diff --git a/biz/user.go b/biz/user.go
index 16f29e1..d923fad 100644
--- a/biz/user.go
+++ b/biz/user.go
@@ -1,7 +1,9 @@
 package biz
 
 import (
+	"crypto/tls"
 	"fmt"
+	"net"
 	"time"
 
 	"github.com/cuigh/auxo/data/guid"
@@ -193,7 +195,6 @@ func (b *userBiz) loginInternal(user *model.User, pwd string) error {
 	return nil
 }
 
-// TODO: support tls
 func (b *userBiz) loginLDAP(d dao.Interface, user *model.User, pwd string) error {
 	setting, err := Setting.Get()
 	if err != nil {
@@ -204,7 +205,7 @@ func (b *userBiz) loginLDAP(d dao.Interface, user *model.User, pwd string) error
 		return ErrIncorrectAuth
 	}
 
-	l, err := ldap.Dial("tcp", setting.LDAP.Address)
+	l, err := b.ldapDial(setting)
 	if err != nil {
 		return err
 	}
@@ -233,6 +234,38 @@ func (b *userBiz) loginLDAP(d dao.Interface, user *model.User, pwd string) error
 	return b.Create(user, nil)
 }
 
+func (b *userBiz) ldapDial(setting *model.Setting) (*ldap.Conn, error) {
+	host, _, err := net.SplitHostPort(setting.LDAP.Address)
+	if err != nil {
+		return nil, err
+	}
+
+	// TODO: support tls cert and verification
+	tc := &tls.Config{
+		ServerName:         host,
+		InsecureSkipVerify: true,
+		Certificates:       nil,
+	}
+
+	if setting.LDAP.Security == model.LDAPSecurityTLS {
+		return ldap.DialTLS("tcp", setting.LDAP.Address, tc)
+	}
+
+	conn, err := ldap.Dial("tcp", setting.LDAP.Address)
+	if err != nil {
+		return nil, err
+	}
+
+	if setting.LDAP.Security == model.LDAPSecurityStartTLS {
+		if err = conn.StartTLS(tc); err != nil {
+			conn.Close()
+			log.Get("user").Error("LDAP > Failed to switch to TLS: ", err)
+			return nil, err
+		}
+	}
+	return conn, nil
+}
+
 func (b *userBiz) ldapBind(setting *model.Setting, l *ldap.Conn, user *model.User, pwd string) (err error) {
 	if setting.LDAP.Authentication == 0 { // simple auth
diff --git a/model/setting.go b/model/setting.go
index 9e4cbaf..56fa9ff 100644
--- a/model/setting.go
+++ b/model/setting.go
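Review bot: `ldapDial` hard-codes `InsecureSkipVerify: true` in its `tls.Config`, so both the `LDAPSecurityTLS` and `LDAPSecurityStartTLS` paths encrypt the bind credentials but never authenticate the directory server, and because the same commit comments out `TLSVerify` in `model.Setting` an operator has no way to turn verification on even though the settings page now offers "TLS" and "StartTLS". Consider keeping a `TLSVerify` setting that defaults to verifying and writing `InsecureSkipVerify: !setting.LDAP.TLSVerify`, and adding `MinVersion: tls.VersionTLS12`; `Certificates: nil` is the zero value and can be dropped. The StartTLS branch logs and closes on failure while the `DialTLS` branch returns the raw error unlogged — pick one style for both, e.g. wrap each with `fmt.Errorf("dialing LDAP %q: %w", setting.LDAP.Address, err)` if the module's Go version supports `%w`. `ldapDial` is complete within the hunk; the body of `ldapBind` continues outside it.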
@@ -2,14 +2,25 @@ package model
 
 import "time"
 
+const (
+	LDAPSecurityNone     = 0
+	LDAPSecurityTLS      = 1
+	LDAPSecurityStartTLS = 2
+)
+
+const (
+	LDAPAuthSimple = 0
+	LDAPAuthBind   = 1
+)
+
 // Setting represents the options of swirl.
 type Setting struct {
 	LDAP struct {
-		Enabled        bool   `bson:"enabled" json:"enabled,omitempty"`
-		Address        string `bson:"address" json:"address,omitempty"`
-		Security       int32  `bson:"security" json:"security,omitempty"` // 0-None/1-TLS/2-StartTLS
-		TLSCert        string `bson:"tls_cert" json:"tls_cert,omitempty"` // TLS cert
-		TLSVerify      bool   `bson:"tls_verify" json:"tls_verify,omitempty"` // Verify cert
+		Enabled  bool   `bson:"enabled" json:"enabled,omitempty"`
+		Address  string `bson:"address" json:"address,omitempty"`
+		Security int32  `bson:"security" json:"security,omitempty"` // 0-None/1-TLS/2-StartTLS
+		//TLSCert string `bson:"tls_cert" json:"tls_cert,omitempty"` // TLS cert
+		//TLSVerify bool `bson:"tls_verify" json:"tls_verify,omitempty"` // Verify cert
 		Authentication int32  `bson:"auth" json:"auth,omitempty"` // 0-Simple/1-Bind
 		BindDN         string `bson:"bind_dn" json:"bind_dn,omitempty"` // DN to bind with
 		BindPassword   string `bson:"bind_pwd" json:"bind_pwd,omitempty"` // Bind DN password
diff --git a/views/system/setting/index.jet b/views/system/setting/index.jet
index efdd572..59a0ad0 100644
--- a/views/system/setting/index.jet
+++ b/views/system/setting/index.jet
@@ -112,8 +112,8 @@
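Review bot: The new `LDAPAuthSimple`/`LDAPAuthBind` constants are declared here but never used in this commit — the visible `ldapBind` context in biz/user.go still compares `setting.LDAP.Authentication == 0 { // simple auth` against a literal — and the field comments `// 0-None/1-TLS/2-StartTLS` and `// 0-Simple/1-Bind` now duplicate what the constants encode, so either make the comments point at the constants or drop them. `TLSCert` and `TLSVerify` are commented out rather than removed, leaving disabled declarations inside the struct; if they are meant to come back (the dialer's TODO suggests so), a `// TODO: restore TLSCert/TLSVerify once the dialer honours them` on the struct is clearer than dead code, and their absence is what currently leaves the dialer with no verification knob. Both const groups also lack a doc comment; e.g. `// LDAP security modes stored in Setting.LDAP.Security.` and `// LDAP authentication modes stored in Setting.LDAP.Authentication.` would satisfy the exported-name convention.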
 {{ yield radio(id="ldap.security-none", name="ldap.security", value="0", label="None", checked=.Setting.LDAP.Security) content}} data-type="integer"{{end}}
-{{ yield radio(id="ldap.security-tls", name="ldap.security", value="1", label="TLS", disabled=true) content}} data-type="integer"{{end}}
-{{ yield radio(id="ldap.security-starttls", name="ldap.security", value="2", label="StartTLS", disabled=true) content}} data-type="integer"{{end}}
+{{ yield radio(id="ldap.security-tls", name="ldap.security", value="1", label="TLS", checked=.Setting.LDAP.Security) content}} data-type="integer"{{end}}
+{{ yield radio(id="ldap.security-starttls", name="ldap.security", value="2", label="StartTLS", checked=.Setting.LDAP.Security) content}} data-type="integer"{{end}}