- package main
import (
	"crypto/tls"
	"fmt"
	"log"
	"os"

	"gopkg.in/ldap.v3"
)
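// main checks one user's password (and optionally group membership) against
// the directory and reports the outcome on the log. It exits non-zero on any
// directory/transport error and when the user is not authenticated.
func main() {
	// Identity values are fixed for this example; the two passwords are read
	// from the environment so that no secret is committed with the source.
	// LDAP_USER_PASSWORD / LDAP_BIND_PASSWORD are names chosen for this program.
	username := "jodo"
	password := os.Getenv("LDAP_USER_PASSWORD")
	dc := "dc=smn,dc=local"
	ldapserver := "dc.smn.local"
	bindusername := "svc@smn.local"
	bindpassword := os.Getenv("LDAP_BIND_PASSWORD")
	groups := []string{"Test", "WEB", "Web-lcal"}

	if password == "" || bindpassword == "" {
		log.Fatal("LDAP_USER_PASSWORD and LDAP_BIND_PASSWORD must be set")
	}

	// Connect and bind as the read-only service account.
	conn, err := connection(ldapserver, bindusername, bindpassword)
	if err != nil {
		log.Fatal(err)
	}
	defer conn.Close()

	// Verify the user's password; with a non-empty groups slice the user must
	// also be a member of one of them.
	ok, err := authUser(conn, dc, username, password, groups)
	if err != nil {
		log.Fatal(err)
	}
	if !ok {
		// A negative result must be visible, not a silent exit 0.
		log.Fatalf("%s is not authenticated", username)
	}
	log.Printf("%s is authenticated", username)

	// authUser leaves the connection bound as the checked user; rebind as the
	// service account before issuing any further queries.
	if err := conn.Bind(bindusername, bindpassword); err != nil {
		log.Fatal(err)
	}
}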
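// ldapPort is the standard clear-text LDAP port; the session is upgraded
// with StartTLS before any credential is sent over it.
const ldapPort = "389"

// connection dials ldapserver on ldapPort, upgrades the session with
// StartTLS and performs a simple bind as bindusername/bindpassword.
//
// The returned *ldap.Conn is owned by the caller only when err is nil; on a
// StartTLS or bind failure the connection is closed before returning so it
// is not leaked. The certificate is verified against ldapserver using the
// system trust store, so a private CA must be installed there.
func connection(ldapserver string, bindusername string, bindpassword string) (*ldap.Conn, error) {
	conn, err := ldap.Dial("tcp", ldapserver+":"+ldapPort)
	if err != nil {
		return nil, err
	}
	// A simple bind transmits the password in clear text; StartTLS protects
	// it on the wire. ServerName makes the certificate check use the host we
	// intended to reach rather than whatever the dial resolved to.
	tlsCfg := &tls.Config{
		ServerName: ldapserver,
		MinVersion: tls.VersionTLS12,
	}
	if err := conn.StartTLS(tlsCfg); err != nil {
		conn.Close()
		return nil, err
	}
	if err := conn.Bind(bindusername, bindpassword); err != nil {
		conn.Close()
		return nil, err
	}
	return conn, nil
}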
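// authUser verifies username/password against the directory rooted at dc.
//
// With an empty groups slice the user only has to resolve to exactly one
// sAMAccountName match and bind successfully with password. Otherwise the
// user must additionally be a direct member of at least one of groups; the
// first group that matches ends the search.
//
// Returns (false, nil) when no unique matching entry is found and
// (true, nil) when the bind succeeds. Search failures and bind failures
// (including a rejected password) are returned as a non-nil error, as in
// checkUser.
//
// username and each group are caller-supplied values embedded in an LDAP
// filter, so they are passed through ldap.EscapeFilter; without that a value
// such as "*" or ")(" would change the meaning of the filter.
func authUser(conn *ldap.Conn, dc, username, password string, groups []string) (bool, error) {
	user := ldap.EscapeFilter(username)

	if len(groups) == 0 {
		filter := fmt.Sprintf("(sAMAccountName=%s)", user)
		return checkUser(conn, newUserSearch(dc, filter), password)
	}

	for _, group := range groups {
		// The group is assumed to be located directly under dc as
		// CN=<group>,<dc>; a group under another container will not match.
		// NOTE(review): EscapeFilter covers filter metacharacters only — a
		// group name containing DN-special characters (',', '+', '"', '\',
		// '<', '>', ';') would also need DN escaping; confirm the configured
		// group names never do.
		filter := fmt.Sprintf("(&(objectClass=user)(sAMAccountName=%s)(memberOf=CN=%s,%s))",
			user, ldap.EscapeFilter(group), dc)
		ok, err := checkUser(conn, newUserSearch(dc, filter), password)
		if err != nil {
			return false, err
		}
		if ok {
			return true, nil
		}
	}
	return false, nil
}

// newUserSearch builds the subtree search used by authUser: whole subtree
// below baseDN, no alias dereferencing, no size or time limit, and only the
// dn and cn attributes requested.
func newUserSearch(baseDN, filter string) *ldap.SearchRequest {
	return ldap.NewSearchRequest(
		baseDN,
		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
		filter,
		[]string{"dn", "cn"},
		nil,
	)
}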
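// checkUser runs searchRequest and, when it yields exactly one entry, binds
// as that entry's DN with password to verify the credential.
//
// Returns (false, nil) when password is empty or the search matches zero or
// several entries — an ambiguous match is never treated as success — and
// (true, nil) on a successful bind. Search errors and bind errors (a
// rejected password surfaces as a bind error carrying
// ldap.LDAPResultInvalidCredentials) are returned as non-nil error.
//
// On success the connection is left bound as the verified user; callers
// that keep querying should rebind as their service account.
func checkUser(conn *ldap.Conn, searchRequest *ldap.SearchRequest, password string) (bool, error) {
	// RFC 4513 §5.1.2: a simple bind with a DN and a zero-length password is
	// an "unauthenticated" bind that servers may accept as anonymous, which
	// would look like a successful password check. Refuse it here instead of
	// relying on the client library to do so.
	if password == "" {
		return false, nil
	}

	sr, err := conn.Search(searchRequest)
	if err != nil {
		return false, err
	}
	// Anything other than a single hit is "not found" rather than an error;
	// err is nil on this path, so say so explicitly.
	if len(sr.Entries) != 1 {
		return false, nil
	}

	// Bind as the user to verify their password.
	userdn := sr.Entries[0].DN
	if err := conn.Bind(userdn, password); err != nil {
		return false, err
	}
	return true, nil
}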