This module implements an ldap client.
```shell
docker pull registry.goingrid.io/services/ldap:v0.1.0
```
The ldap service accepts the following properties or controls:

Key | Multivalue | Required | Description |
---|---|---|---|
LdapAttributes | yes | no | Attributes to change (update, replace or remove) |
LdapDN | no | no | DN attribute control: if LdapDN_Ctrl is set, the content of the property it names is used as DN |
LdapOperation | no | no | Operation to perform, if LdapOperation_Ctrl is set |
LdapConvertUTF16LE | no | no | Convert the attributes named in this property to UTF-16LE (AD password), if LdapConvertUTF16LE_Ctrl is set |
LdapB64CodeAttributes | no | no | Convert the attributes named in this property to Base64, if LdapB64CodeAttributes_Ctrl is set |
LdapSearchBase | no | no | The LDAP search base is taken from the attribute named by LdapSearchBase_Ctrl |
LdapSearchFetchAttrs | no | no | The search retrieves the attributes named in the LdapSearchFetchAttrs_Ctrl attribute |
LdapSearchAttrs | no | no | The search matches on the keys named in the LdapSearchAttrs_Ctrl attribute, using their values from the document |
LdapSearchFilter | no | no | The content of the attribute named by LdapSearchFilter_Ctrl is used as LDAP filter |
LdapSearchWildcard | no | no | The attribute named by LdapSearchWildcard_Ctrl sets the search behaviour. Valid values: true / false / prefix / suffix |

Each name is looked up first among the request controls; if no control of that name is present, the document is searched for a property with that name.
The ldap service lets you do the following.

To update an LDAP object, send a REST call:

LDAP Update displayName

```http
POST http://localhost:8085/ldap/cmd HTTP/1.1
content-type: application/json
Authorization: Basic admin nutz
dnattribute: DN

{
  "ldap_op": ["Update"],
  "displayName": ["Toaster"],
  "DN": ["uid=admin,ou=system"]
}
```
Response

```http
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Access-Control-Allow-Headers, Origin,Accept,Accept-Language, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json
Date: Tue, 25 Aug 2020 07:07:24 GMT
Content-Length: 69
Connection: close

{
  "Code": 200,
  "Message": "Success",
  "Data": {},
  "List": []
}
```
LDAP Remove displayName

```http
POST http://localhost:8085/ldap/cmd HTTP/1.1
content-type: application/json
Authorization: Basic admin nutz
dnattribute: DN

{
  "ldap_op": ["Remove"],
  "displayName": ["Toaster"],
  "DN": ["uid=admin,ou=system"]
}
```
LDAP Replace displayName

```http
POST http://localhost:8085/ldap/cmd HTTP/1.1
content-type: application/json
Authorization: Basic admin nutz
dnattribute: DN

{
  "ldap_op": ["Replace"],
  "displayName": ["Toaster"],
  "DN": ["uid=admin,ou=system"]
}
```
LDAP Get by DN

```http
POST http://localhost:8085/ldap/cmd HTTP/1.1
content-type: application/json
Authorization: Basic admin nutz
dnattribute: getdn

{
  "ldap_op": ["Get"],
  "getdn": ["uid=admin,ou=system"]
}
```
LDAP Search by displayName

```http
POST http://localhost:8085/ldap/cmd HTTP/1.1
content-type: application/json
Authorization: Basic admin nutz

{
  "ldap_op": ["Search"],
  "displayName": ["Toaster"]
}
```

Response

```http
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Access-Control-Allow-Headers, Origin,Accept,Accept-Language, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization
Access-Control-Allow-Methods: POST, GET, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin: *
Content-Type: application/json
Date: Tue, 06 Oct 2020 08:21:49 GMT
Content-Length: 128
Connection: close

{
  "Code": 200,
  "Message": "Success",
  "Data": {
    "displayName": [
      "Toaster"
    ],
    "searchdn": [
      "uid=admin,ou=system"
    ],
    "uid": [
      "admin"
    ]
  },
  "List": []
}
```
Docker config for all the examples above:

```yaml
ldap:
  image: registry.goingrid.io/services/ldap:v0.1.0
  deploy:
    restart_policy:
      condition: on-failure
  environment:
    NAME: "ldap"
    SERVERHOST: "hive"
    SERVERAUTH: "file:///run/secrets/ing-hive-key"
    INPUTCHANNEL: "ldap_cmd"
    LOGLEVEL: trace
    LOGFORMAT: raw
    LDAPDN_CTRL: dnattribute
    LDAPOPERATION_CTRL: ldap_op
    LDAPATTRIBUTES: displayName
    LDAPSERVER: localhost
    LDAPPORT: 1038
    LDAPTLS: true
    FALLBACK: true
    LDAPAUTHMODE: 1
    LDAPAUTHUSER: uid=admin,ou=system
    LDAPAUTHPASSWORD: secret
    LDAPSEARCHFETCHATTRS: displayName;uid
    LDAPSEARCHATTRS: displayName
    LDAPGETFILTER: (objectClass=*)
    LDAPGETFETCHATTRS: displayName;uid
    LDAPSEARCHFILTER: (&(objectClass=*)(%s))
    LDAPSEARCHBASE: ou=users,dc=example,dc=org
  depends_on:
    - hive
  secrets:
    - ing-hive-key
  networks:
    - ing-entry
    - ing-middle
```
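The Search example above takes the values of the attributes listed in LDAPSEARCHATTRS straight from the request document and places them into the `%s` of LDAPSEARCHFILTER. The page does not say whether the service escapes those values before doing so, which is the point a practitioner should check: a document value like `Toaster)(uid=admin` would otherwise change the structure of the filter. The following is an added example, not the goingrid service's own code, that reconstructs the filter construction from the settings shown above with RFC 4515 escaping applied. The control names `searchattrs` and `wildcard`, the function names, the meaning of the four LDAPSEARCHWILDCARD values, and the way several search attributes or several values of one attribute are combined are assumptions made for the example.

```python
import re

# Added example (not the goingrid service's own code). Reconstructs how a
# Search request is turned into an LDAP filter from the settings shown above,
# with RFC 4515 escaping of document values. Assumptions are marked as such.

# Constructed settings mirroring the Docker config above; the two *_CTRL names
# are assumed to show how a control overrides a static setting.
SEARCH_SETTINGS = {
    "LDAPSEARCHATTRS": "displayName",
    "LDAPSEARCHATTRS_CTRL": "searchattrs",      # assumed control name
    "LDAPSEARCHWILDCARD_CTRL": "wildcard",      # assumed control name
    "LDAPSEARCHFILTER": "(&(objectClass=*)(%s))",
}

# RFC 4515 section 3: characters that must be escaped in an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

_WILDCARD_MODES = ("false", "prefix", "suffix", "true")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def resolve(settings: dict, controls: dict, doc: dict, key: str) -> str:
    """Resolve an Ldap* setting in the order the page describes: if <KEY>_CTRL
    names a control, a control (request header) of that name wins, then a
    document property of that name, and only then the static <KEY> value."""
    ctrl_name = settings.get(key + "_CTRL")
    if ctrl_name:
        if ctrl_name in controls:
            return controls[ctrl_name]
        if ctrl_name in doc and doc[ctrl_name]:
            return doc[ctrl_name][0]          # document properties are lists
    return settings.get(key, "")


def with_wildcard(value: str, mode: str) -> str:
    """Apply LDAPSEARCHWILDCARD. Assumed meaning of the documented values:
    false = exact match, prefix = value is a prefix, suffix = value is a
    suffix, true = substring. The '*' is added after escaping, so a '*'
    typed by the caller stays a literal character."""
    if mode not in _WILDCARD_MODES:
        raise ValueError(f"invalid wildcard mode {mode!r}")
    escaped = escape_filter_value(value)
    return {"false": escaped, "prefix": escaped + "*",
            "suffix": "*" + escaped, "true": "*" + escaped + "*"}[mode]


def build_search_filter(settings: dict, controls: dict, doc: dict) -> str:
    """Produce the LDAP filter for an ldap_op=Search request."""
    attrs = [a for a in resolve(settings, controls, doc, "LDAPSEARCHATTRS").split(";") if a]
    wildcard = resolve(settings, controls, doc, "LDAPSEARCHWILDCARD") or "false"
    template = settings.get("LDAPSEARCHFILTER") or "(%s)"
    if template.count("%s") != 1:
        raise ValueError("LDAPSEARCHFILTER must contain exactly one %s")
    clauses = []
    for attr in attrs:
        # Attribute names come from configuration, but keep them to RFC 4512 syntax
        # anyway so a control cannot smuggle filter syntax through this path either.
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attr):
            raise ValueError(f"invalid attribute name {attr!r}")
        if attr not in doc or not doc[attr]:
            raise ValueError(f"search attribute {attr!r} missing from document")
        # Assumption: several values of one attribute are OR-ed.
        terms = [f"({attr}={with_wildcard(v, wildcard)})" for v in doc[attr]]
        clauses.append(terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")")
    if not clauses:
        raise ValueError("no search attributes configured")
    # The template's %s receives 'attr=value' for one clause (matching the page's
    # example). Assumption: several attributes are AND-ed inside that slot.
    inner = clauses[0][1:-1] if len(clauses) == 1 else "&" + "".join(clauses)
    return template.replace("%s", inner)
```

With the page's own request (`displayName: Toaster`) the result is `(&(objectClass=*)(displayName=Toaster))`; with a value of `Toaster)(uid=admin` the parentheses arrive escaped as `\29\28` and the filter keeps its single assertion.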
There are four login modes for the worker itself:

- Mode 1 (FIX): the worker always binds with the fixed credentials LdapAuthUser / LdapAuthPassword for all operations on the LDAP.
- Mode 2 (FQDNUSERNAME): the worker always binds with the values carried in the doc: the DN from the attribute named by LdapAuthLogin_Ctrl and the password from the attribute named by LdapAuthPassword_Ctrl.
- Mode 3 (SEARCH): the worker binds with LdapAuthUser / LdapAuthPassword, searches for the user, and then binds as the user found with the password supplied in the doc.
- Mode 4 (REGEX): the worker applies LdapAuthLoginRegex to the login name, takes the first capture group and substitutes it into LdapAuthLoginString; the result is used as the bind DN, and the password is taken from the attribute named by LdapAuthPassword_Ctrl.

Setting | Mode | Parameters involved | Doc values |
---|---|---|---|
1 | FIX | LdapAuthUser, LdapAuthPassword | |
2 | FQDNUSERNAME | LdapAuthLogin_Ctrl, LdapAuthPassword_Ctrl | FQDN username in the login attribute, password in the password attribute |
3 | SEARCH | LdapAuthUser, LdapAuthPassword, LdapDN or LdapDN_Ctrl, LdapAuthLogin_Ctrl, LdapAuthSearchBase or LdapAuthSearchBase_Ctrl, LdapAuthSearchAttrs or LdapAuthSearchAttrs_Ctrl, LdapAuthLoginString, LdapAuthPassword_Ctrl | Bind with LdapAuthUser / LdapAuthPassword and search below LdapDN or LdapDN_Ctrl for the user whose entry matches the LdapAuthLogin_Ctrl value applied through LdapAuthLoginString, then bind as that user with the password from LdapAuthPassword_Ctrl |
4 | REGEX | LdapAuthLoginString, LdapAuthLoginRegex, LdapAuthLoginAttribute or LdapAuthLoginAttribute_Ctrl, LdapAuthPassword_Ctrl | Username in the login attribute, password in the password attribute |
Request

```http
### LDAP Search by displayName AUTH MODE 3
POST http://localhost:8085/ldap/cmd HTTP/1.1
content-type: application/json
Authorization: Basic admin nutz

{
  "ldap_op": ["Search"],
  "userpassword": ["test"],
  "uid": ["testuser"],
  "displayName": ["Toaster"]
}
```
Docker config:

```yaml
ldap:
  image: registry.goingrid.io/services/ldap:v0.1.0
  deploy:
    restart_policy:
      condition: on-failure
  environment:
    NAME: "ldap"
    SERVERHOST: "hive"
    SERVERAUTH: "file:///run/secrets/ing-hive-key"
    INPUTCHANNEL: "ldap_cmd"
    LOGLEVEL: trace
    LOGFORMAT: raw
    LDAPDN_CTRL: dnattribute
    LDAPOPERATION_CTRL: ldap_op
    LDAPATTRIBUTES: displayName
    LDAPSERVER: localhost
    LDAPPORT: 1038
    LDAPTLS: true
    FALLBACK: true
    LDAPAUTHMODE: 3
    LDAPAUTHUSER: uid=admin,ou=system
    LDAPAUTHPASSWORD: secret
    LDAPAUTHPASSWORD_CTRL: userpassword
    LDAPAUTHLOGIN: uid
    LDAPAUTHSEARCHBASE: ou=system
    LDAPAUTHSEARCHATTRS: uid
    LDAPAUTHLOGINSTRING: (objectClass=person)
    LDAPSEARCHFETCHATTRS: displayName;uid
    LDAPSEARCHATTRS: displayName
    LDAPGETFILTER: (objectClass=*)
    LDAPGETFETCHATTRS: displayName;uid
    LDAPSEARCHFILTER: (&(objectClass=*)(%s))
    LDAPSEARCHBASE: ou=system
  depends_on:
    - hive
  secrets:
    - ing-hive-key
  networks:
    - ing-entry
    - ing-middle
```
Request

```http
### LDAP Search by displayName AUTH MODE 4
POST http://localhost:8085/ldap/cmd HTTP/1.1
content-type: application/json
Authorization: Basic admin nutz

{
  "ldap_op": ["Search"],
  "userpassword": ["test"],
  "loginname": ["cn=testuser,ou=banane,o=olddir"],
  "displayName": ["Toaster"]
}
```
Docker config (LDAPAUTHPASSWORD_CTRL must name the document attribute that carries the password, `userpassword` in the request above; LDAPAUTHMODE is a plain number without a trailing comma):

```yaml
ldap:
  image: registry.goingrid.io/services/ldap:v0.1.0
  deploy:
    restart_policy:
      condition: on-failure
  environment:
    NAME: "ldap"
    SERVERHOST: "hive"
    SERVERAUTH: "file:///run/secrets/ing-hive-key"
    INPUTCHANNEL: "ldap_cmd"
    LOGLEVEL: trace
    LOGFORMAT: raw
    LDAPDN_CTRL: dnattribute
    LDAPOPERATION_CTRL: ldap_op
    LDAPATTRIBUTES: displayName
    LDAPSERVER: localhost
    LDAPPORT: 1038
    LDAPTLS: true
    FALLBACK: true
    LDAPAUTHMODE: 4
    LDAPAUTHLOGINSTRING: uid=%s,ou=system
    LDAPAUTHLOGINREGEX: ^cn=(.*),ou=.*$
    LDAPAUTHLOGIN_CTRL: loginname
    LDAPAUTHPASSWORD_CTRL: userpassword
    LDAPSEARCHFETCHATTRS: displayName;uid
    LDAPSEARCHATTRS: displayName
    LDAPGETFILTER: (objectClass=*)
    LDAPGETFETCHATTRS: displayName;uid
    LDAPSEARCHFILTER: (&(objectClass=*)(%s))
    LDAPSEARCHBASE: ou=system
  depends_on:
    - hive
  secrets:
    - ing-hive-key
  networks:
    - ing-entry
    - ing-middle
```
Example response:

```http
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Access-Control-Allow-Headers, Origin,Accept,Accept-Language, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization
Access-Control-Allow-Methods: POST, GET, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin: *
Content-Type: application/json
Date: Tue, 06 Oct 2020 09:30:29 GMT
Content-Length: 203
Connection: close

{
  "Code": 200,
  "Message": "Success",
  "Data": {},
  "List": [
    {
      "DN": [
        "uid=admin,ou=system"
      ],
      "displayName": [
        "Toaster"
      ],
      "uid": [
        "admin"
      ]
    },
    {
      "DN": [
        "uid=testuser,ou=system"
      ],
      "displayName": [
        "Toaster"
      ],
      "uid": [
        "testuser"
      ]
    }
  ]
}
```
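In auth mode 4 the bind DN is built from data the caller controls: the regex `^cn=(.*),ou=.*$` captures `testuser` from `cn=testuser,ou=banane,o=olddir` and the template `uid=%s,ou=system` turns it into `uid=testuser,ou=system`. Two things a practitioner should check around that step are whether the captured group is escaped before it is placed into the DN (the page does not say), and what happens when the document carries an empty password, since a simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that many directories accept. The following is an added example, not the goingrid service's own code, that reconstructs the mode 4 derivation from the settings above with both checks in place. The function names and the RFC 4514 escaping are additions for the example.

```python
import re

# Added example (not the goingrid service's own code). Reconstructs the auth
# mode 4 bind-DN derivation from the settings shown above and adds two checks
# before the bind: RFC 4514 escaping of the captured group and rejection of an
# empty password. Assumptions are marked as such.

# Constructed settings mirroring the auth mode 4 Docker config above.
MODE4_SETTINGS = {
    "LDAPAUTHMODE": "4",
    "LDAPAUTHLOGINSTRING": "uid=%s,ou=system",
    "LDAPAUTHLOGINREGEX": r"^cn=(.*),ou=.*$",
    "LDAPAUTHLOGIN_CTRL": "loginname",
    "LDAPAUTHPASSWORD_CTRL": "userpassword",
}


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4):
    backslash and one of '"+,;<>' anywhere, NUL, a leading '#', and a leading
    or trailing space."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def doc_value(ctrl_name: str, controls: dict, doc: dict) -> str:
    """Control (request header) first, then the document property of that name,
    the lookup order the page describes."""
    if ctrl_name in controls:
        return controls[ctrl_name]
    if ctrl_name in doc and doc[ctrl_name]:
        return doc[ctrl_name][0]          # document properties are lists
    raise ValueError(f"{ctrl_name!r} not present as control or document property")


def derive_bind_mode4(settings: dict, controls: dict, doc: dict) -> tuple:
    """Return (bind_dn, password) for auth mode 4.

    The first capture group of LDAPAUTHLOGINREGEX replaces %s in
    LDAPAUTHLOGINSTRING. Whether the service escapes that group is not stated on
    the page; this example escapes it, so a login name such as
    'cn=x,ou=system+uid=admin,ou=y' yields one (non-existent) RDN value instead
    of a multi-valued RDN that names a different entry.
    """
    login = doc_value(settings["LDAPAUTHLOGIN_CTRL"], controls, doc)
    match = re.match(settings["LDAPAUTHLOGINREGEX"], login)
    if match is None or match.lastindex is None:
        raise ValueError(f"login name {login!r} does not match LDAPAUTHLOGINREGEX")
    bind_dn = settings["LDAPAUTHLOGINSTRING"].replace("%s", escape_dn_value(match.group(1)))

    password = doc_value(settings["LDAPAUTHPASSWORD_CTRL"], controls, doc)
    # RFC 4513 section 5.1.2: DN plus empty password is an unauthenticated bind,
    # which many directories accept. A missing password in the document must not
    # turn into a "successful" login.
    if password == "":
        raise ValueError("empty password would produce an unauthenticated bind")
    return bind_dn, password
```

For the page's own request the result is `('uid=testuser,ou=system', 'test')`. A login name of `cn=x,ou=system+uid=admin,ou=y` is matched by the greedy regex with the group `x,ou=system+uid=admin`, which the escaping turns into the single RDN value `uid=x\,ou=system\+uid=admin`.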
Like every other service, the ldap service accepts all properties of the general service configuration and, since it listens on an input channel, the input configuration.

The following parameters are specific to this service. They can be set either as environment variables (all uppercase) or on the CLI (prefixed with `-`).

Parameter | Default | Description |
---|---|---|
Fallback | false | Fall back to simple / single operations if the combined operation fails |
InputChannel string | "" | Channel to be used as input |
InputQueue string | "*" | Queue of the input channel to be used as input |
KeyFile string | "" | Auth seed keyfile |
LargeDataEnabled | true | Set to false to disable LargeData processing |
LargeDataIP string | "" | IP address of this module (leave empty for auto-detect) |
LargeDataLookupEnabled | "" | Enable to look up the host IP against the configured LargeDataIP |
LargeDataPath string | "" | Temp directory to store LargeData files in (leave empty for the OS default temp directory) |
LargeDataPort string | "" | Port to use for LargeData (leave empty for the default port 7632) |
LdapAttributes string | "" | Apply changes only to these attributes in the LDAP |
LdapAttributes_Ctrl string | "" | Control or attribute naming the attributes to apply to the LDAP |
LdapAuthLoginAttribute string | "" | Attribute in the doc to use as login name for the LoginString / Regex |
LdapAuthLoginBase string | "" | Search base for the login search with LoginAttribute |
LdapAuthLoginRegex string | "" | Regex applied to the login name before it is inserted into LoginString |
LdapAuthLoginString string | "" | Login string / DN template |
LdapAuthMode int | 1 | Login auth mechanics mode (1 to 4, see above; default 1) |
LdapAuthPassword string | "" | Password of the technical user |
LdapAuthPassword_Ctrl string | "" | Control or attribute to take the password from |
LdapAuthUser string | "" | Technical user name / DN for login searches or operations with a technical user |
LdapB64CodeAttributes string | "" | Byte attributes that are converted to a Base64 string (; delimited), e.g. objectGUID in Active Directory |
LdapB64CodeAttributes_Ctrl string | "" | Control attribute used to override LdapB64CodeAttributes at runtime |
LdapByteAttributes string | "" | Convert these attributes to Base64 on read and from Base64 before writing to the LDAP (; delimited) |
LdapByteAttributes_Ctrl string | "" | Control or attribute naming the doc attributes to convert to Base64 on read / from Base64 before write |
LdapConvertUTF16LE string | "" | Convert these attributes to UTF-16LE before writing them (; delimited) |
LdapConvertUTF16LE_Ctrl string | "" | Control or attribute naming the attributes to convert to UTF-16LE before writing them |
LdapDN string | "DN" | DN attribute (default "DN") |
LdapDN_Ctrl string | "" | Control or attribute in the doc naming the DN attribute |
LdapDropEmptyValues string | "" | Drop empty values of these attributes |
LdapDropEmptyValues_Ctrl string | "" | Control or attribute naming the attributes whose empty values are dropped |
LdapOperation string | "" | Operation to perform (Update, Remove, Replace, Get, Search) |
LdapOperation_Ctrl string | "Operation" | Control or attribute to take the operation from |
LdapPort int | "" | LDAP port to be used (default 389) |
LdapSearchAttrs string | "" | Search with these attributes in the LDAP |
LdapSearchAttrs_Ctrl string | "" | Control or name of the doc value to use as search attributes |
LdapSearchBase string | "" | Search base for Search operations |
LdapSearchBase_Ctrl string | "" | Control or attribute to take the search base from |
LdapSearchFetchAttrs string | "" | Fetch these attributes from the LDAP |
LdapSearchFetchAttrs_Ctrl string | "" | Control or name of the doc value to use as fetch attributes |
LdapSearchFilter string | "" | Search with this filter in the LDAP |
LdapSearchFilter_Ctrl string | "" | Control or name of the doc value to use as search filter |
LdapSearchMaxSize string | 0 | Maximum number of objects to retrieve by a search |
LdapSearchPagecookie string | "cookie" | Name of the cookie for paged searches |
LdapSearchPaging string | false | Use paging for LDAP searches; the page size is LdapSearchMaxSize |
LdapSearchSSS string | "" | Server-side sorting control |
LdapSearchSSS_Ctrl string | "" | Control or attribute from the doc naming the server-side sorting control |
LdapSearchWildcard string | "" | Search with wildcard. Valid values: true / false / prefix / suffix |
LdapSearchWildcard_Ctrl string | "" | Control or doc attribute to take the wildcard mode from. Valid values: true / false / prefix / suffix |
LdapGetFetchAttrs string | "" | Fetch these attributes from the LDAP with the Get operation |
LdapGetFetchAttrs_Ctrl string | "" | Control or name of the doc value to use as GetFetchAttrs |
LdapGetFilter string | "" | Use this filter in the LDAP for Get operations |
LdapGetFilter_Ctrl string | "" | Control or name of the doc value to use as filter for Get operations |
LdapServer string | "127.0.0.1" | LDAP server name or IP |
LdapTLS | "" | Use TLS for LDAP connections |
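The LdapConvertUTF16LE and LdapByteAttributes / LdapB64CodeAttributes settings exist for the Active Directory password case: AD accepts a new password only through the `unicodePwd` attribute, as the password enclosed in double quotes and encoded UTF-16LE without a byte-order mark, and only over an encrypted connection (so LDAPTLS must be true). The page says the service converts the listed attributes to UTF-16LE but not whether it adds the quotes, so the safest way to verify a setup is to produce the exact bytes on the client side and send them Base64-encoded as a byte attribute. The following is an added example, not the goingrid service's own code; the function names and the assumption that the target is configured with `LDAPATTRIBUTES: unicodePwd` and `LDAPBYTEATTRIBUTES: unicodePwd` are the example's own.

```python
import base64

# Added example (not the goingrid service's own code). Produces the unicodePwd
# value Active Directory expects and the document that carries it through the
# ldap service as a Base64 byte attribute. Assumptions are marked as such.


def encode_ad_password(password: str) -> bytes:
    """unicodePwd value as AD expects it: the password wrapped in double quotes,
    encoded UTF-16LE (the 'utf-16-le' codec emits no byte-order mark)."""
    if not password:
        raise ValueError("empty password")
    return f'"{password}"'.encode("utf-16-le")


def ad_password_b64(password: str) -> str:
    """Base64 text form for the JSON document; a byte attribute listed in
    LdapByteAttributes is decoded from Base64 by the service before the write."""
    return base64.b64encode(encode_ad_password(password)).decode("ascii")


def decode_ad_password(b64: str) -> str:
    """Reverse of ad_password_b64, to check what a prepared document would send.
    Rejects values that are not a quoted UTF-16LE string, which AD would refuse."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) % 2:
        raise ValueError("odd byte count, not UTF-16LE")
    text = raw.decode("utf-16-le")
    if len(text) < 3 or text[0] != '"' or text[-1] != '"':
        raise ValueError("value is not a quoted unicodePwd")
    return text[1:-1]


def password_reset_doc(dn: str, password: str) -> dict:
    """Document for a Replace of unicodePwd, in the shape of the requests above.
    Assumption: the service runs with LDAPATTRIBUTES: unicodePwd and
    LDAPBYTEATTRIBUTES: unicodePwd, and LDAPTLS: true, since AD rejects
    unicodePwd changes on an unencrypted connection."""
    return {"ldap_op": ["Replace"], "DN": [dn], "unicodePwd": [ad_password_b64(password)]}
```

For the one-character password `x` the bytes are `22 00 78 00 22 00`, which is `IgB4ACIA` in Base64; the decode function recovers `x` from it and rejects a value that lacks the surrounding quotes.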