add tls and ldap auth

genouest · Nov 27, 2021 · 7de3c2b · 7de3c2b
1 parent 8839a43
commit 7de3c2b
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -23,8 +23,11 @@ and do not use TLS
 Variables:
 
 * PORT: optional port to listen, defaults to 9999
-* LDAP_HOST: ldap host address
-* LDAP_PORT: optional ldap port, defaults to 389
+* LDAP_URL: ldap url (ldap://, ldaps://, prefered method)
+* LDAP_HOST: ldap host address if not using LDAP_URL (old way)
+* LDAP_PORT: optional ldap port, defaults to 389 if not using LDAP_URL (old way)
+* LDAP_USER: optional ldap user dn to bind with (if empty use unauthenticated bind)
+* LDAP_PASSWORD: optional ldap user password to bind
 * LDAP_USER_DN: ldap user search dn (example: ou=People,dc=genouest,dc=org)
 * LDAP_GROUP_DN: ldap groups search dn (example: ou=Groups,dc=genouest,dc=org), expecting users to be in group *memberUid* (posixGroup)
 

diff --git a/debian/changelog b/debian/changelog
@@ -1,3 +1,18 @@
+nginx-goldap (0.2.0-1) UNRELEASED; urgency=medium
+
+  * Add support for TLS and user/password ldap conn
+  * new env vars LDAP_URL, LDAP_USER, LDAP_PASSWORD
+  * LDAP_URL replace LDAP_HOST and LDAP_PORT (though still works)
+
+ -- Olivier Sallou <[email protected]>  Mon, 15 Nov 2021 12:57:54 +0000
+
+nginx-goldap (0.1.0-1) UNRELEASED; urgency=medium
+
+  * Update doc
+  * Add /etc/default/nginx-goldap
+
+ -- Olivier Sallou <[email protected]>  Mon, 27 Nov 2021 12:57:54 +0000
+
 nginx-goldap (0.0.1-1) UNRELEASED; urgency=medium
 
   * Initial release

diff --git a/main.go b/main.go
@@ -21,8 +21,11 @@ import (
 type favContextKey string
 
 type Config struct {
+	LdapURL       string
 	LdapHost      string
 	LdapPort      int64
+	LdapUser      string
+	LdapPassword  string
 	UserSearchDN  string
 	GroupSearchDN string
 }
@@ -83,14 +86,25 @@ func ldapAuth(username, password string, config *Config) ([]string, error) {
 		return nil, fmt.Errorf("ldap not configured")
 	}
 
-	conn, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", config.LdapHost, config.LdapPort))
+	var conn *ldap.Conn
+	var err error
+	if config.LdapURL != "" {
+		conn, err = ldap.DialURL(config.LdapURL)
+	} else {
+		conn, err = ldap.Dial("tcp", fmt.Sprintf("%s:%d", config.LdapHost, config.LdapPort))
+	}
 	if err != nil {
 		log.Error().Err(err).Msg("[ldap] failed to contact server")
 		return nil, err
 	}
 	defer conn.Close()
-	// conn.Start()
-	err = conn.UnauthenticatedBind("")
+
+	if config.LdapUser != "" {
+		err = conn.Bind(config.LdapURL, config.LdapPassword)
+	} else {
+		err = conn.UnauthenticatedBind("")
+	}
+
 	if err != nil {
 		log.Error().Err(err).Msg("[ldap] anon bind error")
 		return nil, err
@@ -229,12 +243,16 @@ func main() {
 	if os.Getenv("LDAP_PORT") != "" {
 		ldapPort, _ = strconv.ParseInt(os.Getenv("LDAP_PORT"), 10, 64)
 	}
-	ldapUserDN := os.Getenv("LDAP_USER_DN")  // "ou=People,dc=genouest,dc=org"
-	ldapGroupDN := os.Getenv("LDAP_GROUP_DN")  // "ou=Groups,dc=genouest,dc=org"
+
+	ldapUserDN := os.Getenv("LDAP_USER_DN")   // "ou=People,dc=genouest,dc=org"
+	ldapGroupDN := os.Getenv("LDAP_GROUP_DN") // "ou=Groups,dc=genouest,dc=org"
 
 	cfg := Config{
+		LdapURL:       os.Getenv("LDAP_URL"),
 		LdapHost:      ldapHost,
 		LdapPort:      ldapPort,
+		LdapUser:      os.Getenv("LDAP_USER"),
+		LdapPassword:  os.Getenv("LDAP_PASSWORD"),
 		UserSearchDN:  ldapUserDN,
 		GroupSearchDN: ldapGroupDN,
 	}

diff --git a/services/nginx-goldap b/services/nginx-goldap
@@ -1,4 +1,7 @@
+LDAP_URL=
 LDAP_HOST=
+LDAP_USER=
+LDAP_PASSWORD=
 LDAP_USER_DN=
 LDAP_GROUP_DN=