Update ldap library to v3
Notes:
- the v3 major release coincided with an update to use Go modules[1] but
  is an otherwise backwards-compatible release. It was not related to
  compatibility with the LDAP V3 protocol, the ldap.v2 package was
  already compatible with the LDAP V3 protocol.
- the import path changed shortly after the v3 release[2], but it is the
  same package as before

[1] go-ldap/ldap#247
[2] go-ldap/ldap@c135faa
cmurphy committed Oct 19, 2021
1 parent 76e743c commit 737ae12
Showing 6 changed files with 119 additions and 114 deletions.
6 changes: 3 additions & 3 deletions go.mod
Expand Up @@ -71,6 +71,8 @@ require (
github.com/evanphx/json-patch v4.9.0+incompatible
github.com/garyburd/redigo v1.6.2 // indirect
github.com/ghodss/yaml v1.0.0
github.com/go-asn1-ber/asn1-ber v1.5.3 // indirect
github.com/go-ldap/ldap/v3 v3.4.1
github.com/go-logr/logr v0.4.0
github.com/golang-jwt/jwt v3.2.1+incompatible
github.com/golang/protobuf v1.5.0
Expand Down Expand Up @@ -134,7 +136,7 @@ require (
github.com/yvasiyarov/go-metrics v0.0.0-20150112132944-c25f46c4b940 // indirect
github.com/yvasiyarov/gorelic v0.0.7 // indirect
github.com/yvasiyarov/newrelic_platform_go v0.0.0-20160601141957-9c099fbc30e9 // indirect
golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519
golang.org/x/mod v0.4.0
golang.org/x/net v0.0.0-20210315170653-34ac3e1c2000
golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5
Expand All @@ -143,9 +145,7 @@ require (
google.golang.org/api v0.40.0
google.golang.org/genproto v0.0.0-20210315173758-2651cd453018 // indirect
google.golang.org/grpc v1.34.0
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
gopkg.in/ldap.v2 v2.5.1
gopkg.in/natefinch/lumberjack.v2 v2.0.0
gopkg.in/yaml.v2 v2.4.0
helm.sh/helm/v3 v3.5.4
15 changes: 10 additions & 5 deletions go.sum
Expand Up @@ -87,6 +87,8 @@ github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZ
github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c h1:/IBSNwUN8+eKzUzbJPqhK839ygXJ82sde8x3ogr6R28=
github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
Expand Down Expand Up @@ -373,6 +375,9 @@ github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeME
github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
github.com/go-acme/lego v2.5.0+incompatible/go.mod h1:yzMNe9CasVUhkquNvti5nAtPmG94USbYxYrZfTkIn0M=
github.com/go-asn1-ber/asn1-ber v1.5.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
github.com/go-asn1-ber/asn1-ber v1.5.3 h1:u7utq56RUFiynqUzgVMFDymapcOtQ/MZkh3H4QYkxag=
github.com/go-asn1-ber/asn1-ber v1.5.3/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
github.com/go-bindata/go-bindata v3.1.1+incompatible/go.mod h1:xK8Dsgwmeed+BBsSy2XTopBn/8uK2HWuGSnA11C3Joo=
github.com/go-bindata/go-bindata v3.1.2+incompatible/go.mod h1:xK8Dsgwmeed+BBsSy2XTopBn/8uK2HWuGSnA11C3Joo=
github.com/go-errors/errors v1.0.1 h1:LUHzmkK3GUKUrL/1gfBUxAHzcev3apQlezX/+O7ma6w=
Expand All @@ -385,6 +390,8 @@ github.com/go-ini/ini v1.37.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3I
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-kit/kit v0.10.0/go.mod h1:xUsJbQ/Fp4kEt7AFgCuvyX4a71u8h9jB8tj/ORgOZ7o=
github.com/go-ldap/ldap/v3 v3.4.1 h1:fU/0xli6HY02ocbMuozHAYsaHLcnkLjvho2r5a34BUU=
github.com/go-ldap/ldap/v3 v3.4.1/go.mod h1:iYS1MdmrmceOJ1QOTnRXrIs7i3kloqtmGQjRvjKpyMg=
github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
Expand Down Expand Up @@ -1289,15 +1296,17 @@ golang.org/x/crypto v0.0.0-20191202143827-86a70503ff7e/go.mod h1:LzIPMQfyMNhhGPh
golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 h1:/UOmuWzQfxxo9UtlXMwuQU8CMgg1eZXqTRwkSQJWKOI=
golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 h1:7I4JAnoQBe7ZtJcBaYHi5UtiO8tQHbUSXxL+pnGRANg=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
Expand Down Expand Up @@ -1694,8 +1703,6 @@ google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/l
google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d h1:TxyelI5cVkbREznMhfzycHdkp5cLA7DpE+GKjSslYhM=
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
Expand All @@ -1716,8 +1723,6 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
gopkg.in/ini.v1 v1.57.0 h1:9unxIsFcTt4I55uWluz+UmL95q4kdJ0buvQ1ZIqVQww=
gopkg.in/ini.v1 v1.57.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
gopkg.in/ldap.v2 v2.5.1 h1:wiu0okdNfjlBzg6UWvd1Hn8Y+Ux17/u/4nlk4CQr6tU=
gopkg.in/ldap.v2 v2.5.1/go.mod h1:oI0cpe/D7HRtBQl8aTg+ZmzFUAvu4lsv3eLXMLGFxWk=
gopkg.in/mcuadros/go-syslog.v2 v2.2.1/go.mod h1:l5LPIyOOyIdQquNg+oU6Z3524YwrcqEm0aKH+5zpt2U=
gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8=
gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
78 changes: 39 additions & 39 deletions pkg/auth/providers/activedirectory/activedirectory_client.go
Expand Up @@ -8,13 +8,13 @@ import (

v32 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"

ldapv3 "github.com/go-ldap/ldap/v3"
"github.com/pkg/errors"
"github.com/rancher/norman/httperror"
"github.com/rancher/norman/types/slice"
"github.com/rancher/rancher/pkg/auth/providers/common/ldap"
v3 "github.com/rancher/rancher/pkg/generated/norman/management.cattle.io/v3"
"github.com/sirupsen/logrus"
ldapv2 "gopkg.in/ldap.v2"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

Expand Down Expand Up @@ -46,7 +46,7 @@ func (p *adProvider) loginUser(adCredential *v32.BasicLogin, config *v32.ActiveD
logrus.Debug("Binding username password")
err = lConn.Bind(externalID, password)
if err != nil {
if ldapv2.IsErrorWithCode(err, ldapv2.LDAPResultInvalidCredentials) {
if ldapv3.IsErrorWithCode(err, ldapv3.LDAPResultInvalidCredentials) {
return v3.Principal{}, nil, httperror.WrapAPIError(err, httperror.Unauthorized, "authentication failed")
}
return v3.Principal{}, nil, httperror.WrapAPIError(err, httperror.ServerError, "server error while authenticating")
Expand All @@ -56,10 +56,10 @@ func (p *adProvider) loginUser(adCredential *v32.BasicLogin, config *v32.ActiveD
if strings.Contains(username, `\`) {
samName = strings.SplitN(username, `\`, 2)[1]
}
query := fmt.Sprintf("(%v=%v)", config.UserLoginAttribute, ldapv2.EscapeFilter(samName))
query := fmt.Sprintf("(%v=%v)", config.UserLoginAttribute, ldapv3.EscapeFilter(samName))
logrus.Debugf("LDAP Search query: {%s}", query)
search := ldapv2.NewSearchRequest(config.UserSearchBase,
ldapv2.ScopeWholeSubtree, ldapv2.NeverDerefAliases, 0, 0, false,
search := ldapv3.NewSearchRequest(config.UserSearchBase,
ldapv3.ScopeWholeSubtree, ldapv3.NeverDerefAliases, 0, 0, false,
query,
ldap.GetUserSearchAttributes(MemberOfAttribute, ObjectClass, config), nil)

Expand Down Expand Up @@ -119,10 +119,10 @@ func (p *adProvider) RefetchGroupPrincipals(principalID string, secret string) (

logrus.Debugf("LDAP Refetch principals base DN : {%s}", dn)

search := ldapv2.NewSearchRequest(
search := ldapv3.NewSearchRequest(
dn,
ldapv2.ScopeBaseObject,
ldapv2.NeverDerefAliases,
ldapv3.ScopeBaseObject,
ldapv3.NeverDerefAliases,
0,
0,
false,
Expand Down Expand Up @@ -150,7 +150,7 @@ func (p *adProvider) RefetchGroupPrincipals(principalID string, secret string) (
return groupPrincipals, err
}

func (p *adProvider) getPrincipalsFromSearchResult(result *ldapv2.SearchResult, config *v32.ActiveDirectoryConfig, lConn *ldapv2.Conn) (v3.Principal, []v3.Principal, error) {
func (p *adProvider) getPrincipalsFromSearchResult(result *ldapv3.SearchResult, config *v32.ActiveDirectoryConfig, lConn *ldapv3.Conn) (v3.Principal, []v3.Principal, error) {
var groupPrincipals []v3.Principal
var userPrincipal v3.Principal

Expand Down Expand Up @@ -195,7 +195,7 @@ func (p *adProvider) getPrincipalsFromSearchResult(result *ldapv2.SearchResult,
filter := fmt.Sprintf("(%v=%v)", ObjectClass, config.GroupObjectClass)
query := "(|"
for _, attrib := range batch {
query += fmt.Sprintf("(distinguishedName=%v)", ldapv2.EscapeFilter(attrib))
query += fmt.Sprintf("(distinguishedName=%v)", ldapv3.EscapeFilter(attrib))
}
query += ")"
query = fmt.Sprintf("(&%v%v)", filter, query)
Expand Down Expand Up @@ -256,21 +256,21 @@ func (p *adProvider) getPrincipalsFromSearchResult(result *ldapv2.SearchResult,
return userPrincipal, groupPrincipals, nil
}

func (p *adProvider) getGroupPrincipalsFromSearch(searchBase string, filter string, config *v32.ActiveDirectoryConfig, lConn *ldapv2.Conn,
func (p *adProvider) getGroupPrincipalsFromSearch(searchBase string, filter string, config *v32.ActiveDirectoryConfig, lConn *ldapv3.Conn,
groupDN []string) ([]v3.Principal, error) {
var groupPrincipals []v3.Principal
var nilPrincipal []v3.Principal

search := ldapv2.NewSearchRequest(searchBase,
ldapv2.ScopeWholeSubtree, ldapv2.NeverDerefAliases, 0, 0, false,
search := ldapv3.NewSearchRequest(searchBase,
ldapv3.ScopeWholeSubtree, ldapv3.NeverDerefAliases, 0, 0, false,
filter,
ldap.GetGroupSearchAttributes(config, ObjectClass), nil)

serviceAccountUsername := ldap.GetUserExternalID(config.ServiceAccountUsername, config.DefaultLoginDomain)
err := lConn.Bind(serviceAccountUsername, config.ServiceAccountPassword)

if err != nil {
if ldapv2.IsErrorWithCode(err, ldapv2.LDAPResultInvalidCredentials) && config.Enabled {
if ldapv3.IsErrorWithCode(err, ldapv3.LDAPResultInvalidCredentials) && config.Enabled {
// If bind fails because service account password has changed, just return identities formed from groups in `memberOf`
groupList := []v3.Principal{}
for _, dn := range groupDN {
Expand Down Expand Up @@ -309,22 +309,22 @@ func (p *adProvider) getGroupPrincipalsFromSearch(searchBase string, filter stri
}

func (p *adProvider) getPrincipal(distinguishedName string, scope string, config *v32.ActiveDirectoryConfig, caPool *x509.CertPool) (*v3.Principal, error) {
var search *ldapv2.SearchRequest
var search *ldapv3.SearchRequest
var filter string
if !slice.ContainsString(scopes, scope) {
return nil, fmt.Errorf("Invalid scope")
}

var attributes []*ldapv2.AttributeTypeAndValue
var attribs []*ldapv2.EntryAttribute
object, err := ldapv2.ParseDN(distinguishedName)
var attributes []*ldapv3.AttributeTypeAndValue
var attribs []*ldapv3.EntryAttribute
object, err := ldapv3.ParseDN(distinguishedName)
if err != nil {
return nil, err
}
for _, rdns := range object.RDNs {
for _, attr := range rdns.Attributes {
attributes = append(attributes, attr)
entryAttr := ldapv2.NewEntryAttribute(attr.Type, []string{attr.Value})
entryAttr := ldapv3.NewEntryAttribute(attr.Type, []string{attr.Value})
attribs = append(attribs, entryAttr)
}
}
Expand Down Expand Up @@ -352,7 +352,7 @@ func (p *adProvider) getPrincipal(distinguishedName string, scope string, config
err = lConn.Bind(serviceAccountUsername, config.ServiceAccountPassword)

if err != nil {
if ldapv2.IsErrorWithCode(err, ldapv2.LDAPResultInvalidCredentials) && config.Enabled {
if ldapv3.IsErrorWithCode(err, ldapv3.LDAPResultInvalidCredentials) && config.Enabled {
var kind string
if strings.EqualFold(UserScope, scope) {
kind = "user"
Expand All @@ -372,20 +372,20 @@ func (p *adProvider) getPrincipal(distinguishedName string, scope string, config
}

if strings.EqualFold(UserScope, scope) {
search = ldapv2.NewSearchRequest(distinguishedName,
ldapv2.ScopeBaseObject, ldapv2.NeverDerefAliases, 0, 0, false,
search = ldapv3.NewSearchRequest(distinguishedName,
ldapv3.ScopeBaseObject, ldapv3.NeverDerefAliases, 0, 0, false,
filter,
ldap.GetUserSearchAttributes(MemberOfAttribute, ObjectClass, config), nil)
} else {
search = ldapv2.NewSearchRequest(distinguishedName,
ldapv2.ScopeBaseObject, ldapv2.NeverDerefAliases, 0, 0, false,
search = ldapv3.NewSearchRequest(distinguishedName,
ldapv3.ScopeBaseObject, ldapv3.NeverDerefAliases, 0, 0, false,
filter,
ldap.GetGroupSearchAttributes(config, MemberOfAttribute, ObjectClass), nil)
}

result, err := lConn.Search(search)
if err != nil {
if ldapErr, ok := err.(*ldapv2.Error); ok && ldapErr.ResultCode == 32 {
if ldapErr, ok := err.(*ldapv3.Error); ok && ldapErr.ResultCode == 32 {
return nil, httperror.NewAPIError(httperror.NotFound, fmt.Sprintf("%v not found", distinguishedName))
}
return nil, httperror.WrapAPIError(errors.Wrapf(err, "server returned error for search %v %v: %v", search.BaseDN, filter, err), httperror.ServerError, "Internal server error")
Expand All @@ -410,8 +410,8 @@ func (p *adProvider) getPrincipal(distinguishedName string, scope string, config
return principal, nil
}

func (p *adProvider) searchPrincipals(name, principalType string, config *v32.ActiveDirectoryConfig, lConn *ldapv2.Conn) ([]v3.Principal, error) {
name = ldapv2.EscapeFilter(name)
func (p *adProvider) searchPrincipals(name, principalType string, config *v32.ActiveDirectoryConfig, lConn *ldapv3.Conn) ([]v3.Principal, error) {
name = ldapv3.EscapeFilter(name)

var principals []v3.Principal

Expand All @@ -434,7 +434,7 @@ func (p *adProvider) searchPrincipals(name, principalType string, config *v32.Ac
return principals, nil
}

func (p *adProvider) searchUser(name string, config *v32.ActiveDirectoryConfig, lConn *ldapv2.Conn) ([]v3.Principal, error) {
func (p *adProvider) searchUser(name string, config *v32.ActiveDirectoryConfig, lConn *ldapv3.Conn) ([]v3.Principal, error) {
srchAttributes := strings.Split(config.UserSearchAttribute, "|")
query := fmt.Sprintf("(&(%v=%v)", ObjectClass, config.UserObjectClass)
srchAttrs := "(|"
Expand All @@ -447,29 +447,29 @@ func (p *adProvider) searchUser(name string, config *v32.ActiveDirectoryConfig,
return p.searchLdap(query, UserScope, config, lConn)
}

func (p *adProvider) searchGroup(name string, config *v32.ActiveDirectoryConfig, lConn *ldapv2.Conn) ([]v3.Principal, error) {
func (p *adProvider) searchGroup(name string, config *v32.ActiveDirectoryConfig, lConn *ldapv3.Conn) ([]v3.Principal, error) {
// GroupSearchFilter should be follow AD search filter syntax, enclosed by parentheses
query := "(&(" + ObjectClass + "=" + config.GroupObjectClass + ")(" + config.GroupSearchAttribute + "=" + name + "*)" + config.GroupSearchFilter + ")"
logrus.Debugf("LDAPProvider searchGroup query: %s", query)
return p.searchLdap(query, GroupScope, config, lConn)
}

func (p *adProvider) searchLdap(query string, scope string, config *v32.ActiveDirectoryConfig, lConn *ldapv2.Conn) ([]v3.Principal, error) {
func (p *adProvider) searchLdap(query string, scope string, config *v32.ActiveDirectoryConfig, lConn *ldapv3.Conn) ([]v3.Principal, error) {
var principals []v3.Principal
var search *ldapv2.SearchRequest
var search *ldapv3.SearchRequest

searchDomain := config.UserSearchBase
if strings.EqualFold(UserScope, scope) {
search = ldapv2.NewSearchRequest(searchDomain,
ldapv2.ScopeWholeSubtree, ldapv2.NeverDerefAliases, 0, 0, false,
search = ldapv3.NewSearchRequest(searchDomain,
ldapv3.ScopeWholeSubtree, ldapv3.NeverDerefAliases, 0, 0, false,
query,
ldap.GetUserSearchAttributes(MemberOfAttribute, ObjectClass, config), nil)
} else {
if config.GroupSearchBase != "" {
searchDomain = config.GroupSearchBase
}
search = ldapv2.NewSearchRequest(searchDomain,
ldapv2.ScopeWholeSubtree, ldapv2.NeverDerefAliases, 0, 0, false,
search = ldapv3.NewSearchRequest(searchDomain,
ldapv3.ScopeWholeSubtree, ldapv3.NeverDerefAliases, 0, 0, false,
query,
ldap.GetGroupSearchAttributes(config, MemberOfAttribute, ObjectClass), nil)
}
Expand All @@ -483,8 +483,8 @@ func (p *adProvider) searchLdap(query string, scope string, config *v32.ActiveDi

results, err := lConn.SearchWithPaging(search, 1000)
if err != nil {
ldapErr, ok := reflect.ValueOf(err).Interface().(*ldapv2.Error)
if ok && ldapErr.ResultCode != ldapv2.LDAPResultNoSuchObject {
ldapErr, ok := reflect.ValueOf(err).Interface().(*ldapv3.Error)
if ok && ldapErr.ResultCode != ldapv3.LDAPResultNoSuchObject {
return []v3.Principal{}, fmt.Errorf("When searching ldap, Failed to search: %s, error: %#v", query, err)
}
}
Expand All @@ -502,15 +502,15 @@ func (p *adProvider) searchLdap(query string, scope string, config *v32.ActiveDi
return principals, nil
}

func (p *adProvider) ldapConnection(config *v32.ActiveDirectoryConfig, caPool *x509.CertPool) (*ldapv2.Conn, error) {
func (p *adProvider) ldapConnection(config *v32.ActiveDirectoryConfig, caPool *x509.CertPool) (*ldapv3.Conn, error) {
servers := config.Servers
TLS := config.TLS
port := config.Port
connectionTimeout := config.ConnectionTimeout
startTLS := config.StartTLS
return ldap.NewLDAPConn(servers, TLS, startTLS, port, connectionTimeout, caPool)
}
func (p *adProvider) permissionCheck(attributes []*ldapv2.EntryAttribute, config *v32.ActiveDirectoryConfig) bool {
func (p *adProvider) permissionCheck(attributes []*ldapv3.EntryAttribute, config *v32.ActiveDirectoryConfig) bool {
userObjectClass := config.UserObjectClass
userEnabledAttribute := config.UserEnabledAttribute
userDisabledBitMask := config.UserDisabledBitMask
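Review bot: The not-found check in getPrincipal, `if ldapErr, ok := err.(*ldapv3.Error); ok && ldapErr.ResultCode == 32 {`, still compares against a bare 32 even though this line is rewritten by the migration and the same file already names that code as `ldapv3.LDAPResultNoSuchObject` in searchLdap; it could become `if ldapv3.IsErrorWithCode(err, ldapv3.LDAPResultNoSuchObject) {`, matching the bind-failure checks in loginUser and getGroupPrincipalsFromSearch. The rewritten `ldapErr, ok := reflect.ValueOf(err).Interface().(*ldapv3.Error)` in searchLdap appears equivalent to a plain `err.(*ldapv3.Error)` (err is already known non-nil there) and could drop the reflect round-trip the same way. Both getPrincipal and searchLdap start and end outside their hunks.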