Documentation ¶
Overview ¶
Package ldap implements strategies for authenticating using the LDAP protocol.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Config ¶
type Config struct { // The host and optional port of the LDAP server. If port isn't supplied, it will be // guessed based on the TLS configuration. 389 or 636. Host string `json:"host"` // Required if LDAP host does not use TLS. InsecureNoSSL bool `json:"insecureNoSSL"` // Don't verify the CA. InsecureSkipVerify bool `json:"insecureSkipVerify"` // Connect to the insecure port then issue a StartTLS command to negotiate a // secure connection. If unsupplied secure connections will use the LDAPS // protocol. StartTLS bool `json:"startTLS"` // Path to a trusted root certificate file. RootCA string `json:"rootCA"` // Path to a client cert file generated by rootCA. ClientCert string `json:"clientCert"` // Path to a client private key file generated by rootCA. ClientKey string `json:"clientKey"` // Base64 encoded PEM data containing root CAs. RootCAData []byte `json:"rootCAData"` // BindDN and BindPW for an application service account. The connector uses these // credentials to search for users and groups. BindDN string `json:"bindDN"` BindPW string `json:"bindPW"` // UsernamePrompt allows users to override the username attribute (displayed // in the username/password prompt). If unset, the handler will use // "Username". UsernamePrompt string `json:"usernamePrompt"` // User entry search configuration. UserSearch struct { // BaseDN to start the search from. For example "cn=users,dc=example,dc=com" BaseDN string `json:"baseDN"` // Optional filter to apply when searching the directory. For example "(objectClass=person)" Filter string `json:"filter"` // Attribute to match against the inputted username. This will be translated and combined // with the other filter as "(<attr>=<username>)". Username string `json:"username"` // Can either be: // * "sub" - search the whole sub tree // * "one" - only search one level Scope string `json:"scope"` // A mapping of attributes on the user entry to claims. IDAttr string `json:"idAttr"` // Defaults to "uid" EmailAttr string `json:"emailAttr"` // Defaults to "mail" NameAttr string `json:"nameAttr"` // No default. } `json:"userSearch"` // Group search configuration. GroupSearch struct { // BaseDN to start the search from. For example "cn=groups,dc=example,dc=com" BaseDN string `json:"baseDN"` // Optional filter to apply when searching the directory. For example "(objectClass=posixGroup)" Filter string `json:"filter"` Scope string `json:"scope"` // Defaults to "sub" // These two fields are use to match a user to a group. // // It adds an additional requirement to the filter that an attribute in the group // match the user's attribute value. For example that the "members" attribute of // a group matches the "uid" of the user. The exact filter being added is: // // (<groupAttr>=<userAttr value>) // UserAttr string `json:"userAttr"` GroupAttr string `json:"groupAttr"` // The attribute of the group that represents its name. NameAttr string `json:"nameAttr"` } `json:"groupSearch"` }
Config holds the configuration parameters for the LDAP connector. The LDAP connectors require executing two queries, the first to find the user based on the username and password given to the connector. The second to use the user entry to search for groups.
An example config:
type: ldap config: host: ldap.example.com:636 # The following field is required if using port 389. # insecureNoSSL: true rootCA: /etc/dex/ldap.ca bindDN: uid=seviceaccount,cn=users,dc=example,dc=com bindPW: password userSearch: # Would translate to the query "(&(objectClass=person)(uid=<username>))" baseDN: cn=users,dc=example,dc=com filter: "(objectClass=person)" username: uid idAttr: uid emailAttr: mail nameAttr: name groupSearch: # Would translate to the query "(&(objectClass=group)(member=<user uid>))" baseDN: cn=groups,dc=example,dc=com filter: "(objectClass=group)" userAttr: uid # Use if full DN is needed and not available as any other attribute # Will only work if "DN" attribute does not exist in the record # userAttr: DN groupAttr: member nameAttr: name
func (*Config) Open ¶
Open returns an authentication strategy using LDAP.
func (*Config) OpenConnector ¶
func (c *Config) OpenConnector(logger logrus.FieldLogger) (interface { connector.Connector connector.PasswordConnector connector.RefreshConnector }, error)
OpenConnector is the same as Open but returns a type with all implemented connector interfaces.
Click to show internal directories.
Click to hide internal directories.