Diffstat (limited to 'sys-auth')
-rw-r--r--sys-auth/Manifest.gzbin10882 -> 10883 bytes
-rw-r--r--sys-auth/docker_auth/Manifest4
-rw-r--r--sys-auth/docker_auth/docker_auth-1.3.1.ebuild88
-rw-r--r--sys-auth/docker_auth/files/docker_auth-ldap-group-support-2.patch427
-rw-r--r--sys-auth/nss-pam-ldapd/Manifest6
-rw-r--r--sys-auth/nss-pam-ldapd/nss-pam-ldapd-0.8.14-r2.ebuild6
-rw-r--r--sys-auth/nss-pam-ldapd/nss-pam-ldapd-0.9.8.ebuild6
-rw-r--r--sys-auth/nss-pam-ldapd/nss-pam-ldapd-0.9.9.ebuild4
8 files changed, 530 insertions, 11 deletions
diff --git a/sys-auth/Manifest.gz b/sys-auth/Manifest.gz
index 02a82878bb9e..2343636382da 100644
--- a/sys-auth/Manifest.gz
+++ b/sys-auth/Manifest.gz
Binary files differ
diff --git a/sys-auth/docker_auth/Manifest b/sys-auth/docker_auth/Manifest
index 821669b0e77a..12fc76cdec81 100644
--- a/sys-auth/docker_auth/Manifest
+++ b/sys-auth/docker_auth/Manifest
@@ -1,10 +1,13 @@
AUX docker_auth-ldap-cacert.patch 2806 BLAKE2B 3af756a2c0cd1dd41e0f17550885f0fd03520dbf8c0ae0b8e7747bd8b66f653c88c7aae366170528ff2345c0cfa4b42640882e5fecf1955f118b0bb2be91d7e8 SHA512 ae86f8d2adae073fae30753c054627a737ddbd05dd94107a65abe2935043a14a9eaf5987a83f06a5b7f827862a8df3510554f34f34693d5e97d77008d7da3b97
AUX docker_auth-ldap-group-support-1.patch 13612 BLAKE2B 0f61d633858ca42b0f460b912f8b014fda1008359ab9ec4b7e097e4db119fec6c7676b1378413c3d4b5b03d08dacf29c05df32deb9c294eac6b5cdb63d327f7f SHA512 3479435540fd371ef2b294261e2d7196f4ee92e5621178e25c8ee240c066c49a2a846abae860b3baba5bac4e8787e0795b33a7bd1fb6689aa9961acdbd728a16
+AUX docker_auth-ldap-group-support-2.patch 15137 BLAKE2B 0774a94db7825d1b103a812547de79aa75c324fd37426bf0f609d0e19d85add35ae1569afe96fa45fe3bc0ec547dc1983b11ce5973d9363d613ea12f258d7bdf SHA512 6897b1fa232290f3f26e3779fa4297089e1288904462c03ea9ffa2dbcb8141740dc07c6da181d4f4a8884e16fd2757b7b880611bec04bc7e497a71d0bce93eea
AUX docker_auth.confd 71 BLAKE2B 63190ce49fe26406107db51be1d0b87a0e3686287733ce2061e76fa14ed0811d0648049adaf448fbe8e4721cbe9eaf284c9d1f38c9c0aa7291cc78eaca1fd6db SHA512 b089b5ea299b701c3e0ed682e59e87e3f1fe1af4f097f21be80ed2e33c8dd021b9dca0c4310ab453518310306af3c7f2c084a4d17db1504cf1f392dcc993d337
AUX docker_auth.initd 596 BLAKE2B 42722f51138e8d32d991b37436dddfafa0e6e460fea6ee9e3be080e6373330366ddce1ce992046569929ee660f5c1cc4c43e0baaf57d4cb82257e6e743cc656b SHA512 11dd3d6c3a947571a719b3fcb76a4fe75af4ee1d1b8957f4b0b3b7ee14cefec7acca9fb52e438b185651c38519e820ab0016d439405652f419399c823e74579c
AUX docker_auth.logrotated 109 BLAKE2B 0ba5c48e905ee8d8987058ca68f817d4a1f3f53e5dff25cf6aa5074e587101fe02664f5b72da60400f7159699b9692ed085b924aa353f402504d3ffab27251d8 SHA512 b2b93aa327b4023481b9524649fe2be4b1ccf97f88b76969b8ab23b9a852627db92426fd0286a875c06555f51c0a61e50b789646acffdbd7916b7be3580d8751
AUX version.go 71 BLAKE2B 1ccf8ded93aa946112fe37182688dc8ef9ce65494bd9140a5f16fd268929224bb33b5d04f93b2bcd61d89907eab304ed7f7ac300e18d7615c50a16ae63190522 SHA512 48f7727bda3a0e59f33235d8e343beca581f153ceaa227eaa65bd783d05c06f1c598c764743ef41910fd72a2309e7069bddc5f57f89700f2f88536bfe3100d79
+DIST docker_auth-1.3.1.tar.gz 49687 BLAKE2B 7c7c8235ad4eb139d1b964de3583a714040747b0823f33bd529469834c75539c583bdca56b0a6cbabeed4eb3435845f831f10a65ae2ef4a445b7b13d4a16695c SHA512 fe5a37a3975fe33c38db649be0560f87b8c179273bb3d2e044f2df3840e316f8a9f292a94ea601896cbe8c137560200be98628b873a0cd53b2d6b17c5164537d
DIST docker_auth-1.3.tar.gz 48970 BLAKE2B 06a5aaffaa9b1dee2c371fb3dcf51ae14e4a2fc1c8d5fbf8ec9804c77abd9b2178507ed37b906886ff1ed20ac255aaf681422dfee194fa23e17b110278b5e044 SHA512 c0964a643d0269b2c7c4a1a747b421dfea8d8c42e3812a6b0dc2fa989e9e81fd6d6fd34672b19ea4472bf05be53bdd4d1c343fd241eab55d9b3496b47b3fa0c8
+DIST github.com-GoogleCloudPlatform-gcloud-golang-20d4028b8a750c2aca76bf9fefa8ed2d0109b573.tar.gz 873021 BLAKE2B f6bd3a08081b7ddd9c61884ba3157654139c70982ffa7245ed988bb1f0fd80af98ccac556168e90ea871ccc0909d03e7f1ee7bcf7cbf2160bbf764e412d123ad SHA512 e98f269d70927bb59fee31059e2d24a5ba71837adbf1f6619b1d9df0a3ec11ef58a2bdf46de6dc45f9ee0a3985c37bc05004beac34b94bc790093aa1550c939a
DIST github.com-GoogleCloudPlatform-gcloud-golang-bbf380d59635bf267fc8a8df03d6d261c448ee3c.tar.gz 1082782 BLAKE2B 47eba3e3ad6af13a7b7710b20e970219d27e2a5aa3e3e57cdaf015d43ca6ac758104e822735841cbfc01f6598ef5b83dd85759881ec39ae55b0d485ea76ec8f9 SHA512 d4b8f145a5007668d7b67ea63ffc221d4b56b76bfabfc7ba7b8182ca579edeca707638b4d81746ea1d7ae30915358028d026e17524e1e49a14d3f70c0efb85c2
DIST github.com-cesanta-glog-22eb27a0ae192b290b25537b8e876556fc25129c.tar.gz 20273 BLAKE2B 982093a19a04611d3e1e9c06dd499fd7eb4730c49057e2c86042acecbf7f1920b6dd83133eb0ae07938ab995cbf809aa7d2236c67a805e3f16ff2c2535e2f66b SHA512 3c4b757fc0d0e45382b1ef0180eea2f0429e8c7ecac0089fca79bc717f6c0a04918b91a144ca78331178cc914b808b40596c6a6e214157d2f812858be31c13d6
DIST github.com-dchest-uniuri-8902c56451e9b58ff940bbe5fec35d5f9c04584a.tar.gz 2471 BLAKE2B 9cc560893309347a9f012cdb32009bc7201511fa337339c8ced7c671e4b43100e36370dc71c47001e33e411b7707c30787a36e953fa5d15990a1f0edf38accc2 SHA512 70421b526e3040a49e63be6c892de2953b4f9ecdb01b148eb2bab3814f610a8c39bd98aad858cbaf9dcf621b52ee9ef952f0cdcdc6eca77da8ebf80dbbf1c04c
@@ -33,4 +36,5 @@ DIST github.com-grpc-grpc-go-35170916ff58e89ae03f52e778228e18207e0e02.tar.gz 315
DIST github.com-schwarmco-go-cartesian-product-c2c0aca869a6cbf51e017ce148b949d9dee09bc3.tar.gz 2433 BLAKE2B 104d5f15bfa0b6166b8269e2647b39c5889fb2ff706d5c2d2ba6328ff2292cb2896a9b1d0298c7d00d962dc18a254885e3fb3d6a2e442bea7f92044e9b1a89e3 SHA512 a1767b2c5c6340cb2649d63beac11571ec3c9b2c98011234d5a51eb337d221ea411e517660ae966fd4f582ffef18b088d7125d29ba271bece8b51254dcac940b
DIST github.com-syndtr-goleveldb-3c5717caf1475fd25964109a0fc640bd150fce43.tar.gz 137276 BLAKE2B 6f74b19157edb319c01fc2a8ed682904ec12a52cb3995dddf06396fcb127e2ec3e433d723fa848744b74d09161edd50973f008c3a6b1458625f709ddc9ada93e SHA512 bac364a68737f5faed9ec052d47db01dc4aa0eca4ef786a43766b844ff27d8d9f87a94159a17c58745dd4ba002a9a83cd091ab2561a61d01b0a672a82002c1d4
EBUILD docker_auth-1.3-r2.ebuild 3788 BLAKE2B 76b0bbc4ea91a4aed60b207c2ae706786934422efb5e65f81e48ec0eabf11e20e9b4128df09eec71d184214e17d62eca654d41b7a9219f34e25db0469a329348 SHA512 e89dab1db49e5c196f9a18d971d1ff4220f5adc03777836b22e87aa99ed4f1b46275fa7071def353b21a73934dae1476dbf16476c0d7a054dec7a910150410c5
+EBUILD docker_auth-1.3.1.ebuild 3742 BLAKE2B f0234e9007e13c99b03f20984884816bdde8874f912df1b99c5f6932d3bc4cac436b023ac4bd35820db19bcb36d7aa965f0ef1129f33a2ea6d9081824b1dfaa5 SHA512 52e3d58f3e322c6a7960c37ef5b565c1c437dbb6b7d99a2e81e78c3b6ae687fbd0483c9ce95b573e758d4a21ed6b0a8121a2a180870a8d9ca119f5f91419af51
MISC metadata.xml 329 BLAKE2B e38d2771b4a8390d7a12702b70a5e5cee8067aab659acf457b6665425b10f08459f42f8246a9e4aa299df2085c75a850eac51563d4479e4e0b3a82b9b3cfc391 SHA512 83a99677c1de5a527b72abdb632ea1ea0b0be3fedac28b6c20efb7b76999b0024e6d0a072e9b28b5458b79be14df1293b4f6a314448f5e41965ce4f2e9c65904
diff --git a/sys-auth/docker_auth/docker_auth-1.3.1.ebuild b/sys-auth/docker_auth/docker_auth-1.3.1.ebuild
new file mode 100644
index 000000000000..9fe0af56b043
--- /dev/null
+++ b/sys-auth/docker_auth/docker_auth-1.3.1.ebuild
@@ -0,0 +1,88 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+EGO_PN="github.com/cesanta/docker_auth"
+
+EGO_VENDOR=(
+ "github.com/dchest/uniuri 8902c56451e9b58ff940bbe5fec35d5f9c04584a"
+ "github.com/deckarep/golang-set fc8930a5e645572ee00bf66358ed3414f3c13b90"
+ "github.com/docker/distribution 0700fa570d7bcc1b3e46ee127c4489fd25f4daa3"
+ "github.com/docker/libtrust aabc10ec26b754e797f9028f4589c5b7bd90dc20"
+ "github.com/facebookgo/httpdown a3b1354551a26449fbe05f5d855937f6e7acbd71"
+ "github.com/facebookgo/clock 600d898af40aa09a7a93ecb9265d87b0504b6f03"
+ "github.com/facebookgo/stats 1b76add642e42c6ffba7211ad7b3939ce654526e"
+ "github.com/go-ldap/ldap 13cedcf58a1ea124045dea529a66c849d3444c8e"
+ "github.com/cesanta/glog 22eb27a0ae192b290b25537b8e876556fc25129c"
+ "github.com/schwarmco/go-cartesian-product c2c0aca869a6cbf51e017ce148b949d9dee09bc3"
+ "github.com/syndtr/goleveldb 3c5717caf1475fd25964109a0fc640bd150fce43"
+ "github.com/golang/snappy 553a641470496b2327abcac10b36396bd98e45c9"
+ "gopkg.in/asn1-ber.v1 4e86f4367175e39f69d9358a5f17b4dda270378d github.com/go-asn1-ber/asn1-ber"
+ "gopkg.in/fsnotify.v1 629574ca2a5df945712d3079857300b5e4da0236 github.com/fsnotify/fsnotify"
+ "gopkg.in/mgo.v2 3f83fa5005286a7fe593b055f0d7771a7dce4655 github.com/go-mgo/mgo"
+ "gopkg.in/yaml.v2 a3f3340b5840cee44f372bddb5880fcbc419b46a github.com/go-yaml/yaml"
+ "golang.org/x/crypto e1a4589e7d3ea14a3352255d04b6f1a418845e5e github.com/golang/crypto"
+ "golang.org/x/sys 493114f68206f85e7e333beccfabc11e98cba8dd github.com/golang/sys"
+ "golang.org/x/net 859d1a86bb617c0c20d154590c3c5d3fcb670b07 github.com/golang/net"
+ "google.golang.org/api 39c3dd417c5a443607650f18e829ad308da08dd2 github.com/google/google-api-go-client"
+ "google.golang.org/grpc 35170916ff58e89ae03f52e778228e18207e0e02 github.com/grpc/grpc-go"
+ "github.com/golang/protobuf 11b8df160996e00fd4b55cbaafb3d84ec6d50fa8"
+ "golang.org/x/oauth2 13449ad91cb26cb47661c1b080790392170385fd github.com/golang/oauth2"
+ "cloud.google.com/go 20d4028b8a750c2aca76bf9fefa8ed2d0109b573 github.com/GoogleCloudPlatform/gcloud-golang"
+ "golang.org/x/text ab5ac5f9a8deb4855a60fab02bc61a4ec770bd49 github.com/golang/text"
+ "github.com/googleapis/gax-go 8c160ca1523d8eea3932fbaa494c8964b7724aa8"
+ "google.golang.org/genproto 595979c8a7bf586b2d293fb42246bf91a0b893d9 github.com/google/go-genproto"
+ )
+
+inherit user golang-build golang-vcs-snapshot
+EGIT_COMMIT="509a03a9622f460ded806a2c7b7b27717b3cb1f5"
+SHORT_COMMIT=${EGIT_COMMIT:0:7}
+SRC_URI="https://${EGO_PN}/archive/${PV}.tar.gz -> ${P}.tar.gz
+ ${EGO_VENDOR_URI}"
+KEYWORDS="~amd64"
+
+DESCRIPTION="Docker Registry 2 authentication server"
+HOMEPAGE="https://github.com/cesanta/docker_auth"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+IUSE=""
+
+RESTRICT="test"
+
+pkg_setup() {
+ enewgroup ${PN}
+ enewuser ${PN} -1 -1 /dev/null ${PN}
+}
+
+src_prepare() {
+ default
+ pushd src/${EGO_PN}
+ eapply "${FILESDIR}/${PN}-ldap-group-support-2.patch"
+ cp "${FILESDIR}/version.go" auth_server/version.go || die
+ sed -i -e "s/{version}/${PV}/" -e "s/{build_id}/${SHORT_COMMIT}/" auth_server/version.go || die
+ popd || die
+}
+
+src_compile() {
+ pushd src/${EGO_PN}/auth_server || die
+ GOPATH="${WORKDIR}/${P}" go build -o "bin/auth_server" || die
+ popd || die
+}
+
+src_install() {
+ pushd src/${EGO_PN} || die
+ dodoc README.md docs/Backend_MongoDB.md
+ insinto /usr/share/${PF}
+ doins -r examples
+ insinto /etc/docker_auth/
+ newins examples/reference.yml config.yml.example
+ dobin auth_server/bin/auth_server
+ popd || die
+ newinitd "${FILESDIR}"/${PN}.initd ${PN}
+ newconfd "${FILESDIR}"/${PN}.confd ${PN}
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}"/${PN}.logrotated ${PN}
+ keepdir /var/log/docker_auth
+ fowners ${PN}:${PN} /var/log/docker_auth
+}
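Review bot: `pushd src/${EGO_PN}` in `src_prepare` carries no `|| die`, unlike every other `pushd` in this ebuild, so a failed directory change would let `eapply` and the `cp` of `version.go` run against the wrong tree before anything fails; change it to `pushd src/${EGO_PN} || die`. As far as this file shows, `EGIT_COMMIT` only feeds `SHORT_COMMIT` for the build id, while the source tarball is fetched by tag (`archive/${PV}.tar.gz`) and its content is pinned by the Manifest DIST hash, not by that commit. A one-line comment above it, `# EGIT_COMMIT is informational only (build id); tarball integrity is pinned by Manifest`, would keep a later maintainer from assuming the two are cross-checked.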
diff --git a/sys-auth/docker_auth/files/docker_auth-ldap-group-support-2.patch b/sys-auth/docker_auth/files/docker_auth-ldap-group-support-2.patch
new file mode 100644
index 000000000000..7c8bba4a80b2
--- /dev/null
+++ b/sys-auth/docker_auth/files/docker_auth-ldap-group-support-2.patch
@@ -0,0 +1,427 @@
+From 2ee85ad8040bab72a929958b4c3c8037dbcd31ae Mon Sep 17 00:00:00 2001
+From: Kevin <kcd83@users.noreply.github.com>
+Date: Mon, 27 Feb 2017 19:09:52 +1300
+Subject: [PATCH 1/5] Initial proof of concept mapping memberOf CN to the label
+ groups #63
+
+(cherry picked from commit 4a33badac6b74617dfe3797a716a6907cf018b27)
+---
+ auth_server/authn/ldap_auth.go | 73 ++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 60 insertions(+), 13 deletions(-)
+
+diff --git a/auth_server/authn/ldap_auth.go b/auth_server/authn/ldap_auth.go
+index a3425ed..5769057 100644
+--- a/auth_server/authn/ldap_auth.go
++++ b/auth_server/authn/ldap_auth.go
+@@ -17,7 +17,6 @@
+ package authn
+
+ import (
+- "bytes"
+ "crypto/tls"
+ "crypto/x509"
+ "fmt"
+@@ -73,10 +72,20 @@ func (la *LDAPAuth) Authenticate(account string, password PasswordString) (bool,
+ account = la.escapeAccountInput(account)
+
+ filter := la.getFilter(account)
+- accountEntryDN, uSearchErr := la.ldapSearch(l, &la.config.Base, &filter, &[]string{})
++
++ // dnAndGroupAttr := []string{"DN"} // example of no groups mapping attribute
++ groupAttribute := "memberOf"
++ dnAndGroupAttr := []string{"DN", groupAttribute}
++
++ entryAttrMap, uSearchErr := la.ldapSearch(l, &la.config.Base, &filter, &dnAndGroupAttr)
+ if uSearchErr != nil {
+ return false, nil, uSearchErr
+ }
++ if len(entryAttrMap) < 1 || entryAttrMap["DN"] == nil || len(entryAttrMap["DN"]) != 1 {
++ return false, nil, NoMatch // User does not exist
++ }
++
++ accountEntryDN := entryAttrMap["DN"][0]
+ if accountEntryDN == "" {
+ return false, nil, NoMatch // User does not exist
+ }
+@@ -95,6 +104,20 @@ func (la *LDAPAuth) Authenticate(account string, password PasswordString) (bool,
+ return false, nil, bindErr
+ }
+
++ // Extract group names from the attribute values
++ if entryAttrMap[groupAttribute] != nil {
++ rawGroups := entryAttrMap[groupAttribute]
++ labels := make(map[string][]string)
++ var groups []string
++ for _, value := range rawGroups {
++ cn := la.getCNFromDN(value)
++ groups = append(groups, cn)
++ }
++ labels["groups"] = groups
++
++ return true, labels, nil
++ }
++
+ return true, nil, nil
+ }
+
+@@ -185,9 +208,9 @@ func (la *LDAPAuth) getFilter(account string) string {
+
+ //ldap search and return required attributes' value from searched entries
+ //default return entry's DN value if you leave attrs array empty
+-func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, attrs *[]string) (string, error) {
++func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, attrs *[]string) (map[string][]string, error) {
+ if l == nil {
+- return "", fmt.Errorf("No ldap connection!")
++ return nil, fmt.Errorf("No ldap connection!")
+ }
+ glog.V(2).Infof("Searching...basedDN:%s, filter:%s", *baseDN, *filter)
+ searchRequest := ldap.NewSearchRequest(
+@@ -198,30 +221,54 @@ func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, att
+ nil)
+ sr, err := l.Search(searchRequest)
+ if err != nil {
+- return "", err
++ return nil, err
+ }
+
+ if len(sr.Entries) == 0 {
+- return "", nil // User does not exist
++ return nil, nil // User does not exist
+ } else if len(sr.Entries) > 1 {
+- return "", fmt.Errorf("Too many entries returned.")
++ return nil, fmt.Errorf("Too many entries returned.")
+ }
+
+- var buffer bytes.Buffer
++ result := make(map[string][]string)
+ for _, entry := range sr.Entries {
++
+ if len(*attrs) == 0 {
+ glog.V(2).Infof("Entry DN = %s", entry.DN)
+- buffer.WriteString(entry.DN)
++ result["DN"] = []string{entry.DN}
+ } else {
+ for _, attr := range *attrs {
+- values := strings.Join(entry.GetAttributeValues(attr), " ")
+- glog.V(2).Infof("Entry %s = %s", attr, values)
+- buffer.WriteString(values)
++ var values []string
++ if attr == "DN" {
++ // DN is excluded from attributes
++ values = []string{entry.DN}
++ } else {
++ values = entry.GetAttributeValues(attr)
++ }
++ valuesString := strings.Join(values, "\n")
++ glog.V(2).Infof("Entry %s = %s", attr, valuesString)
++ result[attr] = values
++ }
++ }
++ }
++
++ return result, nil
++}
++
++func (la *LDAPAuth) getCNFromDN(dn string) string {
++ parsedDN, err := ldap.ParseDN(dn)
++ if err != nil || len(parsedDN.RDNs) > 0 {
++ for _, rdn := range parsedDN.RDNs {
++ for _, rdnAttr := range rdn.Attributes {
++ if rdnAttr.Type == "CN" {
++ return rdnAttr.Value
++ }
+ }
+ }
+ }
+
+- return buffer.String(), nil
++ // else try using raw DN
++ return dn
+ }
+
+ func (la *LDAPAuth) Stop() {
+
+From 3f5e1b78519238ca65e6084f48cbdd56531e4c84 Mon Sep 17 00:00:00 2001
+From: Kevin <kcd83@users.noreply.github.com>
+Date: Tue, 28 Feb 2017 18:09:55 +1300
+Subject: [PATCH 2/5] Apply attribute mapping from configuration
+
+(cherry picked from commit ddde2fa779e746d7e74cd972a4c6795c72f17ee6)
+---
+ auth_server/authn/ldap_auth.go | 127 ++++++++++++++++++++++++-----------------
+ 1 file changed, 75 insertions(+), 52 deletions(-)
+
+diff --git a/auth_server/authn/ldap_auth.go b/auth_server/authn/ldap_auth.go
+index 5769057..99c9146 100644
+--- a/auth_server/authn/ldap_auth.go
++++ b/auth_server/authn/ldap_auth.go
+@@ -27,17 +27,23 @@ import (
+ "github.com/cesanta/glog"
+ )
+
++type LabelMap struct {
++ Attribute string `yaml:"attribute,omitempty"`
++ ParseCN bool `yaml:"parse_cn,omitempty"`
++}
++
+ type LDAPAuthConfig struct {
+- Addr string `yaml:"addr,omitempty"`
+- TLS string `yaml:"tls,omitempty"`
+- InsecureTLSSkipVerify bool `yaml:"insecure_tls_skip_verify,omitempty"`
+- CACertificate string `yaml:"ca_certificate,omitempty"`
+- Base string `yaml:"base,omitempty"`
+- Filter string `yaml:"filter,omitempty"`
+- BindDN string `yaml:"bind_dn,omitempty"`
+- BindPasswordFile string `yaml:"bind_password_file,omitempty"`
+- GroupBaseDN string `yaml:"group_base_dn,omitempty"`
+- GroupFilter string `yaml:"group_filter,omitempty"`
++ Addr string `yaml:"addr,omitempty"`
++ TLS string `yaml:"tls,omitempty"`
++ InsecureTLSSkipVerify bool `yaml:"insecure_tls_skip_verify,omitempty"`
++ CACertificate string `yaml:"ca_certificate,omitempty"`
++ Base string `yaml:"base,omitempty"`
++ Filter string `yaml:"filter,omitempty"`
++ BindDN string `yaml:"bind_dn,omitempty"`
++ BindPasswordFile string `yaml:"bind_password_file,omitempty"`
++ LabelMaps map[string]LabelMap `yaml:"labels,omitempty"`
++ GroupBaseDN string `yaml:"group_base_dn,omitempty"`
++ GroupFilter string `yaml:"group_filter,omitempty"`
+ }
+
+ type LDAPAuth struct {
+@@ -73,22 +79,19 @@ func (la *LDAPAuth) Authenticate(account string, password PasswordString) (bool,
+
+ filter := la.getFilter(account)
+
+- // dnAndGroupAttr := []string{"DN"} // example of no groups mapping attribute
+- groupAttribute := "memberOf"
+- dnAndGroupAttr := []string{"DN", groupAttribute}
++ labelAttributes, labelsConfigErr := la.getLabelAttributes()
++ if labelsConfigErr != nil {
++ return false, nil, labelsConfigErr
++ }
+
+- entryAttrMap, uSearchErr := la.ldapSearch(l, &la.config.Base, &filter, &dnAndGroupAttr)
++ accountEntryDN, entryAttrMap, uSearchErr := la.ldapSearch(l, &la.config.Base, &filter, &labelAttributes)
+ if uSearchErr != nil {
+ return false, nil, uSearchErr
+ }
+- if len(entryAttrMap) < 1 || entryAttrMap["DN"] == nil || len(entryAttrMap["DN"]) != 1 {
+- return false, nil, NoMatch // User does not exist
+- }
+-
+- accountEntryDN := entryAttrMap["DN"][0]
+ if accountEntryDN == "" {
+ return false, nil, NoMatch // User does not exist
+ }
++
+ // Bind as the user to verify their password
+ if len(accountEntryDN) > 0 {
+ err := l.Bind(accountEntryDN, string(password))
+@@ -104,21 +107,13 @@ func (la *LDAPAuth) Authenticate(account string, password PasswordString) (bool,
+ return false, nil, bindErr
+ }
+
+- // Extract group names from the attribute values
+- if entryAttrMap[groupAttribute] != nil {
+- rawGroups := entryAttrMap[groupAttribute]
+- labels := make(map[string][]string)
+- var groups []string
+- for _, value := range rawGroups {
+- cn := la.getCNFromDN(value)
+- groups = append(groups, cn)
+- }
+- labels["groups"] = groups
+-
+- return true, labels, nil
++ // Extract labels from the attribute values
++ labels, labelsExtractErr := la.getLabelsFromMap(entryAttrMap)
++ if labelsExtractErr != nil {
++ return false, nil, labelsExtractErr
+ }
+
+- return true, nil, nil
++ return true, labels, nil
+ }
+
+ func (la *LDAPAuth) bindReadOnlyUser(l *ldap.Conn) error {
+@@ -208,9 +203,9 @@ func (la *LDAPAuth) getFilter(account string) string {
+
+ //ldap search and return required attributes' value from searched entries
+ //default return entry's DN value if you leave attrs array empty
+-func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, attrs *[]string) (map[string][]string, error) {
++func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, attrs *[]string) (string, map[string][]string, error) {
+ if l == nil {
+- return nil, fmt.Errorf("No ldap connection!")
++ return "", nil, fmt.Errorf("No ldap connection!")
+ }
+ glog.V(2).Infof("Searching...basedDN:%s, filter:%s", *baseDN, *filter)
+ searchRequest := ldap.NewSearchRequest(
+@@ -221,38 +216,66 @@ func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, att
+ nil)
+ sr, err := l.Search(searchRequest)
+ if err != nil {
+- return nil, err
++ return "", nil, err
+ }
+
+ if len(sr.Entries) == 0 {
+- return nil, nil // User does not exist
++ return "", nil, nil // User does not exist
+ } else if len(sr.Entries) > 1 {
+- return nil, fmt.Errorf("Too many entries returned.")
++ return "", nil, fmt.Errorf("Too many entries returned.")
+ }
+
+- result := make(map[string][]string)
++ attributes := make(map[string][]string)
++ var entryDn string
+ for _, entry := range sr.Entries {
+-
++ entryDn = entry.DN
+ if len(*attrs) == 0 {
+- glog.V(2).Infof("Entry DN = %s", entry.DN)
+- result["DN"] = []string{entry.DN}
++ glog.V(2).Infof("Entry DN = %s", entryDn)
+ } else {
+ for _, attr := range *attrs {
+- var values []string
+- if attr == "DN" {
+- // DN is excluded from attributes
+- values = []string{entry.DN}
+- } else {
+- values = entry.GetAttributeValues(attr)
+- }
+- valuesString := strings.Join(values, "\n")
+- glog.V(2).Infof("Entry %s = %s", attr, valuesString)
+- result[attr] = values
++ values := entry.GetAttributeValues(attr)
++ glog.V(2).Infof("Entry %s = %s", attr, strings.Join(values, "\n"))
++ attributes[attr] = values
+ }
+ }
+ }
+
+- return result, nil
++ return entryDn, attributes, nil
++}
++
++func (la *LDAPAuth) getLabelAttributes() ([]string, error) {
++ labelAttributes := make([]string, len(la.config.LabelMaps))
++ i := 0
++ for key, mapping := range la.config.LabelMaps {
++ if mapping.Attribute == "" {
++ return nil, fmt.Errorf("Label %s is missing 'attribute' to map from", key)
++ }
++ labelAttributes[i] = mapping.Attribute
++ i++
++ }
++ return labelAttributes, nil
++}
++
++func (la *LDAPAuth) getLabelsFromMap(attrMap map[string][]string) (map[string][]string, error) {
++ labels := make(map[string][]string)
++ for key, mapping := range la.config.LabelMaps {
++ if mapping.Attribute == "" {
++ return nil, fmt.Errorf("Label %s is missing 'attribute' to map from", key)
++ }
++
++ mappingValues := attrMap[mapping.Attribute]
++ if mappingValues != nil {
++ if mapping.ParseCN {
++ // shorten attribute to its common name
++ for i, value := range mappingValues {
++ cn := la.getCNFromDN(value)
++ mappingValues[i] = cn
++ }
++ }
++ labels[key] = mappingValues
++ }
++ }
++ return labels, nil
+ }
+
+ func (la *LDAPAuth) getCNFromDN(dn string) string {
+
+From 98c4191ee4eae3e3e823c91226179c740e77f3a9 Mon Sep 17 00:00:00 2001
+From: Kevin <kcd83@users.noreply.github.com>
+Date: Tue, 28 Feb 2017 18:27:16 +1300
+Subject: [PATCH 3/5] Remove unused configuration fields, never implemented?
+
+(cherry picked from commit cd37001980267a99a9faa19f1927891af63acb90)
+---
+ auth_server/authn/ldap_auth.go | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/auth_server/authn/ldap_auth.go b/auth_server/authn/ldap_auth.go
+index 99c9146..1135dad 100644
+--- a/auth_server/authn/ldap_auth.go
++++ b/auth_server/authn/ldap_auth.go
+@@ -42,8 +42,6 @@ type LDAPAuthConfig struct {
+ BindDN string `yaml:"bind_dn,omitempty"`
+ BindPasswordFile string `yaml:"bind_password_file,omitempty"`
+ LabelMaps map[string]LabelMap `yaml:"labels,omitempty"`
+- GroupBaseDN string `yaml:"group_base_dn,omitempty"`
+- GroupFilter string `yaml:"group_filter,omitempty"`
+ }
+
+ type LDAPAuth struct {
+
+From 1b5d134966c8bd1cba9afaeca284476e66a495e5 Mon Sep 17 00:00:00 2001
+From: Kevin <kcd83@users.noreply.github.com>
+Date: Fri, 1 Sep 2017 22:50:19 +1200
+Subject: [PATCH 4/5] Add LDAP label map examples to the reference config
+
+(cherry picked from commit 2fd43be4e5c2cfe177d9e1d36bcd1b29f4d6f262)
+---
+ examples/reference.yml | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/examples/reference.yml b/examples/reference.yml
+index 6ab4ba2..26182fd 100644
+--- a/examples/reference.yml
++++ b/examples/reference.yml
+@@ -140,6 +140,16 @@ ldap_auth:
+ # User query settings. ${account} is expanded from auth request
+ base: o=example.com
+ filter: (&(uid=${account})(objectClass=person))
++ # Labels can be mapped from LDAP attributes
++ labels:
++ # Add the user's title to a label called title
++ title:
++ attribute: title
++ # Add the user's memberOf values to a label called groups
++ groups:
++ attribute: memberOf
++ # Special handling to simplify the values to just the common name
++ parse_cn: true
+
+ mongo_auth:
+ # Essentially all options are described here: https://godoc.org/gopkg.in/mgo.v2#DialInfo
+
+From 1bc75974e70ff7a84bdf3323889b81e44ea3dc00 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Manuel=20R=C3=BCger?= <manuel@rueg.eu>
+Date: Thu, 12 Apr 2018 15:00:51 +0200
+Subject: [PATCH 5/5] reference.yml: Add example ACL
+
+---
+ examples/reference.yml | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/examples/reference.yml b/examples/reference.yml
+index 26182fd..4bdec24 100644
+--- a/examples/reference.yml
++++ b/examples/reference.yml
+@@ -263,6 +263,12 @@ acl:
+ - match: {name: "${labels:project}-{labels:tier}/*"}
+ actions: ["push", "pull"]
+ comment: "Users can push to a project-tier/* that they are assigned to"
++ - match: {labels: {"title": "Developer"}}
++ actions: ["*"]
++ comment: "If you call yourself a developer you can do anything (this ACL is an example for LDAP labels as defined above)"
++ - match: {labels: {"groups": "Admin"}}
++ actions: ["push"]
++ comment: "If you are part of the admin group you can push. (this ACL is an example for LDAP labels as defined above)"
+ # Access is denied by default.
+
+ # (optional) Define to query ACL from a MongoDB server.
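Review bot: `getCNFromDN` in PATCH 1/5 (ldap_auth.go) dereferences `parsedDN` on the error path: the guard `if err != nil || len(parsedDN.RDNs) > 0` enters the loop precisely when `ParseDN` failed, and if go-ldap's `ParseDN` returns a nil `*DN` together with its error, as it does, a single malformed value in a mapped attribute such as `memberOf` panics the authentication path instead of taking the raw-DN fallback the comment below intends; the guard should read `if err == nil {` (the `len` test is redundant with the `range`). In the same loop `rdnAttr.Type == "CN"` is a case-sensitive compare, but LDAP attribute types are case-insensitive, so a directory that emits `cn=...` (the OpenLDAP convention) never matches and the `groups` label silently carries the full DN, which would make an ACL such as the `{"groups": "Admin"}` example added in PATCH 5/5 never match; use `strings.EqualFold(rdnAttr.Type, "CN")`, with `strings` already imported by this file. Because the ebuild applies this series as-is, the fix belongs either in this patch file or upstream before the ACL examples are relied on.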
diff --git a/sys-auth/nss-pam-ldapd/Manifest b/sys-auth/nss-pam-ldapd/Manifest
index 5d2359e6746f..d40ed1ba12f4 100644
--- a/sys-auth/nss-pam-ldapd/Manifest
+++ b/sys-auth/nss-pam-ldapd/Manifest
@@ -9,7 +9,7 @@ AUX pynslcd.initd 522 BLAKE2B 180d1ffa695a1cb6fccddfdc8719745e0d21ab082caeffbd0a
DIST nss-pam-ldapd-0.8.14.tar.gz 508949 BLAKE2B ad8532bf86ef93c62394b91b7c3c035dc1090a70b60ab190ed8af012d533e61fe067b4383388af0d3a53142dbc96da3468d2aa09c2a30f92b9cf56434160c6d6 SHA512 70abb1836b5b3304e583fd3b71f11fee7586e181b26f4630779ec1d90b856da6e4fcc76327c51b20a158aa36708dd12ceb5f543a33c826881f2ad3e092f542c9
DIST nss-pam-ldapd-0.9.8.tar.gz 771247 BLAKE2B bef3e5ede2b4747277ee400dfa8be620281e4e2a596acff236008e1f0bf6b79d6e309a4ca4bad852f6b0a8f79888cffcfffe09ddea8fde8e53b8450a894598eb SHA512 f0d24afd4cb5cea8155aa719b598448d3d81a896f7bc431f7d73e0617a7b2aa7e0ceb6de0b50163848c5554d96a3c415226e32a92e64ed91772fec4c64ad135b
DIST nss-pam-ldapd-0.9.9.tar.gz 772059 BLAKE2B 0c1da79d58f19f0c310c0589ca9f286a73ada025028d1a00df938d40dd1211f4dd5ba694de94a37a3596b64b5f8a511127c359a86a60271eb091082dec69e6bb SHA512 8148467523003da397d03b70bb01e52dbc63b0528540aea1d85f6af2ee8af69300e107617b69608397b210e825a2351cfd61b88c4fa146d2e8e9fb9c5cd358e3
-EBUILD nss-pam-ldapd-0.8.14-r2.ebuild 1997 BLAKE2B e46a35f959259a7d1236599c184a6f29f77f46dfb9fe5faa88dd6921c4ea9c005578fa0df10024e5fa5ba786f03d09498f60897212cda3b1ccefd60d24d0a225 SHA512 c9991819449891bc75b941388345871bc047f3f2202569265d9075ba6bd6bc095aca494f22f3411c59197f9401d0d0b109929ad2d0e287d2094c736aa2bcd8d4
-EBUILD nss-pam-ldapd-0.9.8.ebuild 3335 BLAKE2B c159de78ac105c9a24862da7b726c615a17a46dd6d2e3b770d1bd8a6052027c3652b35521b35901a09f0ffbe8e1528ba019c3178e29a39d52ea817a068fe111c SHA512 e7d4c7a05f10d4fb3d3f7ec5a570a63eec8b7adeda6e3474f5a54112d3112495a837c19f78f03db410c79978002e91cb76bd254abd99edcf8d17c5af9f1d5833
-EBUILD nss-pam-ldapd-0.9.9.ebuild 4175 BLAKE2B 7cc1d8ccbb135ec1acb241a772fb61437589e5fe2e25a95dcad2e7bcf5d303eed913784864031eb1f1113baa155a843145e34ba1411d491ce0f873cf38708af5 SHA512 3eeb621027bde4da7372536125f8cf6ef84dac2ecc6b2b554b4191f01f228505fc44e2251332501a5d8e1ac2bfa115d0722ea03ca1a63af39800c58524d24099
+EBUILD nss-pam-ldapd-0.8.14-r2.ebuild 1999 BLAKE2B 87751b3ceb0c761dca60bba6423b7f1e7fd65f04a788b5041f4c45f602343c543453fb05b2590337317b248e1c55d337fd45e7945428be70587fa1e869aa78eb SHA512 1fcdd8cf9be65a62d6703a947246dce9c78996fa6b5460c987fc1671e87e1713abfcc9c2bcd206f720db76dce20f06f0f5e91f27034f706191242c0caafad747
+EBUILD nss-pam-ldapd-0.9.8.ebuild 3337 BLAKE2B 640ffe29bc87802be8b87da38e86e59ed4f3d0d48fa07d5057ed9af456b7e68fd1448a6e145e8c754329286efa814e1c667641d1c90180c114932f2a7b309fb3 SHA512 13e2e210d0014611d8ccd715c93960bb935c335ea8a064e16de347a965d1ad38e48380530b56d59e02d3132f786728560a87137cf260613d598122ef3485385e
+EBUILD nss-pam-ldapd-0.9.9.ebuild 4177 BLAKE2B a06abfdfe830f26c06aac0b21672634ab91ca89788751c62a2e4a252b02aa41ff944570dd215d49a288030b01055ab3e8b4888cdc7544700f97f1527dbe6fe4a SHA512 9b6654460a1bfa665388c2c2cd2ed2ab14be09bbaa8f480c68c25b1d0720356a2887b73df7761015ff8efff08e1fa26c72f5ebff7738ca4b5cfe12fe95682ae0
MISC metadata.xml 1169 BLAKE2B 22b5c9adcafb123a6af088ddfcaa1962eaf250ed153020e65afe36a0e6473b1f8c624f770634a91c3a983c74ded1d43535bb4930f13c6470fad681f5a77fcd51 SHA512 ab658f7d791db370920a4eb57da8ead2713b1cabda6f2dccd24478855043802e7c70a07c3aeaa33829b19dc94a4317d8b5ebec07d1caebe07b4fb3bc59b27b4c
diff --git a/sys-auth/nss-pam-ldapd/nss-pam-ldapd-0.8.14-r2.ebuild b/sys-auth/nss-pam-ldapd/nss-pam-ldapd-0.8.14-r2.ebuild
index e25cca2ef612..4fc22ea33856 100644
--- a/sys-auth/nss-pam-ldapd/nss-pam-ldapd-0.8.14-r2.ebuild
+++ b/sys-auth/nss-pam-ldapd/nss-pam-ldapd-0.8.14-r2.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2015 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=5
@@ -6,8 +6,8 @@ EAPI=5
inherit multilib-minimal user
DESCRIPTION="NSS module for name lookups using LDAP"
-HOMEPAGE="http://arthurdejong.org/nss-pam-ldapd/"
-SRC_URI="http://arthurdejong.org/nss-pam-ldapd/${P}.tar.gz"
+HOMEPAGE="https://arthurdejong.org/nss-pam-ldapd/"
+SRC_URI="https://arthurdejong.org/nss-pam-ldapd/${P}.tar.gz"
LICENSE="LGPL-2.1"
SLOT="0"
diff --git a/sys-auth/nss-pam-ldapd/nss-pam-ldapd-0.9.8.ebuild b/sys-auth/nss-pam-ldapd/nss-pam-ldapd-0.9.8.ebuild
index edce37919103..c57719dcc887 100644
--- a/sys-auth/nss-pam-ldapd/nss-pam-ldapd-0.9.8.ebuild
+++ b/sys-auth/nss-pam-ldapd/nss-pam-ldapd-0.9.8.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2017 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=5
@@ -7,8 +7,8 @@ PYTHON_COMPAT=(python2_7)
inherit eutils prefix user python-r1 multilib multilib-minimal systemd s6
DESCRIPTION="NSS module for name lookups using LDAP"
-HOMEPAGE="http://arthurdejong.org/nss-pam-ldapd/"
-SRC_URI="http://arthurdejong.org/${PN}/${P}.tar.gz"
+HOMEPAGE="https://arthurdejong.org/nss-pam-ldapd/"
+SRC_URI="https://arthurdejong.org/${PN}/${P}.tar.gz"
LICENSE="LGPL-2.1"
SLOT="0"
diff --git a/sys-auth/nss-pam-ldapd/nss-pam-ldapd-0.9.9.ebuild b/sys-auth/nss-pam-ldapd/nss-pam-ldapd-0.9.9.ebuild
index bdec7ea6e243..2ebd0f700a52 100644
--- a/sys-auth/nss-pam-ldapd/nss-pam-ldapd-0.9.9.ebuild
+++ b/sys-auth/nss-pam-ldapd/nss-pam-ldapd-0.9.9.ebuild
@@ -7,8 +7,8 @@ PYTHON_COMPAT=(python2_7)
inherit eutils prefix user python-r1 multilib multilib-minimal systemd s6
DESCRIPTION="NSS module for name lookups using LDAP"
-HOMEPAGE="http://arthurdejong.org/nss-pam-ldapd/"
-SRC_URI="http://arthurdejong.org/${PN}/${P}.tar.gz"
+HOMEPAGE="https://arthurdejong.org/nss-pam-ldapd/"
+SRC_URI="https://arthurdejong.org/${PN}/${P}.tar.gz"
LICENSE="LGPL-2.1"
SLOT="0"