open-vault/builtin/credential/ldap/backend.go

package ldap

import (
	"fmt"

	"github.com/go-ldap/ldap"
	"github.com/hashicorp/vault/helper/mfa"
	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
	"strings"
)

func Factory(conf *logical.BackendConfig) (logical.Backend, error) {
	return Backend().Setup(conf)
}

func Backend() *framework.Backend {
	var b backend
	b.Backend = &framework.Backend{
		Help: backendHelp,

		PathsSpecial: &logical.Paths{
			Root: append([]string{
				"config",
				"groups/*",
				"users/*",
			},
				mfa.MFARootPaths()...,
			),

			Unauthenticated: []string{
				"login/*",
			},
		},

		Paths: append([]*framework.Path{
			pathConfig(&b),
			pathGroups(&b),
			pathUsers(&b),
		},
			mfa.MFAPaths(b.Backend, pathLogin(&b))...,
		),

		AuthRenew: b.pathLoginRenew,
	}

	return b.Backend
}

type backend struct {
	*framework.Backend
}

func EscapeLDAPValue(input string) string {
	// RFC4514 forbids un-escaped:
	// - leading space or hash
	// - trailing space
	// - special characters '"', '+', ',', ';', '<', '>', '\\'
	// - null
	for i := 0; i < len(input); i++ {
		escaped := false
		if input[i] == '\\' {
			i++
			escaped = true
		}
		switch input[i] {
		case '"', '+', ',', ';', '<', '>', '\\':
			if !escaped {
				input = input[0:i] + "\\" + input[i:]
				i++
			}
			continue
		}
		if escaped {
			input = input[0:i] + "\\" + input[i:]
			i++
		}
	}
	if input[0] == ' ' || input[0] == '#' {
		input = "\\" + input
	}
	if input[len(input)-1] == ' ' {
		input = input[0:len(input)-1] + "\\ "
	}
	return input
}

func (b *backend) Login(req *logical.Request, username string, password string) ([]string, *logical.Response, error) {

	cfg, err := b.Config(req)
	if err != nil {
		return nil, nil, err
	}
	if cfg == nil {
		return nil, logical.ErrorResponse("ldap backend not configured"), nil
	}

	c, err := cfg.DialLDAP()
	if err != nil {
		return nil, logical.ErrorResponse(err.Error()), nil
	}
	if c == nil {
		return nil, logical.ErrorResponse("invalid connection returned from LDAP dial"), nil
	}

	// Format binddn
	binddn := ""
	if cfg.DiscoverDN || (cfg.BindDN != "" && cfg.BindPassword != "") {
		if err = c.Bind(cfg.BindDN, cfg.BindPassword); err != nil {
			return nil, logical.ErrorResponse(fmt.Sprintf("LDAP bind (service) failed: %v", err)), nil
		}
		sresult, err := c.Search(&ldap.SearchRequest{
			BaseDN: cfg.UserDN,
			Scope:  2, // subtree
			Filter: fmt.Sprintf("(%s=%s)", cfg.UserAttr, ldap.EscapeFilter(username)),
		})
		if err != nil {
			return nil, logical.ErrorResponse(fmt.Sprintf("LDAP search for binddn failed: %v", err)), nil
		}
		if len(sresult.Entries) != 1 {
			return nil, logical.ErrorResponse("LDAP search for binddn 0 or not unique"), nil
		}
		binddn = sresult.Entries[0].DN
	} else {
		if cfg.UPNDomain != "" {
			binddn = fmt.Sprintf("%s@%s", EscapeLDAPValue(username), cfg.UPNDomain)
		} else {
			binddn = fmt.Sprintf("%s=%s,%s", cfg.UserAttr, EscapeLDAPValue(username), cfg.UserDN)
		}
	}
	if err = c.Bind(binddn, password); err != nil {
		return nil, logical.ErrorResponse(fmt.Sprintf("LDAP bind failed: %v", err)), nil
	}

	userdn := ""
	ldapGroups := make(map[string]bool)
	if cfg.UPNDomain != "" {
		// Find the distinguished name for the user if userPrincipalName used for login
		// and the groups from memberOf attributes
		sresult, err := c.Search(&ldap.SearchRequest{
			BaseDN: cfg.UserDN,
			Scope:  2, // subtree
			Filter: fmt.Sprintf("(userPrincipalName=%s)", ldap.EscapeFilter(binddn)),
		})
		if err != nil {
			return nil, logical.ErrorResponse(fmt.Sprintf("LDAP search failed: %v", err)), nil
		}
		for _, e := range sresult.Entries {
			userdn = e.DN
			// Find the groups the user is member of from the 'memberOf' attribute extracting the CN
			for _,dnAttr := range e.Attributes {
				if dnAttr.Name == "memberOf" {
					for _,value := range dnAttr.Values {
						memberOfDN, err := ldap.ParseDN(value)
						if err != nil {
							return nil, nil, err
						}

						for _, rdn := range memberOfDN.RDNs {
							for _, rdnTypeAndValue := range rdn.Attributes {
								if strings.EqualFold(rdnTypeAndValue.Type, "CN") {
									ldapGroups[rdnTypeAndValue.Value] = true
								}
							}
						}
					}
				}
			}
		}
	} else {
		userdn = binddn
	}

	resp := &logical.Response{
		Data: map[string]interface{}{},
	}
	// Find groups by searching in groupDN for any of the memberUid, member or uniqueMember attributes
	// and retrieving the CN in the DN result
	if cfg.GroupDN != "" {
		sresult, err := c.Search(&ldap.SearchRequest{
			BaseDN: cfg.GroupDN,
			Scope:  2, // subtree
			Filter: fmt.Sprintf("(|(memberUid=%s)(member=%s)(uniqueMember=%s))", ldap.EscapeFilter(username), ldap.EscapeFilter(userdn), ldap.EscapeFilter(userdn)),
		})
		if err != nil {
			return nil, logical.ErrorResponse(fmt.Sprintf("LDAP search failed: %v", err)), nil
		}
	
		for _, e := range sresult.Entries {
			dn, err := ldap.ParseDN(e.DN)
			if err != nil {
				return nil, nil, err
			}
			for _, rdn := range dn.RDNs {
				for _, rdnTypeAndValue := range rdn.Attributes {
					if strings.EqualFold(rdnTypeAndValue.Type, "CN" ) {
						ldapGroups[rdnTypeAndValue.Value] = true
					}
				}
			}
		}
	}
	
	if len(ldapGroups) == 0 {
		errString := fmt.Sprintf(
			"no LDAP groups found in user DN '%s' or group DN '%s';only policies from locally-defined groups available",
			cfg.UserDN,
			cfg.GroupDN)
		resp.AddWarning(errString)
	}

	var allgroups []string
	// Import the custom added groups from ldap backend
	user, err := b.User(req.Storage, username)
	if err == nil && user != nil {
		allgroups = append(allgroups, user.Groups...)
	}
	// add the LDAP groups
	for key, _ := range ldapGroups {
		allgroups = append(allgroups, key)
	}

	// Retrieve policies
	var policies []string
	for _, gname := range allgroups {
		group, err := b.Group(req.Storage, gname)
		if err == nil && group != nil {
			policies = append(policies, group.Policies...)
		}
	}

	if len(policies) == 0 {
		errStr := "user is not a member of any authorized group"
		if len(resp.Warnings()) > 0 {
			errStr = fmt.Sprintf("%s; additionally, %s", errStr, resp.Warnings()[0])
		}

		resp.Data["error"] = errStr
		return nil, resp, nil
	}

	return policies, resp, nil
}

const backendHelp = `
The "ldap" credential provider allows authentication querying
a LDAP server, checking username and password, and associating groups
to set of policies.

Configuration of the server is done through the "config" and "groups"
endpoints by a user with root access. Authentication is then done
by suppying the two fields for "login".
`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`package ldap`

			`import (`
auth/ldap: implement login renew 2015-05-08 07:28:26 +00:00			`"fmt"`

Updating for backend API change 2015-07-01 00:36:12 +00:00			`"github.com/go-ldap/ldap"`
ldap: add mfa to LDAP login 2015-07-27 18:24:12 +00:00			`"github.com/hashicorp/vault/helper/mfa"`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
- updated LDAP group search by iterating through all the attributes and searching for CN value instead of assuming the CN is always the first attribute from the RDN list 2016-03-21 17:44:08 +00:00			`"strings"`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`)`

Remove SetLogger, and unify on framework.Setup 2015-07-01 00:45:20 +00:00			`func Factory(conf *logical.BackendConfig) (logical.Backend, error) {`
			`return Backend().Setup(conf)`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`}`

			`func Backend() *framework.Backend {`
			`var b backend`
			`b.Backend = &framework.Backend{`
			`Help: backendHelp,`

			`PathsSpecial: &logical.Paths{`
ldap: add mfa to LDAP login 2015-07-27 18:24:12 +00:00			`Root: append([]string{`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`"config",`
auth/ldap: add configuration path for groups 2015-05-06 23:48:59 +00:00			`"groups/*",`
ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00			`"users/*",`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`},`
Clean up naming and add documentation 2015-07-31 00:16:53 +00:00			`mfa.MFARootPaths()...,`
ldap: add mfa to LDAP login 2015-07-27 18:24:12 +00:00			`),`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00
			`Unauthenticated: []string{`
auth/ldap: move username into the path (to allow per-user revokation on the path) 2015-05-09 19:07:52 +00:00			`"login/*",`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`},`
			`},`

			`Paths: append([]*framework.Path{`
			`pathConfig(&b),`
auth/ldap: add configuration path for groups 2015-05-06 23:48:59 +00:00			`pathGroups(&b),`
ldap: add ability to set policies based on username as well as groups 2015-07-14 22:46:15 +00:00			`pathUsers(&b),`
ldap: add mfa to LDAP login 2015-07-27 18:24:12 +00:00			`},`
			`mfa.MFAPaths(b.Backend, pathLogin(&b))...,`
			`),`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00
auth/ldap: implement login renew 2015-05-08 07:28:26 +00:00			`AuthRenew: b.pathLoginRenew,`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`}`

			`return b.Backend`
			`}`

			`type backend struct {`
			`*framework.Backend`
			`}`

Fixing merge conflict 2015-06-29 21:50:55 +00:00			`func EscapeLDAPValue(input string) string {`
			`// RFC4514 forbids un-escaped:`
			`// - leading space or hash`
			`// - trailing space`
			`// - special characters '"', '+', ',', ';', '<', '>', '\\'`
			`// - null`
			`for i := 0; i < len(input); i++ {`
			`escaped := false`
			`if input[i] == '\\' {`
			`i++`
			`escaped = true`
			`}`
			`switch input[i] {`
			`case '"', '+', ',', ';', '<', '>', '\\':`
			`if !escaped {`
			`input = input[0:i] + "\\" + input[i:]`
			`i++`
			`}`
			`continue`
			`}`
			`if escaped {`
			`input = input[0:i] + "\\" + input[i:]`
			`i++`
			`}`
			`}`
			`if input[0] == ' ' \|\| input[0] == '#' {`
			`input = "\\" + input`
			`}`
			`if input[len(input)-1] == ' ' {`
			`input = input[0:len(input)-1] + "\\ "`
			`}`
			`return input`
			`}`

auth/ldap: implement login renew 2015-05-08 07:28:26 +00:00			`func (b backend) Login(req logical.Request, username string, password string) ([]string, *logical.Response, error) {`

			`cfg, err := b.Config(req)`
			`if err != nil {`
			`return nil, nil, err`
			`}`
			`if cfg == nil {`
			`return nil, logical.ErrorResponse("ldap backend not configured"), nil`
			`}`

			`c, err := cfg.DialLDAP()`
			`if err != nil {`
			`return nil, logical.ErrorResponse(err.Error()), nil`
			`}`
Check for nil connection back from go-ldap, which apparently can happen even with no error Ping #1262 2016-03-29 13:59:28 +00:00			`if c == nil {`
			`return nil, logical.ErrorResponse("invalid connection returned from LDAP dial"), nil`
			`}`
- added another method to search LDAP groups by querying the userDN for memberOf attribute 2016-03-21 14:55:38 +00:00
			`// Format binddn`
ldap: add ability to login with a userPrincipalName (user@upndomain) 2015-07-14 22:37:46 +00:00			`binddn := ""`
discover bind dn with anonymous binds 2016-01-27 16:06:27 +00:00			`if cfg.DiscoverDN \|\| (cfg.BindDN != "" && cfg.BindPassword != "") {`
fix stupid c&p error 2016-01-26 15:15:25 +00:00			`if err = c.Bind(cfg.BindDN, cfg.BindPassword); err != nil {`
add binddn/bindpath to search for the users bind DN 2016-01-26 14:56:41 +00:00			`return nil, logical.ErrorResponse(fmt.Sprintf("LDAP bind (service) failed: %v", err)), nil`
			`}`
			`sresult, err := c.Search(&ldap.SearchRequest{`
			`BaseDN: cfg.UserDN,`
			`Scope: 2, // subtree`
Properly escape filter values. Fixes #1030 2016-02-19 18:16:52 +00:00			`Filter: fmt.Sprintf("(%s=%s)", cfg.UserAttr, ldap.EscapeFilter(username)),`
add binddn/bindpath to search for the users bind DN 2016-01-26 14:56:41 +00:00			`})`
			`if err != nil {`
			`return nil, logical.ErrorResponse(fmt.Sprintf("LDAP search for binddn failed: %v", err)), nil`
			`}`
			`if len(sresult.Entries) != 1 {`
- added another method to search LDAP groups by querying the userDN for memberOf attribute 2016-03-21 14:55:38 +00:00			`return nil, logical.ErrorResponse("LDAP search for binddn 0 or not unique"), nil`
add binddn/bindpath to search for the users bind DN 2016-01-26 14:56:41 +00:00			`}`
			`binddn = sresult.Entries[0].DN`
ldap: add ability to login with a userPrincipalName (user@upndomain) 2015-07-14 22:37:46 +00:00			`} else {`
add binddn/bindpath to search for the users bind DN 2016-01-26 14:56:41 +00:00			`if cfg.UPNDomain != "" {`
			`binddn = fmt.Sprintf("%s@%s", EscapeLDAPValue(username), cfg.UPNDomain)`
			`} else {`
			`binddn = fmt.Sprintf("%s=%s,%s", cfg.UserAttr, EscapeLDAPValue(username), cfg.UserDN)`
			`}`
ldap: add ability to login with a userPrincipalName (user@upndomain) 2015-07-14 22:37:46 +00:00			`}`
auth/ldap: implement login renew 2015-05-08 07:28:26 +00:00			`if err = c.Bind(binddn, password); err != nil {`
			`return nil, logical.ErrorResponse(fmt.Sprintf("LDAP bind failed: %v", err)), nil`
			`}`

ldap: add ability to login with a userPrincipalName (user@upndomain) 2015-07-14 22:37:46 +00:00			`userdn := ""`
- added another method to search LDAP groups by querying the userDN for memberOf attribute 2016-03-21 14:55:38 +00:00			`ldapGroups := make(map[string]bool)`
ldap: add ability to login with a userPrincipalName (user@upndomain) 2015-07-14 22:37:46 +00:00			`if cfg.UPNDomain != "" {`
			`// Find the distinguished name for the user if userPrincipalName used for login`
- added another method to search LDAP groups by querying the userDN for memberOf attribute 2016-03-21 14:55:38 +00:00			`// and the groups from memberOf attributes`
ldap: add ability to login with a userPrincipalName (user@upndomain) 2015-07-14 22:37:46 +00:00			`sresult, err := c.Search(&ldap.SearchRequest{`
			`BaseDN: cfg.UserDN,`
			`Scope: 2, // subtree`
Properly escape filter values. Fixes #1030 2016-02-19 18:16:52 +00:00			`Filter: fmt.Sprintf("(userPrincipalName=%s)", ldap.EscapeFilter(binddn)),`
ldap: add ability to login with a userPrincipalName (user@upndomain) 2015-07-14 22:37:46 +00:00			`})`
			`if err != nil {`
			`return nil, logical.ErrorResponse(fmt.Sprintf("LDAP search failed: %v", err)), nil`
			`}`
			`for _, e := range sresult.Entries {`
			`userdn = e.DN`
- added another method to search LDAP groups by querying the userDN for memberOf attribute 2016-03-21 14:55:38 +00:00			`// Find the groups the user is member of from the 'memberOf' attribute extracting the CN`
			`for _,dnAttr := range e.Attributes {`
			`if dnAttr.Name == "memberOf" {`
			`for _,value := range dnAttr.Values {`
			`memberOfDN, err := ldap.ParseDN(value)`
- updated LDAP group search by iterating through all the attributes and searching for CN value instead of assuming the CN is always the first attribute from the RDN list 2016-03-21 17:44:08 +00:00			`if err != nil {`
			`return nil, nil, err`
			`}`

			`for _, rdn := range memberOfDN.RDNs {`
			`for _, rdnTypeAndValue := range rdn.Attributes {`
			`if strings.EqualFold(rdnTypeAndValue.Type, "CN") {`
			`ldapGroups[rdnTypeAndValue.Value] = true`
			`}`
			`}`
- added another method to search LDAP groups by querying the userDN for memberOf attribute 2016-03-21 14:55:38 +00:00			`}`
			`}`
			`}`
			`}`
ldap: add ability to login with a userPrincipalName (user@upndomain) 2015-07-14 22:37:46 +00:00			`}`
			`} else {`
			`userdn = binddn`
			`}`

If no group DN is configured, still look for policies on local users and return a warning, rather than just trying to do an LDAP search on an empty string. 2016-04-02 17:11:36 +00:00			`resp := &logical.Response{`
			`Data: map[string]interface{}{},`
			`}`
- added another method to search LDAP groups by querying the userDN for memberOf attribute 2016-03-21 14:55:38 +00:00			`// Find groups by searching in groupDN for any of the memberUid, member or uniqueMember attributes`
- updated LDAP group search by iterating through all the attributes and searching for CN value instead of assuming the CN is always the first attribute from the RDN list 2016-03-21 17:44:08 +00:00			`// and retrieving the CN in the DN result`
If no group DN is configured, still look for policies on local users and return a warning, rather than just trying to do an LDAP search on an empty string. 2016-04-02 17:11:36 +00:00			`if cfg.GroupDN != "" {`
			`sresult, err := c.Search(&ldap.SearchRequest{`
			`BaseDN: cfg.GroupDN,`
			`Scope: 2, // subtree`
			`Filter: fmt.Sprintf("(\|(memberUid=%s)(member=%s)(uniqueMember=%s))", ldap.EscapeFilter(username), ldap.EscapeFilter(userdn), ldap.EscapeFilter(userdn)),`
			`})`
- updated LDAP group search by iterating through all the attributes and searching for CN value instead of assuming the CN is always the first attribute from the RDN list 2016-03-21 17:44:08 +00:00			`if err != nil {`
If no group DN is configured, still look for policies on local users and return a warning, rather than just trying to do an LDAP search on an empty string. 2016-04-02 17:11:36 +00:00			`return nil, logical.ErrorResponse(fmt.Sprintf("LDAP search failed: %v", err)), nil`
- updated LDAP group search by iterating through all the attributes and searching for CN value instead of assuming the CN is always the first attribute from the RDN list 2016-03-21 17:44:08 +00:00			`}`
Merge remote-tracking branch 'upstream/master' Conflicts: builtin/credential/ldap/backend.go 2016-04-26 10:16:42 +00:00
If no group DN is configured, still look for policies on local users and return a warning, rather than just trying to do an LDAP search on an empty string. 2016-04-02 17:11:36 +00:00			`for _, e := range sresult.Entries {`
			`dn, err := ldap.ParseDN(e.DN)`
Merge remote-tracking branch 'upstream/master' Conflicts: builtin/credential/ldap/backend.go 2016-04-26 10:16:42 +00:00			`if err != nil {`
			`return nil, nil, err`
			`}`
			`for _, rdn := range dn.RDNs {`
			`for _, rdnTypeAndValue := range rdn.Attributes {`
			`if strings.EqualFold(rdnTypeAndValue.Type, "CN" ) {`
			`ldapGroups[rdnTypeAndValue.Value] = true`
			`}`
- updated LDAP group search by iterating through all the attributes and searching for CN value instead of assuming the CN is always the first attribute from the RDN list 2016-03-21 17:44:08 +00:00			`}`
			`}`
Fixing merge conflict 2015-06-29 21:50:55 +00:00			`}`
ldap: change setting user policies to setting user groups 2015-07-17 21:40:06 +00:00			`}`
Merge remote-tracking branch 'upstream/master' Conflicts: builtin/credential/ldap/backend.go 2016-04-26 10:16:42 +00:00
			`if len(ldapGroups) == 0 {`
- fixed merge with upstream master 2016-04-26 10:23:43 +00:00			`errString := fmt.Sprintf(`
			`"no LDAP groups found in user DN '%s' or group DN '%s';only policies from locally-defined groups available",`
			`cfg.UserDN,`
			`cfg.GroupDN)`
			`resp.AddWarning(errString)`
Merge remote-tracking branch 'upstream/master' Conflicts: builtin/credential/ldap/backend.go 2016-04-26 10:16:42 +00:00			`}`
- fixed merge with upstream master 2016-04-26 10:23:43 +00:00
- added another method to search LDAP groups by querying the userDN for memberOf attribute 2016-03-21 14:55:38 +00:00			`var allgroups []string`
			`// Import the custom added groups from ldap backend`
			`user, err := b.User(req.Storage, username)`
			`if err == nil && user != nil {`
			`allgroups = append(allgroups, user.Groups...)`
			`}`
			`// add the LDAP groups`
			`for key, _ := range ldapGroups {`
			`allgroups = append(allgroups, key)`
			`}`

			`// Retrieve policies`
			`var policies []string`
ldap: change setting user policies to setting user groups 2015-07-17 21:40:06 +00:00			`for _, gname := range allgroups {`
auth/ldap: implement login renew 2015-05-08 07:28:26 +00:00			`group, err := b.Group(req.Storage, gname)`
			`if err == nil && group != nil {`
			`policies = append(policies, group.Policies...)`
			`}`
			`}`

			`if len(policies) == 0 {`
Some fixups around error/warning in LDAP 2016-04-02 17:33:00 +00:00			`errStr := "user is not a member of any authorized group"`
			`if len(resp.Warnings()) > 0 {`
			`errStr = fmt.Sprintf("%s; additionally, %s", errStr, resp.Warnings()[0])`
			`}`

			`resp.Data["error"] = errStr`
If no group DN is configured, still look for policies on local users and return a warning, rather than just trying to do an LDAP search on an empty string. 2016-04-02 17:11:36 +00:00			`return nil, resp, nil`
auth/ldap: implement login renew 2015-05-08 07:28:26 +00:00			`}`

If no group DN is configured, still look for policies on local users and return a warning, rather than just trying to do an LDAP search on an empty string. 2016-04-02 17:11:36 +00:00			`return policies, resp, nil`
auth/ldap: implement login renew 2015-05-08 07:28:26 +00:00			`}`

Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			const backendHelp = `
			`The "ldap" credential provider allows authentication querying`
			`a LDAP server, checking username and password, and associating groups`
			`to set of policies.`

			`Configuration of the server is done through the "config" and "groups"`
			`endpoints by a user with root access. Authentication is then done`
			`by suppying the two fields for "login".`
			`