package ldaputil

import "github.com/hashicorp/vault/sdk/helper/ldaputil"

Index

Functions

func ConfigFields

func ConfigFields() map[string]*framework.FieldSchema

ConfigFields returns all the config fields that can potentially be used by the LDAP client. Not all fields will be used by every integration.

func ConvertConfig

func ConvertConfig(cfg *ConfigEntry) *capldap.ClientConfig

func EscapeLDAPValue

func EscapeLDAPValue(input string) string

EscapeLDAPValue is exported because a plugin uses it outside this package. EscapeLDAPValue escapes the input string for use as an LDAP value. RFC 4514 states the following must be escaped: a leading space or hash; a trailing space; the special characters '"', '+', ',', ';', '<', '>', '\\'; and hex.

Types

type Client

// Client performs the LDAP operations used by the integrations in this
// package (dialing, user lookup, group lookup). LDAP is the dialer
// abstraction (its DialURL returns a Connection), which is what lets the
// server side be faked in tests; Logger receives the client's log output.
type Client struct {
	Logger hclog.Logger
	LDAP   LDAP
}

func (*Client) DialLDAP

func (c *Client) DialLDAP(cfg *ConfigEntry) (Connection, error)

func (*Client) GetLdapGroups

func (c *Client) GetLdapGroups(cfg *ConfigEntry, conn Connection, userDN string, username string) ([]string, error)

getLdapGroups queries LDAP and returns a slice describing the set of groups the authenticated user is a member of. If cfg.UseTokenGroups is true then the search is performed directly on the userDN. The values of those attributes are converted to string SIDs, and then looked up to get ldap.Entry objects. Otherwise, the search query is constructed according to cfg.GroupFilter and run in the context of cfg.GroupDN. Groups are resolved from the query results by following the attribute defined in cfg.GroupAttr. cfg.GroupFilter is a Go template and is compiled with the following context: [UserDN, Username]. UserDN is the DN of the authenticated user; Username is the username of the authenticated user. Example: cfg.GroupFilter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))", cfg.GroupDN = "OU=Groups,DC=myorg,DC=com", cfg.GroupAttr = "cn". NOTE: if cfg.GroupFilter is empty, no query is performed and an empty result slice is returned.

func (*Client) GetUserAliasAttributeValue

func (c *Client) GetUserAliasAttributeValue(cfg *ConfigEntry, conn Connection, username string) (string, error)

Returns the value to be used for the entity alias of this user. This is handled in one of several ways: 1. If DiscoverDN is set, the user will be searched for using userdn (base search path) and userattr (the attribute that maps to the provided username) or the user search filter. The bind will either be anonymous or use binddn and bindpassword if they were provided. 2. If upndomain is set, the alias attribute is constructed as 'username@upndomain'.

func (*Client) GetUserBindDN

func (c *Client) GetUserBindDN(cfg *ConfigEntry, conn Connection, username string) (string, error)

Discover and return the bind string for the user attempting to authenticate, as well as the value to use for the identity alias. This is handled in one of several ways: 1. If DiscoverDN is set, the user object will be searched for using userdn (base search path) and userattr (the attribute that maps to the provided username) or the user search filter. The bind will either be anonymous or use binddn and bindpassword if they were provided. 2. If upndomain is set, the user dn and alias attribute are constructed as 'username@upndomain'. See https://msdn.microsoft.com/en-us/library/cc223499.aspx

func (*Client) GetUserDN

func (c *Client) GetUserDN(cfg *ConfigEntry, conn Connection, bindDN, username string) (string, error)

Returns the DN of the object representing the authenticated user.

func (*Client) RenderUserSearchFilter

func (c *Client) RenderUserSearchFilter(cfg *ConfigEntry, username string) (string, error)

type ConfigEntry

// ConfigEntry holds the LDAP client configuration as read from the backend's
// config fields (see ConfigFields and NewConfigEntry) and checked by Validate.
// The json tags are the keys under which a config is stored, so renaming one
// changes what previously stored configs decode to; see the comment above
// CaseSensitiveNames for an example of that constraint being carried forward.
type ConfigEntry struct {
	Url                      string `json:"url"`
	// UserDN is the base search path used to locate the user object when
	// DiscoverDN is set (see GetUserBindDN).
	UserDN                   string `json:"userdn"`
	AnonymousGroupSearch     bool   `json:"anonymous_group_search"`
	// GroupDN is the base DN the GroupFilter search runs under (see GetLdapGroups).
	GroupDN                  string `json:"groupdn"`
	// GroupFilter is a Go template rendered with UserDN and Username. When it
	// is empty, GetLdapGroups performs no query and returns no groups.
	GroupFilter              string `json:"groupfilter"`
	// GroupAttr is the attribute group names are read from in the search results.
	GroupAttr                string `json:"groupattr"`
	// UPNDomain, when set, makes GetUserBindDN build the user DN and alias as
	// 'username@upndomain' instead of searching for the user object.
	UPNDomain                string `json:"upndomain"`
	UsernameAsAlias          bool   `json:"username_as_alias"`
	// UserFilter is the alternative to UserAttr for locating the user object
	// when DiscoverDN is set.
	UserFilter               string `json:"userfilter"`
	// UserAttr is the attribute that maps to the supplied username when
	// DiscoverDN is set.
	UserAttr                 string `json:"userattr"`
	Certificate              string `json:"certificate"`
	// NOTE(review): InsecureTLS presumably relaxes server certificate
	// verification on the TLS connection — confirm in connection.go. A true
	// value in a production config is worth flagging.
	InsecureTLS              bool   `json:"insecure_tls"`
	StartTLS                 bool   `json:"starttls"`
	// BindDN and BindPassword are the credentials for the search bind when
	// DiscoverDN is set; if they are not provided the bind is anonymous
	// (see GetUserBindDN).
	BindDN                   string `json:"binddn"`
	// BindPassword is a secret. NOTE(review): PasswordlessMap looks like the
	// accessor that omits it — confirm before logging or returning Map() output.
	BindPassword             string `json:"bindpass"`
	// NOTE(review): DenyNullBind appears to be the switch that refuses binds
	// with an empty password (which directories may accept as an unauthenticated
	// bind) — confirm in client.go.
	DenyNullBind             bool   `json:"deny_null_bind"`
	// DiscoverDN selects the search-based lookup of the user object described
	// on GetUserBindDN and GetUserAliasAttributeValue.
	DiscoverDN               bool   `json:"discoverdn"`
	TLSMinVersion            string `json:"tls_min_version"`
	TLSMaxVersion            string `json:"tls_max_version"`
	// UseTokenGroups makes GetLdapGroups search the userDN directly and resolve
	// the returned SIDs to entries instead of running GroupFilter.
	UseTokenGroups           bool   `json:"use_token_groups"`
	UsePre111GroupCNBehavior *bool  `json:"use_pre111_group_cn_behavior"`
	RequestTimeout           int    `json:"request_timeout"`
	// Deprecated: use RequestTimeout.
	ConnectionTimeout        int    `json:"connection_timeout"`
	DerefAliases             string `json:"dereference_aliases"`
	// NOTE(review): MaximumPageSize is presumably the pagingSize handed to
	// PagingConnection.SearchWithPaging — confirm.
	MaximumPageSize          int    `json:"max_page_size"`

	// These json tags deviate from snake case because there was a past issue
	// where the tag was being ignored, causing it to be jsonified as "CaseSensitiveNames", etc.
	// To continue reading in users' previously stored values,
	// we chose to carry that forward.
	CaseSensitiveNames        *bool  `json:"CaseSensitiveNames,omitempty"`
	ClientTLSCert             string `json:"ClientTLSCert"`
	ClientTLSKey              string `json:"ClientTLSKey"`
	EnableSamaccountnameLogin bool   `json:"EnableSamaccountnameLogin"`
}

func NewConfigEntry

func NewConfigEntry(existing *ConfigEntry, d *framework.FieldData) (*ConfigEntry, error)

Creates and initializes a ConfigEntry object with its default values, as specified by the passed schema.

func (*ConfigEntry) Map

func (c *ConfigEntry) Map() map[string]interface{}

func (*ConfigEntry) PasswordlessMap

func (c *ConfigEntry) PasswordlessMap() map[string]interface{}

func (*ConfigEntry) Validate

func (c *ConfigEntry) Validate() error

type Connection

// Connection provides the functionality of an LDAP connection, but through an
// interface, so that a fake can stand in for a real directory in tests (see
// LDAP, whose DialURL returns one).
type Connection interface {
	// Bind authenticates as username with password.
	Bind(username, password string) error
	Close() error
	Add(addRequest *ldap.AddRequest) error
	Modify(modifyRequest *ldap.ModifyRequest) error
	Del(delRequest *ldap.DelRequest) error
	Search(searchRequest *ldap.SearchRequest) (*ldap.SearchResult, error)
	// StartTLS upgrades the existing connection to TLS using config.
	StartTLS(config *tls.Config) error
	SetTimeout(timeout time.Duration)
	// UnauthenticatedBind binds with a username and no password.
	// NOTE(review): a directory may accept this as an anonymous bind, so a nil
	// error here must not be taken as proof of the user's identity; see
	// ConfigEntry.DenyNullBind.
	UnauthenticatedBind(username string) error
}

Connection provides the functionality of an LDAP connection, but through an interface.

type LDAP

// LDAP provides ldap functionality, but through an interface rather than
// statically. This allows faking it for tests; NewLDAP returns the real
// implementation.
type LDAP interface {
	// DialURL opens a Connection to the directory at addr.
	DialURL(addr string, opts ...ldap.DialOpt) (Connection, error)
}

LDAP provides ldap functionality, but through an interface rather than statically. This allows faking it for tests.

func NewLDAP

func NewLDAP() LDAP

type PagingConnection

// PagingConnection is a Connection that can also run a search whose results
// are fetched in pages of pagingSize entries. NOTE(review): presumably driven
// by ConfigEntry.MaximumPageSize — confirm in client.go.
type PagingConnection interface {
	Connection
	SearchWithPaging(searchRequest *ldap.SearchRequest, pagingSize uint32) (*ldap.SearchResult, error)
}

Source Files

client.go config.go connection.go ldap.go
