outposts/ldap: save user DN to determine who can search

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

outpost/pkg/ldap/instance_search.go

@@ -1,12 +1,13 @@
 package ldap
 
 import (
+	"errors"
 	"fmt"
 	"net"
 	"strconv"
 	"strings"
 
-	"github.com/goauthentik/ldap"
+	"github.com/nmcclain/ldap"
 	"goauthentik.io/outpost/pkg/client/core"
 )
 
@@ -26,6 +27,16 @@ func (pi *ProviderInstance) Search(bindDN string, searchReq ldap.SearchRequest,
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", bindDN, pi.BaseDN)
 	}
 
+	pi.boundUsersMutex.RLock()
+	defer pi.boundUsersMutex.RUnlock()
+	flags, ok := pi.boundUsers[bindDN]
+	if !ok {
+		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, errors.New("Access denied")
+	}
+	if !flags.CanSearch {
+		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, errors.New("Access denied")
+	}
+
 	switch filterEntity {
 	default:
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: unhandled filter type: %s [%s]", filterEntity, searchReq.Filter)