test

conf/config.go

@@ -12,6 +12,7 @@ type Config struct {
 	LDAPBindDN     string
 	LDAPBindPW     string
 	LDAPBaseDN     string
+	LDAPUserBaseDN string
 	LDAPRoleBaseDN string
 
 	ClientSecret                string

docker-compose.yml

@@ -20,6 +20,7 @@ services:
           LDAP_BINDDN: cn=admin,dc=example,dc=com
           LDAP_BINDPW: password
           LDAP_BASEDN: "dc=example,dc=com"
+          LDAP_USER_BASEDN: "ou=users,dc=example,dc=com"
           LDAP_ROLE_BASEDN: "ou=AppRoles,dc=example,dc=com"
     networks: 
       - oc

infrastructure/auth_connector/ldap.go

@@ -49,6 +49,7 @@ type Config struct {
 	BindPass       string            `envconfig:"bindpw" json:"-" desc:"a LDAP bind password"`
 	BaseDN         string            `envconfig:"basedn" required:"true" desc:"a LDAP base DN for searching users"`
 	AttrClaims     map[string]string `envconfig:"attr_claims" default:"name:name,sn:family_name,givenName:given_name,mail:email" desc:"a mapping of LDAP attributes to OpenID connect claims"`
+	UserBaseDN     string            `envconfig:"user_basedn" required:"true" desc:"a LDAP base DN for searching users"`
 	RoleBaseDN     string            `envconfig:"role_basedn" required:"true" desc:"a LDAP base DN for searching roles"`
 	RoleAttr       string            `envconfig:"role_attr" default:"description" desc:"a LDAP group's attribute that contains a role's name"`
 	RoleClaim      string            `envconfig:"role_claim" default:"https://github.com/i-core/werther/claims/roles" desc:"a name of an OpenID Connect claim that contains user roles"`
@@ -66,6 +67,7 @@ func New() *Client {
 		BindPass:   conf.GetConfig().LDAPBindPW,
 		BaseDN:     conf.GetConfig().LDAPBaseDN,
 		RoleBaseDN: conf.GetConfig().LDAPRoleBaseDN,
+		UserBaseDN: conf.GetConfig().LDAPUserBaseDN,
 	}
 	return &Client{
 		Config:    cnf,
@@ -299,6 +301,7 @@ func (cli *Client) connect(ctx context.Context) <-chan conn {
 }
 
 func (cli *Client) findRoles(cn conn, attrs ...string) (map[string]LDAPRoles, error) {
+	fmt.Println("cli", cli.BindDN, cli.BindPass)
 	if cli.BindDN != "" {
 		// We need to login to a LDAP server with a service account for retrieving user data.
 		if err := cn.Bind(cli.BindDN, cli.BindPass); err != nil {
@@ -402,6 +405,7 @@ func (cli *Client) findBasicUserDetails(cn conn, username string, attrs []string
 type ldapConnector struct {
 	BaseDN     string
 	RoleBaseDN string
+	UserBaseDN string
 	IsTLS      bool
 }
 
@@ -423,12 +427,13 @@ func (c *ldapConnector) Connect(ctx context.Context, addr string) (conn, error)
 	ldapcn := ldap.NewConn(tcpcn, c.IsTLS)
 
 	ldapcn.Start()
-	return &ldapConn{Conn: ldapcn, BaseDN: c.BaseDN, RoleBaseDN: c.RoleBaseDN}, nil
+	return &ldapConn{Conn: ldapcn, BaseDN: c.BaseDN, UserBaseDN: c.UserBaseDN, RoleBaseDN: c.RoleBaseDN}, nil
 }
 
 type ldapConn struct {
 	*ldap.Conn
 	BaseDN     string
+	UserBaseDN string
 	RoleBaseDN string
 }
 
@@ -444,7 +449,7 @@ func (c *ldapConn) SearchUser(user string, attrs ...string) ([]map[string][]stri
 	query := fmt.Sprintf(
 		"(&(|(objectClass=organizationalPerson)(objectClass=inetOrgPerson))"+
 			"(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))", user)
-	return c.searchEntries(c.BaseDN, query, attrs)
+	return c.searchEntries(c.RoleBaseDN, query, attrs)
 }
 
 func (c *ldapConn) SearchUserRoles(user string, attrs ...string) ([]map[string][]string, error) {

main.go

@@ -58,6 +58,7 @@ func main() {
 	conf.GetConfig().LDAPBindDN = o.GetStringDefault("LDAP_BINDDN", "cn=admin,dc=example,dc=com")
 	conf.GetConfig().LDAPBindPW = o.GetStringDefault("LDAP_BINDPW", "password")
 	conf.GetConfig().LDAPBaseDN = o.GetStringDefault("LDAP_BASEDN", "dc=example,dc=com")
+	conf.GetConfig().LDAPUserBaseDN = o.GetStringDefault("LDAP_USER_BASEDN", "ou=users,dc=example,dc=com")
 	conf.GetConfig().LDAPRoleBaseDN = o.GetStringDefault("LDAP_ROLE_BASEDN", "ou=AppRoles,dc=example,dc=com")
 	go generateSelfPeer()
 	go generateRole()