Commit graph

43 commits

Author SHA1 Message Date
m.nabokikh
a5ad5eaf08 fix: Minor style fixes after merging PKCE implementation
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-26 23:20:33 +04:00
m.nabokikh
1d83e4749d Add gocritic
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-18 01:54:27 +04:00
m.nabokikh
4d63e9cd68 fix: Bump golangci-lint version and fix some linter's problems
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-18 01:02:29 +04:00
batara666
6499f5bfd3
ldap.go: drop else on returned if block 2020-07-27 22:27:55 +07:00
Vitaliy Dmitriev
e20a795a2a connector/ldap: backward compatibility with single user to group mapping
Signed-off-by: Vitaliy Dmitriev <vi7alya@gmail.com>
2020-01-14 11:00:32 +01:00
Vitaliy Dmitriev
f2e7823db9 connector/ldap: add multiple user to group mapping
Add an ability to fetch user's membership from
  groups of a different type by specifying multiple
  group attribute to user attribute value matchers
  in the Dex config:

    userMatchers:
    - userAttr: uid
      groupAttr: memberUid
    - userAttr: DN
      groupAttr: member

  In other words the user's groups can be fetched now from
  ldap structure similar to the following:

    dn: cn=john,ou=People,dc=example,dc=org
    objectClass: person
    objectClass: inetOrgPerson
    sn: doe
    cn: john
    uid: johndoe
    mail: johndoe@example.com
    userpassword: bar

    dn: cn=qa,ou=Groups,ou=Portland,dc=example,dc=org
    objectClass: groupOfNames
    cn: qa
    member: cn=john,ou=People,dc=example,dc=org

    dn: cn=logger,ou=UnixGroups,ou=Portland,dc=example,dc=org
    objectClass: posixGroup
    gidNumber: 1000
    cn: logger
    memberUid: johndoe

Signed-off-by: Vitaliy Dmitriev <vi7alya@gmail.com>
2020-01-03 10:40:21 +01:00
Mark Sagi-Kazar
f141f2133b
Fix whitespace 2019-12-18 15:56:12 +01:00
Nandor Kracser
c1b421fa04 add preffered_username to idToken
Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2019-10-30 13:06:37 +01:00
Mark Sagi-Kazar
be581fa7ff
Add logger interface and stop relying on Logrus directly 2019-02-22 13:38:57 +01:00
Daniel Kessler
ee54a50956 LDAP connector - add emailSuffix config option 2019-01-08 19:01:42 -08:00
Stephan Renatus
c14b2fd5a5
connector/ldap: slightly improve error output
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-11-13 09:40:40 +01:00
veily
317f433a14
support self-signed certificates ldap
Format ldap.go

Format ldap.go: with a space for golint

with a space

Rename clientCA is to clientCert

Update ldap.go

modified the ldap client certificate file comments.

modified load ldap client cert error.

modified load ldap client cert error: fmt.Errorf("ldap: load client cert failed: %v", err)
2018-09-22 12:15:11 +08:00
Eric Chiang
bb75dcd793
Merge pull request #1283 from srenatus/sr/move-github-org/fix-imports
Finish GitHub org move
2018-09-05 09:14:06 -07:00
Stephan Renatus
b9f6594bf0 *: github.com/coreos/dex -> github.com/dexidp/dex
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-09-05 17:57:08 +02:00
Stephan Renatus
6a2d4ab6b4 connectors/ldap: treat 'constraint violation' on bind as bad credentials
Some directory servers (I think it's Oracle) return

    Constraint Violation: Exceed password retry limit. Account locked.

when attempting to login too many times. While constraint violation can
mean many things, we're checking this as an error on BIND, so it's
more likely that something like this has happened than any other thing.

Hence, we should treat it as an "incorrect password" situation, not an
internal error.

It would of course be preferrable to surface more information about this
precise error (and similar ones), but I think this is beyond this small
change.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-09-05 10:03:17 +02:00
pmcgrath
4aec353aec 1170 - Fix comment typos
BsaeDN should be BaseDN
2018-01-14 12:34:45 +00:00
Stephan Renatus
b09a13458f password connectors: allow overriding the username attribute (password prompt)
This allows users of the LDAP connector to give users of Dex' login
prompt an idea of what they should enter for a username.

Before, irregardless of how the LDAP connector was set up, the prompt
was

    Username
    [_________________]

    Password
    [_________________]

Now, this is configurable, and can be used to say "MyCorp SSO Login" if
that's what it is.

If it's not configured, it will default to "Username".

For the passwordDB connector (local users), it is set to "Email
Address", since this is what it uses.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2017-11-09 09:30:03 +01:00
Michael Stapelberg
a41d93db4a Implement the “authproxy” connector (for Apache2 mod_auth etc.) 2017-10-25 21:53:51 +02:00
Eric Chiang
aad328bb35 *: add log events for login, LDAP queries, and SAML responses 2017-08-11 12:00:06 -07:00
Eric Stroczynski
4a88d0641a : update {S->s}irupsen/logrus 2017-07-25 13:46:44 -07:00
rithu john
0dd024d669 connector/ldap: correct a comment. 2017-05-04 15:39:08 -07:00
rithu john
6e3e174100 connector/ldap: check for blank passwords and return error. 2017-05-04 13:42:23 -07:00
zhuguihua
4e99ec3eeb Fix two typos
Signed-off-by: zhuguihua <zhuguihua@cmss.chinamobile.com>

Change storace to storage in cmd/dex/config.go,
change userSearch to groupSearch in connector/ldap/ldap.go
2017-04-14 03:30:12 +00:00
Eric Chiang
74f5eaf47e connector/ldap: support the StartTLS flow for secure connections
When connecting to an LDAP server, there are three ways to connect:

1. Insecurely through port 389 (LDAP).
2. Securely through port 696 (LDAPS).
3. Insecurely through port 389 then negotiate TLS (StartTLS).

This PR adds support for the 3rd flow, letting dex connect to the
standard LDAP port then negotiating TLS through the LDAP protocol
itself.

See a writeup here:

http://www.openldap.org/faq/data/cache/185.html
2017-04-12 15:25:42 -07:00
Eric Chiang
97813ff4fc connector/ldap: fix case where groups are listed on the user entity
Support schemas that determine membership by having fields on the
user entity, instead of listing users on a groups entity. E.g. the
following schema is now supported when it wasn't previously:

    cn=eric,cn=user,dn=exapmle,dn=com
    objectClass=myPerson
    cn: eric
    uid: eric
    email: eric@example.com
    memberOf: foo
    memberOf: bar

    cn=foo,cn=group,dn=exapmle,dn=com
    objectClass=myGroup
    cn: foo

    cn=bar,cn=group,dn=exapmle,dn=com
    objectClass=myGroup
    cn: bar
2017-04-11 09:48:48 -07:00
Eric Chiang
4a93b55c8b connector/ldap: add LDAP integration tests 2017-04-10 15:33:07 -07:00
Eric Chiang
777eeafabc *: update go-oidc and use standard library's context package 2017-03-08 10:33:19 -08:00
rithu john
6a728f107e connector/ldap: enable groupSearch to be empty 2016-12-27 11:07:03 -08:00
rithu john
9949a1313c server: modify error messages to use logrus. 2016-12-13 11:52:44 -08:00
rithu john
2e22a948cf cmd/dex: add logging config and serve logger for different modules. 2016-12-12 15:56:50 -08:00
Eric Chiang
1e0cf3c068 connector/ldap: default email_verified to true 2016-12-09 13:22:19 -08:00
Eric Chiang
952e0f81f5 connector: add RefreshConnector interface 2016-11-22 12:53:46 -08:00
Eric Chiang
ae4c32bc3b connector/ldap: use gopkg.in/ldap.v2's escape filter
Use the escape filter method provided by the upstream LDAP package
instead of rolling our own.
2016-11-18 15:16:40 -08:00
Phu Kieu
d4aba443ac Allow getAttr to return DN
Specify "DN" as attribute name to return, but will only work if not present in ldap.Entry.Attributes
Use when full DN is stored in groupSearch's userAttr
2016-11-18 13:51:47 -08:00
Chris Jones
384ac87deb connector/ldap: Always set tls.Config.ServerName, to support LDAP servers with public CA certs. 2016-11-15 14:06:39 -07:00
Eric Chiang
0f31566b27 connector: accept base64 encoded CA and add convience open method 2016-11-03 16:28:23 -07:00
Eric Chiang
aa7f304bc1 *: switch to github.com/ghodss/yaml for more consistent YAML parsing
ghodss/yaml converts from YAML to JSON before attempting to unmarshal.
This allows us to:

* Get the correct behavor when decoding base64'd []byte slices.
* Use *json.RawMessage.
* Not have to support extravagant YAML features.
* Let our structs use `json:` tags
2016-11-03 14:39:32 -07:00
Eric Chiang
57a59d4631 *: don't error out if a username doesn't exist in the backing connector
Instead of throwing a 500 error if a user enters an invalid name,
display the same text box as if the user had entered the wrong
password.

NOTE: An invalid username now returns much quicker than an invalid
password. Consider adding an arbitrary sleep in the future if we
care about masking which was invalid.
2016-11-01 14:10:55 -07:00
Eric Chiang
4329406158 connector/ldap: fix bug in switch statement 2016-10-28 10:11:18 -07:00
Eric Chiang
13f7dfaef0 connector/ldap: expand LDAP connector to include searches 2016-10-27 13:11:30 -07:00
Eric Chiang
bfe560ee21 rename 2016-08-10 22:31:42 -07:00
Eric Chiang
f4c5722e42 *: connectors use a different identity object than storage 2016-08-02 21:20:18 -07:00
Eric Chiang
cab271f304 initial commit 2016-07-26 15:51:24 -07:00