shaj13 / go-guardian

Go-Guardian is a golang library that provides a simple, clean, and idiomatic way to create powerful modern API and web authentication.
MIT License

ldap over TLS : Result Code 200 "Network Error": ldap: already encrypted #97

Closed fl0riandre closed 3 years ago

fl0riandre commented 3 years ago

What version of Go are you using (go version)?

$ go version : go1.15.8

Does this issue reproduce with the latest release?

YES

What version of Go-Guardian are you using?

Go-Guardian Version: v2.9.0

What did you do?

Here is the content of our setupGoGuardian:

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
	"time"

	"github.com/shaj13/go-guardian/v2/auth"
	"github.com/shaj13/go-guardian/v2/auth/strategies/ldap"
	"github.com/shaj13/libcache"
	_ "github.com/shaj13/libcache/fifo" // registers libcache.FIFO
)

// package-level state shared by setupGoGuardian and middleware
var (
	cacheObj libcache.Cache
	strategy auth.Strategy
)

func setupGoGuardian() {
	// start from the system trust store and add the AD certificates on top
	rootCA, err := x509.SystemCertPool()
	if err != nil {
		log.Printf("Failed to load system cert:%v", err)
		// return nil, err
	}
	if rootCA == nil {
		log.Printf("root ca is nil")
		rootCA = x509.NewCertPool()
	}

	certs, _ := ioutil.ReadDir("ad_certs")
	for _, cert := range certs {
		if !cert.IsDir() {
			ldapCert, err := ioutil.ReadFile(fmt.Sprintf("ad_certs/%s", cert.Name()))
			if err != nil {
				log.Printf("Failed to read ad cert:%v", err)
				continue
			}
			ok := rootCA.AppendCertsFromPEM(ldapCert)
			if !ok {
				log.Printf("AD cert of %s is not added.", cert.Name())
				continue
			}
		}
	}

	// LDAPS on port 636: the TLS config carries the expected server name and the root pool
	cfg := &ldap.Config{
		BaseDN: "xxxxxx",
		BindDN: "xxxxxx",
		Port:   "636",
		Host:   "xxxxx",
		TLS: &tls.Config{
			ServerName: "xxxx",
			RootCAs:    rootCA,
		},
		BindPassword: "xxxx",
		Filter:       "xxxx",
	}

	cacheObj = libcache.FIFO.New(0)
	cacheObj.SetTTL(time.Minute * 5)
	cacheObj.RegisterOnExpired(func(key, _ interface{}) {
		cacheObj.Peek(key)
	})

	strategy = ldap.NewCached(cfg, cacheObj)
}
```

and a basic sample middleware:

```go
func middleware(next http.Handler) http.HandlerFunc {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		log.Println("Executing Auth Middleware")
		user, err := strategy.Authenticate(r.Context(), r)
		if err != nil {
			code := http.StatusUnauthorized
			errorstring := fmt.Sprintf("%s", err)
			http.Error(w, errorstring, code)
			log.Printf("%s", err)
			return
		}
		log.Printf("User %s Authenticated\n", user.GetUserName())
		next.ServeHTTP(w, r)
	})
}
```

What did you expect to see?

The authentication should be validated. That works perfectly without TLS (clear LDAP on port 389) ... but it will not be supported soon.

What did you see instead?

We got this error message from the LDAP provider: LDAP Result Code 200 "Network Error": ldap: already encrypted

Could you please guide us to the solution? Thank you so much for your help and have a nice day. Best regards.
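The error quoted above is what go-ldap reports when StartTLS is attempted on a connection that is already a TLS session: dialing port 636 yields an encrypted socket, so a later upgrade has nothing left to protect. The following is an added example, not code from the issue author, go-guardian or go-ldap. It models that guard as a small function, rebuilds the certificate-directory loading from the report so that files which contribute no certificate are reported rather than silently skipped, and shows the TLS settings a defender wants for LDAPS (expected server name, explicit root pool, no InsecureSkipVerify). The hostname "ad.example.internal" and the self-signed CA are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"os"
	"path/filepath"
	"time"
)

// errAlreadyEncrypted reproduces the message from the issue. This guard is a
// constructed model of the StartTLS check, not go-ldap's own code.
var errAlreadyEncrypted = errors.New("ldap: already encrypted")

// upgradeToTLS wraps a plaintext connection (port 389 + StartTLS) but refuses
// to upgrade a socket that is already a *tls.Conn (what dialing 636 returns).
func upgradeToTLS(conn net.Conn, cfg *tls.Config) (*tls.Conn, error) {
	if _, ok := conn.(*tls.Conn); ok {
		return nil, errAlreadyEncrypted
	}
	return tls.Client(conn, cfg), nil
}

// loadCertPool seeds a pool from the system store and appends every PEM file
// in dir. Files that yield no certificate are returned in skipped so a
// mis-copied AD certificate is noticed at startup instead of at bind time.
func loadCertPool(dir string) (*x509.CertPool, int, []string, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // same fallback the issue's code uses
	}
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, 0, nil, fmt.Errorf("reading %s: %w", dir, err)
	}
	loaded, skipped := 0, []string{}
	for _, e := range entries {
		if e.IsDir() {
			continue
		}
		data, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err != nil {
			return nil, 0, nil, err
		}
		if pool.AppendCertsFromPEM(data) {
			loaded++
		} else {
			skipped = append(skipped, e.Name())
		}
	}
	return pool, loaded, skipped, nil
}

// ldapsTLSConfig pins verification to the expected server name and the loaded
// roots; InsecureSkipVerify stays false so the AD certificate is really checked.
func ldapsTLSConfig(serverName string, pool *x509.CertPool) *tls.Config {
	return &tls.Config{ServerName: serverName, RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// constructedCAPEM generates a throwaway self-signed CA so the example runs
// offline; in production the PEM comes from the directory server's CA.
func constructedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-ad-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	dir, _ := os.MkdirTemp("", "ad_certs")
	defer os.RemoveAll(dir)
	caPEM, _ := constructedCAPEM()
	_ = os.WriteFile(filepath.Join(dir, "ad-ca.pem"), caPEM, 0o600)
	_ = os.WriteFile(filepath.Join(dir, "notes.txt"), []byte("not a certificate"), 0o600)
	pool, loaded, skipped, err := loadCertPool(dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("loaded %d certificate file(s), skipped %v\n", loaded, skipped)

	cfg := ldapsTLSConfig("ad.example.internal", pool) // placeholder hostname
	client, server := net.Pipe()
	defer client.Close()
	defer server.Close()
	ldaps, _ := upgradeToTLS(client, cfg) // the socket a port-636 dial hands back
	_, err = upgradeToTLS(ldaps, cfg)     // a StartTLS on top of it
	fmt.Println("second upgrade:", err)
}
```

Running it prints one loaded file, `notes.txt` in the skipped list, and the same "ldap: already encrypted" error for the second upgrade; with port 636 the fix is to dial with TLS once and never call StartTLS, while port 389 is the only case where StartTLS belongs.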

fl0riandre commented 3 years ago

Oh... I just saw the pull request!! https://github.com/shaj13/go-guardian/pull/92

fl0riandre commented 3 years ago

I will try the new version :) Thank you!!!