ldap - compare DNs using DN.Equal (#60)

* ldap - compare DNs using DN.Equal

* ldap/isAdmin - restructure & remove code duplication

Co-authored-by: Markus Koetter <koetter@cispa.de>
commonism 2021-10-14 08:57:03 +02:00 committed by GitHub
parent 04bc0b7a81
commit d7b52eba1c
3 changed files with 29 additions and 16 deletions


@ -1,5 +1,10 @@
package ldap package ldap
import (
gldap "github.com/go-ldap/ldap/v3"
)
type Type string type Type string
const ( const (
@ -24,4 +29,5 @@ type Config struct {
LoginFilter string `yaml:"loginFilter" envconfig:"LDAP_LOGIN_FILTER"` // {{login_identifier}} gets replaced with the login email address LoginFilter string `yaml:"loginFilter" envconfig:"LDAP_LOGIN_FILTER"` // {{login_identifier}} gets replaced with the login email address
SyncFilter string `yaml:"syncFilter" envconfig:"LDAP_SYNC_FILTER"` SyncFilter string `yaml:"syncFilter" envconfig:"LDAP_SYNC_FILTER"`
AdminLdapGroup string `yaml:"adminGroup" envconfig:"LDAP_ADMIN_GROUP"` // Members of this group receive admin rights in WG-Portal AdminLdapGroup string `yaml:"adminGroup" envconfig:"LDAP_ADMIN_GROUP"` // Members of this group receive admin rights in WG-Portal
AdminLdapGroup_ *gldap.DN `yaml:"-"`
} }
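Review bot: The new field `AdminLdapGroup_ *gldap.DN` on Config has no doc comment and a trailing underscore, which Go naming avoids; it is the parsed twin of `AdminLdapGroup` that the group check compares against, so a conventional name such as `AdminLdapGroupDN` with a comment like `// AdminLdapGroupDN holds AdminLdapGroup as parsed by gldap.ParseDN; nil when parsing failed (assuming ParseDN returns nil on error), in which case no LDAP user is mapped to admin.` would make its role clear. `yaml:"-"` keeps it out of the YAML file, but the struct is also filled from the environment, so confirm the env loader skips this pointer-to-struct field as well rather than allocating an empty DN into it. The Config struct starts outside the hunk.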


@ -12,6 +12,8 @@ import (
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
"gopkg.in/yaml.v3" "gopkg.in/yaml.v3"
gldap "github.com/go-ldap/ldap/v3"
) )
var ErrInvalidSpecification = errors.New("specification must be a struct pointer") var ErrInvalidSpecification = errors.New("specification must be a struct pointer")
@ -130,6 +132,10 @@ func NewConfig() *Config {
if err != nil { if err != nil {
logrus.Warnf("unable to load environment config: %v", err) logrus.Warnf("unable to load environment config: %v", err)
} }
cfg.LDAP.AdminLdapGroup_, err = gldap.ParseDN(cfg.LDAP.AdminLdapGroup)
if err != nil {
logrus.Warnf("Parsing AdminLDAPGroup failed: %v", err)
}
if cfg.WG.ManageIPAddresses && runtime.GOOS != "linux" { if cfg.WG.ManageIPAddresses && runtime.GOOS != "linux" {
logrus.Warnf("managing IP addresses only works on linux, feature disabled...") logrus.Warnf("managing IP addresses only works on linux, feature disabled...")
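Review bot: The parse at `cfg.LDAP.AdminLdapGroup_, err = gldap.ParseDN(cfg.LDAP.AdminLdapGroup)` runs even when `AdminLdapGroup` is empty (LDAP unused or no admin group wanted); if ParseDN accepts an empty string — I believe it yields an empty, non-nil DN rather than an error — the nil check on `AdminLdapGroup_` in the group lookup no longer disables admin mapping, and an empty DN would compare equal to any group value that also parses to an empty DN. Guard the parse with `if cfg.LDAP.AdminLdapGroup != "" { … }` so the pointer stays nil when no group is configured. On a parse error the field is left nil, which means every LDAP user silently loses admin rights while the rest of the config is accepted; the warning should say so, e.g. `logrus.Warnf("Parsing AdminLDAPGroup %q failed, LDAP admin mapping disabled: %v", cfg.LDAP.AdminLdapGroup, err)`. NewConfig continues outside the hunk.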


@ -8,6 +8,8 @@ import (
"github.com/h44z/wg-portal/internal/users" "github.com/h44z/wg-portal/internal/users"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
"gorm.io/gorm" "gorm.io/gorm"
gldap "github.com/go-ldap/ldap/v3"
) )
func (s *Server) SyncLdapWithUserDatabase() { func (s *Server) SyncLdapWithUserDatabase() {
@ -42,6 +44,19 @@ func (s *Server) SyncLdapWithUserDatabase() {
logrus.Info("ldap user synchronization stopped") logrus.Info("ldap user synchronization stopped")
} }
func (s Server)userIsInAdminGroup(ldapData *ldap.RawLdapData) bool {
if s.config.LDAP.AdminLdapGroup_ == nil {
return false
}
for _, group := range ldapData.RawAttributes[s.config.LDAP.GroupMemberAttribute] {
var dn,_ = gldap.ParseDN(string(group))
if s.config.LDAP.AdminLdapGroup_.Equal(dn) {
return true
}
}
return false
}
func (s Server) userChangedInLdap(user *users.User, ldapData *ldap.RawLdapData) bool { func (s Server) userChangedInLdap(user *users.User, ldapData *ldap.RawLdapData) bool {
if user.Firstname != ldapData.Attributes[s.config.LDAP.FirstNameAttribute] { if user.Firstname != ldapData.Attributes[s.config.LDAP.FirstNameAttribute] {
return true return true
@ -63,14 +78,7 @@ func (s Server) userChangedInLdap(user *users.User, ldapData *ldap.RawLdapData)
return true return true
} }
ldapAdmin := false if user.IsAdmin != s.userIsInAdminGroup(ldapData) {
for _, group := range ldapData.RawAttributes[s.config.LDAP.GroupMemberAttribute] {
if string(group) == s.config.LDAP.AdminLdapGroup {
ldapAdmin = true
break
}
}
if user.IsAdmin != ldapAdmin {
return true return true
} }
@ -143,17 +151,10 @@ func (s *Server) updateLdapUsers(ldapUsers []ldap.RawLdapData) {
user.Lastname = ldapUsers[i].Attributes[s.config.LDAP.LastNameAttribute] user.Lastname = ldapUsers[i].Attributes[s.config.LDAP.LastNameAttribute]
user.Email = ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute] user.Email = ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute]
user.Phone = ldapUsers[i].Attributes[s.config.LDAP.PhoneAttribute] user.Phone = ldapUsers[i].Attributes[s.config.LDAP.PhoneAttribute]
user.IsAdmin = false user.IsAdmin = s.userIsInAdminGroup(&ldapUsers[i])
user.Source = users.UserSourceLdap user.Source = users.UserSourceLdap
user.DeletedAt = gorm.DeletedAt{} // Not deleted user.DeletedAt = gorm.DeletedAt{} // Not deleted
for _, group := range ldapUsers[i].RawAttributes[s.config.LDAP.GroupMemberAttribute] {
if string(group) == s.config.LDAP.AdminLdapGroup {
user.IsAdmin = true
break
}
}
if err = s.users.UpdateUser(user); err != nil { if err = s.users.UpdateUser(user); err != nil {
logrus.Errorf("failed to update ldap user %s in database: %v", user.Email, err) logrus.Errorf("failed to update ldap user %s in database: %v", user.Email, err)
continue continue