Golang与LDAP通信

时间:2016-01-15 15:48:12

标签: go ldap

我正在尝试使用golang将用户连接并验证为ldap。

我正在使用go-ldap-client以及以下示例代码:

package main

import (
    "log"
    "github.com/jtblin/go-ldap-client"
)

func main() {
    client := &ldap.LDAPClient{
        Base:         "dc=example,dc=com",
        Host:         "ldap.example.com",
        Port:         389,
        UseSSL:       false,
        BindDN:       "uid=readonlysuer,ou=People,dc=example,dc=com",
        BindPassword: "readonlypassword",
        UserFilter:   "(uid=%s)",
        GroupFilter: "(memberUid=%s)",
        Attributes:   []string{"givenName", "sn", "mail", "uid"},
    }
    # It is the responsibility of the caller to close the connection
    defer client.Close()

    ok, user, err := client.Authenticate("username", "password")
    if err != nil {
        log.Fatalf("Error authenticating user %s: %+v", "username", err)
    }
    if !ok {
        log.Fatalf("Authenticating failed for user %s", "username")
    }
    log.Printf("User: %+v", user)

    groups, err := client.GetGroupsOfUser("username")
    if err != nil {
        log.Fatalf("Error getting groups for user %s: %+v", "username", err)
    }
    log.Printf("Groups: %+v", groups) 
}

安装了对gopkg.in/ldap.v2的依赖性。

问题是我收到以下错误

2016/01/15 17:34:55 Error authenticating user username: LDAP Result Code 2 "Protocol Error": ldap: cannot StartTLS (unsupported extended operation)
exit status 1

有关此错误的任何提示?

4 个答案:

答案 0 :(得分:11)

好的,让我们尝试使用github.com/go-ldap/ldap进行身份验证。首先,您需要创建一个*ldap.Conn。如果您的LDAP服务器支持,我建议使用TLS:

// TLS, for testing purposes disable certificate verification, check https://golang.org/pkg/crypto/tls/#Config for further information.
tlsConfig := &tls.Config{InsecureSkipVerify: true}
l, err := ldap.DialTLS("tcp", "ldap.example.com:636", tlsConfig)

// No TLS, not recommended
l, err := ldap.Dial("tcp", "ldap.example.com:389")

现在您应该与LDAP服务器建立活动连接。使用此连接,您必须执行绑定:

err := l.Bind("user@test.com", "password")
if err != nil {
    // error in ldap bind
    log.Println(err)
}
// successful bind

答案 1 :(得分:0)

使用go-guardian LDAP strategy

的另一种可能的解决方案

基于Online LDAP Test Server

的工作示例
package main

import (
    "fmt"
    "github.com/shaj13/go-guardian/auth/strategies/ldap"
    "net/http"
)

func main() {
    cfg := ldap.Config{
        BaseDN:       "dc=example,dc=com",
        BindDN:       "cn=read-only-admin,dc=example,dc=com",
        Port:         "389",
        Host:         "ldap.forumsys.com",
        BindPassword: "password",
        Filter:       "(uid=%s)",
    }

    r, _ := http.NewRequest("GET", "/", nil)
    r.SetBasicAuth("tesla", "password")

    user, err := ldap.New(&cfg).Authenticate(r.Context(), r)
    fmt.Println(user, err)
}

答案 2 :(得分:0)

问题在于,默认情况下,上述LDAP客户端中未设置“ SkipTLS”标志。您需要将参数显式设置为false:

client := &ldap.LDAPClient{
        Base:         "dc=example,dc=com",
        Host:         "ldap.example.com",
        Port:         389,
        UseSSL:       false,
        BindDN:       "uid=readonlysuer,ou=People,dc=example,dc=com",
        BindPassword: "readonlypassword",
        UserFilter:   "(uid=%s)",
        GroupFilter:  "(memberUid=%s)",
        SkipTLS:      true,
        Attributes:   []string{"givenName", "sn", "mail", "uid"},
    }

我将SkipTLS设置为true,并且可以正常工作。 希望这会有所帮助!

答案 3 :(得分:-1)

在一行中我们可以说..

conn,err:= ldap.DialTLS(“tcp”,ldapServer,& tls.Config {InsecureSkipVerify:true})