diff --git a/README.md b/README.md
index 2622f03..027e5a7 100644
--- a/README.md
+++ b/README.md
@@ -53,6 +53,8 @@ AnyLink 服务端仅在 CentOS 7、Ubuntu 18.04 测试通过,如需要安装
> 对于线上环境,必须申请安全的 https 证书,不支持私有证书连接
>
> 客户端请使用群共享文件的版本,其他版本没有测试过,不保证使用正常
+>
+> 首次使用,请在浏览器访问 https://域名:443,浏览器提示安全后,在客户端输入 【域名:443】 即可
### 自行编译安装
@@ -73,6 +75,7 @@ sudo ./anylink
# 默认账号 密码
# admin 123456
+
```
## Feature
@@ -97,6 +100,7 @@ sudo ./anylink
- [x] IP 访问审计功能
- [x] 域名动态拆分隧道(域名路由功能)
- [x] radius认证支持
+- [x] LDAP认证支持
- [ ] 基于 ipvtap 设备的桥接访问模式
## Config
@@ -288,9 +292,11 @@ sh bridge-init.sh
## Discussion
-添加 QQ 群: 567510628
+添加微信群: 群共享文件有相关软件下载
+
+
+
-QQ 群共享文件有相关软件下载
## Contribution
diff --git a/doc/screenshot/contact_me_qr.png b/doc/screenshot/contact_me_qr.png
new file mode 100644
index 0000000..6b238f7
Binary files /dev/null and b/doc/screenshot/contact_me_qr.png differ
diff --git a/server/dbdata/group.go b/server/dbdata/group.go
index 112805d..7e731cf 100644
--- a/server/dbdata/group.go
+++ b/server/dbdata/group.go
@@ -159,8 +159,7 @@ func SetGroup(g *Group) error {
if authType == "local" {
g.Auth = defAuth
} else {
- _, ok := authRegistry[authType]
- if !ok {
+ if _, ok := authRegistry[authType]; !ok {
return errors.New("未知的认证方式: " + authType)
}
auth := makeInstance(authType).(IUserAuth)
@@ -168,6 +167,11 @@ func SetGroup(g *Group) error {
if err != nil {
return err
}
+ // 重置Auth, 删除多余的key
+ g.Auth = map[string]interface{}{
+ "type": authType,
+ authType: g.Auth[authType],
+ }
}
g.UpdatedAt = time.Now()
diff --git a/server/dbdata/group_test.go b/server/dbdata/group_test.go
index 7d27c7f..8b79b60 100644
--- a/server/dbdata/group_test.go
+++ b/server/dbdata/group_test.go
@@ -41,8 +41,24 @@ func TestGetGroupNames(t *testing.T) {
err = SetGroup(&g6)
ast.Nil(err)
+ authData = map[string]interface{}{
+ "type": "ldap",
+ "ldap": map[string]interface{}{
+ "addr": "192.168.8.12:389",
+ "tls": true,
+ "bind_name": "userfind@abc.com",
+ "bind_pwd": "afdbfdsafds",
+ "base_dn": "dc=abc,dc=com",
+ "search_attr": "sAMAccountName",
+ "member_of": "cn=vpn,cn=user,dc=abc,dc=com",
+ },
+ }
+ g7 := Group{Name: "g7", ClientDns: []ValData{{Val: "114.114.114.114"}}, Auth: authData}
+ err = SetGroup(&g7)
+ ast.Nil(err)
+
// 判断所有数据
- gAll := []string{"g1", "g2", "g3", "g4", "g5", "g6"}
+ gAll := []string{"g1", "g2", "g3", "g4", "g5", "g6", "g7"}
gs := GetGroupNames()
for _, v := range gs {
ast.Equal(true, utils.InArrStr(gAll, v))
diff --git a/server/dbdata/tables.go b/server/dbdata/tables.go
index 56b2dbe..4ba03cd 100644
--- a/server/dbdata/tables.go
+++ b/server/dbdata/tables.go
@@ -17,7 +17,7 @@ type Group struct {
DsIncludeDomains string `json:"ds_include_domains" xorm:"Text"`
LinkAcl []GroupLinkAcl `json:"link_acl" xorm:"Text"`
Bandwidth int `json:"bandwidth" xorm:"Int"` // 带宽限制
- Auth map[string]interface{} `json:"auth" xorm:"not null default '{}' varchar(255)"` // 认证方式
+ Auth map[string]interface{} `json:"auth" xorm:"not null default '{}' varchar(500)"` // 认证方式
Status int8 `json:"status" xorm:"Int"` // 1正常
CreatedAt time.Time `json:"created_at" xorm:"DateTime created"`
UpdatedAt time.Time `json:"updated_at" xorm:"DateTime updated"`
diff --git a/server/dbdata/user_test.go b/server/dbdata/user_test.go
index 8e46dcc..d9f3a69 100644
--- a/server/dbdata/user_test.go
+++ b/server/dbdata/user_test.go
@@ -56,7 +56,6 @@ func TestCheckUser(t *testing.T) {
err = CheckUser("aaa", "bbbbbbb", group2)
if ast.NotNil(err) {
ast.Equal("aaa Radius服务器连接异常, 请检测服务器和端口", err.Error())
-
}
// 添加用户策略
dns2 := []ValData{{Val: "8.8.8.8"}}
@@ -66,4 +65,25 @@ func TestCheckUser(t *testing.T) {
ast.Nil(err)
err = CheckUser("aaa", u.PinCode, group)
ast.Nil(err)
+ // 添加一个ldap组
+ group3 := "group3"
+ authData = map[string]interface{}{
+ "type": "ldap",
+ "ldap": map[string]interface{}{
+ "addr": "192.168.8.12:389",
+ "tls": true,
+ "bind_name": "userfind@abc.com",
+ "bind_pwd": "afdbfdsafds",
+ "base_dn": "dc=abc,dc=com",
+ "search_attr": "sAMAccountName",
+ "member_of": "cn=vpn,cn=user,dc=abc,dc=com",
+ },
+ }
+ g3 := Group{Name: group3, Status: 1, ClientDns: dns, RouteInclude: route, Auth: authData}
+ err = SetGroup(&g3)
+ ast.Nil(err)
+ err = CheckUser("aaa", "bbbbbbb", group3)
+ if ast.NotNil(err) {
+ ast.Equal("aaa LDAP服务器连接异常, 请检测服务器和端口", err.Error())
+ }
}
diff --git a/server/dbdata/userauth_ldap.go b/server/dbdata/userauth_ldap.go
new file mode 100644
index 0000000..1ade05f
--- /dev/null
+++ b/server/dbdata/userauth_ldap.go
@@ -0,0 +1,136 @@
+package dbdata
+
+import (
+ "crypto/tls"
+ "encoding/json"
+ "errors"
+ "fmt"
+ "net"
+ "reflect"
+ "regexp"
+ "time"
+
+ "github.com/go-ldap/ldap"
+)
+
+type AuthLdap struct {
+ Addr string `json:"addr"`
+ Tls bool `json:"tls"`
+ BindName string `json:"bind_name"`
+ BindPwd string `json:"bind_pwd"`
+ BaseDn string `json:"base_dn"`
+ SearchAttr string `json:"search_attr"`
+ MemberOf string `json:"member_of"`
+}
+
+func init() {
+ authRegistry["ldap"] = reflect.TypeOf(AuthLdap{})
+}
+
+func (auth AuthLdap) checkData(authData map[string]interface{}) error {
+ authType := authData["type"].(string)
+ bodyBytes, err := json.Marshal(authData[authType])
+ if err != nil {
+ return errors.New("LDAP配置填写有误")
+ }
+ json.Unmarshal(bodyBytes, &auth)
+ // 支持域名和IP, 必须填写端口
+ if !ValidateIpPort(auth.Addr) && !ValidateDomainPort(auth.Addr) {
+ return errors.New("LDAP的服务器地址(含端口)填写有误")
+ }
+ if auth.BindName == "" {
+ return errors.New("LDAP的管理员账号不能为空")
+ }
+ if auth.BindPwd == "" {
+ return errors.New("LDAP的管理员密码不能为空")
+ }
+ if auth.BaseDn == "" || !ValidateDN(auth.BaseDn) {
+ return errors.New("LDAP的Base DN填写有误")
+ }
+ if auth.SearchAttr == "" {
+ return errors.New("LDAP的用户唯一ID不能为空")
+ }
+ if auth.MemberOf != "" && !ValidateDN(auth.MemberOf) {
+ return errors.New("LDAP的受限用户组填写有误")
+ }
+ return nil
+}
+
+func (auth AuthLdap) checkUser(name, pwd string, g *Group) error {
+ pl := len(pwd)
+ if name == "" || pl < 1 {
+ return fmt.Errorf("%s %s", name, "密码错误")
+ }
+ authType := g.Auth["type"].(string)
+ if _, ok := g.Auth[authType]; !ok {
+ return fmt.Errorf("%s %s", name, "LDAP的ldap值不存在")
+ }
+ bodyBytes, err := json.Marshal(g.Auth[authType])
+ if err != nil {
+ return fmt.Errorf("%s %s", name, "LDAP Marshal出现错误")
+ }
+ err = json.Unmarshal(bodyBytes, &auth)
+ if err != nil {
+ return fmt.Errorf("%s %s", name, "LDAP Unmarshal出现错误")
+ }
+ // 检测服务器和端口的可用性
+ con, err := net.DialTimeout("tcp", auth.Addr, 3*time.Second)
+ if err != nil {
+ return fmt.Errorf("%s %s", name, "LDAP服务器连接异常, 请检测服务器和端口")
+ }
+ defer con.Close()
+ // 连接LDAP
+ l, err := ldap.Dial("tcp", auth.Addr)
+ if err != nil {
+ return fmt.Errorf("LDAP连接失败 %s %s", auth.Addr, err.Error())
+ }
+ defer l.Close()
+ if auth.Tls {
+ err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})
+ if err != nil {
+ return fmt.Errorf("%s LDAP TLS连接失败 %s", name, err.Error())
+ }
+ }
+ err = l.Bind(auth.BindName, auth.BindPwd)
+ if err != nil {
+ return fmt.Errorf("%s LDAP 管理员账号或密码填写有误 %s", name, err.Error())
+ }
+ filterAttr := "(objectClass=person)"
+ filterAttr += "(" + auth.SearchAttr + "=" + name + ")"
+ if auth.MemberOf != "" {
+ filterAttr += "(memberOf:=" + auth.MemberOf + ")"
+ }
+ searchRequest := ldap.NewSearchRequest(
+ auth.BaseDn,
+ ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 3, false,
+ fmt.Sprintf("(&%s)", filterAttr),
+ []string{},
+ nil,
+ )
+ sr, err := l.Search(searchRequest)
+ if err != nil {
+ return fmt.Errorf("%s LDAP 查询失败 %s %s %s", name, auth.BaseDn, filterAttr, err.Error())
+ }
+ if len(sr.Entries) != 1 {
+ if len(sr.Entries) == 0 {
+ return fmt.Errorf("LDAP 找不到 %s 用户, 请检查用户或LDAP配置参数", name)
+ }
+ return fmt.Errorf("LDAP发现 %s 用户,存在多个账号", name)
+ }
+ userDN := sr.Entries[0].DN
+ err = l.Bind(userDN, pwd)
+ if err != nil {
+ return fmt.Errorf("%s LDAP 登入失败,请检查登入的账号或密码 %s", name, err.Error())
+ }
+ return nil
+}
+
+func ValidateDomainPort(addr string) bool {
+ re := regexp.MustCompile(`^([a-zA-Z0-9][-a-zA-Z0-9]{0,62}\.)+[A-Za-z]{2,18}\:([0-9]|[1-9]\d{1,3}|[1-5]\d{4}|6[0-5]{2}[0-3][0-5])$`)
+ return re.MatchString(addr)
+}
+
+func ValidateDN(dn string) bool {
+ re := regexp.MustCompile(`^(?:(?:CN|cn|OU|ou|DC|dc)\=[^,'"]+,)*(?:CN|cn|OU|ou|DC|dc)\=[^,'"]+$`)
+ return re.MatchString(dn)
+}
diff --git a/server/go.mod b/server/go.mod
index 4f3d552..55df247 100644
--- a/server/go.mod
+++ b/server/go.mod
@@ -4,6 +4,8 @@ go 1.16
require (
github.com/StackExchange/wmi v1.2.1 // indirect
+ github.com/go-ldap/ldap v3.0.3+incompatible // indirect
+ github.com/go-ldap/ldap/v3 v3.4.3 // indirect
github.com/go-sql-driver/mysql v1.6.0
github.com/golang-jwt/jwt/v4 v4.0.0
github.com/google/gopacket v1.1.19
@@ -22,9 +24,10 @@ require (
github.com/tklauser/go-sysconf v0.3.7 // indirect
github.com/xhit/go-simple-mail/v2 v2.10.0
github.com/xlzd/gotp v0.0.0-20181030022105-c8557ba2c119
- golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97
- golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d
+ golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29
+ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2
golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac
+ gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
xorm.io/xorm v1.2.2
)
diff --git a/web/src/pages/group/List.vue b/web/src/pages/group/List.vue
index 7a1b08b..72ab1b9 100644
--- a/web/src/pages/group/List.vue
+++ b/web/src/pages/group/List.vue
@@ -168,10 +168,11 @@
title="用户组"
:visible.sync="user_edit_dialog"
width="750px"
+ @close='closeDialog'
center>
-
+
@@ -228,22 +229,45 @@
-
+
本地
Radius
+ LDAP
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -336,7 +360,7 @@
保存
- 取消
+ 取消
@@ -368,6 +392,19 @@ export default {
activeTab : "general",
readMore: {},
readMinRows : 5,
+ defAuth : {
+ type:'local',
+ radius:{addr:"", secret:""},
+ ldap:{
+ addr:"",
+ tls:false,
+ base_dn:"",
+ search_attr:"sAMAccountName",
+ member_of:"",
+ bind_name:"",
+ bind_pwd:"",
+ },
+ },
ruleForm: {
bandwidth: 0,
status: 1,
@@ -376,7 +413,7 @@ export default {
route_include: [{val: 'all', note: '默认全局代理'}],
route_exclude: [],
link_acl: [],
- auth : {"type":'local'}
+ auth : {},
},
rules: {
name: [
@@ -390,17 +427,37 @@ export default {
status: [
{required: true}
],
+ "auth.radius.addr": [
+ {required: true, message: '请输入Radius服务器', trigger: 'blur'}
+ ],
+ "auth.radius.secret": [
+ {required: true, message: '请输入Radius密钥', trigger: 'blur'}
+ ],
+ "auth.ldap.addr": [
+ {required: true, message: '请输入服务器地址(含端口)', trigger: 'blur'}
+ ],
+ "auth.ldap.bind_name": [
+ {required: true, message: '请输入管理员账号', trigger: 'blur'}
+ ],
+ "auth.ldap.bind_pwd": [
+ {required: true, message: '请输入管理员密码', trigger: 'blur'}
+ ],
+ "auth.ldap.base_dn": [
+ {required: true, message: '请输入Base DN值', trigger: 'blur'}
+ ],
+ "auth.ldap.search_attr": [
+ {required: true, message: '请输入用户唯一ID', trigger: 'blur'}
+ ],
},
}
},
methods: {
setAuthData(row) {
- var defAuthData = {"type":'local',
- "radius":{"addr":"", "secret":""},
- }
- if (this.ruleForm.auth.type == "local" || !row) {
- this.ruleForm.auth = defAuthData;
- }
+ if (! row) {
+ this.ruleForm.auth = JSON.parse(JSON.stringify(this.defAuth));
+ return ;
+ }
+ this.ruleForm.auth = Object.assign(JSON.parse(JSON.stringify(this.defAuth)), row.auth);
},
handleDel(row) {
axios.post('/group/del?id=' + row.id).then(resp => {
@@ -417,10 +474,9 @@ export default {
console.log(error);
});
},
- handleEdit(row) {
+ handleEdit(row) {
!this.$refs['ruleForm'] || this.$refs['ruleForm'].resetFields();
- console.log(row)
- this.activeTab = "general"
+ console.log(row)
this.user_edit_dialog = true
if (!row) {
this.setAuthData(row)
@@ -503,6 +559,27 @@ export default {
this.$set(this.readMore, id, true);
}
},
+ authTypeChange() {
+ this.$refs['ruleForm'].clearValidate();
+ },
+ beforeTabLeave() {
+ var isSwitch = true
+ if (! this.user_edit_dialog) {
+ return isSwitch;
+ }
+ this.$refs['ruleForm'].validate((valid) => {
+ if (!valid) {
+ this.$message.error("错误:您有必填项没有填写。")
+ isSwitch = false;
+ return false;
+ }
+ });
+ return isSwitch;
+ },
+ closeDialog() {
+ this.user_edit_dialog = false;
+ this.activeTab = "general";
+ }
},
}
diff --git a/web/src/pages/user/Policy.vue b/web/src/pages/user/Policy.vue
index b2a852e..848a38e 100644
--- a/web/src/pages/user/Policy.vue
+++ b/web/src/pages/user/Policy.vue
@@ -136,10 +136,11 @@
:visible.sync="user_edit_dialog"
width="750px"
top="50px"
+ @close='closeDialog'
center>
-
+
@@ -283,7 +284,7 @@ export default {
re_upper_limit : 0,
},
rules: {
- name: [
+ username: [
{required: true, message: '请输入用户名', trigger: 'blur'},
{max: 30, message: '长度小于 30 个字符', trigger: 'blur'}
],
@@ -398,7 +399,25 @@ export default {
} else {
this.$set(this.readMore, id, true);
}
- },
+ },
+ beforeTabLeave() {
+ var isSwitch = true
+ if (! this.user_edit_dialog) {
+ return isSwitch;
+ }
+ this.$refs['ruleForm'].validate((valid) => {
+ if (!valid) {
+ this.$message.error("错误:您有必填项没有填写。")
+ isSwitch = false;
+ return false;
+ }
+ });
+ return isSwitch;
+ },
+ closeDialog() {
+ this.user_edit_dialog = false;
+ this.activeTab = "general";
+ },
},
}