Documentation ¶
Index ¶
- func ChannelBindingHash(cert *x509.Certificate) []byte
- func Connect(ctx context.Context, authOpts *adauth.Options, ldapOpts *Options) (conn *ldap.Conn, err error)
- func ConnectTo(ctx context.Context, creds *adauth.Credential, target *adauth.Target, ...) (conn *ldap.Conn, err error)
- func TLSConfig(opts *Options, clientCert *x509.Certificate, clientCertKey crypto.PrivateKey, ...) (*tls.Config, error)
- func UserAndDomainFromPFX(pfxFile string, password string) (user string, domain string, err error)
- type Options
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ChannelBindingHash ¶
func ChannelBindingHash(cert *x509.Certificate) []byte
ChannelBindingHash computes the channel binding token that can be included in the authentication handshake to make sure that the client has established a TLS connection to the correct server.
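The following is an added example, not this package's code: a standard-library sketch of how a TLS channel binding is commonly derived for NTLM and Kerberos, namely the RFC 5929 tls-server-end-point certificate hash wrapped in a gss_channel_bindings_struct and reduced with MD5. The page does not state which value ChannelBindingHash returns, so the construction, the helper names endpointHash and gssBindingToken, and the sample certificate bytes are assumptions.

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"encoding/binary"
	"fmt"
)

// endpointHash (hypothetical helper) applies the RFC 5929 rule: hash the DER
// certificate with the digest of its signature algorithm, replacing MD5 and
// SHA-1 with SHA-256. Other algorithms also fall back to SHA-256 here, which
// is an assumption of this sketch.
func endpointHash(cert *x509.Certificate) []byte {
	h := sha256.New()
	switch cert.SignatureAlgorithm {
	case x509.SHA384WithRSA, x509.ECDSAWithSHA384, x509.SHA384WithRSAPSS:
		h = sha512.New384()
	case x509.SHA512WithRSA, x509.ECDSAWithSHA512, x509.SHA512WithRSAPSS:
		h = sha512.New()
	}
	h.Write(cert.Raw)
	return h.Sum(nil)
}

// gssBindingToken (hypothetical helper) serializes gss_channel_bindings_struct
// with empty initiator and acceptor addresses (16 zero bytes), a little-endian
// length, and the application data, then returns its MD5 digest.
func gssBindingToken(cert *x509.Certificate) []byte {
	appData := append([]byte("tls-server-end-point:"), endpointHash(cert)...)
	buf := binary.LittleEndian.AppendUint32(make([]byte, 16), uint32(len(appData)))
	sum := md5.Sum(append(buf, appData...))
	return sum[:]
}

func main() {
	// Constructed samples; in real use the certificate is
	// tls.ConnectionState.PeerCertificates[0] of the LDAPS connection.
	dc := &x509.Certificate{Raw: []byte("constructed DER of the server cert"), SignatureAlgorithm: x509.SHA1WithRSA}
	other := &x509.Certificate{Raw: []byte("constructed DER of another cert"), SignatureAlgorithm: x509.SHA256WithRSA}
	// Different certificates give different tokens, so a server that checks the
	// token can tell that the client's TLS session ended somewhere else.
	fmt.Printf("server: %x\nother:  %x\n", gssBindingToken(dc), gssBindingToken(other))
}
```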
func Connect ¶
func Connect(ctx context.Context, authOpts *adauth.Options, ldapOpts *Options) (conn *ldap.Conn, err error)
Connect returns an authenticated LDAP connection to the domain controller's LDAP server.
func ConnectTo ¶
func ConnectTo(ctx context.Context, creds *adauth.Credential, target *adauth.Target, ldapOpts *Options) (conn *ldap.Conn, err error)
ConnectTo returns an authenticated LDAP connection to the specified target.
func TLSConfig ¶
func TLSConfig(opts *Options, clientCert *x509.Certificate, clientCertKey crypto.PrivateKey, caCerts []*x509.Certificate) (*tls.Config, error)
TLSConfig returns a TLS config based on the default config in the provided LDAP options as well as PFX files.
Types ¶
type Options ¶
type Options struct {
    // LDAP scheme (ldap or ldaps).
    Scheme string

    // Verify indicates whether TLS verification should be performed.
    Verify bool

    // Timeout sets the request timeout for the LDAP connection.
    Timeout time.Duration

    // Debug can be set to enable debug output, for example with
    // adauth.NewDebugFunc(...).
    Debug func(string, ...any)

    // SimpleBind indicates that SimpleBind authentication should be used
    // instead of NTLM, Kerberos or mTLS. For this, a cleartext password is
    // required.
    SimpleBind bool

    // TLSConfig for LDAPS or LDAP+StartTLS. InsecureSkipVerify is ignored and
    // set according to Options.Verify. MaxVersion will be changed to 1.2 unless
    // Options.DisableChannelBinding is set.
    TLSConfig *tls.Config

    // DisableChannelBinding omits the TLS certificate hash in Kerberos and NTLM
    // authentication.
    DisableChannelBinding bool

    // StartTLS indicates that a TLS connection should be established even for
    // non-LDAPS connections before authenticating. For client-certificate
    // authentication on regular LDAP connections, StartTLS will be used even if
    // this option is disabled.
    StartTLS bool

    // DialOptions can be used to customize the connection. However
    // ldap.DialWithTLSConfig will be ignored, because TLS setup is handled
    // internally.
    DialOptions []ldap.DialOpt

    // PKINITOptions can be used to modify the behavior of PKINIT when it is
    // used.
    PKINITOptions []pkinit.Option
}
Options holds LDAP specific options.
func (*Options) RegisterFlags ¶
RegisterFlags registers LDAP specific flags to a pflag.FlagSet such as the default flagset pflag.CommandLine.