teach/adlin
Archived
0
0
Fork 0
Code Issues 1 Pull requests 4 Releases Activity

validator: add LDAP auth

Browse source
This commit is contained in:
nemunaire 2018-02-18 14:41:06 +01:00
parent a750e2d7ce
commit 23ab4264f9
2 changed files with 99 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

90
validator/login.go
View file

@ -1,13 +1,30 @@
package main package main
import ( import (
"crypto/tls"
"encoding/json" "encoding/json"
"errors"
"fmt"
"io/ioutil"
"log" "log"
"net"
"net/http" "net/http"
"os"
"path"
"strings"
"text/template"
"gopkg.in/ldap.v2"
) )
type loginChecker struct{ type loginChecker struct {
students []Student students []Student
ldapAddr string
ldapPort int
ldapIsTLS bool
ldapBase string
ldapBindUsername string
ldapBindPassword string
} }
type loginUpload struct { type loginUpload struct {
@ -15,6 +32,65 @@ type loginUpload struct {
Password string Password string
} }
func (l loginChecker) ldapAuth(username, password string) (res bool, err error) {
tlsCnf := tls.Config{InsecureSkipVerify: true}
var c *ldap.Conn
if l.ldapIsTLS {
c, err = ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", l.ldapAddr, l.ldapPort), &tlsCnf)
if err != nil {
return false, err
}
} else {
c, err = ldap.Dial("tcp", fmt.Sprintf("%s:%d", l.ldapAddr, l.ldapPort))
if err != nil {
return false, err
}
// Reconnect with TLS
err = c.StartTLS(&tlsCnf)
if err != nil {
return false, err
}
}
defer c.Close()
if l.ldapBindUsername != "" {
err = c.Bind(l.ldapBindUsername, l.ldapBindPassword)
if err != nil {
return false, err
}
}
// Search for the given username
searchRequest := ldap.NewSearchRequest(
l.ldapBase,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
fmt.Sprintf("(&(objectClass=person)(uid=%s))", username),
[]string{"dn"},
nil,
)
sr, err := c.Search(searchRequest)
if err != nil {
return false, err
}
if len(sr.Entries) != 1 {
return false, errors.New("User does not exist or too many entries returned")
}
userdn := sr.Entries[0].DN
err = c.Bind(userdn, password)
if err != nil {
return false, err
}
return true, nil
}
func (l loginChecker) ServeHTTP(w http.ResponseWriter, r *http.Request) { func (l loginChecker) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if addr := r.Header.Get("X-Forwarded-For"); addr != "" { if addr := r.Header.Get("X-Forwarded-For"); addr != "" {
r.RemoteAddr = addr r.RemoteAddr = addr
@ -59,6 +135,16 @@ func (l loginChecker) ServeHTTP(w http.ResponseWriter, r *http.Request) {
return return
} }
if ok, err := l.ldapAuth(lu.Username, lu.Password); err != nil {
log.Println("Unable to perform authentication for", lu.Username, ":", err, "at", r.RemoteAddr)
http.Error(w, err.Error(), http.StatusUnauthorized)
return
} else if !ok {
log.Println("Login failed:", lu.Username, "at", r.RemoteAddr)
http.Error(w, "Invalid password", http.StatusUnauthorized)
return
}
if err := l.lateLoginAction(lu.Username, r.RemoteAddr); err != nil { if err := l.lateLoginAction(lu.Username, r.RemoteAddr); err != nil {
log.Println("Error on late login action:", err) log.Println("Error on late login action:", err)
http.Error(w, "Internal server error. Please retry in a few minutes", http.StatusInternalServerError) http.Error(w, "Internal server error. Please retry in a few minutes", http.StatusInternalServerError)

14
validator/main.go
View file

@ -12,10 +12,19 @@ var tftpDir string
func main() { func main() {
var studentsFile string var studentsFile string
var lc loginChecker
var bind = flag.String("bind", ":8081", "Bind port/socket") var bind = flag.String("bind", ":8081", "Bind port/socket")
flag.StringVar(&studentsFile, "students", "./students.csv", "Path to a CSV file containing students list") flag.StringVar(&studentsFile, "students", "./students.csv", "Path to a CSV file containing students list")
flag.StringVar(&ARPTable, "arp", ARPTable, "Path to ARP table") flag.StringVar(&ARPTable, "arp", ARPTable, "Path to ARP table")
flag.StringVar(&tftpDir, "tftpdir", "/var/tftp/", "Path to TFTPd directory") flag.StringVar(&tftpDir, "tftpdir", "/var/tftp/", "Path to TFTPd directory")
flag.StringVar(&lc.ldapAddr, "ldaphost", "auth.cri.epita.fr", "LDAP host")
flag.IntVar(&lc.ldapPort, "ldapport", 636, "LDAP port")
flag.BoolVar(&lc.ldapIsTLS, "ldaptls", false, "Is LDAP connection LDAPS?")
flag.StringVar(&lc.ldapBase, "ldapbase", "dc=epita,dc=net", "LDAP base")
flag.StringVar(&lc.ldapBindUsername, "ldapbindusername", "", "LDAP user to use in order to perform bind (optional if search can be made anonymously)")
flag.StringVar(&lc.ldapBindPassword, "ldapbindpassword", "", "Password for the bind user")
flag.Parse() flag.Parse()
var err error var err error
@ -26,8 +35,7 @@ func main() {
log.Fatal(err) log.Fatal(err)
} }
var students []Student lc.students, err = readStudentsList(studentsFile)
students, err = readStudentsList(studentsFile)
if err != nil { if err != nil {
log.Fatal(err) log.Fatal(err)
} }
@ -35,7 +43,7 @@ func main() {
log.Println("Registering handlers...") log.Println("Registering handlers...")
mux := http.NewServeMux() mux := http.NewServeMux()
mux.HandleFunc("/", Index) mux.HandleFunc("/", Index)
mux.Handle("/login", loginChecker{students}) mux.Handle("/login", lc)
http.HandleFunc("/", mux.ServeHTTP) http.HandleFunc("/", mux.ServeHTTP)
log.Println("Ready, listening on port", *bind) log.Println("Ready, listening on port", *bind)