ldapauth

package
v0.0.0-...-3674750 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 19, 2024 License: MIT Imports: 19 Imported by: 0

Documentation

Overview

The LDAP authentication package forwards the credentials in the user session request for authentication with a configured upstream LDAP server

This package relies on the two following local database tables: 

ldap_sessions: 	Upon successful LDAP response, creates a keyed local copy of the user email
ldap_user_api_tokens: User created API tokens, tied to the node, storing user email.

Note: user can have only one API token at a time, and token expiration is enforced

User session and roles are cached and revalidated with the upstream service at the interval defined in the local LDAP config through the Application.sessionReaper implementation in reaper.go.

Changes to the upstream identity server will propagate through and update local tables (web sessions, API tokens) by either removing the entries or updating the roles. This sync happens for every auth endpoint hit, and via the defined sync interval. One goroutine is created to coordinate the sync timing in the New function

This implementation is read only; user mutation actions such as Delete are not supported.

MFA is supported via the remote LDAP server implementation. Sufficient request time out should accommodate for a blocking auth call while the user responds to a potential push notification callback.

Index

Constants

View Source 
const (
	UniqueMemberAttribute = "uniqueMember"
)

Variables

View Source 
var ErrUserNoLDAPGroups = errors.New("user present in directory, but matching no role groups assigned")
View Source 
var ErrUserNotInUpstream = errors.New("LDAP query returned no matching users")

Functions

func GroupSearchResultsToUserRole 

func GroupSearchResultsToUserRole(ldapGroups []*ldap.Entry, adminCN string, editCN string, runCN string, readCN string) (sessions.UserRole, error)

func NewLDAPAuthenticator 

func NewLDAPAuthenticator(
	db *sqlx.DB,
	pgCfg pg.QConfig,
	ldapCfg config.LDAP,
	dev bool,
	lggr logger.Logger,
	auditLogger audit.AuditLogger,
) (*ldapAuthenticator, error)

func NewLDAPServerStateSync 

func NewLDAPServerStateSync(
	db *sqlx.DB,
	pgCfg pg.QConfig,
	config config.LDAP,
	lggr logger.Logger,
) *utils.SleeperTask

NewLDAPServerStateSync creates a reaper that cleans stale sessions from the store.

Types

type LDAPClient 

type LDAPClient interface {
	CreateEphemeralConnection() (LDAPConn, error)
}

Wrapper for creating a handle to a *ldap.Conn/LDAPConn interface

type LDAPConn 

type LDAPConn interface {
	Search(searchRequest *ldap.SearchRequest) (*ldap.SearchResult, error)
	Bind(username string, password string) error
	Close() (err error)
}

Wrapper for ldap connection and mock testing, implemented by *ldap.Conn

type LDAPServerStateSyncer 

type LDAPServerStateSyncer struct {
	// contains filtered or unexported fields
}

func (*LDAPServerStateSyncer) Name 

func (ldSync *LDAPServerStateSyncer) Name() string

func (*LDAPServerStateSyncer) StartWorkOnTimer 

func (ldSync *LDAPServerStateSyncer) StartWorkOnTimer()

func (*LDAPServerStateSyncer) Work 

func (ldSync *LDAPServerStateSyncer) Work()

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.