diff --git a/hack/ldapsearch/README.md b/hack/ldapsearch/README.md
new file mode 100644
index 00000000..319bd046
--- /dev/null
+++ b/hack/ldapsearch/README.md
@@ -0,0 +1,19 @@
+# ldapsearch.sh
+
+Translate your `LDAPIdentityProvider` into `ldapsearch` queries for debugging purposes.
+
+Usage
+
+```shell
+kubectl get ldapidentityprovider \
+ --namespace= \
+ --output=yaml | ./hack/ldapsearch/ldapsearch.sh
+```
+
+Add `--debug` for some additional output.
+
+```shell
+kubectl get ldapidentityprovider \
+ --namespace= \
+ --output=yaml | ./hack/ldapsearch/ldapsearch.sh --debug
+```
diff --git a/hack/ldapsearch/ldapsearch.sh b/hack/ldapsearch/ldapsearch.sh
new file mode 100755
index 00000000..195f1949
--- /dev/null
+++ b/hack/ldapsearch/ldapsearch.sh
@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+
+# Copyright 2023 the Pinniped contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+set -euo pipefail
+
+STDIN_DUMP=`mktemp`
+trap "rm $STDIN_DUMP" EXIT
+
+# Read from STDIN
+cat > $STDIN_DUMP
+
+LDAP_IDENTITY_PROVIDER_FILE=`mktemp`
+trap "rm $LDAP_IDENTITY_PROVIDER_FILE" EXIT
+
+yq 'select(document_index == 0)' $STDIN_DUMP > $LDAP_IDENTITY_PROVIDER_FILE
+
+LDAP_IDP_NAME=`yq '.metadata.name' $LDAP_IDENTITY_PROVIDER_FILE`
+LDAP_IDP_NAMESPACE=`yq '.metadata.namespace' $LDAP_IDENTITY_PROVIDER_FILE`
+LDAP_HOST=`yq '.spec.host' $LDAP_IDENTITY_PROVIDER_FILE`
+LDAP_USER_SEARCH_BASE_DN=`yq '.spec.userSearch.base' $LDAP_IDENTITY_PROVIDER_FILE`
+LDAP_USER_SEARCH_FILTER=`yq '.spec.userSearch.filter' $LDAP_IDENTITY_PROVIDER_FILE`
+LDAP_CA_BUNDLE=`yq '.spec.tls.certificateAuthorityData | @base64d' $LDAP_IDENTITY_PROVIDER_FILE`
+LDAP_BIND_SECRETNAME=`yq '.spec.bind.secretName' $LDAP_IDENTITY_PROVIDER_FILE`
+LDAP_BIND_DN=""
+LDAP_BIND_PASSWORD=""
+
+if [[ -n "${LDAP_BIND_SECRETNAME}" ]]; then
+ LDAP_BIND_SECRET_FILE=`mktemp`
+ trap "rm $LDAP_BIND_SECRET_FILE" EXIT
+
+ kubectl get secret "$LDAP_BIND_SECRETNAME" \
+ --namespace "$LDAP_IDP_NAMESPACE" \
+ --output yaml > $LDAP_BIND_SECRET_FILE
+
+ LDAP_BIND_DN=`yq '.data.username | @base64d' $LDAP_BIND_SECRET_FILE`
+ LDAP_BIND_PASSWORD=`yq '.data.password | @base64d' $LDAP_BIND_SECRET_FILE`
+fi
+
+if [[ "${1:-}" == "--debug" ]]; then
+ echo LDAP_IDP_NAME="$LDAP_IDP_NAME"
+ echo LDAP_IDP_NAMESPACE="$LDAP_IDP_NAMESPACE"
+ echo LDAP_HOST="$LDAP_HOST"
+ echo LDAP_USER_SEARCH_BASE_DN="$LDAP_USER_SEARCH_BASE_DN"
+ echo LDAP_USER_SEARCH_FILTER="$LDAP_USER_SEARCH_FILTER"
+ echo LDAP_CA_BUNDLE="$LDAP_CA_BUNDLE"
+ echo LDAP_BIND_SECRETNAME="$LDAP_BIND_SECRETNAME"
+ echo LDAP_BIND_DN="$LDAP_BIND_DN"
+ echo LDAP_BIND_PASSWORD="$LDAP_BIND_PASSWORD"
+fi
+
+output=()
+
+if [[ -n "${LDAP_CA_BUNDLE}" ]]; then
+ LDAP_CA_BUNDLE_FILE=ldaptls_cacert.pem
+ echo "$LDAP_CA_BUNDLE" > $LDAP_CA_BUNDLE_FILE
+
+ output+=("LDAPTLS_CACERT=$LDAP_CA_BUNDLE_FILE")
+fi
+
+output+=("ldapsearch" "-x")
+output+=("-H" "ldaps://$LDAP_HOST")
+
+if [[ -n "${LDAP_BIND_DN}" ]]; then
+ output+=("-D" "$LDAP_BIND_DN")
+fi
+
+if [[ -n "${LDAP_BIND_PASSWORD}" ]]; then
+ output+=("-w" "$LDAP_BIND_PASSWORD")
+fi
+
+output+=("-b" "$LDAP_USER_SEARCH_BASE_DN")
+output+=("-s" "sub")
+output+=("$LDAP_USER_SEARCH_FILTER")
+
+echo "${output[*]}"
+
+#LDAPTLS_CACERT=/path/to/ca-bundle.pem ldapsearch \
+#-x -H ldaps://LDAP_HOST -D LDAP_BIND_DN -w LDAP_BIND_PASSWORD \
+#-b LDAP_USER_SEARCH_BASE_DN \
+#-s sub (LDAP_USER_SEARCH_FILTER-with-placeholder-replaced-by-username)
+#
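Review bot: The three `trap "rm $X" EXIT` registrations in ldapsearch.sh overwrite each other — bash keeps only the last handler for a signal — so after a run only the last-registered temp file is removed and the STDIN dump (plus the extracted IdP document whenever a bind secret is fetched) is left behind in /tmp. Creating one working directory with `WORKDIR=$(mktemp -d)` and a single `trap 'rm -rf -- "$WORKDIR"' EXIT`, and placing the three files inside it, removes all of them on every exit path. Separately, `echo "${output[*]}"` joins the arguments with plain spaces and no quoting, so a user-search filter containing parentheses (the `{}`-placeholder filters this script is meant to translate) or a base DN with spaces yields a line that is a syntax error when pasted; `printf '%q ' "${output[@]}"` emits a shell-quoted command instead. Note also that the bind password is printed in clear on stdout via `-w` (and again under `--debug`), and once the printed command is pasted it will presumably land in the operator's shell history and be visible in `ps`; for a debugging aid, emitting `-W` (prompt) or `-y <password-file>` would avoid putting the secret on a command line.
```shell
WORKDIR=$(mktemp -d)
trap 'rm -rf -- "$WORKDIR"' EXIT

STDIN_DUMP=$WORKDIR/stdin.yaml
LDAP_IDENTITY_PROVIDER_FILE=$WORKDIR/idp.yaml
# … unchanged: cat > "$STDIN_DUMP", yq field extraction …
 LDAP_BIND_SECRET_FILE=$WORKDIR/bind-secret.yaml   # inside the bind-secret branch; no extra trap
# … unchanged: kubectl get secret, --debug output, argument assembly …
printf '%q ' "${output[@]}"; printf '\n'
```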