package ldap
import (
"errors"
"fmt"
ber "github.com/go-asn1-ber/asn1-ber"
)
// SimpleBindRequest describes a simple (name and password) bind operation.
type SimpleBindRequest struct {
	// Username names the Directory object the client wants to bind as.
	Username string

	// Password is the credential presented for Username. appendTo encodes it
	// into the request unmodified.
	// NOTE(review): protection in transit presumably relies on the transport
	// (e.g. TLS) — confirm at the call site.
	Password string

	// Controls holds optional controls sent along with the bind request.
	Controls []Control

	// AllowEmptyPassword, when true, lets SimpleBind proceed with an empty
	// Password (normally used for unauthenticated bind). When false,
	// SimpleBind returns ErrorEmptyPassword for an empty Password before the
	// request is handed to the connection.
	AllowEmptyPassword bool
}
// SimpleBindResult carries what the server returned for a simple bind.
type SimpleBindResult struct {
	// Controls lists the response controls that SimpleBind decoded.
	Controls []Control
}
// NewSimpleBindRequest returns a bind request for the given name, password
// and controls.
//
// AllowEmptyPassword is left false, so SimpleBind refuses the request when
// password is empty unless the caller sets that field afterwards.
func NewSimpleBindRequest(username string, password string, controls []Control) *SimpleBindRequest {
	req := new(SimpleBindRequest)
	req.Username = username
	req.Password = password
	req.Controls = controls
	req.AllowEmptyPassword = false
	return req
}
// appendTo encodes the bind request and appends it to envelope, followed by
// the encoded controls when req.Controls is not empty. It always returns nil.
//
// No empty-password check happens here; that guard is in Conn.SimpleBind.
// NOTE(review): a request that reaches the connection by any other route
// would be encoded without that check — confirm there is no such caller.
func (req *SimpleBindRequest) appendTo(envelope *ber.Packet) error {
	version := ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, 3, "Version")
	name := ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, req.Username, "User Name")
	// Context tag 0 carries the password string exactly as the caller supplied it.
	secret := ber.NewString(ber.ClassContext, ber.TypePrimitive, 0, req.Password, "Password")

	bindRequest := ber.Encode(ber.ClassApplication, ber.TypeConstructed, ApplicationBindRequest, nil, "Bind Request")
	bindRequest.AppendChild(version)
	bindRequest.AppendChild(name)
	bindRequest.AppendChild(secret)
	envelope.AppendChild(bindRequest)

	if len(req.Controls) == 0 {
		return nil
	}
	envelope.AppendChild(encodeControls(req.Controls))
	return nil
}
// SimpleBind performs the simple bind operation described by
// simpleBindRequest.
//
// An empty Password is rejected with ErrorEmptyPassword, before the request
// is passed to the connection, unless AllowEmptyPassword is set.
//
// When the response has exactly three children, the children of the third
// are decoded as controls; a control that fails to decode aborts the call
// with a nil result. Otherwise the result is returned together with whatever
// GetLDAPError reports for the response, so a non-nil result does not by
// itself mean the bind succeeded: callers must check the returned error.
func (l *Conn) SimpleBind(simpleBindRequest *SimpleBindRequest) (*SimpleBindResult, error) {
	emptyPassword := simpleBindRequest.Password == ""
	if emptyPassword && !simpleBindRequest.AllowEmptyPassword {
		return nil, NewError(ErrorEmptyPassword, errors.New("ldap: empty password not allowed by the client"))
	}

	msgCtx, err := l.doRequest(simpleBindRequest)
	if err != nil {
		return nil, err
	}
	defer l.finishMessage(msgCtx)

	response, err := l.readPacket(msgCtx)
	if err != nil {
		return nil, err
	}

	// Controls starts as an empty, non-nil slice even when the server sends none.
	result := &SimpleBindResult{Controls: []Control{}}

	if len(response.Children) == 3 {
		for _, encoded := range response.Children[2].Children {
			control, decodeErr := DecodeControl(encoded)
			if decodeErr != nil {
				return nil, fmt.Errorf("failed to decode child control: %s", decodeErr)
			}
			result.Controls = append(result.Controls, control)
		}
	}

	// The decoded controls are handed back even when the server reported an error.
	return result, GetLDAPError(response)
}
// Bind performs a simple bind with the given username and password.
//
// It never allows an unauthenticated bind: an empty password makes the
// underlying SimpleBind call fail with ErrorEmptyPassword. Use the
// UnauthenticatedBind method when an empty password is intended.
func (l *Conn) Bind(username, password string) error {
	_, err := l.SimpleBind(&SimpleBindRequest{
		Username: username,
		Password: password,
		// Explicitly false so that an accidentally empty password is refused.
		AllowEmptyPassword: false,
	})
	return err
}
// UnauthenticatedBind performs an unauthenticated bind, i.e. a simple bind
// with an empty password.
//
// A username may be provided for trace (e.g. logging) purposes only; it is
// normally not authenticated or otherwise validated by the LDAP server. A nil
// error from this method is therefore not evidence that username was
// verified.
//
// See https://tools.ietf.org/html/rfc4513#section-5.1.2 .
// See https://tools.ietf.org/html/rfc4513#section-6.3.1 .
func (l *Conn) UnauthenticatedBind(username string) error {
	var req SimpleBindRequest
	req.Username = username
	// Password keeps its zero value (""); the flag below is what lets
	// SimpleBind accept it.
	req.AllowEmptyPassword = true

	_, err := l.SimpleBind(&req)
	return err
}
// externalBindRequest appends a bind request to envelope that selects the
// SASL mechanism "EXTERNAL". The user name and the SASL credentials are both
// sent as empty strings. It always returns nil.
var externalBindRequest = requestFunc(func(envelope *ber.Packet) error {
	// Context tag 3 wraps the mechanism name and the (empty) credentials.
	sasl := ber.Encode(ber.ClassContext, ber.TypeConstructed, 3, "", "authentication")
	sasl.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, "EXTERNAL", "SASL Mech"))
	sasl.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, "", "SASL Cred"))

	bindRequest := ber.Encode(ber.ClassApplication, ber.TypeConstructed, ApplicationBindRequest, nil, "Bind Request")
	bindRequest.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, 3, "Version"))
	bindRequest.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, "", "User Name"))
	bindRequest.AppendChild(sasl)

	envelope.AppendChild(bindRequest)
	return nil
})
// ExternalBind performs SASL/EXTERNAL authentication.
//
// Use ldap.DialURL("ldapi://") to connect to the Unix socket before
// ExternalBind.
//
// The request carries no user name and no SASL credentials.
// NOTE(review): the identity the server assigns presumably comes from the
// connection itself — confirm against the server's configuration.
//
// See https://tools.ietf.org/html/rfc4422#appendix-A
func (l *Conn) ExternalBind() error {
	msgCtx, err := l.doRequest(externalBindRequest)
	if err != nil {
		return err
	}
	defer l.finishMessage(msgCtx)

	response, readErr := l.readPacket(msgCtx)
	if readErr != nil {
		return readErr
	}

	// The bind outcome is whatever GetLDAPError reports for the response.
	return GetLDAPError(response)
}