rid).WithField("client", utils.GetIP(conn.RemoteAddr())).WithField("filter", searchReq.Filter).WithField("baseDN", searchReq.BaseDN),
+		log:           ls.log.WithField("bindDN", bindDN).WithField("requestId", rid).WithField("scope", ldap.ScopeMap[searchReq.Scope]).WithField("client", utils.GetIP(conn.RemoteAddr())).WithField("filter", searchReq.Filter).WithField("baseDN", searchReq.BaseDN),
 		id:            rid,
 		ctx:           span.Context(),
 	}
@ -74,7 +74,7 @@ func (ls *LDAPServer) Search(bindDN string, searchReq ldap.SearchRequest, conn n
 	}
 	for _, provider := range ls.providers {
 		providerBase, _ := goldap.ParseDN(provider.BaseDN)
-		if providerBase.AncestorOf(bd) {
+		if providerBase.AncestorOf(bd) || providerBase.Equal(bd) {
 			return provider.Search(req)
 		}
 	}