refactor: ldap登录配置迁移至系统配置

2025-11-03 16:00:25 +08:00 · 2023-08-25 23:26:14 +08:00
parent 3634c902d0
commit 649b2bb165
7 changed files with 143 additions and 183 deletions
--- a/server/internal/auth/api/ldap_login.go
+++ b/server/internal/auth/api/ldap_login.go
@@ -1,7 +1,7 @@
 package api

 import (
-	"errors"
+	"crypto/tls"
 	"fmt"
 	"mayfly-go/internal/auth/api/form"
 	msgapp "mayfly-go/internal/msg/application"
@@ -10,14 +10,15 @@ import (
 	"mayfly-go/pkg/biz"
 	"mayfly-go/pkg/cache"
 	"mayfly-go/pkg/captcha"
-	"mayfly-go/pkg/config"
 	"mayfly-go/pkg/ginx"
-	"mayfly-go/pkg/ldap"
 	"mayfly-go/pkg/req"
 	"mayfly-go/pkg/utils/cryptox"
 	"strconv"
+	"strings"
 	"time"

+	"github.com/go-ldap/ldap/v3"
+	"github.com/pkg/errors"
 	"gorm.io/gorm"
 )

@@ -29,12 +30,8 @@ type LdapLogin struct {

 // @router /auth/ldap/enabled [get]
 func (a *LdapLogin) GetLdapEnabled(rc *req.Ctx) {
-	if config.Conf.Ldap != nil {
-		rc.ResData = config.Conf.Ldap.Enabled
-		return
-	}
-
-	rc.ResData = false
+	ldapLoginConfig := a.ConfigApp.GetConfig(sysentity.ConfigKeyLdapLogin).ToLdapLogin()
+	rc.ResData = ldapLoginConfig.Enable
 }

 // @router /auth/ldap/login [post]
@@ -96,7 +93,7 @@ func (a *LdapLogin) createUser(userName, displayName string) {
 }

 func (a *LdapLogin) getOrCreateUserWithLdap(userName string, password string, cols ...string) (*sysentity.Account, error) {
-	userInfo, err := ldap.Authenticate(userName, password)
+	userInfo, err := Authenticate(userName, password)
 	if err != nil {
 		return nil, errors.New("用户名密码错误")
 	}
@@ -110,3 +107,98 @@ func (a *LdapLogin) getOrCreateUserWithLdap(userName string, password string, co
 	}
 	return account, nil
 }
+
+type UserInfo struct {
+	UserName    string
+	DisplayName string
+	Email       string
+}
+
+// Authenticate 通过 LDAP 验证用户名密码
+func Authenticate(username, password string) (*UserInfo, error) {
+	ldapConf := sysapp.GetConfigApp().GetConfig(sysentity.ConfigKeyLdapLogin).ToLdapLogin()
+	conn, err := Connect(ldapConf)
+	if err != nil {
+		return nil, errors.Errorf("connect: %v", err)
+	}
+	defer func() { _ = conn.Close() }()
+
+	sr, err := conn.Search(
+		ldap.NewSearchRequest(
+			ldapConf.BaseDN,
+			ldap.ScopeWholeSubtree,
+			ldap.NeverDerefAliases,
+			0,
+			0,
+			false,
+			strings.ReplaceAll(ldapConf.UserFilter, "%s", username),
+			[]string{"dn", ldapConf.UidMap, ldapConf.UdnMap, ldapConf.EmailMap},
+			nil,
+		),
+	)
+	if err != nil {
+		return nil, errors.Errorf("search user DN: %v", err)
+	} else if len(sr.Entries) != 1 {
+		return nil, errors.Errorf("expect 1 user DN but got %d", len(sr.Entries))
+	}
+	entry := sr.Entries[0]
+
+	// Bind as the user to verify their password
+	err = conn.Bind(entry.DN, password)
+	if err != nil {
+		return nil, errors.Errorf("bind user: %v", err)
+	}
+
+	userName := entry.GetAttributeValue(ldapConf.UidMap)
+	if userName == "" {
+		return nil, errors.Errorf("the attribute %q is not found or has empty value", ldapConf.UidMap)
+	}
+	return &UserInfo{
+		UserName:    userName,
+		DisplayName: entry.GetAttributeValue(ldapConf.UdnMap),
+		Email:       entry.GetAttributeValue(ldapConf.EmailMap),
+	}, nil
+}
+
+// Connect 创建 LDAP 连接
+func Connect(ldapConf *sysentity.ConfigLdapLogin) (*ldap.Conn, error) {
+	conn, err := dial(ldapConf)
+	if err != nil {
+		return nil, err
+	}
+
+	// Bind with a system account
+	err = conn.Bind(ldapConf.BindDN, ldapConf.BindPwd)
+	if err != nil {
+		_ = conn.Close()
+		return nil, errors.Errorf("bind: %v", err)
+	}
+	return conn, nil
+}
+
+func dial(ldapConf *sysentity.ConfigLdapLogin) (*ldap.Conn, error) {
+	addr := fmt.Sprintf("%s:%s", ldapConf.Host, ldapConf.Port)
+	tlsConfig := &tls.Config{
+		ServerName:         ldapConf.Host,
+		InsecureSkipVerify: ldapConf.SkipTLSVerify,
+	}
+	if ldapConf.SecurityProtocol == "LDAPS" {
+		conn, err := ldap.DialTLS("tcp", addr, tlsConfig)
+		if err != nil {
+			return nil, errors.Errorf("dial TLS: %v", err)
+		}
+		return conn, nil
+	}
+
+	conn, err := ldap.Dial("tcp", addr)
+	if err != nil {
+		return nil, errors.Errorf("dial: %v", err)
+	}
+	if ldapConf.SecurityProtocol == "StartTLS" {
+		if err = conn.StartTLS(tlsConfig); err != nil {
+			_ = conn.Close()
+			return nil, errors.Errorf("start TLS: %v", err)
+		}
+	}
+	return conn, nil
+}
--- a/server/internal/sys/domain/entity/config.go
+++ b/server/internal/sys/domain/entity/config.go
@@ -3,12 +3,14 @@ package entity
 import (
 	"encoding/json"
 	"mayfly-go/pkg/model"
+	"mayfly-go/pkg/utils/stringx"
 	"strconv"
 )

 const (
 	ConfigKeyAccountLoginSecurity string = "AccountLoginSecurity" // 账号登录安全配置
 	ConfigKeyOauth2Login          string = "Oauth2Login"          // oauth2认证登录配置
+	ConfigKeyLdapLogin            string = "LdapLogin"            // ldap登录配置
 	ConfigKeyDbQueryMaxCount      string = "DbQueryMaxCount"      // 数据库查询的最大数量
 	ConfigKeyDbSaveQuerySQL       string = "DbSaveQuerySQL"       // 数据库是否记录查询相关sql
 	ConfigUseWartermark           string = "UseWartermark"        // 是否使用水印
@@ -105,13 +107,46 @@ func (c *Config) ToOauth2Login() *ConfigOauth2Login {
 	ol.AuthorizationURL = jm["authorizationURL"]
 	ol.AccessTokenURL = jm["accessTokenURL"]
 	ol.RedirectURL = jm["redirectURL"]
-	ol.Scopes = jm["scopes"]
+	ol.Scopes = stringx.Trim(jm["scopes"])
 	ol.ResourceURL = jm["resourceURL"]
 	ol.UserIdentifier = jm["userIdentifier"]
 	ol.AutoRegister = c.ConvBool(jm["autoRegister"], true)
 	return ol
 }

+type ConfigLdapLogin struct {
+	Enable           bool // 是否启用
+	Host             string
+	Port             string `json:"port"`
+	SkipTLSVerify    bool   `json:"skipTLSVerify"`    // 客户端是否跳过 TLS 证书验证
+	SecurityProtocol string `json:"securityProtocol"` // 安全协议（为Null不使用安全协议），如: StartTLS, LDAPS
+	BindDN           string `json:"bindDn"`           // LDAP 服务的管理员账号，如: "cn=admin,dc=example,dc=com"
+	BindPwd          string `json:"bindPwd"`          // LDAP 服务的管理员密码
+	BaseDN           string `json:"baseDN"`           // 用户所在的 base DN, 如: "ou=users,dc=example,dc=com"
+	UserFilter       string `json:"userFilter"`       // 过滤用户的方式, 如: "(uid=%s)"
+	UidMap           string `json:"UidMap"`           // 用户id和 LDAP 字段名之间的映射关系
+	UdnMap           string `json:"UdnMap"`           // 用户姓名(dispalyName)和 LDAP 字段名之间的映射关系
+	EmailMap         string `json:"emailMap"`         // 用户email和 LDAP 字段名之间的映射关系
+}
+
+// 转换为LdapLogin结构体
+func (c *Config) ToLdapLogin() *ConfigLdapLogin {
+	jm := c.GetJsonMap()
+	ll := new(ConfigLdapLogin)
+	ll.Enable = c.ConvBool(jm["enable"], false)
+	ll.Host = jm["host"]
+	ll.SkipTLSVerify = c.ConvBool(jm["skipTLSVerify"], true)
+	ll.SecurityProtocol = jm["securityProtocol"]
+	ll.BindDN = stringx.Trim(jm["bindDN"])
+	ll.BindPwd = stringx.Trim(jm["bindPwd"])
+	ll.BaseDN = stringx.Trim(jm["baseDN"])
+	ll.UserFilter = stringx.Trim(jm["userFilter"])
+	ll.UidMap = stringx.Trim(jm["uidMap"])
+	ll.UdnMap = stringx.Trim(jm["udnMap"])
+	ll.EmailMap = stringx.Trim(jm["emailMap"])
+	return ll
+}
+
 // 转换配置中的值为bool类型（默认"1"或"true"为true，其他为false）
 func (c *Config) ConvBool(value string, defaultValue bool) bool {
 	if value == "" {