You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
540 lines
17 KiB
540 lines
17 KiB
package ldap
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/md5"
|
|
enchex "encoding/hex"
|
|
"errors"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"math/rand"
|
|
"strings"
|
|
|
|
"github.com/Azure/go-ntlmssp"
|
|
ber "github.com/go-asn1-ber/asn1-ber"
|
|
)
|
|
|
|
// SimpleBindRequest represents a username/password bind operation
|
|
type SimpleBindRequest struct {
|
|
// Username is the name of the Directory object that the client wishes to bind as
|
|
Username string
|
|
// Password is the credentials to bind with
|
|
Password string
|
|
// Controls are optional controls to send with the bind request
|
|
Controls []Control
|
|
// AllowEmptyPassword sets whether the client allows binding with an empty password
|
|
// (normally used for unauthenticated bind).
|
|
AllowEmptyPassword bool
|
|
}
|
|
|
|
// SimpleBindResult contains the response from the server
|
|
type SimpleBindResult struct {
|
|
Controls []Control
|
|
}
|
|
|
|
// NewSimpleBindRequest returns a bind request
|
|
func NewSimpleBindRequest(username string, password string, controls []Control) *SimpleBindRequest {
|
|
return &SimpleBindRequest{
|
|
Username: username,
|
|
Password: password,
|
|
Controls: controls,
|
|
AllowEmptyPassword: false,
|
|
}
|
|
}
|
|
|
|
func (req *SimpleBindRequest) appendTo(envelope *ber.Packet) error {
|
|
pkt := ber.Encode(ber.ClassApplication, ber.TypeConstructed, ApplicationBindRequest, nil, "Bind Request")
|
|
pkt.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, 3, "Version"))
|
|
pkt.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, req.Username, "User Name"))
|
|
pkt.AppendChild(ber.NewString(ber.ClassContext, ber.TypePrimitive, 0, req.Password, "Password"))
|
|
|
|
envelope.AppendChild(pkt)
|
|
if len(req.Controls) > 0 {
|
|
envelope.AppendChild(encodeControls(req.Controls))
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// SimpleBind performs the simple bind operation defined in the given request
|
|
func (l *Conn) SimpleBind(simpleBindRequest *SimpleBindRequest) (*SimpleBindResult, error) {
|
|
if simpleBindRequest.Password == "" && !simpleBindRequest.AllowEmptyPassword {
|
|
return nil, NewError(ErrorEmptyPassword, errors.New("ldap: empty password not allowed by the client"))
|
|
}
|
|
|
|
msgCtx, err := l.doRequest(simpleBindRequest)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer l.finishMessage(msgCtx)
|
|
|
|
packet, err := l.readPacket(msgCtx)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
result := &SimpleBindResult{
|
|
Controls: make([]Control, 0),
|
|
}
|
|
|
|
if len(packet.Children) == 3 {
|
|
for _, child := range packet.Children[2].Children {
|
|
decodedChild, decodeErr := DecodeControl(child)
|
|
if decodeErr != nil {
|
|
return nil, fmt.Errorf("failed to decode child control: %s", decodeErr)
|
|
}
|
|
result.Controls = append(result.Controls, decodedChild)
|
|
}
|
|
}
|
|
|
|
err = GetLDAPError(packet)
|
|
return result, err
|
|
}
|
|
|
|
// Bind performs a bind with the given username and password.
|
|
//
|
|
// It does not allow unauthenticated bind (i.e. empty password). Use the UnauthenticatedBind method
|
|
// for that.
|
|
func (l *Conn) Bind(username, password string) error {
|
|
req := &SimpleBindRequest{
|
|
Username: username,
|
|
Password: password,
|
|
AllowEmptyPassword: false,
|
|
}
|
|
_, err := l.SimpleBind(req)
|
|
return err
|
|
}
|
|
|
|
// UnauthenticatedBind performs an unauthenticated bind.
|
|
//
|
|
// A username may be provided for trace (e.g. logging) purpose only, but it is normally not
|
|
// authenticated or otherwise validated by the LDAP server.
|
|
//
|
|
// See https://tools.ietf.org/html/rfc4513#section-5.1.2 .
|
|
// See https://tools.ietf.org/html/rfc4513#section-6.3.1 .
|
|
func (l *Conn) UnauthenticatedBind(username string) error {
|
|
req := &SimpleBindRequest{
|
|
Username: username,
|
|
Password: "",
|
|
AllowEmptyPassword: true,
|
|
}
|
|
_, err := l.SimpleBind(req)
|
|
return err
|
|
}
|
|
|
|
// DigestMD5BindRequest represents a digest-md5 bind operation
|
|
type DigestMD5BindRequest struct {
|
|
Host string
|
|
// Username is the name of the Directory object that the client wishes to bind as
|
|
Username string
|
|
// Password is the credentials to bind with
|
|
Password string
|
|
// Controls are optional controls to send with the bind request
|
|
Controls []Control
|
|
}
|
|
|
|
func (req *DigestMD5BindRequest) appendTo(envelope *ber.Packet) error {
|
|
request := ber.Encode(ber.ClassApplication, ber.TypeConstructed, ApplicationBindRequest, nil, "Bind Request")
|
|
request.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, 3, "Version"))
|
|
request.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, "", "User Name"))
|
|
|
|
auth := ber.Encode(ber.ClassContext, ber.TypeConstructed, 3, "", "authentication")
|
|
auth.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, "DIGEST-MD5", "SASL Mech"))
|
|
request.AppendChild(auth)
|
|
envelope.AppendChild(request)
|
|
if len(req.Controls) > 0 {
|
|
envelope.AppendChild(encodeControls(req.Controls))
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// DigestMD5BindResult contains the response from the server
|
|
type DigestMD5BindResult struct {
|
|
Controls []Control
|
|
}
|
|
|
|
// MD5Bind performs a digest-md5 bind with the given host, username and password.
|
|
func (l *Conn) MD5Bind(host, username, password string) error {
|
|
req := &DigestMD5BindRequest{
|
|
Host: host,
|
|
Username: username,
|
|
Password: password,
|
|
}
|
|
_, err := l.DigestMD5Bind(req)
|
|
return err
|
|
}
|
|
|
|
// DigestMD5Bind performs the digest-md5 bind operation defined in the given request
|
|
func (l *Conn) DigestMD5Bind(digestMD5BindRequest *DigestMD5BindRequest) (*DigestMD5BindResult, error) {
|
|
if digestMD5BindRequest.Password == "" {
|
|
return nil, NewError(ErrorEmptyPassword, errors.New("ldap: empty password not allowed by the client"))
|
|
}
|
|
|
|
msgCtx, err := l.doRequest(digestMD5BindRequest)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer l.finishMessage(msgCtx)
|
|
|
|
packet, err := l.readPacket(msgCtx)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
l.Debug.Printf("%d: got response %p", msgCtx.id, packet)
|
|
if l.Debug {
|
|
if err = addLDAPDescriptions(packet); err != nil {
|
|
return nil, err
|
|
}
|
|
ber.PrintPacket(packet)
|
|
}
|
|
|
|
result := &DigestMD5BindResult{
|
|
Controls: make([]Control, 0),
|
|
}
|
|
var params map[string]string
|
|
if len(packet.Children) == 2 {
|
|
if len(packet.Children[1].Children) == 4 {
|
|
child := packet.Children[1].Children[0]
|
|
if child.Tag != ber.TagEnumerated {
|
|
return result, GetLDAPError(packet)
|
|
}
|
|
if child.Value.(int64) != 14 {
|
|
return result, GetLDAPError(packet)
|
|
}
|
|
child = packet.Children[1].Children[3]
|
|
if child.Tag != ber.TagObjectDescriptor {
|
|
return result, GetLDAPError(packet)
|
|
}
|
|
if child.Data == nil {
|
|
return result, GetLDAPError(packet)
|
|
}
|
|
data, _ := ioutil.ReadAll(child.Data)
|
|
params, err = parseParams(string(data))
|
|
if err != nil {
|
|
return result, fmt.Errorf("parsing digest-challenge: %s", err)
|
|
}
|
|
}
|
|
}
|
|
|
|
if params != nil {
|
|
resp := computeResponse(
|
|
params,
|
|
"ldap/"+strings.ToLower(digestMD5BindRequest.Host),
|
|
digestMD5BindRequest.Username,
|
|
digestMD5BindRequest.Password,
|
|
)
|
|
packet = ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "LDAP Request")
|
|
packet.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, l.nextMessageID(), "MessageID"))
|
|
|
|
request := ber.Encode(ber.ClassApplication, ber.TypeConstructed, ApplicationBindRequest, nil, "Bind Request")
|
|
request.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, 3, "Version"))
|
|
request.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, "", "User Name"))
|
|
|
|
auth := ber.Encode(ber.ClassContext, ber.TypeConstructed, 3, "", "authentication")
|
|
auth.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, "DIGEST-MD5", "SASL Mech"))
|
|
auth.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, resp, "Credentials"))
|
|
request.AppendChild(auth)
|
|
packet.AppendChild(request)
|
|
msgCtx, err = l.sendMessage(packet)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("send message: %s", err)
|
|
}
|
|
defer l.finishMessage(msgCtx)
|
|
packetResponse, ok := <-msgCtx.responses
|
|
if !ok {
|
|
return nil, NewError(ErrorNetwork, errors.New("ldap: response channel closed"))
|
|
}
|
|
packet, err = packetResponse.ReadPacket()
|
|
l.Debug.Printf("%d: got response %p", msgCtx.id, packet)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("read packet: %s", err)
|
|
}
|
|
}
|
|
|
|
err = GetLDAPError(packet)
|
|
return result, err
|
|
}
|
|
|
|
func parseParams(str string) (map[string]string, error) {
|
|
m := make(map[string]string)
|
|
var key, value string
|
|
var state int
|
|
for i := 0; i <= len(str); i++ {
|
|
switch state {
|
|
case 0: //reading key
|
|
if i == len(str) {
|
|
return nil, fmt.Errorf("syntax error on %d", i)
|
|
}
|
|
if str[i] != '=' {
|
|
key += string(str[i])
|
|
continue
|
|
}
|
|
state = 1
|
|
case 1: //reading value
|
|
if i == len(str) {
|
|
m[key] = value
|
|
break
|
|
}
|
|
switch str[i] {
|
|
case ',':
|
|
m[key] = value
|
|
state = 0
|
|
key = ""
|
|
value = ""
|
|
case '"':
|
|
if value != "" {
|
|
return nil, fmt.Errorf("syntax error on %d", i)
|
|
}
|
|
state = 2
|
|
default:
|
|
value += string(str[i])
|
|
}
|
|
case 2: //inside quotes
|
|
if i == len(str) {
|
|
return nil, fmt.Errorf("syntax error on %d", i)
|
|
}
|
|
if str[i] != '"' {
|
|
value += string(str[i])
|
|
} else {
|
|
state = 1
|
|
}
|
|
}
|
|
}
|
|
return m, nil
|
|
}
|
|
|
|
func computeResponse(params map[string]string, uri, username, password string) string {
|
|
nc := "00000001"
|
|
qop := "auth"
|
|
cnonce := enchex.EncodeToString(randomBytes(16))
|
|
x := username + ":" + params["realm"] + ":" + password
|
|
y := md5Hash([]byte(x))
|
|
|
|
a1 := bytes.NewBuffer(y)
|
|
a1.WriteString(":" + params["nonce"] + ":" + cnonce)
|
|
if len(params["authzid"]) > 0 {
|
|
a1.WriteString(":" + params["authzid"])
|
|
}
|
|
a2 := bytes.NewBuffer([]byte("AUTHENTICATE"))
|
|
a2.WriteString(":" + uri)
|
|
ha1 := enchex.EncodeToString(md5Hash(a1.Bytes()))
|
|
ha2 := enchex.EncodeToString(md5Hash(a2.Bytes()))
|
|
|
|
kd := ha1
|
|
kd += ":" + params["nonce"]
|
|
kd += ":" + nc
|
|
kd += ":" + cnonce
|
|
kd += ":" + qop
|
|
kd += ":" + ha2
|
|
resp := enchex.EncodeToString(md5Hash([]byte(kd)))
|
|
return fmt.Sprintf(
|
|
`username="%s",realm="%s",nonce="%s",cnonce="%s",nc=00000001,qop=%s,digest-uri="%s",response=%s`,
|
|
username,
|
|
params["realm"],
|
|
params["nonce"],
|
|
cnonce,
|
|
qop,
|
|
uri,
|
|
resp,
|
|
)
|
|
}
|
|
|
|
func md5Hash(b []byte) []byte {
|
|
hasher := md5.New()
|
|
hasher.Write(b)
|
|
return hasher.Sum(nil)
|
|
}
|
|
|
|
func randomBytes(len int) []byte {
|
|
b := make([]byte, len)
|
|
for i := 0; i < len; i++ {
|
|
b[i] = byte(rand.Intn(256))
|
|
}
|
|
return b
|
|
}
|
|
|
|
var externalBindRequest = requestFunc(func(envelope *ber.Packet) error {
|
|
pkt := ber.Encode(ber.ClassApplication, ber.TypeConstructed, ApplicationBindRequest, nil, "Bind Request")
|
|
pkt.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, 3, "Version"))
|
|
pkt.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, "", "User Name"))
|
|
|
|
saslAuth := ber.Encode(ber.ClassContext, ber.TypeConstructed, 3, "", "authentication")
|
|
saslAuth.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, "EXTERNAL", "SASL Mech"))
|
|
saslAuth.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, "", "SASL Cred"))
|
|
|
|
pkt.AppendChild(saslAuth)
|
|
|
|
envelope.AppendChild(pkt)
|
|
|
|
return nil
|
|
})
|
|
|
|
// ExternalBind performs SASL/EXTERNAL authentication.
|
|
//
|
|
// Use ldap.DialURL("ldapi://") to connect to the Unix socket before ExternalBind.
|
|
//
|
|
// See https://tools.ietf.org/html/rfc4422#appendix-A
|
|
func (l *Conn) ExternalBind() error {
|
|
msgCtx, err := l.doRequest(externalBindRequest)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer l.finishMessage(msgCtx)
|
|
|
|
packet, err := l.readPacket(msgCtx)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return GetLDAPError(packet)
|
|
}
|
|
|
|
// NTLMBind performs an NTLMSSP bind leveraging https://github.com/Azure/go-ntlmssp
|
|
|
|
// NTLMBindRequest represents an NTLMSSP bind operation
|
|
type NTLMBindRequest struct {
|
|
// Domain is the AD Domain to authenticate too. If not specified, it will be grabbed from the NTLMSSP Challenge
|
|
Domain string
|
|
// Username is the name of the Directory object that the client wishes to bind as
|
|
Username string
|
|
// Password is the credentials to bind with
|
|
Password string
|
|
// Hash is the hex NTLM hash to bind with. Password or hash must be provided
|
|
Hash string
|
|
// Controls are optional controls to send with the bind request
|
|
Controls []Control
|
|
}
|
|
|
|
func (req *NTLMBindRequest) appendTo(envelope *ber.Packet) error {
|
|
request := ber.Encode(ber.ClassApplication, ber.TypeConstructed, ApplicationBindRequest, nil, "Bind Request")
|
|
request.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, 3, "Version"))
|
|
request.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, "", "User Name"))
|
|
|
|
// generate an NTLMSSP Negotiation message for the specified domain (it can be blank)
|
|
negMessage, err := ntlmssp.NewNegotiateMessage(req.Domain, "")
|
|
if err != nil {
|
|
return fmt.Errorf("err creating negmessage: %s", err)
|
|
}
|
|
|
|
// append the generated NTLMSSP message as a TagEnumerated BER value
|
|
auth := ber.Encode(ber.ClassContext, ber.TypePrimitive, ber.TagEnumerated, negMessage, "authentication")
|
|
request.AppendChild(auth)
|
|
envelope.AppendChild(request)
|
|
if len(req.Controls) > 0 {
|
|
envelope.AppendChild(encodeControls(req.Controls))
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// NTLMBindResult contains the response from the server
|
|
type NTLMBindResult struct {
|
|
Controls []Control
|
|
}
|
|
|
|
// NTLMBind performs an NTLMSSP Bind with the given domain, username and password
|
|
func (l *Conn) NTLMBind(domain, username, password string) error {
|
|
req := &NTLMBindRequest{
|
|
Domain: domain,
|
|
Username: username,
|
|
Password: password,
|
|
}
|
|
_, err := l.NTLMChallengeBind(req)
|
|
return err
|
|
}
|
|
|
|
// NTLMBindWithHash performs an NTLM Bind with an NTLM hash instead of plaintext password (pass-the-hash)
|
|
func (l *Conn) NTLMBindWithHash(domain, username, hash string) error {
|
|
req := &NTLMBindRequest{
|
|
Domain: domain,
|
|
Username: username,
|
|
Hash: hash,
|
|
}
|
|
_, err := l.NTLMChallengeBind(req)
|
|
return err
|
|
}
|
|
|
|
// NTLMChallengeBind performs the NTLMSSP bind operation defined in the given request
|
|
func (l *Conn) NTLMChallengeBind(ntlmBindRequest *NTLMBindRequest) (*NTLMBindResult, error) {
|
|
if ntlmBindRequest.Password == "" && ntlmBindRequest.Hash == "" {
|
|
return nil, NewError(ErrorEmptyPassword, errors.New("ldap: empty password not allowed by the client"))
|
|
}
|
|
|
|
msgCtx, err := l.doRequest(ntlmBindRequest)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer l.finishMessage(msgCtx)
|
|
packet, err := l.readPacket(msgCtx)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
l.Debug.Printf("%d: got response %p", msgCtx.id, packet)
|
|
if l.Debug {
|
|
if err = addLDAPDescriptions(packet); err != nil {
|
|
return nil, err
|
|
}
|
|
ber.PrintPacket(packet)
|
|
}
|
|
result := &NTLMBindResult{
|
|
Controls: make([]Control, 0),
|
|
}
|
|
var ntlmsspChallenge []byte
|
|
|
|
// now find the NTLM Response Message
|
|
if len(packet.Children) == 2 {
|
|
if len(packet.Children[1].Children) == 3 {
|
|
child := packet.Children[1].Children[1]
|
|
ntlmsspChallenge = child.ByteValue
|
|
// Check to make sure we got the right message. It will always start with NTLMSSP
|
|
if len(ntlmsspChallenge) < 7 || !bytes.Equal(ntlmsspChallenge[:7], []byte("NTLMSSP")) {
|
|
return result, GetLDAPError(packet)
|
|
}
|
|
l.Debug.Printf("%d: found ntlmssp challenge", msgCtx.id)
|
|
}
|
|
}
|
|
if ntlmsspChallenge != nil {
|
|
var err error
|
|
var responseMessage []byte
|
|
// generate a response message to the challenge with the given Username/Password if password is provided
|
|
if ntlmBindRequest.Password != "" {
|
|
responseMessage, err = ntlmssp.ProcessChallenge(ntlmsspChallenge, ntlmBindRequest.Username, ntlmBindRequest.Password)
|
|
} else if ntlmBindRequest.Hash != "" {
|
|
responseMessage, err = ntlmssp.ProcessChallengeWithHash(ntlmsspChallenge, ntlmBindRequest.Username, ntlmBindRequest.Hash)
|
|
} else {
|
|
err = fmt.Errorf("need a password or hash to generate reply")
|
|
}
|
|
if err != nil {
|
|
return result, fmt.Errorf("parsing ntlm-challenge: %s", err)
|
|
}
|
|
packet = ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "LDAP Request")
|
|
packet.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, l.nextMessageID(), "MessageID"))
|
|
|
|
request := ber.Encode(ber.ClassApplication, ber.TypeConstructed, ApplicationBindRequest, nil, "Bind Request")
|
|
request.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, 3, "Version"))
|
|
request.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, "", "User Name"))
|
|
|
|
// append the challenge response message as a TagEmbeddedPDV BER value
|
|
auth := ber.Encode(ber.ClassContext, ber.TypePrimitive, ber.TagEmbeddedPDV, responseMessage, "authentication")
|
|
|
|
request.AppendChild(auth)
|
|
packet.AppendChild(request)
|
|
msgCtx, err = l.sendMessage(packet)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("send message: %s", err)
|
|
}
|
|
defer l.finishMessage(msgCtx)
|
|
packetResponse, ok := <-msgCtx.responses
|
|
if !ok {
|
|
return nil, NewError(ErrorNetwork, errors.New("ldap: response channel closed"))
|
|
}
|
|
packet, err = packetResponse.ReadPacket()
|
|
l.Debug.Printf("%d: got response %p", msgCtx.id, packet)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("read packet: %s", err)
|
|
}
|
|
|
|
}
|
|
|
|
err = GetLDAPError(packet)
|
|
return result, err
|
|
}
|
|
|