FAB-5531 Create 1.0.1 fabric-ca release
Single commit which squashes commits
from master for 1.0.1 release based
on FAB-5470

Change-Id: I1d2e555398eebfe22b0d00c8c149fbdbe1f0d7ef
Signed-off-by: Gari Singh <[email protected]>

[FAB-5334] Intermediate CA does not copy BCCSP config

Intermediate CA, when creating CSR with client, should pass
BCCSP FactoryOpts to the client.

Change-Id: I8ac47707aca33fac00ecbc49943a1a0717d11990
Signed-off-by: Volodymyr Paprotski <[email protected]>
(cherry picked from commit b9e8a8e)
Signed-off-by: Gari Singh <[email protected]>

[FAB-4126] Convert fatal message to error

log.Fatal exits the process with 1, which is not what we want
to do in a util function; we will let the caller decide to
exit or not.

Change-Id: I403a3c621e77eb40b871ab1c0afa1dc2130535e8
Signed-off-by: Anil Ambati <[email protected]>
(cherry picked from commit 086cc2f)
Signed-off-by: Gari Singh <[email protected]>

[FAB-5434] Fix mysql config in fvt image

Ubuntu 16.04.1 recently updated the default
mysql-server package to version 5.7.19.
This is causing fvt tests in CI to fail
on x86_64 (s390x uses Debian Jessie which
uses mysql 5.5.55 so is not affected).

This change is based on work in the
mysql images available on Dockerhub.
The change basically dismisses the
postInstall config and initializes
the database and sets the password
when the image starts up.

Change-Id: Ia8cb6a7faa77a5712a8ebf4d061215186c491e5e
Signed-off-by: Gari Singh <[email protected]>
(cherry picked from commit bc2b642)
Signed-off-by: Gari Singh <[email protected]>

[FAB-4915] Fix timing bug in server stop

This fixes a timing bug in server stop which could only be reproduced
in CI.

See [FAB-4915] for more information.

Change-Id: I3fd36024ed7968b49d6f4e85a7a960f694cf1c7c
Signed-off-by: Keith Smith <[email protected]>
(cherry picked from commit 4e5c55f)
Signed-off-by: Gari Singh <[email protected]>

[FAB-3051] Input validation on CSR fields

RFC 3280 specifies upper bounds for fields in the
CSR. This change set enforces those bounds by
doing input validation on the CSR fields. These
checks will also prevent authentication issues
when the DN gets too long and token authentication
errors out.

For more information, see [FAB-3051]

Change-Id: I170b372f2732b147b3ae0811b071ad4328533d0e
Signed-off-by: Saad Karim <[email protected]>
(cherry picked from commit e03673c)
Signed-off-by: Gari Singh <[email protected]>

[FAB-5239] LDAP reconnect for idle timeout

The fabric-ca-server connects to the LDAP server and caches the connection.
If the LDAP server closes the connection because of inactivity, the
fabric-ca-server should reconnect.  That is what this change set does.

The openldap server is reconfigured to close connections after 1 second of
inactivity and the ldap test case to sleep for 3 seconds to hit this
condition.  The test case fails without the code change and passes with
the code change.

Change-Id: I38b06eb987fe939066acf8ebdc4f2d5b81a9b76f
Signed-off-by: Keith Smith <[email protected]>
(cherry picked from commit d31c0d7)
Signed-off-by: Gari Singh <[email protected]>

[FAB-3662] Document DB version support

Fabric CA documentation updated to state supported
database versions.

Change-Id: Ib03a8fbea01cd4354d47f3ffcb08e37b2c772c54
Signed-off-by: Saad Karim <[email protected]>
(cherry picked from commit dd60a58)
Signed-off-by: Gari Singh <[email protected]>

[FAB-4409] update vendored package cfssl

Updated cfssl package to the latest revision to pull the changes
required by fab-3026

Change-Id: I8b95769c254cacd2d58cd8442d1d601db143d475
Signed-off-by: Anil Ambati <[email protected]>
(cherry picked from commit 2abc451)
Signed-off-by: Gari Singh <[email protected]>

[FAB-4844] Store MSP intermediatecerts

The "fabric-ca-client enroll" command was not storing the intermediatecerts
as expected by MSP.  It was storing the entire chain in the cacerts directory.
This change set splits the CA chain and stores only the 1st one in the
cacerts directory and stores the rest in the intermediatecerts directory.

Unit tests and FVT tests cases fail w/o this fix and pass with it.

Change-Id: Iede943bad9601db08c6c18f79add5608e8dfeaae
Signed-off-by: Keith Smith <[email protected]>
Signed-off-by: Saad Karim <[email protected]>
(cherry picked from commit 3ba0088)
Signed-off-by: Gari Singh <[email protected]>

[FAB-3026] OOM for very large CRLs

A certificate containing a CRL URI that points
to an extremely large file causes the server
to crash with an out of memory exception.

A config option (CRLSizeLimit) has been added
to check and make sure that the requested CRL
does not exceed the size specified by CRLSizeLimit.
The default size limit is 512KB.

This will prevent a malicious intent to crash
server by pointing to a CRL that is very large.

See [FAB-3026] for more information

Change-Id: Ibbb0506faecf29b9a9c0a361c2ff701c9945a973
Signed-off-by: Saad Karim <[email protected]>
(cherry picked from commit f54aaf2)
Signed-off-by: Gari Singh <[email protected]>

[ FAB-5434 ] Fix mysql internal_DB permissions

Fixes the initialization error of mysql server
in fvt tests. This is a problem that is exclusive to
the x86 CI build machines.

Change-Id: I054911218d1906e7a6ecf221e89bc9bee129ac3c
Signed-off-by: rennman <[email protected]>
(cherry picked from commit d24c05c)
Signed-off-by: Gari Singh <[email protected]>

[ FAB-5009 ] Update intermediate CA test

The current intermediate test does not test using TLS,
nor does it test multiple backend DBs. This adds that support,
as well as enroll/reenroll testing.

Since the addition of multiple server starts, the utility
files have been updated to speed up start detection. This
should improve the runtime of the tests.

Change-Id: I84c49878e2e17bd5ac98753b0c10c1a4d479d394
Signed-off-by: rennman <[email protected]>
(cherry picked from commit 72e010e)
Signed-off-by: Gari Singh <[email protected]>

FAB-5530 Vendor latest version of bccsp

See FAB-5407 for changes

Change-Id: I7ffa1aca4e729a79290342fc4f19ae871e78da8a
Signed-off-by: Gari Singh <[email protected]>
(cherry picked from commit fa60287)
Signed-off-by: Gari Singh <[email protected]>

[FAB-5510] Mask the identity password in the log

Identity password is printed in clear when CA config is printed to the log.
For example in the "Init CA with home" debug statement. This change set
fixes that problem.

Change-Id: I1d5d73465559a468ae2be369daf41848c7c1ff5f
Signed-off-by: Anil Ambati <[email protected]>
Signed-off-by: Gari Singh <[email protected]>
(cherry picked from commit 748467f)
Signed-off-by: Gari Singh <[email protected]>
mastersingh24 committed Jul 31, 2017
1 parent a21585d commit 7af5d4a
Showing 772 changed files with 12,857 additions and 105,396 deletions.
27 changes: 25 additions & 2 deletions README.md
Expand Up @@ -84,7 +84,30 @@ Run `go tool pprof -h` to view the options supported by the pprof tool. For more
See [FVT tests](scripts/fvt/README.md) for information on functional verification test cases.


### Updating the cfssl vendored package
Following are the steps to update cfssl package using version 1.0.8 of govendor tool.

* Remove cfssl from vendor folder
* cd $GOPATH/src/github.com/hyperledger/fabric-ca/vendor
* govendor remove github.com/cloudflare/cfssl/...
* rm -rf github.com/cloudflare/cfssl/

<a rel="license" href="https://creativecommons.org/licenses/by/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by/4.0/88x31.png" /></a><br />This work is licensed under a <a rel="license" href="https://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 International License</a>.
s
* Clone cfssl repo
* cd $GOPATH/src/github.com/
* mkdir cloudflare
* cd cloudflare
* git clone https://github.com/cloudflare/cfssl.git

* Add cfssl from $GOPATH to the vendor folder
* cd $GOPATH/src/github.com/hyperledger/fabric-ca/vendor
* govendor add github.com/cloudflare/cfssl/^
* You can optionally specify revision or tag to add a particular revision of code to the vendor folder
* govendor add github.com/cloudflare/cfssl/^@abc12032

* Remove sqlx package from cfssl vendor folder. This is because certsql.NewAccessor (called by fabric-ca) requires sqlx.db object to be passed from the same package. If we were to have sqlx package both in fabric-ca and cfssl vendor folder, go compiler will throw an error
* rm -rf github.com/cloudflare/cfssl/vendor/github.com/jmoiron/sqlx

* Remove the packages that are added to the fabric-ca vendor folder that are not needed by fabric-ca


<a rel="license" href="https://creativecommons.org/licenses/by/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by/4.0/88x31.png" /></a><br />This work is licensed under a <a rel="license" href="https://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 International License</a>
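
Review bot: The last step added to the cfssl procedure, "Remove the packages that are added to the fabric-ca vendor folder that are not needed by fabric-ca", gives no command and no way to identify those packages, unlike every other step in the list. Name the packages, or the check used to find them, so that two people following the steps end up with the same vendor tree. The commands are also written at the same bullet level as the steps they belong to; indenting them under each step would make the sequence readable, and the revision in `govendor add github.com/cloudflare/cfssl/^@abc12032` should be marked as a placeholder.
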
62 changes: 50 additions & 12 deletions cmd/fabric-ca-client/getcacert.go
Expand Up @@ -17,6 +17,8 @@ limitations under the License.
package main

import (
"encoding/pem"
"errors"
"fmt"
"net/url"
"os"
Expand Down Expand Up @@ -89,16 +91,11 @@ func runGetCACert() error {
}

// Store the CAChain in the CACerts folder of MSP (Membership Service Provider)
// The 1st cert in the chain goes into MSP 'cacerts' directory.
// The others (if any) go into the MSP 'intermediates' directory.
func storeCAChain(config *lib.ClientConfig, si *lib.GetServerInfoResponse) error {
mspDir := config.MSPDir
if !util.FileExists(mspDir) {
return fmt.Errorf("Directory does not exist: %s", mspDir)
}
caCertsDir := path.Join(mspDir, "cacerts")
err := os.MkdirAll(caCertsDir, 0755)
if err != nil {
return fmt.Errorf("Failed creating CA certificates directory: %s", err)
}
// Get a unique name to use for filenames
serverURL, err := url.Parse(config.URL)
if err != nil {
return err
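
Review bot: The doc comment on storeCAChain says the remaining certificates go into the MSP 'intermediates' directory, but the code on this page writes them to "intermediatecerts" (or "tlsintermediatecerts" for the tls profile). Make the comment use the real directory name and mention the tls prefix there, since dirPrefixByProfile changes both paths.
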
Expand All @@ -109,11 +106,52 @@ func storeCAChain(config *lib.ClientConfig, si *lib.GetServerInfoResponse) error
}
fname = strings.Replace(fname, ":", "-", -1)
fname = strings.Replace(fname, ".", "-", -1) + ".pem"
path := path.Join(caCertsDir, fname)
err = util.WriteFile(path, si.CAChain, 0644)
// Split the root and intermediate certs
block, intermediateCerts := pem.Decode(si.CAChain)
if block == nil {
return errors.New("No root certificate was found")
}
rootCert := pem.EncodeToMemory(block)
dirPrefix := dirPrefixByProfile(config.Enrollment.Profile)
// Store the root certificate in "cacerts"
certsDir := fmt.Sprintf("%scacerts", dirPrefix)
err = storeFile("CA root certificate", mspDir, certsDir, fname, rootCert)
if err != nil {
return fmt.Errorf("Failed to create CA root file: %s", err)
return err
}
// Store the intermediate certs if there are any
if len(intermediateCerts) > 0 {
certsDir = fmt.Sprintf("%sintermediatecerts", dirPrefix)
err = storeFile("CA intermediate certificates", mspDir, certsDir, fname, intermediateCerts)
if err != nil {
return err
}
}
log.Infof("Stored CA certificate chain at %s", path)
return nil
}

func storeFile(what, mspDir, subDir, fname string, contents []byte) error {
dir := path.Join(mspDir, subDir)
err := os.MkdirAll(dir, 0755)
if err != nil {
return fmt.Errorf("Failed to create directory for %s at '%s': %s", what, dir, err)
}
fpath := path.Join(dir, fname)
err = util.WriteFile(fpath, contents, 0644)
if err != nil {
return fmt.Errorf("Failed to store %s at '%s': %s", what, fpath, err)
}
log.Infof("Stored %s at %s", what, fpath)
return nil
}

// Return the prefix to add to the "cacerts" and "intermediatecerts" directories
// based on the target profile. If the profile is "tls", these directories become
// "tlscacerts" and "tlsintermediatecerts", respectively. There is no prefix for
// any other profile.
func dirPrefixByProfile(profile string) string {
if profile == "tls" {
return "tls"
}
return ""
}
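
Review bot: In storeCAChain, the remainder returned by `pem.Decode(si.CAChain)` is written to the intermediatecerts file without being parsed, and `len(intermediateCerts) > 0` is also true when the remainder holds only blank lines or other non-PEM bytes. That produces an intermediatecerts file with no certificate in it, which whatever loads the MSP directory then has to cope with. Decode the remainder in a loop, check `block.Type == "CERTIFICATE"` for every block including the first, and write the intermediates file only when at least one certificate was found. The code also treats the first block as the root purely by position; state that ordering assumption in the function comment.
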
43 changes: 28 additions & 15 deletions cmd/fabric-ca-client/main_test.go
Expand Up @@ -311,30 +311,37 @@ func testEnroll(t *testing.T) {

// TestMOption tests to make sure that the key is stored in the correct
// directory when the "-M" option is used.
// This also ensures the intermediatecerts directory structure is populated
// since we enroll with an intermediate CA.
func TestMOption(t *testing.T) {
os.RemoveAll(moptionDir)
port := 7173
s := startServer(path.Join(moptionDir, "server"), port, t)
if s == nil {
defer os.RemoveAll(moptionDir)
rootCAPort := 7173
rootServer := startServer(path.Join(moptionDir, "rootServer"), rootCAPort, "", t)
if rootServer == nil {
return
}
defer rootServer.Stop()
rootCAURL := fmt.Sprintf("https://admin:adminpw@localhost:%d", rootCAPort)
intCAPort := 7174
intServer := startServer(path.Join(moptionDir, "intServer"), intCAPort, rootCAURL, t)
if intServer == nil {
return
}
defer intServer.Stop()
homedir := path.Join(moptionDir, "client")
mspdir := "msp2" // relative to homedir
err := RunMain([]string{
cmdName, "enroll",
"-u", fmt.Sprintf("https://admin:adminpw@localhost:%d", port),
"-u", fmt.Sprintf("https://admin:adminpw@localhost:%d", intCAPort),
"-c", path.Join(homedir, "config.yaml"),
"-M", mspdir, "-d"})
if err != nil {
t.Fatalf("client enroll -u failed: %s", err)
}
keystore := path.Join(homedir, mspdir, "keystore")
count := getNumFiles(keystore, t)
if count != 1 {
t.Fatalf("client enroll -M failed: expecting 1 file in keystore %s but found %d",
keystore, count)
}
s.Stop()
assertOneFileInDir(path.Join(homedir, mspdir, "keystore"), t)
assertOneFileInDir(path.Join(homedir, mspdir, "cacerts"), t)
assertOneFileInDir(path.Join(homedir, mspdir, "intermediatecerts"), t)
}

// TestReenroll tests fabric-ca-client reenroll
Expand Down Expand Up @@ -939,16 +946,19 @@ func extraArgErrorTest(in *TestData, t *testing.T) {
}
}

// get the number of files in a directory
func getNumFiles(dir string, t *testing.T) int {
// Make sure there is exactly one file in a directory
func assertOneFileInDir(dir string, t *testing.T) {
files, err := ioutil.ReadDir(dir)
if err != nil {
t.Fatalf("Failed to get number of files in directory '%s': %s", dir, err)
}
return len(files)
count := len(files)
if count != 1 {
t.Fatalf("expecting 1 file in %s but found %d", dir, count)
}
}

func startServer(home string, port int, t *testing.T) *lib.Server {
func startServer(home string, port int, parentURL string, t *testing.T) *lib.Server {
affiliations := map[string]interface{}{"org1": nil}
srv := &lib.Server{
HomeDir: home,
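
Review bot: assertOneFileInDir counts every entry that `ioutil.ReadDir` returns, so a subdirectory inside `dir` counts as a file. Filter with `!f.IsDir()` before comparing the count to 1, or rename the helper to say it counts entries. The message for a ReadDir failure, "Failed to get number of files in directory", would also read better as a failure to read the directory, now that the helper no longer returns a number.
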
Expand All @@ -965,6 +975,9 @@ func startServer(home string, port int, t *testing.T) *lib.Server {
},
},
}
if parentURL != "" {
srv.CA.Config.Intermediate.ParentServer.URL = parentURL
}
err := srv.RegisterBootstrapUser("admin", "adminpw", "")
if err != nil {
t.Fatalf("Failed to register bootstrap user: %s", err)
3 changes: 3 additions & 0 deletions cmd/fabric-ca-server/config.go
Expand Up @@ -84,6 +84,9 @@ port: 7054
# Enables debug logging (default: false)
debug: false
# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000
#############################################################################
# TLS section for the server's listening port
#
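
Review bot: The comment on `crlsizelimit` gives the unit and the default but not what 0 or a negative value means (no limit, reject every CRL, or fall back to the default). This setting is the guard against memory exhaustion described in the commit message, so define the zero case in the comment so that an operator does not switch the limit off by accident. The commit message calls the default 512KB while the value here is 512000 bytes; use one wording in both places.
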
10 changes: 9 additions & 1 deletion docs/source/users-guide.rst
Expand Up @@ -256,6 +256,7 @@ The following shows the Fabric CA server usage message.
--cacount int Number of non-default CA instances
--cafiles stringSlice A list of comma-separated CA configuration files
-c, --config string Configuration file (default "fabric-ca-server-config.yaml")
--crlsizelimit int Size limit of an acceptable CRL in bytes (default 512000)
--csr.cn string The common name field of the certificate signing request to a parent fabric-ca-server
--csr.hosts stringSlice A list of comma-separated host names in a certificate signing request to a parent fabric-ca-server
--db.datasource string Data source which is database specific (default "fabric-ca-server.db")
Expand Down Expand Up @@ -360,6 +361,9 @@ the server's home directory (see `Fabric CA Server <#server>`__ section more inf
# Enables debug logging (default: false)
debug: false
# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000
#############################################################################
# TLS section for the server's listening port
#
Expand Down Expand Up @@ -948,7 +952,11 @@ server's home directory.
If you don't care about running the Fabric CA server in a cluster, you
may skip this section; otherwise, you must configure either PostgreSQL or
MySQL as described below.
MySQL as described below. Fabric CA supports the following database
versions in a cluster setup:
- PostgreSQL: 9.5.5 or later
- MySQL: 5.17.16 or later
PostgreSQL
^^^^^^^^^^
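
Review bot: "MySQL: 5.17.16 or later" looks like a typo: MySQL has no 5.17 series, and the commit message for this same change refers to mysql 5.7.19 and 5.5.55. Confirm the intended minimum version before release. Also check that the two list items are set off from the paragraph above and the "PostgreSQL" heading below by blank lines, which reStructuredText needs in order to render them as a list.
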
8 changes: 8 additions & 0 deletions images/fabric-ca-fvt/start.sh
Expand Up @@ -12,7 +12,15 @@ PORTS=($POSTGRES_PORT $MYSQL_PORT $LDAP_PORT)

timeout=12
su postgres -c 'postgres -D /usr/local/pgsql/data' &
chown -R mysql.mysql /var/lib/mysql
/usr/bin/mysqld_safe --sql-mode=STRICT_TRANS_TABLES &
# Set "olcIdleTimeout" to 1 second to force slapd (the LDAP server) to
# close connections after they have been idle for 1 second. This is
# necessary to adequately validate that the fabric-ca-server correctly
# reconnects after the LDAP server has closed a connection.
# This is not the recommended configuration of slapd from a performance
# perspective.
echo "olcIdleTimeout: 1" >> "/etc/ldap/slapd.d/cn=config.ldif"
/etc/init.d/slapd start &

for port in ${PORTS[*]}; do
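
Review bot: The line `echo "olcIdleTimeout: 1" >> "/etc/ldap/slapd.d/cn=config.ldif"` appends on every run of start.sh, so a container that is restarted ends up with the attribute repeated in cn=config.ldif. Guard it with a grep for olcIdleTimeout, or move the setting into the image build. In `chown -R mysql.mysql /var/lib/mysql`, use `mysql:mysql`; the colon is the portable owner:group separator.
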
1 change: 1 addition & 0 deletions lib/ca.go
Expand Up @@ -257,6 +257,7 @@ func (ca *CA) getCACert() (cert []byte, err error) {
clientCfg.TLS = ca.Config.Intermediate.TLS
clientCfg.Enrollment = ca.Config.Intermediate.Enrollment
clientCfg.CAName = ca.Config.Intermediate.ParentServer.CAName
clientCfg.CSP = ca.Config.CSP
clientCfg.CSR = ca.Config.CSR
if ca.Config.CSR.CN != "" {
return nil, fmt.Errorf("CN '%s' cannot be specified for an intermediate CA. Remove CN from CSR section for enrollment of intermediate CA to be successful", ca.Config.CSR.CN)
6 changes: 3 additions & 3 deletions lib/caconfig.go
Expand Up @@ -117,7 +117,7 @@ type CAConfigIdentity struct {
// the server to connect to
type ParentServer struct {
URL string `opt:"u" help:"URL of the parent fabric-ca-server (e.g. https://<username>:<password>@<address>:<port)"`
CAName string `help:"Name of the CA to connect to on fabric-ca-serve"`
CAName string `help:"Name of the CA to connect to on fabric-ca-server"`
}

// IntermediateCA contains parent server information, TLS configuration, and
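
Review bot: While the ParentServer help strings are being corrected, the URL example in the help text for the URL field still ends in `<port)` with the closing angle bracket missing. Change it to `<port>)` in the same patch so both help strings are fixed together.
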
Expand All @@ -128,6 +128,6 @@ type IntermediateCA struct {
Enrollment api.EnrollmentRequest
}

func (cc *CAConfigIdentity) String() string {
return util.StructToString(cc)
func (cc CAConfigIdentity) String() string {
return util.StructToString(&cc)
}
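
Review bot: String() on CAConfigIdentity moves from a pointer receiver to a value receiver with no comment saying why. With the pointer receiver, fmt only calls String() when it is handed a *CAConfigIdentity, so a CAConfigIdentity value printed with %v or %+v, for instance as an element of a slice inside the CA config, is formatted field by field. If that is the path by which the identity password reached the log (FAB-5510 in the commit message), say so in a comment on the method and add a test that formats a config holding an identity and asserts the password does not appear, so the receiver is not changed back later.
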
18 changes: 18 additions & 0 deletions lib/certdbaccessor.go
Expand Up @@ -189,6 +189,24 @@ func (d *CertDBAccessor) GetUnexpiredCertificates() (crs []certdb.CertificateRec
return crs, err
}

// GetRevokedAndUnexpiredCertificates returns all revoked and unexpired certificates
func (d *CertDBAccessor) GetRevokedAndUnexpiredCertificates() ([]certdb.CertificateRecord, error) {
crs, err := d.accessor.GetRevokedAndUnexpiredCertificates()
if err != nil {
return nil, err
}
return crs, err
}

// GetRevokedAndUnexpiredCertificatesByLabel returns revoked and unexpired certificates matching the label
func (d *CertDBAccessor) GetRevokedAndUnexpiredCertificatesByLabel(label string) ([]certdb.CertificateRecord, error) {
crs, err := d.accessor.GetRevokedAndUnexpiredCertificatesByLabel(label)
if err != nil {
return nil, err
}
return crs, err
}

// RevokeCertificatesByID updates all certificates for a given ID and marks them revoked.
func (d *CertDBAccessor) RevokeCertificatesByID(id string, reasonCode int) (crs []CertRecord, err error) {
log.Debugf("DB: Revoke certificate by ID (%s)", id)
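
Review bot: Both new wrappers end with `if err != nil { return nil, err }` followed by `return crs, err`, where err is always nil by the time the second return runs. Write `return crs, nil`, or return the accessor call directly. They also have no log.Debugf line of the kind RevokeCertificatesByID starts with; add one if these calls should be traceable in debug logs.
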
2 changes: 1 addition & 1 deletion lib/dbutil/dbutil.go
Expand Up @@ -98,7 +98,7 @@ func createSQLiteDBTables(datasource string) error {
}
log.Debug("Created affiliation table")

if _, err := db.Exec("CREATE TABLE IF NOT EXISTS certificates (id VARCHAR(64), serial_number bytea NOT NULL, authority_key_identifier bytea NOT NULL, ca_label bytea, status bytea NOT NULL, reason int, expiry timestamp, revoked_at timestamp, pem bytea NOT NULL, PRIMARY KEY(serial_number, authority_key_identifier))"); err != nil {
if _, err := db.Exec("CREATE TABLE IF NOT EXISTS certificates (id VARCHAR(64), serial_number blob NOT NULL, authority_key_identifier blob NOT NULL, ca_label blob, status blob NOT NULL, reason int, expiry timestamp, revoked_at timestamp, pem blob NOT NULL, PRIMARY KEY(serial_number, authority_key_identifier))"); err != nil {
return fmt.Errorf("Error creating certificates table: %s", err)
}
log.Debug("Created certificates table")
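
Review bot: The column types change from bytea to blob inside a `CREATE TABLE IF NOT EXISTS` statement, so a SQLite database file created by an earlier release keeps its old column declarations and this statement does nothing to it. If the type change is needed for correct behaviour, say in the release notes whether existing database files have to be migrated or recreated; if existing files are unaffected, a comment here saying so would save the next reader the question.
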
54 changes: 33 additions & 21 deletions lib/ldap/client.go
Expand Up @@ -127,13 +127,10 @@ type Client struct {
// for the requested attribute names
func (lc *Client) GetUser(username string, attrNames []string) (spi.User, error) {

log.Debugf("Getting user '%s'", username)
var sresp *ldap.SearchResult
var err error

// Connect to the LDAP server as admin if not already connected
err := lc.adminConnect()
if err != nil {
return nil, err
}
log.Debugf("Getting user '%s'", username)

// Search for the given username
sreq := ldap.NewSearchRequest(
Expand All @@ -143,10 +140,37 @@ func (lc *Client) GetUser(username string, attrNames []string) (spi.User, error)
attrNames,
nil,
)
sresp, err := lc.AdminConn.Search(sreq)
if err != nil {
return nil, fmt.Errorf("LDAP search failure: %s; search request: %+v", err, sreq)

// Try to search using the cached connection, if there is one
conn := lc.AdminConn
if conn != nil {
log.Debugf("Searching for user '%s' using cached connection", username)
sresp, err = conn.Search(sreq)
if err != nil {
log.Debugf("LDAP search failed but will close connection and try again; error was: %s", err)
conn.Close()
lc.AdminConn = nil
}
}

// If there was no cached connection or the search failed for any reason
// (including because the server may have closed the cached connection),
// try with a new connection.
if sresp == nil {
log.Debugf("Searching for user '%s' using new connection", username)
conn, err = lc.newConnection()
if err != nil {
return nil, err
}
sresp, err = conn.Search(sreq)
if err != nil {
conn.Close()
return nil, fmt.Errorf("LDAP search failure: %s; search request: %+v", err, sreq)
}
// Cache the connection
lc.AdminConn = conn
}

// Make sure there was exactly one match found
if len(sresp.Entries) < 1 {
return nil, fmt.Errorf("User '%s' does not exist in LDAP directory", username)
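
Review bot: In GetUser, the retry path reads, closes and reassigns lc.AdminConn with no lock visible in this hunk, so two concurrent calls that both hit a stale cached connection can each close it, or one call can search on a connection the other has just closed. Guard AdminConn with a mutex on Client, or stop sharing one connection across requests. The retry also runs after any search error, not only a closed connection, and the first error is logged only at debug level: a request that fails for another reason now opens a new connection on every call and its original error is lost. Retry only on network errors, or include the first error in the one that is returned.
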
Expand Down Expand Up @@ -221,18 +245,6 @@ func (lc *Client) DeleteAffiliation(name string) error {
return errNotSupported
}

// Create an admin connection to the LDAP server and cache it in the client
func (lc *Client) adminConnect() error {
if lc.AdminConn == nil {
conn, err := lc.newConnection()
if err != nil {
return err
}
lc.AdminConn = conn
}
return nil
}

// Connect to the LDAP server and bind as user as admin user as specified in LDAP URL
func (lc *Client) newConnection() (conn *ldap.Conn, err error) {
address := fmt.Sprintf("%s:%d", lc.Host, lc.Port)