package ldap
import (
"crypto/tls"
"fmt"
"net"
"net/url"
"strings"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
"github.com/go-ldap/ldap"
)
// pathConfig returns the "config" path of the LDAP backend. Through it an
// operator stores the server URL, the user and group DNs and the user
// attribute (write), and reads the stored values back (read).
func pathConfig(b *backend) *framework.Path {
	fields := map[string]*framework.FieldSchema{
		"url": &framework.FieldSchema{
			Type:        framework.TypeString,
			Description: "ldap URL to connect to (default: ldap://127.0.0.1)",
		},
		"userdn": &framework.FieldSchema{
			Type:        framework.TypeString,
			Description: "LDAP domain to use for users (eg: ou=People,dc=example,dc=org)",
		},
		"groupdn": &framework.FieldSchema{
			Type:        framework.TypeString,
			Description: "LDAP domain to use for groups (eg: ou=Groups,dc=example,dc=org)",
		},
		"userattr": &framework.FieldSchema{
			Type:        framework.TypeString,
			Description: "Attribute used for users (default: cn)",
		},
	}

	callbacks := map[logical.Operation]framework.OperationFunc{
		logical.ReadOperation:  b.pathConfigRead,
		logical.WriteOperation: b.pathConfigWrite,
	}

	return &framework.Path{
		Pattern:         `config`,
		Fields:          fields,
		Callbacks:       callbacks,
		HelpSynopsis:    pathConfigHelpSyn,
		HelpDescription: pathConfigHelpDesc,
	}
}
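// Config loads the LDAP configuration stored under the "config" key.
//
// It returns (nil, nil) when nothing has been configured yet, so callers must
// check for a nil entry. Any field that is empty in the stored entry is
// filled from SetDefaults: entries written by pathConfigWrite carry every
// field (ConfigEntry has no omitempty tags), so an option that was never set
// round-trips as "" and would otherwise override the default.
func (b *backend) Config(req *logical.Request) (*ConfigEntry, error) {
	entry, err := req.Storage.Get("config")
	if err != nil {
		return nil, err
	}
	if entry == nil {
		return nil, nil
	}

	var result ConfigEntry
	if err := entry.DecodeJSON(&result); err != nil {
		return nil, err
	}

	// Apply defaults after decoding, not before, so that stored empty
	// strings cannot clobber them.
	var defaults ConfigEntry
	defaults.SetDefaults()
	if result.Url == "" {
		result.Url = defaults.Url
	}
	if result.UserAttr == "" {
		result.UserAttr = defaults.UserAttr
	}

	return &result, nil
}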
// pathConfigRead serves reads of the "config" path. It echoes the stored
// ConfigEntry as response data, or returns an empty response when no
// configuration has been written yet. The field data d is unused: the path
// takes no parameters on read.
func (b *backend) pathConfigRead(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	cfg, err := b.Config(req)
	switch {
	case err != nil:
		return nil, err
	case cfg == nil:
		return nil, nil
	}

	data := make(map[string]interface{}, 4)
	data["url"] = cfg.Url
	data["userdn"] = cfg.UserDN
	data["groupdn"] = cfg.GroupDN
	data["userattr"] = cfg.UserAttr

	return &logical.Response{Data: data}, nil
}
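// pathConfigWrite serves writes of the "config" path. It builds a ConfigEntry
// from the request fields, verifies the URL by opening (and immediately
// closing) a connection to the server, and persists the entry under "config".
//
// Fields left empty in the request keep the values set by SetDefaults, so the
// stored entry always carries the effective configuration. The url and
// userattr values are lowercased before being stored. A dial failure is
// reported to the caller as an error response rather than as an internal
// error, since it is a configuration problem rather than a backend fault.
func (b *backend) pathConfigWrite(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	cfg := &ConfigEntry{}
	// Start from the defaults: an omitted field would otherwise be stored as
	// "" and override the default when the entry is decoded again in Config.
	cfg.SetDefaults()

	// Named rawURL rather than url so the net/url package is not shadowed.
	if rawURL := d.Get("url").(string); rawURL != "" {
		cfg.Url = strings.ToLower(rawURL)
	}
	if userattr := d.Get("userattr").(string); userattr != "" {
		cfg.UserAttr = strings.ToLower(userattr)
	}
	if userdn := d.Get("userdn").(string); userdn != "" {
		cfg.UserDN = userdn
	}
	if groupdn := d.Get("groupdn").(string); groupdn != "" {
		cfg.GroupDN = groupdn
	}

	// Try to connect to the LDAP server, to validate the URL configuration.
	// This is the only check possible at this stage, as anything else would
	// probably require authentication.
	conn, cerr := cfg.DialLDAP()
	if cerr != nil {
		return logical.ErrorResponse(cerr.Error()), nil
	}
	conn.Close()

	entry, err := logical.StorageEntryJSON("config", cfg)
	if err != nil {
		return nil, err
	}
	if err := req.Storage.Put(entry); err != nil {
		return nil, err
	}

	return nil, nil
}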
// ConfigEntry is the LDAP backend configuration. It is persisted under the
// "config" storage key by pathConfigWrite and decoded again by Config.
type ConfigEntry struct {
	// Url is the server URL; DialLDAP accepts only the "ldap" and "ldaps"
	// schemes. pathConfigWrite stores it lowercased.
	Url string
	// UserDN is the DN used for users (eg: ou=People,dc=example,dc=org).
	UserDN string
	// GroupDN is the DN used for groups (eg: ou=Groups,dc=example,dc=org).
	GroupDN string
	// UserAttr is the attribute used for users (default: cn); stored
	// lowercased.
	UserAttr string
}
// DialLDAP opens a connection to the server named by c.Url.
//
// The "ldap" scheme yields a plaintext connection (default port 389); the
// "ldaps" scheme yields a TLS connection (default port 636) whose server
// certificate is checked against the host part of the URL via ServerName.
// Any other scheme, an unparsable URL, or a failed dial is returned as an
// error. The caller owns the returned connection and must Close it.
func (c *ConfigEntry) DialLDAP() (*ldap.Conn, error) {
	parsed, err := url.Parse(c.Url)
	if err != nil {
		return nil, err
	}

	host, port, splitErr := net.SplitHostPort(parsed.Host)
	if splitErr != nil {
		// No explicit port: the whole authority is the host and the port is
		// chosen from the scheme below.
		host, port = parsed.Host, ""
	}

	var (
		defaultPort string
		dial        func(addr string) (*ldap.Conn, error)
	)
	switch parsed.Scheme {
	case "ldap":
		defaultPort = "389"
		dial = func(addr string) (*ldap.Conn, error) {
			return ldap.Dial("tcp", addr)
		}
	case "ldaps":
		defaultPort = "636"
		dial = func(addr string) (*ldap.Conn, error) {
			return ldap.DialTLS("tcp", addr, &tls.Config{ServerName: host})
		}
	default:
		return nil, fmt.Errorf("invalid LDAP scheme")
	}
	if port == "" {
		port = defaultPort
	}

	conn, err := dial(host + ":" + port)
	if err != nil {
		return nil, fmt.Errorf("cannot connect to LDAP: %v", err)
	}
	return conn, nil
}
// SetDefaults resets the URL and the user attribute to their documented
// defaults: a plaintext LDAP server on the loopback address, with users
// identified by cn. UserDN and GroupDN are left untouched.
func (c *ConfigEntry) SetDefaults() {
	c.Url, c.UserAttr = "ldap://127.0.0.1", "cn"
}
// Help text for the "config" path: the synopsis is the one-line summary and
// the description explains the accepted URL schemes and their default ports.
const (
	pathConfigHelpSyn = `
Configure the LDAP server to connect to.
`

	pathConfigHelpDesc = `
This endpoint allows you to configure the LDAP server to connect to, and give
basic information of the schema of that server.

The LDAP URL can use either the "ldap://" or "ldaps://" schema. In the former
case, an unencrypted connection will be done, with default port 389; in the latter
case, a SSL connection will be done, with default port 636.
`
)