add stats and kill http calls

ldap.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"log"
 	"net"
+	"regexp"
 	"strings"
 	"time"
 
@@ -43,6 +44,61 @@ func (l *ldapConfig) addIPRange(s string) error {
 	return nil
 }
 
+// auth loop. Try all auth profiles from startProfile
+// return the last possible profile and the mail if we found a mail like login
+func (s *OpenVpnMgt) AuthLoop(startProfile, user, pass string, overridePwdCheck bool) (string, string) {
+	login := []string{user}
+	profile := startProfile
+	mail := ""
+
+	re := regexp.MustCompile("^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+.[a-zA-Z0-9-.]+$")
+
+	for {
+		if re.MatchString(login[0]) && mail == "" {
+			mail = login[0]
+		}
+		n := profile
+
+		for k, ldap := range s.ldap {
+			if ldap.upgradeFrom != profile {
+				continue
+			}
+			err, userOk, passOk, secondary := ldap.Auth(login, pass)
+
+			// if there is an error, try the other configurations
+			if err != nil {
+				log.Printf("user %s not validated as %s\n", user, k)
+				continue
+			}
+
+			// we did find a valid User
+			if userOk {
+				// the login for the new auth level is given by the current one
+				login = secondary
+
+				if passOk && profile != "" {
+					// it's at least the second auth level, and we have a valid
+					// password on 2 different auth system. It's a dupplicate
+					// password, let's log it
+					log.Printf("User %s has a dupplicate password\n", user)
+				}
+
+				// we have either a positive auth ok a previous valid one
+				if passOk || profile != "" || overridePwdCheck {
+					profile = k
+				}
+			}
+		}
+
+		// no profile update this turn, no need to continue
+		if n == profile {
+			break
+		}
+	}
+
+	return profile, mail
+}
+
 // override the real DialTLS function
 func myDialTLS(network, addr string, config *tls.Config) (*ldap.Conn, error) {
 	dc, err := net.DialTimeout(network, addr, 3*time.Second)