bottin/main.go

package main

// @FIXME: Proper handling of various upper/lower case combinations
// @FIXME: Implement missing search filters (in applyFilter)
// @FIXME: Add an initial prefix to the consul key value

import (
	"crypto/tls"
	"encoding/base64"
	"encoding/json"
	"flag"
	"fmt"
	"io/ioutil"
	"log"
	"math/rand"
	"os"
	"os/signal"
	"syscall"

	ldap "./ldapserver"
	consul "github.com/hashicorp/consul/api"
	message "github.com/vjeantet/goldap/message"
)

const DEBUG = false

const ATTR_USERPASSWORD = "userpassword"
const ATTR_MEMBER = "member"
const ATTR_MEMBEROF = "memberof"
const ATTR_ENTRYUUID = "entryuuid"
const ATTR_CREATORSNAME = "creatorsname"
const ATTR_CREATETIMESTAMP = "createtimestamp"
const ATTR_MODIFIERSNAME = "modifiersname"
const ATTR_MODIFYTIMESTAMP = "modifytimestamp"

type ConfigFile struct {
	Suffix        string   `json:"suffix"`
	Bind          string   `json:"bind"`
	BindSecure    string   `json:"bind_secure"`
	ConsulHost    string   `json:"consul_host"`
	Acl           []string `json:"acl"`
	TLSCertFile   string   `json:"tls_cert_file"`
	TLSKeyFile    string   `json:"tls_key_file"`
	TLSServerName string   `json:"tls_server_name"`
}

type Config struct {
	Suffix     string
	Bind       string
	BindSecure string
	ConsulHost string

	Acl ACL

	TLSConfig *tls.Config
}

type Server struct {
	logger *log.Logger
	config Config
	kv     *consul.KV
}

type State struct {
	login Login
}

type Entry map[string][]string

var configFlag = flag.String("config", "./config.json", "Configuration file path")

func readConfig() Config {
	config_file := ConfigFile{
		Bind:       "0.0.0.0:389",
		BindSecure: "0.0.0.0:636",
	}

	bytes, err := ioutil.ReadFile(*configFlag)
	if err != nil {
		panic(err)
	}

	err = json.Unmarshal(bytes, &config_file)
	if err != nil {
		panic(err)
	}

	acl, err := ParseACL(config_file.Acl)
	if err != nil {
		panic(err)
	}

	ret := Config{
		Suffix:     config_file.Suffix,
		Bind:       config_file.Bind,
		BindSecure: config_file.BindSecure,
		ConsulHost: config_file.ConsulHost,
		Acl:        acl,
	}

	if config_file.TLSCertFile != "" && config_file.TLSKeyFile != "" && config_file.TLSServerName != "" {
		cert_txt, err := ioutil.ReadFile(config_file.TLSCertFile)
		if err != nil {
			panic(err)
		}
		key_txt, err := ioutil.ReadFile(config_file.TLSKeyFile)
		if err != nil {
			panic(err)
		}
		cert, err := tls.X509KeyPair(cert_txt, key_txt)
		if err != nil {
			panic(err)
		}
		ret.TLSConfig = &tls.Config{
			MinVersion:   tls.VersionTLS10,
			MaxVersion:   tls.VersionTLS12,
			Certificates: []tls.Certificate{cert},
			ServerName:   config_file.TLSServerName,
		}
	}

	return ret
}

func main() {
	flag.Parse()

	ldap.Logger = log.New(os.Stdout, "[ldapserver] ", log.LstdFlags)

	config := readConfig()

	// Connect to Consul
	consul_config := consul.DefaultConfig()
	if config.ConsulHost != "" {
		consul_config.Address = config.ConsulHost
	}
	consul_client, err := consul.NewClient(consul_config)
	if err != nil {
		panic(err)
	}
	kv := consul_client.KV()

	// Create gobottin server
	gobottin := Server{
		logger: log.New(os.Stdout, "[gobottin] ", log.LstdFlags),
		config: config,
		kv:     kv,
	}
	err = gobottin.init()
	if err != nil {
		panic(err)
	}

	// Create routes
	routes := ldap.NewRouteMux()

	routes.Bind(gobottin.handleBind)
	routes.Search(gobottin.handleSearch)
	routes.Add(gobottin.handleAdd)
	routes.Compare(gobottin.handleCompare)
	routes.Delete(gobottin.handleDelete)
	routes.Modify(gobottin.handleModify)

	if config.TLSConfig != nil {
		routes.Extended(gobottin.handleStartTLS).
			RequestName(ldap.NoticeOfStartTLS).Label("StartTLS")
	}

	// Create LDAP servers
	var ldapServer, ldapServerSecure *ldap.Server = nil, nil

	// Bind on standard LDAP port without TLS
	if config.Bind != "" {
		ldapServer = ldap.NewServer()
		ldapServer.Handle(routes)
		ldapServer.NewUserState = gobottin.newUserState
		go func() {
			err := ldapServer.ListenAndServe(config.Bind)
			if err != nil {
				panic(err)
			}
		}()
	}

	// Bind on LDAP secure port with TLS
	if config.BindSecure != "" {
		if config.TLSConfig != nil {
			ldapServerSecure := ldap.NewServer()
			ldapServerSecure.Handle(routes)
			ldapServerSecure.NewUserState = gobottin.newUserState
			secureConn := func(s *ldap.Server) {
				s.Listener = tls.NewListener(s.Listener, config.TLSConfig)
			}
			go func() {
				err := ldapServerSecure.ListenAndServe(config.BindSecure, secureConn)
				if err != nil {
					panic(err)
				}
			}()
		} else {
			fmt.Printf("Warning: no valid TLS configuration was provided, not binding on %s", config.BindSecure)
		}
	}

	if ldapServer == nil && ldapServerSecure == nil {
		panic("Not doing anything.")
	}

	// When CTRL+C, SIGINT and SIGTERM signal occurs
	// Then stop server gracefully
	ch := make(chan os.Signal)
	signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM)
	<-ch
	close(ch)

	if ldapServer != nil {
		ldapServer.Stop()
	}
	if ldapServerSecure != nil {
		ldapServerSecure.Stop()
	}
}

func (server *Server) newUserState() ldap.UserState {
	return &State{
		login: Login{
			user:   "ANONYMOUS",
			groups: []string{},
		},
	}
}

func (server *Server) init() error {
	path, err := dnToConsul(server.config.Suffix)
	if err != nil {
		return err
	}

	pair, _, err := server.kv.Get(path+"/attribute=objectClass", nil)
	if err != nil {
		return err
	}

	if pair != nil {
		return nil
	}

	base_attributes := Entry{
		"objectClass":           []string{"top", "dcObject", "organization"},
		"structuralObjectClass": []string{"Organization"},
		ATTR_CREATORSNAME:       []string{server.config.Suffix},
		ATTR_CREATETIMESTAMP:    []string{genTimestamp()},
		ATTR_ENTRYUUID:          []string{genUuid()},
	}
	suffix_dn, err := parseDN(server.config.Suffix)
	if err != nil {
		return err
	}
	base_attributes[suffix_dn[0].Type] = []string{suffix_dn[0].Value}

	err = server.addElements(server.config.Suffix, base_attributes)
	if err != nil {
		return err
	}

	admin_pass := make([]byte, 8)
	rand.Read(admin_pass)
	admin_pass_str := base64.RawURLEncoding.EncodeToString(admin_pass)
	admin_pass_hash := SSHAEncode([]byte(admin_pass_str))

	admin_dn := "cn=admin," + server.config.Suffix
	admin_attributes := Entry{
		"objectClass":           []string{"simpleSecurityObject", "organizationalRole"},
		"description":           []string{"LDAP administrator"},
		"cn":                    []string{"admin"},
		"structuralObjectClass": []string{"organizationalRole"},
		ATTR_USERPASSWORD:       []string{admin_pass_hash},
		ATTR_CREATORSNAME:       []string{server.config.Suffix},
		ATTR_CREATETIMESTAMP:    []string{genTimestamp()},
		ATTR_ENTRYUUID:          []string{genUuid()},
	}

	err = server.addElements(admin_dn, admin_attributes)
	if err != nil {
		return err
	}

	server.logger.Printf(
		"It seems to be a new installation, we created a default user for you:\n\n    dn:          %s\n    password:    %s\n\nWe didn't use true random, you should replace it as soon as possible.",
		admin_dn,
		admin_pass_str,
	)

	return nil
}

func (server *Server) addElements(dn string, attrs Entry) error {
	prefix, err := dnToConsul(dn)
	if err != nil {
		return err
	}

	for k, v := range attrs {
		path := prefix + "/attribute=" + k
		if len(v) == 0 {
			// If we have zero values, delete associated k/v pair
			_, err := server.kv.Delete(path, nil)
			if err != nil {
				return err
			}
		} else {
			json, err := json.Marshal(v)
			if err != nil {
				return err
			}
			pair := &consul.KVPair{Key: path, Value: json}
			_, err = server.kv.Put(pair, nil)
			if err != nil {
				return err
			}
		}
	}
	return nil
}

func (server *Server) getAttribute(dn string, attr string) ([]string, error) {
	path, err := dnToConsul(dn)
	if err != nil {
		return nil, err
	}

	pair, _, err := server.kv.Get(path+"/attribute="+attr, nil)
	if err != nil {
		return nil, err
	}

	if pair == nil {
		return nil, nil
	}

	return parseValue(pair.Value)
}

func (server *Server) objectExists(dn string) (bool, error) {
	prefix, err := dnToConsul(dn)
	if err != nil {
		return false, err
	}

	data, _, err := server.kv.List(prefix+"/", nil)
	if err != nil {
		return false, err
	}
	return len(data) > 0, nil
}

func (server *Server) checkSuffix(dn string, allow_extend bool) (string, error) {
	suffix := server.config.Suffix
	if len(dn) < len(suffix) {
		if dn != suffix[-len(dn):] || !allow_extend {
			return suffix, fmt.Errorf(
				"Only handling stuff under DN %s", suffix)
		}
		return suffix, nil
	} else {
		if dn[len(dn)-len(suffix):] != suffix {
			return suffix, fmt.Errorf(
				"Only handling stuff under DN %s", suffix)
		}
		return dn, nil
	}
}

func (server *Server) handleStartTLS(s ldap.UserState, w ldap.ResponseWriter, m *ldap.Message) {
	tlsConn := tls.Server(m.Client.GetConn(), server.config.TLSConfig)
	res := ldap.NewExtendedResponse(ldap.LDAPResultSuccess)
	res.SetResponseName(ldap.NoticeOfStartTLS)
	w.Write(res)

	if err := tlsConn.Handshake(); err != nil {
		log.Printf("StartTLS Handshake error %v", err)
		res.SetDiagnosticMessage(fmt.Sprintf("StartTLS Handshake error : \"%s\"", err.Error()))
		res.SetResultCode(ldap.LDAPResultOperationsError)
		w.Write(res)
		return
	}

	m.Client.SetConn(tlsConn)
}

func (server *Server) handleBind(s ldap.UserState, w ldap.ResponseWriter, m *ldap.Message) {
	state := s.(*State)
	r := m.GetBindRequest()

	result_code, err := server.handleBindInternal(state, &r)

	res := ldap.NewBindResponse(result_code)
	if err != nil {
		res.SetDiagnosticMessage(err.Error())
		server.logger.Printf("Failed bind for %s: %s", string(r.Name()), err.Error())
	}
	if result_code == ldap.LDAPResultSuccess {
		server.logger.Printf("Successfully bound to %s", string(r.Name()))
	} else {
		server.logger.Printf("Failed to bind to %s (%s)", string(r.Name()), err)
	}
	w.Write(res)
}

func (server *Server) handleBindInternal(state *State, r *message.BindRequest) (int, error) {
	// Check permissions
	if !server.config.Acl.Check(&state.login, "bind", string(r.Name()), []string{}) {
		return ldap.LDAPResultInsufficientAccessRights, nil
	}

	// Try to retrieve password and check for match
	passwd, err := server.getAttribute(string(r.Name()), ATTR_USERPASSWORD)
	if err != nil {
		return ldap.LDAPResultOperationsError, err
	}
	if passwd == nil {
		return ldap.LDAPResultNoSuchObject, nil
	}

	for _, hash := range passwd {
		valid := SSHAMatches(hash, []byte(r.AuthenticationSimple()))
		if valid {
			groups, err := server.getAttribute(string(r.Name()), ATTR_MEMBEROF)
			if err != nil {
				return ldap.LDAPResultOperationsError, err
			}
			state.login = Login{
				user:   string(r.Name()),
				groups: groups,
			}
			return ldap.LDAPResultSuccess, nil
		}
	}
	return ldap.LDAPResultInvalidCredentials, nil
}
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`package main`

More serious schema enforcement 2020-01-26 20:22:51 +00:00			`// @FIXME: Proper handling of various upper/lower case combinations`
Add TODO list 2020-01-19 21:30:51 +00:00			`// @FIXME: Implement missing search filters (in applyFilter)`
			`// @FIXME: Add an initial prefix to the consul key value`

Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`import (`
Externalize config 2020-01-26 18:27:17 +00:00			`"crypto/tls"`
Add ldapserver source in here & add support for client state 2020-01-19 12:00:53 +00:00			`"encoding/base64"`
			`"encoding/json"`
Externalize config 2020-01-26 18:27:17 +00:00			`"flag"`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`"fmt"`
Externalize config 2020-01-26 18:27:17 +00:00			`"io/ioutil"`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`"log"`
Add ldapserver source in here & add support for client state 2020-01-19 12:00:53 +00:00			`"math/rand"`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`"os"`
			`"os/signal"`
Add ldapserver source in here & add support for client state 2020-01-19 12:00:53 +00:00			`"syscall"`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00
Add ldapserver source in here & add support for client state 2020-01-19 12:00:53 +00:00			`ldap "./ldapserver"`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`consul "github.com/hashicorp/consul/api"`
			`message "github.com/vjeantet/goldap/message"`
			`)`

Less logs but better logs 2020-01-26 18:47:38 +00:00			`const DEBUG = false`

More serious schema enforcement 2020-01-26 20:22:51 +00:00			`const ATTR_USERPASSWORD = "userpassword"`
Fix missing procedure for delete membership & "better" failure handling After an object has been updated, membership information must be propagated to other object. Such operations may fail when calling consul but if they do we don't return fail immediatly returning an error code any more. Instead we just print all the errors to our logs and try to process the remaining updates. 2020-01-26 21:22:38 +00:00			`const ATTR_MEMBER = "member"`
More serious schema enforcement 2020-01-26 20:22:51 +00:00			`const ATTR_MEMBEROF = "memberof"`
			`const ATTR_ENTRYUUID = "entryuuid"`
			`const ATTR_CREATORSNAME = "creatorsname"`
			`const ATTR_CREATETIMESTAMP = "createtimestamp"`
			`const ATTR_MODIFIERSNAME = "modifiersname"`
			`const ATTR_MODIFYTIMESTAMP = "modifytimestamp"`

Externalize config 2020-01-26 18:27:17 +00:00			`type ConfigFile struct {`
			Suffix string `json:"suffix"`
Allow for both TLS and non-TLS connections 2020-01-27 15:32:39 +00:00			Bind string `json:"bind"`
			BindSecure string `json:"bind_secure"`
Externalize config 2020-01-26 18:27:17 +00:00			ConsulHost string `json:"consul_host"`
			Acl []string `json:"acl"`
Implement TLS mechanisms correctly, I hope 2020-01-27 15:08:35 +00:00			TLSCertFile string `json:"tls_cert_file"`
			TLSKeyFile string `json:"tls_key_file"`
			TLSServerName string `json:"tls_server_name"`
Externalize config 2020-01-26 18:27:17 +00:00			`}`

Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`type Config struct {`
Allow for both TLS and non-TLS connections 2020-01-27 15:32:39 +00:00			`Suffix string`
			`Bind string`
			`BindSecure string`
			`ConsulHost string`
Externalize config 2020-01-26 18:27:17 +00:00
			`Acl ACL`

Allow for both TLS and non-TLS connections 2020-01-27 15:32:39 +00:00			`TLSConfig *tls.Config`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`}`

			`type Server struct {`
Less logs but better logs 2020-01-26 18:47:38 +00:00			`logger *log.Logger`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`config Config`
Add ldapserver source in here & add support for client state 2020-01-19 12:00:53 +00:00			`kv *consul.KV`
			`}`

			`type State struct {`
First ACL implementation 2020-01-26 17:42:04 +00:00			`login Login`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`}`

Use only []string for values, implement add 2020-01-19 17:24:21 +00:00			`type Entry map[string][]string`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00
Externalize config 2020-01-26 18:27:17 +00:00			`var configFlag = flag.String("config", "./config.json", "Configuration file path")`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00
Externalize config 2020-01-26 18:27:17 +00:00			`func readConfig() Config {`
			`config_file := ConfigFile{`
Allow for both TLS and non-TLS connections 2020-01-27 15:32:39 +00:00			`Bind: "0.0.0.0:389",`
			`BindSecure: "0.0.0.0:636",`
Externalize config 2020-01-26 18:27:17 +00:00			`}`

			`bytes, err := ioutil.ReadFile(*configFlag)`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`if err != nil {`
			`panic(err)`
			`}`
Externalize config 2020-01-26 18:27:17 +00:00
			`err = json.Unmarshal(bytes, &config_file)`
			`if err != nil {`
			`panic(err)`
First ACL implementation 2020-01-26 17:42:04 +00:00			`}`
Externalize config 2020-01-26 18:27:17 +00:00
			`acl, err := ParseACL(config_file.Acl)`
First ACL implementation 2020-01-26 17:42:04 +00:00			`if err != nil {`
			`panic(err)`
			`}`

Externalize config 2020-01-26 18:27:17 +00:00			`ret := Config{`
Allow for both TLS and non-TLS connections 2020-01-27 15:32:39 +00:00			`Suffix: config_file.Suffix,`
			`Bind: config_file.Bind,`
			`BindSecure: config_file.BindSecure,`
			`ConsulHost: config_file.ConsulHost,`
			`Acl: acl,`
Externalize config 2020-01-26 18:27:17 +00:00			`}`

Implement TLS mechanisms correctly, I hope 2020-01-27 15:08:35 +00:00			`if config_file.TLSCertFile != "" && config_file.TLSKeyFile != "" && config_file.TLSServerName != "" {`
			`cert_txt, err := ioutil.ReadFile(config_file.TLSCertFile)`
Externalize config 2020-01-26 18:27:17 +00:00			`if err != nil {`
			`panic(err)`
			`}`
Implement TLS mechanisms correctly, I hope 2020-01-27 15:08:35 +00:00			`key_txt, err := ioutil.ReadFile(config_file.TLSKeyFile)`
Externalize config 2020-01-26 18:27:17 +00:00			`if err != nil {`
			`panic(err)`
			`}`
			`cert, err := tls.X509KeyPair(cert_txt, key_txt)`
			`if err != nil {`
			`panic(err)`
			`}`
Implement TLS mechanisms correctly, I hope 2020-01-27 15:08:35 +00:00			`ret.TLSConfig = &tls.Config{`
			`MinVersion: tls.VersionTLS10,`
Externalize config 2020-01-26 18:27:17 +00:00			`MaxVersion: tls.VersionTLS12,`
			`Certificates: []tls.Certificate{cert},`
Implement TLS mechanisms correctly, I hope 2020-01-27 15:08:35 +00:00			`ServerName: config_file.TLSServerName,`
Externalize config 2020-01-26 18:27:17 +00:00			`}`
			`}`

			`return ret`
			`}`

			`func main() {`
Fixes 2020-01-26 20:03:18 +00:00			`flag.Parse()`

Less logs but better logs 2020-01-26 18:47:38 +00:00			`ldap.Logger = log.New(os.Stdout, "[ldapserver] ", log.LstdFlags)`
Externalize config 2020-01-26 18:27:17 +00:00
			`config := readConfig()`

			`// Connect to Consul`
			`consul_config := consul.DefaultConfig()`
			`if config.ConsulHost != "" {`
			`consul_config.Address = config.ConsulHost`
			`}`
			`consul_client, err := consul.NewClient(consul_config)`
			`if err != nil {`
			`panic(err)`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`}`
Externalize config 2020-01-26 18:27:17 +00:00			`kv := consul_client.KV()`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00
Externalize config 2020-01-26 18:27:17 +00:00			`// Create gobottin server`
Less logs but better logs 2020-01-26 18:47:38 +00:00			`gobottin := Server{`
			`logger: log.New(os.Stdout, "[gobottin] ", log.LstdFlags),`
			`config: config,`
			`kv: kv,`
			`}`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`err = gobottin.init()`
			`if err != nil {`
			`panic(err)`
			`}`

Allow for both TLS and non-TLS connections 2020-01-27 15:32:39 +00:00			`// Create routes`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`routes := ldap.NewRouteMux()`
Implement TLS mechanisms correctly, I hope 2020-01-27 15:08:35 +00:00
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`routes.Bind(gobottin.handleBind)`
Implement Search with basic filter support 2020-01-19 16:55:25 +00:00			`routes.Search(gobottin.handleSearch)`
Use only []string for values, implement add 2020-01-19 17:24:21 +00:00			`routes.Add(gobottin.handleAdd)`
Handle LDAP Compare and Delete requests 2020-01-19 20:48:14 +00:00			`routes.Compare(gobottin.handleCompare)`
			`routes.Delete(gobottin.handleDelete)`
Implement Modify 2020-01-19 21:21:05 +00:00			`routes.Modify(gobottin.handleModify)`
Implement TLS mechanisms correctly, I hope 2020-01-27 15:08:35 +00:00
Allow for both TLS and non-TLS connections 2020-01-27 15:32:39 +00:00			`if config.TLSConfig != nil {`
Implement TLS mechanisms correctly, I hope 2020-01-27 15:08:35 +00:00			`routes.Extended(gobottin.handleStartTLS).`
			`RequestName(ldap.NoticeOfStartTLS).Label("StartTLS")`
			`}`

Allow for both TLS and non-TLS connections 2020-01-27 15:32:39 +00:00			`// Create LDAP servers`
			`var ldapServer, ldapServerSecure *ldap.Server = nil, nil`

			`// Bind on standard LDAP port without TLS`
			`if config.Bind != "" {`
			`ldapServer = ldap.NewServer()`
			`ldapServer.Handle(routes)`
			`ldapServer.NewUserState = gobottin.newUserState`
			`go func() {`
			`err := ldapServer.ListenAndServe(config.Bind)`
			`if err != nil {`
			`panic(err)`
			`}`
			`}()`
			`}`

			`// Bind on LDAP secure port with TLS`
			`if config.BindSecure != "" {`
			`if config.TLSConfig != nil {`
			`ldapServerSecure := ldap.NewServer()`
			`ldapServerSecure.Handle(routes)`
			`ldapServerSecure.NewUserState = gobottin.newUserState`
			`secureConn := func(s *ldap.Server) {`
			`s.Listener = tls.NewListener(s.Listener, config.TLSConfig)`
			`}`
			`go func() {`
			`err := ldapServerSecure.ListenAndServe(config.BindSecure, secureConn)`
			`if err != nil {`
			`panic(err)`
			`}`
			`}()`
			`} else {`
			`fmt.Printf("Warning: no valid TLS configuration was provided, not binding on %s", config.BindSecure)`
			`}`
			`}`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00
Allow for both TLS and non-TLS connections 2020-01-27 15:32:39 +00:00			`if ldapServer == nil && ldapServerSecure == nil {`
			`panic("Not doing anything.")`
			`}`
Implement TLS mechanisms correctly, I hope 2020-01-27 15:08:35 +00:00
Allow for both TLS and non-TLS connections 2020-01-27 15:32:39 +00:00			`// When CTRL+C, SIGINT and SIGTERM signal occurs`
			`// Then stop server gracefully`
			`ch := make(chan os.Signal)`
			`signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM)`
			`<-ch`
			`close(ch)`

			`if ldapServer != nil {`
			`ldapServer.Stop()`
Implement TLS mechanisms correctly, I hope 2020-01-27 15:08:35 +00:00			`}`
Allow for both TLS and non-TLS connections 2020-01-27 15:32:39 +00:00			`if ldapServerSecure != nil {`
			`ldapServerSecure.Stop()`
			`}`
			`}`

			`func (server *Server) newUserState() ldap.UserState {`
			`return &State{`
			`login: Login{`
			`user: "ANONYMOUS",`
			`groups: []string{},`
			`},`
Externalize config 2020-01-26 18:27:17 +00:00			`}`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`}`

			`func (server *Server) init() error {`
Forbid "/" in DN 2020-01-19 21:27:54 +00:00			`path, err := dnToConsul(server.config.Suffix)`
			`if err != nil {`
			`return err`
			`}`

			`pair, _, err := server.kv.Get(path+"/attribute=objectClass", nil)`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`if err != nil {`
			`return err`
			`}`

			`if pair != nil {`
			`return nil`
			`}`

Implement Search with basic filter support 2020-01-19 16:55:25 +00:00			`base_attributes := Entry{`
Add ldapserver source in here & add support for client state 2020-01-19 12:00:53 +00:00			`"objectClass": []string{"top", "dcObject", "organization"},`
Use only []string for values, implement add 2020-01-19 17:24:21 +00:00			`"structuralObjectClass": []string{"Organization"},`
Don't do stupid things like use a dn as a pattern Also add metadata fields in objects created on initialization 2020-01-26 22:12:00 +00:00			`ATTR_CREATORSNAME: []string{server.config.Suffix},`
			`ATTR_CREATETIMESTAMP: []string{genTimestamp()},`
			`ATTR_ENTRYUUID: []string{genUuid()},`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`}`
			`suffix_dn, err := parseDN(server.config.Suffix)`
			`if err != nil {`
			`return err`
			`}`
Use only []string for values, implement add 2020-01-19 17:24:21 +00:00			`base_attributes[suffix_dn[0].Type] = []string{suffix_dn[0].Value}`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00
			`err = server.addElements(server.config.Suffix, base_attributes)`
			`if err != nil {`
			`return err`
			`}`

			`admin_pass := make([]byte, 8)`
			`rand.Read(admin_pass)`
			`admin_pass_str := base64.RawURLEncoding.EncodeToString(admin_pass)`
			`admin_pass_hash := SSHAEncode([]byte(admin_pass_str))`

			`admin_dn := "cn=admin," + server.config.Suffix`
Implement Search with basic filter support 2020-01-19 16:55:25 +00:00			`admin_attributes := Entry{`
Add ldapserver source in here & add support for client state 2020-01-19 12:00:53 +00:00			`"objectClass": []string{"simpleSecurityObject", "organizationalRole"},`
Use only []string for values, implement add 2020-01-19 17:24:21 +00:00			`"description": []string{"LDAP administrator"},`
			`"cn": []string{"admin"},`
			`"structuralObjectClass": []string{"organizationalRole"},`
Don't do stupid things like use a dn as a pattern Also add metadata fields in objects created on initialization 2020-01-26 22:12:00 +00:00			`ATTR_USERPASSWORD: []string{admin_pass_hash},`
			`ATTR_CREATORSNAME: []string{server.config.Suffix},`
			`ATTR_CREATETIMESTAMP: []string{genTimestamp()},`
			`ATTR_ENTRYUUID: []string{genUuid()},`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`}`

			`err = server.addElements(admin_dn, admin_attributes)`
			`if err != nil {`
			`return err`
			`}`

Less logs but better logs 2020-01-26 18:47:38 +00:00			`server.logger.Printf(`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`"It seems to be a new installation, we created a default user for you:\n\n dn: %s\n password: %s\n\nWe didn't use true random, you should replace it as soon as possible.",`
			`admin_dn,`
			`admin_pass_str,`
			`)`

			`return nil`
			`}`

Implement Search with basic filter support 2020-01-19 16:55:25 +00:00			`func (server *Server) addElements(dn string, attrs Entry) error {`
Forbid "/" in DN 2020-01-19 21:27:54 +00:00			`prefix, err := dnToConsul(dn)`
			`if err != nil {`
			`return err`
			`}`

Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`for k, v := range attrs {`
Fix handling of empty set of values as absence of the key 2020-01-20 08:11:30 +00:00			`path := prefix + "/attribute=" + k`
			`if len(v) == 0 {`
			`// If we have zero values, delete associated k/v pair`
			`_, err := server.kv.Delete(path, nil)`
			`if err != nil {`
			`return err`
			`}`
			`} else {`
			`json, err := json.Marshal(v)`
			`if err != nil {`
			`return err`
			`}`
			`pair := &consul.KVPair{Key: path, Value: json}`
			`_, err = server.kv.Put(pair, nil)`
			`if err != nil {`
			`return err`
			`}`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`}`
			`}`
			`return nil`
			`}`

Implement add with group membership 2020-01-19 18:10:38 +00:00			`func (server *Server) getAttribute(dn string, attr string) ([]string, error) {`
Forbid "/" in DN 2020-01-19 21:27:54 +00:00			`path, err := dnToConsul(dn)`
			`if err != nil {`
			`return nil, err`
			`}`

Apply gofmt & minor refactoring 2020-01-26 16:45:04 +00:00			`pair, _, err := server.kv.Get(path+"/attribute="+attr, nil)`
Implement add with group membership 2020-01-19 18:10:38 +00:00			`if err != nil {`
			`return nil, err`
			`}`

			`if pair == nil {`
			`return nil, nil`
			`}`

			`return parseValue(pair.Value)`
			`}`

			`func (server *Server) objectExists(dn string) (bool, error) {`
Forbid "/" in DN 2020-01-19 21:27:54 +00:00			`prefix, err := dnToConsul(dn)`
			`if err != nil {`
			`return false, err`
			`}`
Implement add with group membership 2020-01-19 18:10:38 +00:00
Apply gofmt & minor refactoring 2020-01-26 16:45:04 +00:00			`data, _, err := server.kv.List(prefix+"/", nil)`
Implement add with group membership 2020-01-19 18:10:38 +00:00			`if err != nil {`
			`return false, err`
			`}`
			`return len(data) > 0, nil`
			`}`

Better DN suffix validation 2020-01-19 18:19:34 +00:00			`func (server *Server) checkSuffix(dn string, allow_extend bool) (string, error) {`
			`suffix := server.config.Suffix`
			`if len(dn) < len(suffix) {`
			`if dn != suffix[-len(dn):] \|\| !allow_extend {`
			`return suffix, fmt.Errorf(`
			`"Only handling stuff under DN %s", suffix)`
			`}`
			`return suffix, nil`
			`} else {`
			`if dn[len(dn)-len(suffix):] != suffix {`
			`return suffix, fmt.Errorf(`
			`"Only handling stuff under DN %s", suffix)`
			`}`
			`return dn, nil`
			`}`
			`}`

Implement TLS mechanisms correctly, I hope 2020-01-27 15:08:35 +00:00			`func (server Server) handleStartTLS(s ldap.UserState, w ldap.ResponseWriter, m ldap.Message) {`
			`tlsConn := tls.Server(m.Client.GetConn(), server.config.TLSConfig)`
			`res := ldap.NewExtendedResponse(ldap.LDAPResultSuccess)`
			`res.SetResponseName(ldap.NoticeOfStartTLS)`
			`w.Write(res)`

			`if err := tlsConn.Handshake(); err != nil {`
			`log.Printf("StartTLS Handshake error %v", err)`
			`res.SetDiagnosticMessage(fmt.Sprintf("StartTLS Handshake error : \"%s\"", err.Error()))`
			`res.SetResultCode(ldap.LDAPResultOperationsError)`
			`w.Write(res)`
			`return`
			`}`

			`m.Client.SetConn(tlsConn)`
			`}`

Add ldapserver source in here & add support for client state 2020-01-19 12:00:53 +00:00			`func (server Server) handleBind(s ldap.UserState, w ldap.ResponseWriter, m ldap.Message) {`
			`state := s.(*State)`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`r := m.GetBindRequest()`

Use only []string for values, implement add 2020-01-19 17:24:21 +00:00			`result_code, err := server.handleBindInternal(state, &r)`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00
			`res := ldap.NewBindResponse(result_code)`
			`if err != nil {`
			`res.SetDiagnosticMessage(err.Error())`
Less logs but better logs 2020-01-26 18:47:38 +00:00			`server.logger.Printf("Failed bind for %s: %s", string(r.Name()), err.Error())`
			`}`
			`if result_code == ldap.LDAPResultSuccess {`
			`server.logger.Printf("Successfully bound to %s", string(r.Name()))`
			`} else {`
			`server.logger.Printf("Failed to bind to %s (%s)", string(r.Name()), err)`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`}`
			`w.Write(res)`
			`}`

Use only []string for values, implement add 2020-01-19 17:24:21 +00:00			`func (server Server) handleBindInternal(state State, r *message.BindRequest) (int, error) {`
First ACL implementation 2020-01-26 17:42:04 +00:00			`// Check permissions`
			`if !server.config.Acl.Check(&state.login, "bind", string(r.Name()), []string{}) {`
			`return ldap.LDAPResultInsufficientAccessRights, nil`
			`}`

			`// Try to retrieve password and check for match`
More serious schema enforcement 2020-01-26 20:22:51 +00:00			`passwd, err := server.getAttribute(string(r.Name()), ATTR_USERPASSWORD)`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`if err != nil {`
			`return ldap.LDAPResultOperationsError, err`
			`}`
Implement add with group membership 2020-01-19 18:10:38 +00:00			`if passwd == nil {`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`return ldap.LDAPResultNoSuchObject, nil`
			`}`

Implement add with group membership 2020-01-19 18:10:38 +00:00			`for _, hash := range passwd {`
			`valid := SSHAMatches(hash, []byte(r.AuthenticationSimple()))`
			`if valid {`
More serious schema enforcement 2020-01-26 20:22:51 +00:00			`groups, err := server.getAttribute(string(r.Name()), ATTR_MEMBEROF)`
First ACL implementation 2020-01-26 17:42:04 +00:00			`if err != nil {`
			`return ldap.LDAPResultOperationsError, err`
			`}`
			`state.login = Login{`
			`user: string(r.Name()),`
			`groups: groups,`
			`}`
Implement add with group membership 2020-01-19 18:10:38 +00:00			`return ldap.LDAPResultSuccess, nil`
			`}`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`}`
Implement add with group membership 2020-01-19 18:10:38 +00:00			`return ldap.LDAPResultInvalidCredentials, nil`
Begin Go reimplementation of Bottin 2020-01-19 11:49:49 +00:00			`}`