Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding

2024-10-28 14:58:11 +01:00
parent 05c4aab72a
commit 7198c40d30
37 changed files with 4181 additions and 610 deletions
--- a/infrastructure/auth_connector/auth_connector.go
+++ b/infrastructure/auth_connector/auth_connector.go
@@ -0,0 +1,28 @@
+package auth_connectors
+
+import (
+	"net/http"
+
+	"cloud.o-forge.io/core/oc-lib/tools"
+)
+
+type AuthConnector interface {
+	Status() tools.State
+	Login(username string, cookies ...*http.Cookie) (*Token, error)
+	Logout(token string, cookies ...*http.Cookie) (*Token, error)
+	Introspect(token string, cookie ...*http.Cookie) (bool, error)
+	Refresh(token *Token) (*Token, error)
+}
+
+type Token struct {
+	Active      bool   `json:"active"`
+	AccessToken string `json:"access_token"`
+	ExpiresIn   int    `json:"expires_in"`
+	Challenge   string `json:"challenge"`
+	Username    string `json:"username,omitempty"`
+	Password    string `json:"password,omitempty"`
+}
+
+type Redirect struct {
+	RedirectTo string `json:"redirect_to"`
+}
--- a/infrastructure/auth_connector/hydra_connector.go
+++ b/infrastructure/auth_connector/hydra_connector.go
@@ -0,0 +1,240 @@
+package auth_connectors
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"oc-auth/conf"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"cloud.o-forge.io/core/oc-lib/tools"
+)
+
+type HydraConnector struct {
+	State        string `json:"state"`
+	Scopes       string `json:"scope"`
+	ClientID     string `json:"client_id"`
+	ResponseType string `json:"response_type"`
+
+	Caller *tools.HTTPCaller
+}
+
+func (a HydraConnector) Status() tools.State {
+	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
+	var responseBody map[string]interface{}
+	host := conf.GetConfig().AuthConnectorHost
+	port := fmt.Sprintf("%v", conf.GetConfig().AuthConnectorPort)
+	resp, err := caller.CallGet("http://"+host+":"+port, "/health/ready")
+	if err != nil {
+		return tools.DEAD
+	}
+	err = json.Unmarshal(resp, &responseBody)
+	if err != nil || responseBody["status"] != "ok" {
+		return tools.DEAD
+	}
+	return tools.ALIVE
+}
+
+// urlFormat formats the URL of the peer with the data type API function
+func (a *HydraConnector) urlFormat(url string, replaceWith string) string {
+	// localhost is replaced by the local peer URL
+	// because localhost must collide on a web request security protocol
+	r := regexp.MustCompile("(http://[a-z]+:[0-9]+)/oauth2")
+	t := r.FindString(url)
+	if t != "" {
+		url = strings.Replace(url, t, replaceWith, -1)
+	}
+	return url
+}
+
+func (a HydraConnector) challenge(username string, url string, challenge string, cookies ...*http.Cookie) (*Redirect, string, []*http.Cookie, error) {
+	body := map[string]interface{}{
+		"remember_for": 0,
+		"remember":     true,
+	}
+	if challenge != "consent" {
+		body["subject"] = username
+	}
+	s := strings.Split(url, challenge+"_challenge=")
+	resp, err := a.Caller.CallRaw(http.MethodPut,
+		a.getPath(true, true), "/auth/requests/"+challenge+"/accept?"+challenge+"_challenge="+s[1],
+		body, "application/json", true, cookies...) // "remember": true, "subject": username
+	if err != nil {
+		return nil, s[1], cookies, err
+	}
+	defer resp.Body.Close()
+	b, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, s[1], cookies, err
+	}
+	var token Redirect
+	err = json.Unmarshal(b, &token)
+	if err != nil {
+		return nil, s[1], cookies, err
+	}
+	return &token, s[1], cookies, nil
+}
+
+func (a HydraConnector) Refresh(token *Token) (*Token, error) {
+	isValid, err := a.Introspect(token.AccessToken)
+	if err != nil || !isValid {
+		return nil, err
+	}
+	return a.Login(token.Username)
+}
+
+func (a HydraConnector) tryLog(username string, url string, subpath string, challenge string, cookies ...*http.Cookie) (*Redirect, string, []*http.Cookie, error) {
+	resp, err := a.Caller.CallRaw(http.MethodGet, url, subpath,
+		map[string]interface{}{}, "application/json", true, cookies...)
+	if err != nil || resp.Request.Response == nil || resp.Request.Response.Header["Set-Cookie"] == nil {
+		return nil, "", cookies, err
+	}
+	cc := resp.Request.Response.Header["Set-Cookie"] // retrieve oauth2 csrf token cookie
+	if len(cc) > 0 {
+		for _, c := range cc {
+			first := strings.Split(c, ";")
+			cookies = append(cookies, &http.Cookie{
+				Name:  strings.Split(first[0], "=")[0],
+				Value: strings.ReplaceAll(first[0], strings.Split(first[0], "=")[0]+"=", ""),
+			})
+		}
+	}
+	return a.challenge(username, resp.Request.URL.String(), challenge, cookies...)
+}
+
+func (a HydraConnector) extractTokenFromFragment(fragment string) *Token {
+	splittedFragment := strings.Split(fragment, "#")
+	f := splittedFragment[0]
+	if len(splittedFragment) > 1 {
+		f = splittedFragment[1]
+	}
+	token := &Token{}
+	frags := strings.Split(f, "&")
+	for _, f := range frags {
+		splittedFrag := strings.Split(f, "=")
+		if len(splittedFrag) > 1 {
+			if splittedFrag[0] == "access_token" {
+				token.AccessToken = strings.ReplaceAll(splittedFrag[1], "ory_at_", "")
+			}
+			if splittedFrag[0] == "expires_in" {
+				i, err := strconv.Atoi(splittedFrag[1])
+				if err != nil {
+					return nil
+				}
+				token.ExpiresIn = i
+			}
+		}
+	}
+	return token
+}
+
+func (a HydraConnector) getClient() string {
+	resp, err := a.Caller.CallGet(a.getPath(true, false), "/clients")
+	if err != nil {
+		return ""
+	}
+	var clients []interface{}
+	err = json.Unmarshal(resp, &clients)
+	if err != nil || len(clients) == 0 {
+		return ""
+	}
+	return clients[0].(map[string]interface{})["client_id"].(string)
+}
+
+func (a HydraConnector) Login(username string, cookies ...*http.Cookie) (t *Token, err error) {
+	clientID := a.getClient()
+	redirect, challenge, cookies, err := a.tryLog(username, a.getPath(false, true),
+		"/auth?client_id="+clientID+"&response_type="+strings.ReplaceAll(a.ResponseType, " ", "%20")+"&scope="+strings.ReplaceAll(a.Scopes, " ", "%20")+"&state="+a.State,
+		"login", cookies...)
+	if err != nil || redirect == nil {
+		return nil, err
+	}
+	redirect, challenge, cookies, err = a.tryLog(username, a.urlFormat(redirect.RedirectTo, a.getPath(false, true)), "", "consent", cookies...)
+	if err != nil || redirect == nil {
+		return nil, err
+	}
+	// problem with consent THERE we need to accept the consent challenge && get the token
+	url := ""
+	resp, err := a.Caller.CallRaw(http.MethodGet, a.urlFormat(redirect.RedirectTo, a.getPath(false, true)), "", map[string]interface{}{},
+		"application/json", true, cookies...)
+	if err != nil {
+		s := strings.Split(err.Error(), "\"")
+		if len(s) > 1 && strings.Contains(s[1], "access_token") {
+			url = s[1]
+			err = nil
+		} else {
+			return nil, err
+		}
+	} else {
+		url = resp.Request.Response.Request.URL.Fragment
+	}
+	token := a.extractTokenFromFragment(url)
+	fmt.Println(url, token)
+	if token == nil || token.AccessToken == "" {
+		return nil, errors.New("no token found")
+	}
+	token.Challenge = challenge
+	token.Active = true
+	token.Username = username
+	fmt.Println(token)
+	return token, nil
+}
+
+func (a HydraConnector) Logout(token string, cookies ...*http.Cookie) (*Token, error) {
+	p := a.getPath(false, true) + "/revoke"
+	urls := url.Values{}
+	urls.Add("token", token)
+	urls.Add("client_id", a.getClient())
+	urls.Add("client_secret", conf.GetConfig().ClientSecret)
+	_, err := a.Caller.CallForm(http.MethodPost, p, "", urls, "application/x-www-form-urlencoded", true)
+	if err != nil {
+		return nil, err
+	}
+	return &Token{
+		AccessToken: token,
+		Active:      false,
+	}, nil
+}
+func (a HydraConnector) Introspect(token string, cookie ...*http.Cookie) (bool, error) {
+	// check validity of the token by calling introspect endpoint
+	// if token is not active, we need to re-authenticate by sending the user to the login page
+	urls := url.Values{}
+	urls.Add("token", token)
+	resp, err := a.Caller.CallForm(http.MethodPost, a.getPath(true, true), "/introspect", urls,
+		"application/x-www-form-urlencoded", true, cookie...)
+	if err != nil || resp.StatusCode >= 300 {
+		return false, err
+	}
+	defer resp.Body.Close()
+	b, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return false, err
+	}
+	var introspect Token
+	err = json.Unmarshal(b, &introspect)
+	if err != nil {
+		return false, err
+	}
+	introspect.AccessToken = token
+	return introspect.Active, nil
+}
+
+func (a HydraConnector) getPath(isAdmin bool, isOauth bool) string {
+	host := conf.GetConfig().AuthConnectorHost
+	port := fmt.Sprintf("%v", conf.GetConfig().AuthConnectorPort)
+	if isAdmin {
+		port = fmt.Sprintf("%v", conf.GetConfig().AuthConnectorAdminPort) + "/admin"
+	}
+	oauth := ""
+	if isOauth {
+		oauth = "/oauth2"
+	}
+	fmt.Println("http://" + host + ":" + port + oauth)
+	return "http://" + host + ":" + port + oauth
+
+}
--- a/infrastructure/auth_connector/ldap.go
+++ b/infrastructure/auth_connector/ldap.go
@@ -0,0 +1,386 @@
+package auth_connectors
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net"
+	"oc-auth/conf"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/coocood/freecache"
+	"github.com/go-ldap/ldap/v3"
+	"github.com/i-core/rlog"
+	"go.uber.org/zap"
+)
+
+var (
+	// errInvalidCredentials is an error that happens when a user's password is invalid.
+	errInvalidCredentials = fmt.Errorf("invalid credentials")
+	// errConnectionTimeout is an error that happens when no one LDAP endpoint responds.
+	errConnectionTimeout = fmt.Errorf("connection timeout")
+	// errMissedUsername is an error that happens
+	errMissedUsername = errors.New("username is missed")
+	// errUnknownUsername is an error that happens
+	errUnknownUsername = errors.New("unknown username")
+)
+
+type conn interface {
+	Bind(bindDN, password string) error
+	SearchUser(user string, attrs ...string) ([]map[string]interface{}, error)
+	SearchUserRoles(user string, attrs ...string) ([]map[string]interface{}, error)
+	Close() error
+}
+
+type connector interface {
+	Connect(ctx context.Context, addr string) (conn, error)
+}
+
+// Config is a LDAP configuration.
+type Config struct {
+	Endpoints      []string          `envconfig:"endpoints" required:"true" desc:"a LDAP's server URLs as \"<address>:<port>\""`
+	BindDN         string            `envconfig:"binddn" desc:"a LDAP bind DN"`
+	BindPass       string            `envconfig:"bindpw" json:"-" desc:"a LDAP bind password"`
+	BaseDN         string            `envconfig:"basedn" required:"true" desc:"a LDAP base DN for searching users"`
+	AttrClaims     map[string]string `envconfig:"attr_claims" default:"name:name,sn:family_name,givenName:given_name,mail:email" desc:"a mapping of LDAP attributes to OpenID connect claims"`
+	RoleBaseDN     string            `envconfig:"role_basedn" required:"true" desc:"a LDAP base DN for searching roles"`
+	RoleAttr       string            `envconfig:"role_attr" default:"description" desc:"a LDAP group's attribute that contains a role's name"`
+	RoleClaim      string            `envconfig:"role_claim" default:"https://github.com/i-core/werther/claims/roles" desc:"a name of an OpenID Connect claim that contains user roles"`
+	CacheSize      int               `envconfig:"cache_size" default:"512" desc:"a user info cache's size in KiB"`
+	CacheTTL       time.Duration     `envconfig:"cache_ttl" default:"30m" desc:"a user info cache TTL"`
+	IsTLS          bool              `envconfig:"is_tls" default:"false" desc:"should LDAP connection be established via TLS"`
+	FlatRoleClaims bool              `envconfig:"flat_role_claims" desc:"add roles claim as single list"`
+}
+
+// New creates a new LDAP client.
+func New() *Client {
+	cnf := Config{
+		Endpoints:  strings.Split(conf.GetConfig().LDAPEndpoints, ","),
+		BindDN:     conf.GetConfig().LDAPBindDN,
+		BindPass:   conf.GetConfig().LDAPBindPW,
+		BaseDN:     conf.GetConfig().LDAPBaseDN,
+		RoleBaseDN: conf.GetConfig().LDAPRoleBaseDN,
+	}
+	return &Client{
+		Config:    cnf,
+		connector: &ldapConnector{BaseDN: cnf.BaseDN, RoleBaseDN: cnf.RoleBaseDN, IsTLS: cnf.IsTLS},
+		cache:     freecache.NewCache(cnf.CacheSize * 1024),
+	}
+}
+
+type Client struct {
+	Config
+	connector connector
+	cache     *freecache.Cache
+}
+
+func (cli *Client) Authenticate(ctx context.Context, username, password string) (bool, error) {
+	if username == "" || password == "" {
+		return false, nil
+	}
+
+	var cancel context.CancelFunc
+	ctx, cancel = context.WithCancel(ctx)
+
+	cn, ok := <-cli.connect(ctx)
+	cancel()
+	if !ok {
+		return false, errConnectionTimeout
+	}
+	defer cn.Close()
+
+	// Find a user DN by his or her username.
+	details, err := cli.findBasicUserDetails(cn, username, []string{"dn"})
+	if err != nil {
+		return false, err
+	}
+	if details == nil {
+		return false, nil
+	}
+
+	if err := cn.Bind(details["dn"].(string), password); err != nil {
+		if err == errInvalidCredentials {
+			return false, nil
+		}
+		return false, err
+	}
+
+	// Clear the claims' cache because of possible re-authentication. We don't want stale claims after re-login.
+	if ok := cli.cache.Del([]byte(username)); ok {
+		log := rlog.FromContext(ctx)
+		log.Debug("Cleared user's OIDC claims in the cache")
+	}
+
+	return true, nil
+}
+
+// Claim is the FindOIDCClaims result struct
+type LDAPClaim struct {
+	Code  string      // the root claim name
+	Name  string      // the claim name
+	Value interface{} // the value
+}
+
+// FindOIDCClaims finds all OIDC claims for a user.
+func (cli *Client) FindOIDCClaims(ctx context.Context, username string) ([]LDAPClaim, error) {
+	if username == "" {
+		return nil, errMissedUsername
+	}
+
+	log := rlog.FromContext(ctx).Sugar()
+
+	// Retrieving from LDAP is slow. So, we try to get claims for the given username from the cache.
+	switch cdata, err := cli.cache.Get([]byte(username)); err {
+	case nil:
+		var claims []LDAPClaim
+		if err = json.Unmarshal(cdata, &claims); err != nil {
+			log.Info("Failed to unmarshal user's OIDC claims", zap.Error(err), "data", cdata)
+			return nil, err
+		}
+		log.Debugw("Retrieved user's OIDC claims from the cache", "claims", claims)
+		return claims, nil
+	case freecache.ErrNotFound:
+		log.Debug("User's OIDC claims is not found in the cache")
+	default:
+		log.Infow("Failed to retrieve user's OIDC claims from the cache", zap.Error(err))
+	}
+
+	// Try to make multiple TCP connections to the LDAP server for getting claims.
+	// Accept the first one, and cancel others.
+	var cancel context.CancelFunc
+	ctx, cancel = context.WithCancel(ctx)
+
+	cn, ok := <-cli.connect(ctx)
+	cancel()
+	if !ok {
+		return nil, errConnectionTimeout
+	}
+	defer cn.Close()
+
+	// We need to find LDAP attribute's names for all required claims.
+	attrs := []string{"dn"}
+	for k := range cli.AttrClaims {
+		attrs = append(attrs, k)
+	}
+	// Find the attributes in the LDAP server.
+	details, err := cli.findBasicUserDetails(cn, username, attrs)
+	if err != nil {
+		return nil, err
+	}
+	if details == nil {
+		return nil, errUnknownUsername
+	}
+	log.Infow("Retrieved user's info from LDAP", "details", details)
+
+	// Transform the retrieved attributes to corresponding claims.
+	claims := make([]LDAPClaim, 0, len(details))
+	for attr, v := range details {
+		if claim, ok := cli.AttrClaims[attr]; ok {
+			claims = append(claims, LDAPClaim{claim, claim, v})
+		}
+	}
+
+	// User's roles is stored in LDAP as groups. We find all groups in a role's DN
+	// that include the user as a member.
+	entries, err := cn.SearchUserRoles(fmt.Sprintf("%s", details["dn"]), "dn", cli.RoleAttr)
+	if err != nil {
+		return nil, err
+	}
+
+	roles := make(map[string]interface{})
+	for _, entry := range entries {
+		roleDN, ok := entry["dn"].(string)
+		if !ok || roleDN == "" {
+			log.Infow("No required LDAP attribute for a role", "ldapAttribute", "dn", "entry", entry)
+			continue
+		}
+		if entry[cli.RoleAttr] == nil {
+			log.Infow("No required LDAP attribute for a role", "ldapAttribute", cli.RoleAttr, "roleDN", roleDN)
+			continue
+		}
+
+		// Ensure that a role's DN is inside of the role's base DN.
+		// It's sufficient to compare the DN's suffix with the base DN.
+		n, k := len(roleDN), len(cli.RoleBaseDN)
+		if n < k || !strings.EqualFold(roleDN[n-k:], cli.RoleBaseDN) {
+			panic("You should never see that")
+		}
+		// The DN without the role's base DN must contain a CN and OU
+		// where the CN is for uniqueness only, and the OU is an application id.
+		path := strings.Split(roleDN[:n-k-1], ",")
+		if len(path) != 2 {
+			log.Infow("A role's DN without the role's base DN must contain two nodes only",
+				"roleBaseDN", cli.RoleBaseDN, "roleDN", roleDN)
+			continue
+		}
+		appID := path[1][len("OU="):]
+
+		var appRoles []interface{}
+		if v := roles[appID]; v != nil {
+			appRoles = v.([]interface{})
+		}
+		appRoles = append(appRoles, entry[cli.RoleAttr])
+		roles[appID] = appRoles
+	}
+
+	claims = append(claims, LDAPClaim{cli.RoleClaim, cli.RoleClaim, roles})
+
+	if cli.FlatRoleClaims {
+		for appID, appRoles := range roles {
+			claims = append(claims, LDAPClaim{cli.RoleClaim, cli.RoleClaim + "/" + appID, appRoles})
+		}
+	}
+
+	// Save the claims in the cache for future queries.
+	cdata, err := json.Marshal(claims)
+	if err != nil {
+		log.Infow("Failed to marshal user's OIDC claims for caching", zap.Error(err), "claims", claims)
+	}
+	if err = cli.cache.Set([]byte(username), cdata, int(cli.CacheTTL.Seconds())); err != nil {
+		log.Infow("Failed to store user's OIDC claims into the cache", zap.Error(err), "claims", claims)
+	}
+
+	return claims, nil
+}
+
+func (cli *Client) connect(ctx context.Context) <-chan conn {
+	var (
+		wg sync.WaitGroup
+		ch = make(chan conn)
+	)
+	wg.Add(len(cli.Endpoints))
+	for _, addr := range cli.Endpoints {
+		fmt.Println("addr", addr)
+		go func(addr string) {
+			defer wg.Done()
+
+			cn, err := cli.connector.Connect(ctx, addr)
+			if err != nil {
+				fmt.Println("Failed to create a LDAP connection", "address", addr)
+				return
+			}
+			select {
+			case <-ctx.Done():
+				cn.Close()
+				fmt.Println("a LDAP connection is cancelled", "address", addr)
+				return
+			case ch <- cn:
+			}
+		}(addr)
+	}
+	go func() {
+		wg.Wait()
+		close(ch)
+	}()
+	return ch
+}
+
+// findBasicUserDetails finds user's LDAP attributes that were specified. It returns nil if no such user.
+func (cli *Client) findBasicUserDetails(cn conn, username string, attrs []string) (map[string]interface{}, error) {
+	if cli.BindDN != "" {
+		// We need to login to a LDAP server with a service account for retrieving user data.
+		if err := cn.Bind(cli.BindDN, cli.BindPass); err != nil {
+			return nil, errors.New(err.Error() + " : failed to login to a LDAP woth a service account")
+		}
+	}
+
+	entries, err := cn.SearchUser(username, attrs...)
+	if err != nil {
+		return nil, err
+	}
+	if len(entries) != 1 {
+		// We didn't find the user.
+		return nil, nil
+	}
+
+	var (
+		entry   = entries[0]
+		details = make(map[string]interface{})
+	)
+	for _, attr := range attrs {
+		if v, ok := entry[attr]; ok {
+			details[attr] = v
+		}
+	}
+	return details, nil
+}
+
+type ldapConnector struct {
+	BaseDN     string
+	RoleBaseDN string
+	IsTLS      bool
+}
+
+func (c *ldapConnector) Connect(ctx context.Context, addr string) (conn, error) {
+	d := net.Dialer{Timeout: ldap.DefaultTimeout}
+	tcpcn, err := d.DialContext(ctx, "tcp", addr)
+	if err != nil {
+		return nil, err
+	}
+
+	if c.IsTLS {
+		tlscn, err := tls.DialWithDialer(&d, "tcp", addr, nil)
+		if err != nil {
+			return nil, err
+		}
+		tcpcn = tlscn
+	}
+
+	ldapcn := ldap.NewConn(tcpcn, c.IsTLS)
+
+	ldapcn.Start()
+	return &ldapConn{Conn: ldapcn, BaseDN: c.BaseDN, RoleBaseDN: c.RoleBaseDN}, nil
+}
+
+type ldapConn struct {
+	*ldap.Conn
+	BaseDN     string
+	RoleBaseDN string
+}
+
+func (c *ldapConn) Bind(bindDN, password string) error {
+	err := c.Conn.Bind(bindDN, password)
+	if ldapErr, ok := err.(*ldap.Error); ok && ldapErr.ResultCode == ldap.LDAPResultInvalidCredentials {
+		return errInvalidCredentials
+	}
+	return err
+}
+
+func (c *ldapConn) SearchUser(user string, attrs ...string) ([]map[string]interface{}, error) {
+	query := fmt.Sprintf(
+		"(&(|(objectClass=organizationalPerson)(objectClass=inetOrgPerson))"+
+			"(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))", user)
+	return c.searchEntries(c.BaseDN, query, attrs)
+}
+
+func (c *ldapConn) SearchUserRoles(user string, attrs ...string) ([]map[string]interface{}, error) {
+	query := fmt.Sprintf("(|"+
+		"(&(|(objectClass=group)(objectClass=groupOfNames))(member=%[1]s))"+
+		"(&(objectClass=groupOfUniqueNames)(uniqueMember=%[1]s))"+
+		")", user)
+	return c.searchEntries(c.RoleBaseDN, query, attrs)
+}
+
+// searchEntries executes a LDAP query, and returns a result as entries where each entry is mapping of LDAP attributes.
+func (c *ldapConn) searchEntries(baseDN, query string, attrs []string) ([]map[string]interface{}, error) {
+	req := ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, query, attrs, nil)
+	res, err := c.Search(req)
+	if err != nil {
+		return nil, err
+	}
+
+	var entries []map[string]interface{}
+	for _, v := range res.Entries {
+		entry := map[string]interface{}{"dn": v.DN}
+		for _, attr := range v.Attributes {
+			// We need the first value only for the named attribute.
+			entry[attr.Name] = attr.Values[0]
+		}
+		entries = append(entries, entry)
+	}
+	return entries, nil
+}