ldap

package

v0.0.0-...-c3b95e6 Latest Latest Go to latest Published: Mar 16, 2023 License: Apache-2.0 Imports: 10 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/adminium/dex

Links

Open Source Insights

Documentation ¶

Overview ¶

Package ldap implements strategies for authenticating using the LDAP protocol.

Index ¶

type Config
- func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error)
- func (c *Config) OpenConnector(logger log.Logger) (interface{ ... }, error)
type UserMatcher

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Config ¶

type Config struct {
	// The host and optional port of the LDAP server. If port isn't supplied, it will be
	// guessed based on the TLS configuration. 389 or 636.
	Host string `json:"host"`

	// Required if LDAP host does not use TLS.
	InsecureNoSSL bool `json:"insecureNoSSL"`

	// Don't verify the CA.
	InsecureSkipVerify bool `json:"insecureSkipVerify"`

	// Connect to the insecure port then issue a StartTLS command to negotiate a
	// secure connection. If unsupplied secure connections will use the LDAPS
	// protocol.
	StartTLS bool `json:"startTLS"`

	// Path to a trusted root certificate file.
	RootCA string `json:"rootCA"`
	// Path to a client cert file generated by rootCA.
	ClientCert string `json:"clientCert"`
	// Path to a client private key file generated by rootCA.
	ClientKey string `json:"clientKey"`
	// Base64 encoded PEM data containing root CAs.
	RootCAData []byte `json:"rootCAData"`

	// BindDN and BindPW for an application service account. The connector uses these
	// credentials to search for users and groups.
	BindDN string `json:"bindDN"`
	BindPW string `json:"bindPW"`

	// UsernamePrompt allows users to override the username attribute (displayed
	// in the username/password prompt). If unset, the handler will use
	// "Username".
	UsernamePrompt string `json:"usernamePrompt"`

	// User entry search configuration.
	UserSearch struct {
		// BaseDN to start the search from. For example "cn=users,dc=example,dc=com"
		BaseDN string `json:"baseDN"`

		// Optional filter to apply when searching the directory. For example "(objectClass=person)"
		Filter string `json:"filter"`

		// Attribute to match against the inputted username. This will be translated and combined
		// with the other filter as "(<attr>=<username>)".
		Username string `json:"username"`

		// Can either be:
		// * "sub" - search the whole sub tree
		// * "one" - only search one level
		Scope string `json:"scope"`

		// A mapping of attributes on the user entry to claims.
		IDAttr                    string `json:"idAttr"`                // Defaults to "uid"
		EmailAttr                 string `json:"emailAttr"`             // Defaults to "mail"
		NameAttr                  string `json:"nameAttr"`              // No default.
		PreferredUsernameAttrAttr string `json:"preferredUsernameAttr"` // No default.

		// If this is set, the email claim of the id token will be constructed from the idAttr and
		// value of emailSuffix. This should not include the @ character.
		EmailSuffix string `json:"emailSuffix"` // No default.
	} `json:"userSearch"`

	// Group search configuration.
	GroupSearch struct {
		// BaseDN to start the search from. For example "cn=groups,dc=example,dc=com"
		BaseDN string `json:"baseDN"`

		// Optional filter to apply when searching the directory. For example "(objectClass=posixGroup)"
		Filter string `json:"filter"`

		Scope string `json:"scope"` // Defaults to "sub"

		// DEPRECATED config options. Those are left for backward compatibility.
		// See "UserMatchers" below for the current group to user matching implementation
		// TODO: should be eventually removed from the code
		UserAttr  string `json:"userAttr"`
		GroupAttr string `json:"groupAttr"`

		// Array of the field pairs used to match a user to a group.
		// See the "UserMatcher" struct for the exact field names
		//
		// Each pair adds an additional requirement to the filter that an attribute in the group
		// match the user's attribute value. For example that the "members" attribute of
		// a group matches the "uid" of the user. The exact filter being added is:
		//
		//   (userMatchers[n].<groupAttr>=userMatchers[n].<userAttr value>)
		//
		UserMatchers []UserMatcher `json:"userMatchers"`

		// The attribute of the group that represents its name.
		NameAttr string `json:"nameAttr"`
	} `json:"groupSearch"`
}

Config holds configuration options for LDAP logins.

func (*Config) Open ¶

func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error)

Open returns an authentication strategy using LDAP.

func (*Config) OpenConnector ¶

func (c *Config) OpenConnector(logger log.Logger) (interface {
	connector.Connector
	connector.PasswordConnector
	connector.RefreshConnector
}, error,
)

OpenConnector is the same as Open but returns a type with all implemented connector interfaces.

type UserMatcher ¶

type UserMatcher struct {
	UserAttr  string `json:"userAttr"`
	GroupAttr string `json:"groupAttr"`
}

UserMatcher holds information about user and group matching.

Source Files ¶

View all Source files

ldap.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL