IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
5b1498f98f3e1e386381d4e8e630cea75653c5a9
grafana/pkg/services/ldap/multildap/multildap.go

262 lines
6.2 KiB
Go
Raw Normal View History

Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
package multildap
import (
"errors"
LDAP: Move LDAP globals to Config (#63255) * structure dtos and private methods * add basic LDAP service * use LDAP service in ldap debug API * lower non fatal error * remove unused globals * wip * remove final globals * fix tests to use cfg enabled * restructure errors * remove logger from globals * use ldap service in authn * use ldap service in context handler * fix failed tests * fix ldap middleware provides * fix provides in auth_test.go
2023-02-10 19:01:55 +01:00
"github.com/grafana/grafana/pkg/cmd/grafana-cli/logger"
Multi-LDAP: Do not fail-fast on invalid credentials (#19261) * Multi-LDAP: Do not fail-fast on invalid credentials When configuring LDAP authentication, it is very common to have multiple servers configured. When using user bind (authenticating with LDAP using the same credentials as the user authenticating to Grafana) we don't expect all the users to be on all LDAP servers. Because of this use-case, we should not fail-fast when authenticating on multiple LDAP server configurations. Instead, we should continue to try the credentials with the next LDAP server configured. Fixes #19066
2019-09-23 13:34:05 +01:00
"github.com/grafana/grafana/pkg/infra/log"
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
"github.com/grafana/grafana/pkg/services/ldap"
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2023-01-27 13:36:54 -05:00
"github.com/grafana/grafana/pkg/services/login"
LDAP: Move LDAP globals to Config (#63255) * structure dtos and private methods * add basic LDAP service * use LDAP service in ldap debug API * lower non fatal error * remove unused globals * wip * remove final globals * fix tests to use cfg enabled * restructure errors * remove logger from globals * use ldap service in authn * use ldap service in context handler * fix failed tests * fix ldap middleware provides * fix provides in auth_test.go
2023-02-10 19:01:55 +01:00
"github.com/grafana/grafana/pkg/setting"
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
)
// GetConfig gets LDAP config
var GetConfig = ldap.GetConfig
LDAP: small improvements to various LDAP parts (#17662) * Add multildap config example * Publicize mocks for multildap module
2019-06-19 15:46:04 +02:00
// newLDAP return instance of the single LDAP server
var newLDAP = ldap.New
LDAP: Move LDAP globals to Config (#63255) * structure dtos and private methods * add basic LDAP service * use LDAP service in ldap debug API * lower non fatal error * remove unused globals * wip * remove final globals * fix tests to use cfg enabled * restructure errors * remove logger from globals * use ldap service in authn * use ldap service in context handler * fix failed tests * fix ldap middleware provides * fix provides in auth_test.go
2023-02-10 19:01:55 +01:00
var (
// ErrInvalidCredentials is returned if username and password do not match
ErrInvalidCredentials = ldap.ErrInvalidCredentials
// ErrCouldNotFindUser is returned when username hasn't been found (not username+password)
ErrCouldNotFindUser = ldap.ErrCouldNotFindUser
// ErrNoLDAPServers is returned when there is no LDAP servers specified
ErrNoLDAPServers = errors.New("no LDAP servers are configured")
// ErrDidNotFindUser if request for user is unsuccessful
ErrDidNotFindUser = errors.New("did not find a user")
)
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
LDAP: Add API endpoint to query the LDAP server(s) status (#18868) * LDAP: Add API endpoint to query the LDAP server(s) status| This endpoint returns the current status(es) of the configured LDAP server(s). The status of each server is verified by dialling and if no error is returned we assume the server is operational. This is the last piece I'll produce as an API before moving into #18759 and see the view come to life.
2019-09-04 15:29:14 +01:00
// ServerStatus holds the LDAP server status
type ServerStatus struct {
Host string
Port int
Available bool
Error error
}
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
// IMultiLDAP is interface for MultiLDAP
type IMultiLDAP interface {
LDAP: Add API endpoint to query the LDAP server(s) status (#18868) * LDAP: Add API endpoint to query the LDAP server(s) status| This endpoint returns the current status(es) of the configured LDAP server(s). The status of each server is verified by dialling and if no error is returned we assume the server is operational. This is the last piece I'll produce as an API before moving into #18759 and see the view come to life.
2019-09-04 15:29:14 +01:00
Ping() ([]*ServerStatus, error)
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2023-01-27 13:36:54 -05:00
Login(query *login.LoginUserQuery) (
*login.ExternalUserInfo, error,
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
)
Users(logins []string) (
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2023-01-27 13:36:54 -05:00
[]*login.ExternalUserInfo, error,
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
)
User(login string) (
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2023-01-27 13:36:54 -05:00
*login.ExternalUserInfo, ldap.ServerConfig, error,
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
)
}
// MultiLDAP is basic struct of LDAP authorization
type MultiLDAP struct {
configs []*ldap.ServerConfig
LDAP: Move LDAP globals to Config (#63255) * structure dtos and private methods * add basic LDAP service * use LDAP service in ldap debug API * lower non fatal error * remove unused globals * wip * remove final globals * fix tests to use cfg enabled * restructure errors * remove logger from globals * use ldap service in authn * use ldap service in context handler * fix failed tests * fix ldap middleware provides * fix provides in auth_test.go
2023-02-10 19:01:55 +01:00
cfg *setting.Cfg
log log.Logger
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
}
// New creates the new LDAP auth
LDAP: Move LDAP globals to Config (#63255) * structure dtos and private methods * add basic LDAP service * use LDAP service in ldap debug API * lower non fatal error * remove unused globals * wip * remove final globals * fix tests to use cfg enabled * restructure errors * remove logger from globals * use ldap service in authn * use ldap service in context handler * fix failed tests * fix ldap middleware provides * fix provides in auth_test.go
2023-02-10 19:01:55 +01:00
func New(configs []*ldap.ServerConfig, cfg *setting.Cfg) IMultiLDAP {
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
return &MultiLDAP{
configs: configs,
LDAP: Move LDAP globals to Config (#63255) * structure dtos and private methods * add basic LDAP service * use LDAP service in ldap debug API * lower non fatal error * remove unused globals * wip * remove final globals * fix tests to use cfg enabled * restructure errors * remove logger from globals * use ldap service in authn * use ldap service in context handler * fix failed tests * fix ldap middleware provides * fix provides in auth_test.go
2023-02-10 19:01:55 +01:00
cfg: cfg,
log: log.New("ldap"),
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
}
}
LDAP: Add API endpoint to query the LDAP server(s) status (#18868) * LDAP: Add API endpoint to query the LDAP server(s) status| This endpoint returns the current status(es) of the configured LDAP server(s). The status of each server is verified by dialling and if no error is returned we assume the server is operational. This is the last piece I'll produce as an API before moving into #18759 and see the view come to life.
2019-09-04 15:29:14 +01:00
// Ping dials each of the LDAP servers and returns their status. If the server is unavailable, it also returns the error.
func (multiples *MultiLDAP) Ping() ([]*ServerStatus, error) {
if len(multiples.configs) == 0 {
return nil, ErrNoLDAPServers
}
serverStatuses := []*ServerStatus{}
for _, config := range multiples.configs {
status := &ServerStatus{}
status.Host = config.Host
status.Port = config.Port
LDAP: Move LDAP globals to Config (#63255) * structure dtos and private methods * add basic LDAP service * use LDAP service in ldap debug API * lower non fatal error * remove unused globals * wip * remove final globals * fix tests to use cfg enabled * restructure errors * remove logger from globals * use ldap service in authn * use ldap service in context handler * fix failed tests * fix ldap middleware provides * fix provides in auth_test.go
2023-02-10 19:01:55 +01:00
server := newLDAP(config, multiples.cfg)
LDAP: Add API endpoint to query the LDAP server(s) status (#18868) * LDAP: Add API endpoint to query the LDAP server(s) status| This endpoint returns the current status(es) of the configured LDAP server(s). The status of each server is verified by dialling and if no error is returned we assume the server is operational. This is the last piece I'll produce as an API before moving into #18759 and see the view come to life.
2019-09-04 15:29:14 +01:00
err := server.Dial()
if err == nil {
status.Available = true
serverStatuses = append(serverStatuses, status)
Close the connection only if we establish it. (#18897)
2019-09-16 14:13:35 +01:00
server.Close()
LDAP: Add API endpoint to query the LDAP server(s) status (#18868) * LDAP: Add API endpoint to query the LDAP server(s) status| This endpoint returns the current status(es) of the configured LDAP server(s). The status of each server is verified by dialling and if no error is returned we assume the server is operational. This is the last piece I'll produce as an API before moving into #18759 and see the view come to life.
2019-09-04 15:29:14 +01:00
} else {
status.Available = false
status.Error = err
serverStatuses = append(serverStatuses, status)
}
}
return serverStatuses, nil
}
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
// Login tries to log in the user in multiples LDAP
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2023-01-27 13:36:54 -05:00
func (multiples *MultiLDAP) Login(query *login.LoginUserQuery) (
*login.ExternalUserInfo, error,
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
) {
if len(multiples.configs) == 0 {
return nil, ErrNoLDAPServers
}
LDAP: Disable user in case it has been removed from LDAP directory (#60231) * Fix login flow * Align test * Fix comments * Improve test
2022-12-14 09:41:51 +01:00
ldapSilentErrors := []error{}
LDAP: All LDAP servers should be tried even if one of them returns a connection error (#20077) All ldap servers are now being tried and the first one that gives back an answer is used if a previous one is failing. Applies to login and syncing
2019-11-05 08:58:59 +01:00
for index, config := range multiples.configs {
LDAP: Move LDAP globals to Config (#63255) * structure dtos and private methods * add basic LDAP service * use LDAP service in ldap debug API * lower non fatal error * remove unused globals * wip * remove final globals * fix tests to use cfg enabled * restructure errors * remove logger from globals * use ldap service in authn * use ldap service in context handler * fix failed tests * fix ldap middleware provides * fix provides in auth_test.go
2023-02-10 19:01:55 +01:00
server := newLDAP(config, multiples.cfg)
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
if err := server.Dial(); err != nil {
LDAP: All LDAP servers should be tried even if one of them returns a connection error (#20077) All ldap servers are now being tried and the first one that gives back an answer is used if a previous one is failing. Applies to login and syncing
2019-11-05 08:58:59 +01:00
logDialFailure(err, config)
// Only return an error if it is the last server so we can try next server
if index == len(multiples.configs)-1 {
return nil, err
}
continue
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
}
defer server.Close()
user, err := server.Login(query)
if err != nil {
Multi-LDAP: Do not fail-fast on invalid credentials (#19261) * Multi-LDAP: Do not fail-fast on invalid credentials When configuring LDAP authentication, it is very common to have multiple servers configured. When using user bind (authenticating with LDAP using the same credentials as the user authenticating to Grafana) we don't expect all the users to be on all LDAP servers. Because of this use-case, we should not fail-fast when authenticating on multiple LDAP server configurations. Instead, we should continue to try the credentials with the next LDAP server configured. Fixes #19066
2019-09-23 13:34:05 +01:00
if isSilentError(err) {
LDAP: Disable user in case it has been removed from LDAP directory (#60231) * Fix login flow * Align test * Fix comments * Improve test
2022-12-14 09:41:51 +01:00
ldapSilentErrors = append(ldapSilentErrors, err)
LDAP: Move LDAP globals to Config (#63255) * structure dtos and private methods * add basic LDAP service * use LDAP service in ldap debug API * lower non fatal error * remove unused globals * wip * remove final globals * fix tests to use cfg enabled * restructure errors * remove logger from globals * use ldap service in authn * use ldap service in context handler * fix failed tests * fix ldap middleware provides * fix provides in auth_test.go
2023-02-10 19:01:55 +01:00
multiples.log.Debug(
Multi-LDAP: Do not fail-fast on invalid credentials (#19261) * Multi-LDAP: Do not fail-fast on invalid credentials When configuring LDAP authentication, it is very common to have multiple servers configured. When using user bind (authenticating with LDAP using the same credentials as the user authenticating to Grafana) we don't expect all the users to be on all LDAP servers. Because of this use-case, we should not fail-fast when authenticating on multiple LDAP server configurations. Instead, we should continue to try the credentials with the next LDAP server configured. Fixes #19066
2019-09-23 13:34:05 +01:00
"unable to login with LDAP - skipping server",
"host", config.Host,
"port", config.Port,
"error", err,
)
continue
}
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
return nil, err
}
LDAP: Disable user in case it has been removed from LDAP directory (#60231) * Fix login flow * Align test * Fix comments * Improve test
2022-12-14 09:41:51 +01:00
if user != nil {
return user, nil
}
}
// Return ErrInvalidCredentials in case any of the errors was ErrInvalidCredentials (means that the authentication has failed at least once)
for _, ldapErr := range ldapSilentErrors {
if errors.Is(ldapErr, ErrInvalidCredentials) {
return nil, ErrInvalidCredentials
}
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
}
LDAP: Disable user in case it has been removed from LDAP directory (#60231) * Fix login flow * Align test * Fix comments * Improve test
2022-12-14 09:41:51 +01:00
// Return ErrCouldNotFindUser if all of the configured LDAP servers returned with ErrCouldNotFindUser
return nil, ErrCouldNotFindUser
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
}
LDAP: Add API endpoint to debug user mapping from LDAP (#18833) * Move the ReloadLDAPCfg function to the debug file Appears to be a better suite place for this. * LDAP: Return the server information when we find a specific user We allow you to specify multiple LDAP servers as part of LDAP authentication integration. As part of searching for specific users, we need to understand from which server they come from. Returning the server configuration as part of the search will help us do two things: - Understand in which server we found the user - Have access the groups specified as part of the server configuration * LDAP: Adds the /api/admin/ldap/:username endpoint This endpoint returns a user found within the configured LDAP server(s). Moreso, it provides the mapping information for the user to help administrators understand how the users would be created within Grafana based on the current configuration. No changes are executed or saved to the database, this is all an in-memory representation of how the final result would look like.
2019-09-03 18:34:44 +01:00
// User attempts to find an user by login/username by searching into all of the configured LDAP servers. Then, if the user is found it returns the user alongisde the server it was found.
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
func (multiples *MultiLDAP) User(login string) (
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2023-01-27 13:36:54 -05:00
*login.ExternalUserInfo,
LDAP: Add API endpoint to debug user mapping from LDAP (#18833) * Move the ReloadLDAPCfg function to the debug file Appears to be a better suite place for this. * LDAP: Return the server information when we find a specific user We allow you to specify multiple LDAP servers as part of LDAP authentication integration. As part of searching for specific users, we need to understand from which server they come from. Returning the server configuration as part of the search will help us do two things: - Understand in which server we found the user - Have access the groups specified as part of the server configuration * LDAP: Adds the /api/admin/ldap/:username endpoint This endpoint returns a user found within the configured LDAP server(s). Moreso, it provides the mapping information for the user to help administrators understand how the users would be created within Grafana based on the current configuration. No changes are executed or saved to the database, this is all an in-memory representation of how the final result would look like.
2019-09-03 18:34:44 +01:00
ldap.ServerConfig,
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
error,
) {
if len(multiples.configs) == 0 {
LDAP: Add API endpoint to debug user mapping from LDAP (#18833) * Move the ReloadLDAPCfg function to the debug file Appears to be a better suite place for this. * LDAP: Return the server information when we find a specific user We allow you to specify multiple LDAP servers as part of LDAP authentication integration. As part of searching for specific users, we need to understand from which server they come from. Returning the server configuration as part of the search will help us do two things: - Understand in which server we found the user - Have access the groups specified as part of the server configuration * LDAP: Adds the /api/admin/ldap/:username endpoint This endpoint returns a user found within the configured LDAP server(s). Moreso, it provides the mapping information for the user to help administrators understand how the users would be created within Grafana based on the current configuration. No changes are executed or saved to the database, this is all an in-memory representation of how the final result would look like.
2019-09-03 18:34:44 +01:00
return nil, ldap.ServerConfig{}, ErrNoLDAPServers
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
}
search := []string{login}
LDAP: All LDAP servers should be tried even if one of them returns a connection error (#20077) All ldap servers are now being tried and the first one that gives back an answer is used if a previous one is failing. Applies to login and syncing
2019-11-05 08:58:59 +01:00
for index, config := range multiples.configs {
LDAP: Move LDAP globals to Config (#63255) * structure dtos and private methods * add basic LDAP service * use LDAP service in ldap debug API * lower non fatal error * remove unused globals * wip * remove final globals * fix tests to use cfg enabled * restructure errors * remove logger from globals * use ldap service in authn * use ldap service in context handler * fix failed tests * fix ldap middleware provides * fix provides in auth_test.go
2023-02-10 19:01:55 +01:00
server := newLDAP(config, multiples.cfg)
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
if err := server.Dial(); err != nil {
LDAP: All LDAP servers should be tried even if one of them returns a connection error (#20077) All ldap servers are now being tried and the first one that gives back an answer is used if a previous one is failing. Applies to login and syncing
2019-11-05 08:58:59 +01:00
logDialFailure(err, config)
// Only return an error if it is the last server so we can try next server
if index == len(multiples.configs)-1 {
return nil, *config, err
}
continue
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
}
defer server.Close()
LDAP: Adds bind before searching LDAP for non-login cases. (#18023)
2019-07-10 12:25:21 +02:00
if err := server.Bind(); err != nil {
LDAP: Add API endpoint to debug user mapping from LDAP (#18833) * Move the ReloadLDAPCfg function to the debug file Appears to be a better suite place for this. * LDAP: Return the server information when we find a specific user We allow you to specify multiple LDAP servers as part of LDAP authentication integration. As part of searching for specific users, we need to understand from which server they come from. Returning the server configuration as part of the search will help us do two things: - Understand in which server we found the user - Have access the groups specified as part of the server configuration * LDAP: Adds the /api/admin/ldap/:username endpoint This endpoint returns a user found within the configured LDAP server(s). Moreso, it provides the mapping information for the user to help administrators understand how the users would be created within Grafana based on the current configuration. No changes are executed or saved to the database, this is all an in-memory representation of how the final result would look like.
2019-09-03 18:34:44 +01:00
return nil, *config, err
LDAP: Adds bind before searching LDAP for non-login cases. (#18023)
2019-07-10 12:25:21 +02:00
}
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
users, err := server.Users(search)
if err != nil {
LDAP: Add API endpoint to debug user mapping from LDAP (#18833) * Move the ReloadLDAPCfg function to the debug file Appears to be a better suite place for this. * LDAP: Return the server information when we find a specific user We allow you to specify multiple LDAP servers as part of LDAP authentication integration. As part of searching for specific users, we need to understand from which server they come from. Returning the server configuration as part of the search will help us do two things: - Understand in which server we found the user - Have access the groups specified as part of the server configuration * LDAP: Adds the /api/admin/ldap/:username endpoint This endpoint returns a user found within the configured LDAP server(s). Moreso, it provides the mapping information for the user to help administrators understand how the users would be created within Grafana based on the current configuration. No changes are executed or saved to the database, this is all an in-memory representation of how the final result would look like.
2019-09-03 18:34:44 +01:00
return nil, *config, err
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
}
if len(users) != 0 {
LDAP: Add API endpoint to debug user mapping from LDAP (#18833) * Move the ReloadLDAPCfg function to the debug file Appears to be a better suite place for this. * LDAP: Return the server information when we find a specific user We allow you to specify multiple LDAP servers as part of LDAP authentication integration. As part of searching for specific users, we need to understand from which server they come from. Returning the server configuration as part of the search will help us do two things: - Understand in which server we found the user - Have access the groups specified as part of the server configuration * LDAP: Adds the /api/admin/ldap/:username endpoint This endpoint returns a user found within the configured LDAP server(s). Moreso, it provides the mapping information for the user to help administrators understand how the users would be created within Grafana based on the current configuration. No changes are executed or saved to the database, this is all an in-memory representation of how the final result would look like.
2019-09-03 18:34:44 +01:00
return users[0], *config, nil
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
}
}
LDAP: Add API endpoint to debug user mapping from LDAP (#18833) * Move the ReloadLDAPCfg function to the debug file Appears to be a better suite place for this. * LDAP: Return the server information when we find a specific user We allow you to specify multiple LDAP servers as part of LDAP authentication integration. As part of searching for specific users, we need to understand from which server they come from. Returning the server configuration as part of the search will help us do two things: - Understand in which server we found the user - Have access the groups specified as part of the server configuration * LDAP: Adds the /api/admin/ldap/:username endpoint This endpoint returns a user found within the configured LDAP server(s). Moreso, it provides the mapping information for the user to help administrators understand how the users would be created within Grafana based on the current configuration. No changes are executed or saved to the database, this is all an in-memory representation of how the final result would look like.
2019-09-03 18:34:44 +01:00
return nil, ldap.ServerConfig{}, ErrDidNotFindUser
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
}
// Users gets users from multiple LDAP servers
func (multiples *MultiLDAP) Users(logins []string) (
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2023-01-27 13:36:54 -05:00
[]*login.ExternalUserInfo,
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
error,
) {
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2023-01-27 13:36:54 -05:00
var result []*login.ExternalUserInfo
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
if len(multiples.configs) == 0 {
return nil, ErrNoLDAPServers
}
LDAP: All LDAP servers should be tried even if one of them returns a connection error (#20077) All ldap servers are now being tried and the first one that gives back an answer is used if a previous one is failing. Applies to login and syncing
2019-11-05 08:58:59 +01:00
for index, config := range multiples.configs {
LDAP: Move LDAP globals to Config (#63255) * structure dtos and private methods * add basic LDAP service * use LDAP service in ldap debug API * lower non fatal error * remove unused globals * wip * remove final globals * fix tests to use cfg enabled * restructure errors * remove logger from globals * use ldap service in authn * use ldap service in context handler * fix failed tests * fix ldap middleware provides * fix provides in auth_test.go
2023-02-10 19:01:55 +01:00
server := newLDAP(config, multiples.cfg)
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
if err := server.Dial(); err != nil {
LDAP: All LDAP servers should be tried even if one of them returns a connection error (#20077) All ldap servers are now being tried and the first one that gives back an answer is used if a previous one is failing. Applies to login and syncing
2019-11-05 08:58:59 +01:00
logDialFailure(err, config)
// Only return an error if it is the last server so we can try next server
if index == len(multiples.configs)-1 {
return nil, err
}
continue
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
}
defer server.Close()
LDAP: Adds bind before searching LDAP for non-login cases. (#18023)
2019-07-10 12:25:21 +02:00
if err := server.Bind(); err != nil {
return nil, err
}
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
users, err := server.Users(logins)
if err != nil {
return nil, err
}
result = append(result, users...)
}
return result, nil
}
Multi-LDAP: Do not fail-fast on invalid credentials (#19261) * Multi-LDAP: Do not fail-fast on invalid credentials When configuring LDAP authentication, it is very common to have multiple servers configured. When using user bind (authenticating with LDAP using the same credentials as the user authenticating to Grafana) we don't expect all the users to be on all LDAP servers. Because of this use-case, we should not fail-fast when authenticating on multiple LDAP server configurations. Instead, we should continue to try the credentials with the next LDAP server configured. Fixes #19066
2019-09-23 13:34:05 +01:00
// isSilentError evaluates an error and tells whenever we should fail the LDAP request
// immediately or if we should continue into other LDAP servers
func isSilentError(err error) bool {
continueErrs := []error{ErrInvalidCredentials, ErrCouldNotFindUser}
for _, cerr := range continueErrs {
Chore: Enable errorlint linter (#29227) * Enable errorlint linter * Handle wrapped errors Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2020-11-19 14:47:17 +01:00
if errors.Is(err, cerr) {
Multi-LDAP: Do not fail-fast on invalid credentials (#19261) * Multi-LDAP: Do not fail-fast on invalid credentials When configuring LDAP authentication, it is very common to have multiple servers configured. When using user bind (authenticating with LDAP using the same credentials as the user authenticating to Grafana) we don't expect all the users to be on all LDAP servers. Because of this use-case, we should not fail-fast when authenticating on multiple LDAP server configurations. Instead, we should continue to try the credentials with the next LDAP server configured. Fixes #19066
2019-09-23 13:34:05 +01:00
return true
}
}
return false
}
LDAP: All LDAP servers should be tried even if one of them returns a connection error (#20077) All ldap servers are now being tried and the first one that gives back an answer is used if a previous one is failing. Applies to login and syncing
2019-11-05 08:58:59 +01:00
func logDialFailure(err error, config *ldap.ServerConfig) {
logger.Debug(
"unable to dial LDAP server",
"host", config.Host,
"port", config.Port,
"error", err,
)
}
Reference in New Issue Copy Permalink