2021-08-05 11:17:07 +07:00
package authentication
import (
"strings"
"github.com/go-ldap/ldap/v3"
2021-09-17 16:53:59 +07:00
"github.com/authelia/authelia/v4/internal/configuration/schema"
2022-05-15 13:37:23 +07:00
"github.com/authelia/authelia/v4/internal/utils"
2021-08-05 11:17:07 +07:00
)
2021-09-17 16:53:59 +07:00
// StartupCheck implements the startup check provider interface.
2021-11-23 16:45:38 +07:00
func ( p * LDAPUserProvider ) StartupCheck ( ) ( err error ) {
2022-05-10 11:38:36 +07:00
var client LDAPClient
2022-05-02 08:51:38 +07:00
2022-05-10 11:38:36 +07:00
if client , err = p . connect ( ) ; err != nil {
2021-08-05 11:17:07 +07:00
return err
}
2022-05-10 11:38:36 +07:00
defer client . Close ( )
2021-08-05 11:17:07 +07:00
2022-05-10 11:38:36 +07:00
if p . features , err = p . getServerSupportedFeatures ( client ) ; err != nil {
2021-08-05 11:17:07 +07:00
return err
}
2022-05-10 11:38:36 +07:00
if ! p . features . Extensions . PwdModifyExOp && ! p . disableResetPassword &&
p . config . Implementation != schema . LDAPImplementationActiveDirectory {
p . log . Warn ( "Your LDAP server implementation may not support a method for password hashing " +
"known to Authelia, it's strongly recommended you ensure your directory server hashes the password " +
"attribute when users reset their password via Authelia." )
}
if p . features . Extensions . TLS && ! p . config . StartTLS && ! strings . HasPrefix ( p . config . URL , "ldaps://" ) {
2022-06-21 07:56:20 +07:00
p . log . Error ( "Your LDAP Server supports TLS but you don't appear to be utilizing it. We strongly " +
"recommend using the scheme 'ldaps://' or enabling the StartTLS option to secure connections with your " +
2022-05-10 11:38:36 +07:00
"LDAP Server." )
}
if ! p . features . Extensions . TLS && p . config . StartTLS {
2022-07-18 07:56:09 +07:00
p . log . Info ( "Your LDAP Server does not appear to support TLS but you enabled StartTLS which may result " +
2022-05-10 11:38:36 +07:00
"in an error." )
}
return nil
}
func ( p * LDAPUserProvider ) getServerSupportedFeatures ( client LDAPClient ) ( features LDAPSupportedFeatures , err error ) {
var (
searchRequest * ldap . SearchRequest
searchResult * ldap . SearchResult
)
searchRequest = ldap . NewSearchRequest ( "" , ldap . ScopeBaseObject , ldap . NeverDerefAliases ,
1 , 0 , false , "(objectClass=*)" , [ ] string { ldapSupportedExtensionAttribute , ldapSupportedControlAttribute } , nil )
if searchResult , err = client . Search ( searchRequest ) ; err != nil {
return features , err
}
2022-05-02 08:51:38 +07:00
if len ( searchResult . Entries ) != 1 {
2022-05-10 11:38:36 +07:00
p . log . Errorf ( "The LDAP Server did not respond appropriately to a RootDSE search. This may result in reduced functionality." )
return features , nil
2021-08-05 11:17:07 +07:00
}
2022-05-10 11:38:36 +07:00
var controlTypeOIDs , extensionOIDs [ ] string
controlTypeOIDs , extensionOIDs , features = ldapGetFeatureSupportFromEntry ( searchResult . Entries [ 0 ] )
2021-08-05 11:17:07 +07:00
2022-05-10 11:38:36 +07:00
controlTypes , extensions := none , none
if len ( controlTypeOIDs ) != 0 {
controlTypes = strings . Join ( controlTypeOIDs , ", " )
2021-08-05 11:17:07 +07:00
}
2022-05-10 11:38:36 +07:00
if len ( extensionOIDs ) != 0 {
extensions = strings . Join ( extensionOIDs , ", " )
2021-09-17 16:53:59 +07:00
}
2022-05-10 11:38:36 +07:00
p . log . Debugf ( "LDAP Supported OIDs. Control Types: %s. Extensions: %s" , controlTypes , extensions )
return features , nil
2021-08-05 11:17:07 +07:00
}
func ( p * LDAPUserProvider ) parseDynamicUsersConfiguration ( ) {
2022-05-02 08:51:38 +07:00
p . config . UsersFilter = strings . ReplaceAll ( p . config . UsersFilter , "{username_attribute}" , p . config . UsernameAttribute )
p . config . UsersFilter = strings . ReplaceAll ( p . config . UsersFilter , "{mail_attribute}" , p . config . MailAttribute )
p . config . UsersFilter = strings . ReplaceAll ( p . config . UsersFilter , "{display_name_attribute}" , p . config . DisplayNameAttribute )
2021-08-05 11:17:07 +07:00
2022-05-02 08:51:38 +07:00
p . log . Tracef ( "Dynamically generated users filter is %s" , p . config . UsersFilter )
2021-08-05 11:17:07 +07:00
2022-05-15 13:37:23 +07:00
if ! utils . IsStringInSlice ( p . config . UsernameAttribute , p . usersAttributes ) {
p . usersAttributes = append ( p . usersAttributes , p . config . UsernameAttribute )
}
if ! utils . IsStringInSlice ( p . config . MailAttribute , p . usersAttributes ) {
p . usersAttributes = append ( p . usersAttributes , p . config . MailAttribute )
}
if ! utils . IsStringInSlice ( p . config . DisplayNameAttribute , p . usersAttributes ) {
p . usersAttributes = append ( p . usersAttributes , p . config . DisplayNameAttribute )
2021-08-05 11:17:07 +07:00
}
2022-05-02 08:51:38 +07:00
if p . config . AdditionalUsersDN != "" {
p . usersBaseDN = p . config . AdditionalUsersDN + "," + p . config . BaseDN
2021-08-05 11:17:07 +07:00
} else {
2022-05-02 08:51:38 +07:00
p . usersBaseDN = p . config . BaseDN
2021-08-05 11:17:07 +07:00
}
2021-11-23 16:45:38 +07:00
p . log . Tracef ( "Dynamically generated users BaseDN is %s" , p . usersBaseDN )
2021-08-05 11:17:07 +07:00
2022-05-02 08:51:38 +07:00
if strings . Contains ( p . config . UsersFilter , ldapPlaceholderInput ) {
2021-08-05 11:17:07 +07:00
p . usersFilterReplacementInput = true
}
2021-11-23 16:45:38 +07:00
p . log . Tracef ( "Detected user filter replacements that need to be resolved per lookup are: %s=%v" ,
2021-08-05 11:17:07 +07:00
ldapPlaceholderInput , p . usersFilterReplacementInput )
}
func ( p * LDAPUserProvider ) parseDynamicGroupsConfiguration ( ) {
p . groupsAttributes = [ ] string {
2022-05-02 08:51:38 +07:00
p . config . GroupNameAttribute ,
2021-08-05 11:17:07 +07:00
}
2022-05-02 08:51:38 +07:00
if p . config . AdditionalGroupsDN != "" {
p . groupsBaseDN = ldap . EscapeFilter ( p . config . AdditionalGroupsDN + "," + p . config . BaseDN )
2021-08-05 11:17:07 +07:00
} else {
2022-05-02 08:51:38 +07:00
p . groupsBaseDN = p . config . BaseDN
2021-08-05 11:17:07 +07:00
}
2021-11-23 16:45:38 +07:00
p . log . Tracef ( "Dynamically generated groups BaseDN is %s" , p . groupsBaseDN )
2021-08-05 11:17:07 +07:00
2022-05-02 08:51:38 +07:00
if strings . Contains ( p . config . GroupsFilter , ldapPlaceholderInput ) {
2021-08-05 11:17:07 +07:00
p . groupsFilterReplacementInput = true
}
2022-05-02 08:51:38 +07:00
if strings . Contains ( p . config . GroupsFilter , ldapPlaceholderUsername ) {
2021-08-05 11:17:07 +07:00
p . groupsFilterReplacementUsername = true
}
2022-05-02 08:51:38 +07:00
if strings . Contains ( p . config . GroupsFilter , ldapPlaceholderDistinguishedName ) {
2021-08-05 11:17:07 +07:00
p . groupsFilterReplacementDN = true
}
2021-11-23 16:45:38 +07:00
p . log . Tracef ( "Detected group filter replacements that need to be resolved per lookup are: input=%v, username=%v, dn=%v" , p . groupsFilterReplacementInput , p . groupsFilterReplacementUsername , p . groupsFilterReplacementDN )
2021-08-05 11:17:07 +07:00
}