package ldaputil

import "github.com/hashicorp/vault/sdk/helper/ldaputil"

Index ¶

• func ConfigFields() map[string]*framework.FieldSchema
• func EscapeLDAPValue(input string) string
• type Client
• func (c *Client) DialLDAP(cfg *ConfigEntry) (Connection, error)
• func (c *Client) GetLdapGroups(cfg *ConfigEntry, conn Connection, userDN string, username string) ([]string, error)
• func (c *Client) GetUserBindDN(cfg *ConfigEntry, conn Connection, username string) (string, error)
• func (c *Client) GetUserDN(cfg *ConfigEntry, conn Connection, bindDN string) (string, error)
• type ConfigEntry
• func NewConfigEntry(existing *ConfigEntry, d *framework.FieldData) (*ConfigEntry, error)
• func (c *ConfigEntry) Map() map[string]interface{}
• func (c *ConfigEntry) PasswordlessMap() map[string]interface{}
• func (c *ConfigEntry) Validate() error
• type Connection
• type LDAP
• func NewLDAP() LDAP

Package Files ¶

client.go config.go connection.go ldap.go

func ConfigFields ¶ Uses

func ConfigFields() map[string]*framework.FieldSchema

ConfigFields returns all the config fields that can potentially be used by the LDAP client. Not all fields will be used by every integration.

func EscapeLDAPValue ¶ Uses

func EscapeLDAPValue(input string) string

EscapeLDAPValue is exported because a plugin uses it outside this package.

type Client ¶ Uses

type Client struct {
    Logger hclog.Logger
    LDAP   LDAP
}

func (*Client) DialLDAP ¶ Uses

func (c *Client) DialLDAP(cfg *ConfigEntry) (Connection, error)

func (*Client) GetLdapGroups ¶ Uses

func (c *Client) GetLdapGroups(cfg *ConfigEntry, conn Connection, userDN string, username string) ([]string, error)

* getLdapGroups queries LDAP and returns a slice describing the set of groups the authenticated user is a member of. * * If cfg.UseTokenGroups is true then the search is performed directly on the userDN. * The values of those attributes are converted to string SIDs, and then looked up to get ldap.Entry objects. * Otherwise, the search query is constructed according to cfg.GroupFilter, and run in context of cfg.GroupDN. * Groups will be resolved from the query results by following the attribute defined in cfg.GroupAttr. * * cfg.GroupFilter is a go template and is compiled with the following context: [UserDN, Username] * UserDN - The DN of the authenticated user * Username - The Username of the authenticated user * * Example: * cfg.GroupFilter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" * cfg.GroupDN = "OU=Groups,DC=myorg,DC=com" * cfg.GroupAttr = "cn" * * NOTE - If cfg.GroupFilter is empty, no query is performed and an empty result slice is returned. *

func (*Client) GetUserBindDN ¶ Uses

func (c *Client) GetUserBindDN(cfg *ConfigEntry, conn Connection, username string) (string, error)

* Discover and return the bind string for the user attempting to authenticate. * This is handled in one of several ways: * * 1. If DiscoverDN is set, the user object will be searched for using userdn (base search path) * and userattr (the attribute that maps to the provided username). * The bind will either be anonymous or use binddn and bindpassword if they were provided. * 2. If upndomain is set, the user dn is constructed as 'username@upndomain'. See https://msdn.microsoft.com/en-us/library/cc223499.aspx *

func (*Client) GetUserDN ¶ Uses

func (c *Client) GetUserDN(cfg *ConfigEntry, conn Connection, bindDN string) (string, error)

* Returns the DN of the object representing the authenticated user.

type ConfigEntry ¶ Uses

type ConfigEntry struct {
    Url            string `json:"url"`
    UserDN         string `json:"userdn"`
    GroupDN        string `json:"groupdn"`
    GroupFilter    string `json:"groupfilter"`
    GroupAttr      string `json:"groupattr"`
    UPNDomain      string `json:"upndomain"`
    UserAttr       string `json:"userattr"`
    Certificate    string `json:"certificate"`
    InsecureTLS    bool   `json:"insecure_tls"`
    StartTLS       bool   `json:"starttls"`
    BindDN         string `json:"binddn"`
    BindPassword   string `json:"bindpass"`
    DenyNullBind   bool   `json:"deny_null_bind"`
    DiscoverDN     bool   `json:"discoverdn"`
    TLSMinVersion  string `json:"tls_min_version"`
    TLSMaxVersion  string `json:"tls_max_version"`
    UseTokenGroups bool   `json:"use_token_groups"`

    // This json tag deviates from snake case because there was a past issue
    // where the tag was being ignored, causing it to be jsonified as "CaseSensitiveNames".
    // To continue reading in users' previously stored values,
    // we chose to carry that forward.
    CaseSensitiveNames *bool `json:"CaseSensitiveNames,omitempty"`
}

func NewConfigEntry ¶ Uses

func NewConfigEntry(existing *ConfigEntry, d *framework.FieldData) (*ConfigEntry, error)

* Creates and initializes a ConfigEntry object with its default values, * as specified by the passed schema.

func (*ConfigEntry) Map ¶ Uses

func (c *ConfigEntry) Map() map[string]interface{}

func (*ConfigEntry) PasswordlessMap ¶ Uses

func (c *ConfigEntry) PasswordlessMap() map[string]interface{}

func (*ConfigEntry) Validate ¶ Uses

func (c *ConfigEntry) Validate() error

type Connection ¶ Uses

type Connection interface {
    Bind(username, password string) error
    Close()
    Modify(modifyRequest *ldap.ModifyRequest) error
    Search(searchRequest *ldap.SearchRequest) (*ldap.SearchResult, error)
    StartTLS(config *tls.Config) error
    UnauthenticatedBind(username string) error
}

Connection provides the functionality of an LDAP connection, but through an interface.

type LDAP ¶ Uses

type LDAP interface {
    Dial(network, addr string) (Connection, error)
    DialTLS(network, addr string, config *tls.Config) (Connection, error)
}

LDAP provides ldap functionality, but through an interface rather than statically. This allows faking it for tests.

func NewLDAP ¶ Uses

func NewLDAP() LDAP