Add ldapsearch hack script

[#185658904]
Joshua Casey 2023-07-27 09:24:30 -05:00
parent e2e9819c58
commit 3aacc95412
2 changed files with 102 additions and 0 deletions

19
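--- a/hack/ldapsearch/README.md
+++ b/hack/ldapsearch/README.md
@@ -0,0 +1,19 @@
+# ldapsearch.sh
+Translate your `LDAPIdentityProvider` into `ldapsearch` queries for debugging purposes.
+Usage
+```shell
+kubectl get ldapidentityprovider <name> \
+--namespace=<namespace> \
+--output=yaml | ./hack/ldapsearch/ldapsearch.sh
+```
+Add `--debug` for some additional output.
+```shell
+kubectl get ldapidentityprovider <name> \
+--namespace=<namespace> \
+--output=yaml | ./hack/ldapsearch/ldapsearch.sh --debug
+```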
83
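--- a/hack/ldapsearch/ldapsearch.sh
+++ b/hack/ldapsearch/ldapsearch.sh
@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+# Copyright 2023 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+set -euo pipefail
+STDIN_DUMP=`mktemp`
+trap "rm $STDIN_DUMP" EXIT
+# Read from STDIN
+cat > $STDIN_DUMP
+LDAP_IDENTITY_PROVIDER_FILE=`mktemp`
+trap "rm $LDAP_IDENTITY_PROVIDER_FILE" EXIT
+yq 'select(document_index == 0)' $STDIN_DUMP > $LDAP_IDENTITY_PROVIDER_FILE
+LDAP_IDP_NAME=`yq '.metadata.name' $LDAP_IDENTITY_PROVIDER_FILE`
+LDAP_IDP_NAMESPACE=`yq '.metadata.namespace' $LDAP_IDENTITY_PROVIDER_FILE`
+LDAP_HOST=`yq '.spec.host' $LDAP_IDENTITY_PROVIDER_FILE`
+LDAP_USER_SEARCH_BASE_DN=`yq '.spec.userSearch.base' $LDAP_IDENTITY_PROVIDER_FILE`
+LDAP_USER_SEARCH_FILTER=`yq '.spec.userSearch.filter' $LDAP_IDENTITY_PROVIDER_FILE`
+LDAP_CA_BUNDLE=`yq '.spec.tls.certificateAuthorityData | @base64d' $LDAP_IDENTITY_PROVIDER_FILE`
+LDAP_BIND_SECRETNAME=`yq '.spec.bind.secretName' $LDAP_IDENTITY_PROVIDER_FILE`
+LDAP_BIND_DN=""
+LDAP_BIND_PASSWORD=""
+if [[ -n "${LDAP_BIND_SECRETNAME}" ]]; then
+LDAP_BIND_SECRET_FILE=`mktemp`
+trap "rm $LDAP_BIND_SECRET_FILE" EXIT
+kubectl get secret "$LDAP_BIND_SECRETNAME" \
+--namespace "$LDAP_IDP_NAMESPACE" \
+--output yaml > $LDAP_BIND_SECRET_FILE
+LDAP_BIND_DN=`yq '.data.username | @base64d' $LDAP_BIND_SECRET_FILE`
+LDAP_BIND_PASSWORD=`yq '.data.password | @base64d' $LDAP_BIND_SECRET_FILE`
+fi
+if [[ "${1:-}" == "--debug" ]]; then
+echo LDAP_IDP_NAME="$LDAP_IDP_NAME"
+echo LDAP_IDP_NAMESPACE="$LDAP_IDP_NAMESPACE"
+echo LDAP_HOST="$LDAP_HOST"
+echo LDAP_USER_SEARCH_BASE_DN="$LDAP_USER_SEARCH_BASE_DN"
+echo LDAP_USER_SEARCH_FILTER="$LDAP_USER_SEARCH_FILTER"
+echo LDAP_CA_BUNDLE="$LDAP_CA_BUNDLE"
+echo LDAP_BIND_SECRETNAME="$LDAP_BIND_SECRETNAME"
+echo LDAP_BIND_DN="$LDAP_BIND_DN"
+echo LDAP_BIND_PASSWORD="$LDAP_BIND_PASSWORD"
+fi
+output=()
+if [[ -n "${LDAP_CA_BUNDLE}" ]]; then
+LDAP_CA_BUNDLE_FILE=ldaptls_cacert.pem
+echo "$LDAP_CA_BUNDLE" > $LDAP_CA_BUNDLE_FILE
+output+=("LDAPTLS_CACERT=$LDAP_CA_BUNDLE_FILE")
+fi
+output+=("ldapsearch" "-x")
+output+=("-H" "ldaps://$LDAP_HOST")
+if [[ -n "${LDAP_BIND_DN}" ]]; then
+output+=("-D" "$LDAP_BIND_DN")
+fi
+if [[ -n "${LDAP_BIND_PASSWORD}" ]]; then
+output+=("-w" "$LDAP_BIND_PASSWORD")
+fi
+output+=("-b" "$LDAP_USER_SEARCH_BASE_DN")
+output+=("-s" "sub")
+output+=("$LDAP_USER_SEARCH_FILTER")
+echo "${output[*]}"
+#LDAPTLS_CACERT=/path/to/ca-bundle.pem ldapsearch \
+#-x -H ldaps://LDAP_HOST -D LDAP_BIND_DN -w LDAP_BIND_PASSWORD \
+#-b LDAP_USER_SEARCH_BASE_DN \
+#-s sub (LDAP_USER_SEARCH_FILTER-with-placeholder-replaced-by-username)
+#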
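Review bot: The three `trap "rm $FILE" EXIT` registrations (on STDIN_DUMP, LDAP_IDENTITY_PROVIDER_FILE and LDAP_BIND_SECRET_FILE) each replace the previous handler, so only the last-registered temp file is removed on exit and the earlier one or two — including the dumped secret file when the bind branch is not the last trap set — are left behind in $TMPDIR; register one handler after the first mktemp instead, `cleanup() { rm -f -- "$STDIN_DUMP" "$LDAP_IDENTITY_PROVIDER_FILE" "${LDAP_BIND_SECRET_FILE:-}"; }` followed by `trap cleanup EXIT`. The generated command also places the bind password on the `ldapsearch` argv via `-w`, where it is visible to `ps` and ends up in shell history once pasted; emitting `-y` with a 0600 temp file holding the password, or `-W` to prompt, keeps it off the command line. `echo "${output[*]}"` drops all quoting, so a filter containing parentheses or a base DN with spaces will not paste back as one argument; `printf '%q ' "${output[@]}"; echo` prints a re-runnable command. Note too that `yq` prints the literal string `null` for an absent key, so the `-n` checks on LDAP_BIND_SECRETNAME, LDAP_CA_BUNDLE and LDAP_BIND_DN do not guard a missing `spec.bind` or `spec.tls`; testing `!= "null"` as well would.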