providers/ldap: Added auto-generated uidNumber and guidNumber generated attributes for use with SSSD and similar software. (#1138)

* Added auto-generated uidNumber and guidNumber generated attributes for use with SSSD and similar software. The starting number for uid/gid can be configured iva environtment variables and is by default 2000 which should work fine for most instances unless there are more than 999 local accounts on the server/computer. The uidNumber is just the users Pk + the starting number. The guidNumber is calculated by the last couple of bytes in the uuid of the group + the starting number, this should have a low enough chance for collisions that it's going to be fine for most use cases. I have not added any interface stuff for configuring the environment variables as I couldn't really find my way around all the places I'd have to edit to add it and the default values should in my opinion be fine for 99% use cases. * Add a 'fake' primary group for each user * First attempt att adding config to interface * Updated API to support new fields * Refactor code, update documentation and remove obsolete comment Simplify `GetRIDForGroup`, was a bit overcomplicated before. Add an additional class/struct `LDAPGroup` which is the new argument for `pi.GroupEntry` and util functions to create `LDAPGroup` from api.Group and api.User Add proper support in the interface for changing gidNumber and uidNumber starting points * make lint-fix for the migration files
2021-07-14 09:17:01 +02:00
parent 7fd78a591d
commit 7f39399c32
13 changed files with 232 additions and 16 deletions
--- a/outpost/pkg/ldap/api.go
+++ b/outpost/pkg/ldap/api.go
@ -37,8 +37,10 @@ func (ls *LDAPServer) Refresh() error {
 			boundUsersMutex:     sync.RWMutex{},
 			boundUsers:          make(map[string]UserFlags),
 			s:                   ls,
-			log:                 logger,
+			log:                 log.WithField("logger", "authentik.outpost.ldap").WithField("provider", provider.Name),
 			tlsServerName:       provider.TlsServerName,
+			uidStartNumber:		 *provider.UidStartNumber,
+			gidStartNumber:		 *provider.GidStartNumber,
 		}
 		if provider.Certificate.Get() != nil {
 			logger.WithField("provider", provider.Name).Debug("Enabling TLS")
--- a/outpost/pkg/ldap/instance_search.go
+++ b/outpost/pkg/ldap/instance_search.go
@ -54,8 +54,18 @@ func (pi *ProviderInstance) Search(bindDN string, searchReq ldap.SearchRequest,
 			return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("API Error: %s", err)
 		}
 		pi.log.WithField("count", len(groups.Results)).Trace("Got results from API")
+
 		for _, g := range groups.Results {
-			entries = append(entries, pi.GroupEntry(g))
+			entries = append(entries, pi.GroupEntry(pi.APIGroupToLDAPGroup(g)))
+		}
+
+		users, _, err := pi.s.ac.Client.CoreApi.CoreUsersList(context.Background()).Execute()
+		if err != nil {
+			return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("API Error: %s", err)
+		}
+
+		for _, u := range users.Results {
+			entries = append(entries, pi.GroupEntry(pi.APIUserToLDAPGroup(u)))
 		}
 	case UserObjectClass, "":
 		users, _, err := pi.s.ac.Client.CoreApi.CoreUsersList(context.Background()).Execute()
@ -96,6 +106,14 @@ func (pi *ProviderInstance) UserEntry(u api.User) *ldap.Entry {
 			Name:   "objectClass",
 			Values: []string{UserObjectClass, "organizationalPerson", "goauthentik.io/ldap/user"},
 		},
+		{
+			Name:   "uidNumber",
+			Values: []string{ pi.GetUidNumber(u) },
+		},
+		{
+			Name:   "gidNumber",
+			Values: []string{ pi.GetUidNumber(u) },
+		},
 	}

 	attrs = append(attrs, &ldap.EntryAttribute{Name: "memberOf", Values: pi.GroupsForUser(u)})
@ -114,26 +132,40 @@ func (pi *ProviderInstance) UserEntry(u api.User) *ldap.Entry {
 	return &ldap.Entry{DN: dn, Attributes: attrs}
 }

-func (pi *ProviderInstance) GroupEntry(g api.Group) *ldap.Entry {
+func (pi *ProviderInstance) GroupEntry(g LDAPGroup) *ldap.Entry {
 	attrs := []*ldap.EntryAttribute{
 		{
 			Name:   "cn",
-			Values: []string{g.Name},
+			Values: []string{g.cn},
 		},
 		{
 			Name:   "uid",
-			Values: []string{string(g.Pk)},
+			Values: []string{g.uid},
 		},
 		{
-			Name:   "objectClass",
-			Values: []string{GroupObjectClass, "goauthentik.io/ldap/group"},
+			Name:   "gidNumber",
+			Values: []string{ g.gidNumber },
 		},
 	}
-	attrs = append(attrs, &ldap.EntryAttribute{Name: "member", Values: pi.UsersForGroup(g)})
-	attrs = append(attrs, &ldap.EntryAttribute{Name: "goauthentik.io/ldap/superuser", Values: []string{BoolToString(*g.IsSuperuser)}})

-	attrs = append(attrs, AKAttrsToLDAP(g.Attributes)...)
+	if (g.isVirtualGroup) {
+		attrs = append(attrs, &ldap.EntryAttribute{
+			Name: "objectClass",
+			Values: []string{GroupObjectClass, "goauthentik.io/ldap/group", "goauthentik.io/ldap/virtual-group"},
+		})
+	} else {
+		attrs = append(attrs, &ldap.EntryAttribute{
+			Name: "objectClass",
+			Values: []string{GroupObjectClass, "goauthentik.io/ldap/group"},
+		})
+	}

-	dn := pi.GetGroupDN(g)
-	return &ldap.Entry{DN: dn, Attributes: attrs}
+	attrs = append(attrs, &ldap.EntryAttribute{Name: "member", Values: g.member})
+	attrs = append(attrs, &ldap.EntryAttribute{Name: "goauthentik.io/ldap/superuser", Values: []string{BoolToString(g.isSuperuser)}})
+
+	if (g.akAttributes != nil) {
+		attrs = append(attrs, AKAttrsToLDAP(g.akAttributes)...)
+	}
+
+	return &ldap.Entry{DN: g.dn, Attributes: attrs}
 }
--- a/outpost/pkg/ldap/ldap.go
+++ b/outpost/pkg/ldap/ldap.go
@ -32,6 +32,9 @@ type ProviderInstance struct {
 	searchAllowedGroups []*strfmt.UUID
 	boundUsersMutex     sync.RWMutex
 	boundUsers          map[string]UserFlags
+
+	uidStartNumber int32
+	gidStartNumber int32
 }

 type UserFlags struct {
@ -47,6 +50,17 @@ type LDAPServer struct {
 	providers   []*ProviderInstance
 }

+type LDAPGroup struct {
+	dn string
+	cn string
+	uid string
+	gidNumber string
+	member []string
+	isSuperuser bool
+	isVirtualGroup bool
+	akAttributes interface{}
+}
+
 func NewServer(ac *ak.APIController) *LDAPServer {
 	s := ldap.NewServer()
 	s.EnforceLDAP = true
--- a/outpost/pkg/ldap/utils.go
+++ b/outpost/pkg/ldap/utils.go
@ -2,6 +2,9 @@ package ldap

 import (
 	"fmt"
+	"strings"
+	"math/big"
+	"strconv"
 	"reflect"

 	"github.com/nmcclain/ldap"
@ -77,6 +80,34 @@ func (pi *ProviderInstance) UsersForGroup(group api.Group) []string {
 	return users
 }

+func (pi *ProviderInstance) APIGroupToLDAPGroup(g api.Group) LDAPGroup {
+	return LDAPGroup{
+		dn:				pi.GetGroupDN(g),
+		cn:				g.Name,
+		uid:			string(g.Pk),
+		gidNumber:		pi.GetGidNumber(g),
+		member:			pi.UsersForGroup(g),
+		isVirtualGroup:	false,
+		isSuperuser:	*g.IsSuperuser,
+		akAttributes:	g.Attributes,
+	}
+}
+
+func (pi *ProviderInstance) APIUserToLDAPGroup(u api.User) LDAPGroup {
+	dn := fmt.Sprintf("cn=%s,%s", u.Username, pi.GroupDN)
+
+	return LDAPGroup{
+		dn:				dn,
+		cn:				u.Username,
+		uid:			u.Uid,
+		gidNumber:		pi.GetUidNumber(u),
+		member:			[]string{dn},
+		isVirtualGroup:	true,
+		isSuperuser:	false,
+		akAttributes:	nil,
+	}
+}
+
 func (pi *ProviderInstance) GetUserDN(user string) string {
 	return fmt.Sprintf("cn=%s,%s", user, pi.UserDN)
 }
@ -84,3 +115,26 @@ func (pi *ProviderInstance) GetUserDN(user string) string {
 func (pi *ProviderInstance) GetGroupDN(group api.Group) string {
 	return fmt.Sprintf("cn=%s,%s", group.Name, pi.GroupDN)
 }
+
+func (pi *ProviderInstance) GetUidNumber(user api.User) string {
+	return strconv.FormatInt(int64(pi.uidStartNumber + user.Pk), 10)
+}
+
+func (pi *ProviderInstance) GetGidNumber(group api.Group) string {
+	return strconv.FormatInt(int64(pi.gidStartNumber + pi.GetRIDForGroup(group.Pk)), 10)
+}
+
+func (pi *ProviderInstance) GetRIDForGroup(uid string) int32 {
+    var i big.Int
+    i.SetString(strings.Replace(uid, "-", "", -1), 16)
+	intStr := i.String()
+
+	// Get the last 5 characters/digits of the int-version of the UUID
+	gid, err := strconv.Atoi(intStr[len(intStr)-5:])
+
+	if err != nil {
+		panic(err)
+	}
+
+	return int32(gid)
+}