add mail attribute to user,

bump API version to 1.0.3
go mod tidy
2024-10-12 22:33:34 +00:00 · 2024-10-10 20:59:01 +00:00 · 2024-10-10 20:57:29 +00:00 · 2024-10-05 00:08:58 +00:00 · 2024-07-26 01:25:46 +00:00 · 2024-07-18 20:22:12 +00:00
7 changed files with 209 additions and 92 deletions
--- a/2
+++ b/2
@@ -1,5 +1,5 @@
 build: clean
-	go build -ldflags="-s -w" -o dist/ .
+	CGO_ENABLED=0 go build -ldflags="-s -w" -o dist/ .

 test: clean
 	go run .
--- a/README.md
+++ b/README.md
@@ -0,0 +1,36 @@
+# ProxmoxAAS LDAP - Simple REST API for LDAP
+
+ProxmoxAAS LDAP provides a simple API for managing users and groups in a simplified LDAP server. Expected LDAP configuration can be initialized using [open-ldap-setup](https://git.tronnet.net/tronnet/open-ldap-setup). 
+
+## Installation
+
+### Prerequisites
+
+- Initialized LDAP server with the following configuration
+    - Structure
+        - Users: ou=people,...
+            - objectType: inetOrgPerson
+            - At least 1 user which is a member of admin group
+        - Groups: ou=groups,...
+            - objectType: groupOfNames
+            - At least 1 admin group
+    - Permissions:
+        - Admin group should have write access
+        - Users should have write access to own attributes (cn, sn, userPassword)
+        - Enable anonymous binding
+    - Load MemberOf Policy:
+        - olcMemberOfDangling: ignore
+        - olcMemberOfRefInt: TRUE
+        - olcMemberOfGroupOC: groupOfNames
+        - olcMemberOfMemberAD: member
+        - olcMemberOfMemberOfAD: memberOf
+    - Password Policy and TLS are recommended but not required
+
+### Installation
+
+1. Download `proxmoxaas-ldap` binary and `template.config.json` file from [releases](releases)
+2. Rename `template.config.json` to `config.json` and modify:
+    - ldapURL: url to the ldap server ie. `ldap://ldap.domain.net`
+    - baseDN: base DN ie. `dc=domain,dc=net`
+    - sessionSecretKey: random value used to randomize cookie values, replace with any sufficiently large random string
+3. Run the binary
--- a/app/app.go
+++ b/app/app.go
@@ -15,15 +15,18 @@ import (
 )

 var LDAPSessions map[string]*LDAPClient
+var APIVersion = "1.0.3"

 func Run() {
 	gob.Register(LDAPClient{})

+	log.Printf("Starting ProxmoxAAS-LDAP version %s\n", APIVersion)
+
 	configPath := flag.String("config", "config.json", "path to config.json file")
 	flag.Parse()

 	config := GetConfig(*configPath)
-	log.Println("Initialized config from " + *configPath)
+	log.Printf("Read in config from %s\n", *configPath)

 	gin.SetMode(gin.ReleaseMode)
 	router := gin.Default()
@@ -36,8 +39,14 @@ func Run() {
 	})
 	router.Use(sessions.Sessions(config.SessionCookieName, store))

+	log.Printf("Started API router and cookie store (Name: %s Params: %+v)\n", config.SessionCookieName, config.SessionCookie)
+
 	LDAPSessions = make(map[string]*LDAPClient)

+	router.GET("/version", func(c *gin.Context) {
+		c.JSON(http.StatusOK, gin.H{"version": APIVersion})
+	})
+
 	router.POST("/ticket", func(c *gin.Context) {
 		var body Login
 		if err := c.ShouldBind(&body); err != nil { // bad request from binding
@@ -117,18 +126,22 @@ func Run() {
 			return
 		}

-		var body User
-		if err := c.ShouldBind(&body); err != nil { // bad request from binding
-			c.JSON(http.StatusBadRequest, gin.H{"auth": false, "error": err.Error()})
-			return
-		}
-
 		// check if user already exists
 		status, res := LDAPSession.GetUser(c.Param("userid"))
 		if status != 200 && ldap.IsErrorWithCode(res["error"].(error), ldap.LDAPResultNoSuchObject) { // user does not already exist, create new user
+			var body UserRequired                       // all user attributes required for new users
+			if err := c.ShouldBind(&body); err != nil { // attempt to bind user data
+				c.JSON(http.StatusBadRequest, gin.H{"auth": false, "error": err.Error()})
+				return
+			}
 			status, res = LDAPSession.AddUser(c.Param("userid"), body)
 			c.JSON(status, res)
 		} else { // user already exists, attempt to modify user
+			var body UserOptional                       // all user attributes optional for new users
+			if err := c.ShouldBind(&body); err != nil { // attempt to bind user data
+				c.JSON(http.StatusBadRequest, gin.H{"auth": false, "error": err.Error()})
+				return
+			}
 			status, res = LDAPSession.ModUser(c.Param("userid"), body)
 			c.JSON(status, res)
 		}
@@ -226,12 +239,12 @@ func Run() {
 			return
 		}

-		// check if user already exists
+		// check if group already exists
 		status, res := LDAPSession.GetGroup(c.Param("groupid"))
-		if status != 200 && ldap.IsErrorWithCode(res["error"].(error), ldap.LDAPResultNoSuchObject) { // user does not already exist, create new user
+		if status != 200 && ldap.IsErrorWithCode(res["error"].(error), ldap.LDAPResultNoSuchObject) { // group does not already exist, create new group
 			status, res = LDAPSession.AddGroup(c.Param("groupid"), body)
 			c.JSON(status, res)
-		} else { // user already exists, attempt to modify user
+		} else { // group already exists, attempt to modify group
 			status, res = LDAPSession.ModGroup(c.Param("groupid"), body)
 			c.JSON(status, res)
 		}
@@ -291,5 +304,7 @@ func Run() {
 		c.JSON(status, res)
 	})

+	log.Printf("Starting LDAP API on port %s\n", strconv.Itoa(config.ListenPort))
+
 	router.Run("0.0.0.0:" + strconv.Itoa(config.ListenPort))
 }
--- a/app/ldap.go
+++ b/app/ldap.go
@@ -8,6 +8,7 @@ import (
 	"github.com/go-ldap/ldap/v3"
 )

+// LDAPClient wrapper struct containing the connection, baseDN, peopleDN, and groupsDN
 type LDAPClient struct {
 	client   *ldap.Conn
 	basedn   string
@@ -15,6 +16,7 @@ type LDAPClient struct {
 	groupsdn string
 }

+// returns a new LDAPClient from the config
 func NewLDAPClient(config Config) (*LDAPClient, error) {
 	LDAPConn, err := ldap.DialURL(config.LdapURL)
 	return &LDAPClient{
@@ -25,6 +27,7 @@ func NewLDAPClient(config Config) (*LDAPClient, error) {
 	}, err
 }

+// bind a user using username and password to the LDAPClient
 func (l LDAPClient) BindUser(username string, password string) error {
 	userdn := fmt.Sprintf("uid=%s,%s", username, l.peopledn)
 	return l.client.Bind(userdn, password)
@@ -34,8 +37,8 @@ func (l LDAPClient) GetAllUsers() (int, gin.H) {
 	searchRequest := ldap.NewSearchRequest(
 		l.peopledn, // The base dn to search
 		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
-		"(&(objectClass=inetOrgPerson))",          // The filter to apply
-		[]string{"dn", "cn", "sn", "mail", "uid"}, // A list attributes to retrieve
+		"(&(objectClass=inetOrgPerson))",                      // The filter to apply
+		[]string{"dn", "cn", "sn", "mail", "uid", "memberOf"}, // A list attributes to retrieve
 		nil,
 	)

@@ -50,15 +53,8 @@ func (l LDAPClient) GetAllUsers() (int, gin.H) {
 	var results = []gin.H{} // create list of results

 	for _, entry := range searchResponse.Entries { // for each result,
-		results = append(results, gin.H{
-			"dn": entry.DN,
-			"attributes": gin.H{
-				"cn":   entry.GetAttributeValue("cn"),
-				"sn":   entry.GetAttributeValue("sn"),
-				"mail": entry.GetAttributeValue("mail"),
-				"uid":  entry.GetAttributeValue("uid"),
-			},
-		})
+		user := LDAPEntryToLDAPUser(entry)
+		results = append(results, LDAPUserToGin(user))
 	}

 	return http.StatusOK, gin.H{
@@ -68,11 +64,40 @@ func (l LDAPClient) GetAllUsers() (int, gin.H) {
 	}
 }

-func (l LDAPClient) AddUser(uid string, user User) (int, gin.H) {
-	if user.CN == "" || user.SN == "" || user.UserPassword == "" {
+func (l LDAPClient) GetUser(uid string) (int, gin.H) {
+	searchRequest := ldap.NewSearchRequest( //  setup search for user by uid
+		fmt.Sprintf("uid=%s,%s", uid, l.peopledn), // The base dn to search
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+		"(&(objectClass=inetOrgPerson))",                      // The filter to apply
+		[]string{"dn", "cn", "sn", "mail", "uid", "memberOf"}, // A list attributes to retrieve
+		nil,
+	)
+
+	searchResponse, err := l.client.Search(searchRequest) // perform search
+	if err != nil {
 		return http.StatusBadRequest, gin.H{
 			"ok":    false,
-			"error": "Missing one of required fields: cn, sn, userpassword",
+			"error": err,
+		}
+	}
+
+	entry := searchResponse.Entries[0]
+
+	user := LDAPEntryToLDAPUser(entry)
+	result := LDAPUserToGin(user)
+
+	return http.StatusOK, gin.H{
+		"ok":    true,
+		"error": nil,
+		"user":  result,
+	}
+}
+
+func (l LDAPClient) AddUser(uid string, user UserRequired) (int, gin.H) {
+	if user.CN == "" || user.SN == "" || user.UserPassword == "" || user.Mail == "" {
+		return http.StatusBadRequest, gin.H{
+			"ok":    false,
+			"error": "Missing one of required fields: cn, sn, mail, userpassword",
 		}
 	}

@@ -82,7 +107,8 @@ func (l LDAPClient) AddUser(uid string, user User) (int, gin.H) {
 	)
 	addRequest.Attribute("sn", []string{user.SN})
 	addRequest.Attribute("cn", []string{user.CN})
-	addRequest.Attribute("userPassword", []string{user.CN})
+	addRequest.Attribute("mail", []string{user.Mail})
+	addRequest.Attribute("userPassword", []string{user.UserPassword})
 	addRequest.Attribute("objectClass", []string{"inetOrgPerson"})

 	err := l.client.Add(addRequest)
@@ -99,46 +125,11 @@ func (l LDAPClient) AddUser(uid string, user User) (int, gin.H) {
 	}
 }

-func (l LDAPClient) GetUser(uid string) (int, gin.H) {
-	searchRequest := ldap.NewSearchRequest( //  setup search for user by uid
-		fmt.Sprintf("uid=%s,%s", uid, l.peopledn), // The base dn to search
-		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
-		"(&(objectClass=inetOrgPerson))",          // The filter to apply
-		[]string{"dn", "cn", "sn", "mail", "uid"}, // A list attributes to retrieve
-		nil,
-	)
-
-	searchResponse, err := l.client.Search(searchRequest) // perform search
-	if err != nil {
+func (l LDAPClient) ModUser(uid string, user UserOptional) (int, gin.H) {
+	if user.CN == "" && user.SN == "" && user.UserPassword == "" && user.Mail == "" {
 		return http.StatusBadRequest, gin.H{
 			"ok":    false,
-			"error": err,
-		}
-	}
-
-	entry := searchResponse.Entries[0]
-	result := gin.H{
-		"dn": entry.DN,
-		"attributes": gin.H{
-			"cn":   entry.GetAttributeValue("cn"),
-			"sn":   entry.GetAttributeValue("sn"),
-			"mail": entry.GetAttributeValue("mail"),
-			"uid":  entry.GetAttributeValue("uid"),
-		},
-	}
-
-	return http.StatusOK, gin.H{
-		"ok":    true,
-		"error": nil,
-		"user":  result,
-	}
-}
-
-func (l LDAPClient) ModUser(uid string, user User) (int, gin.H) {
-	if user.CN == "" && user.SN == "" && user.UserPassword == "" {
-		return http.StatusBadRequest, gin.H{
-			"ok":    false,
-			"error": "Requires one of fields: cn, sn, userpassword",
+			"error": "Requires one of fields: cn, sn, mail, userpassword",
 		}
 	}

@@ -152,6 +143,9 @@ func (l LDAPClient) ModUser(uid string, user User) (int, gin.H) {
 	if user.SN != "" {
 		modifyRequest.Replace("sn", []string{user.SN})
 	}
+	if user.Mail != "" {
+		modifyRequest.Replace("mail", []string{user.Mail})
+	}
 	if user.UserPassword != "" {
 		modifyRequest.Replace("userPassword", []string{user.UserPassword})
 	}
@@ -214,13 +208,8 @@ func (l LDAPClient) GetAllGroups() (int, gin.H) {
 	var results = []gin.H{} // create list of results

 	for _, entry := range searchResponse.Entries { // for each result,
-		results = append(results, gin.H{
-			"dn": entry.DN,
-			"attributes": gin.H{
-				"cn":     entry.GetAttributeValue("cn"),
-				"member": entry.GetAttributeValues("member"),
-			},
-		})
+		group := LDAPEntryToLDAPGroup(entry)
+		results = append(results, LDAPGroupToGin(group))
 	}

 	return http.StatusOK, gin.H{
@@ -248,13 +237,8 @@ func (l LDAPClient) GetGroup(gid string) (int, gin.H) {
 	}

 	entry := searchResponse.Entries[0]
-	result := gin.H{
-		"dn": entry.DN,
-		"attributes": gin.H{
-			"cn":     entry.GetAttributeValue("cn"),
-			"member": entry.GetAttributeValues("member"),
-		},
-	}
+	group := LDAPEntryToLDAPGroup(entry)
+	result := LDAPGroupToGin(group)

 	return http.StatusOK, gin.H{
 		"ok":    true,
--- a/app/utils.go
+++ b/app/utils.go
@@ -4,6 +4,9 @@ import (
 	"encoding/json"
 	"log"
 	"os"
+
+	"github.com/gin-gonic/gin"
+	"github.com/go-ldap/ldap/v3"
 )

 type Config struct {
@@ -38,11 +41,88 @@ type Login struct { // login body struct
 	Password string `form:"password" binding:"required"`
 }

-type User struct { // add or modify user body struct
+type LDAPUserAttributes struct {
+	CN       string
+	SN       string
+	Mail     string
+	UID      string
+	MemberOf []string
+}
+
+type LDAPUser struct {
+	DN         string
+	Attributes LDAPUserAttributes
+}
+
+func LDAPEntryToLDAPUser(entry *ldap.Entry) LDAPUser {
+	return LDAPUser{
+		DN: entry.DN,
+		Attributes: LDAPUserAttributes{
+			CN:       entry.GetAttributeValue("cn"),
+			SN:       entry.GetAttributeValue("sn"),
+			Mail:     entry.GetAttributeValue("mail"),
+			UID:      entry.GetAttributeValue("uid"),
+			MemberOf: entry.GetAttributeValues("memberOf"),
+		},
+	}
+}
+
+func LDAPUserToGin(user LDAPUser) gin.H {
+	return gin.H{
+		"dn": user.DN,
+		"attributes": gin.H{
+			"cn":       user.Attributes.CN,
+			"sn":       user.Attributes.SN,
+			"mail":     user.Attributes.Mail,
+			"uid":      user.Attributes.UID,
+			"memberOf": user.Attributes.MemberOf,
+		},
+	}
+}
+
+type LDAPGroupAttributes struct {
+	CN     string
+	Member []string
+}
+
+type LDAPGroup struct {
+	DN         string
+	Attributes LDAPGroupAttributes
+}
+
+func LDAPEntryToLDAPGroup(entry *ldap.Entry) LDAPGroup {
+	return LDAPGroup{
+		DN: entry.DN,
+		Attributes: LDAPGroupAttributes{
+			CN:     entry.GetAttributeValue("cn"),
+			Member: entry.GetAttributeValues("member"),
+		},
+	}
+}
+
+func LDAPGroupToGin(group LDAPGroup) gin.H {
+	return gin.H{
+		"dn": group.DN,
+		"attributes": gin.H{
+			"cn":     group.Attributes.CN,
+			"member": group.Attributes.Member,
+		},
+	}
+}
+
+type UserOptional struct { // add or modify user body struct
 	CN           string `form:"cn"`
 	SN           string `form:"sn"`
+	Mail         string `form:"mail"`
 	UserPassword string `form:"userpassword"`
 }

+type UserRequired struct { // add or modify user body struct
+	CN           string `form:"cn" binding:"required"`
+	SN           string `form:"sn" binding:"required"`
+	Mail         string `form:"mail" binding:"required"`
+	UserPassword string `form:"userpassword" binding:"required"`
+}
+
 type Group struct { // add or modify group body struct
 }
--- a/configs/template.config.json
+++ b/configs/template.config.json
@@ -8,6 +8,6 @@
        "path": "/",
        "httpOnly": true,
        "secure": false,
-        "maxAge": 7200000
+        "maxAge": 7200
    }
 }
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,8 @@
 module proxmoxaas-ldap

-go 1.22.4
+go 1.23
+
+toolchain go1.23.2

 require (
 	github.com/gin-contrib/sessions v1.0.1
@@ -11,35 +13,35 @@ require (

 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
-	github.com/bytedance/sonic v1.11.8 // indirect
-	github.com/bytedance/sonic/loader v0.1.1 // indirect
+	github.com/bytedance/sonic v1.12.3 // indirect
+	github.com/bytedance/sonic/loader v0.2.0 // indirect
 	github.com/cloudwego/base64x v0.1.4 // indirect
 	github.com/cloudwego/iasm v0.2.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.4 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.5 // indirect
 	github.com/gin-contrib/sse v0.1.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.22.0 // indirect
+	github.com/go-playground/validator/v10 v10.22.1 // indirect
 	github.com/goccy/go-json v0.10.3 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/context v1.1.2 // indirect
 	github.com/gorilla/securecookie v1.1.2 // indirect
-	github.com/gorilla/sessions v1.3.0 // indirect
+	github.com/gorilla/sessions v1.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.8 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.12 // indirect
-	golang.org/x/arch v0.8.0 // indirect
-	golang.org/x/crypto v0.24.0 // indirect
-	golang.org/x/net v0.26.0 // indirect
-	golang.org/x/sys v0.21.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/arch v0.11.0 // indirect
+	golang.org/x/crypto v0.28.0 // indirect
+	golang.org/x/net v0.30.0 // indirect
+	golang.org/x/sys v0.26.0 // indirect
+	golang.org/x/text v0.19.0 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
Author	SHA1	Message	Date
Arthur Lu	03177eb4d9	add mail attribute to user, bump API version to 1.0.3	2024-10-12 22:33:34 +00:00
Arthur Lu	95ad75b20d	go mod tidy	2024-10-10 20:59:01 +00:00
Arthur Lu	8cefdb0b01	update go version and dependencies	2024-10-10 20:57:29 +00:00
Arthur Lu	eacc349cac	fix critical userPassword bug, improve ldap user/group data handling	2024-10-05 00:08:58 +00:00
Arthur Lu	bf0596d385	add memberOf attribute to users, bump version to 1.0.1	2024-07-26 01:25:46 +00:00
Arthur Lu	f11e5ccc31	fix default session cookie max age, disable cgo in build	2024-07-18 20:22:12 +00:00
Arthur Lu	8f8f6bd1e8	add installation instructions to README	2024-07-06 03:11:30 +00:00
Arthur Lu	d41bca141c	add version route	2024-07-06 02:46:10 +00:00
Arthur Lu	05e0c02fe8	rename config.template,json to template.config.json	2024-06-27 02:40:09 +00:00
alu	eea5b8599e	Merge pull request 'Rewrite API in GO' (#1 ) from go-rewrite into main Reviewed-on: #1	2024-06-21 23:33:29 +00:00