From 1d3f4c4f5f9e8a81c71baed64305467ca298ae34 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Mon, 17 Apr 2023 11:52:34 -0400
Subject: [PATCH 1/4] sdk/ldap: update interface to use DialURL

---
 sdk/helper/ldaputil/client.go | 14 ++++++++++++--
 sdk/helper/ldaputil/ldap.go | 13 +++----------
 2 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/sdk/helper/ldaputil/client.go b/sdk/helper/ldaputil/client.go
index 54beac200977..4453ce6264fc 100644
--- a/sdk/helper/ldaputil/client.go
+++ b/sdk/helper/ldaputil/client.go
@@ -49,12 +49,18 @@ func (c *Client) DialLDAP(cfg *ConfigEntry) (Connection, error) {
 		}
 		var tlsConfig *tls.Config
+		dialer := net.Dialer{
+			Timeout: time.Duration(cfg.ConnectionTimeout) * time.Second,
+		}
+
 		switch u.Scheme {
 		case "ldap":
 			if port == "" {
 				port = "389"
 			}
-			conn, err = c.LDAP.Dial("tcp", net.JoinHostPort(host, port))
+
+			opt := ldap.DialWithDialer(&dialer)
+			conn, err = c.LDAP.Dial(net.JoinHostPort(host, port), opt)
 			if err != nil {
 				break
 			}
@@ -77,7 +83,11 @@ func (c *Client) DialLDAP(cfg *ConfigEntry) (Connection, error) {
 			if err != nil {
 				break
 			}
-			conn, err = c.LDAP.DialTLS("tcp", net.JoinHostPort(host, port), tlsConfig)
+			opt := ldap.DialWithTLSDialer(tlsConfig, &dialer)
+			conn, err = c.LDAP.Dial(net.JoinHostPort(host, port), opt)
+			if err != nil {
+				break
+			}
 		default:
 			retErr = multierror.Append(retErr, fmt.Errorf("invalid LDAP scheme in url %q", net.JoinHostPort(host, port)))
 			continue
diff --git a/sdk/helper/ldaputil/ldap.go b/sdk/helper/ldaputil/ldap.go
index f03fa8948460..c98ebdf7425a 100644
--- a/sdk/helper/ldaputil/ldap.go
+++ b/sdk/helper/ldaputil/ldap.go
@@ -4,8 +4,6 @@ package ldaputil
 import (
-	"crypto/tls"
-
 	"github.com/go-ldap/ldap/v3"
 )
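Review bot: The dialer added at the top of the first client.go hunk takes its Timeout straight from cfg.ConnectionTimeout, and a net.Dialer whose Timeout is 0 or negative dials with no deadline at all, so an unset ConnectionTimeout turns every dial in the URL loop into an unbounded wait on the authentication path. The comment deleted later in this series says the package default of 60 seconds is applied "on our end", which presumably happens when ConfigEntry is parsed, but nothing in this hunk enforces it. A local guard makes the hunk self-sufficient: `if dialer.Timeout <= 0 { dialer.Timeout = ldap.DefaultTimeout }`, plus a comment on the dialer such as `// ConnectionTimeout is in seconds; it bounds each dial so one dead host in the URL list cannot stall the loop.` DialLDAP starts and ends outside the hunk.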
@@ -16,16 +14,11 @@ func NewLDAP() LDAP {
 // LDAP provides ldap functionality, but through an interface
 // rather than statically. This allows faking it for tests.
 type LDAP interface {
-	Dial(network, addr string) (Connection, error)
-	DialTLS(network, addr string, config *tls.Config) (Connection, error)
+	Dial(addr string, opts ...ldap.DialOpt) (Connection, error)
 }
 type ldapIfc struct{}
-func (l *ldapIfc) Dial(network, addr string) (Connection, error) {
-	return ldap.Dial(network, addr)
-}
-
-func (l *ldapIfc) DialTLS(network, addr string, config *tls.Config) (Connection, error) {
-	return ldap.DialTLS(network, addr, config)
+func (l *ldapIfc) Dial(addr string, opts ...ldap.DialOpt) (Connection, error) {
+	return ldap.DialURL(addr, opts...)
 }

From 10aa179896888a56d356ad144ada552235bc2970 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Mon, 17 Apr 2023 12:41:54 -0400
Subject: [PATCH 2/4] Fix scheme

---
 sdk/helper/ldaputil/client.go | 9 +++++++--
 sdk/helper/ldaputil/ldap.go | 4 ++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/sdk/helper/ldaputil/client.go b/sdk/helper/ldaputil/client.go
index 4453ce6264fc..cb6aaa57b259 100644
--- a/sdk/helper/ldaputil/client.go
+++ b/sdk/helper/ldaputil/client.go
@@ -59,8 +59,10 @@ func (c *Client) DialLDAP(cfg *ConfigEntry) (Connection, error) {
 				port = "389"
 			}
+			fullAddr := fmt.Sprintf("%s://%s", u.Scheme, net.JoinHostPort(host, port))
 			opt := ldap.DialWithDialer(&dialer)
-			conn, err = c.LDAP.Dial(net.JoinHostPort(host, port), opt)
+
+			conn, err = c.LDAP.DialURL(fullAddr, opt)
 			if err != nil {
 				break
 			}
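Review bot: `fullAddr` is rebuilt with fmt.Sprintf in the ldap arm of the `@@ -59,8 +59,10 @@` hunk and again, verbatim, in the ldaps arm of the `@@ -83,8 +85,11 @@` hunk of the same commit, even though both derive it from the same u.Scheme, host and port; a plain concatenation, `fullAddr := u.Scheme + "://" + net.JoinHostPort(host, port)`, reads the same and avoids the fmt boxing, and a small helper shared by both arms would remove the duplicate. Rebuilding the address from the parsed pieces also drops any path, query or userinfo that cfg.Url carried, which is presumably intended because DialURL only needs scheme and host, but a one-line comment such as `// Only scheme and host:port are forwarded to DialURL; other URL components are ignored.` would record that decision. DialLDAP's body starts and ends outside both hunks.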
@@ -83,8 +85,11 @@ func (c *Client) DialLDAP(cfg *ConfigEntry) (Connection, error) {
 			if err != nil {
 				break
 			}
+
+			fullAddr := fmt.Sprintf("%s://%s", u.Scheme, net.JoinHostPort(host, port))
 			opt := ldap.DialWithTLSDialer(tlsConfig, &dialer)
-			conn, err = c.LDAP.Dial(net.JoinHostPort(host, port), opt)
+
+			conn, err = c.LDAP.DialURL(fullAddr, opt)
 			if err != nil {
 				break
 			}
diff --git a/sdk/helper/ldaputil/ldap.go b/sdk/helper/ldaputil/ldap.go
index c98ebdf7425a..bdf746e5c8cd 100644
--- a/sdk/helper/ldaputil/ldap.go
+++ b/sdk/helper/ldaputil/ldap.go
@@ -14,11 +14,11 @@ func NewLDAP() LDAP {
 // LDAP provides ldap functionality, but through an interface
 // rather than statically. This allows faking it for tests.
 type LDAP interface {
-	Dial(addr string, opts ...ldap.DialOpt) (Connection, error)
+	DialURL(addr string, opts ...ldap.DialOpt) (Connection, error)
 }
 type ldapIfc struct{}
-func (l *ldapIfc) Dial(addr string, opts ...ldap.DialOpt) (Connection, error) {
+func (l *ldapIfc) DialURL(addr string, opts ...ldap.DialOpt) (Connection, error) {
 	return ldap.DialURL(addr, opts...)
 }

From a1bbd032043cc0b301283b63e5864f7afedeec13 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Mon, 17 Apr 2023 13:06:30 -0400
Subject: [PATCH 3/4] Fix race condition

---
 sdk/helper/ldaputil/client.go | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/sdk/helper/ldaputil/client.go b/sdk/helper/ldaputil/client.go
index cb6aaa57b259..48d18863230c 100644
--- a/sdk/helper/ldaputil/client.go
+++ b/sdk/helper/ldaputil/client.go
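Review bot: The renamed DialURL method in the ldap.go hunk, on both the LDAP interface and ldapIfc, carries no doc comment, and nothing states that addr must now be a scheme-qualified URL rather than the host:port the old Dial accepted — the exact mismatch the first commit of this series shipped with, which test fakes implementing this interface will otherwise rediscover. A comment on the interface method such as `// DialURL connects to the server at a scheme-qualified url (ldap://host:port or ldaps://host:port), forwarding opts to ldap.DialURL.` documents the contract where fakes and callers read it. The existing comment on the interface type itself can stay as it is.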
@@ -32,11 +32,6 @@ func (c *Client) DialLDAP(cfg *ConfigEntry) (Connection, error) {
 	var conn Connection
 	urls := strings.Split(cfg.Url, ",")
-	// Default timeout in the pacakge is 60 seconds, which we default to on our
-	// end. This is useful if you want to take advantage of the URL list to increase
-	// availability of LDAP.
-	ldap.DefaultTimeout = time.Duration(cfg.ConnectionTimeout) * time.Second
-
 	for _, uut := range urls {
 		u, err := url.Parse(uut)
 		if err != nil {

From 38bbd7e344e6d15276c23419294aa76f66d9e0c9 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Mon, 17 Apr 2023 13:46:05 -0400
Subject: [PATCH 4/4] Add tls config dialopt

---
 sdk/helper/ldaputil/client.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sdk/helper/ldaputil/client.go b/sdk/helper/ldaputil/client.go
index 48d18863230c..f86bfd055a64 100644
--- a/sdk/helper/ldaputil/client.go
+++ b/sdk/helper/ldaputil/client.go
@@ -82,9 +82,10 @@ func (c *Client) DialLDAP(cfg *ConfigEntry) (Connection, error) {
 			}
 			fullAddr := fmt.Sprintf("%s://%s", u.Scheme, net.JoinHostPort(host, port))
-			opt := ldap.DialWithTLSDialer(tlsConfig, &dialer)
+			opt := ldap.DialWithDialer(&dialer)
+			tls := ldap.DialWithTLSConfig(tlsConfig)
-			conn, err = c.LDAP.DialURL(fullAddr, opt)
+			conn, err = c.LDAP.DialURL(fullAddr, opt, tls)
 			if err != nil {
 				break
 			}
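Review bot: In the `@@ -82,9 +82,10 @@` hunk the new local `tls` shadows the crypto/tls package that this function already uses (`var tlsConfig *tls.Config` earlier in DialLDAP), so any later `tls.` reference in the ldaps arm would silently resolve to the DialOpt instead of the package; renaming it avoids the trap: `tlsOpt := ldap.DialWithTLSConfig(tlsConfig)` and `conn, err = c.LDAP.DialURL(fullAddr, opt, tlsOpt)`. Splitting DialWithTLSDialer into DialWithDialer plus DialWithTLSConfig is presumably equivalent, but it is worth confirming against the go-ldap version in go.mod that dialer.Timeout still bounds the TLS handshake and not only the TCP connect, since an unbounded handshake would undo the per-dial timeout the first commit introduced. DialLDAP continues outside the hunk.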