Add simple support for LDAP with TLS

2024-12-28 23:02:02 +00:00 · 2017-11-13 18:49:00 +08:00 · 2017-11-13 18:49:00 +08:00 · 3005cd6edb
commit 3005cd6edb
parent d5fb909ffc
3 changed files with 53 additions and 9 deletions
--- a/biz/user.go
+++ b/biz/user.go
@ -1,7 +1,9 @@
 package biz

 import (
+	"crypto/tls"
 	"fmt"
+	"net"
 	"time"

 	"github.com/cuigh/auxo/data/guid"
@ -193,7 +195,6 @@ func (b *userBiz) loginInternal(user *model.User, pwd string) error {
 	return nil
 }

-// TODO: support tls
 func (b *userBiz) loginLDAP(d dao.Interface, user *model.User, pwd string) error {
 	setting, err := Setting.Get()
 	if err != nil {
@ -204,7 +205,7 @@ func (b *userBiz) loginLDAP(d dao.Interface, user *model.User, pwd string) error
 		return ErrIncorrectAuth
 	}

-	l, err := ldap.Dial("tcp", setting.LDAP.Address)
+	l, err := b.ldapDial(setting)
 	if err != nil {
 		return err
 	}
@ -233,6 +234,38 @@ func (b *userBiz) loginLDAP(d dao.Interface, user *model.User, pwd string) error
 	return b.Create(user, nil)
 }

+func (b *userBiz) ldapDial(setting *model.Setting) (*ldap.Conn, error) {
+	host, _, err := net.SplitHostPort(setting.LDAP.Address)
+	if err != nil {
+		return nil, err
+	}
+
+	// TODO: support tls cert and verification
+	tc := &tls.Config{
+		ServerName:         host,
+		InsecureSkipVerify: true,
+		Certificates:       nil,
+	}
+
+	if setting.LDAP.Security == model.LDAPSecurityTLS {
+		return ldap.DialTLS("tcp", setting.LDAP.Address, tc)
+	}
+
+	conn, err := ldap.Dial("tcp", setting.LDAP.Address)
+	if err != nil {
+		return nil, err
+	}
+
+	if setting.LDAP.Security == model.LDAPSecurityStartTLS {
+		if err = conn.StartTLS(tc); err != nil {
+			conn.Close()
+			log.Get("user").Error("LDAP > Failed to switch to TLS: ", err)
+			return nil, err
+		}
+	}
+	return conn, nil
+}
+
 func (b *userBiz) ldapBind(setting *model.Setting, l *ldap.Conn, user *model.User, pwd string) (err error) {
 	if setting.LDAP.Authentication == 0 {
 		// simple auth
--- a/model/setting.go
+++ b/model/setting.go
@ -2,14 +2,25 @@ package model

 import "time"

+const (
+	LDAPSecurityNone     = 0
+	LDAPSecurityTLS      = 1
+	LDAPSecurityStartTLS = 2
+)
+
+const (
+	LDAPAuthSimple = 0
+	LDAPAuthBind   = 1
+)
+
 // Setting represents the options of swirl.
 type Setting struct {
 	LDAP struct {
-		Enabled        bool   `bson:"enabled" json:"enabled,omitempty"`
-		Address        string `bson:"address" json:"address,omitempty"`
-		Security       int32  `bson:"security" json:"security,omitempty"`       // 0-None/1-TLS/2-StartTLS
-		TLSCert        string `bson:"tls_cert" json:"tls_cert,omitempty"`       // TLS cert
-		TLSVerify      bool   `bson:"tls_verify" json:"tls_verify,omitempty"`   // Verify cert
+		Enabled  bool   `bson:"enabled" json:"enabled,omitempty"`
+		Address  string `bson:"address" json:"address,omitempty"`
+		Security int32  `bson:"security" json:"security,omitempty"` // 0-None/1-TLS/2-StartTLS
+		//TLSCert        string `bson:"tls_cert" json:"tls_cert,omitempty"`       // TLS cert
+		//TLSVerify      bool   `bson:"tls_verify" json:"tls_verify,omitempty"`   // Verify cert
 		Authentication int32  `bson:"auth" json:"auth,omitempty"`               // 0-Simple/1-Bind
 		BindDN         string `bson:"bind_dn" json:"bind_dn,omitempty"`         // DN to bind with
 		BindPassword   string `bson:"bind_pwd" json:"bind_pwd,omitempty"`       // Bind DN password
--- a/views/system/setting/index.jet
+++ b/views/system/setting/index.jet
@ -112,8 +112,8 @@
            <div class="field">
              <div class="control">
                {{ yield radio(id="ldap.security-none", name="ldap.security", value="0", label="None", checked=.Setting.LDAP.Security) content}} data-type="integer"{{end}}
-                {{ yield radio(id="ldap.security-tls", name="ldap.security", value="1", label="TLS", disabled=true) content}} data-type="integer"{{end}}
-                {{ yield radio(id="ldap.security-starttls", name="ldap.security", value="2", label="StartTLS", disabled=true) content}} data-type="integer"{{end}}
+                {{ yield radio(id="ldap.security-tls", name="ldap.security", value="1", label="TLS", checked=.Setting.LDAP.Security) content}} data-type="integer"{{end}}
+                {{ yield radio(id="ldap.security-starttls", name="ldap.security", value="2", label="StartTLS", checked=.Setting.LDAP.Security) content}} data-type="integer"{{end}}
              </div>
            </div>
          </div>