private void Init()
{
if (_options.LdapIgnoreTlsErrors || _options.LdapIgnoreTlsValidation)
{
_ldapRemoteCertValidator = CustomServerCertValidation;
}
// Validate required options
if (_options == null)
{
throw new Exception("missing configuration options");
}
if (_options.LdapHostnames?.Count() < 1)
{
throw new ArgumentException("options must specify at least one LDAP hostname",
nameof(_options.LdapHostnames));
}
if (string.IsNullOrEmpty(_options.LdapBindUserDN))
{
throw new ArgumentException("options missing or invalid LDAP bind distinguished name (DN)",
nameof(_options.LdapBindUserDN));
}
if (string.IsNullOrEmpty(_options.LdapBindPassword))
{
throw new ArgumentException("options missing or invalid LDAP bind password",
nameof(_options.LdapBindPassword));
}
if (string.IsNullOrEmpty(_options.LdapSearchBase))
{
throw new ArgumentException($"options must specify LDAP search base",
nameof(_options.LdapSearchBase));
}
// All other configuration is optional, but some may warrant attention
if (!_options.HideUserNotFound)
{
_logger.LogWarning($"option [{nameof(_options.HideUserNotFound)}] is DISABLED;"
+ " the presence or absence of usernames can be harvested");
}
if (!_options.LdapIgnoreTlsErrors)
{
_logger.LogWarning($"option [{nameof(_options.LdapIgnoreTlsErrors)}] is ENABLED;"
+ " invalid certificates will be allowed");
}
else if (!_options.LdapIgnoreTlsValidation)
{
_logger.LogWarning($"option [{nameof(_options.LdapIgnoreTlsValidation)}] is ENABLED;"
+ " untrusted certificate roots will be allowed");
}
if (_options.LdapPort != LdapConnection.DEFAULT_SSL_PORT && !_options.LdapStartTls)
{
_logger.LogWarning($"option [{nameof(_options.LdapStartTls)}] is DISABLED"
+ $" in combination with non-standard TLS port [{_options.LdapPort}]");
}
}
private void Init()
{
if (_options.LdapIgnoreTlsErrors || _options.LdapIgnoreTlsValidation)
{
_ldapRemoteCertValidator = CustomServerCertValidation;
}
// Validate required options
if (_options == null)
{
throw new Exception("missing configuration options");
}
// LDAP Host Names
ValidateAndLogConfig(nameof(_options.LdapHostnames), _options.LdapHostnames,
(true, (_options.LdapHostnames?.Length ?? 0) < 1,
"options must specify at least one LDAP hostname"));
// LDAP Bind Credentials
ValidateAndLogConfig(nameof(_options.LdapBindDistName), _options.LdapBindDistName,
(true, string.IsNullOrEmpty(_options.LdapBindDistName),
"options missing or invalid LDAP bind distinguished name (DN)"));
ValidateAndLogConfig(nameof(_options.LdapBindPassword), "****** (MASKED)",
(true, string.IsNullOrEmpty(_options.LdapBindPassword),
"options missing or invalid LDAP bind password"));
// LDAP Search Base
ValidateAndLogConfig(nameof(_options.LdapSearchBase), _options.LdapSearchBase,
(true, string.IsNullOrEmpty(_options.LdapSearchBase),
$"options must specify LDAP search base"));
// All other configuration is optional, but some may warrant attention
ValidateAndLogConfig(nameof(_options.HideUserNotFound), _options.HideUserNotFound,
(false, !_options.HideUserNotFound,
"is DISABLED; the presence or absence of usernames can be harvested"));
ValidateAndLogConfig(nameof(_options.LdapPort), _options.LdapPort);
ValidateAndLogConfig(nameof(_options.LdapStartTls), _options.LdapStartTls,
(false, _options.LdapPort != LdapConnection.DEFAULT_SSL_PORT && !_options.LdapStartTls,
"is DISABLED; in combination with non-standard TLS port"));
ValidateAndLogConfig(nameof(_options.LdapIgnoreTlsErrors), _options.LdapIgnoreTlsErrors,
(false, _options.LdapIgnoreTlsErrors,
"is ENABLED; invalid certificates will be allowed"));
ValidateAndLogConfig(nameof(_options.LdapIgnoreTlsValidation), _options.LdapIgnoreTlsValidation,
(false, _options.LdapIgnoreTlsValidation,
"is ENABLED; untrusted certificate roots will be allowed"));
void ValidateAndLogConfig(string name, object value,
params (bool throwIfFail, bool isFail, string failMsg)[] validations)
private void Init()
{
// Validate required options
if (!(Settings is LdapPasswordChangeOptions options))
{
throw new Exception("missing configuration options");
}
if (options.LdapIgnoreTlsErrors || options.LdapIgnoreTlsValidation)
{
_ldapRemoteCertValidator = CustomServerCertValidation;
}
if (options.LdapHostnames?.Length < 1)
{
throw new ArgumentException("options must specify at least one LDAP hostname",
nameof(options.LdapHostnames));
}
if (string.IsNullOrEmpty(options.LdapUsername))
{
throw new ArgumentException("options missing or invalid LDAP bind distinguished name (DN)",
nameof(options.LdapUsername));
}
if (string.IsNullOrEmpty(options.LdapPassword))
{
throw new ArgumentException("options missing or invalid LDAP bind password",
nameof(options.LdapPassword));
}
if (string.IsNullOrEmpty(options.LdapSearchBase))
{
throw new ArgumentException("options must specify LDAP search base",
nameof(options.LdapSearchBase));
}
if (string.IsNullOrWhiteSpace(options.LdapSearchFilter))
{
throw new ArgumentException(
"No ldapSearchFilter is set. Fill attribute ldapSearchFilter in file appsettings.json",
nameof(options.LdapSearchFilter));
}
if (!options.LdapSearchFilter.Contains("{Username}"))
{
throw new ArgumentException(
"The ldapSearchFilter should include {{Username}} value in the template string",
nameof(options.LdapSearchFilter));
}
// All other configuration is optional, but some may warrant attention
if (!options.HideUserNotFound)
{
_logger.LogWarning($"option [{nameof(options.HideUserNotFound)}] is DISABLED; the presence or absence of usernames can be harvested");
}
if (!options.LdapIgnoreTlsErrors)
{
_logger.LogWarning($"option [{nameof(options.LdapIgnoreTlsErrors)}] is ENABLED; invalid certificates will be allowed");
}
else if (!options.LdapIgnoreTlsValidation)
{
_logger.LogWarning($"option [{nameof(options.LdapIgnoreTlsValidation)}] is ENABLED; untrusted certificate roots will be allowed");
}
if (options.LdapPort != LdapConnection.DEFAULT_SSL_PORT && !options.LdapStartTls)
{
_logger.LogWarning($"option [{nameof(options.LdapStartTls)}] is DISABLED in combination with non-standard TLS port [{options.LdapPort}]");
}
}