Allow for both TLS and non-TLS connections

author: Alex Auvolat <alex@adnab.me> 2020-01-27 16:32:39 +0100
committer: Alex Auvolat <alex@adnab.me> 2020-01-27 16:32:39 +0100
commit: dce432426e325ab43757da9485c612421c912957 (patch)
tree: c0c545881343db783369de26fd55530facc81e75 /main.go
parent: 66c64797706a2e62424c3523564b99f0597cde03 (diff)
download: bottin-dce432426e325ab43757da9485c612421c912957.tar.gz
bottin-dce432426e325ab43757da9485c612421c912957.zip
1 files changed, 73 insertions, 45 deletions
diff --git a/main.go b/main.go
index 88ea3dd..a8acc18 100644
--- a/main.go
+++ b/main.go
@@ -35,24 +35,24 @@ const ATTR_MODIFYTIMESTAMP = "modifytimestamp"
 
 type ConfigFile struct {
 	Suffix        string   `json:"suffix"`
-	BindAddress   string   `json:"bind_address"`
+	Bind          string   `json:"bind"`
+	BindSecure    string   `json:"bind_secure"`
 	ConsulHost    string   `json:"consul_host"`
 	Acl           []string `json:"acl"`
 	TLSCertFile   string   `json:"tls_cert_file"`
 	TLSKeyFile    string   `json:"tls_key_file"`
 	TLSServerName string   `json:"tls_server_name"`
-	UseStartTLS   bool     `json:"use_starttls"`
 }
 
 type Config struct {
-	Suffix      string
-	BindAddress string
-	ConsulHost  string
+	Suffix     string
+	Bind       string
+	BindSecure string
+	ConsulHost string
 
 	Acl ACL
 
-	TLSConfig   *tls.Config
-	UseStartTLS bool
+	TLSConfig *tls.Config
 }
 
 type Server struct {
@@ -71,7 +71,8 @@ var configFlag = flag.String("config", "./config.json", "Configuration file path
 
 func readConfig() Config {
 	config_file := ConfigFile{
-		BindAddress: "0.0.0.0:389",
+		Bind:       "0.0.0.0:389",
+		BindSecure: "0.0.0.0:636",
 	}
 
 	bytes, err := ioutil.ReadFile(*configFlag)
@@ -90,11 +91,11 @@ func readConfig() Config {
 	}
 
 	ret := Config{
-		Suffix:      config_file.Suffix,
-		BindAddress: config_file.BindAddress,
-		ConsulHost:  config_file.ConsulHost,
-		Acl:         acl,
-		UseStartTLS: config_file.UseStartTLS,
+		Suffix:     config_file.Suffix,
+		Bind:       config_file.Bind,
+		BindSecure: config_file.BindSecure,
+		ConsulHost: config_file.ConsulHost,
+		Acl:        acl,
 	}
 
 	if config_file.TLSCertFile != "" && config_file.TLSKeyFile != "" && config_file.TLSServerName != "" {
@@ -116,8 +117,6 @@ func readConfig() Config {
 			Certificates: []tls.Certificate{cert},
 			ServerName:   config_file.TLSServerName,
 		}
-	} else {
-		log.Printf("Warning: no TLS configuration provided, running an insecure server.")
 	}
 
 	return ret
@@ -152,17 +151,7 @@ func main() {
 		panic(err)
 	}
 
-	//Create a new LDAP Server
-	ldapserver := ldap.NewServer()
-	ldapserver.NewUserState = func() ldap.UserState {
-		return &State{
-			login: Login{
-				user:   "ANONYMOUS",
-				groups: []string{},
-			},
-		}
-	}
-
+	// Create routes
 	routes := ldap.NewRouteMux()
 
 	routes.Bind(gobottin.handleBind)
@@ -172,33 +161,72 @@ func main() {
 	routes.Delete(gobottin.handleDelete)
 	routes.Modify(gobottin.handleModify)
 
-	if config.TLSConfig != nil && config.UseStartTLS {
+	if config.TLSConfig != nil {
 		routes.Extended(gobottin.handleStartTLS).
 			RequestName(ldap.NoticeOfStartTLS).Label("StartTLS")
 	}
 
-	ldapserver.Handle(routes)
+	// Create LDAP servers
+	var ldapServer, ldapServerSecure *ldap.Server = nil, nil
 
-	go func() {
-		// When CTRL+C, SIGINT and SIGTERM signal occurs
-		// Then stop server gracefully
-		ch := make(chan os.Signal)
-		signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM)
-		<-ch
-		close(ch)
-		ldapserver.Stop()
-	}()
+	// Bind on standard LDAP port without TLS
+	if config.Bind != "" {
+		ldapServer = ldap.NewServer()
+		ldapServer.Handle(routes)
+		ldapServer.NewUserState = gobottin.newUserState
+		go func() {
+			err := ldapServer.ListenAndServe(config.Bind)
+			if err != nil {
+				panic(err)
+			}
+		}()
+	}
 
-	if config.TLSConfig != nil && !config.UseStartTLS {
-		secureConn := func(s *ldap.Server) {
-			s.Listener = tls.NewListener(s.Listener, config.TLSConfig)
+	// Bind on LDAP secure port with TLS
+	if config.BindSecure != "" {
+		if config.TLSConfig != nil {
+			ldapServerSecure := ldap.NewServer()
+			ldapServerSecure.Handle(routes)
+			ldapServerSecure.NewUserState = gobottin.newUserState
+			secureConn := func(s *ldap.Server) {
+				s.Listener = tls.NewListener(s.Listener, config.TLSConfig)
+			}
+			go func() {
+				err := ldapServerSecure.ListenAndServe(config.BindSecure, secureConn)
+				if err != nil {
+					panic(err)
+				}
+			}()
+		} else {
+			fmt.Printf("Warning: no valid TLS configuration was provided, not binding on %s", config.BindSecure)
 		}
-		err = ldapserver.ListenAndServe(config.BindAddress, secureConn)
-	} else {
-		err = ldapserver.ListenAndServe(config.BindAddress)
 	}
-	if err != nil {
-		panic(err)
+
+	if ldapServer == nil && ldapServerSecure == nil {
+		panic("Not doing anything.")
+	}
+
+	// When CTRL+C, SIGINT and SIGTERM signal occurs
+	// Then stop server gracefully
+	ch := make(chan os.Signal)
+	signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM)
+	<-ch
+	close(ch)
+
+	if ldapServer != nil {
+		ldapServer.Stop()
+	}
+	if ldapServerSecure != nil {
+		ldapServerSecure.Stop()
+	}
+}
+
+func (server *Server) newUserState() ldap.UserState {
+	return &State{
+		login: Login{
+			user:   "ANONYMOUS",
+			groups: []string{},
+		},
 	}
 }
author	Alex Auvolat <alex@adnab.me>	2020-01-27 16:32:39 +0100
committer	Alex Auvolat <alex@adnab.me>	2020-01-27 16:32:39 +0100
commit	dce432426e325ab43757da9485c612421c912957 (patch)
tree	c0c545881343db783369de26fd55530facc81e75 /main.go
parent	66c64797706a2e62424c3523564b99f0597cde03 (diff)
download	bottin-dce432426e325ab43757da9485c612421c912957.tar.gz bottin-dce432426e325ab43757da9485c612421c912957.zip