From 9cc9e6e986cc1b3247bcee5020ae32f731c22fba Mon Sep 17 00:00:00 2001
From: Michael Aldridge
Date: Sat, 27 Aug 2022 17:35:45 -0500
Subject: [PATCH] internal/ldap: Add option to bind anonmyously
---
 internal/ldap/bind.go | 5 +++++
 internal/ldap/option.go | 5 +++++
 internal/ldap/type.go | 2 ++
 main.go | 10 +++++++++-
 4 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/internal/ldap/bind.go b/internal/ldap/bind.go
index 8d6bbd1..2adda68 100644
--- a/internal/ldap/bind.go
+++ b/internal/ldap/bind.go
@@ -22,6 +22,11 @@ func (s *server) handleBind(w ldap.ResponseWriter, m *ldap.Message) {
 s.l.Debug("Bind from dn", "dn", r.Name())
+ if s.allowAnon && r.Name() == "" {
+ res := ldap.NewBindResponse(ldap.LDAPResultSuccess)
+ w.Write(res)
+ }
+
 entityID, err := s.entityIDFromDN(r.Name())
 if err != nil {
 res := ldap.NewBindResponse(ldap.LDAPResultInvalidDNSyntax)
diff --git a/internal/ldap/option.go b/internal/ldap/option.go
index cb2ad0a..598227a 100644
--- a/internal/ldap/option.go
+++ b/internal/ldap/option.go
@@ -12,3 +12,8 @@ func WithLogger(l hclog.Logger) Option { return func(s *server) { s.l = l.Named(
 // WithNetAuth sets the NetAuth client for the server.
 func WithNetAuth(n naClient) Option { return func(s *server) { s.c = n } }
+
+ // WithAnonBind enables anonymous bind support which is necessary in
+ // some cases that the client wishes to do an initial anonymous bind,
+ // followed by an immediate rebind as a real entity.
+ func WithAnonBind(a bool) Option { return func(s *server) { s.allowAnon = a } }
diff --git a/internal/ldap/type.go b/internal/ldap/type.go
index 486b9d4..d36c03f 100644
--- a/internal/ldap/type.go
+++ b/internal/ldap/type.go
@@ -27,4 +27,6 @@ type server struct {
 l hclog.Logger
 nc []string
+
+ allowAnon bool
 }
diff --git a/main.go b/main.go
index f2a58f7..f0932a7 100644
--- a/main.go
+++ b/main.go
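Review bot: The anonymous-bind branch in the bind.go hunk writes a success BindResponse but does not return, so the handler falls through to `s.entityIDFromDN(r.Name())` with an empty DN; judging from the visible lines, that presumably fails and a second, contradictory response (InvalidDNSyntax) is then written for the same message, leaving the client with two replies to one bind. Add `return` immediately after `w.Write(res)` inside the `if s.allowAnon && r.Name() == ""` block. The check also looks only at the DN: RFC 4513 defines an anonymous bind as an empty name together with an empty password, so consider also requiring the request's simple credential to be empty, otherwise an empty-DN bind that carries a password is accepted as anonymous rather than rejected. handleBind begins and ends outside this hunk, so whether the response for the error path is written later in the function cannot be confirmed here.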
@@ -18,6 +18,7 @@ func init() {
 viper.SetDefault("ldap.tls", false)
 viper.SetDefault("ldap.key", "/var/lib/netauth/keys/ldap.key")
 viper.SetDefault("ldap.cert", "/var/lib/netauth/keys/ldap.cert")
+ viper.SetDefault("ldap.allow_anon", false)
 }
 func main() {
@@ -51,6 +52,9 @@ func main() {
 viper.AddConfigPath("/etc/netauth/")
 viper.AddConfigPath("$HOME/.netauth/")
 viper.AddConfigPath(".")
+ viper.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
+ viper.SetEnvPrefix("NETAUTH")
+ viper.AutomaticEnv()
 if err := viper.ReadInConfig(); err != nil {
 appLogger.Error("Error loading config", "error", err)
 os.Exit(5)
@@ -62,7 +66,11 @@ func main() {
 os.Exit(2)
 }
- ls := ldap.New(ldap.WithLogger(appLogger), ldap.WithNetAuth(nacl))
+ ls := ldap.New(
+ ldap.WithLogger(appLogger),
+ ldap.WithNetAuth(nacl),
+ ldap.WithAnonBind(viper.GetBool("ldap.allow_anon")),
+ )
 ls.SetDomain(viper.GetString("ldap.domain"))
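Review bot: The new `viper.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))` line in the second main.go hunk uses the `strings` package, and the diffstat's nine insertions for main.go are fully accounted for by the three hunks shown, so no import is added; if `strings` is not already imported earlier in main.go this will not build. The prefix/replacer combination is also not self-explanatory to an operator, so a comment above the three new lines would help, e.g. `// Environment overrides config: NETAUTH_LDAP_ALLOW_ANON should map to ldap.allow_anon.` Since every config key, including `ldap.key`, `ldap.cert` and `ldap.allow_anon`, becomes overridable from the environment, the documentation should say so explicitly. main's body starts before and continues after this hunk.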