Add simple support for LDAP with TLS
This commit is contained in:
parent
d5fb909ffc
commit
3005cd6edb
37
biz/user.go
37
biz/user.go
@ -1,7 +1,9 @@
|
|||||||
package biz
|
package biz
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"crypto/tls"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"net"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/cuigh/auxo/data/guid"
|
"github.com/cuigh/auxo/data/guid"
|
||||||
@ -193,7 +195,6 @@ func (b *userBiz) loginInternal(user *model.User, pwd string) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: support tls
|
|
||||||
func (b *userBiz) loginLDAP(d dao.Interface, user *model.User, pwd string) error {
|
func (b *userBiz) loginLDAP(d dao.Interface, user *model.User, pwd string) error {
|
||||||
setting, err := Setting.Get()
|
setting, err := Setting.Get()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -204,7 +205,7 @@ func (b *userBiz) loginLDAP(d dao.Interface, user *model.User, pwd string) error
|
|||||||
return ErrIncorrectAuth
|
return ErrIncorrectAuth
|
||||||
}
|
}
|
||||||
|
|
||||||
l, err := ldap.Dial("tcp", setting.LDAP.Address)
|
l, err := b.ldapDial(setting)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -233,6 +234,38 @@ func (b *userBiz) loginLDAP(d dao.Interface, user *model.User, pwd string) error
|
|||||||
return b.Create(user, nil)
|
return b.Create(user, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (b *userBiz) ldapDial(setting *model.Setting) (*ldap.Conn, error) {
|
||||||
|
host, _, err := net.SplitHostPort(setting.LDAP.Address)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO: support tls cert and verification
|
||||||
|
tc := &tls.Config{
|
||||||
|
ServerName: host,
|
||||||
|
InsecureSkipVerify: true,
|
||||||
|
Certificates: nil,
|
||||||
|
}
|
||||||
|
|
||||||
|
if setting.LDAP.Security == model.LDAPSecurityTLS {
|
||||||
|
return ldap.DialTLS("tcp", setting.LDAP.Address, tc)
|
||||||
|
}
|
||||||
|
|
||||||
|
conn, err := ldap.Dial("tcp", setting.LDAP.Address)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if setting.LDAP.Security == model.LDAPSecurityStartTLS {
|
||||||
|
if err = conn.StartTLS(tc); err != nil {
|
||||||
|
conn.Close()
|
||||||
|
log.Get("user").Error("LDAP > Failed to switch to TLS: ", err)
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return conn, nil
|
||||||
|
}
|
||||||
|
|
||||||
func (b *userBiz) ldapBind(setting *model.Setting, l *ldap.Conn, user *model.User, pwd string) (err error) {
|
func (b *userBiz) ldapBind(setting *model.Setting, l *ldap.Conn, user *model.User, pwd string) (err error) {
|
||||||
if setting.LDAP.Authentication == 0 {
|
if setting.LDAP.Authentication == 0 {
|
||||||
// simple auth
|
// simple auth
|
||||||
|
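Review bot: `InsecureSkipVerify: true` in the `tls.Config` built by `ldapDial` disables server certificate verification on both the `ldap.DialTLS` path and the `conn.StartTLS` path, so the bind password and every user password sent over that connection are protected only from passive observers, not from an on-path party presenting an arbitrary certificate; the `TLSVerify`/`TLSCert` settings that would let an operator turn verification on are commented out in the `package model` hunk of this same commit. The safe default is to drop the `InsecureSkipVerify: true` line (and the no-op `Certificates: nil`) so the system roots are used, optionally adding `MinVersion: tls.VersionTLS12`, and to bring the two settings back later as a `RootCAs` pool and an explicit opt-out. If the skip must stay for now, the `// TODO` on the line above should state the consequence rather than only the missing feature, e.g. `// TODO: honour TLSCert/TLSVerify; until then the LDAP server is NOT authenticated and credentials can be captured by an on-path attacker`. The two error paths are also inconsistent in style: the StartTLS failure is logged via `log.Get("user").Error(...)` and returned, while a `DialTLS` failure is returned silently — pick one and apply it to both.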
@ -2,14 +2,25 @@ package model
|
|||||||
|
|
||||||
import "time"
|
import "time"
|
||||||
|
|
||||||
|
const (
|
||||||
|
LDAPSecurityNone = 0
|
||||||
|
LDAPSecurityTLS = 1
|
||||||
|
LDAPSecurityStartTLS = 2
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
LDAPAuthSimple = 0
|
||||||
|
LDAPAuthBind = 1
|
||||||
|
)
|
||||||
|
|
||||||
// Setting represents the options of swirl.
|
// Setting represents the options of swirl.
|
||||||
type Setting struct {
|
type Setting struct {
|
||||||
LDAP struct {
|
LDAP struct {
|
||||||
Enabled bool `bson:"enabled" json:"enabled,omitempty"`
|
Enabled bool `bson:"enabled" json:"enabled,omitempty"`
|
||||||
Address string `bson:"address" json:"address,omitempty"`
|
Address string `bson:"address" json:"address,omitempty"`
|
||||||
Security int32 `bson:"security" json:"security,omitempty"` // 0-None/1-TLS/2-StartTLS
|
Security int32 `bson:"security" json:"security,omitempty"` // 0-None/1-TLS/2-StartTLS
|
||||||
TLSCert string `bson:"tls_cert" json:"tls_cert,omitempty"` // TLS cert
|
//TLSCert string `bson:"tls_cert" json:"tls_cert,omitempty"` // TLS cert
|
||||||
TLSVerify bool `bson:"tls_verify" json:"tls_verify,omitempty"` // Verify cert
|
//TLSVerify bool `bson:"tls_verify" json:"tls_verify,omitempty"` // Verify cert
|
||||||
Authentication int32 `bson:"auth" json:"auth,omitempty"` // 0-Simple/1-Bind
|
Authentication int32 `bson:"auth" json:"auth,omitempty"` // 0-Simple/1-Bind
|
||||||
BindDN string `bson:"bind_dn" json:"bind_dn,omitempty"` // DN to bind with
|
BindDN string `bson:"bind_dn" json:"bind_dn,omitempty"` // DN to bind with
|
||||||
BindPassword string `bson:"bind_pwd" json:"bind_pwd,omitempty"` // Bind DN password
|
BindPassword string `bson:"bind_pwd" json:"bind_pwd,omitempty"` // Bind DN password
|
||||||
|
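Review bot: The `TLSCert` and `TLSVerify` fields are commented out rather than deleted, leaving dead declarations in `Setting.LDAP`, while the `Security` field still documents its values by number (`// 0-None/1-TLS/2-StartTLS`) instead of pointing at the `LDAPSecurityNone`/`LDAPSecurityTLS`/`LDAPSecurityStartTLS` constants this hunk introduces (same for `Authentication` and `LDAPAuthSimple`/`LDAPAuthBind`). Either remove the two commented lines outright or keep the fields live so the dial code can honour them; and change the comment to `// one of LDAPSecurityNone, LDAPSecurityTLS, LDAPSecurityStartTLS`. Whether any stored documents already carry the `tls_cert`/`tls_verify` bson keys is not visible here; if they do, dropping the fields silently discards that configuration.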
@ -112,8 +112,8 @@
|
|||||||
<div class="field">
|
<div class="field">
|
||||||
<div class="control">
|
<div class="control">
|
||||||
{{ yield radio(id="ldap.security-none", name="ldap.security", value="0", label="None", checked=.Setting.LDAP.Security) content}} data-type="integer"{{end}}
|
{{ yield radio(id="ldap.security-none", name="ldap.security", value="0", label="None", checked=.Setting.LDAP.Security) content}} data-type="integer"{{end}}
|
||||||
{{ yield radio(id="ldap.security-tls", name="ldap.security", value="1", label="TLS", disabled=true) content}} data-type="integer"{{end}}
|
{{ yield radio(id="ldap.security-tls", name="ldap.security", value="1", label="TLS", checked=.Setting.LDAP.Security) content}} data-type="integer"{{end}}
|
||||||
{{ yield radio(id="ldap.security-starttls", name="ldap.security", value="2", label="StartTLS", disabled=true) content}} data-type="integer"{{end}}
|
{{ yield radio(id="ldap.security-starttls", name="ldap.security", value="2", label="StartTLS", checked=.Setting.LDAP.Security) content}} data-type="integer"{{end}}
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|