providers/ldap: rework Schema and DSE (#5838)

* rework Root DSE

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* always parse filter objectClass

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start adding LDAP Schema

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add more schema

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update schema more

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix cn for schema

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* only include main DN in namingContexts

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* use schema from gh

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add description

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add response filtering

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix response filtering

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* don't return rootDSE entry when searching for singleLevel

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove currentTime

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix attribute filtering

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* set SINGLE-VALUE

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix numbers

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

internal/outpost/ldap/search/request.go

@@ -15,8 +15,9 @@ import (
 
 type Request struct {
 	ldap.SearchRequest
-	BindDN string
-	log    *log.Entry
+	BindDN            string
+	FilterObjectClass string
+	log               *log.Entry
 
 	id   string
 	conn net.Conn
@@ -40,13 +41,26 @@ func NewRequest(bindDN string, searchReq ldap.SearchRequest, conn net.Conn) (*Re
 	})
 	span.SetTag("ldap_filter", searchReq.Filter)
 	span.SetTag("ldap_base_dn", searchReq.BaseDN)
+	l := log.WithFields(log.Fields{
+		"bindDN":    bindDN,
+		"baseDN":    searchReq.BaseDN,
+		"requestId": rid,
+		"scope":     ldap.ScopeMap[searchReq.Scope],
+		"client":    utils.GetIP(conn.RemoteAddr()),
+		"filter":    searchReq.Filter,
+	})
+	filterOC, err := ldap.GetFilterObjectClass(searchReq.Filter)
+	if err != nil && len(searchReq.Filter) > 0 {
+		l.WithError(err).WithField("objectClass", filterOC).Warning("invalid filter object class")
+	}
 	return &Request{
-		SearchRequest: searchReq,
-		BindDN:        bindDN,
-		conn:          conn,
-		log:           log.WithField("bindDN", bindDN).WithField("requestId", rid).WithField("scope", ldap.ScopeMap[searchReq.Scope]).WithField("client", utils.GetIP(conn.RemoteAddr())).WithField("filter", searchReq.Filter).WithField("baseDN", searchReq.BaseDN),
-		id:            rid,
-		ctx:           span.Context(),
+		SearchRequest:     searchReq,
+		BindDN:            bindDN,
+		FilterObjectClass: filterOC,
+		conn:              conn,
+		log:               l,
+		id:                rid,
+		ctx:               span.Context(),
 	}, span
 }
 
@@ -61,3 +75,19 @@ func (r *Request) Log() *log.Entry {
 func (r *Request) RemoteAddr() string {
 	return utils.GetIP(r.conn.RemoteAddr())
 }
+
+func (r *Request) FilterLDAPAttributes(res ldap.ServerSearchResult, cb func(attr *ldap.EntryAttribute) bool) ldap.ServerSearchResult {
+	for _, e := range res.Entries {
+		newAttrs := []*ldap.EntryAttribute{}
+		for _, attr := range e.Attributes {
+			include := cb(attr)
+			if include {
+				newAttrs = append(newAttrs, attr)
+			} else {
+				r.Log().WithField("key", attr.Name).Trace("filtering out field based on LDAP request")
+			}
+		}
+		e.Attributes = newAttrs
+	}
+	return res
+}