My task is to implement LDAP authentication in a monitoring tool called sensu-uchiwa, since it doesn't implement it by default. To learn LDAP and Go, I started a small demo project: a simple API that requires LDAP authentication. I use this package: go get github.com/shaj13/go-guardian
Here is my sample LDAP implementation:
func setupGoGuardian() {
	cfg := &ldap.Config{
		Port:         "389",
		Host:         "ldapadmin.test",
		TLS:          &tls.Config{},
		BindDN:       "cn=olivia,dc=ldapadmin,dc=test",
		BindPassword: "root",
		Attributes:   []string{},
		BaseDN:       "dc=ldapadmin, dc=test",
		Filter:       "(uid=%s)",
	}
	authenticator = auth.New()
	cache = store.NewFIFO(context.Background(), time.Minute*10)
	strategy := ldap.NewCached(cfg, cache)
	authenticator.EnableStrategy(ldap.StrategyKey, strategy)
}
I actually installed phpLDAPadmin on my local machine, just to understand more. In the admin panel, I created a user called John with password John (see screenshot).
Now I tried to call the API:
curl -k http://127.0.0.1:8081/v1/book/1449311601 -u john:john
I am still unauthorized. Before using the local LDAP server, I tried the online LDAP test server with the following configuration:
cfg := &ldap.Config{
	BaseDN:       "dc=example, dc=com",
	BindDN:       "cn=read-only-admin,dc=example,dc=com",
	Port:         "389",
	Host:         "ldap.forumsys.com",
	BindPassword: "password",
	Filter:       "(uid=%s)",
}
And it works well. Now I know I missed something or did something wrong in my code, but because I am new to both Go and LDAP, I need help figuring it out to make it work.
Here is the whole main.go:
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"log"
	"net/http"
	"time"

	"github.com/gorilla/mux"
	"github.com/shaj13/go-guardian/auth"
	"github.com/shaj13/go-guardian/auth/strategies/ldap"
	"github.com/shaj13/go-guardian/store"
)

var authenticator auth.Authenticator
var cache store.Cache

func main() {
	setupGoGuardian()
	router := mux.NewRouter()
	router.HandleFunc("/", getDefault).Methods("GET")
	// Only the book route is wrapped in the LDAP auth middleware.
	router.HandleFunc("/v1/book/{id}",
		middleware(http.HandlerFunc(getBookAuthor))).Methods("GET")
	log.Println("server started and listening on http://127.0.0.1:8081")
	log.Fatal(http.ListenAndServe("127.0.0.1:8081", router))
}

func getDefault(w http.ResponseWriter, r *http.Request) {
	fmt.Println("Ok default homepage")
	w.Write([]byte("Homepage"))
}

func getBookAuthor(w http.ResponseWriter, r *http.Request) {
	vars := mux.Vars(r)
	id := vars["id"]
	books := map[string]string{
		"1449311601":  "Laura",
		"1484250956x": "Yoman",
		"1484220498":  "Skill",
	}
	body := fmt.Sprintf("Author: %s \n", books[id])
	w.Write([]byte(body))
}

func setupGoGuardian() {
	//cfg := &ldap.Config{
	//	BaseDN: "dc=example, dc=com",
	//	BindDN: "cn=read-only-admin,dc=example,dc=com",
	//	Port: "389",
	//	Host: "ldap.forumsys.com",
	//	BindPassword: "password",
	//	Filter: "(uid=%s)",
	//}
	cfg := &ldap.Config{
		Port:         "389",
		Host:         "ldapadmin.test/phpldapadmin",
		TLS:          &tls.Config{},
		BindDN:       "cn=olivia,dc=ldapadmin,dc=test",
		BindPassword: "root",
		Attributes:   []string{},
		BaseDN:       "dc=ldapadmin, dc=test",
		Filter:       "(uid=%s)",
	}
	authenticator = auth.New()
	// Cached LDAP strategy: results are kept in a FIFO store with a 10-minute TTL.
	cache = store.NewFIFO(context.Background(), time.Minute*10)
	strategy := ldap.NewCached(cfg, cache)
	authenticator.EnableStrategy(ldap.StrategyKey, strategy)
}

func middleware(next http.Handler) http.HandlerFunc {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		log.Println("Executing Auth Middleware")
		user, err := authenticator.Authenticate(r)
		if err != nil {
			code := http.StatusUnauthorized
			http.Error(w, http.StatusText(code), code)
			return
		}
		log.Printf("User %s Authenticated\n", user.UserName())
		next.ServeHTTP(w, r)
	})
}
My local LDAP server is hosted at ldapadmin.test/phpldapadmin.
Now, when running slapcat inside my Ubuntu 20 machine, the results are:
dn: dc=ldapadmin,dc=test
objectClass: top
objectClass: dcObject
objectClass: organization
o: tesldap
dc: ldapadmin
structuralObjectClass: organization
entryUUID: 001f85be-92c9-103b-9d45-bb8a7b47e3b6
creatorsName: cn=admin,dc=ldapadmin,dc=test
createTimestamp: 20210816103228Z
entryCSN: 20210816103228.907585Z#000000#000#000000
modifiersName: cn=admin,dc=ldapadmin,dc=test
modifyTimestamp: 20210816103228Z
dn: cn=admin,dc=ldapadmin,dc=test
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9M1V2a3ZLWlFlSStHVUdKQ0U0bzlneFpiRGZVcklsTUo=
structuralObjectClass: organizationalRole
entryUUID: 002078d4-92c9-103b-9d46-bb8a7b47e3b6
creatorsName: cn=admin,dc=ldapadmin,dc=test
createTimestamp: 20210816103228Z
entryCSN: 20210816103228.913850Z#000000#000#000000
modifiersName: cn=admin,dc=ldapadmin,dc=test
modifyTimestamp: 20210816103228Z
dn: ou=people,dc=ldapadmin,dc=test
objectClass: organizationalUnit
objectClass: top
ou: people
structuralObjectClass: organizationalUnit
entryUUID: 432694c6-92d1-103b-806c-51a5a293746f
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20210816113137Z
entryCSN: 20210816113137.335074Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20210816113137Z
dn: ou=groups,dc=ldapadmin,dc=test
objectClass: organizationalUnit
objectClass: top
ou: groups
structuralObjectClass: organizationalUnit
entryUUID: 432774a4-92d1-103b-806d-51a5a293746f
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20210816113137Z
entryCSN: 20210816113137.340805Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20210816113137Z
dn: uid=olivia,ou=people,dc=ldapadmin,dc=test
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: olivia
cn: olivia
sn: Nightingale
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/olivia
shadowMax: 60
shadowMin: 1
shadowWarning: 7
shadowInactive: 7
shadowLastChange: 0
structuralObjectClass: inetOrgPerson
entryUUID: a4283248-92d1-103b-806f-51a5a293746f
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20210816113420Z
userPassword:: e1NTSEF9Q3hOYWFQdnJEVW84dVRjNnhYKzM1MlFZcmlyRmk0Q0o=
entryCSN: 20210816113506.981478Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20210816113506Z
dn: cn=olivia,ou=groups,dc=ldapadmin,dc=test
objectClass: posixGroup
cn: olivia
gidNumber: 10000
memberUid: olivia
structuralObjectClass: posixGroup
entryUUID: a428afd4-92d1-103b-8070-51a5a293746f
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20210816113420Z
entryCSN: 20210816113420.087860Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20210816113420Z
dn: cn=readonly,ou=people,dc=ldapadmin,dc=test
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: readonly
userPassword:: e1NTSEF9RE5LUEdBMVdtdGtQVDVwRlRCb2NlS2pOQlpndGtKMy8=
description: Bind DN user for LDAP Operations
structuralObjectClass: organizationalRole
entryUUID: 39528972-92d2-103b-8071-51a5a293746f
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20210816113830Z
entryCSN: 20210816113830.342653Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20210816113830Z
dn: cn=john doe,ou=people,dc=ldapadmin,dc=test
cn: john doe
givenName: john
gidNumber: 10000
homeDirectory: /home/users/jdoe
sn: doe
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword:: e01ENX1VbnZWdGRhSjRzTXE2WFRHSXAvM2hRPT0=
uidNumber: 1000
uid: jdoe
structuralObjectClass: inetOrgPerson
entryUUID: a8633cf2-92dd-103b-8a45-b796d7b82159
creatorsName: cn=admin,dc=ldapadmin,dc=test
createTimestamp: 20210816130021Z
entryCSN: 20210816130021.143200Z#000000#000#000000
modifiersName: cn=admin,dc=ldapadmin,dc=test
modifyTimestamp: 20210816130021Z
It turns out I had an incorrect configuration. After reading this link https://campus.barracuda.com/product/essentials/doc/3211273/how-to-configure-user-authentication-using-ldap/
I updated my LDAP config:
cfg := &ldap.Config{
	Port:         "389",
	Host:         "ldapadmin.test",
	BindDN:       "cn=admin,dc=ldapadmin,dc=test",
	BindPassword: "root",
	BaseDN:       "dc=ldapadmin, dc=test",
	Filter:       "(uid=%s)",
}
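As an added example, not part of the original post and not go-guardian's own code, the following Go program replays offline the two directory-side checks that a bind-then-search login performs against the slapcat dump above: whether the configured BindDN names an existing entry, and which entry the "(uid=%s)" filter selects under BaseDN. It also escapes the login name before it is placed in the filter (RFC 4515) and reports the password hash scheme stored for each entry. The LDIF is a constructed subset of the dump (the olivia and john doe entries only); parseLDIF, dnExists, searchUID, buildFilter and passwordScheme are hypothetical helper names that model what the LDAP server does, not what the library does internally.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed subset of the slapcat dump in the post; nothing here contacts a live directory.
const sampleLDIF = `dn: uid=olivia,ou=people,dc=ldapadmin,dc=test
uid: olivia
userPassword:: e1NTSEF9Q3hOYWFQdnJEVW84dVRjNnhYKzM1MlFZcmlyRmk0Q0o=

dn: cn=john doe,ou=people,dc=ldapadmin,dc=test
uid: jdoe
userPassword:: e01ENX1VbnZWdGRhSjRzTXE2WFRHSXAvM2hRPT0=
`

// Entry is one LDIF record: its DN plus multi-valued attributes.
type Entry struct {
	DN    string
	Attrs map[string][]string
}

// parseLDIF reads "attr: value" and base64 "attr:: value" lines; a line without ":" (blank) ends a record.
func parseLDIF(src string) (out []Entry) {
	var cur Entry
	for _, line := range strings.Split(src+"\n", "\n") {
		name, val, found := strings.Cut(line, ":")
		if !found {
			if cur.DN != "" {
				out = append(out, cur)
			}
			cur = Entry{}
			continue
		}
		if val = strings.TrimSpace(val); strings.HasPrefix(val, ":") { // "::" marks base64
			if raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(val[1:])); err == nil {
				val = string(raw)
			}
		}
		if name == "dn" {
			cur = Entry{DN: val, Attrs: map[string][]string{}}
		} else if cur.Attrs != nil {
			cur.Attrs[name] = append(cur.Attrs[name], val)
		}
	}
	return out
}

// normalizeDN lower-cases a DN and trims spaces around RDN separators ("dc=a, dc=b" == "dc=a,dc=b").
func normalizeDN(dn string) string {
	parts := strings.Split(strings.ToLower(dn), ",")
	for i, p := range parts {
		parts[i] = strings.TrimSpace(p)
	}
	return strings.Join(parts, ",")
}

// dnExists is the first thing a simple bind needs: the BindDN must name a real entry.
func dnExists(entries []Entry, dn string) bool {
	for _, e := range entries {
		if normalizeDN(e.DN) == normalizeDN(dn) {
			return true
		}
	}
	return false
}

// filterEscaper applies RFC 4515 escaping so a login name from the Basic-auth header cannot change the filter (e.g. "*" or ")(uid=*").
var filterEscaper = strings.NewReplacer(`\`, `\5c`, `*`, `\2a`, `(`, `\28`, `)`, `\29`, "\x00", `\00`)

// buildFilter renders the post's "(uid=%s)" template with the escaped login.
func buildFilter(login string) string {
	return fmt.Sprintf("(uid=%s)", filterEscaper.Replace(login))
}

// searchUID models the search step: a case-insensitive (uid uses caseIgnoreMatch) exact match on uid under BaseDN.
func searchUID(entries []Entry, baseDN, login string) (string, bool) {
	for _, e := range entries {
		if !strings.HasSuffix(normalizeDN(e.DN), normalizeDN(baseDN)) {
			continue
		}
		for _, u := range e.Attrs["uid"] {
			if strings.EqualFold(u, login) {
				return e.DN, true
			}
		}
	}
	return "", false
}

// passwordScheme returns the {SCHEME} prefix of a decoded userPassword value.
func passwordScheme(stored string) string {
	if i := strings.IndexByte(stored, '}'); strings.HasPrefix(stored, "{") && i > 0 {
		return stored[:i+1]
	}
	return ""
}
```

Run against the dump, this model shows three things. cn=olivia,dc=ldapadmin,dc=test is not an entry at all (olivia's DN is uid=olivia,ou=people,dc=ldapadmin,dc=test), so a bind with that DN fails before the password is even considered. A login of john selects nothing, because the user created in phpLDAPadmin has uid jdoe (its cn is "john doe"). And that user's userPassword decodes to a {MD5} value, an unsalted fast hash, while the other entries in the dump use {SSHA}. Two further checks a practitioner would make: Host must be a hostname, since LDAP connects to host:port and a URL path such as /phpldapadmin has no meaning there; and binding the application as cn=admin, the directory's root account, gives the web service write access to the whole tree, whereas the dump already contains cn=readonly,ou=people,dc=ldapadmin,dc=test, described as "Bind DN user for LDAP Operations", which is the least-privilege kind of account a service should bind with.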
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.