This is an automated email from the ASF dual-hosted git repository.
rob pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-trafficcontrol.git
commit edc1f896cd5dfb89403789b529842a1e06af3818
Author: Dylan Volz <dylan_v...@comcast.com>
AuthorDate: Wed Mar 14 13:48:59 2018 -0600
move more ldap options to the ldap config and refactor connection logic
---
traffic_ops/app/conf/development/ldap.conf | 9 +++++
traffic_ops/app/conf/integration/ldap.conf | 9 +++++
traffic_ops/app/conf/production/ldap.conf | 9 +++++
traffic_ops/app/conf/test/ldap.conf | 9 +++++
traffic_ops/traffic_ops_golang/auth/ldap.go | 48 ++++++++++++++++++++++---
traffic_ops/traffic_ops_golang/config/config.go | 11 +++---
6 files changed, 86 insertions(+), 9 deletions(-)
diff --git a/traffic_ops/app/conf/development/ldap.conf
b/traffic_ops/app/conf/development/ldap.conf
new file mode 100644
index 0000000..9224ae2
--- /dev/null
+++ b/traffic_ops/app/conf/development/ldap.conf
@@ -0,0 +1,9 @@
+{
+ "admin_pass" : "password",
+ "search_base" : "dc=prefix,dc=domain,dc=suffix",
+ "admin_dn" : "user@prefix.domain.suffix",
+ "host" : "ldaps://host:[port]",
+ "search_query" :
"(&(objectCategory=person)(objectClass=user)(userName=%s))",
+ "verify_tls" : "true",
+ "ldap_timeout_secs" : 20
+}
diff --git a/traffic_ops/app/conf/integration/ldap.conf
b/traffic_ops/app/conf/integration/ldap.conf
new file mode 100644
index 0000000..9224ae2
--- /dev/null
+++ b/traffic_ops/app/conf/integration/ldap.conf
@@ -0,0 +1,9 @@
+{
+ "admin_pass" : "password",
+ "search_base" : "dc=prefix,dc=domain,dc=suffix",
+ "admin_dn" : "user@prefix.domain.suffix",
+ "host" : "ldaps://host:[port]",
+ "search_query" :
"(&(objectCategory=person)(objectClass=user)(userName=%s))",
+ "verify_tls" : "true",
+ "ldap_timeout_secs" : 20
+}
diff --git a/traffic_ops/app/conf/production/ldap.conf
b/traffic_ops/app/conf/production/ldap.conf
new file mode 100644
index 0000000..9224ae2
--- /dev/null
+++ b/traffic_ops/app/conf/production/ldap.conf
@@ -0,0 +1,9 @@
+{
+ "admin_pass" : "password",
+ "search_base" : "dc=prefix,dc=domain,dc=suffix",
+ "admin_dn" : "user@prefix.domain.suffix",
+ "host" : "ldaps://host:[port]",
+ "search_query" :
"(&(objectCategory=person)(objectClass=user)(userName=%s))",
+ "verify_tls" : "true",
+ "ldap_timeout_secs" : 20
+}
diff --git a/traffic_ops/app/conf/test/ldap.conf
b/traffic_ops/app/conf/test/ldap.conf
new file mode 100644
index 0000000..9224ae2
--- /dev/null
+++ b/traffic_ops/app/conf/test/ldap.conf
@@ -0,0 +1,9 @@
+{
+ "admin_pass" : "password",
+ "search_base" : "dc=prefix,dc=domain,dc=suffix",
+ "admin_dn" : "user@prefix.domain.suffix",
+ "host" : "ldaps://host:[port]",
+ "search_query" :
"(&(objectCategory=person)(objectClass=user)(userName=%s))",
+ "verify_tls" : "true",
+ "ldap_timeout_secs" : 20
+}
diff --git a/traffic_ops/traffic_ops_golang/auth/ldap.go
b/traffic_ops/traffic_ops_golang/auth/ldap.go
index 1903505..487d2ab 100644
--- a/traffic_ops/traffic_ops_golang/auth/ldap.go
+++ b/traffic_ops/traffic_ops_golang/auth/ldap.go
@@ -4,17 +4,56 @@ import (
"crypto/tls"
"errors"
"fmt"
+ "time"
"github.com/apache/incubator-trafficcontrol/lib/go-log"
"github.com/apache/incubator-trafficcontrol/traffic_ops/traffic_ops_golang/config"
+ "strings"
+
"gopkg.in/ldap.v2"
)
+var defaultSet bool
+
+func setLdapTimeoutDefault(duration time.Duration) {
+ if !defaultSet {
+ ldap.DefaultTimeout = duration
+ defaultSet = true
+ }
+}
+
+const (
+ LDAPWithTLS = "ldaps://"
+ LDAPNoTLS = "ldap://";
+)
+
+func ConnectToLDAP(cfg *config.ConfigLDAP) (*ldap.Conn, error) {
+ setLdapTimeoutDefault(time.Duration(cfg.LDAPTimeoutSecs) * time.Second)
+ host := strings.ToLower(cfg.Host)
+ var l *ldap.Conn
+ var err error
+ if strings.HasPrefix(host, LDAPWithTLS) {
+ host = strings.TrimPrefix(host, LDAPWithTLS)
+ l, err = ldap.DialTLS("tcp", host,
&tls.Config{InsecureSkipVerify: cfg.Insecure, ServerName: strings.Split(host,
":")[0]})
+ if err != nil {
+ log.Errorln("error dialing tls")
+ return nil, err
+ }
+ } else if strings.HasPrefix(host, LDAPNoTLS) {
+ host = strings.TrimPrefix(host, LDAPNoTLS)
+ l, err = ldap.Dial("tcp", host)
+ if err != nil {
+ log.Errorln("error dialing")
+ return nil, err
+ }
+ }
+ return l, nil
+}
+
func LookupUserDN(username string, cfg *config.ConfigLDAP) (string, bool,
error) {
- l, err := ldap.DialTLS("tcp", cfg.Host, &tls.Config{InsecureSkipVerify:
true})
+ l, err := ConnectToLDAP(cfg)
if err != nil {
- log.Errorln("error dialing tls")
return "", false, err
}
defer l.Close()
@@ -29,7 +68,7 @@ func LookupUserDN(username string, cfg *config.ConfigLDAP)
(string, bool, error)
searchRequest := ldap.NewSearchRequest(
cfg.SearchBase,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
-
fmt.Sprintf("(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))",
username),
+ fmt.Sprintf(cfg.SearchQuery, username),
[]string{"dn"},
nil,
)
@@ -48,9 +87,8 @@ func LookupUserDN(username string, cfg *config.ConfigLDAP)
(string, bool, error)
}
func AuthenticateUserDN(userDN string, password string, cfg
*config.ConfigLDAP) (bool, error) {
- l, err := ldap.DialTLS("tcp", cfg.Host, &tls.Config{InsecureSkipVerify:
true})
+ l, err := ConnectToLDAP(cfg)
if err != nil {
- log.Errorln("error dialing tls")
return false, err
}
defer l.Close()
diff --git a/traffic_ops/traffic_ops_golang/config/config.go
b/traffic_ops/traffic_ops_golang/config/config.go
index 4864845..ca1f053 100644
--- a/traffic_ops/traffic_ops_golang/config/config.go
+++ b/traffic_ops/traffic_ops_golang/config/config.go
@@ -87,10 +87,13 @@ type ConfigDatabase struct {
}
type ConfigLDAP struct {
- AdminPass string `json:"admin_pass"`
- SearchBase string `json:"search_base"`
- AdminDN string `json:"admin_dn"`
- Host string `json:"host"`
+ AdminPass string `json:"admin_pass"`
+ SearchBase string `json:"search_base"`
+ AdminDN string `json:"admin_dn"`
+ Host string `json:"host"`
+ SearchQuery string `json:"search_query"`
+ Insecure bool `json:"insecure"`
+ LDAPTimeoutSecs int `json:"ldap_timeout_secs"`
}
// ErrorLog - critical messages
--
To stop receiving notification emails like this one, please contact
r...@apache.org.
