TRKJ/mayfly-go
2
0
Fork 0
mirror of https://gitee.com/dromara/mayfly-go synced 2025-11-03 16:00:25 +08:00
Code Issues Packages Projects Releases Wiki Activity

refactor: ldap登录配置迁移至系统配置

Browse Source
This commit is contained in:
meilin.huang
2023-08-25 23:26:14 +08:00
parent 3634c902d0
commit 649b2bb165
7 changed files with 143 additions and 183 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
server/config.yml.example
View File

@@ -37,18 +37,4 @@ log:
level: info level: info
# file: # file:
# path: ./ # path: ./
# name: mayfly-go.log # name: mayfly-go.log
# ldap相关配置
ldap:
enabled: true
host: "ldap.example.com"
port: 389
baseDn: "ou=users,dc=example,dc=com"
bindDn: "cn=admin,dc=example,dc=com"
userFilter: "(&(objectClass=organizationalPerson)(uid=%s))"
bindPassword: "admin123."
fieldMapping:
identifier: "cn"
displayName: "displayName"
email: "mail"

112
server/internal/auth/api/ldap_login.go
View File

@@ -1,7 +1,7 @@
package api package api
import ( import (
"errors" "crypto/tls"
"fmt" "fmt"
"mayfly-go/internal/auth/api/form" "mayfly-go/internal/auth/api/form"
msgapp "mayfly-go/internal/msg/application" msgapp "mayfly-go/internal/msg/application"
@@ -10,14 +10,15 @@ import (
"mayfly-go/pkg/biz" "mayfly-go/pkg/biz"
"mayfly-go/pkg/cache" "mayfly-go/pkg/cache"
"mayfly-go/pkg/captcha" "mayfly-go/pkg/captcha"
"mayfly-go/pkg/config"
"mayfly-go/pkg/ginx" "mayfly-go/pkg/ginx"
"mayfly-go/pkg/ldap"
"mayfly-go/pkg/req" "mayfly-go/pkg/req"
"mayfly-go/pkg/utils/cryptox" "mayfly-go/pkg/utils/cryptox"
"strconv" "strconv"
"strings"
"time" "time"
"github.com/go-ldap/ldap/v3"
"github.com/pkg/errors"
"gorm.io/gorm" "gorm.io/gorm"
) )
@@ -29,12 +30,8 @@ type LdapLogin struct {
// @router /auth/ldap/enabled [get] // @router /auth/ldap/enabled [get]
func (a *LdapLogin) GetLdapEnabled(rc *req.Ctx) { func (a *LdapLogin) GetLdapEnabled(rc *req.Ctx) {
if config.Conf.Ldap != nil { ldapLoginConfig := a.ConfigApp.GetConfig(sysentity.ConfigKeyLdapLogin).ToLdapLogin()
rc.ResData = config.Conf.Ldap.Enabled rc.ResData = ldapLoginConfig.Enable
return
}
rc.ResData = false
} }
// @router /auth/ldap/login [post] // @router /auth/ldap/login [post]
@@ -96,7 +93,7 @@ func (a *LdapLogin) createUser(userName, displayName string) {
} }
func (a *LdapLogin) getOrCreateUserWithLdap(userName string, password string, cols ...string) (*sysentity.Account, error) { func (a *LdapLogin) getOrCreateUserWithLdap(userName string, password string, cols ...string) (*sysentity.Account, error) {
userInfo, err := ldap.Authenticate(userName, password) userInfo, err := Authenticate(userName, password)
if err != nil { if err != nil {
return nil, errors.New("用户名密码错误") return nil, errors.New("用户名密码错误")
} }
@@ -110,3 +107,98 @@ func (a *LdapLogin) getOrCreateUserWithLdap(userName string, password string, co
} }
return account, nil return account, nil
} }
type UserInfo struct {
UserName string
DisplayName string
Email string
}
// Authenticate 通过 LDAP 验证用户名密码
func Authenticate(username, password string) (*UserInfo, error) {
ldapConf := sysapp.GetConfigApp().GetConfig(sysentity.ConfigKeyLdapLogin).ToLdapLogin()
conn, err := Connect(ldapConf)
if err != nil {
return nil, errors.Errorf("connect: %v", err)
}
defer func() { _ = conn.Close() }()
sr, err := conn.Search(
ldap.NewSearchRequest(
ldapConf.BaseDN,
ldap.ScopeWholeSubtree,
ldap.NeverDerefAliases,
0,
0,
false,
strings.ReplaceAll(ldapConf.UserFilter, "%s", username),
[]string{"dn", ldapConf.UidMap, ldapConf.UdnMap, ldapConf.EmailMap},
nil,
),
)
if err != nil {
return nil, errors.Errorf("search user DN: %v", err)
} else if len(sr.Entries) != 1 {
return nil, errors.Errorf("expect 1 user DN but got %d", len(sr.Entries))
}
entry := sr.Entries[0]
// Bind as the user to verify their password
err = conn.Bind(entry.DN, password)
if err != nil {
return nil, errors.Errorf("bind user: %v", err)
}
userName := entry.GetAttributeValue(ldapConf.UidMap)
if userName == "" {
return nil, errors.Errorf("the attribute %q is not found or has empty value", ldapConf.UidMap)
}
return &UserInfo{
UserName: userName,
DisplayName: entry.GetAttributeValue(ldapConf.UdnMap),
Email: entry.GetAttributeValue(ldapConf.EmailMap),
}, nil
}
// Connect 创建 LDAP 连接
func Connect(ldapConf *sysentity.ConfigLdapLogin) (*ldap.Conn, error) {
conn, err := dial(ldapConf)
if err != nil {
return nil, err
}
// Bind with a system account
err = conn.Bind(ldapConf.BindDN, ldapConf.BindPwd)
if err != nil {
_ = conn.Close()
return nil, errors.Errorf("bind: %v", err)
}
return conn, nil
}
func dial(ldapConf *sysentity.ConfigLdapLogin) (*ldap.Conn, error) {
addr := fmt.Sprintf("%s:%s", ldapConf.Host, ldapConf.Port)
tlsConfig := &tls.Config{
ServerName: ldapConf.Host,
InsecureSkipVerify: ldapConf.SkipTLSVerify,
}
if ldapConf.SecurityProtocol == "LDAPS" {
conn, err := ldap.DialTLS("tcp", addr, tlsConfig)
if err != nil {
return nil, errors.Errorf("dial TLS: %v", err)
}
return conn, nil
}
conn, err := ldap.Dial("tcp", addr)
if err != nil {
return nil, errors.Errorf("dial: %v", err)
}
if ldapConf.SecurityProtocol == "StartTLS" {
if err = conn.StartTLS(tlsConfig); err != nil {
_ = conn.Close()
return nil, errors.Errorf("start TLS: %v", err)
}
}
return conn, nil
}

37
server/internal/sys/domain/entity/config.go
View File

@@ -3,12 +3,14 @@ package entity
import ( import (
"encoding/json" "encoding/json"
"mayfly-go/pkg/model" "mayfly-go/pkg/model"
"mayfly-go/pkg/utils/stringx"
"strconv" "strconv"
) )
const ( const (
ConfigKeyAccountLoginSecurity string = "AccountLoginSecurity" // 账号登录安全配置 ConfigKeyAccountLoginSecurity string = "AccountLoginSecurity" // 账号登录安全配置
ConfigKeyOauth2Login string = "Oauth2Login" // oauth2认证登录配置 ConfigKeyOauth2Login string = "Oauth2Login" // oauth2认证登录配置
ConfigKeyLdapLogin string = "LdapLogin" // ldap登录配置
ConfigKeyDbQueryMaxCount string = "DbQueryMaxCount" // 数据库查询的最大数量 ConfigKeyDbQueryMaxCount string = "DbQueryMaxCount" // 数据库查询的最大数量
ConfigKeyDbSaveQuerySQL string = "DbSaveQuerySQL" // 数据库是否记录查询相关sql ConfigKeyDbSaveQuerySQL string = "DbSaveQuerySQL" // 数据库是否记录查询相关sql
ConfigUseWartermark string = "UseWartermark" // 是否使用水印 ConfigUseWartermark string = "UseWartermark" // 是否使用水印
@@ -105,13 +107,46 @@ func (c *Config) ToOauth2Login() *ConfigOauth2Login {
ol.AuthorizationURL = jm["authorizationURL"] ol.AuthorizationURL = jm["authorizationURL"]
ol.AccessTokenURL = jm["accessTokenURL"] ol.AccessTokenURL = jm["accessTokenURL"]
ol.RedirectURL = jm["redirectURL"] ol.RedirectURL = jm["redirectURL"]
ol.Scopes = jm["scopes"] ol.Scopes = stringx.Trim(jm["scopes"])
ol.ResourceURL = jm["resourceURL"] ol.ResourceURL = jm["resourceURL"]
ol.UserIdentifier = jm["userIdentifier"] ol.UserIdentifier = jm["userIdentifier"]
ol.AutoRegister = c.ConvBool(jm["autoRegister"], true) ol.AutoRegister = c.ConvBool(jm["autoRegister"], true)
return ol return ol
} }
type ConfigLdapLogin struct {
Enable bool // 是否启用
Host string
Port string `json:"port"`
SkipTLSVerify bool `json:"skipTLSVerify"` // 客户端是否跳过 TLS 证书验证
SecurityProtocol string `json:"securityProtocol"` // 安全协议为Null不使用安全协议如: StartTLS, LDAPS
BindDN string `json:"bindDn"` // LDAP 服务的管理员账号,如: "cn=admin,dc=example,dc=com"
BindPwd string `json:"bindPwd"` // LDAP 服务的管理员密码
BaseDN string `json:"baseDN"` // 用户所在的 base DN, 如: "ou=users,dc=example,dc=com"
UserFilter string `json:"userFilter"` // 过滤用户的方式, 如: "(uid=%s)"
UidMap string `json:"UidMap"` // 用户id和 LDAP 字段名之间的映射关系
UdnMap string `json:"UdnMap"` // 用户姓名(dispalyName)和 LDAP 字段名之间的映射关系
EmailMap string `json:"emailMap"` // 用户email和 LDAP 字段名之间的映射关系
}
// 转换为LdapLogin结构体
func (c *Config) ToLdapLogin() *ConfigLdapLogin {
jm := c.GetJsonMap()
ll := new(ConfigLdapLogin)
ll.Enable = c.ConvBool(jm["enable"], false)
ll.Host = jm["host"]
ll.SkipTLSVerify = c.ConvBool(jm["skipTLSVerify"], true)
ll.SecurityProtocol = jm["securityProtocol"]
ll.BindDN = stringx.Trim(jm["bindDN"])
ll.BindPwd = stringx.Trim(jm["bindPwd"])
ll.BaseDN = stringx.Trim(jm["baseDN"])
ll.UserFilter = stringx.Trim(jm["userFilter"])
ll.UidMap = stringx.Trim(jm["uidMap"])
ll.UdnMap = stringx.Trim(jm["udnMap"])
ll.EmailMap = stringx.Trim(jm["emailMap"])
return ll
}
// 转换配置中的值为bool类型默认"1"或"true"为true其他为false // 转换配置中的值为bool类型默认"1"或"true"为true其他为false
func (c *Config) ConvBool(value string, defaultValue bool) bool { func (c *Config) ConvBool(value string, defaultValue bool) bool {
if value == "" { if value == "" {

7
server/mayfly-go.sql
View File

@@ -439,8 +439,9 @@ CREATE TABLE `t_sys_config` (
-- Records of t_sys_config -- Records of t_sys_config
-- ---------------------------- -- ----------------------------
BEGIN; BEGIN;
INSERT INTO `t_sys_config` (name, `key`, params, value, remark, permission, create_time, creator_id, creator, update_time, modifier_id, modifier) VALUES('账号登录安全设置', 'AccountLoginSecurity', '[{"name":"登录验证码","model":"useCaptcha","placeholder":"是否启用登录验证码","options":"true,false"},{"name":"双因素校验(OTP)","model":"useOtp","placeholder":"是否启用双因素(OTP)校验","options":"true,false"},{"name":"OTP签发人","model":"otpIssuer","placeholder":"otp签发人"},{"name":"允许失败次数","model":"loginFailCount","placeholder":"登录失败n次后禁止登录"},{"name":"禁止登录时间","model":"loginFailMin","placeholder":"登录失败指定次数后禁止m分钟内再次登录"}]', '{"useCaptcha":"true","useOtp":"false","loginFailCount":"5","loginFailMin":"10","otpIssuer":"mayfly-go"}', '系统账号登录相关安全设置', 'admin,', '2023-06-17 11:02:11', 1, 'admin', '2023-06-17 14:18:07', 1, 'admin'); INSERT INTO `t_sys_config` (name, `key`, params, value, remark, create_time, creator_id, creator, update_time, modifier_id, modifier) VALUES('账号登录安全设置', 'AccountLoginSecurity', '[{"name":"登录验证码","model":"useCaptcha","placeholder":"是否启用登录验证码","options":"true,false"},{"name":"双因素校验(OTP)","model":"useOtp","placeholder":"是否启用双因素(OTP)校验","options":"true,false"},{"name":"OTP签发人","model":"otpIssuer","placeholder":"otp签发人"},{"name":"允许失败次数","model":"loginFailCount","placeholder":"登录失败n次后禁止登录"},{"name":"禁止登录时间","model":"loginFailMin","placeholder":"登录失败指定次数后禁止m分钟内再次登录"}]', '{"useCaptcha":"true","useOtp":"false","loginFailCount":"5","loginFailMin":"10","otpIssuer":"mayfly-go"}', '系统账号登录相关安全设置', '2023-06-17 11:02:11', 1, 'admin', '2023-06-17 14:18:07', 1, 'admin');
INSERT INTO `t_sys_config` (name, `key`, params, value, remark, create_time, creator_id, creator, update_time, modifier_id, modifier, is_deleted, delete_time) VALUES('oauth2登录配置', 'Oauth2Login', '[{"name":"是否启用","model":"enable","placeholder":"是否启用oauth2登录","options":"true,false"},{"name":"名称","model":"name","placeholder":"oauth2名称"},{"name":"Client ID","model":"clientId","placeholder":"Client ID"},{"name":"Client Secret","model":"clientSecret","placeholder":"Client Secret"},{"name":"Authorization URL","model":"authorizationURL","placeholder":"Authorization URL"},{"name":"AccessToken URL","model":"accessTokenURL","placeholder":"AccessToken URL"},{"name":"Redirect URL","model":"redirectURL","placeholder":"本系统地址"},{"name":"Scopes","model":"scopes","placeholder":"Scopes"},{"name":"Resource URL","model":"resourceURL","placeholder":"获取用户信息资源地址"},{"name":"UserIdentifier","model":"userIdentifier","placeholder":"用户唯一标识字段;格式为type:fieldPath(string:username)"},{"name":"是否自动注册","model":"autoRegister","placeholder":"","options":"true,false"}]', '', 'oauth2登录相关配置信息', '2023-07-22 13:58:51', 1, 'admin', '2023-07-22 19:34:37', 1, 'admin', 0, NULL); INSERT INTO `t_sys_config` (name, `key`, params, value, remark, permission, create_time, creator_id, creator, update_time, modifier_id, modifier, is_deleted, delete_time) VALUES('oauth2登录配置', 'Oauth2Login', '[{"name":"是否启用","model":"enable","placeholder":"是否启用oauth2登录","options":"true,false"},{"name":"名称","model":"name","placeholder":"oauth2名称"},{"name":"Client ID","model":"clientId","placeholder":"Client ID"},{"name":"Client Secret","model":"clientSecret","placeholder":"Client Secret"},{"name":"Authorization URL","model":"authorizationURL","placeholder":"Authorization URL"},{"name":"AccessToken URL","model":"accessTokenURL","placeholder":"AccessToken URL"},{"name":"Redirect URL","model":"redirectURL","placeholder":"本系统地址"},{"name":"Scopes","model":"scopes","placeholder":"Scopes"},{"name":"Resource URL","model":"resourceURL","placeholder":"获取用户信息资源地址"},{"name":"UserIdentifier","model":"userIdentifier","placeholder":"用户唯一标识字段;格式为type:fieldPath(string:username)"},{"name":"是否自动注册","model":"autoRegister","placeholder":"","options":"true,false"}]', '', 'oauth2登录相关配置信息', 'admin,', '2023-07-22 13:58:51', 1, 'admin', '2023-07-22 19:34:37', 1, 'admin', 0, NULL);
INSERT INTO `t_sys_config` (name, `key`, params, value, remark, permission, create_time, creator_id, creator, update_time, modifier_id, modifier, is_deleted, delete_time) VALUES('ldap登录配置', 'LdapLogin', '[{"name":"是否启用","model":"enable","placeholder":"是否启用","options":"true,false"},{"name":"host","model":"host","placeholder":"host"},{"name":"port","model":"port","placeholder":"port"},{"name":"bindDN","model":"bindDN","placeholder":"LDAP 服务的管理员账号,如: \\"cn=admin,dc=example,dc=com\\""},{"name":"bindPwd","model":"bindPwd","placeholder":"LDAP 服务的管理员密码"},{"name":"baseDN","model":"baseDN","placeholder":"用户所在的 base DN, 如: \\"ou=users,dc=example,dc=com\\""},{"name":"userFilter","model":"userFilter","placeholder":"过滤用户的方式, 如: \\"(uid=%s)、(&(objectClass=organizationalPerson)(uid=%s))\\""},{"name":"uidMap","model":"uidMap","placeholder":"用户id和 LDAP 字段名之间的映射关系,如: cn"},{"name":"udnMap","model":"udnMap","placeholder":"用户姓名(dispalyName)和 LDAP 字段名之间的映射关系,如: displayName"},{"name":"emailMap","model":"emailMap","placeholder":"用户email和 LDAP 字段名之间的映射关系"},{"name":"skipTLSVerify","model":"skipTLSVerify","placeholder":"客户端是否跳过 TLS 证书验证","options":"true,false"},{"name":"安全协议","model":"securityProtocol","placeholder":"安全协议为Null不使用安全协议如: StartTLS, LDAPS","options":"Null,StartTLS,LDAPS"}]', '', 'ldap登录相关配置', 'admin,', '2023-08-25 21:47:20', 1, 'admin', '2023-08-25 22:56:07', 1, 'admin', 0, NULL);
INSERT INTO `t_sys_config` (name, `key`, params, value, remark, create_time, creator_id, creator, update_time, modifier_id, modifier)VALUES ('是否启用水印', 'UseWartermark', NULL, '1', '1: 启用、0: 不启用', '2022-08-25 23:36:35', 1, 'admin', '2022-08-26 10:02:52', 1, 'admin'); INSERT INTO `t_sys_config` (name, `key`, params, value, remark, create_time, creator_id, creator, update_time, modifier_id, modifier)VALUES ('是否启用水印', 'UseWartermark', NULL, '1', '1: 启用、0: 不启用', '2022-08-25 23:36:35', 1, 'admin', '2022-08-26 10:02:52', 1, 'admin');
INSERT INTO `t_sys_config` (name, `key`, params, value, remark, create_time, creator_id, creator, update_time, modifier_id, modifier)VALUES ('数据库查询最大结果集', 'DbQueryMaxCount', '[]', '200', '允许sql查询的最大结果集数。注: 0=不限制', '2023-02-11 14:29:03', 1, 'admin', '2023-02-11 14:40:56', 1, 'admin'); INSERT INTO `t_sys_config` (name, `key`, params, value, remark, create_time, creator_id, creator, update_time, modifier_id, modifier)VALUES ('数据库查询最大结果集', 'DbQueryMaxCount', '[]', '200', '允许sql查询的最大结果集数。注: 0=不限制', '2023-02-11 14:29:03', 1, 'admin', '2023-02-11 14:40:56', 1, 'admin');
INSERT INTO `t_sys_config` (name, `key`, params, value, remark, create_time, creator_id, creator, update_time, modifier_id, modifier)VALUES ('数据库是否记录查询SQL', 'DbSaveQuerySQL', '[]', '0', '1: 记录、0:不记录', '2023-02-11 16:07:14', 1, 'admin', '2023-02-11 16:44:17', 1, 'admin'); INSERT INTO `t_sys_config` (name, `key`, params, value, remark, create_time, creator_id, creator, update_time, modifier_id, modifier)VALUES ('数据库是否记录查询SQL', 'DbSaveQuerySQL', '[]', '0', '1: 记录、0:不记录', '2023-02-11 16:07:14', 1, 'admin', '2023-02-11 16:44:17', 1, 'admin');
@@ -454,7 +455,7 @@ CREATE TABLE `t_sys_log` (
`id` bigint(20) unsigned NOT NULL AUTO_INCREMENT, `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
`type` tinyint(4) NOT NULL COMMENT '类型', `type` tinyint(4) NOT NULL COMMENT '类型',
`description` varchar(255) DEFAULT NULL COMMENT '描述', `description` varchar(255) DEFAULT NULL COMMENT '描述',
`req_param` varchar(1000) DEFAULT NULL COMMENT '请求信息', `req_param` varchar(2000) DEFAULT NULL COMMENT '请求信息',
`resp` varchar(1000) DEFAULT NULL COMMENT '响应信息', `resp` varchar(1000) DEFAULT NULL COMMENT '响应信息',
`creator` varchar(36) NOT NULL COMMENT '调用者', `creator` varchar(36) NOT NULL COMMENT '调用者',
`creator_id` bigint(20) NOT NULL COMMENT '调用者id', `creator_id` bigint(20) NOT NULL COMMENT '调用者id',

1
server/pkg/config/config.go
View File

@@ -43,7 +43,6 @@ type Config struct {
Mysql *Mysql `yaml:"mysql"` Mysql *Mysql `yaml:"mysql"`
Redis *Redis `yaml:"redis"` Redis *Redis `yaml:"redis"`
Log *Log `yaml:"log"` Log *Log `yaml:"log"`
Ldap *Ldap `yaml:"ldap"`
} }
// 配置文件内容校验 // 配置文件内容校验

45
server/pkg/config/ldap.go
View File

@@ -1,45 +0,0 @@
package config
// FieldMapping 表示用户属性和 LDAP 字段名之间的映射关系
type FieldMapping struct {
// Identifier 表示用户标识
Identifier string `yaml:"identifier,omitempty"`
// DisplayName 表示用户姓名
DisplayName string `yaml:"displayName,omitempty"`
// Email 表示 Email 地址
Email string `yaml:"email,omitempty"`
}
// SecurityProtocol 表示连接 LDAP 服务器的安全协议
type SecurityProtocol string
const (
// SecurityProtocolStartTLS 表示 StartTLS 安全协议
SecurityProtocolStartTLS SecurityProtocol = "starttls"
// SecurityProtocolLDAPS 表示 LDAPS 安全协议
SecurityProtocolLDAPS SecurityProtocol = "ldaps"
)
// Ldap 是 LDAP 服务配置
type Ldap struct {
// Enabled 表示是否启用 LDAP 登录
Enabled bool `yaml:"enabled"`
// Host 是 LDAP 服务地址, 如: "ldap.example.com"
Host string `yaml:"host"`
// Port 是 LDAP 服务端口号, 如: 389
Port int `yaml:"port"`
// SkipTLSVerify 控制客户端是否跳过 TLS 证书验证
SkipTLSVerify bool `yaml:"skipTlsVerify"`
// BindDN 是 LDAP 服务的管理员账号,如: "cn=admin,dc=example,dc=com"
BindDN string `yaml:"bindDn"`
// BindPassword 是 LDAP 服务的管理员密码
BindPassword string `yaml:"bindPassword"`
// BaseDN 是用户所在的 base DN, 如: "ou=users,dc=example,dc=com".
BaseDN string `yaml:"baseDn"`
// UserFilter 是过滤用户的方式, 如: "(uid=%s)".
UserFilter string `yaml:"userFilter"`
// SecurityProtocol 是连接使用的 LDAP 安全协议(为空不使用安全协议),如: StartTLS, LDAPS
SecurityProtocol SecurityProtocol `yaml:"securityProtocol"`
// FieldMapping 表示用户属性和 LDAP 字段名之间的映射关系
FieldMapping FieldMapping `yaml:"fieldMapping"`
}

108
server/pkg/ldap/ldap.go
View File

@@ -1,108 +0,0 @@
package ldap
import (
"crypto/tls"
"fmt"
"mayfly-go/pkg/config"
"strings"
"github.com/go-ldap/ldap/v3"
"github.com/pkg/errors"
)
type UserInfo struct {
UserName string
DisplayName string
Email string
}
func dial() (*ldap.Conn, error) {
conf := config.Conf.Ldap
addr := fmt.Sprintf("%s:%d", conf.Host, conf.Port)
tlsConfig := &tls.Config{
ServerName: conf.Host,
InsecureSkipVerify: conf.SkipTLSVerify,
}
if conf.SecurityProtocol == config.SecurityProtocolLDAPS {
conn, err := ldap.DialTLS("tcp", addr, tlsConfig)
if err != nil {
return nil, errors.Errorf("dial TLS: %v", err)
}
return conn, nil
}
conn, err := ldap.Dial("tcp", addr)
if err != nil {
return nil, errors.Errorf("dial: %v", err)
}
if conf.SecurityProtocol == config.SecurityProtocolStartTLS {
if err = conn.StartTLS(tlsConfig); err != nil {
_ = conn.Close()
return nil, errors.Errorf("start TLS: %v", err)
}
}
return conn, nil
}
// Connect 创建 LDAP 连接
func Connect() (*ldap.Conn, error) {
conn, err := dial()
if err != nil {
return nil, err
}
// Bind with a system account
conf := config.Conf.Ldap
err = conn.Bind(conf.BindDN, conf.BindPassword)
if err != nil {
_ = conn.Close()
return nil, errors.Errorf("bind: %v", err)
}
return conn, nil
}
// Authenticate 通过 LDAP 验证用户名密码
func Authenticate(username, password string) (*UserInfo, error) {
conn, err := Connect()
if err != nil {
return nil, errors.Errorf("connect: %v", err)
}
defer func() { _ = conn.Close() }()
conf := config.Conf.Ldap
sr, err := conn.Search(
ldap.NewSearchRequest(
conf.BaseDN,
ldap.ScopeWholeSubtree,
ldap.NeverDerefAliases,
0,
0,
false,
strings.ReplaceAll(conf.UserFilter, "%s", username),
[]string{"dn", conf.FieldMapping.Identifier, conf.FieldMapping.DisplayName, conf.FieldMapping.Email},
nil,
),
)
if err != nil {
return nil, errors.Errorf("search user DN: %v", err)
} else if len(sr.Entries) != 1 {
return nil, errors.Errorf("expect 1 user DN but got %d", len(sr.Entries))
}
entry := sr.Entries[0]
// Bind as the user to verify their password
err = conn.Bind(entry.DN, password)
if err != nil {
return nil, errors.Errorf("bind user: %v", err)
}
userName := entry.GetAttributeValue(conf.FieldMapping.Identifier)
if userName == "" {
return nil, errors.Errorf("the attribute %q is not found or has empty value", conf.FieldMapping.Identifier)
}
return &UserInfo{
UserName: userName,
DisplayName: entry.GetAttributeValue(conf.FieldMapping.DisplayName),
Email: entry.GetAttributeValue(conf.FieldMapping.Email),
}, nil
}