open-vault/vendor/github.com/go-ldap/ldap/bind.go

140 lines
4.3 KiB
Go
Raw Normal View History

2015-06-29 21:50:55 +00:00
package ldap
import (
"errors"
2018-06-15 17:13:57 +00:00
"fmt"
2015-06-29 21:50:55 +00:00
2017-10-27 19:06:04 +00:00
"gopkg.in/asn1-ber.v1"
2015-06-29 21:50:55 +00:00
)
2016-07-23 00:11:47 +00:00
// SimpleBindRequest represents a username/password bind operation
2015-06-29 21:50:55 +00:00
type SimpleBindRequest struct {
2016-07-23 00:11:47 +00:00
// Username is the name of the Directory object that the client wishes to bind as
2015-06-29 21:50:55 +00:00
Username string
2016-07-23 00:11:47 +00:00
// Password is the credentials to bind with
2015-06-29 21:50:55 +00:00
Password string
2016-07-23 00:11:47 +00:00
// Controls are optional controls to send with the bind request
2015-06-29 21:50:55 +00:00
Controls []Control
2017-09-05 22:06:47 +00:00
// AllowEmptyPassword sets whether the client allows binding with an empty password
// (normally used for unauthenticated bind).
AllowEmptyPassword bool
2015-06-29 21:50:55 +00:00
}
2016-07-23 00:11:47 +00:00
// SimpleBindResult contains the response from the server
2015-06-29 21:50:55 +00:00
type SimpleBindResult struct {
Controls []Control
}
2016-07-23 00:11:47 +00:00
// NewSimpleBindRequest returns a bind request
2015-06-29 21:50:55 +00:00
func NewSimpleBindRequest(username string, password string, controls []Control) *SimpleBindRequest {
return &SimpleBindRequest{
2017-09-05 22:06:47 +00:00
Username: username,
Password: password,
Controls: controls,
AllowEmptyPassword: false,
2015-06-29 21:50:55 +00:00
}
}
func (bindRequest *SimpleBindRequest) encode() *ber.Packet {
request := ber.Encode(ber.ClassApplication, ber.TypeConstructed, ApplicationBindRequest, nil, "Bind Request")
request.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, 3, "Version"))
request.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, bindRequest.Username, "User Name"))
request.AppendChild(ber.NewString(ber.ClassContext, ber.TypePrimitive, 0, bindRequest.Password, "Password"))
return request
}
2016-07-23 00:11:47 +00:00
// SimpleBind performs the simple bind operation defined in the given request
2015-06-29 21:50:55 +00:00
func (l *Conn) SimpleBind(simpleBindRequest *SimpleBindRequest) (*SimpleBindResult, error) {
2017-09-05 22:06:47 +00:00
if simpleBindRequest.Password == "" && !simpleBindRequest.AllowEmptyPassword {
return nil, NewError(ErrorEmptyPassword, errors.New("ldap: empty password not allowed by the client"))
}
2015-06-29 21:50:55 +00:00
packet := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "LDAP Request")
2016-06-30 18:19:03 +00:00
packet.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, l.nextMessageID(), "MessageID"))
2015-06-29 21:50:55 +00:00
encodedBindRequest := simpleBindRequest.encode()
packet.AppendChild(encodedBindRequest)
2018-06-15 17:13:57 +00:00
if len(simpleBindRequest.Controls) > 0 {
packet.AppendChild(encodeControls(simpleBindRequest.Controls))
}
2015-06-29 21:50:55 +00:00
if l.Debug {
ber.PrintPacket(packet)
}
2016-06-30 18:19:03 +00:00
msgCtx, err := l.sendMessage(packet)
2015-06-29 21:50:55 +00:00
if err != nil {
return nil, err
}
2016-06-30 18:19:03 +00:00
defer l.finishMessage(msgCtx)
2015-06-29 21:50:55 +00:00
2016-06-30 18:19:03 +00:00
packetResponse, ok := <-msgCtx.responses
2016-04-26 00:18:04 +00:00
if !ok {
2016-06-30 18:19:03 +00:00
return nil, NewError(ErrorNetwork, errors.New("ldap: response channel closed"))
2016-04-26 00:18:04 +00:00
}
packet, err = packetResponse.ReadPacket()
2016-06-30 18:19:03 +00:00
l.Debug.Printf("%d: got response %p", msgCtx.id, packet)
2016-04-26 00:18:04 +00:00
if err != nil {
return nil, err
2015-06-29 21:50:55 +00:00
}
if l.Debug {
if err := addLDAPDescriptions(packet); err != nil {
return nil, err
}
ber.PrintPacket(packet)
}
result := &SimpleBindResult{
Controls: make([]Control, 0),
}
if len(packet.Children) == 3 {
for _, child := range packet.Children[2].Children {
2018-06-15 17:13:57 +00:00
decodedChild, err := DecodeControl(child)
if err != nil {
return nil, fmt.Errorf("failed to decode child control: %s", err)
}
result.Controls = append(result.Controls, decodedChild)
2015-06-29 21:50:55 +00:00
}
}
resultCode, resultDescription := getLDAPResultCode(packet)
if resultCode != 0 {
return result, NewError(resultCode, errors.New(resultDescription))
}
return result, nil
}
2017-09-05 22:06:47 +00:00
// Bind performs a bind with the given username and password.
//
// It does not allow unauthenticated bind (i.e. empty password). Use the UnauthenticatedBind method
// for that.
2015-06-29 21:50:55 +00:00
func (l *Conn) Bind(username, password string) error {
2017-09-05 22:06:47 +00:00
req := &SimpleBindRequest{
Username: username,
Password: password,
AllowEmptyPassword: false,
2015-06-29 21:50:55 +00:00
}
2017-09-05 22:06:47 +00:00
_, err := l.SimpleBind(req)
return err
}
2015-06-29 21:50:55 +00:00
2017-09-05 22:06:47 +00:00
// UnauthenticatedBind performs an unauthenticated bind.
//
// A username may be provided for trace (e.g. logging) purpose only, but it is normally not
// authenticated or otherwise validated by the LDAP server.
//
// See https://tools.ietf.org/html/rfc4513#section-5.1.2 .
// See https://tools.ietf.org/html/rfc4513#section-6.3.1 .
func (l *Conn) UnauthenticatedBind(username string) error {
req := &SimpleBindRequest{
Username: username,
Password: "",
AllowEmptyPassword: true,
2015-06-29 21:50:55 +00:00
}
2017-09-05 22:06:47 +00:00
_, err := l.SimpleBind(req)
return err
2015-06-29 21:50:55 +00:00
}