2015-08-16 09:31:54 +03:00
// Copyright 2014 The Gogs Authors. All rights reserved.
2020-09-10 18:30:07 +03:00
// Copyright 2020 The Gitea Authors. All rights reserved.
2022-11-27 21:20:29 +03:00
// SPDX-License-Identifier: MIT
2014-04-22 20:55:27 +04:00
package ldap
import (
2015-09-14 22:48:51 +03:00
"crypto/tls"
2014-04-22 20:55:27 +04:00
"fmt"
2021-08-11 23:42:58 +03:00
"net"
"strconv"
2015-10-27 04:08:59 +03:00
"strings"
2014-05-03 06:48:14 +04:00
2023-02-08 09:44:42 +03:00
"code.gitea.io/gitea/modules/container"
2016-11-10 19:24:48 +03:00
"code.gitea.io/gitea/modules/log"
2019-02-18 15:34:37 +03:00
2020-10-15 22:27:33 +03:00
"github.com/go-ldap/ldap/v3"
2014-04-22 20:55:27 +04:00
)
2017-05-10 16:10:18 +03:00
// SearchResult : user data
type SearchResult struct {
2023-02-08 09:44:42 +03:00
Username string // Username
Name string // Name
Surname string // Surname
Mail string // E-mail address
SSHPublicKey [ ] string // SSH Public Key
IsAdmin bool // if user is administrator
IsRestricted bool // if user is restricted
LowerName string // LowerName
Avatar [ ] byte
Groups container . Set [ string ]
2017-05-10 16:10:18 +03:00
}
2022-06-20 13:02:49 +03:00
func ( source * Source ) sanitizedUserQuery ( username string ) ( string , bool ) {
2015-10-27 04:08:59 +03:00
// See http://tools.ietf.org/search/rfc4515
badCharacters := "\x00()*\\"
if strings . ContainsAny ( username , badCharacters ) {
log . Debug ( "'%s' contains invalid query characters. Aborting." , username )
return "" , false
}
2022-06-20 13:02:49 +03:00
return fmt . Sprintf ( source . Filter , username ) , true
2015-10-27 04:08:59 +03:00
}
2022-06-20 13:02:49 +03:00
func ( source * Source ) sanitizedUserDN ( username string ) ( string , bool ) {
2015-10-27 04:08:59 +03:00
// See http://tools.ietf.org/search/rfc4514: "special characters"
2017-11-13 12:32:16 +03:00
badCharacters := "\x00()*\\,='\"#+;<>"
2015-10-27 04:08:59 +03:00
if strings . ContainsAny ( username , badCharacters ) {
log . Debug ( "'%s' contains invalid DN characters. Aborting." , username )
return "" , false
}
2022-06-20 13:02:49 +03:00
return fmt . Sprintf ( source . UserDN , username ) , true
2015-10-27 04:08:59 +03:00
}
2022-06-20 13:02:49 +03:00
func ( source * Source ) sanitizedGroupFilter ( group string ) ( string , bool ) {
2020-09-10 18:30:07 +03:00
// See http://tools.ietf.org/search/rfc4515
badCharacters := "\x00*\\"
if strings . ContainsAny ( group , badCharacters ) {
log . Trace ( "Group filter invalid query characters: %s" , group )
return "" , false
}
return group , true
}
2022-06-20 13:02:49 +03:00
func ( source * Source ) sanitizedGroupDN ( groupDn string ) ( string , bool ) {
2020-09-10 18:30:07 +03:00
// See http://tools.ietf.org/search/rfc4514: "special characters"
badCharacters := "\x00()*\\'\"#+;<>"
if strings . ContainsAny ( groupDn , badCharacters ) || strings . HasPrefix ( groupDn , " " ) || strings . HasSuffix ( groupDn , " " ) {
log . Trace ( "Group DN contains invalid query characters: %s" , groupDn )
return "" , false
}
return groupDn , true
}
2022-06-20 13:02:49 +03:00
func ( source * Source ) findUserDN ( l * ldap . Conn , name string ) ( string , bool ) {
2015-08-13 02:58:27 +03:00
log . Trace ( "Search for LDAP user: %s" , name )
// A search for the user.
2022-06-20 13:02:49 +03:00
userFilter , ok := source . sanitizedUserQuery ( name )
2015-10-27 04:08:59 +03:00
if ! ok {
return "" , false
}
2022-06-20 13:02:49 +03:00
log . Trace ( "Searching for DN using filter %s and base %s" , userFilter , source . UserBase )
2015-08-13 02:58:27 +03:00
search := ldap . NewSearchRequest (
2022-06-20 13:02:49 +03:00
source . UserBase , ldap . ScopeWholeSubtree , ldap . NeverDerefAliases , 0 , 0 ,
2015-08-13 02:58:27 +03:00
false , userFilter , [ ] string { } , nil )
// Ensure we found a user
sr , err := l . Search ( search )
if err != nil || len ( sr . Entries ) < 1 {
2015-08-17 23:03:11 +03:00
log . Debug ( "Failed search using filter[%s]: %v" , userFilter , err )
2015-08-16 09:31:54 +03:00
return "" , false
2015-08-13 02:58:27 +03:00
} else if len ( sr . Entries ) > 1 {
log . Debug ( "Filter '%s' returned more than one user." , userFilter )
2015-08-16 09:31:54 +03:00
return "" , false
2014-04-22 20:55:27 +04:00
}
2015-08-13 02:58:27 +03:00
2015-08-16 09:31:54 +03:00
userDN := sr . Entries [ 0 ] . DN
2015-08-13 02:58:27 +03:00
if userDN == "" {
2019-04-02 10:48:31 +03:00
log . Error ( "LDAP search was successful, but found no DN!" )
2015-08-16 09:31:54 +03:00
return "" , false
2015-08-13 02:58:27 +03:00
}
2015-08-16 09:31:54 +03:00
return userDN , true
2014-04-22 20:55:27 +04:00
}
2021-08-11 23:42:58 +03:00
func dial ( source * Source ) ( * ldap . Conn , error ) {
log . Trace ( "Dialing LDAP with security protocol (%v) without verifying: %v" , source . SecurityProtocol , source . SkipVerify )
2016-07-08 02:25:09 +03:00
2021-08-11 23:42:58 +03:00
tlsConfig := & tls . Config {
ServerName : source . Host ,
InsecureSkipVerify : source . SkipVerify ,
2016-07-08 02:25:09 +03:00
}
2021-08-11 23:42:58 +03:00
if source . SecurityProtocol == SecurityProtocolLDAPS {
return ldap . DialTLS ( "tcp" , net . JoinHostPort ( source . Host , strconv . Itoa ( source . Port ) ) , tlsConfig )
2016-07-08 02:25:09 +03:00
}
2021-08-11 23:42:58 +03:00
conn , err := ldap . Dial ( "tcp" , net . JoinHostPort ( source . Host , strconv . Itoa ( source . Port ) ) )
2016-07-08 02:25:09 +03:00
if err != nil {
2022-10-24 22:29:17 +03:00
return nil , fmt . Errorf ( "error during Dial: %w" , err )
2016-07-08 02:25:09 +03:00
}
2021-08-11 23:42:58 +03:00
if source . SecurityProtocol == SecurityProtocolStartTLS {
if err = conn . StartTLS ( tlsConfig ) ; err != nil {
2016-07-08 02:25:09 +03:00
conn . Close ( )
2022-10-24 22:29:17 +03:00
return nil , fmt . Errorf ( "error during StartTLS: %w" , err )
2016-07-08 02:25:09 +03:00
}
}
return conn , nil
}
func bindUser ( l * ldap . Conn , userDN , passwd string ) error {
log . Trace ( "Binding with userDN: %s" , userDN )
err := l . Bind ( userDN , passwd )
if err != nil {
log . Debug ( "LDAP auth. failed for %s, reason: %v" , userDN , err )
return err
}
log . Trace ( "Bound successfully with userDN: %s" , userDN )
return err
}
2017-05-10 16:10:18 +03:00
func checkAdmin ( l * ldap . Conn , ls * Source , userDN string ) bool {
2020-03-05 09:30:33 +03:00
if len ( ls . AdminFilter ) == 0 {
return false
}
log . Trace ( "Checking admin with filter %s and base %s" , ls . AdminFilter , userDN )
search := ldap . NewSearchRequest (
userDN , ldap . ScopeWholeSubtree , ldap . NeverDerefAliases , 0 , 0 , false , ls . AdminFilter ,
[ ] string { ls . AttributeName } ,
nil )
2017-05-10 16:10:18 +03:00
2020-03-05 09:30:33 +03:00
sr , err := l . Search ( search )
2017-05-10 16:10:18 +03:00
2020-03-05 09:30:33 +03:00
if err != nil {
2021-09-11 01:46:27 +03:00
log . Error ( "LDAP Admin Search with filter %s for %s failed unexpectedly! (%v)" , ls . AdminFilter , userDN , err )
2020-03-05 09:30:33 +03:00
} else if len ( sr . Entries ) < 1 {
log . Trace ( "LDAP Admin Search found no matching entries." )
} else {
return true
}
return false
}
func checkRestricted ( l * ldap . Conn , ls * Source , userDN string ) bool {
if len ( ls . RestrictedFilter ) == 0 {
return false
}
if ls . RestrictedFilter == "*" {
return true
}
log . Trace ( "Checking restricted with filter %s and base %s" , ls . RestrictedFilter , userDN )
search := ldap . NewSearchRequest (
userDN , ldap . ScopeWholeSubtree , ldap . NeverDerefAliases , 0 , 0 , false , ls . RestrictedFilter ,
[ ] string { ls . AttributeName } ,
nil )
sr , err := l . Search ( search )
if err != nil {
2021-09-11 01:46:27 +03:00
log . Error ( "LDAP Restrictred Search with filter %s for %s failed unexpectedly! (%v)" , ls . RestrictedFilter , userDN , err )
2020-03-05 09:30:33 +03:00
} else if len ( sr . Entries ) < 1 {
log . Trace ( "LDAP Restricted Search found no matching entries." )
} else {
return true
2017-05-10 16:10:18 +03:00
}
return false
}
2022-02-11 17:24:58 +03:00
// List all group memberships of a user
2023-02-08 09:44:42 +03:00
func ( source * Source ) listLdapGroupMemberships ( l * ldap . Conn , uid string , applyGroupFilter bool ) container . Set [ string ] {
ldapGroups := make ( container . Set [ string ] )
2023-02-02 10:45:00 +03:00
groupFilter , ok := source . sanitizedGroupFilter ( source . GroupFilter )
if ! ok {
return ldapGroups
}
groupDN , ok := source . sanitizedGroupDN ( source . GroupDN )
if ! ok {
return ldapGroups
}
2023-02-08 09:44:42 +03:00
var searchFilter string
2023-03-29 12:54:36 +03:00
if applyGroupFilter && groupFilter != "" {
2023-02-02 10:45:00 +03:00
searchFilter = fmt . Sprintf ( "(&(%s)(%s=%s))" , groupFilter , source . GroupMemberUID , ldap . EscapeFilter ( uid ) )
} else {
searchFilter = fmt . Sprintf ( "(%s=%s)" , source . GroupMemberUID , ldap . EscapeFilter ( uid ) )
}
2022-02-11 17:24:58 +03:00
result , err := l . Search ( ldap . NewSearchRequest (
2023-02-02 10:45:00 +03:00
groupDN ,
2022-02-11 17:24:58 +03:00
ldap . ScopeWholeSubtree ,
ldap . NeverDerefAliases ,
0 ,
0 ,
false ,
2023-02-02 10:45:00 +03:00
searchFilter ,
2022-02-11 17:24:58 +03:00
[ ] string { } ,
nil ,
) )
if err != nil {
2023-02-02 10:45:00 +03:00
log . Error ( "Failed group search in LDAP with filter [%s]: %v" , searchFilter , err )
2022-02-11 17:24:58 +03:00
return ldapGroups
}
for _ , entry := range result . Entries {
if entry . DN == "" {
log . Error ( "LDAP search was successful, but found no DN!" )
continue
}
2023-02-08 09:44:42 +03:00
ldapGroups . Add ( entry . DN )
2022-02-11 17:24:58 +03:00
}
return ldapGroups
}
2023-02-02 10:45:00 +03:00
func ( source * Source ) getUserAttributeListedInGroup ( entry * ldap . Entry ) string {
if strings . ToLower ( source . UserUID ) == "dn" {
return entry . DN
}
return entry . GetAttributeValue ( source . UserUID )
}
2016-11-27 09:03:59 +03:00
// SearchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
2022-06-20 13:02:49 +03:00
func ( source * Source ) SearchEntry ( name , passwd string , directBind bool ) * SearchResult {
2016-12-12 03:46:51 +03:00
// See https://tools.ietf.org/search/rfc4513#section-5.1.2
if len ( passwd ) == 0 {
2019-04-02 10:48:31 +03:00
log . Debug ( "Auth. failed for %s, password cannot be empty" , name )
2017-05-10 16:10:18 +03:00
return nil
2016-12-12 03:46:51 +03:00
}
2022-06-20 13:02:49 +03:00
l , err := dial ( source )
2016-02-16 13:58:00 +03:00
if err != nil {
2022-06-20 13:02:49 +03:00
log . Error ( "LDAP Connect error, %s:%v" , source . Host , err )
source . Enabled = false
2017-05-10 16:10:18 +03:00
return nil
2016-02-16 13:58:00 +03:00
}
defer l . Close ( )
2015-09-05 06:39:23 +03:00
var userDN string
if directBind {
2022-06-20 13:02:49 +03:00
log . Trace ( "LDAP will bind directly via UserDN template: %s" , source . UserDN )
2015-10-27 04:08:59 +03:00
var ok bool
2022-06-20 13:02:49 +03:00
userDN , ok = source . sanitizedUserDN ( name )
2018-12-27 19:51:19 +03:00
2015-10-27 04:08:59 +03:00
if ! ok {
2017-05-10 16:10:18 +03:00
return nil
2015-10-27 04:08:59 +03:00
}
2018-12-27 19:51:19 +03:00
err = bindUser ( l , userDN , passwd )
if err != nil {
return nil
}
2022-06-20 13:02:49 +03:00
if source . UserBase != "" {
2018-12-27 19:51:19 +03:00
// not everyone has a CN compatible with input name so we need to find
// the real userDN in that case
2022-06-20 13:02:49 +03:00
userDN , ok = source . findUserDN ( l , name )
2018-12-27 19:51:19 +03:00
if ! ok {
return nil
}
}
2015-09-05 06:39:23 +03:00
} else {
log . Trace ( "LDAP will use BindDN." )
var found bool
2018-12-27 19:51:19 +03:00
2022-06-20 13:02:49 +03:00
if source . BindDN != "" && source . BindPassword != "" {
err := l . Bind ( source . BindDN , source . BindPassword )
2018-12-27 19:51:19 +03:00
if err != nil {
2022-06-20 13:02:49 +03:00
log . Debug ( "Failed to bind as BindDN[%s]: %v" , source . BindDN , err )
2018-12-27 19:51:19 +03:00
return nil
}
2022-06-20 13:02:49 +03:00
log . Trace ( "Bound as BindDN %s" , source . BindDN )
2018-12-27 19:51:19 +03:00
} else {
log . Trace ( "Proceeding with anonymous LDAP search." )
}
2022-06-20 13:02:49 +03:00
userDN , found = source . findUserDN ( l , name )
2015-09-05 06:39:23 +03:00
if ! found {
2017-05-10 16:10:18 +03:00
return nil
2015-09-05 06:39:23 +03:00
}
2015-08-13 02:58:27 +03:00
}
2022-06-20 13:02:49 +03:00
if ! source . AttributesInBind {
2016-02-16 14:33:16 +03:00
// binds user (checking password) before looking-up attributes in user context
err = bindUser ( l , userDN , passwd )
if err != nil {
2017-05-10 16:10:18 +03:00
return nil
2016-02-16 14:33:16 +03:00
}
2014-04-22 20:55:27 +04:00
}
2022-06-20 13:02:49 +03:00
userFilter , ok := source . sanitizedUserQuery ( name )
2015-10-27 04:08:59 +03:00
if ! ok {
2017-05-10 16:10:18 +03:00
return nil
2015-10-27 04:08:59 +03:00
}
2022-06-20 13:02:49 +03:00
isAttributeSSHPublicKeySet := len ( strings . TrimSpace ( source . AttributeSSHPublicKey ) ) > 0
isAtributeAvatarSet := len ( strings . TrimSpace ( source . AttributeAvatar ) ) > 0
2019-01-24 02:25:33 +03:00
2022-06-20 13:02:49 +03:00
attribs := [ ] string { source . AttributeUsername , source . AttributeName , source . AttributeSurname , source . AttributeMail }
if len ( strings . TrimSpace ( source . UserUID ) ) > 0 {
attribs = append ( attribs , source . UserUID )
2020-09-10 18:30:07 +03:00
}
2019-01-24 02:25:33 +03:00
if isAttributeSSHPublicKeySet {
2022-06-20 13:02:49 +03:00
attribs = append ( attribs , source . AttributeSSHPublicKey )
2019-01-24 02:25:33 +03:00
}
2021-09-27 05:39:36 +03:00
if isAtributeAvatarSet {
2022-06-20 13:02:49 +03:00
attribs = append ( attribs , source . AttributeAvatar )
2021-09-27 05:39:36 +03:00
}
2019-01-24 02:25:33 +03:00
2022-06-20 13:02:49 +03:00
log . Trace ( "Fetching attributes '%v', '%v', '%v', '%v', '%v', '%v', '%v' with filter '%s' and base '%s'" , source . AttributeUsername , source . AttributeName , source . AttributeSurname , source . AttributeMail , source . AttributeSSHPublicKey , source . AttributeAvatar , source . UserUID , userFilter , userDN )
2014-09-08 04:04:47 +04:00
search := ldap . NewSearchRequest (
2015-08-13 02:58:27 +03:00
userDN , ldap . ScopeWholeSubtree , ldap . NeverDerefAliases , 0 , 0 , false , userFilter ,
2019-01-24 02:25:33 +03:00
attribs , nil )
2015-08-13 02:58:27 +03:00
2014-04-22 20:55:27 +04:00
sr , err := l . Search ( search )
if err != nil {
2019-04-02 10:48:31 +03:00
log . Error ( "LDAP Search failed unexpectedly! (%v)" , err )
2017-05-10 16:10:18 +03:00
return nil
2015-08-13 02:58:27 +03:00
} else if len ( sr . Entries ) < 1 {
2015-09-05 06:39:23 +03:00
if directBind {
2019-01-19 22:57:27 +03:00
log . Trace ( "User filter inhibited user login." )
2015-09-05 06:39:23 +03:00
} else {
2019-01-19 22:57:27 +03:00
log . Trace ( "LDAP Search found no matching entries." )
2015-09-05 06:39:23 +03:00
}
2017-05-10 16:10:18 +03:00
return nil
2014-04-22 20:55:27 +04:00
}
2015-08-13 02:58:27 +03:00
2019-01-24 02:25:33 +03:00
var sshPublicKey [ ] string
2021-09-27 05:39:36 +03:00
var Avatar [ ] byte
2019-01-24 02:25:33 +03:00
2022-06-20 13:02:49 +03:00
username := sr . Entries [ 0 ] . GetAttributeValue ( source . AttributeUsername )
firstname := sr . Entries [ 0 ] . GetAttributeValue ( source . AttributeName )
surname := sr . Entries [ 0 ] . GetAttributeValue ( source . AttributeSurname )
mail := sr . Entries [ 0 ] . GetAttributeValue ( source . AttributeMail )
2020-09-10 18:30:07 +03:00
2019-01-24 02:25:33 +03:00
if isAttributeSSHPublicKeySet {
2022-06-20 13:02:49 +03:00
sshPublicKey = sr . Entries [ 0 ] . GetAttributeValues ( source . AttributeSSHPublicKey )
2019-01-24 02:25:33 +03:00
}
2023-02-02 10:45:00 +03:00
2022-06-20 13:02:49 +03:00
isAdmin := checkAdmin ( l , source , userDN )
2023-02-02 10:45:00 +03:00
2020-03-05 09:30:33 +03:00
var isRestricted bool
if ! isAdmin {
2022-06-20 13:02:49 +03:00
isRestricted = checkRestricted ( l , source , userDN )
2020-03-05 09:30:33 +03:00
}
2015-08-19 07:34:03 +03:00
2021-09-27 05:39:36 +03:00
if isAtributeAvatarSet {
2022-06-20 13:02:49 +03:00
Avatar = sr . Entries [ 0 ] . GetRawAttributeValue ( source . AttributeAvatar )
2021-09-27 05:39:36 +03:00
}
2023-02-08 09:44:42 +03:00
// Check group membership
var usersLdapGroups container . Set [ string ]
if source . GroupsEnabled {
userAttributeListedInGroup := source . getUserAttributeListedInGroup ( sr . Entries [ 0 ] )
usersLdapGroups = source . listLdapGroupMemberships ( l , userAttributeListedInGroup , true )
if source . GroupFilter != "" && len ( usersLdapGroups ) == 0 {
return nil
}
}
2022-06-20 13:02:49 +03:00
if ! directBind && source . AttributesInBind {
2022-05-03 15:41:11 +03:00
// binds user (checking password) after looking-up attributes in BindDN context
err = bindUser ( l , userDN , passwd )
if err != nil {
return nil
}
}
2017-05-10 16:10:18 +03:00
return & SearchResult {
2023-02-08 09:44:42 +03:00
LowerName : strings . ToLower ( username ) ,
Username : username ,
Name : firstname ,
Surname : surname ,
Mail : mail ,
SSHPublicKey : sshPublicKey ,
IsAdmin : isAdmin ,
IsRestricted : isRestricted ,
Avatar : Avatar ,
Groups : usersLdapGroups ,
2017-05-10 16:10:18 +03:00
}
}
2018-05-05 17:30:47 +03:00
// UsePagedSearch returns if need to use paged search
2022-06-20 13:02:49 +03:00
func ( source * Source ) UsePagedSearch ( ) bool {
return source . SearchPageSize > 0
2018-05-05 17:30:47 +03:00
}
2017-05-10 16:10:18 +03:00
// SearchEntries : search an LDAP source for all users matching userFilter
2022-06-20 13:02:49 +03:00
func ( source * Source ) SearchEntries ( ) ( [ ] * SearchResult , error ) {
l , err := dial ( source )
2017-05-10 16:10:18 +03:00
if err != nil {
2022-06-20 13:02:49 +03:00
log . Error ( "LDAP Connect error, %s:%v" , source . Host , err )
source . Enabled = false
2019-08-24 21:53:37 +03:00
return nil , err
2017-05-10 16:10:18 +03:00
}
defer l . Close ( )
2022-06-20 13:02:49 +03:00
if source . BindDN != "" && source . BindPassword != "" {
err := l . Bind ( source . BindDN , source . BindPassword )
2016-02-16 14:33:16 +03:00
if err != nil {
2022-06-20 13:02:49 +03:00
log . Debug ( "Failed to bind as BindDN[%s]: %v" , source . BindDN , err )
2019-08-24 21:53:37 +03:00
return nil , err
2017-05-10 16:10:18 +03:00
}
2022-06-20 13:02:49 +03:00
log . Trace ( "Bound as BindDN %s" , source . BindDN )
2017-05-10 16:10:18 +03:00
} else {
log . Trace ( "Proceeding with anonymous LDAP search." )
}
2022-06-20 13:02:49 +03:00
userFilter := fmt . Sprintf ( source . Filter , "*" )
2017-05-10 16:10:18 +03:00
2022-06-20 13:02:49 +03:00
isAttributeSSHPublicKeySet := len ( strings . TrimSpace ( source . AttributeSSHPublicKey ) ) > 0
isAtributeAvatarSet := len ( strings . TrimSpace ( source . AttributeAvatar ) ) > 0
2019-01-24 02:25:33 +03:00
2022-06-20 13:02:49 +03:00
attribs := [ ] string { source . AttributeUsername , source . AttributeName , source . AttributeSurname , source . AttributeMail , source . UserUID }
2019-01-24 02:25:33 +03:00
if isAttributeSSHPublicKeySet {
2022-06-20 13:02:49 +03:00
attribs = append ( attribs , source . AttributeSSHPublicKey )
2019-01-24 02:25:33 +03:00
}
2021-09-27 05:39:36 +03:00
if isAtributeAvatarSet {
2022-06-20 13:02:49 +03:00
attribs = append ( attribs , source . AttributeAvatar )
2021-09-27 05:39:36 +03:00
}
2019-01-24 02:25:33 +03:00
2022-06-20 13:02:49 +03:00
log . Trace ( "Fetching attributes '%v', '%v', '%v', '%v', '%v', '%v' with filter %s and base %s" , source . AttributeUsername , source . AttributeName , source . AttributeSurname , source . AttributeMail , source . AttributeSSHPublicKey , source . AttributeAvatar , userFilter , source . UserBase )
2017-05-10 16:10:18 +03:00
search := ldap . NewSearchRequest (
2022-06-20 13:02:49 +03:00
source . UserBase , ldap . ScopeWholeSubtree , ldap . NeverDerefAliases , 0 , 0 , false , userFilter ,
2019-01-24 02:25:33 +03:00
attribs , nil )
2017-05-10 16:10:18 +03:00
2018-05-05 17:30:47 +03:00
var sr * ldap . SearchResult
2022-06-20 13:02:49 +03:00
if source . UsePagedSearch ( ) {
sr , err = l . SearchWithPaging ( search , source . SearchPageSize )
2018-05-05 17:30:47 +03:00
} else {
sr , err = l . Search ( search )
}
2017-05-10 16:10:18 +03:00
if err != nil {
2019-04-02 10:48:31 +03:00
log . Error ( "LDAP Search failed unexpectedly! (%v)" , err )
2019-08-24 21:53:37 +03:00
return nil , err
2017-05-10 16:10:18 +03:00
}
2023-02-02 10:45:00 +03:00
result := make ( [ ] * SearchResult , 0 , len ( sr . Entries ) )
2017-05-10 16:10:18 +03:00
2023-02-02 10:45:00 +03:00
for _ , v := range sr . Entries {
2023-02-08 09:44:42 +03:00
var usersLdapGroups container . Set [ string ]
2023-02-02 10:45:00 +03:00
if source . GroupsEnabled {
userAttributeListedInGroup := source . getUserAttributeListedInGroup ( v )
if source . GroupFilter != "" {
2023-02-08 09:44:42 +03:00
usersLdapGroups = source . listLdapGroupMemberships ( l , userAttributeListedInGroup , true )
2023-02-02 10:45:00 +03:00
if len ( usersLdapGroups ) == 0 {
continue
}
}
if source . GroupTeamMap != "" || source . GroupTeamMapRemoval {
2023-02-08 09:44:42 +03:00
usersLdapGroups = source . listLdapGroupMemberships ( l , userAttributeListedInGroup , false )
2022-02-11 17:24:58 +03:00
}
}
2023-02-02 10:45:00 +03:00
user := & SearchResult {
2023-02-08 09:44:42 +03:00
Username : v . GetAttributeValue ( source . AttributeUsername ) ,
Name : v . GetAttributeValue ( source . AttributeName ) ,
Surname : v . GetAttributeValue ( source . AttributeSurname ) ,
Mail : v . GetAttributeValue ( source . AttributeMail ) ,
IsAdmin : checkAdmin ( l , source , v . DN ) ,
Groups : usersLdapGroups ,
2019-01-24 02:25:33 +03:00
}
2023-02-02 10:45:00 +03:00
if ! user . IsAdmin {
user . IsRestricted = checkRestricted ( l , source , v . DN )
2020-03-05 09:30:33 +03:00
}
2023-02-02 10:45:00 +03:00
2019-01-24 02:25:33 +03:00
if isAttributeSSHPublicKeySet {
2023-02-02 10:45:00 +03:00
user . SSHPublicKey = v . GetAttributeValues ( source . AttributeSSHPublicKey )
2016-02-16 14:33:16 +03:00
}
2023-02-02 10:45:00 +03:00
2021-09-27 05:39:36 +03:00
if isAtributeAvatarSet {
2023-02-02 10:45:00 +03:00
user . Avatar = v . GetRawAttributeValue ( source . AttributeAvatar )
2021-09-27 05:39:36 +03:00
}
2023-02-02 10:45:00 +03:00
user . LowerName = strings . ToLower ( user . Username )
result = append ( result , user )
2016-02-16 14:33:16 +03:00
}
2019-08-24 21:53:37 +03:00
return result , nil
2014-04-22 20:55:27 +04:00
}