feat: add ldap login support (#5706)
* feat: add ldap login support * fix: ldap permission config group
This commit is contained in:
Guobao
GitHub
159
server/handles/ldap_login.go
Normal file
159
server/handles/ldap_login.go
Normal file
@ -0,0 +1,159 @@
|
||||
package handles
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"errors"
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/alist-org/alist/v3/internal/conf"
|
||||
"github.com/alist-org/alist/v3/internal/db"
|
||||
"github.com/alist-org/alist/v3/internal/model"
|
||||
"github.com/alist-org/alist/v3/internal/op"
|
||||
"github.com/alist-org/alist/v3/internal/setting"
|
||||
"github.com/alist-org/alist/v3/pkg/utils"
|
||||
"github.com/alist-org/alist/v3/pkg/utils/random"
|
||||
"github.com/alist-org/alist/v3/server/common"
|
||||
"github.com/gin-gonic/gin"
|
||||
"gopkg.in/ldap.v3"
|
||||
)
|
||||
|
||||
func LoginLdap(c *gin.Context) {
|
||||
var req LoginReq
|
||||
if err := c.ShouldBind(&req); err != nil {
|
||||
common.ErrorResp(c, err, 400)
|
||||
return
|
||||
}
|
||||
loginLdap(c, &req)
|
||||
}
|
||||
|
||||
func loginLdap(c *gin.Context, req *LoginReq) {
|
||||
enabled := setting.GetBool(conf.LdapLoginEnabled)
|
||||
if !enabled {
|
||||
common.ErrorStrResp(c, "ldap is not enabled", 403)
|
||||
return
|
||||
}
|
||||
|
||||
// check count of login
|
||||
ip := c.ClientIP()
|
||||
count, ok := loginCache.Get(ip)
|
||||
if ok && count >= defaultTimes {
|
||||
common.ErrorStrResp(c, "Too many unsuccessful sign-in attempts have been made using an incorrect username or password, Try again later.", 429)
|
||||
loginCache.Expire(ip, defaultDuration)
|
||||
return
|
||||
}
|
||||
|
||||
// Auth start
|
||||
ldapServer := setting.GetStr(conf.LdapServer)
|
||||
ldapManagerDN := setting.GetStr(conf.LdapManagerDN)
|
||||
ldapManagerPassword := setting.GetStr(conf.LdapManagerPassword)
|
||||
ldapUserSearchBase := setting.GetStr(conf.LdapUserSearchBase)
|
||||
ldapUserSearchFilter := setting.GetStr(conf.LdapUserSearchFilter) // (uid=%s)
|
||||
|
||||
var tlsEnabled bool = false
|
||||
if strings.HasPrefix(ldapServer, "ldaps://") {
|
||||
tlsEnabled = true
|
||||
ldapServer = strings.TrimPrefix(ldapServer, "ldaps://")
|
||||
} else if strings.HasPrefix(ldapServer, "ldap://") {
|
||||
ldapServer = strings.TrimPrefix(ldapServer, "ldap://")
|
||||
}
|
||||
|
||||
l, err := ldap.Dial("tcp", ldapServer)
|
||||
if err != nil {
|
||||
utils.Log.Errorf("failed to connect to LDAP: %v", err)
|
||||
common.ErrorResp(c, err, 500)
|
||||
return
|
||||
}
|
||||
defer l.Close()
|
||||
|
||||
if tlsEnabled {
|
||||
// Reconnect with TLS
|
||||
err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})
|
||||
if err != nil {
|
||||
utils.Log.Errorf("failed to start tls: %v", err)
|
||||
common.ErrorResp(c, err, 500)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// First bind with a read only user
|
||||
if ldapManagerDN != "" && ldapManagerPassword != "" {
|
||||
err = l.Bind(ldapManagerDN, ldapManagerPassword)
|
||||
if err != nil {
|
||||
utils.Log.Errorf("Failed to bind to LDAP: %v", err)
|
||||
common.ErrorResp(c, err, 500)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// Search for the given username
|
||||
searchRequest := ldap.NewSearchRequest(
|
||||
ldapUserSearchBase,
|
||||
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
|
||||
fmt.Sprintf(ldapUserSearchFilter, req.Username),
|
||||
[]string{"dn"},
|
||||
nil,
|
||||
)
|
||||
sr, err := l.Search(searchRequest)
|
||||
if err != nil {
|
||||
utils.Log.Errorf("LDAP search failed: %v", err)
|
||||
common.ErrorResp(c, err, 500)
|
||||
return
|
||||
}
|
||||
if len(sr.Entries) != 1 {
|
||||
utils.Log.Errorf("User does not exist or too many entries returned")
|
||||
common.ErrorResp(c, err, 500)
|
||||
return
|
||||
}
|
||||
userDN := sr.Entries[0].DN
|
||||
|
||||
// Bind as the user to verify their password
|
||||
err = l.Bind(userDN, req.Password)
|
||||
if err != nil {
|
||||
utils.Log.Errorf("Failed to auth. %v", err)
|
||||
common.ErrorResp(c, err, 400)
|
||||
loginCache.Set(ip, count+1)
|
||||
return
|
||||
} else {
|
||||
utils.Log.Infof("Auth successful username:%s", req.Username)
|
||||
}
|
||||
// Auth finished
|
||||
|
||||
user, err := op.GetUserByName(req.Username)
|
||||
if err != nil {
|
||||
user, err = ladpRegister(req.Username)
|
||||
if err != nil {
|
||||
common.ErrorResp(c, err, 400)
|
||||
loginCache.Set(ip, count+1)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// generate token
|
||||
token, err := common.GenerateToken(user)
|
||||
if err != nil {
|
||||
common.ErrorResp(c, err, 400, true)
|
||||
return
|
||||
}
|
||||
common.SuccessResp(c, gin.H{"token": token})
|
||||
loginCache.Del(ip)
|
||||
}
|
||||
|
||||
func ladpRegister(username string) (*model.User, error) {
|
||||
if username == "" {
|
||||
return nil, errors.New("cannot get username from ldap provider")
|
||||
}
|
||||
user := &model.User{
|
||||
ID: 0,
|
||||
Username: username,
|
||||
Password: random.String(16),
|
||||
Permission: int32(setting.GetInt(conf.LdapDefaultPermission, 0)),
|
||||
BasePath: setting.GetStr(conf.LdapDefaultDir),
|
||||
Role: 0,
|
||||
Disabled: false,
|
||||
}
|
||||
if err := db.CreateUser(user); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return user, nil
|
||||
}
|
||||
@ -48,6 +48,7 @@ func Init(e *gin.Engine) {
|
||||
|
||||
api.POST("/auth/login", handles.Login)
|
||||
api.POST("/auth/login/hash", handles.LoginHash)
|
||||
api.POST("/auth/login/ldap", handles.LoginLdap)
|
||||
auth.GET("/me", handles.CurrentUser)
|
||||
auth.POST("/me/update", handles.UpdateCurrent)
|
||||
auth.POST("/auth/2fa/generate", handles.Generate2FA)
|
||||
|
||||
Reference in New Issue
Block a user