VAULT 18227/introduce cap ldap library

builtin/credential/ldap/backend.go

@@ -8,6 +8,7 @@
 	"fmt"
 	"strings"
 
+	"github.com/hashicorp/cap/ldap"
 	"github.com/hashicorp/go-secure-stdlib/strutil"
 
 	"github.com/hashicorp/vault/sdk/framework"
@@ -76,82 +77,25 @@
 		return "", nil, logical.ErrorResponse("password cannot be of zero length when passwordless binds are being denied"), nil, nil
 	}
 
-	ldapClient := ldaputil.Client{
-		Logger: b.Logger(),
-		LDAP:   ldaputil.NewLDAP(),
-	}
-
-	c, err := ldapClient.DialLDAP(cfg.ConfigEntry)
+	ldapClient, err := ldap.NewClient(ctx, ldaputil.ConvertConfig(cfg.ConfigEntry))
 	if err != nil {
 		return "", nil, logical.ErrorResponse(err.Error()), nil, nil
 	}
-	if c == nil {
-		return "", nil, logical.ErrorResponse("invalid connection returned from LDAP dial"), nil, nil
-	}
 
 	// Clean connection
-	defer c.Close()
-
-	userBindDN, err := ldapClient.GetUserBindDN(cfg.ConfigEntry, c, username)
-	if err != nil {
-		if b.Logger().IsDebug() {
-			b.Logger().Debug("error getting user bind DN", "error", err)
-		}
-		return "", nil, logical.ErrorResponse(errUserBindFailed), nil, logical.ErrInvalidCredentials
-	}
-
-	if b.Logger().IsDebug() {
-		b.Logger().Debug("user binddn fetched", "username", username, "binddn", userBindDN)
-	}
-
-	// Try to bind as the login user. This is where the actual authentication takes place.
-	if len(password) > 0 {
-		err = c.Bind(userBindDN, password)
-	} else {
-		err = c.UnauthenticatedBind(userBindDN)
-	}
-	if err != nil {
-		if b.Logger().IsDebug() {
-			b.Logger().Debug("ldap bind failed", "error", err)
-		}
-		return "", nil, logical.ErrorResponse(errUserBindFailed), nil, logical.ErrInvalidCredentials
-	}
+	defer ldapClient.Close(ctx)
 
-	// We re-bind to the BindDN if it's defined because we assume
-	// the BindDN should be the one to search, not the user logging in.
-	if cfg.BindDN != "" && cfg.BindPassword != "" {
-		if err := c.Bind(cfg.BindDN, cfg.BindPassword); err != nil {
-			if b.Logger().IsDebug() {
-				b.Logger().Debug("error while attempting to re-bind with the BindDN User", "error", err)
-			}
-			return "", nil, logical.ErrorResponse("ldap operation failed: failed to re-bind with the BindDN user"), nil, logical.ErrInvalidCredentials
-		}
-		if b.Logger().IsDebug() {
-			b.Logger().Debug("re-bound to original binddn")
-		}
-	}
-
-	userDN, err := ldapClient.GetUserDN(cfg.ConfigEntry, c, userBindDN, username)
+	c, err := ldapClient.Authenticate(ctx, username, password, ldap.WithGroups(), ldap.WithUserAttributes())
 	if err != nil {
-		return "", nil, logical.ErrorResponse(err.Error()), nil, nil
-	}
-
-	if cfg.AnonymousGroupSearch {
-		c, err = ldapClient.DialLDAP(cfg.ConfigEntry)
-		if err != nil {
-			return "", nil, logical.ErrorResponse("ldap operation failed: failed to connect to LDAP server"), nil, nil
+		if strings.Contains(err.Error(), "discovery of user bind DN failed") ||
+			strings.Contains(err.Error(), "unable to bind user") {
+			return "", nil, logical.ErrorResponse(errUserBindFailed), nil, logical.ErrInvalidCredentials
 		}
-		defer c.Close() // Defer closing of this connection as the deferal above closes the other defined connection
-	}
 
-	ldapGroups, err := ldapClient.GetLdapGroups(cfg.ConfigEntry, c, userDN, username)
-	if err != nil {
 		return "", nil, logical.ErrorResponse(err.Error()), nil, nil
 	}
-	if b.Logger().IsDebug() {
-		b.Logger().Debug("groups fetched from server", "num_server_groups", len(ldapGroups), "server_groups", ldapGroups)
-	}
 
+	ldapGroups := c.Groups
 	ldapResponse := &logical.Response{
 		Data: map[string]interface{}{},
 	}
@@ -162,6 +106,10 @@
 		ldapResponse.AddWarning(errString)
 	}
 
+	for _, warning := range c.Warnings {
+		ldapResponse.AddWarning(string(warning))
+	}
+
 	var allGroups []string
 	canonicalUsername := username
 	cs := *cfg.CaseSensitiveNames
@@ -206,13 +154,11 @@
 		return username, policies, ldapResponse, allGroups, nil
 	}
 
-	entityAliasAttribute, err := ldapClient.GetUserAliasAttributeValue(cfg.ConfigEntry, c, username)
-	if err != nil {
-		return "", nil, logical.ErrorResponse(err.Error()), nil, nil
-	}
-	if entityAliasAttribute == "" {
+	userAttrValues := c.UserAttributes[cfg.UserAttr]
+	if len(userAttrValues) == 0 {
 		return "", nil, logical.ErrorResponse("missing entity alias attribute value"), nil, nil
 	}
+	entityAliasAttribute := userAttrValues[0]
 
 	return entityAliasAttribute, policies, ldapResponse, allGroups, nil
 }

changelog/22185.txt

@@ -0,0 +1,5 @@
+```release-note:improvement
+auth/ldap: introduce cap/ldap.Client for LDAP authentication
+auth/ldap: deprecates `connection_timeout` in favor of `request_timeout` for timeouts
+sdk/ldaputil: deprecates Client in favor of cap/ldap.Client
+```

go.mod

@@ -62,7 +62,7 @@ require (
 	github.com/go-errors/errors v1.5.0
 	github.com/go-git/go-git/v5 v5.7.0
 	github.com/go-jose/go-jose/v3 v3.0.0
-	github.com/go-ldap/ldap/v3 v3.4.4
+	github.com/go-ldap/ldap/v3 v3.4.5
 	github.com/go-sql-driver/mysql v1.7.1
 	github.com/go-test/deep v1.1.0
 	github.com/go-zookeeper/zk v1.0.3
@@ -75,6 +75,7 @@ require (
 	github.com/google/go-metrics-stackdriver v0.2.0
 	github.com/google/tink/go v1.7.0
 	github.com/hashicorp/cap v0.3.4
+	github.com/hashicorp/cap/ldap v0.0.0-20230907231022-8e71bfc048ed
 	github.com/hashicorp/consul-template v0.33.0
 	github.com/hashicorp/consul/api v1.23.0
 	github.com/hashicorp/errwrap v1.1.0

helper/testhelpers/ldap/ldaphelper.go

@@ -6,21 +6,15 @@ package ldap
 import (
 	"context"
 	"fmt"
-	"runtime"
-	"strings"
 	"testing"
 
-	hclog "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/cap/ldap"
+
 	"github.com/hashicorp/vault/sdk/helper/docker"
 	"github.com/hashicorp/vault/sdk/helper/ldaputil"
 )
 
 func PrepareTestContainer(t *testing.T, version string) (cleanup func(), cfg *ldaputil.ConfigEntry) {
-	// Skipping on ARM, as this image can't run on ARM architecture
-	if strings.Contains(runtime.GOARCH, "arm") {
-		t.Skip("Skipping, as this image is not supported on ARM architectures")
-	}
-
 	runner, err := docker.NewServiceRunner(docker.RunOptions{
 		// Currently set to "michelvocks" until https://github.com/rroemhild/docker-test-openldap/pull/14
 		// has been merged.
@@ -48,19 +42,16 @@ func PrepareTestContainer(t *testing.T, version string) (cleanup func(), cfg *ld
 	svc, err := runner.StartService(context.Background(), func(ctx context.Context, host string, port int) (docker.ServiceConfig, error) {
 		connURL := fmt.Sprintf("ldap://%s:%d", host, port)
 		cfg.Url = connURL
-		logger := hclog.New(nil)
-		client := ldaputil.Client{
-			LDAP:   ldaputil.NewLDAP(),
-			Logger: logger,
-		}
 
-		conn, err := client.DialLDAP(cfg)
+		client, err := ldap.NewClient(ctx, ldaputil.ConvertConfig(cfg))
 		if err != nil {
 			return nil, err
 		}
-		defer conn.Close()
 
-		if _, err := client.GetUserBindDN(cfg, conn, "Philip J. Fry"); err != nil {
+		defer client.Close(ctx)
+
+		_, err = client.Authenticate(ctx, "Philip J. Fry", "fry")
+		if err != nil {
 			return nil, err
 		}
 

sdk/go.mod

@@ -11,11 +11,12 @@ require (
 	github.com/docker/go-connections v0.4.0
 	github.com/evanphx/json-patch/v5 v5.6.0
 	github.com/fatih/structs v1.1.0
-	github.com/go-ldap/ldap/v3 v3.4.1
+	github.com/go-ldap/ldap/v3 v3.4.5
 	github.com/go-test/deep v1.1.0
 	github.com/golang/protobuf v1.5.3
 	github.com/golang/snappy v0.0.4
-	github.com/google/tink/go v1.7.0
+	github.com/google/tink/go v1.6.1
+	github.com/hashicorp/cap/ldap v0.0.0-20230907231022-8e71bfc048ed
 	github.com/hashicorp/errwrap v1.1.0
 	github.com/hashicorp/go-cleanhttp v0.5.2
 	github.com/hashicorp/go-hclog v1.5.0
@@ -56,15 +57,15 @@ require (
 	cloud.google.com/go/compute v1.20.1 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
-	github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c // indirect
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/containerd/containerd v1.7.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/fatih/color v1.14.1 // indirect
 	github.com/frankban/quicktest v1.11.3 // indirect
-	github.com/go-asn1-ber/asn1-ber v1.5.1 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/s2a-go v0.1.4 // indirect
@@ -109,6 +110,12 @@ require (
 	google.golang.org/api v0.134.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230803162519-f966b187b2e5 // indirect
+	golang.org/x/mod v0.8.0 // indirect
+	golang.org/x/sys v0.10.0 // indirect
+	golang.org/x/term v0.10.0 // indirect
+	golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect
+	golang.org/x/tools v0.6.0 // indirect
+	google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

sdk/helper/ldaputil/client.go

@@ -18,12 +18,13 @@
 	"text/template"
 	"time"
 
 	"github.com/go-ldap/ldap/v3"
 	hclog "github.com/hashicorp/go-hclog"
 	multierror "github.com/hashicorp/go-multierror"
 	"github.com/hashicorp/go-secure-stdlib/tlsutil"
 )
 
+// Deprecated: Use ldap.Client instead
 type Client struct {
 	Logger hclog.Logger
 	LDAP   LDAP

sdk/helper/ldaputil/config.go

@@ -12,7 +12,9 @@
 	"strings"
 	"text/template"
 
+	capldap "github.com/hashicorp/cap/ldap"
 	"github.com/hashicorp/go-secure-stdlib/tlsutil"
+
 	"github.com/hashicorp/vault/sdk/framework"
 
 	"github.com/hashicorp/errwrap"
@@ -461,7 +463,7 @@
 	UseTokenGroups           bool   `json:"use_token_groups"`
 	UsePre111GroupCNBehavior *bool  `json:"use_pre111_group_cn_behavior"`
 	RequestTimeout           int    `json:"request_timeout"`
-	ConnectionTimeout        int    `json:"connection_timeout"`
+	ConnectionTimeout        int    `json:"connection_timeout"` // deprecated: use RequestTimeout
 	DerefAliases             string `json:"dereference_aliases"`
 	MaximumPageSize          int    `json:"max_page_size"`
 
@@ -559,3 +561,53 @@
 	}
 	return nil
 }
+
+func ConvertConfig(cfg *ConfigEntry) *capldap.ClientConfig {
+	// cap/ldap doesn't have a notion of connection_timeout, and uses a single timeout value for
+	// both the net.Dialer and ldap connection timeout.
+	// So take the smaller of the two values and use that as the timeout value.
+	minTimeout := min(cfg.ConnectionTimeout, cfg.RequestTimeout)
+	urls := strings.Split(cfg.Url, ",")
+	config := &capldap.ClientConfig{
+		URLs:                                 urls,
+		UserDN:                               cfg.UserDN,
+		AnonymousGroupSearch:                 cfg.AnonymousGroupSearch,
+		GroupDN:                              cfg.GroupDN,
+		GroupFilter:                          cfg.GroupFilter,
+		GroupAttr:                            cfg.GroupAttr,
+		UPNDomain:                            cfg.UPNDomain,
+		UserFilter:                           cfg.UserFilter,
+		UserAttr:                             cfg.UserAttr,
+		ClientTLSCert:                        cfg.ClientTLSCert,
+		ClientTLSKey:                         cfg.ClientTLSKey,
+		InsecureTLS:                          cfg.InsecureTLS,
+		StartTLS:                             cfg.StartTLS,
+		BindDN:                               cfg.BindDN,
+		BindPassword:                         cfg.BindPassword,
+		AllowEmptyPasswordBinds:              !cfg.DenyNullBind,
+		DiscoverDN:                           cfg.DiscoverDN,
+		TLSMinVersion:                        cfg.TLSMinVersion,
+		TLSMaxVersion:                        cfg.TLSMaxVersion,
+		UseTokenGroups:                       cfg.UseTokenGroups,
+		RequestTimeout:                       minTimeout,
+		IncludeUserAttributes:                true,
+		ExcludedUserAttributes:               nil,
+		IncludeUserGroups:                    true,
+		MaximumPageSize:                      cfg.MaximumPageSize,
+		DerefAliases:                         cfg.DerefAliases,
+		DeprecatedVaultPre111GroupCNBehavior: cfg.UsePre111GroupCNBehavior,
+	}
+
+	if cfg.Certificate != "" {
+		config.Certificates = []string{cfg.Certificate}
+	}
+
+	return config
+}
+
+func min(a, b int) int {
+	if a < b {
+		return a
+	}
+	return b
+}

sdk/helper/ldaputil/connection.go

@@ -14,7 +14,7 @@ import (
 // but through an interface.
 type Connection interface {
 	Bind(username, password string) error
-	Close()
+	Close() error
 	Add(addRequest *ldap.AddRequest) error
 	Modify(modifyRequest *ldap.ModifyRequest) error
 	Del(delRequest *ldap.DelRequest) error

website/content/api-docs/secret/ldap.mdx

@@ -53,9 +53,6 @@ to search and change entry passwords in LDAP.
   string for authentication. The constructed UPN will appear as `[binddn]@[upndomain]`. For
   example, if `upndomain=example.com` and `binddn=admin`, the UPN string `admin@example.com`
   will be used to log in to Active Directory.
-- `connection_timeout` `(integer: 30 or string: "30s")` - Timeout, in seconds, 
-  when attempting to connect to the LDAP server before trying the next URL in 
-  the configuration.
 - `request_timeout` `(integer: 90, string: "90s" <optional>)` - Timeout, in seconds, for the connection when
   making requests against the server before returning back an error.
 - `starttls` `(bool: <optional>)` - If true, issues a `StartTLS` command after establishing an unencrypted connection.
@@ -71,6 +68,10 @@ to search and change entry passwords in LDAP.
 
 - `length` `(int: 64)` - The length of generated password strings. Note: some schemas may require shorter
   password lengths (such as `racf`). Mutually exclusive with `password_policy`
+- `connection_timeout` `(integer: 30 or string: "30s")` - Timeout, in seconds,
+  when attempting to connect to the LDAP server before trying the next URL in
+  the configuration. Note: Use request_timeout instead. When both `connection_timeout` and `request_timeout` are set,
+  the smaller value will be used for both connection and request timeouts.
 
 **Note about password generation**: