forkjo/modules/auth/ldap/ldap.go

// Copyright 2014 The Gogs Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.

// Package ldap provide functions & structure to query a LDAP ldap directory
// For now, it's mainly tested again an MS Active Directory service, see README.md for more information
package ldap

import (
	"crypto/tls"
	"fmt"
	"strings"

	"gopkg.in/ldap.v2"

	"github.com/gogits/gogs/modules/log"
)

// Basic LDAP authentication service
type Source struct {
	Name              string // canonical name (ie. corporate.ad)
	Host              string // LDAP host
	Port              int    // port number
	UseSSL            bool   // Use SSL
	SkipVerify        bool
	BindDN            string // DN to bind with
	BindPassword      string // Bind DN password
	UserBase          string // Base search path for users
	UserDN            string // Template for the DN of the user for simple auth
	AttributeUsername string // Username attribute
	AttributeName     string // First name attribute
	AttributeSurname  string // Surname attribute
	AttributeMail     string // E-mail attribute
	Filter            string // Query filter to validate entry
	AdminFilter       string // Query filter to check if user is admin
	Enabled           bool   // if this source is disabled
}

func (ls *Source) sanitizedUserQuery(username string) (string, bool) {
	// See http://tools.ietf.org/search/rfc4515
	badCharacters := "\x00()*\\"
	if strings.ContainsAny(username, badCharacters) {
		log.Debug("'%s' contains invalid query characters. Aborting.", username)
		return "", false
	}

	return fmt.Sprintf(ls.Filter, username), true
}

func (ls *Source) sanitizedUserDN(username string) (string, bool) {
	// See http://tools.ietf.org/search/rfc4514: "special characters"
	badCharacters := "\x00()*\\,='\"#+;<> "
	if strings.ContainsAny(username, badCharacters) {
		log.Debug("'%s' contains invalid DN characters. Aborting.", username)
		return "", false
	}

	return fmt.Sprintf(ls.UserDN, username), true
}

func (ls *Source) FindUserDN(name string) (string, bool) {
	l, err := ldapDial(ls)
	if err != nil {
		log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
		ls.Enabled = false
		return "", false
	}
	defer l.Close()

	log.Trace("Search for LDAP user: %s", name)
	if ls.BindDN != "" && ls.BindPassword != "" {
		err = l.Bind(ls.BindDN, ls.BindPassword)
		if err != nil {
			log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
			return "", false
		}
		log.Trace("Bound as BindDN %s", ls.BindDN)
	} else {
		log.Trace("Proceeding with anonymous LDAP search.")
	}

	// A search for the user.
	userFilter, ok := ls.sanitizedUserQuery(name)
	if !ok {
		return "", false
	}

	log.Trace("Searching using filter %s", userFilter)
	search := ldap.NewSearchRequest(
		ls.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0,
		false, userFilter, []string{}, nil)

	// Ensure we found a user
	sr, err := l.Search(search)
	if err != nil || len(sr.Entries) < 1 {
		log.Debug("Failed search using filter[%s]: %v", userFilter, err)
		return "", false
	} else if len(sr.Entries) > 1 {
		log.Debug("Filter '%s' returned more than one user.", userFilter)
		return "", false
	}

	userDN := sr.Entries[0].DN
	if userDN == "" {
		log.Error(4, "LDAP search was successful, but found no DN!")
		return "", false
	}

	return userDN, true
}

// searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, string, string, string, bool, bool) {
	var userDN string
	if directBind {
		log.Trace("LDAP will bind directly via UserDN template: %s", ls.UserDN)

		var ok bool
		userDN, ok = ls.sanitizedUserDN(name)
		if !ok {
			return "", "", "", "", false, false
		}
	} else {
		log.Trace("LDAP will use BindDN.")

		var found bool
		userDN, found = ls.FindUserDN(name)
		if !found {
			return "", "", "", "", false, false
		}
	}

	l, err := ldapDial(ls)
	if err != nil {
		log.Error(4, "LDAP Connect error (%s): %v", ls.Host, err)
		ls.Enabled = false
		return "", "", "", "", false, false
	}
	defer l.Close()

	log.Trace("Binding with userDN: %s", userDN)
	err = l.Bind(userDN, passwd)
	if err != nil {
		log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)
		return "", "", "", "", false, false
	}

	log.Trace("Bound successfully with userDN: %s", userDN)
	userFilter, ok := ls.sanitizedUserQuery(name)
	if !ok {
		return "", "", "", "", false, false
	}

	search := ldap.NewSearchRequest(
		userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,
		[]string{ls.AttributeName, ls.AttributeSurname, ls.AttributeMail},
		nil)

	sr, err := l.Search(search)
	if err != nil {
		log.Error(4, "LDAP Search failed unexpectedly! (%v)", err)
		return "", "", "", "", false, false
	} else if len(sr.Entries) < 1 {
		if directBind {
			log.Error(4, "User filter inhibited user login.")
		} else {
			log.Error(4, "LDAP Search failed unexpectedly! (0 entries)")
		}

		return "", "", "", "", false, false
	}

	username_attr := sr.Entries[0].GetAttributeValue(ls.AttributeUsername)
	name_attr := sr.Entries[0].GetAttributeValue(ls.AttributeName)
	sn_attr := sr.Entries[0].GetAttributeValue(ls.AttributeSurname)
	mail_attr := sr.Entries[0].GetAttributeValue(ls.AttributeMail)

	admin_attr := false
	if len(ls.AdminFilter) > 0 {
		search = ldap.NewSearchRequest(
			userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.AdminFilter,
			[]string{ls.AttributeName},
			nil)

		sr, err = l.Search(search)
		if err != nil {
			log.Error(4, "LDAP Admin Search failed unexpectedly! (%v)", err)
		} else if len(sr.Entries) < 1 {
			log.Error(4, "LDAP Admin Search failed")
		} else {
			admin_attr = true
		}
	}

	return username_attr, name_attr, sn_attr, mail_attr, admin_attr, true
}

func ldapDial(ls *Source) (*ldap.Conn, error) {
	if ls.UseSSL {
		log.Debug("Using TLS for LDAP without verifying: %v", ls.SkipVerify)
		return ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", ls.Host, ls.Port), &tls.Config{
			InsecureSkipVerify: ls.SkipVerify,
		})
	} else {
		return ldap.Dial("tcp", fmt.Sprintf("%s:%d", ls.Host, ls.Port))
	}
}
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go 2015-08-16 08:31:54 +02:00			`// Copyright 2014 The Gogs Authors. All rights reserved.`
initial support for LDAP authentication/MSAD 2014-04-22 18:55:27 +02:00			`// Use of this source code is governed by a MIT-style`
			`// license that can be found in the LICENSE file.`

Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go 2015-08-16 08:31:54 +02:00			`// Package ldap provide functions & structure to query a LDAP ldap directory`
initial support for LDAP authentication/MSAD 2014-04-22 18:55:27 +02:00			`// For now, it's mainly tested again an MS Active Directory service, see README.md for more information`
			`package ldap`

			`import (`
#1637 able to skip verify for LDAP 2015-09-14 21:48:51 +02:00			`"crypto/tls"`
initial support for LDAP authentication/MSAD 2014-04-22 18:55:27 +02:00			`"fmt"`
Sanitizing input to LDAP authentication module. 2015-10-27 02:08:59 +01:00			`"strings"`
ldap support 2014-05-03 04:48:14 +02:00
Use better LDAP lib and should fix #1139 2015-11-26 20:04:58 +01:00			`"gopkg.in/ldap.v2"`

initial support for LDAP authentication/MSAD 2014-04-22 18:55:27 +02:00			`"github.com/gogits/gogs/modules/log"`
			`)`

			`// Basic LDAP authentication service`
#1637 able to skip verify for LDAP 2015-09-14 21:48:51 +02:00			`type Source struct {`
LDAP: Optional user name attribute specification Consider following LDAP search query example: (&(objectClass=Person)(\|(uid=%s)(mail=%s))) Right now on first login attempt Gogs will use the text supplied on login form as the newly created user name. In example query above the text matches against both e-mail or user name. So if user puts the e-mail then the new Gogs user name will be e-mail which may be undesired. Using optional user name attribute setting we can explicitly say we want Gogs user name to be certain LDAP attribute eg. `uid`, so even user will use e-mail to login 1st time, the new account will receive correct user name. 2015-12-01 14:49:49 +01:00			`Name string // canonical name (ie. corporate.ad)`
			`Host string // LDAP host`
			`Port int // port number`
			`UseSSL bool // Use SSL`
			`SkipVerify bool`
			`BindDN string // DN to bind with`
			`BindPassword string // Bind DN password`
			`UserBase string // Base search path for users`
			`UserDN string // Template for the DN of the user for simple auth`
			`AttributeUsername string // Username attribute`
			`AttributeName string // First name attribute`
			`AttributeSurname string // Surname attribute`
			`AttributeMail string // E-mail attribute`
			`Filter string // Query filter to validate entry`
			`AdminFilter string // Query filter to check if user is admin`
			`Enabled bool // if this source is disabled`
initial support for LDAP authentication/MSAD 2014-04-22 18:55:27 +02:00			`}`

Sanitizing input to LDAP authentication module. 2015-10-27 02:08:59 +01:00			`func (ls *Source) sanitizedUserQuery(username string) (string, bool) {`
			`// See http://tools.ietf.org/search/rfc4515`
			`badCharacters := "\x00()*\\"`
			`if strings.ContainsAny(username, badCharacters) {`
			`log.Debug("'%s' contains invalid query characters. Aborting.", username)`
			`return "", false`
			`}`

			`return fmt.Sprintf(ls.Filter, username), true`
			`}`

			`func (ls *Source) sanitizedUserDN(username string) (string, bool) {`
			`// See http://tools.ietf.org/search/rfc4514: "special characters"`
			`badCharacters := "\x00()*\\,='\"#+;<> "`
			`if strings.ContainsAny(username, badCharacters) {`
			`log.Debug("'%s' contains invalid DN characters. Aborting.", username)`
			`return "", false`
			`}`

			`return fmt.Sprintf(ls.UserDN, username), true`
			`}`

#1637 able to skip verify for LDAP 2015-09-14 21:48:51 +02:00			`func (ls *Source) FindUserDN(name string) (string, bool) {`
Significantly enhanced LDAP support in Gogs. 2015-08-13 01:58:27 +02:00			`l, err := ldapDial(ls)`
			`if err != nil {`
			`log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)`
			`ls.Enabled = false`
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go 2015-08-16 08:31:54 +02:00			`return "", false`
Significantly enhanced LDAP support in Gogs. 2015-08-13 01:58:27 +02:00			`}`
			`defer l.Close()`
initial support for LDAP authentication/MSAD 2014-04-22 18:55:27 +02:00
Significantly enhanced LDAP support in Gogs. 2015-08-13 01:58:27 +02:00			`log.Trace("Search for LDAP user: %s", name)`
			`if ls.BindDN != "" && ls.BindPassword != "" {`
			`err = l.Bind(ls.BindDN, ls.BindPassword)`
			`if err != nil {`
work on #986 and fix a LDAP crash 2015-08-17 22:03:11 +02:00			`log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)`
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go 2015-08-16 08:31:54 +02:00			`return "", false`
initial support for LDAP authentication/MSAD 2014-04-22 18:55:27 +02:00			`}`
Significantly enhanced LDAP support in Gogs. 2015-08-13 01:58:27 +02:00			`log.Trace("Bound as BindDN %s", ls.BindDN)`
			`} else {`
			`log.Trace("Proceeding with anonymous LDAP search.")`
			`}`

			`// A search for the user.`
Sanitizing input to LDAP authentication module. 2015-10-27 02:08:59 +01:00			`userFilter, ok := ls.sanitizedUserQuery(name)`
			`if !ok {`
			`return "", false`
			`}`

Significantly enhanced LDAP support in Gogs. 2015-08-13 01:58:27 +02:00			`log.Trace("Searching using filter %s", userFilter)`
			`search := ldap.NewSearchRequest(`
			`ls.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0,`
			`false, userFilter, []string{}, nil)`

			`// Ensure we found a user`
			`sr, err := l.Search(search)`
			`if err != nil \|\| len(sr.Entries) < 1 {`
work on #986 and fix a LDAP crash 2015-08-17 22:03:11 +02:00			`log.Debug("Failed search using filter[%s]: %v", userFilter, err)`
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go 2015-08-16 08:31:54 +02:00			`return "", false`
Significantly enhanced LDAP support in Gogs. 2015-08-13 01:58:27 +02:00			`} else if len(sr.Entries) > 1 {`
			`log.Debug("Filter '%s' returned more than one user.", userFilter)`
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go 2015-08-16 08:31:54 +02:00			`return "", false`
initial support for LDAP authentication/MSAD 2014-04-22 18:55:27 +02:00			`}`
Significantly enhanced LDAP support in Gogs. 2015-08-13 01:58:27 +02:00
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go 2015-08-16 08:31:54 +02:00			`userDN := sr.Entries[0].DN`
Significantly enhanced LDAP support in Gogs. 2015-08-13 01:58:27 +02:00			`if userDN == "" {`
Fix misspelled words 2015-12-06 15:42:23 +01:00			`log.Error(4, "LDAP search was successful, but found no DN!")`
Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go 2015-08-16 08:31:54 +02:00			`return "", false`
Significantly enhanced LDAP support in Gogs. 2015-08-13 01:58:27 +02:00			`}`

Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop # Conflicts: # modules/bindata/bindata.go 2015-08-16 08:31:54 +02:00			`return userDN, true`
initial support for LDAP authentication/MSAD 2014-04-22 18:55:27 +02:00			`}`

Significantly enhanced LDAP support in Gogs. 2015-08-13 01:58:27 +02:00			`// searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter`
LDAP: Optional user name attribute specification Consider following LDAP search query example: (&(objectClass=Person)(\|(uid=%s)(mail=%s))) Right now on first login attempt Gogs will use the text supplied on login form as the newly created user name. In example query above the text matches against both e-mail or user name. So if user puts the e-mail then the new Gogs user name will be e-mail which may be undesired. Using optional user name attribute setting we can explicitly say we want Gogs user name to be certain LDAP attribute eg. `uid`, so even user will use e-mail to login 1st time, the new account will receive correct user name. 2015-12-01 14:49:49 +01:00			`func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, string, string, string, bool, bool) {`
Added LDAP simple auth support. 2015-09-05 05:39:23 +02:00			`var userDN string`
			`if directBind {`
revert simple LDAP userDN and update example 2015-09-16 18:15:14 +02:00			`log.Trace("LDAP will bind directly via UserDN template: %s", ls.UserDN)`
Sanitizing input to LDAP authentication module. 2015-10-27 02:08:59 +01:00
			`var ok bool`
			`userDN, ok = ls.sanitizedUserDN(name)`
			`if !ok {`
LDAP: Optional user name attribute specification Consider following LDAP search query example: (&(objectClass=Person)(\|(uid=%s)(mail=%s))) Right now on first login attempt Gogs will use the text supplied on login form as the newly created user name. In example query above the text matches against both e-mail or user name. So if user puts the e-mail then the new Gogs user name will be e-mail which may be undesired. Using optional user name attribute setting we can explicitly say we want Gogs user name to be certain LDAP attribute eg. `uid`, so even user will use e-mail to login 1st time, the new account will receive correct user name. 2015-12-01 14:49:49 +01:00			`return "", "", "", "", false, false`
Sanitizing input to LDAP authentication module. 2015-10-27 02:08:59 +01:00			`}`
Added LDAP simple auth support. 2015-09-05 05:39:23 +02:00			`} else {`
			`log.Trace("LDAP will use BindDN.")`

			`var found bool`
			`userDN, found = ls.FindUserDN(name)`
			`if !found {`
LDAP: Optional user name attribute specification Consider following LDAP search query example: (&(objectClass=Person)(\|(uid=%s)(mail=%s))) Right now on first login attempt Gogs will use the text supplied on login form as the newly created user name. In example query above the text matches against both e-mail or user name. So if user puts the e-mail then the new Gogs user name will be e-mail which may be undesired. Using optional user name attribute setting we can explicitly say we want Gogs user name to be certain LDAP attribute eg. `uid`, so even user will use e-mail to login 1st time, the new account will receive correct user name. 2015-12-01 14:49:49 +01:00			`return "", "", "", "", false, false`
Added LDAP simple auth support. 2015-09-05 05:39:23 +02:00			`}`
Significantly enhanced LDAP support in Gogs. 2015-08-13 01:58:27 +02:00			`}`

Add LDAP over SSL support 2014-05-15 14:21:27 +02:00			`l, err := ldapDial(ls)`
initial support for LDAP authentication/MSAD 2014-04-22 18:55:27 +02:00			`if err != nil {`
#1896 fatal when no needed update task 2015-11-05 03:57:10 +01:00			`log.Error(4, "LDAP Connect error (%s): %v", ls.Host, err)`
initial support for LDAP authentication/MSAD 2014-04-22 18:55:27 +02:00			`ls.Enabled = false`
LDAP: Optional user name attribute specification Consider following LDAP search query example: (&(objectClass=Person)(\|(uid=%s)(mail=%s))) Right now on first login attempt Gogs will use the text supplied on login form as the newly created user name. In example query above the text matches against both e-mail or user name. So if user puts the e-mail then the new Gogs user name will be e-mail which may be undesired. Using optional user name attribute setting we can explicitly say we want Gogs user name to be certain LDAP attribute eg. `uid`, so even user will use e-mail to login 1st time, the new account will receive correct user name. 2015-12-01 14:49:49 +01:00			`return "", "", "", "", false, false`
initial support for LDAP authentication/MSAD 2014-04-22 18:55:27 +02:00			`}`
			`defer l.Close()`

Significantly enhanced LDAP support in Gogs. 2015-08-13 01:58:27 +02:00			`log.Trace("Binding with userDN: %s", userDN)`
			`err = l.Bind(userDN, passwd)`
initial support for LDAP authentication/MSAD 2014-04-22 18:55:27 +02:00			`if err != nil {`
work on #986 and fix a LDAP crash 2015-08-17 22:03:11 +02:00			`log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)`
LDAP: Optional user name attribute specification Consider following LDAP search query example: (&(objectClass=Person)(\|(uid=%s)(mail=%s))) Right now on first login attempt Gogs will use the text supplied on login form as the newly created user name. In example query above the text matches against both e-mail or user name. So if user puts the e-mail then the new Gogs user name will be e-mail which may be undesired. Using optional user name attribute setting we can explicitly say we want Gogs user name to be certain LDAP attribute eg. `uid`, so even user will use e-mail to login 1st time, the new account will receive correct user name. 2015-12-01 14:49:49 +01:00			`return "", "", "", "", false, false`
initial support for LDAP authentication/MSAD 2014-04-22 18:55:27 +02:00			`}`

Significantly enhanced LDAP support in Gogs. 2015-08-13 01:58:27 +02:00			`log.Trace("Bound successfully with userDN: %s", userDN)`
Sanitizing input to LDAP authentication module. 2015-10-27 02:08:59 +01:00			`userFilter, ok := ls.sanitizedUserQuery(name)`
			`if !ok {`
LDAP: Optional user name attribute specification Consider following LDAP search query example: (&(objectClass=Person)(\|(uid=%s)(mail=%s))) Right now on first login attempt Gogs will use the text supplied on login form as the newly created user name. In example query above the text matches against both e-mail or user name. So if user puts the e-mail then the new Gogs user name will be e-mail which may be undesired. Using optional user name attribute setting we can explicitly say we want Gogs user name to be certain LDAP attribute eg. `uid`, so even user will use e-mail to login 1st time, the new account will receive correct user name. 2015-12-01 14:49:49 +01:00			`return "", "", "", "", false, false`
Sanitizing input to LDAP authentication module. 2015-10-27 02:08:59 +01:00			`}`

Remove ldap dep 2014-09-08 02:04:47 +02:00			`search := ldap.NewSearchRequest(`
Significantly enhanced LDAP support in Gogs. 2015-08-13 01:58:27 +02:00			`userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,`
			`[]string{ls.AttributeName, ls.AttributeSurname, ls.AttributeMail},`
initial support for LDAP authentication/MSAD 2014-04-22 18:55:27 +02:00			`nil)`
Significantly enhanced LDAP support in Gogs. 2015-08-13 01:58:27 +02:00
initial support for LDAP authentication/MSAD 2014-04-22 18:55:27 +02:00			`sr, err := l.Search(search)`
			`if err != nil {`
work on #986 and fix a LDAP crash 2015-08-17 22:03:11 +02:00			`log.Error(4, "LDAP Search failed unexpectedly! (%v)", err)`
LDAP: Optional user name attribute specification Consider following LDAP search query example: (&(objectClass=Person)(\|(uid=%s)(mail=%s))) Right now on first login attempt Gogs will use the text supplied on login form as the newly created user name. In example query above the text matches against both e-mail or user name. So if user puts the e-mail then the new Gogs user name will be e-mail which may be undesired. Using optional user name attribute setting we can explicitly say we want Gogs user name to be certain LDAP attribute eg. `uid`, so even user will use e-mail to login 1st time, the new account will receive correct user name. 2015-12-01 14:49:49 +01:00			`return "", "", "", "", false, false`
Significantly enhanced LDAP support in Gogs. 2015-08-13 01:58:27 +02:00			`} else if len(sr.Entries) < 1 {`
Added LDAP simple auth support. 2015-09-05 05:39:23 +02:00			`if directBind {`
			`log.Error(4, "User filter inhibited user login.")`
			`} else {`
			`log.Error(4, "LDAP Search failed unexpectedly! (0 entries)")`
			`}`

LDAP: Optional user name attribute specification Consider following LDAP search query example: (&(objectClass=Person)(\|(uid=%s)(mail=%s))) Right now on first login attempt Gogs will use the text supplied on login form as the newly created user name. In example query above the text matches against both e-mail or user name. So if user puts the e-mail then the new Gogs user name will be e-mail which may be undesired. Using optional user name attribute setting we can explicitly say we want Gogs user name to be certain LDAP attribute eg. `uid`, so even user will use e-mail to login 1st time, the new account will receive correct user name. 2015-12-01 14:49:49 +01:00			`return "", "", "", "", false, false`
initial support for LDAP authentication/MSAD 2014-04-22 18:55:27 +02:00			`}`
Significantly enhanced LDAP support in Gogs. 2015-08-13 01:58:27 +02:00
LDAP: Optional user name attribute specification Consider following LDAP search query example: (&(objectClass=Person)(\|(uid=%s)(mail=%s))) Right now on first login attempt Gogs will use the text supplied on login form as the newly created user name. In example query above the text matches against both e-mail or user name. So if user puts the e-mail then the new Gogs user name will be e-mail which may be undesired. Using optional user name attribute setting we can explicitly say we want Gogs user name to be certain LDAP attribute eg. `uid`, so even user will use e-mail to login 1st time, the new account will receive correct user name. 2015-12-01 14:49:49 +01:00			`username_attr := sr.Entries[0].GetAttributeValue(ls.AttributeUsername)`
Significantly enhanced LDAP support in Gogs. 2015-08-13 01:58:27 +02:00			`name_attr := sr.Entries[0].GetAttributeValue(ls.AttributeName)`
			`sn_attr := sr.Entries[0].GetAttributeValue(ls.AttributeSurname)`
			`mail_attr := sr.Entries[0].GetAttributeValue(ls.AttributeMail)`
Set IsAdmin using LDAP The IsAdmin flag is set based on whether the admin filter returned any result. The admin filter is applied with the user dn as the search root. In the future, we should update IsAdmin as well on each login. Alternately, we can have a periodic sync operation. 2015-08-19 06:34:03 +02:00
			`admin_attr := false`
#1554 check adminFilter length before LDAP search 2015-09-01 14:40:11 +02:00			`if len(ls.AdminFilter) > 0 {`
			`search = ldap.NewSearchRequest(`
			`userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.AdminFilter,`
			`[]string{ls.AttributeName},`
			`nil)`

			`sr, err = l.Search(search)`
			`if err != nil {`
			`log.Error(4, "LDAP Admin Search failed unexpectedly! (%v)", err)`
			`} else if len(sr.Entries) < 1 {`
			`log.Error(4, "LDAP Admin Search failed")`
			`} else {`
			`admin_attr = true`
			`}`
Set IsAdmin using LDAP The IsAdmin flag is set based on whether the admin filter returned any result. The admin filter is applied with the user dn as the search root. In the future, we should update IsAdmin as well on each login. Alternately, we can have a periodic sync operation. 2015-08-19 06:34:03 +02:00			`}`

LDAP: Optional user name attribute specification Consider following LDAP search query example: (&(objectClass=Person)(\|(uid=%s)(mail=%s))) Right now on first login attempt Gogs will use the text supplied on login form as the newly created user name. In example query above the text matches against both e-mail or user name. So if user puts the e-mail then the new Gogs user name will be e-mail which may be undesired. Using optional user name attribute setting we can explicitly say we want Gogs user name to be certain LDAP attribute eg. `uid`, so even user will use e-mail to login 1st time, the new account will receive correct user name. 2015-12-01 14:49:49 +01:00			`return username_attr, name_attr, sn_attr, mail_attr, admin_attr, true`
initial support for LDAP authentication/MSAD 2014-04-22 18:55:27 +02:00			`}`
Add LDAP over SSL support 2014-05-15 14:21:27 +02:00
#1637 able to skip verify for LDAP 2015-09-14 21:48:51 +02:00			`func ldapDial(ls Source) (ldap.Conn, error) {`
Add LDAP over SSL support 2014-05-15 14:21:27 +02:00			`if ls.UseSSL {`
#1637 able to skip verify for LDAP 2015-09-14 21:48:51 +02:00			`log.Debug("Using TLS for LDAP without verifying: %v", ls.SkipVerify)`
			`return ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", ls.Host, ls.Port), &tls.Config{`
			`InsecureSkipVerify: ls.SkipVerify,`
			`})`
Add LDAP over SSL support 2014-05-15 14:21:27 +02:00			`} else {`
Remove ldap dep 2014-09-08 02:04:47 +02:00			`return ldap.Dial("tcp", fmt.Sprintf("%s:%d", ls.Host, ls.Port))`
Add LDAP over SSL support 2014-05-15 14:21:27 +02:00			`}`
			`}`