This is an automated email from the ASF dual-hosted git repository. rob pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-trafficcontrol.git
commit edc1f896cd5dfb89403789b529842a1e06af3818
Author: Dylan Volz <dylan_v...@comcast.com>
AuthorDate: Wed Mar 14 13:48:59 2018 -0600
move more ldap options to the ldap config and refactor connection logic
---
 traffic_ops/app/conf/development/ldap.conf | 9 +++++
 traffic_ops/app/conf/integration/ldap.conf | 9 +++++
 traffic_ops/app/conf/production/ldap.conf | 9 +++++
 traffic_ops/app/conf/test/ldap.conf | 9 +++++
 traffic_ops/traffic_ops_golang/auth/ldap.go | 48 ++++++++++++++++++++++---
 traffic_ops/traffic_ops_golang/config/config.go | 11 +++--
 6 files changed, 86 insertions(+), 9 deletions(-)
diff --git a/traffic_ops/app/conf/development/ldap.conf b/traffic_ops/app/conf/development/ldap.conf
new file mode 100644
index 0000000..9224ae2
--- /dev/null
+++ b/traffic_ops/app/conf/development/ldap.conf
@@ -0,0 +1,9 @@
+{
+ "admin_pass" : "password",
+ "search_base" : "dc=prefix,dc=domain,dc=suffix",
+ "admin_dn" : "user@prefix.domain.suffix",
+ "host" : "ldaps://host:[port]",
+ "search_query" : "(&(objectCategory=person)(objectClass=user)(userName=%s))",
+ "verify_tls" : "true",
+ "ldap_timeout_secs" : 20
+}
diff --git a/traffic_ops/app/conf/integration/ldap.conf b/traffic_ops/app/conf/integration/ldap.conf
new file mode 100644
index 0000000..9224ae2
--- /dev/null
+++ b/traffic_ops/app/conf/integration/ldap.conf
@@ -0,0 +1,9 @@
+{
+ "admin_pass" : "password",
+ "search_base" : "dc=prefix,dc=domain,dc=suffix",
+ "admin_dn" : "user@prefix.domain.suffix",
+ "host" : "ldaps://host:[port]",
+ "search_query" : "(&(objectCategory=person)(objectClass=user)(userName=%s))",
+ "verify_tls" : "true",
+ "ldap_timeout_secs" : 20
+}
diff --git a/traffic_ops/app/conf/production/ldap.conf b/traffic_ops/app/conf/production/ldap.conf
new file mode 100644
index 0000000..9224ae2
--- /dev/null
+++ b/traffic_ops/app/conf/production/ldap.conf
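Review bot: The `"verify_tls" : "true"` key in the new ldap.conf has no counterpart on the Go side: ConfigLDAP in config.go decodes `Insecure bool `json:"insecure"``, so this key is silently ignored and the TLS-verification knob an operator edits here has no effect (the identical file is added for integration, production and test). Either rename the key to match the struct, `"insecure" : false,`, or rename the struct tag to `verify_tls` with the inverted meaning; in both cases the value should be a JSON boolean, since the string `"true"` would not decode into a bool field even once the names agree. The default `search_query` also switches the match attribute from the previously hard-coded `sAMAccountName` to `userName`; if Active Directory is the intended backend this is a behaviour change worth confirming before it ships as the production default.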
@@ -0,0 +1,9 @@
+{
+ "admin_pass" : "password",
+ "search_base" : "dc=prefix,dc=domain,dc=suffix",
+ "admin_dn" : "user@prefix.domain.suffix",
+ "host" : "ldaps://host:[port]",
+ "search_query" : "(&(objectCategory=person)(objectClass=user)(userName=%s))",
+ "verify_tls" : "true",
+ "ldap_timeout_secs" : 20
+}
diff --git a/traffic_ops/app/conf/test/ldap.conf b/traffic_ops/app/conf/test/ldap.conf
new file mode 100644
index 0000000..9224ae2
--- /dev/null
+++ b/traffic_ops/app/conf/test/ldap.conf
@@ -0,0 +1,9 @@
+{
+ "admin_pass" : "password",
+ "search_base" : "dc=prefix,dc=domain,dc=suffix",
+ "admin_dn" : "user@prefix.domain.suffix",
+ "host" : "ldaps://host:[port]",
+ "search_query" : "(&(objectCategory=person)(objectClass=user)(userName=%s))",
+ "verify_tls" : "true",
+ "ldap_timeout_secs" : 20
+}
diff --git a/traffic_ops/traffic_ops_golang/auth/ldap.go b/traffic_ops/traffic_ops_golang/auth/ldap.go
index 1903505..487d2ab 100644
--- a/traffic_ops/traffic_ops_golang/auth/ldap.go
+++ b/traffic_ops/traffic_ops_golang/auth/ldap.go
@@ -4,17 +4,56 @@ import (
 "crypto/tls"
 "errors"
 "fmt"
+ "time"
 "github.com/apache/incubator-trafficcontrol/lib/go-log"
 "github.com/apache/incubator-trafficcontrol/traffic_ops/traffic_ops_golang/config"
+ "strings"
+ "gopkg.in/ldap.v2"
 )
+var defaultSet bool
+
+func setLdapTimeoutDefault(duration time.Duration) {
+ if !defaultSet {
+ ldap.DefaultTimeout = duration
+ defaultSet = true
+ }
+}
+
+const (
+ LDAPWithTLS = "ldaps://"
+ LDAPNoTLS = "ldap://"
+)
+
+func ConnectToLDAP(cfg *config.ConfigLDAP) (*ldap.Conn, error) {
+ setLdapTimeoutDefault(time.Duration(cfg.LDAPTimeoutSecs) * time.Second)
+ host := strings.ToLower(cfg.Host)
+ var l *ldap.Conn
+ var err error
+ if strings.HasPrefix(host, LDAPWithTLS) {
+ host = strings.TrimPrefix(host, LDAPWithTLS)
+ l, err = ldap.DialTLS("tcp", host, &tls.Config{InsecureSkipVerify: cfg.Insecure, ServerName: strings.Split(host, ":")[0]})
+ if err != nil {
+ log.Errorln("error dialing tls")
+ return nil, err
+ }
+ } else if strings.HasPrefix(host, LDAPNoTLS) {
+ host = strings.TrimPrefix(host, LDAPNoTLS)
+ l, err = ldap.Dial("tcp", host)
+ if err != nil {
+ log.Errorln("error dialing")
+ return nil, err
+ }
+ }
+ return l, nil
+}
+
 func LookupUserDN(username string, cfg *config.ConfigLDAP) (string, bool, error) {
- l, err := ldap.DialTLS("tcp", cfg.Host, &tls.Config{InsecureSkipVerify: true})
+ l, err := ConnectToLDAP(cfg)
 if err != nil {
- log.Errorln("error dialing tls")
 return "", false, err
 }
 defer l.Close()
@@ -29,7 +68,7 @@ func LookupUserDN(username string, cfg *config.ConfigLDAP) (string, bool, error)
 searchRequest := ldap.NewSearchRequest(
 cfg.SearchBase,
 ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
- fmt.Sprintf("(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))", username),
+ fmt.Sprintf(cfg.SearchQuery, username),
 []string{"dn"}, nil,
 )
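Review bot: ConnectToLDAP returns `nil, nil` when cfg.Host carries neither the `ldaps://` nor the `ldap://` prefix, and both callers (LookupUserDN in this hunk, AuthenticateUserDN in the next) go on to `defer l.Close()` and bind through the nil connection, so a mis-set host turns the first login attempt into a nil-pointer panic instead of an error. The fall-through needs an explicit failure, e.g. `} else { return nil, fmt.Errorf("ldap host %q must start with %q or %q", cfg.Host, LDAPWithTLS, LDAPNoTLS) }`. The `defaultSet` flag guarding `ldap.DefaultTimeout` is a plain package variable written from the request path, so concurrent logins race on it; a `sync.Once`, or setting the timeout once at startup, avoids that, and a missing or zero `ldap_timeout_secs` presumably yields a zero timeout with no dial deadline, which is worth rejecting at config load. `strings.Split(host, ":")[0]` for ServerName also mishandles an IPv6 literal; `net.SplitHostPort` is the safer way to derive the name the certificate is checked against.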
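Review bot: `fmt.Sprintf(cfg.SearchQuery, username)` still substitutes the caller-supplied username into the LDAP filter unescaped, so a login name containing filter metacharacters (`*`, parentheses, `\`) changes the meaning of the search rather than being matched literally; escaping it first, `fmt.Sprintf(cfg.SearchQuery, ldap.EscapeFilter(username))`, keeps the lookup to the single intended entry. Because the format string now comes from configuration, a `search_query` without exactly one `%s` yields `%!s(MISSING)` or `%!(EXTRA ...)` noise inside the filter; validating the query at config load (one `%s`, no other verbs) would surface a misconfiguration at startup rather than as failed logins. The enclosing LookupUserDN continues outside this hunk.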
@@ -48,9 +87,8 @@ func LookupUserDN(username string, cfg *config.ConfigLDAP) (string, bool, error)
 }
 func AuthenticateUserDN(userDN string, password string, cfg *config.ConfigLDAP) (bool, error) {
- l, err := ldap.DialTLS("tcp", cfg.Host, &tls.Config{InsecureSkipVerify: true})
+ l, err := ConnectToLDAP(cfg)
 if err != nil {
- log.Errorln("error dialing tls")
 return false, err
 }
 defer l.Close()
diff --git a/traffic_ops/traffic_ops_golang/config/config.go b/traffic_ops/traffic_ops_golang/config/config.go
index 4864845..ca1f053 100644
--- a/traffic_ops/traffic_ops_golang/config/config.go
+++ b/traffic_ops/traffic_ops_golang/config/config.go
@@ -87,10 +87,13 @@ type ConfigDatabase struct {
 }
 type ConfigLDAP struct {
- AdminPass string `json:"admin_pass"`
- SearchBase string `json:"search_base"`
- AdminDN string `json:"admin_dn"`
- Host string `json:"host"`
+ AdminPass string `json:"admin_pass"`
+ SearchBase string `json:"search_base"`
+ AdminDN string `json:"admin_dn"`
+ Host string `json:"host"`
+ SearchQuery string `json:"search_query"`
+ Insecure bool `json:"insecure"`
+ LDAPTimeoutSecs int `json:"ldap_timeout_secs"`
 }
 // ErrorLog - critical messages
-- 
To stop receiving notification emails like this one, please contact r...@apache.org.
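Review bot: The three new ConfigLDAP fields carry no doc comments, and `Insecure` is the one an operator most needs explained, because a `true` here is passed straight to `tls.Config.InsecureSkipVerify` in auth/ldap.go and disables certificate verification of the directory server. A comment such as `// Insecure disables TLS certificate verification of the LDAP server when Host uses ldaps://; leave false outside development.` on that field, and `// LDAPTimeoutSecs is the dial timeout for LDAP connections in seconds; zero presumably disables the deadline.` on the timeout, would make the contract visible where the value is declared. `SearchQuery` deserves a line stating that it is a printf-style format with a single `%s` for the username, since that expectation is enforced nowhere in this hunk.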