added SASL EXTERNAL client cert example to both example_test.go files (#277)

* added SASL EXTERNAL client cert example to both example_test.go files

Author: 62726164

bind.go

@@ -10,9 +10,8 @@ import (
 	"math/rand"
 	"strings"
 
-	ber "github.com/go-asn1-ber/asn1-ber"
 	"github.com/Azure/go-ntlmssp"
-
+	ber "github.com/go-asn1-ber/asn1-ber"
 )
 
 // SimpleBindRequest represents a username/password bind operation
@@ -395,7 +394,7 @@ func (l *Conn) ExternalBind() error {
 // NTLMBindRequest represents an NTLMSSP bind operation
 type NTLMBindRequest struct {
 	// Domain is the AD Domain to authenticate too. If not specified, it will be grabbed from the NTLMSSP Challenge
-	Domain   string
+	Domain string
 	// Username is the name of the Directory object that the client wishes to bind as
 	Username string
 	// Password is the credentials to bind with

error.go

@@ -212,9 +212,9 @@ func GetLDAPError(packet *ber.Packet) error {
 			}
 			return &Error{
 				ResultCode: resultCode,
-				MatchedDN: response.Children[1].Value.(string),
-				Err: fmt.Errorf("%s", response.Children[2].Value.(string)),
-				Packet: packet,
+				MatchedDN:  response.Children[1].Value.(string),
+				Err:        fmt.Errorf("%s", response.Children[2].Value.(string)),
+				Packet:     packet,
 			}
 		}
 	}
@@ -246,6 +246,7 @@ func IsErrorAnyOf(err error, codes ...uint16) bool {
 
 	return false
 }
+
 // IsErrorWithCode returns true if the given error is an LDAP error with the given result code
 func IsErrorWithCode(err error, desiredResultCode uint16) bool {
 	return IsErrorAnyOf(err, desiredResultCode)

examples_test.go

@@ -2,7 +2,9 @@ package ldap
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"io/ioutil"
 	"log"
 )
 
@@ -340,3 +342,52 @@ func ExampleControlPaging_manualPaging() {
 		break
 	}
 }
+
+// This example demonstrates how to use EXTERNAL SASL with TLS client certificates.
+func ExampleConn_ExternalBind() {
+	var ldapCert = "/path/to/cert.pem"
+	var ldapKey = "/path/to/key.pem"
+	var ldapCAchain = "/path/to/ca_chain.pem"
+
+	// Load client cert and key
+	cert, err := tls.LoadX509KeyPair(ldapCert, ldapKey)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Load CA chain
+	caCert, err := ioutil.ReadFile(ldapCAchain)
+	if err != nil {
+		log.Fatal(err)
+	}
+	caCertPool := x509.NewCertPool()
+	caCertPool.AppendCertsFromPEM(caCert)
+
+	// Setup TLS with ldap client cert
+	tlsConfig := &tls.Config{
+		Certificates:       []tls.Certificate{cert},
+		RootCAs:            caCertPool,
+		InsecureSkipVerify: true,
+	}
+
+	// connect to ldap server
+	l, err := DialURL("ldap://ldap.example.com:389")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer l.Close()
+
+	// reconnect using tls
+	err = l.StartTLS(tlsConfig)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// sasl external bind
+	err = l.ExternalBind()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Conduct ldap queries
+}

v3/bind.go

@@ -10,9 +10,8 @@ import (
 	"math/rand"
 	"strings"
 
-	ber "github.com/go-asn1-ber/asn1-ber"
 	"github.com/Azure/go-ntlmssp"
-
+	ber "github.com/go-asn1-ber/asn1-ber"
 )
 
 // SimpleBindRequest represents a username/password bind operation
@@ -395,7 +394,7 @@ func (l *Conn) ExternalBind() error {
 // NTLMBindRequest represents an NTLMSSP bind operation
 type NTLMBindRequest struct {
 	// Domain is the AD Domain to authenticate too. If not specified, it will be grabbed from the NTLMSSP Challenge
-	Domain   string
+	Domain string
 	// Username is the name of the Directory object that the client wishes to bind as
 	Username string
 	// Password is the credentials to bind with

v3/error.go

@@ -212,9 +212,9 @@ func GetLDAPError(packet *ber.Packet) error {
 			}
 			return &Error{
 				ResultCode: resultCode,
-				MatchedDN: response.Children[1].Value.(string),
-				Err: fmt.Errorf("%s", response.Children[2].Value.(string)),
-				Packet: packet,
+				MatchedDN:  response.Children[1].Value.(string),
+				Err:        fmt.Errorf("%s", response.Children[2].Value.(string)),
+				Packet:     packet,
 			}
 		}
 	}
@@ -246,6 +246,7 @@ func IsErrorAnyOf(err error, codes ...uint16) bool {
 
 	return false
 }
+
 // IsErrorWithCode returns true if the given error is an LDAP error with the given result code
 func IsErrorWithCode(err error, desiredResultCode uint16) bool {
 	return IsErrorAnyOf(err, desiredResultCode)

v3/examples_test.go

@@ -2,7 +2,9 @@ package ldap
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"io/ioutil"
 	"log"
 )
 
@@ -340,3 +342,52 @@ func ExampleControlPaging_manualPaging() {
 		break
 	}
 }
+
+// This example demonstrates how to use EXTERNAL SASL with TLS client certificates.
+func ExampleConn_ExternalBind() {
+	var ldapCert = "/path/to/cert.pem"
+	var ldapKey = "/path/to/key.pem"
+	var ldapCAchain = "/path/to/ca_chain.pem"
+
+	// Load client cert and key
+	cert, err := tls.LoadX509KeyPair(ldapCert, ldapKey)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Load CA chain
+	caCert, err := ioutil.ReadFile(ldapCAchain)
+	if err != nil {
+		log.Fatal(err)
+	}
+	caCertPool := x509.NewCertPool()
+	caCertPool.AppendCertsFromPEM(caCert)
+
+	// Setup TLS with ldap client cert
+	tlsConfig := &tls.Config{
+		Certificates:       []tls.Certificate{cert},
+		RootCAs:            caCertPool,
+		InsecureSkipVerify: true,
+	}
+
+	// connect to ldap server
+	l, err := DialURL("ldap://ldap.example.com:389")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer l.Close()
+
+	// reconnect using tls
+	err = l.StartTLS(tlsConfig)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// sasl external bind
+	err = l.ExternalBind()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Conduct ldap queries
+}