
I am trying FreeIPA integration with golang using the package "gopkg.in/ldap.v2". I created one role with the name "test" in the FreeIPA UI and tried to search for that role.

Via the command line:

ldapsearch -D "cn=directory manager" -w "*****" -p 389 -h "ec2-test.eu-west-1.compute.amazonaws.com" -b "dc=ec2-test,dc=eu-west-1,dc=compute,dc=amazonaws,dc=com" -v -s sub "(&(objectclass=*)(cn=test))"

Output:

ldap_initialize( ldap://ec2-test.eu-west-1.compute.amazonaws.com:389 ) filter: (&(objectclass=*)(cn=test)) requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=ec2-test,dc=eu-west-1,dc=compute,dc=amazonaws,dc=com> with scope subtree
# filter: (&(objectclass=*)(cn=test))
# requesting: ALL
#

# test, roles, accounts, ec2-test.eu-west-1.compute.amazonaws.com
dn: cn=test,cn=roles,cn=accounts,dc=ec2-test,dc=eu-west-1,dc=compute,dc=amazonaws,dc=com
objectClass: groupofnames
objectClass: nestedgroup
objectClass: top
cn: test
member: uid=gow,cn=users,cn=accounts,dc=ec2-test,dc=eu-west-1,dc=compute,dc=amazonaws,dc=com
member: cn=trov,cn=groups,cn=accounts,dc=ec2-test,dc=eu-west-1,dc=compute,dc=amazonaws,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I am trying to integrate this with my Go code. My Go code is:

filterValue := "(&(objectclass=*)(cn=test))" // values inside an LDAP filter are not quoted
searchRequest := ldap.NewSearchRequest(
    baseDN, // The base DN to search
    ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
    filterValue, // The filter to apply
    []string{"givenName", "sn", "mail", "uid", "ou", "cn", "dc", "dn"}, // Attributes to retrieve
    nil,
)
sr, err := l.Search(searchRequest) // l is the *ldap.Conn returned by ldap.Dial
if err != nil {
    fmt.Println("Error:", err)
} else {
    fmt.Println("Result:", sr.Entries)
}

Unfortunately I am getting empty entries in sr.Entries.

Can someone help me to get this working with golang?

Note: It's working fine for users and groups.

  • Are you binding as "cn=directory manager" as you are for the command line? Might be a rights issue. – jwilleke Jul 10 '17 at 16:05
  • @jwilleke, thanks for your reply. Actually we are using the Go LDAP SDK as I mentioned above; in that, the function we use to search users, "ldap.NewSearchRequest", does not allow passing extra parameters (cn=directory manager). – Gowrishankar Pandurangan Jul 12 '17 at 11:38
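The ldapsearch output in the question is LDIF, and the two member lines that look broken ("dc=comp ute") are LDIF line folding: ldapsearch wraps long values and marks the continuation with a leading space, which the Go library hides from you but which matters when you read such dumps yourself. The following is an added example, not code from the question or from gopkg.in/ldap.v2: a small LDIF reader, written with only the standard library, that unfolds continuation lines, skips comments, groups attributes per entry and returns the members of the role. SampleLDIF is a constructed copy of the question's output; Entry, ParseLDIF and RoleMembers are names chosen for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Entry is one LDIF record: its DN plus its (multi-valued) attributes.
type Entry struct {
	DN    string
	Attrs map[string][]string
}

// SampleLDIF is a constructed copy of the ldapsearch output from the question,
// written the way ldapsearch prints it: "#" comment lines, a blank line between
// records, and long values folded onto a continuation line that starts with a
// single space.
const SampleLDIF = `# extended LDIF
# LDAPv3
# filter: (&(objectclass=*)(cn=test))

# test, roles, accounts, ec2-test.eu-west-1.compute.amazonaws.com
dn: cn=test,cn=roles,cn=accounts,dc=ec2-test,dc=eu-west-1,dc=compute,dc=amazonaws,dc=com
objectClass: groupofnames
objectClass: nestedgroup
objectClass: top
cn: test
member: uid=gow,cn=users,cn=accounts,dc=ec2-test,dc=eu-west-1,dc=comp
 ute,dc=amazonaws,dc=com
member: cn=trov,cn=groups,cn=accounts,dc=ec2-test,dc=eu-west-1,dc=com
 pute,dc=amazonaws,dc=com

# search result
search: 2
result: 0 Success
`

// unfold drops comment lines and joins folded continuation lines.
func unfold(ldif string) []string {
	var lines []string
	sc := bufio.NewScanner(strings.NewReader(ldif))
	for sc.Scan() {
		line := sc.Text()
		switch {
		case strings.HasPrefix(line, "#"):
			continue // comment
		case strings.HasPrefix(line, " ") && len(lines) > 0:
			lines[len(lines)-1] += line[1:] // continuation of the previous line
		default:
			lines = append(lines, line)
		}
	}
	return lines
}

// ParseLDIF parses the records of an ldapsearch dump. Records without a dn
// line (the "search:"/"result:" trailer) are skipped. Base64 values
// ("attr:: ...") are rejected rather than silently mis-read.
func ParseLDIF(ldif string) ([]Entry, error) {
	var entries []Entry
	cur := Entry{Attrs: map[string][]string{}}
	flush := func() {
		if cur.DN != "" {
			entries = append(entries, cur)
		}
		cur = Entry{Attrs: map[string][]string{}}
	}
	for _, line := range unfold(ldif) {
		if line == "" {
			flush()
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("malformed LDIF line %q", line)
		}
		name, value := parts[0], parts[1]
		if strings.HasPrefix(value, ":") {
			return nil, fmt.Errorf("base64 value not supported in %q", line)
		}
		value = strings.TrimSpace(value)
		if strings.EqualFold(name, "dn") {
			cur.DN = value
		} else {
			cur.Attrs[name] = append(cur.Attrs[name], value)
		}
	}
	flush()
	return entries, nil
}

// RoleMembers returns the member DNs of the entry whose cn equals roleCN
// (case-insensitively, as LDAP compares cn values), or nil if there is none.
func RoleMembers(entries []Entry, roleCN string) []string {
	for _, e := range entries {
		for _, cn := range e.Attrs["cn"] {
			if strings.EqualFold(cn, roleCN) {
				return e.Attrs["member"]
			}
		}
	}
	return nil
}

func main() {
	entries, err := ParseLDIF(SampleLDIF)
	if err != nil {
		panic(err)
	}
	for _, m := range RoleMembers(entries, "test") {
		fmt.Println("member:", m)
	}
}
```

With the library, the same data arrives as sr.Entries[i].DN and sr.Entries[i].GetAttributeValues("member"); note that the question's attribute list does not ask for "member" or "objectClass", so even a successful search there would not return the role's membership.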

2 Answers


You "probably" need to bind before you start the search using something like:

    package main

    import (
        "crypto/tls"
        "fmt"
        "log"

        "gopkg.in/ldap.v2"
    )

    func main() {
        // The username and password we want to check
        username := "someuser"
        password := "userpassword"

        bindusername := "readonly"
        bindpassword := "password"

        l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", "ldap.example.com", 389))
        if err != nil {
            log.Fatal(err)
        }
        defer l.Close()

        // Reconnect with TLS. InsecureSkipVerify disables certificate checking,
        // so keep it for test setups only; otherwise set RootCAs to the server's CA.
        err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})
        if err != nil {
            log.Fatal(err)
        }

        // First bind with a read only user
        err = l.Bind(bindusername, bindpassword)
        if err != nil {
            log.Fatal(err)
        }

        // Search for the given username. EscapeFilter stops filter
        // metacharacters in the input from changing the query.
        searchRequest := ldap.NewSearchRequest(
            "dc=example,dc=com",
            ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
            fmt.Sprintf("(&(objectClass=organizationalPerson)(uid=%s))", ldap.EscapeFilter(username)),
            []string{"dn"},
            nil,
        )

        sr, err := l.Search(searchRequest)
        if err != nil {
            log.Fatal(err)
        }
        if len(sr.Entries) != 1 {
            log.Fatal("User does not exist or too many entries returned")
        }
        userdn := sr.Entries[0].DN

        // Bind as the user to verify their password
        err = l.Bind(userdn, password)
        if err != nil {
            log.Fatal(err)
        }
    }

Let me know how I can help.

jwilleke
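The answer's snippet builds the filter with fmt.Sprintf straight from the username, and the question's filter is assembled by hand in the same way. A value that contains filter metacharacters ("*", "(", ")", "\") then changes what the search matches instead of being compared literally. The following is an added example, not part of the answer or of gopkg.in/ldap.v2: it implements the RFC 4515 value escaping that the library's ldap.EscapeFilter performs, using only the standard library so it runs without the dependency, and composes the role filter from the question and the user filter from the answer with it. EscapeFilter, EqualityFilter, RoleFilter and UserFilter are names chosen for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// EscapeFilter escapes a value for use inside an LDAP search filter as
// specified by RFC 4515: '*', '(', ')', '\', NUL and every non-ASCII byte are
// replaced by a backslash and two hex digits. This follows the same rules as
// ldap.EscapeFilter in gopkg.in/ldap.v2 (re-implemented here for this example).
func EscapeFilter(value string) string {
	var b strings.Builder
	for i := 0; i < len(value); i++ {
		c := value[i]
		if c == '*' || c == '(' || c == ')' || c == '\\' || c == 0 || c > 0x7f {
			fmt.Fprintf(&b, "\\%02x", c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// EqualityFilter builds "(&(objectClass=<class>)(<attr>=<value>))". Only the
// caller-supplied value is escaped; class and attribute names are fixed by
// the program, not by user input.
func EqualityFilter(objectClass, attr, value string) string {
	return fmt.Sprintf("(&(objectClass=%s)(%s=%s))", objectClass, attr, EscapeFilter(value))
}

// RoleFilter matches a FreeIPA role entry by cn. The ldapsearch output in the
// question shows roles carry objectClass groupofnames, so that replaces the
// question's "objectclass=*" which matches every entry type.
func RoleFilter(roleCN string) string {
	return EqualityFilter("groupofnames", "cn", roleCN)
}

// UserFilter is the user lookup from the answer, with the uid escaped.
func UserFilter(uid string) string {
	return EqualityFilter("organizationalPerson", "uid", uid)
}

func main() {
	fmt.Println(RoleFilter("test"))
	fmt.Println(UserFilter("someuser"))
	// A value made only of the wildcard character stays a literal comparison
	// and no longer matches every user:
	fmt.Println(UserFilter("*"))
}
```

In the answer's code this corresponds to passing ldap.EscapeFilter(username) into fmt.Sprintf instead of the raw username. The other hardening point in that snippet is the StartTLS call: InsecureSkipVerify: true accepts any certificate the server presents, so a production client should load the FreeIPA CA (on enrolled hosts, /etc/ipa/ca.crt) into tls.Config.RootCAs and set ServerName to the server's hostname instead.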

A little late, perhaps, but if you're looking for an HTTP-based API (as you seem to do in one of the answer's comments), you could look at the following article:

http://www.admin-magazine.com/Archive/2016/34/A-REST-interface-for-FreeIPA

There is actually a very complete JSON-RPC API that is accessible via HTTP. The article linked above gives an example of how to use it. Armed with the API browser included in the FreeIPA GUI you should be able to use the HTTP client in Go to code your own functions.

Barring that, GitHub has two potential libraries for you:

The first implements only a few functions, but these could be enough for your needs. The other one is automatically generated but I don't know how good the result is.

Note that I have used neither, so I cannot comment on their usability.