diff --git a/conf/config.go b/conf/config.go index 01a6c38..cfbd2db 100644 --- a/conf/config.go +++ b/conf/config.go @@ -12,6 +12,7 @@ type Config struct { LDAPBindDN string LDAPBindPW string LDAPBaseDN string + LDAPUserBaseDN string LDAPRoleBaseDN string ClientSecret string diff --git a/docker-compose.yml b/docker-compose.yml index 5badea0..c0ac9cc 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -20,6 +20,7 @@ services: LDAP_BINDDN: cn=admin,dc=example,dc=com LDAP_BINDPW: password LDAP_BASEDN: "dc=example,dc=com" + LDAP_USER_BASEDN: "ou=users,dc=example,dc=com" LDAP_ROLE_BASEDN: "ou=AppRoles,dc=example,dc=com" networks: - oc diff --git a/infrastructure/auth_connector/ldap.go b/infrastructure/auth_connector/ldap.go index 133952b..96eef99 100644 --- a/infrastructure/auth_connector/ldap.go +++ b/infrastructure/auth_connector/ldap.go @@ -49,6 +49,7 @@ type Config struct { BindPass string `envconfig:"bindpw" json:"-" desc:"a LDAP bind password"` BaseDN string `envconfig:"basedn" required:"true" desc:"a LDAP base DN for searching users"` AttrClaims map[string]string `envconfig:"attr_claims" default:"name:name,sn:family_name,givenName:given_name,mail:email" desc:"a mapping of LDAP attributes to OpenID connect claims"` + UserBaseDN string `envconfig:"user_basedn" required:"true" desc:"a LDAP base DN for searching users"` RoleBaseDN string `envconfig:"role_basedn" required:"true" desc:"a LDAP base DN for searching roles"` RoleAttr string `envconfig:"role_attr" default:"description" desc:"a LDAP group's attribute that contains a role's name"` RoleClaim string `envconfig:"role_claim" default:"https://github.com/i-core/werther/claims/roles" desc:"a name of an OpenID Connect claim that contains user roles"` @@ -66,6 +67,7 @@ func New() *Client { BindPass: conf.GetConfig().LDAPBindPW, BaseDN: conf.GetConfig().LDAPBaseDN, RoleBaseDN: conf.GetConfig().LDAPRoleBaseDN, + UserBaseDN: conf.GetConfig().LDAPUserBaseDN, } return &Client{ Config: cnf, @@ -299,6 +301,7 @@ func (cli *Client) connect(ctx context.Context) <-chan conn { } func (cli *Client) findRoles(cn conn, attrs ...string) (map[string]LDAPRoles, error) { + fmt.Println("cli", cli.BindDN, cli.BindPass) if cli.BindDN != "" { // We need to login to a LDAP server with a service account for retrieving user data. if err := cn.Bind(cli.BindDN, cli.BindPass); err != nil { @@ -402,6 +405,7 @@ func (cli *Client) findBasicUserDetails(cn conn, username string, attrs []string type ldapConnector struct { BaseDN string RoleBaseDN string + UserBaseDN string IsTLS bool } @@ -423,12 +427,13 @@ func (c *ldapConnector) Connect(ctx context.Context, addr string) (conn, error) ldapcn := ldap.NewConn(tcpcn, c.IsTLS) ldapcn.Start() - return &ldapConn{Conn: ldapcn, BaseDN: c.BaseDN, RoleBaseDN: c.RoleBaseDN}, nil + return &ldapConn{Conn: ldapcn, BaseDN: c.BaseDN, UserBaseDN: c.UserBaseDN, RoleBaseDN: c.RoleBaseDN}, nil } type ldapConn struct { *ldap.Conn BaseDN string + UserBaseDN string RoleBaseDN string } @@ -444,7 +449,7 @@ func (c *ldapConn) SearchUser(user string, attrs ...string) ([]map[string][]stri query := fmt.Sprintf( "(&(|(objectClass=organizationalPerson)(objectClass=inetOrgPerson))"+ "(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))", user) - return c.searchEntries(c.BaseDN, query, attrs) + return c.searchEntries(c.RoleBaseDN, query, attrs) } func (c *ldapConn) SearchUserRoles(user string, attrs ...string) ([]map[string][]string, error) { diff --git a/main.go b/main.go index 99a51ad..734d200 100644 --- a/main.go +++ b/main.go @@ -58,6 +58,7 @@ func main() { conf.GetConfig().LDAPBindDN = o.GetStringDefault("LDAP_BINDDN", "cn=admin,dc=example,dc=com") conf.GetConfig().LDAPBindPW = o.GetStringDefault("LDAP_BINDPW", "password") conf.GetConfig().LDAPBaseDN = o.GetStringDefault("LDAP_BASEDN", "dc=example,dc=com") + conf.GetConfig().LDAPUserBaseDN = o.GetStringDefault("LDAP_USER_BASEDN", "ou=users,dc=example,dc=com") conf.GetConfig().LDAPRoleBaseDN = o.GetStringDefault("LDAP_ROLE_BASEDN", "ou=AppRoles,dc=example,dc=com") go generateSelfPeer() go generateRole()