ldap - compare DNs using DN.Equal (#60)

* ldap - compare DNs using DN.Equal * ldap/isAdmin- restructure & remove code duplication Co-authored-by: Markus Koetter <koetter@cispa.de>
2025-11-03 23:56:18 +00:00 · 2021-10-14 08:57:03 +02:00
parent 04bc0b7a81
commit d7b52eba1c
3 changed files with 29 additions and 16 deletions
--- a/internal/ldap/config.go
+++ b/internal/ldap/config.go
@@ -1,5 +1,10 @@
 package ldap

+import (
+	gldap "github.com/go-ldap/ldap/v3"
+)
+
+
 type Type string

 const (
@@ -24,4 +29,5 @@ type Config struct {
 	LoginFilter    string `yaml:"loginFilter" envconfig:"LDAP_LOGIN_FILTER"` // {{login_identifier}} gets replaced with the login email address
 	SyncFilter     string `yaml:"syncFilter" envconfig:"LDAP_SYNC_FILTER"`
 	AdminLdapGroup string `yaml:"adminGroup" envconfig:"LDAP_ADMIN_GROUP"` // Members of this group receive admin rights in WG-Portal
+	AdminLdapGroup_ *gldap.DN `yaml:"-"`
 }
--- a/internal/server/configuration.go
+++ b/internal/server/configuration.go
@@ -12,6 +12,8 @@ import (
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"gopkg.in/yaml.v3"
+
+	gldap "github.com/go-ldap/ldap/v3"
 )

 var ErrInvalidSpecification = errors.New("specification must be a struct pointer")
@@ -130,6 +132,10 @@ func NewConfig() *Config {
 	if err != nil {
 		logrus.Warnf("unable to load environment config: %v", err)
 	}
+	cfg.LDAP.AdminLdapGroup_, err = gldap.ParseDN(cfg.LDAP.AdminLdapGroup)
+	if err != nil {
+		logrus.Warnf("Parsing AdminLDAPGroup failed: %v", err)
+	}

 	if cfg.WG.ManageIPAddresses && runtime.GOOS != "linux" {
 		logrus.Warnf("managing IP addresses only works on linux, feature disabled...")
--- a/internal/server/ldapsync.go
+++ b/internal/server/ldapsync.go
@@ -8,6 +8,8 @@ import (
 	"github.com/h44z/wg-portal/internal/users"
 	"github.com/sirupsen/logrus"
 	"gorm.io/gorm"
+
+	gldap "github.com/go-ldap/ldap/v3"
 )

 func (s *Server) SyncLdapWithUserDatabase() {
@@ -42,6 +44,19 @@ func (s *Server) SyncLdapWithUserDatabase() {
 	logrus.Info("ldap user synchronization stopped")
 }

+func (s Server)userIsInAdminGroup(ldapData *ldap.RawLdapData) bool {
+	if s.config.LDAP.AdminLdapGroup_ == nil {
+			return false
+	}
+	for _, group := range ldapData.RawAttributes[s.config.LDAP.GroupMemberAttribute] {
+		var dn,_ = gldap.ParseDN(string(group))
+		if s.config.LDAP.AdminLdapGroup_.Equal(dn) {
+            return true
+		}
+	}
+	return false
+}
+
 func (s Server) userChangedInLdap(user *users.User, ldapData *ldap.RawLdapData) bool {
 	if user.Firstname != ldapData.Attributes[s.config.LDAP.FirstNameAttribute] {
 		return true
@@ -63,14 +78,7 @@ func (s Server) userChangedInLdap(user *users.User, ldapData *ldap.RawLdapData)
 		return true
 	}

-	ldapAdmin := false
-	for _, group := range ldapData.RawAttributes[s.config.LDAP.GroupMemberAttribute] {
-		if string(group) == s.config.LDAP.AdminLdapGroup {
-			ldapAdmin = true
-			break
-		}
-	}
-	if user.IsAdmin != ldapAdmin {
+	if user.IsAdmin != s.userIsInAdminGroup(ldapData) {
 		return true
 	}

@@ -143,17 +151,10 @@ func (s *Server) updateLdapUsers(ldapUsers []ldap.RawLdapData) {
 			user.Lastname = ldapUsers[i].Attributes[s.config.LDAP.LastNameAttribute]
 			user.Email = ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute]
 			user.Phone = ldapUsers[i].Attributes[s.config.LDAP.PhoneAttribute]
-			user.IsAdmin = false
+			user.IsAdmin = s.userIsInAdminGroup(&ldapUsers[i])
 			user.Source = users.UserSourceLdap
 			user.DeletedAt = gorm.DeletedAt{} // Not deleted

-			for _, group := range ldapUsers[i].RawAttributes[s.config.LDAP.GroupMemberAttribute] {
-				if string(group) == s.config.LDAP.AdminLdapGroup {
-					user.IsAdmin = true
-					break
-				}
-			}
-
 			if err = s.users.UpdateUser(user); err != nil {
 				logrus.Errorf("failed to update ldap user %s in database: %v", user.Email, err)
 				continue