diff --git a/server/dbdata/group.go b/server/dbdata/group.go
index 112805d..7e731cf 100644
--- a/server/dbdata/group.go
+++ b/server/dbdata/group.go
@@ -159,8 +159,7 @@ func SetGroup(g *Group) error {
if authType == "local" {
g.Auth = defAuth
} else {
- _, ok := authRegistry[authType]
- if !ok {
+ if _, ok := authRegistry[authType]; !ok {
return errors.New("未知的认证方式: " + authType)
}
auth := makeInstance(authType).(IUserAuth)
@@ -168,6 +167,11 @@ func SetGroup(g *Group) error {
if err != nil {
return err
}
+ // 重置Auth, 删除多余的key
+ g.Auth = map[string]interface{}{
+ "type": authType,
+ authType: g.Auth[authType],
+ }
}
g.UpdatedAt = time.Now()
diff --git a/server/dbdata/group_test.go b/server/dbdata/group_test.go
index 7d27c7f..8b79b60 100644
--- a/server/dbdata/group_test.go
+++ b/server/dbdata/group_test.go
@@ -41,8 +41,24 @@ func TestGetGroupNames(t *testing.T) {
err = SetGroup(&g6)
ast.Nil(err)
+ authData = map[string]interface{}{
+ "type": "ldap",
+ "ldap": map[string]interface{}{
+ "addr": "192.168.8.12:389",
+ "tls": true,
+ "bind_name": "userfind@abc.com",
+ "bind_pwd": "afdbfdsafds",
+ "base_dn": "dc=abc,dc=com",
+ "search_attr": "sAMAccountName",
+ "member_of": "cn=vpn,cn=user,dc=abc,dc=com",
+ },
+ }
+ g7 := Group{Name: "g7", ClientDns: []ValData{{Val: "114.114.114.114"}}, Auth: authData}
+ err = SetGroup(&g7)
+ ast.Nil(err)
+
// 判断所有数据
- gAll := []string{"g1", "g2", "g3", "g4", "g5", "g6"}
+ gAll := []string{"g1", "g2", "g3", "g4", "g5", "g6", "g7"}
gs := GetGroupNames()
for _, v := range gs {
ast.Equal(true, utils.InArrStr(gAll, v))
diff --git a/server/dbdata/tables.go b/server/dbdata/tables.go
index 56b2dbe..4ba03cd 100644
--- a/server/dbdata/tables.go
+++ b/server/dbdata/tables.go
@@ -17,7 +17,7 @@ type Group struct {
DsIncludeDomains string `json:"ds_include_domains" xorm:"Text"`
LinkAcl []GroupLinkAcl `json:"link_acl" xorm:"Text"`
Bandwidth int `json:"bandwidth" xorm:"Int"` // 带宽限制
- Auth map[string]interface{} `json:"auth" xorm:"not null default '{}' varchar(255)"` // 认证方式
+ Auth map[string]interface{} `json:"auth" xorm:"not null default '{}' varchar(500)"` // 认证方式
Status int8 `json:"status" xorm:"Int"` // 1正常
CreatedAt time.Time `json:"created_at" xorm:"DateTime created"`
UpdatedAt time.Time `json:"updated_at" xorm:"DateTime updated"`
diff --git a/server/dbdata/user_test.go b/server/dbdata/user_test.go
index 8e46dcc..d9f3a69 100644
--- a/server/dbdata/user_test.go
+++ b/server/dbdata/user_test.go
@@ -56,7 +56,6 @@ func TestCheckUser(t *testing.T) {
err = CheckUser("aaa", "bbbbbbb", group2)
if ast.NotNil(err) {
ast.Equal("aaa Radius服务器连接异常, 请检测服务器和端口", err.Error())
-
}
// 添加用户策略
dns2 := []ValData{{Val: "8.8.8.8"}}
@@ -66,4 +65,25 @@ func TestCheckUser(t *testing.T) {
ast.Nil(err)
err = CheckUser("aaa", u.PinCode, group)
ast.Nil(err)
+ // 添加一个ldap组
+ group3 := "group3"
+ authData = map[string]interface{}{
+ "type": "ldap",
+ "ldap": map[string]interface{}{
+ "addr": "192.168.8.12:389",
+ "tls": true,
+ "bind_name": "userfind@abc.com",
+ "bind_pwd": "afdbfdsafds",
+ "base_dn": "dc=abc,dc=com",
+ "search_attr": "sAMAccountName",
+ "member_of": "cn=vpn,cn=user,dc=abc,dc=com",
+ },
+ }
+ g3 := Group{Name: group3, Status: 1, ClientDns: dns, RouteInclude: route, Auth: authData}
+ err = SetGroup(&g3)
+ ast.Nil(err)
+ err = CheckUser("aaa", "bbbbbbb", group3)
+ if ast.NotNil(err) {
+ ast.Equal("aaa LDAP服务器连接异常, 请检测服务器和端口", err.Error())
+ }
}
diff --git a/server/dbdata/userauth_ldap.go b/server/dbdata/userauth_ldap.go
new file mode 100644
index 0000000..868e764
--- /dev/null
+++ b/server/dbdata/userauth_ldap.go
@@ -0,0 +1,136 @@
+package dbdata
+
+import (
+ "crypto/tls"
+ "encoding/json"
+ "errors"
+ "fmt"
+ "net"
+ "reflect"
+ "regexp"
+ "time"
+
+ "github.com/go-ldap/ldap"
+)
+
+type AuthLdap struct {
+ Addr string `json:"addr"`
+ Tls bool `json:"tls"`
+ BindName string `json:"bind_name"`
+ BindPwd string `json:"bind_pwd"`
+ BaseDn string `json:"base_dn"`
+ SearchAttr string `json:"search_attr"`
+ MemberOf string `json:"member_of"`
+}
+
+func init() {
+ authRegistry["ldap"] = reflect.TypeOf(AuthLdap{})
+}
+
+func (auth AuthLdap) checkData(authData map[string]interface{}) error {
+ authType := authData["type"].(string)
+ bodyBytes, err := json.Marshal(authData[authType])
+ if err != nil {
+ return errors.New("LDAP配置填写有误")
+ }
+ json.Unmarshal(bodyBytes, &auth)
+ // 支持域名和IP, 必须填写端口
+ if !ValidateIpPort(auth.Addr) && !ValidateDomainPort(auth.Addr) {
+ return errors.New("LDAP的服务器地址(含端口)填写有误")
+ }
+ if auth.BindName == "" {
+ return errors.New("LDAP的用户查询账号不能为空")
+ }
+ if auth.BindPwd == "" {
+ return errors.New("LDAP的用户查询密码不能为空")
+ }
+ if auth.BaseDn == "" || !ValidateDN(auth.BaseDn) {
+ return errors.New("LDAP的BaseName填写有误")
+ }
+ if auth.SearchAttr == "" {
+ return errors.New("LDAP的搜索属性不能为空")
+ }
+ if auth.MemberOf != "" && !ValidateDN(auth.MemberOf) {
+ return errors.New("LDAP的绑定DN填写有误")
+ }
+ return nil
+}
+
+func (auth AuthLdap) checkUser(name, pwd string, g *Group) error {
+ pl := len(pwd)
+ if name == "" || pl < 1 {
+ return fmt.Errorf("%s %s", name, "密码错误")
+ }
+ authType := g.Auth["type"].(string)
+ if _, ok := g.Auth[authType]; !ok {
+ return fmt.Errorf("%s %s", name, "LDAP的ldap值不存在")
+ }
+ bodyBytes, err := json.Marshal(g.Auth[authType])
+ if err != nil {
+ return fmt.Errorf("%s %s", name, "LDAP Marshal出现错误")
+ }
+ err = json.Unmarshal(bodyBytes, &auth)
+ if err != nil {
+ return fmt.Errorf("%s %s", name, "LDAP Unmarshal出现错误")
+ }
+ // 检测服务器和端口的可用性
+ _, err = net.DialTimeout("tcp", auth.Addr, 3*time.Second)
+ if err != nil {
+ return fmt.Errorf("%s %s", name, "LDAP服务器连接异常, 请检测服务器和端口")
+ }
+ // 连接LDAP
+ l, err := ldap.Dial("tcp", auth.Addr)
+ if err != nil {
+ return fmt.Errorf("LDAP连接失败 %s %s", auth.Addr, err.Error())
+ }
+ defer l.Close()
+ if auth.Tls {
+ err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})
+ if err != nil {
+ return fmt.Errorf("%s LDAP TLS连接失败 %s", name, err.Error())
+ }
+ }
+ err = l.Bind(auth.BindName, auth.BindPwd)
+ if err != nil {
+ return fmt.Errorf("%s LDAP 查询用户的账密有误,请重新检查 %s", name, err.Error())
+ }
+ filterAttr := "(objectClass=person)"
+ filterAttr += "(" + auth.SearchAttr + "=" + name + ")"
+ if auth.MemberOf != "" {
+ filterAttr += "(memberOf:=" + auth.MemberOf + ")"
+ }
+ searchRequest := ldap.NewSearchRequest(
+ auth.BaseDn,
+ ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 3, false,
+ fmt.Sprintf("(&%s)", filterAttr),
+ []string{},
+ nil,
+ )
+ sr, err := l.Search(searchRequest)
+ if err != nil {
+ return fmt.Errorf("%s LDAP 查询失败 %s %s %s", name, auth.BaseDn, filterAttr, err.Error())
+ }
+ if len(sr.Entries) != 1 {
+ if len(sr.Entries) == 0 {
+ return fmt.Errorf("LDAP 找不到 %s 用户, 请检查用户或LDAP配置参数", name)
+ }
+ return fmt.Errorf("LDAP发现 %s 用户,存在多个账号", name)
+ }
+ userDN := sr.Entries[0].DN
+ fmt.Println(userDN)
+ err = l.Bind(userDN, pwd)
+ if err != nil {
+ return fmt.Errorf("%s LDAP 登入失败,请检查登入的账号或密码 %s", name, err.Error())
+ }
+ return nil
+}
+
+func ValidateDomainPort(addr string) bool {
+ re := regexp.MustCompile(`^([a-zA-Z0-9][-a-zA-Z0-9]{0,62}\.)+[A-Za-z]{2,18}\:([0-9]|[1-9]\d{1,3}|[1-5]\d{4}|6[0-5]{2}[0-3][0-5])$`)
+ return re.MatchString(addr)
+}
+
+func ValidateDN(dn string) bool {
+ re := regexp.MustCompile(`^(?:(?:CN|cn|OU|ou|DC|dc)\=[^,'"]+,)*(?:CN|cn|OU|ou|DC|dc)\=[^,'"]+$`)
+ return re.MatchString(dn)
+}
diff --git a/web/src/pages/group/List.vue b/web/src/pages/group/List.vue
index 7a1b08b..714416f 100644
--- a/web/src/pages/group/List.vue
+++ b/web/src/pages/group/List.vue
@@ -228,22 +228,45 @@
-
+
本地
Radius
+ LDAP
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -368,6 +391,19 @@ export default {
activeTab : "general",
readMore: {},
readMinRows : 5,
+ defAuth : {
+ type:'local',
+ radius:{addr:"", secret:""},
+ ldap:{
+ addr:"",
+ tls:false,
+ base_dn:"",
+ search_attr:"sAMAccountName",
+ member_of:"",
+ bind_name:"",
+ bind_pwd:"",
+ },
+ },
ruleForm: {
bandwidth: 0,
status: 1,
@@ -376,7 +412,7 @@ export default {
route_include: [{val: 'all', note: '默认全局代理'}],
route_exclude: [],
link_acl: [],
- auth : {"type":'local'}
+ auth : {},
},
rules: {
name: [
@@ -390,17 +426,37 @@ export default {
status: [
{required: true}
],
+ "auth.radius.addr": [
+ {required: true, message: '请输入Radius服务器', trigger: 'blur'}
+ ],
+ "auth.radius.secret": [
+ {required: true, message: '请输入Radius密钥', trigger: 'blur'}
+ ],
+ "auth.ldap.addr": [
+ {required: true, message: '请输入服务器地址(含端口)', trigger: 'blur'}
+ ],
+ "auth.ldap.bind_name": [
+ {required: true, message: '请输入查询账号', trigger: 'blur'}
+ ],
+ "auth.ldap.bind_pwd": [
+ {required: true, message: '请输入查询密码', trigger: 'blur'}
+ ],
+ "auth.ldap.base_dn": [
+ {required: true, message: '请输入BaseDN值', trigger: 'blur'}
+ ],
+ "auth.ldap.search_attr": [
+ {required: true, message: '请输入搜索属性', trigger: 'blur'}
+ ],
},
}
},
methods: {
setAuthData(row) {
- var defAuthData = {"type":'local',
- "radius":{"addr":"", "secret":""},
- }
- if (this.ruleForm.auth.type == "local" || !row) {
- this.ruleForm.auth = defAuthData;
- }
+ if (! row) {
+ this.ruleForm.auth = JSON.parse(JSON.stringify(this.defAuth));
+ return ;
+ }
+ this.ruleForm.auth = Object.assign(JSON.parse(JSON.stringify(this.defAuth)), row.auth);
},
handleDel(row) {
axios.post('/group/del?id=' + row.id).then(resp => {
@@ -503,6 +559,9 @@ export default {
this.$set(this.readMore, id, true);
}
},
+ authTypeChange() {
+ this.$refs['ruleForm'].clearValidate();
+ }
},
}