Merge pull request #19 from butonic/direct-accounts-access

directly talk to accounts
2026-06-21 22:38:55 -04:00 · 2020-06-19 15:33:02 +02:00
parent 44e252306a 9c1fb51906
commit 3e6aeb65cb
9 changed files with 979 additions and 154 deletions
--- a/docs/_index.md
+++ b/docs/_index.md
@@ -8,3 +8,7 @@ geekdocFilePath: _index.md
 ---

 This service provides a simple glauth world API which can be used by clients or other extensions.
+
+- reiner proxy
+ldap für eos und firewall
+- backend ist der accounts service
--- a/go.mod
+++ b/go.mod
@@ -4,18 +4,24 @@ go 1.13

 require (
 	contrib.go.opencensus.io/exporter/jaeger v0.2.0
-	contrib.go.opencensus.io/exporter/ocagent v0.6.0
+	contrib.go.opencensus.io/exporter/ocagent v0.7.0
 	contrib.go.opencensus.io/exporter/zipkin v0.1.1
+	github.com/GeertJohan/yubigo v0.0.0-20190917122436-175bc097e60e
 	github.com/UnnoTed/fileb0x v1.1.4
 	github.com/glauth/glauth v1.1.3-0.20200228160118-2d4f5d547682
 	github.com/go-logr/logr v0.1.0
-	github.com/micro/cli/v2 v2.1.1
-	github.com/oklog/run v1.0.0
+	github.com/micro/cli/v2 v2.1.2
+	github.com/micro/go-micro/v2 v2.6.0
+	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
+	github.com/nmcclain/ldap v0.0.0-20191021200707-3b3b69a7e9e3
+	github.com/oklog/run v1.1.0
 	github.com/openzipkin/zipkin-go v0.2.2
-	github.com/owncloud/ocis-pkg/v2 v2.0.1
+	github.com/owncloud/ocis-accounts v0.1.2-0.20200617152311-02e759f95e82
+	github.com/owncloud/ocis-pkg/v2 v2.2.1
 	github.com/restic/calens v0.2.0
-	github.com/rs/zerolog v1.17.2
-	github.com/spf13/afero v1.2.2 // indirect
-	github.com/spf13/viper v1.5.0
-	go.opencensus.io v0.22.2
+	github.com/rs/zerolog v1.19.0
+	github.com/spf13/viper v1.7.0
+	go.opencensus.io v0.22.4
 )
+
+replace google.golang.org/grpc => google.golang.org/grpc v1.26.0
--- a/go.sum
+++ b/go.sum
--- a/pkg/command/server.go
+++ b/pkg/command/server.go
@@ -2,25 +2,29 @@ package command

 import (
 	"context"
-	"github.com/owncloud/ocis-glauth/pkg/crypto"
 	"os"
 	"os/signal"
 	"strings"
 	"time"

+	"github.com/owncloud/ocis-glauth/pkg/crypto"
+
 	"contrib.go.opencensus.io/exporter/jaeger"
 	"contrib.go.opencensus.io/exporter/ocagent"
 	"contrib.go.opencensus.io/exporter/zipkin"
 	glauthcfg "github.com/glauth/glauth/pkg/config"
-	glauth "github.com/glauth/glauth/pkg/server"
+
 	"github.com/micro/cli/v2"
+	"github.com/micro/go-micro/v2"
+	"github.com/micro/go-micro/v2/client"
 	"github.com/oklog/run"
 	openzipkin "github.com/openzipkin/zipkin-go"
 	zipkinhttp "github.com/openzipkin/zipkin-go/reporter/http"
+	accounts "github.com/owncloud/ocis-accounts/pkg/proto/v0"
 	"github.com/owncloud/ocis-glauth/pkg/config"
 	"github.com/owncloud/ocis-glauth/pkg/flagset"
-	"github.com/owncloud/ocis-glauth/pkg/mlogr"
 	"github.com/owncloud/ocis-glauth/pkg/server/debug"
+	"github.com/owncloud/ocis-glauth/pkg/server/glauth"
 	"go.opencensus.io/stats/view"
 	"go.opencensus.io/trace"
 )
@@ -36,8 +40,6 @@ func Server(cfg *config.Config) *cli.Command {
 				cfg.HTTP.Root = strings.TrimSuffix(cfg.HTTP.Root, "/")
 			}

-			cfg.Backend.Servers = c.StringSlice("backend-server")
-
 			return ParseConfig(c, cfg)
 		},
 		Action: func(c *cli.Context) error {
@@ -136,7 +138,6 @@ func Server(cfg *config.Config) *cli.Command {
 			defer cancel()

 			{
-				log := mlogr.New(&logger)
 				cfg := glauthcfg.Config{
 					LDAP: glauthcfg.LDAP{
 						Enabled: cfg.Ldap.Enabled,
@@ -149,101 +150,11 @@ func Server(cfg *config.Config) *cli.Command {
 						Key:     cfg.Ldaps.Key,
 					},
 					Backend: glauthcfg.Backend{
-						Datastore:   cfg.Backend.Datastore,
 						BaseDN:      cfg.Backend.BaseDN,
 						Insecure:    cfg.Backend.Insecure,
 						NameFormat:  cfg.Backend.NameFormat,
 						GroupFormat: cfg.Backend.GroupFormat,
-						Servers:     cfg.Backend.Servers,
 						SSHKeyAttr:  cfg.Backend.SSHKeyAttr,
-						UseGraphAPI: cfg.Backend.UseGraphAPI,
-					},
-					// TODO read users for the config backend from config file
-					Users: []glauthcfg.User{
-						glauthcfg.User{
-							Name:         "einstein",
-							GivenName:    "Albert",
-							SN:           "Einstein",
-							UnixID:       20000,
-							PrimaryGroup: 30000,
-							OtherGroups:  []int{30001, 30002, 30007},
-							Mail:         "einstein@example.org",
-							PassSHA256:   "69bf3575281a970f46e37ecd28b79cfbee6a46e55c10dc91dd36a43410387ab8", // relativity
-						},
-						glauthcfg.User{
-							Name:         "marie",
-							GivenName:    "Marie",
-							SN:           "Curie",
-							UnixID:       20001,
-							PrimaryGroup: 30000,
-							OtherGroups:  []int{30003, 30004, 30007},
-							Mail:         "marie@example.org",
-							PassSHA256:   "149a807f82e22b796942efa1010063f4a278cf078ff56ef1d3fc6c156037cef9", // radioactivity
-						},
-						glauthcfg.User{
-							Name:         "feynman",
-							GivenName:    "Richard",
-							SN:           "Feynman",
-							UnixID:       20002,
-							PrimaryGroup: 30000,
-							OtherGroups:  []int{30005, 30006, 30007},
-							Mail:         "feynman@example.org",
-							PassSHA256:   "1e2183d3a6017bb01131e27204bb66d3c5fa273acf421c8f9bd4bd633e3d70a8", // superfluidity
-						},
-
-						// technical users for ocis
-						glauthcfg.User{
-							Name:         "konnectd",
-							UnixID:       10000,
-							PrimaryGroup: 15000,
-							Mail:         "idp@example.org",
-							PassSHA256:   "e1b6c4460fda166b70f77093f8a2f9b9e0055a5141ed8c6a67cf1105b1af23ca", // konnectd
-						},
-						glauthcfg.User{
-							Name:         "reva",
-							UnixID:       10001,
-							PrimaryGroup: 15000,
-							Mail:         "storage@example.org",
-							PassSHA256:   "60a43483d1a41327e689c3ba0451c42661d6a101151e041aa09206305c83e74b", // reva
-						},
-					},
-					Groups: []glauthcfg.Group{
-						glauthcfg.Group{
-							Name:   "users",
-							UnixID: 30000,
-						},
-						glauthcfg.Group{
-							Name:   "sailing-lovers",
-							UnixID: 30001,
-						},
-						glauthcfg.Group{
-							Name:   "violin-haters",
-							UnixID: 30002,
-						},
-						glauthcfg.Group{
-							Name:   "radium-lovers",
-							UnixID: 30003,
-						},
-						glauthcfg.Group{
-							Name:   "polonium-lovers",
-							UnixID: 30004,
-						},
-						glauthcfg.Group{
-							Name:   "quantum-lovers",
-							UnixID: 30005,
-						},
-						glauthcfg.Group{
-							Name:   "philosophy-haters",
-							UnixID: 30006,
-						},
-						glauthcfg.Group{
-							Name:   "physics-lovers",
-							UnixID: 30007,
-						},
-						glauthcfg.Group{
-							Name:   "sysusers",
-							UnixID: 15000,
-						},
 					},
 				}

@@ -254,8 +165,14 @@ func Server(cfg *config.Config) *cli.Command {
 					}
 				}

-				server, err := glauth.NewServer(
-					glauth.Logger(log),
+				as, err := getAccountsService()
+				if err != nil {
+					return err
+				}
+
+				server, err := glauth.Server(
+					glauth.AccountsService(as),
+					glauth.Logger(logger),
 					glauth.Config(&cfg),
 				)

@@ -362,3 +279,19 @@ func Server(cfg *config.Config) *cli.Command {
 		},
 	}
 }
+
+// getAccountsService returns an ocis-accounts service
+func getAccountsService() (accounts.AccountsService, error) {
+	service := micro.NewService()
+
+	// parse command line flags
+	service.Init()
+
+	err := service.Client().Init(
+		client.ContentType("application/json"),
+	)
+	if err != nil {
+		return nil, err
+	}
+	return accounts.NewAccountsService("com.owncloud.api.accounts", service.Client()), nil
+}
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -46,14 +46,11 @@ type Ldaps struct {

 // Backend defined the available backend configuration.
 type Backend struct {
-	Datastore   string
 	BaseDN      string
 	Insecure    bool
 	NameFormat  string
 	GroupFormat string
-	Servers     []string
 	SSHKeyAttr  string
-	UseGraphAPI bool
 }

 // Config combines all available configuration parts.
--- a/pkg/flagset/flagset.go
+++ b/pkg/flagset/flagset.go
@@ -160,13 +160,6 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			Destination: &cfg.Ldaps.Key,
 		},

-		&cli.StringFlag{
-			Name:        "backend-datastore",
-			Value:       "config",
-			Usage:       "datastore to use as the backend. one of config, ldap or owncloud",
-			EnvVars:     []string{"GLAUTH_BACKEND_DATASTORE"},
-			Destination: &cfg.Backend.Datastore,
-		},
 		&cli.StringFlag{
 			Name:        "backend-basedn",
 			Value:       "dc=example,dc=org",
@@ -195,12 +188,6 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"GLAUTH_BACKEND_GROUP_FORMAT"},
 			Destination: &cfg.Backend.GroupFormat,
 		},
-		&cli.StringSliceFlag{
-			Name:    "backend-server",
-			Value:   cli.NewStringSlice("https://demo.owncloud.com"),
-			Usage:   `--backend-servers http://internal1.example.com [--backend-servers http://internal2.example.com]`,
-			EnvVars: []string{"GLAUTH_BACKEND_SERVERS"},
-		},
 		&cli.StringFlag{
 			Name:        "backend-ssh-key-attr",
 			Value:       "sshPublicKey",
@@ -208,12 +195,5 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"GLAUTH_BACKEND_SSH_KEY_ATTR"},
 			Destination: &cfg.Backend.SSHKeyAttr,
 		},
-		&cli.BoolFlag{
-			Name:        "backend-use-graphapi",
-			Value:       true,
-			Usage:       "use Graph API, only for owncloud datastore",
-			EnvVars:     []string{"GLAUTH_BACKEND_USE_GRAPHAPI"},
-			Destination: &cfg.Backend.UseGraphAPI,
-		},
 	}
 }
--- a/pkg/server/glauth/handler.go
+++ b/pkg/server/glauth/handler.go
@@ -0,0 +1,258 @@
+package glauth
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"strconv"
+	"strings"
+
+	"github.com/glauth/glauth/pkg/config"
+	"github.com/glauth/glauth/pkg/handler"
+	"github.com/glauth/glauth/pkg/stats"
+	ber "github.com/nmcclain/asn1-ber"
+	"github.com/nmcclain/ldap"
+	accounts "github.com/owncloud/ocis-accounts/pkg/proto/v0"
+	"github.com/owncloud/ocis-pkg/v2/log"
+)
+
+type ocisHandler struct {
+	as  accounts.AccountsService
+	log log.Logger
+	cfg *config.Config
+}
+
+func (h ocisHandler) Bind(bindDN, bindSimplePw string, conn net.Conn) (ldap.LDAPResultCode, error) {
+	bindDN = strings.ToLower(bindDN)
+	baseDN := strings.ToLower("," + h.cfg.Backend.BaseDN)
+
+	h.log.Debug().Str("binddn", bindDN).Str("basedn", h.cfg.Backend.BaseDN).Interface("src", conn.RemoteAddr()).Msg("Bind request")
+
+	stats.Frontend.Add("bind_reqs", 1)
+
+	// parse the bindDN - ensure that the bindDN ends with the BaseDN
+	if !strings.HasSuffix(bindDN, baseDN) {
+		h.log.Error().Str("binddn", bindDN).Str("basedn", h.cfg.Backend.BaseDN).Interface("src", conn.RemoteAddr()).Msg("BindDN not part of our BaseDN")
+		return ldap.LDAPResultInvalidCredentials, nil
+	}
+	parts := strings.Split(strings.TrimSuffix(bindDN, baseDN), ",")
+	if len(parts) > 2 {
+		h.log.Error().Str("binddn", bindDN).Int("numparts", len(parts)).Interface("src", conn.RemoteAddr()).Msg("BindDN should have only one or two parts")
+		return ldap.LDAPResultInvalidCredentials, nil
+	}
+	userName := strings.TrimPrefix(parts[0], "cn=")
+
+	// check password
+	_, err := h.as.ListAccounts(context.TODO(), &accounts.ListAccountsRequest{
+		//Query: fmt.Sprintf("username eq '%s'", username),
+		// TODO this allows lookung up users when you know the username using basic auth
+		// adding the password to the query is an option but sending the sover the wira a la scim seems ugly
+		// but to set passwords our accounts need it anyway
+		Query: fmt.Sprintf("login eq '%s' and password eq '%s'", userName, bindSimplePw),
+	})
+	if err != nil {
+		h.log.Error().Str("username", userName).Str("binddn", bindDN).Interface("src", conn.RemoteAddr()).Msg("Login failed")
+		return ldap.LDAPResultInvalidCredentials, nil
+	}
+
+	stats.Frontend.Add("bind_successes", 1)
+	h.log.Debug().Str("binddn", bindDN).Interface("src", conn.RemoteAddr()).Msg("Bind success")
+	return ldap.LDAPResultSuccess, nil
+}
+
+func (h ocisHandler) Search(bindDN string, searchReq ldap.SearchRequest, conn net.Conn) (ldap.ServerSearchResult, error) {
+	bindDN = strings.ToLower(bindDN)
+	baseDN := strings.ToLower("," + h.cfg.Backend.BaseDN)
+	searchBaseDN := strings.ToLower(searchReq.BaseDN)
+	h.log.Debug().Str("binddn", bindDN).Str("basedn", h.cfg.Backend.BaseDN).Str("filter", searchReq.Filter).Interface("src", conn.RemoteAddr()).Msg("Search request")
+	stats.Frontend.Add("search_reqs", 1)
+
+	// validate the user is authenticated and has appropriate access
+	if len(bindDN) < 1 {
+		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("search error: Anonymous BindDN not allowed %s", bindDN)
+	}
+	if !strings.HasSuffix(bindDN, baseDN) {
+		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("search error: BindDN %s not in our BaseDN %s", bindDN, h.cfg.Backend.BaseDN)
+	}
+	if !strings.HasSuffix(searchBaseDN, h.cfg.Backend.BaseDN) {
+		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("search error: search BaseDN %s is not in our BaseDN %s", searchBaseDN, h.cfg.Backend.BaseDN)
+	}
+
+	qtype := ""
+	query := ""
+	var err error
+	if searchReq.Filter == "(&)" { // see Absolute True and False Filters in https://tools.ietf.org/html/rfc4526#section-2
+		query = ""
+	} else {
+		var cf *ber.Packet
+		cf, err = ldap.CompileFilter(searchReq.Filter)
+		if err != nil {
+			return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: error parsing filter: %s", searchReq.Filter)
+		}
+		qtype, query, err = parseFilter(cf)
+		if err != nil {
+			return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: error parsing filter: %s", searchReq.Filter)
+		}
+	}
+
+	entries := []*ldap.Entry{}
+	h.log.Debug().Str("binddn", bindDN).Str("basedn", h.cfg.Backend.BaseDN).Str("filter", searchReq.Filter).Str("qtype", qtype).Str("query", query).Msg("parsed query")
+	if qtype == "users" {
+		accounts, err := h.as.ListAccounts(context.TODO(), &accounts.ListAccountsRequest{
+			Query: query,
+		})
+		if err != nil {
+			h.log.Error().Err(err).Str("binddn", bindDN).Str("basedn", h.cfg.Backend.BaseDN).Str("filter", searchReq.Filter).Str("query", query).Interface("src", conn.RemoteAddr()).Msg("Could not list accounts")
+			return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, errors.New("search error: error getting users")
+		}
+		for i := range accounts.Accounts {
+			attrs := []*ldap.EntryAttribute{
+				{Name: "objectClass", Values: []string{"posixAccount", "inetOrgPerson", "organizationalPerson", "Person", "top"}},
+				{Name: "cn", Values: []string{accounts.Accounts[i].PreferredName}},
+				{Name: "uid", Values: []string{accounts.Accounts[i].PreferredName}},
+				{Name: "sn", Values: []string{accounts.Accounts[i].PreferredName}}, // must be set for a valid person
+			}
+			if accounts.Accounts[i].DisplayName != "" {
+				attrs = append(attrs, &ldap.EntryAttribute{Name: "displayName", Values: []string{accounts.Accounts[i].DisplayName}})
+			}
+			if accounts.Accounts[i].Mail != "" {
+				attrs = append(attrs, &ldap.EntryAttribute{Name: "mail", Values: []string{accounts.Accounts[i].Mail}})
+			}
+			if accounts.Accounts[i].UidNumber != 0 { // TODO no root?
+				attrs = append(attrs, &ldap.EntryAttribute{Name: "uidnumber", Values: []string{strconv.FormatInt(accounts.Accounts[i].UidNumber, 10)}})
+			}
+			if accounts.Accounts[i].GidNumber != 0 {
+				attrs = append(attrs, &ldap.EntryAttribute{Name: "gidnumber", Values: []string{strconv.FormatInt(accounts.Accounts[i].GidNumber, 10)}})
+			}
+			if accounts.Accounts[i].Description != "" {
+				attrs = append(attrs, &ldap.EntryAttribute{Name: "description", Values: []string{accounts.Accounts[i].Description}})
+			}
+
+			dn := fmt.Sprintf("%s=%s,%s=%s,%s", h.cfg.Backend.NameFormat, accounts.Accounts[i].PreferredName, h.cfg.Backend.GroupFormat, "users", h.cfg.Backend.BaseDN)
+			entries = append(entries, &ldap.Entry{DN: dn, Attributes: attrs})
+		}
+	}
+
+	stats.Frontend.Add("search_successes", 1)
+	h.log.Debug().Str("binddn", bindDN).Str("basedn", h.cfg.Backend.BaseDN).Str("filter", searchReq.Filter).Interface("src", conn.RemoteAddr()).Msg("AP: Search OK")
+	return ldap.ServerSearchResult{Entries: entries, Referrals: []string{}, Controls: []ldap.Control{}, ResultCode: ldap.LDAPResultSuccess}, nil
+}
+
+// LDAP filters might ask for grouips and users at the same time, eg.
+// (|
+//   (&(objectClass=posixaccount)(cn=einstein))
+//   (&(objectClass=posixgroup)(cn=users))
+// )
+
+// (&(objectClass=posixaccount)(objectClass=posixgroup))
+// qtype is one of
+// "" not determined
+// "users"
+// "groups"
+func parseFilter(f *ber.Packet) (qtype string, q string, err error) {
+	switch ldap.FilterMap[f.Tag] {
+	case "Equality Match":
+		if len(f.Children) != 2 {
+			return "", "", errors.New("equality match must have only two children")
+		}
+		attribute := strings.ToLower(f.Children[0].Value.(string))
+		value := f.Children[1].Value.(string)
+
+		// replace attributes
+		switch attribute {
+		case "objectclass":
+			switch value {
+			case "posixaccount", "shadowaccount", "users", "person", "inetorgperson", "organizationalperson":
+				qtype = "users"
+			case "posixgroup", "groups":
+				qtype = "groups"
+			default:
+				qtype = ""
+			}
+			return qtype, "", nil
+		case "cn", "uid":
+			return "", fmt.Sprintf("preferred_name eq '%s'", strings.ReplaceAll(value, "'", "''")), nil
+		case "mail":
+			return "", fmt.Sprintf("mail eq '%s'", strings.ReplaceAll(value, "'", "''")), nil
+		case "displayname":
+			return "", fmt.Sprintf("display_name eq '%s'", strings.ReplaceAll(value, "'", "''")), nil
+		case "uidnumber":
+			return "", fmt.Sprintf("uid_number eq '%s'", strings.ReplaceAll(value, "'", "''")), nil
+		case "gidnumber":
+			return "", fmt.Sprintf("gid_number eq '%s'", strings.ReplaceAll(value, "'", "''")), nil
+		case "description":
+			return "", fmt.Sprintf("description eq '%s'", strings.ReplaceAll(value, "'", "''")), nil
+		}
+
+		return "", "", fmt.Errorf("filter by %s not implmented", attribute)
+	case "And":
+		subQueries := []string{}
+		for _, child := range f.Children {
+			var subQuery string
+			var qt string
+			qt, subQuery, err = parseFilter(child)
+			if err != nil {
+				return "", "", err
+			}
+			if qtype == "" {
+				qtype = qt
+			} else if qt != "" && qt != qtype {
+				return "", "", fmt.Errorf("mixing user and group filters not supported")
+			}
+			if subQuery != "" {
+				subQueries = append(subQueries, subQuery)
+			}
+		}
+		return qtype, strings.Join(subQueries, " and "), nil
+	case "Or":
+		subQueries := []string{}
+		for _, child := range f.Children {
+			var subQuery string
+			var qt string
+			qt, subQuery, err = parseFilter(child)
+			if err != nil {
+				return "", "", err
+			}
+			if qtype == "" {
+				qtype = qt
+			} else if qt != "" && qt != qtype {
+				return "", "", fmt.Errorf("mixing user and group filters not supported")
+			}
+			if subQuery != "" {
+				subQueries = append(subQueries, subQuery)
+			}
+		}
+		return qtype, strings.Join(subQueries, " or "), nil
+	case "Not":
+		if len(f.Children) != 1 {
+			return "", "", errors.New("not filter must have only one child")
+		}
+		qtype, subQuery, err := parseFilter(f.Children[0])
+		if err != nil {
+			return "", "", err
+		}
+		if subQuery != "" {
+			q = fmt.Sprintf("not %s", subQuery)
+		}
+		return qtype, q, nil
+	}
+	return
+}
+
+func (h ocisHandler) Close(boundDN string, conn net.Conn) error {
+	stats.Frontend.Add("closes", 1)
+	return nil
+}
+
+// NewOCISHandler implements a glauth backend with ocis-accounts as tdhe datasource
+func NewOCISHandler(opts ...Option) handler.Handler {
+	options := newOptions(opts...)
+
+	handler := ocisHandler{
+		log: options.Logger,
+		cfg: options.Config,
+		as:  options.AccountsService,
+	}
+	return handler
+}
--- a/pkg/server/glauth/option.go
+++ b/pkg/server/glauth/option.go
@@ -0,0 +1,59 @@
+package glauth
+
+import (
+	"context"
+
+	"github.com/glauth/glauth/pkg/config"
+	accounts "github.com/owncloud/ocis-accounts/pkg/proto/v0"
+	"github.com/owncloud/ocis-pkg/v2/log"
+)
+
+// Option defines a single option function.
+type Option func(o *Options)
+
+// Options defines the available options for this package.
+type Options struct {
+	Logger          log.Logger
+	Context         context.Context
+	Config          *config.Config
+	AccountsService accounts.AccountsService
+}
+
+// newOptions initializes the available default options.
+func newOptions(opts ...Option) Options {
+	opt := Options{}
+
+	for _, o := range opts {
+		o(&opt)
+	}
+
+	return opt
+}
+
+// Logger provides a function to set the logger option.
+func Logger(val log.Logger) Option {
+	return func(o *Options) {
+		o.Logger = val
+	}
+}
+
+// Context provides a function to set the context option.
+func Context(val context.Context) Option {
+	return func(o *Options) {
+		o.Context = val
+	}
+}
+
+// Config provides a function to set the config option.
+func Config(val *config.Config) Option {
+	return func(o *Options) {
+		o.Config = val
+	}
+}
+
+// AccountsService provides an AccountsService client to set the AccountsService option.
+func AccountsService(val accounts.AccountsService) Option {
+	return func(o *Options) {
+		o.AccountsService = val
+	}
+}
--- a/pkg/server/glauth/server.go
+++ b/pkg/server/glauth/server.go
@@ -0,0 +1,74 @@
+package glauth
+
+import (
+	"errors"
+
+	"github.com/GeertJohan/yubigo"
+	"github.com/glauth/glauth/pkg/config"
+	"github.com/go-logr/logr"
+	"github.com/nmcclain/ldap"
+	"github.com/owncloud/ocis-glauth/pkg/mlogr"
+)
+
+// LdapSvc holds the ldap server struct
+type LdapSvc struct {
+	log      logr.Logger
+	c        *config.Config
+	yubiAuth *yubigo.YubiAuth
+	l        *ldap.Server
+}
+
+// Server initializes the debug service and server.
+func Server(opts ...Option) (*LdapSvc, error) {
+	options := newOptions(opts...)
+
+	s := LdapSvc{
+		log: mlogr.New(&options.Logger),
+		c:   options.Config,
+	}
+
+	var err error
+
+	if len(s.c.YubikeyClientID) > 0 && len(s.c.YubikeySecret) > 0 {
+		s.yubiAuth, err = yubigo.NewYubiAuth(s.c.YubikeyClientID, s.c.YubikeySecret)
+
+		if err != nil {
+			return nil, errors.New("yubikey auth failed")
+		}
+	}
+
+	// configure the backend
+	s.l = ldap.NewServer()
+	s.l.EnforceLDAP = true
+	h := NewOCISHandler(
+		AccountsService(options.AccountsService),
+		Logger(options.Logger),
+		Config(s.c),
+	)
+	s.l.BindFunc("", h)
+	s.l.SearchFunc("", h)
+	s.l.CloseFunc("", h)
+
+	return &s, nil
+}
+
+// ListenAndServe listens on the TCP network address s.c.LDAP.Listen
+func (s *LdapSvc) ListenAndServe() error {
+	s.log.V(3).Info("LDAP server listening", "address", s.c.LDAP.Listen)
+	return s.l.ListenAndServe(s.c.LDAP.Listen)
+}
+
+// ListenAndServeTLS listens on the TCP network address s.c.LDAPS.Listen
+func (s *LdapSvc) ListenAndServeTLS() error {
+	s.log.V(3).Info("LDAPS server listening", "address", s.c.LDAPS.Listen)
+	return s.l.ListenAndServeTLS(
+		s.c.LDAPS.Listen,
+		s.c.LDAPS.Cert,
+		s.c.LDAPS.Key,
+	)
+}
+
+// Shutdown ends listeners by sending true to the ldap serves quit channel
+func (s *LdapSvc) Shutdown() {
+	s.l.Quit <- true
+}