Skip to content

Commit 4ee2b75

Browse files
butonicbutonic
committed
reuse global ldap connection
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
1 parent 97a0085 commit 4ee2b75

3 files changed

Lines changed: 48 additions & 27 deletions

File tree

go.mod

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ require (
1010
github.com/deckarep/golang-set v1.8.0
1111
github.com/gabriel-vasile/mimetype v1.4.1
1212
github.com/ghodss/yaml v1.0.0
13-
github.com/go-ldap/ldap/v3 v3.4.2
13+
github.com/go-ldap/ldap/v3 v3.4.4
1414
github.com/gofrs/uuid v4.2.0+incompatible
1515
github.com/golang-jwt/jwt/v4 v4.4.3
1616
github.com/google/go-querystring v1.1.0
@@ -26,7 +26,7 @@ require (
2626
github.com/russellhaering/goxmldsig v1.1.1
2727
github.com/sirupsen/logrus v1.9.0
2828
github.com/spf13/cobra v1.5.0
29-
golang.org/x/crypto v0.0.0-20220321153916-2c7772ba3064
29+
golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d
3030
golang.org/x/net v0.8.0
3131
golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b
3232
golang.org/x/time v0.0.0-20220224211638-0e9765cccd65
@@ -37,11 +37,11 @@ require (
3737
)
3838

3939
require (
40-
github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c // indirect
40+
github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e // indirect
4141
github.com/beorn7/perks v1.0.1 // indirect
4242
github.com/cespare/xxhash/v2 v2.1.2 // indirect
4343
github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f // indirect
44-
github.com/go-asn1-ber/asn1-ber v1.5.3 // indirect
44+
github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
4545
github.com/golang/protobuf v1.5.2 // indirect
4646
github.com/inconshreveable/mousetrap v1.0.0 // indirect
4747
github.com/jonboulle/clockwork v0.2.2 // indirect

go.sum

Lines changed: 12 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -31,8 +31,8 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl
3131
cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
3232
cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
3333
dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
34-
github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c h1:/IBSNwUN8+eKzUzbJPqhK839ygXJ82sde8x3ogr6R28=
35-
github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
34+
github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e h1:NeAW1fUYUEWhft7pkxDf6WoUvEZJ/uOKsvtpjLnn8MU=
35+
github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
3636
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
3737
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
3838
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
@@ -79,18 +79,17 @@ github.com/gabriel-vasile/mimetype v1.4.1 h1:TRWk7se+TOjCYgRth7+1/OYLNiRNIotknkF
7979
github.com/gabriel-vasile/mimetype v1.4.1/go.mod h1:05Vi0w3Y9c/lNvJOdmIwvrrAhX3rYhfQQCaf9VJcv7M=
8080
github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
8181
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
82-
github.com/go-asn1-ber/asn1-ber v1.5.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
83-
github.com/go-asn1-ber/asn1-ber v1.5.3 h1:u7utq56RUFiynqUzgVMFDymapcOtQ/MZkh3H4QYkxag=
84-
github.com/go-asn1-ber/asn1-ber v1.5.3/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
82+
github.com/go-asn1-ber/asn1-ber v1.5.4 h1:vXT6d/FNDiELJnLb6hGNa309LMsrCoYFvpwHDF0+Y1A=
83+
github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
8584
github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
8685
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
8786
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
8887
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
8988
github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
9089
github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
9190
github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
92-
github.com/go-ldap/ldap/v3 v3.4.2 h1:zFZKcXKLqZpFMrMQGHeHWKXbDTdNCmhGY9AK41zPh+8=
93-
github.com/go-ldap/ldap/v3 v3.4.2/go.mod h1:iYS1MdmrmceOJ1QOTnRXrIs7i3kloqtmGQjRvjKpyMg=
91+
github.com/go-ldap/ldap/v3 v3.4.4 h1:qPjipEpt+qDa6SI/h1fzuGWoRUY+qqQ9sOZq67/PYUs=
92+
github.com/go-ldap/ldap/v3 v3.4.4/go.mod h1:fe1MsuN5eJJ1FeLT/LEBVdWfNWKh459R7aXgXtJC+aI=
9493
github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
9594
github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
9695
github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
@@ -282,8 +281,9 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
282281
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
283282
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
284283
github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
285-
github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
286284
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
285+
github.com/stretchr/testify v1.7.2 h1:4jaiDzPyXQvSd7D0EjG45355tLlV3VOECpq10pLC+8s=
286+
github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
287287
github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
288288
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
289289
github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -298,11 +298,10 @@ golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8U
298298
golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
299299
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
300300
golang.org/x/crypto v0.0.0-20191128160524-b544559bb6d1/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
301-
golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
302301
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
303302
golang.org/x/crypto v0.0.0-20220128200615-198e4374d7ed/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
304-
golang.org/x/crypto v0.0.0-20220321153916-2c7772ba3064 h1:S25/rfnfsMVgORT4/J61MJ7rdyseOZOyvLIrZEZ7s6s=
305-
golang.org/x/crypto v0.0.0-20220321153916-2c7772ba3064/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
303+
golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d h1:sK3txAijHtOK88l68nt020reeT1ZdKLIYetKl95FzVY=
304+
golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
306305
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
307306
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
308307
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -584,8 +583,9 @@ gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
584583
gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
585584
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
586585
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
587-
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
588586
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
587+
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
588+
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
589589
gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
590590
gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
591591
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

identifier/backends/ldap/ldap.go

Lines changed: 32 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,7 @@ import (
2626
"net/url"
2727
"strconv"
2828
"strings"
29+
"sync"
2930
"time"
3031

3132
"github.com/go-ldap/ldap/v3"
@@ -71,6 +72,9 @@ type LDAPIdentifierBackend struct {
7172

7273
timeout int
7374
limiter *rate.Limiter
75+
76+
connLock sync.Mutex
77+
conn *ldap.Conn
7478
}
7579

7680
type ldapAttributeMapping map[string]string
@@ -115,7 +119,7 @@ func newLdapUser(entryID string, mapping ldapAttributeMapping, entry *ldap.Entry
115119
for n, mapped := range mapping {
116120
// LDAP attribute descriptors / short names are case insensitive. See
117121
// https://tools.ietf.org/html/rfc4512#page-4.
118-
if strings.ToLower(attribute.Name) == strings.ToLower(mapped) {
122+
if strings.EqualFold(attribute.Name, mapped) {
119123
// Check if we need conversion.
120124
switch mapping[fmt.Sprintf("%s_type", n)] {
121125
case AttributeValueTypeBinary:
@@ -370,9 +374,8 @@ func (b *LDAPIdentifierBackend) Logon(ctx context.Context, audience, username, p
370374

371375
l, err := b.connect(ctx)
372376
if err != nil {
373-
return false, nil, nil, nil, fmt.Errorf("ldap identifier backend logon connect error: %v", err)
377+
return false, nil, nil, nil, fmt.Errorf("ldap identifier backend logon global connect error: %v", err)
374378
}
375-
defer l.Close()
376379

377380
// Search for the given username.
378381
entry, err := b.searchUsername(l, username, b.attributeMapping.attributes())
@@ -387,8 +390,15 @@ func (b *LDAPIdentifierBackend) Logon(ctx context.Context, audience, username, p
387390
return false, nil, nil, nil, fmt.Errorf("ldap identifier backend logon search returned wrong user")
388391
}
389392

390-
// Bind as the user to verify the password.
391-
err = l.Bind(entry.DN, password)
393+
// use a temporary connection for the user Bind to verify the password.
394+
ul, err := b.createConnection(ctx, entry.DN, password)
395+
if err != nil {
396+
return false, nil, nil, nil, fmt.Errorf("ldap identifier backend logon user connect error: %v", err)
397+
}
398+
// always close the temporary connection
399+
defer ul.Close()
400+
401+
err = ul.Bind(entry.DN, password)
392402
switch {
393403
case ldap.IsErrorWithCode(err, ldap.LDAPResultInvalidCredentials):
394404
return false, nil, nil, nil, nil
@@ -431,7 +441,6 @@ func (b *LDAPIdentifierBackend) ResolveUserByUsername(ctx context.Context, usern
431441
if err != nil {
432442
return nil, fmt.Errorf("ldap identifier backend resolve connect error: %v", err)
433443
}
434-
defer l.Close()
435444

436445
// Search for the given username.
437446
entry, err := b.searchUsername(l, username, b.attributeMapping.attributes())
@@ -464,7 +473,6 @@ func (b *LDAPIdentifierBackend) GetUser(ctx context.Context, entryID string, ses
464473
if err != nil {
465474
return nil, fmt.Errorf("ldap identifier backend get user connect error: %v", err)
466475
}
467-
defer l.Close()
468476

469477
entry, err := b.getUser(l, entryID, b.attributeMapping.attributes())
470478
if err != nil {
@@ -517,7 +525,7 @@ func (b *LDAPIdentifierBackend) Name() string {
517525
return ldapIdentifierBackendName
518526
}
519527

520-
func (b *LDAPIdentifierBackend) connect(parentCtx context.Context) (*ldap.Conn, error) {
528+
func (b *LDAPIdentifierBackend) createConnection(parentCtx context.Context, bindDN, bindPassword string) (*ldap.Conn, error) {
521529
// A timeout for waiting for a limiter slot. The timeout also includes the
522530
// time to connect to the LDAP server which as a consequence means that both
523531
// getting a free slot and establishing the connection are one timeout.
@@ -550,9 +558,8 @@ func (b *LDAPIdentifierBackend) connect(parentCtx context.Context) (*ldap.Conn,
550558

551559
l.Start()
552560

553-
// Bind with general user (which is preferably read only).
554-
if b.bindDN != "" {
555-
err = l.Bind(b.bindDN, b.bindPassword)
561+
if bindDN != "" {
562+
err = l.Bind(bindDN, bindPassword)
556563
if err != nil {
557564
return nil, err
558565
}
@@ -561,6 +568,20 @@ func (b *LDAPIdentifierBackend) connect(parentCtx context.Context) (*ldap.Conn,
561568
return l, nil
562569
}
563570

571+
// connect establishes a global connection that is used for all requests except the user Bind to check the password in the Logon call.
572+
func (b *LDAPIdentifierBackend) connect(parentCtx context.Context) (*ldap.Conn, error) {
573+
b.connLock.Lock()
574+
defer b.connLock.Unlock()
575+
576+
if b.conn != nil && !b.conn.IsClosing() {
577+
return b.conn, nil
578+
}
579+
var err error
580+
b.conn, err = b.createConnection(parentCtx, b.bindDN, b.bindPassword)
581+
582+
return b.conn, err
583+
}
584+
564585
func (b *LDAPIdentifierBackend) searchUsername(l *ldap.Conn, username string, attributes []string) (*ldap.Entry, error) {
565586
base, filter := b.baseAndSearchFilterFromUsername(username)
566587
// Search for the given username.

0 commit comments

Comments
 (0)