2021-04-19 23:30:27 +01:00
|
|
|
package ldap
|
|
|
|
|
|
|
|
import (
|
2021-05-16 20:07:01 +01:00
|
|
|
"context"
|
2021-07-13 17:24:18 +01:00
|
|
|
"crypto/tls"
|
2021-04-26 10:53:06 +01:00
|
|
|
"errors"
|
|
|
|
"fmt"
|
2021-07-20 10:03:09 +01:00
|
|
|
"net"
|
2021-05-08 19:59:31 +01:00
|
|
|
"net/http"
|
2021-04-26 10:53:06 +01:00
|
|
|
"strings"
|
2021-05-08 19:59:31 +01:00
|
|
|
"sync"
|
2021-04-26 10:53:06 +01:00
|
|
|
|
2021-05-04 23:03:19 +01:00
|
|
|
"github.com/go-openapi/strfmt"
|
2021-07-20 10:03:09 +01:00
|
|
|
"github.com/pires/go-proxyproto"
|
2021-04-19 23:30:27 +01:00
|
|
|
log "github.com/sirupsen/logrus"
|
|
|
|
)
|
|
|
|
|
|
|
|
func (ls *LDAPServer) Refresh() error {
|
2021-05-16 20:35:23 +01:00
|
|
|
outposts, _, err := ls.ac.Client.OutpostsApi.OutpostsLdapList(context.Background()).Execute()
|
2021-04-26 10:53:06 +01:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2021-05-16 20:07:01 +01:00
|
|
|
if len(outposts.Results) < 1 {
|
2021-04-26 10:53:06 +01:00
|
|
|
return errors.New("no ldap provider defined")
|
|
|
|
}
|
2021-05-16 20:07:01 +01:00
|
|
|
providers := make([]*ProviderInstance, len(outposts.Results))
|
|
|
|
for idx, provider := range outposts.Results {
|
|
|
|
userDN := strings.ToLower(fmt.Sprintf("ou=users,%s", *provider.BaseDn))
|
|
|
|
groupDN := strings.ToLower(fmt.Sprintf("ou=groups,%s", *provider.BaseDn))
|
2021-07-13 17:24:18 +01:00
|
|
|
logger := log.WithField("logger", "authentik.outpost.ldap").WithField("provider", provider.Name)
|
2021-04-26 10:53:06 +01:00
|
|
|
providers[idx] = &ProviderInstance{
|
2021-05-16 20:07:01 +01:00
|
|
|
BaseDN: *provider.BaseDn,
|
2021-05-04 23:03:19 +01:00
|
|
|
GroupDN: groupDN,
|
|
|
|
UserDN: userDN,
|
2021-05-16 20:07:01 +01:00
|
|
|
appSlug: provider.ApplicationSlug,
|
|
|
|
flowSlug: provider.BindFlowSlug,
|
|
|
|
searchAllowedGroups: []*strfmt.UUID{(*strfmt.UUID)(provider.SearchGroup.Get())},
|
2021-05-08 19:59:31 +01:00
|
|
|
boundUsersMutex: sync.RWMutex{},
|
|
|
|
boundUsers: make(map[string]UserFlags),
|
2021-05-04 23:03:19 +01:00
|
|
|
s: ls,
|
2021-07-17 20:24:11 +01:00
|
|
|
log: logger,
|
2021-07-13 17:24:18 +01:00
|
|
|
tlsServerName: provider.TlsServerName,
|
2021-07-14 19:37:27 +01:00
|
|
|
uidStartNumber: *provider.UidStartNumber,
|
|
|
|
gidStartNumber: *provider.GidStartNumber,
|
2021-07-13 17:24:18 +01:00
|
|
|
}
|
|
|
|
if provider.Certificate.Get() != nil {
|
2021-07-21 22:53:43 +01:00
|
|
|
kp := provider.Certificate.Get()
|
|
|
|
err := ls.cs.AddKeypair(*kp)
|
2021-07-13 17:24:18 +01:00
|
|
|
if err != nil {
|
2021-07-21 22:53:43 +01:00
|
|
|
ls.log.WithError(err).Warning("Failed to initially fetch certificate")
|
2021-07-13 17:24:18 +01:00
|
|
|
}
|
2021-07-21 22:53:43 +01:00
|
|
|
providers[idx].cert = ls.cs.Get(*kp)
|
2021-04-26 10:53:06 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
ls.providers = providers
|
|
|
|
ls.log.Info("Update providers")
|
2021-04-19 23:30:27 +01:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2021-06-06 22:07:13 +01:00
|
|
|
func (ls *LDAPServer) StartHTTPServer() error {
|
|
|
|
listen := "0.0.0.0:4180" // same port as proxy
|
|
|
|
m := http.NewServeMux()
|
|
|
|
m.HandleFunc("/akprox/ping", func(rw http.ResponseWriter, r *http.Request) {
|
|
|
|
rw.WriteHeader(204)
|
|
|
|
})
|
|
|
|
ls.log.WithField("listen", listen).Info("Starting http server")
|
|
|
|
return http.ListenAndServe(listen, m)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (ls *LDAPServer) StartLDAPServer() error {
|
2021-04-26 13:46:29 +01:00
|
|
|
listen := "0.0.0.0:3389"
|
2021-07-20 10:03:09 +01:00
|
|
|
|
|
|
|
ln, err := net.Listen("tcp", listen)
|
|
|
|
if err != nil {
|
|
|
|
ls.log.Fatalf("FATAL: listen (%s) failed - %s", listen, err)
|
|
|
|
}
|
|
|
|
proxyListener := &proxyproto.Listener{Listener: ln}
|
|
|
|
defer proxyListener.Close()
|
|
|
|
|
2021-06-06 22:07:13 +01:00
|
|
|
ls.log.WithField("listen", listen).Info("Starting ldap server")
|
2021-07-20 10:03:09 +01:00
|
|
|
err = ls.s.Serve(proxyListener)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
ls.log.Printf("closing %s", ln.Addr())
|
2021-06-06 22:07:13 +01:00
|
|
|
return ls.s.ListenAndServe(listen)
|
|
|
|
}
|
|
|
|
|
2021-07-13 17:24:18 +01:00
|
|
|
func (ls *LDAPServer) StartLDAPTLSServer() error {
|
|
|
|
listen := "0.0.0.0:6636"
|
|
|
|
tlsConfig := &tls.Config{
|
|
|
|
MinVersion: tls.VersionTLS12,
|
|
|
|
MaxVersion: tls.VersionTLS12,
|
|
|
|
GetCertificate: ls.getCertificates,
|
|
|
|
}
|
|
|
|
|
2021-07-20 14:25:11 +01:00
|
|
|
ln, err := net.Listen("tcp", listen)
|
2021-07-13 17:24:18 +01:00
|
|
|
if err != nil {
|
|
|
|
ls.log.Fatalf("FATAL: listen (%s) failed - %s", listen, err)
|
|
|
|
}
|
2021-07-20 14:25:11 +01:00
|
|
|
|
2021-07-20 10:03:09 +01:00
|
|
|
proxyListener := &proxyproto.Listener{Listener: ln}
|
|
|
|
defer proxyListener.Close()
|
|
|
|
|
2021-07-20 14:25:11 +01:00
|
|
|
tln := tls.NewListener(proxyListener, tlsConfig)
|
|
|
|
|
2021-07-13 17:24:18 +01:00
|
|
|
ls.log.WithField("listen", listen).Info("Starting ldap tls server")
|
2021-07-20 14:25:11 +01:00
|
|
|
err = ls.s.Serve(tln)
|
2021-07-13 17:24:18 +01:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
ls.log.Printf("closing %s", ln.Addr())
|
|
|
|
return ls.s.ListenAndServe(listen)
|
|
|
|
}
|
|
|
|
|
2021-06-06 22:07:13 +01:00
|
|
|
func (ls *LDAPServer) Start() error {
|
|
|
|
wg := sync.WaitGroup{}
|
2021-07-13 17:24:18 +01:00
|
|
|
wg.Add(3)
|
2021-06-06 22:07:13 +01:00
|
|
|
go func() {
|
|
|
|
defer wg.Done()
|
|
|
|
err := ls.StartHTTPServer()
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
go func() {
|
|
|
|
defer wg.Done()
|
|
|
|
err := ls.StartLDAPServer()
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
}()
|
2021-07-13 17:24:18 +01:00
|
|
|
go func() {
|
|
|
|
defer wg.Done()
|
|
|
|
err := ls.StartLDAPTLSServer()
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
}()
|
2021-06-06 22:07:13 +01:00
|
|
|
wg.Wait()
|
2021-04-19 23:30:27 +01:00
|
|
|
return nil
|
|
|
|
}
|