CODEWITHSUNDEEP
goactive-directoryldap
tobeydw
tobeydw

Reputation: 107

How to bind to LDAP server with TLS using golang?

I have the following code that works perfectly when binding to an LDAP server without TLS/SSL but when I try to bind to a LDAP server that has TLS setup, it doesn't bind.



/*In order to use this program, the user needs to get the package by running the following command:
go get gopkg.in/ldap.v2*/
package main

import (
  "fmt"
  "strings"
  "gopkg.in/ldap.v2"
  "os"
)
//Gives constants to be used for binding to and searching the LDAP server.
const (
  ldapServer = "ldaps://test.com:636"
  ldapBind = "CN=ad_binder,CN=Users,DC=dev,DC=test,DC=com"
  ldapPassword = "Password"

  filterDN = "(objectclass=*)"
  baseDN = "dc=dev,dc=test,dc=com"

  loginUsername = "ad_binder"
  loginPassword = "Password"
)

//Main function, which is executed.
func main() {
  conn, err := connect()

  //If there is an error connecting to server, prints this
  if err != nil {
    fmt.Printf("Failed to connect. %s", err)
    return
  }
  //Close the connection at a later time.
  defer conn.Close()
  //Declares err to be list(conn), and checks if any errors. It prints the error(s) if there are any.
  if err := list(conn); err != nil {
    fmt.Printf("%v", err)
    return
  }

  
  //Declares err to be auth(conn), and checks if any errors. It prints the error(s) if there are any.
  if err := auth(conn); err != nil {
    fmt.Printf("%v", err)
    return
  }
}

//This function is used to connect to the LDAP server.
func connect() (*ldap.Conn, error) {
  conn, err := ldap.Dial("tcp", ldapServer)

  if err != nil {
    return nil, fmt.Errorf("Failed to connect. %s", err)
  }

  if err := conn.Bind(ldapBind, ldapPassword); err != nil {
    return nil, fmt.Errorf("Failed to bind. %s", err)
  }

  return conn, nil
}

//This function is used to search the LDAP server as well as output the attributes of the entries.
func list(conn *ldap.Conn) error {
  //This gets the command line argument and saves it in the form "(argument=*)"
  arg := ""
  filter := ""
  if len(os.Args) > 1{
    arg = os.Args[1]
    fmt.Println(arg)

    filter = "(" + arg + "=*)"
  } else{
    fmt.Println("You need to input an argument for an attribute to search. I.E. : \"go run anonymous_query.go cn\"")
  }

  result, err := conn.Search(ldap.NewSearchRequest(
    baseDN,
    ldap.ScopeWholeSubtree,
    ldap.NeverDerefAliases,
    0,
    0,
    false,
    fmt.Sprintf(filter),

    //To add anymore strings to the search, you need to add it here.
    []string{},
    nil,
  ))

  if err != nil {
    return fmt.Errorf("Failed to search users. %s", err)
  }

  //Prints all the attributes per entry
  for _, entry := range result.Entries {
    entry.Print()
    fmt.Println()
  }

  return nil
}

//This function authorizes the user and binds to the LDAP server.
func auth(conn *ldap.Conn) error {
  result, err := conn.Search(ldap.NewSearchRequest(
    baseDN,
    ldap.ScopeWholeSubtree,
    ldap.NeverDerefAliases,
    0,
    0,
    false,
    filter(loginUsername),
    []string{"dn"},
    nil,
  ))

  if err != nil {
    return fmt.Errorf("Failed to find user. %s", err)
  }

  if len(result.Entries) < 1 {
    return fmt.Errorf("User does not exist")
  }

  if len(result.Entries) > 1 {
    return fmt.Errorf("")
  }

  if err := conn.Bind(result.Entries[0].DN, loginPassword); err != nil {
    fmt.Printf("Failed to auth. %s", err)
  } else {
    fmt.Printf("Authenticated successfuly!")
  }

  return nil
}

func filter(needle string) string {
  res := strings.Replace(
    filterDN,
    "{username}",
    needle,
    -1,
  )

  return res
}

Here is the error I get when I try to run it:

Failed to connect. Failed to connect. LDAP Result Code 200 "Network Error": dial tcp: address ldaps://test.com:636: too many colons in address

Which is weird since it works with a different LDAP server just fine but with the following:

ldapServer = "10.1.30.47:389"

instead of

ldapServer = "ldaps://test.com:636"

So any help would be greatly appreciated, thanks!

Upvotes: 0

Views: 2161

Answers (1)

colm.anseo
colm.anseo

Reputation: 22097

gopkg.in/ldap.v2 does not support URI addressing (i.e. you cannot put the scheme ldap:// or ldaps:// before the network address).

Note: gopkg.in/ldap.v3 does support URI dialing (ldaps://test.com) via DialURL.

If you are using gopkg.in/ldap.v2, you can still establish a direct TLS connection, but you must use the function DialTLS, and use a network address (not a URI):

// addr    = "10.1.30.47:389"
// tlsAddr = "10.1.30.47:636"

// conn, err = ldap.Dial("tcp", addr)           // non-TLS

// serverName = "test.com"   TLS cert name will be verified
// serverName = ""           TLS verify will be disabled (DON'T DO THIS IN PRODUCTION)
tlsConf, err := getTLSconfig(serverName)

if err != nil { /* */ }

conn, err = ldap.DialTLS("tcp", tlsAddr, tlsConf)

the above needs a *tls.Config, so use a helper function like:

func getTLSconfig(tlsName string) (tlsC *tls.Config, err error) {
    if tlsName != "" {
        tlsC = &tls.Config{
            ServerName: tlsName,
        }
        return
    }

    log.Println("No TLS verification enabled! ***STRONGLY*** recommend adding a trust file to the config.")
    tlsC = &tls.Config{
        InsecureSkipVerify: true,
    }
    return
}

Upvotes: 1

Related Questions