outposts/ldap: add ability to use multiple providers on the same outpost

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

outpost/pkg/ldap/api.go

@@ -1,10 +1,38 @@
 package ldap
 
 import (
+	"errors"
+	"fmt"
+	"strings"
+
 	log "github.com/sirupsen/logrus"
+	"goauthentik.io/outpost/pkg/client/outposts"
 )
 
 func (ls *LDAPServer) Refresh() error {
+	outposts, err := ls.ac.Client.Outposts.OutpostsLdapList(outposts.NewOutpostsLdapListParams(), ls.ac.Auth)
+	if err != nil {
+		return err
+	}
+	if len(outposts.Payload.Results) < 1 {
+		return errors.New("no ldap provider defined")
+	}
+	providers := make([]*ProviderInstance, len(outposts.Payload.Results))
+	for idx, provider := range outposts.Payload.Results {
+		userDN := strings.ToLower(fmt.Sprintf("cn=users,%s", provider.BaseDn))
+		groupDN := strings.ToLower(fmt.Sprintf("cn=groups,%s", provider.BaseDn))
+		providers[idx] = &ProviderInstance{
+			BaseDN:   provider.BaseDn,
+			GroupDN:  groupDN,
+			UserDN:   userDN,
+			appSlug:  *provider.ApplicationSlug,
+			flowSlug: *provider.BindFlowSlug,
+			s:        ls,
+			log:      log.WithField("provider", provider.Name),
+		}
+	}
+	ls.providers = providers
+	ls.log.Info("Update providers")
 	return nil
 }
 

outpost/pkg/ldap/bind.go

@@ -1,20 +1,9 @@
 package ldap
 
 import (
-	"context"
-	"errors"
-	"fmt"
 	"net"
-	"net/http"
-	"net/http/cookiejar"
-	"strings"
-
-	goldap "github.com/go-ldap/ldap/v3"
-	httptransport "github.com/go-openapi/runtime/client"
 
 	"github.com/nmcclain/ldap"
-	"goauthentik.io/outpost/pkg/client/core"
-	"goauthentik.io/outpost/pkg/client/flows"
 )
 
 type UIDResponse struct {
@@ -25,106 +14,13 @@ type PasswordResponse struct {
 	Password string `json:"password"`
 }
 
-func (ls *LDAPServer) getUsername(dn string) (string, error) {
-	if !strings.HasSuffix(dn, ls.BaseDN) {
-		return "", errors.New("invalid base DN")
-	}
-	dns, err := goldap.ParseDN(dn)
-	if err != nil {
-		return "", err
-	}
-	for _, part := range dns.RDNs {
-		for _, attribute := range part.Attributes {
-			if attribute.Type == "DN" {
-				return attribute.Value, nil
-			}
-		}
-	}
-	return "", errors.New("failed to find dn")
-}
-
 func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {
-	username, err := ls.getUsername(bindDN)
-	if err != nil {
-		ls.log.WithError(err).Warning("failed to parse user dn")
-		return ldap.LDAPResultInvalidCredentials, nil
-	}
-	ls.log.WithField("dn", username).Debug("bind")
-	jar, err := cookiejar.New(nil)
-	if err != nil {
-		ls.log.WithError(err).Warning("Failed to create cookiejar")
-		return ldap.LDAPResultOperationsError, nil
-	}
-	client := &http.Client{
-		Jar: jar,
-	}
-	passed, err := ls.solveFlowChallenge(username, bindPW, client)
-	if err != nil {
-		ls.log.WithField("dn", username).WithError(err).Warning("failed to solve challenge")
-		return ldap.LDAPResultOperationsError, nil
-	}
-	if !passed {
-		return ldap.LDAPResultInvalidCredentials, nil
-	}
-	_, err = ls.ac.Client.Core.CoreApplicationsCheckAccess(&core.CoreApplicationsCheckAccessParams{
-		Slug:       ls.appSlug,
-		Context:    context.Background(),
-		HTTPClient: client,
-	}, httptransport.PassThroughAuth)
-	if err != nil {
-		if _, denied := err.(*core.CoreApplicationsCheckAccessForbidden); denied {
-			ls.log.WithField("dn", username).Info("Access denied for user")
-			return ldap.LDAPResultInvalidCredentials, nil
-		}
-		ls.log.WithField("dn", username).WithError(err).Warning("failed to check access")
-		return ldap.LDAPResultOperationsError, nil
-	}
-	ls.log.WithField("dn", username).Info("User has access")
-	return ldap.LDAPResultSuccess, nil
-}
-
-func (ls *LDAPServer) solveFlowChallenge(bindDN string, password string, client *http.Client) (bool, error) {
-	challenge, err := ls.ac.Client.Flows.FlowsExecutorGet(&flows.FlowsExecutorGetParams{
-		FlowSlug:   ls.flowSlug,
-		Query:      "ldap=true",
-		Context:    context.Background(),
-		HTTPClient: client,
-	}, httptransport.PassThroughAuth)
-	if err != nil {
-		ls.log.WithError(err).Warning("Failed to get challenge")
-		return false, err
-	}
-	ls.log.WithField("component", challenge.Payload.Component).WithField("type", *challenge.Payload.Type).Debug("Got challenge")
-	responseParams := &flows.FlowsExecutorSolveParams{
-		FlowSlug:   ls.flowSlug,
-		Query:      "ldap=true",
-		Context:    context.Background(),
-		HTTPClient: client,
-	}
-	switch challenge.Payload.Component {
-	case "ak-stage-identification":
-		responseParams.Data = &UIDResponse{UIDFIeld: bindDN}
-	case "ak-stage-password":
-		responseParams.Data = &PasswordResponse{Password: password}
-	default:
-		return false, fmt.Errorf("unsupported challenge type: %s", challenge.Payload.Component)
-	}
-	response, err := ls.ac.Client.Flows.FlowsExecutorSolve(responseParams, httptransport.PassThroughAuth)
-	ls.log.WithField("component", response.Payload.Component).WithField("type", *response.Payload.Type).Debug("Got response")
-	if *response.Payload.Type == "redirect" {
-		return true, nil
-	}
-	if err != nil {
-		ls.log.WithError(err).Warning("Failed to submit challenge")
-		return false, err
-	}
-	if len(response.Payload.ResponseErrors) > 0 {
-		for key, errs := range response.Payload.ResponseErrors {
-			for _, err := range errs {
-				ls.log.WithField("key", key).WithField("code", *err.Code).Debug(*err.String)
-				return false, nil
-			}
+	for _, instance := range ls.providers {
+		username, err := instance.getUsername(bindDN)
+		if err == nil {
+			return instance.Bind(username, bindPW, conn)
 		}
 	}
-	return ls.solveFlowChallenge(bindDN, password, client)
+	ls.log.WithField("dn", bindDN).WithField("request", "bind").Warning("No provider found for request")
+	return ldap.LDAPResultOperationsError, nil
 }

outpost/pkg/ldap/instance_bind.go

@@ -0,0 +1,115 @@
+package ldap
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"net/http/cookiejar"
+	"strings"
+
+	goldap "github.com/go-ldap/ldap/v3"
+	httptransport "github.com/go-openapi/runtime/client"
+	"github.com/nmcclain/ldap"
+	"goauthentik.io/outpost/pkg/client/core"
+	"goauthentik.io/outpost/pkg/client/flows"
+)
+
+func (pi *ProviderInstance) getUsername(dn string) (string, error) {
+	if !strings.HasSuffix(dn, pi.BaseDN) {
+		return "", errors.New("invalid base DN")
+	}
+	dns, err := goldap.ParseDN(dn)
+	if err != nil {
+		return "", err
+	}
+	for _, part := range dns.RDNs {
+		for _, attribute := range part.Attributes {
+			if attribute.Type == "DN" {
+				return attribute.Value, nil
+			}
+		}
+	}
+	return "", errors.New("failed to find dn")
+}
+
+func (pi *ProviderInstance) Bind(username string, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {
+	jar, err := cookiejar.New(nil)
+	if err != nil {
+		pi.log.WithError(err).Warning("Failed to create cookiejar")
+		return ldap.LDAPResultOperationsError, nil
+	}
+	client := &http.Client{
+		Jar: jar,
+	}
+	passed, err := pi.solveFlowChallenge(username, bindPW, client)
+	if err != nil {
+		pi.log.WithField("dn", username).WithError(err).Warning("failed to solve challenge")
+		return ldap.LDAPResultOperationsError, nil
+	}
+	if !passed {
+		return ldap.LDAPResultInvalidCredentials, nil
+	}
+	_, err = pi.s.ac.Client.Core.CoreApplicationsCheckAccess(&core.CoreApplicationsCheckAccessParams{
+		Slug:       pi.appSlug,
+		Context:    context.Background(),
+		HTTPClient: client,
+	}, httptransport.PassThroughAuth)
+	if err != nil {
+		if _, denied := err.(*core.CoreApplicationsCheckAccessForbidden); denied {
+			pi.log.WithField("dn", username).Info("Access denied for user")
+			return ldap.LDAPResultInvalidCredentials, nil
+		}
+		pi.log.WithField("dn", username).WithError(err).Warning("failed to check access")
+		return ldap.LDAPResultOperationsError, nil
+	}
+	pi.log.WithField("dn", username).Info("User has access")
+	return ldap.LDAPResultSuccess, nil
+}
+
+func (pi *ProviderInstance) solveFlowChallenge(bindDN string, password string, client *http.Client) (bool, error) {
+	challenge, err := pi.s.ac.Client.Flows.FlowsExecutorGet(&flows.FlowsExecutorGetParams{
+		FlowSlug:   pi.flowSlug,
+		Query:      "ldap=true",
+		Context:    context.Background(),
+		HTTPClient: client,
+	}, httptransport.PassThroughAuth)
+	if err != nil {
+		pi.log.WithError(err).Warning("Failed to get challenge")
+		return false, err
+	}
+	pi.log.WithField("component", challenge.Payload.Component).WithField("type", *challenge.Payload.Type).Debug("Got challenge")
+	responseParams := &flows.FlowsExecutorSolveParams{
+		FlowSlug:   pi.flowSlug,
+		Query:      "ldap=true",
+		Context:    context.Background(),
+		HTTPClient: client,
+	}
+	switch challenge.Payload.Component {
+	case "ak-stage-identification":
+		responseParams.Data = &UIDResponse{UIDFIeld: bindDN}
+	case "ak-stage-password":
+		responseParams.Data = &PasswordResponse{Password: password}
+	default:
+		return false, fmt.Errorf("unsupported challenge type: %s", challenge.Payload.Component)
+	}
+	response, err := pi.s.ac.Client.Flows.FlowsExecutorSolve(responseParams, httptransport.PassThroughAuth)
+	pi.log.WithField("component", response.Payload.Component).WithField("type", *response.Payload.Type).Debug("Got response")
+	if *response.Payload.Type == "redirect" {
+		return true, nil
+	}
+	if err != nil {
+		pi.log.WithError(err).Warning("Failed to submit challenge")
+		return false, err
+	}
+	if len(response.Payload.ResponseErrors) > 0 {
+		for key, errs := range response.Payload.ResponseErrors {
+			for _, err := range errs {
+				pi.log.WithField("key", key).WithField("code", *err.Code).Debug(*err.String)
+				return false, nil
+			}
+		}
+	}
+	return pi.solveFlowChallenge(bindDN, password, client)
+}

outpost/pkg/ldap/instance_search.go

@@ -0,0 +1,115 @@
+package ldap
+
+import (
+	"fmt"
+	"net"
+	"strconv"
+	"strings"
+
+	"github.com/nmcclain/ldap"
+	"goauthentik.io/outpost/pkg/client/core"
+)
+
+func (pi *ProviderInstance) Search(bindDN string, searchReq ldap.SearchRequest, conn net.Conn) (ldap.ServerSearchResult, error) {
+	bindDN = strings.ToLower(bindDN)
+	baseDN := strings.ToLower("," + pi.BaseDN)
+
+	entries := []*ldap.Entry{}
+	filterEntity, err := ldap.GetFilterObjectClass(searchReq.Filter)
+	if err != nil {
+		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: error parsing filter: %s", searchReq.Filter)
+	}
+	if len(bindDN) < 1 {
+		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: Anonymous BindDN not allowed %s", bindDN)
+	}
+	if !strings.HasSuffix(bindDN, baseDN) {
+		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", bindDN, pi.BaseDN)
+	}
+
+	switch filterEntity {
+	default:
+		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: unhandled filter type: %s [%s]", filterEntity, searchReq.Filter)
+	case GroupObjectClass:
+		groups, err := pi.s.ac.Client.Core.CoreGroupsList(core.NewCoreGroupsListParams(), pi.s.ac.Auth)
+		if err != nil {
+			return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("API Error: %s", err)
+		}
+		for _, g := range groups.Payload.Results {
+			attrs := []*ldap.EntryAttribute{
+				{
+					Name:   "cn",
+					Values: []string{*g.Name},
+				},
+				{
+					Name:   "uid",
+					Values: []string{string(g.Pk)},
+				},
+				{
+					Name:   "objectClass",
+					Values: []string{GroupObjectClass, "goauthentik.io/ldap/group"},
+				},
+			}
+			attrs = append(attrs, AKAttrsToLDAP(g.Attributes)...)
+			// attrs = append(attrs, &ldap.EntryAttribute{Name: "description", Values: []string{fmt.Sprintf("%s", g.Name)}})
+			// attrs = append(attrs, &ldap.EntryAttribute{Name: "gidNumber", Values: []string{fmt.Sprintf("%d", g.UnixID)}})
+			// attrs = append(attrs, &ldap.EntryAttribute{Name: "uniqueMember", Values: h.getGroupMembers(g.UnixID)})
+			// attrs = append(attrs, &ldap.EntryAttribute{Name: "memberUid", Values: h.getGroupMemberIDs(g.UnixID)})
+			dn := fmt.Sprintf("cn=%s,%s", *g.Name, pi.GroupDN)
+			entries = append(entries, &ldap.Entry{DN: dn, Attributes: attrs})
+		}
+	case UserObjectClass, "":
+		users, err := pi.s.ac.Client.Core.CoreUsersList(core.NewCoreUsersListParams(), pi.s.ac.Auth)
+		if err != nil {
+			return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("API Error: %s", err)
+		}
+		for _, u := range users.Payload.Results {
+			attrs := []*ldap.EntryAttribute{
+				{
+					Name:   "cn",
+					Values: []string{*u.Username},
+				},
+				{
+					Name:   "uid",
+					Values: []string{strconv.Itoa(int(u.Pk))},
+				},
+				{
+					Name:   "name",
+					Values: []string{*u.Name},
+				},
+				{
+					Name:   "displayName",
+					Values: []string{*u.Name},
+				},
+				{
+					Name:   "mail",
+					Values: []string{u.Email.String()},
+				},
+				{
+					Name:   "objectClass",
+					Values: []string{UserObjectClass, "organizationalPerson", "goauthentik.io/ldap/user"},
+				},
+			}
+
+			if u.IsActive {
+				attrs = append(attrs, &ldap.EntryAttribute{Name: "accountStatus", Values: []string{"inactive"}})
+			} else {
+				attrs = append(attrs, &ldap.EntryAttribute{Name: "accountStatus", Values: []string{"active"}})
+			}
+
+			if *u.IsSuperuser {
+				attrs = append(attrs, &ldap.EntryAttribute{Name: "superuser", Values: []string{"inactive"}})
+			} else {
+				attrs = append(attrs, &ldap.EntryAttribute{Name: "superuser", Values: []string{"active"}})
+			}
+
+			// attrs = append(attrs, &ldap.EntryAttribute{Name: "memberOf", Values: h.getGroupDNs(append(u.OtherGroups, u.PrimaryGroup))})
+
+			attrs = append(attrs, AKAttrsToLDAP(u.Attributes)...)
+
+			dn := fmt.Sprintf("cn=%s,%s", *u.Name, pi.UserDN)
+			entries = append(entries, &ldap.Entry{DN: dn, Attributes: attrs})
+		}
+	}
+	pi.log.WithField("filter", searchReq.Filter).Debug("Search OK")
+	return ldap.ServerSearchResult{Entries: entries, Referrals: []string{}, Controls: []ldap.Control{}, ResultCode: ldap.LDAPResultSuccess}, nil
+}

outpost/pkg/ldap/ldap.go

@@ -1,9 +1,6 @@
 package ldap
 
 import (
-	"fmt"
-	"strings"
-
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/outpost/pkg/ak"
 
@@ -13,33 +10,35 @@ import (
 const GroupObjectClass = "group"
 const UserObjectClass = "user"
 
-type LDAPServer struct {
+type ProviderInstance struct {
 	BaseDN string
 
-	userDN  string
-	groupDN string
+	UserDN  string
+	GroupDN string
 
+	appSlug  string
+	flowSlug string
+	s        *LDAPServer
+	log      *log.Entry
+}
+
+type LDAPServer struct {
 	s   *ldap.Server
 	log *log.Entry
 	ac  *ak.APIController
 
-	// TODO: Make configurable
-	flowSlug string
-	appSlug  string
+	providers []*ProviderInstance
 }
 
 func NewServer(ac *ak.APIController) *LDAPServer {
 	s := ldap.NewServer()
 	s.EnforceLDAP = true
 	ls := &LDAPServer{
-		s:   s,
-		log: log.WithField("logger", "ldap-server"),
-		ac:  ac,
-
-		BaseDN: "DC=ldap,DC=goauthentik,DC=io",
+		s:         s,
+		log:       log.WithField("logger", "ldap-server"),
+		ac:        ac,
+		providers: []*ProviderInstance{},
 	}
-	ls.userDN = strings.ToLower(fmt.Sprintf("cn=users,%s", ls.BaseDN))
-	ls.groupDN = strings.ToLower(fmt.Sprintf("cn=groups,%s", ls.BaseDN))
 	s.BindFunc("", ls)
 	s.SearchFunc("", ls)
 	return ls

outpost/pkg/ldap/search.go

@@ -1,115 +1,23 @@
 package ldap
 
 import (
-	"fmt"
+	"errors"
 	"net"
-	"strconv"
-	"strings"
 
+	goldap "github.com/go-ldap/ldap/v3"
 	"github.com/nmcclain/ldap"
-	"goauthentik.io/outpost/pkg/client/core"
 )
 
-func (ls *LDAPServer) Search(bindDN string, searchReq ldap.SearchRequest, conn net.Conn) (ldap.ServerSearchResult, error) {
-	bindDN = strings.ToLower(bindDN)
-	baseDN := strings.ToLower("," + ls.BaseDN)
-
-	entries := []*ldap.Entry{}
-	filterEntity, err := ldap.GetFilterObjectClass(searchReq.Filter)
+func (ls *LDAPServer) Search(boundDN string, searchReq ldap.SearchRequest, conn net.Conn) (ldap.ServerSearchResult, error) {
+	bd, err := goldap.ParseDN(boundDN)
 	if err != nil {
-		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: error parsing filter: %s", searchReq.Filter)
+		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, errors.New("invalid DN")
 	}
-	if len(bindDN) < 1 {
-		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: Anonymous BindDN not allowed %s", bindDN)
-	}
-	if !strings.HasSuffix(bindDN, baseDN) {
-		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", bindDN, ls.BaseDN)
-	}
-
-	switch filterEntity {
-	default:
-		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: unhandled filter type: %s [%s]", filterEntity, searchReq.Filter)
-	case GroupObjectClass:
-		groups, err := ls.ac.Client.Core.CoreGroupsList(core.NewCoreGroupsListParams(), ls.ac.Auth)
-		if err != nil {
-			return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("API Error: %s", err)
-		}
-		for _, g := range groups.Payload.Results {
-			attrs := []*ldap.EntryAttribute{
-				{
-					Name:   "cn",
-					Values: []string{*g.Name},
-				},
-				{
-					Name:   "uid",
-					Values: []string{string(g.Pk)},
-				},
-				{
-					Name:   "objectClass",
-					Values: []string{GroupObjectClass, "goauthentik.io/ldap/group"},
-				},
-			}
-			attrs = append(attrs, AKAttrsToLDAP(g.Attributes)...)
-			// attrs = append(attrs, &ldap.EntryAttribute{Name: "description", Values: []string{fmt.Sprintf("%s", g.Name)}})
-			// attrs = append(attrs, &ldap.EntryAttribute{Name: "gidNumber", Values: []string{fmt.Sprintf("%d", g.UnixID)}})
-			// attrs = append(attrs, &ldap.EntryAttribute{Name: "uniqueMember", Values: h.getGroupMembers(g.UnixID)})
-			// attrs = append(attrs, &ldap.EntryAttribute{Name: "memberUid", Values: h.getGroupMemberIDs(g.UnixID)})
-			dn := fmt.Sprintf("cn=%s,%s", *g.Name, ls.groupDN)
-			entries = append(entries, &ldap.Entry{DN: dn, Attributes: attrs})
-		}
-	case UserObjectClass, "":
-		users, err := ls.ac.Client.Core.CoreUsersList(core.NewCoreUsersListParams(), ls.ac.Auth)
-		if err != nil {
-			return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("API Error: %s", err)
-		}
-		for _, u := range users.Payload.Results {
-			attrs := []*ldap.EntryAttribute{
-				{
-					Name:   "cn",
-					Values: []string{*u.Username},
-				},
-				{
-					Name:   "uid",
-					Values: []string{strconv.Itoa(int(u.Pk))},
-				},
-				{
-					Name:   "name",
-					Values: []string{*u.Name},
-				},
-				{
-					Name:   "displayName",
-					Values: []string{*u.Name},
-				},
-				{
-					Name:   "mail",
-					Values: []string{u.Email.String()},
-				},
-				{
-					Name:   "objectClass",
-					Values: []string{UserObjectClass, "organizationalPerson", "goauthentik.io/ldap/user"},
-				},
-			}
-
-			if u.IsActive {
-				attrs = append(attrs, &ldap.EntryAttribute{Name: "accountStatus", Values: []string{"inactive"}})
-			} else {
-				attrs = append(attrs, &ldap.EntryAttribute{Name: "accountStatus", Values: []string{"active"}})
-			}
-
-			if *u.IsSuperuser {
-				attrs = append(attrs, &ldap.EntryAttribute{Name: "superuser", Values: []string{"inactive"}})
-			} else {
-				attrs = append(attrs, &ldap.EntryAttribute{Name: "superuser", Values: []string{"active"}})
-			}
-
-			// attrs = append(attrs, &ldap.EntryAttribute{Name: "memberOf", Values: h.getGroupDNs(append(u.OtherGroups, u.PrimaryGroup))})
-
-			attrs = append(attrs, AKAttrsToLDAP(u.Attributes)...)
-
-			dn := fmt.Sprintf("cn=%s,%s", *u.Name, ls.userDN)
-			entries = append(entries, &ldap.Entry{DN: dn, Attributes: attrs})
+	for _, provider := range ls.providers {
+		providerBase, _ := goldap.ParseDN(provider.BaseDN)
+		if providerBase.AncestorOf(bd) {
+			return provider.Search(boundDN, searchReq, conn)
 		}
 	}
-	ls.log.WithField("filter", searchReq.Filter).Debug("Search OK")
-	return ldap.ServerSearchResult{Entries: entries, Referrals: []string{}, Controls: []ldap.Control{}, ResultCode: ldap.LDAPResultSuccess}, nil
+	return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, errors.New("invalid DN")
 }