新增LDAP认证方式

2025-08-08 14:04:16 +08:00 · 2022-07-04 12:55:04 +08:00
parent 918859cc62
commit d1414c6b5d
6 changed files with 260 additions and 25 deletions
--- a/server/dbdata/group.go
+++ b/server/dbdata/group.go
@@ -159,8 +159,7 @@ func SetGroup(g *Group) error {
 	if authType == "local" {
 		g.Auth = defAuth
 	} else {
-		_, ok := authRegistry[authType]
-		if !ok {
+		if _, ok := authRegistry[authType]; !ok {
 			return errors.New("未知的认证方式: " + authType)
 		}
 		auth := makeInstance(authType).(IUserAuth)
@@ -168,6 +167,11 @@ func SetGroup(g *Group) error {
 		if err != nil {
 			return err
 		}
+		// 重置Auth， 删除多余的key
+		g.Auth = map[string]interface{}{
+			"type":   authType,
+			authType: g.Auth[authType],
+		}
 	}

 	g.UpdatedAt = time.Now()
--- a/server/dbdata/group_test.go
+++ b/server/dbdata/group_test.go
@@ -41,8 +41,24 @@ func TestGetGroupNames(t *testing.T) {
 	err = SetGroup(&g6)
 	ast.Nil(err)

+	authData = map[string]interface{}{
+		"type": "ldap",
+		"ldap": map[string]interface{}{
+			"addr":        "192.168.8.12:389",
+			"tls":         true,
+			"bind_name":   "userfind@abc.com",
+			"bind_pwd":    "afdbfdsafds",
+			"base_dn":     "dc=abc,dc=com",
+			"search_attr": "sAMAccountName",
+			"member_of":   "cn=vpn,cn=user,dc=abc,dc=com",
+		},
+	}
+	g7 := Group{Name: "g7", ClientDns: []ValData{{Val: "114.114.114.114"}}, Auth: authData}
+	err = SetGroup(&g7)
+	ast.Nil(err)
+
 	// 判断所有数据
-	gAll := []string{"g1", "g2", "g3", "g4", "g5", "g6"}
+	gAll := []string{"g1", "g2", "g3", "g4", "g5", "g6", "g7"}
 	gs := GetGroupNames()
 	for _, v := range gs {
 		ast.Equal(true, utils.InArrStr(gAll, v))
--- a/server/dbdata/tables.go
+++ b/server/dbdata/tables.go
@@ -17,7 +17,7 @@ type Group struct {
 	DsIncludeDomains string                 `json:"ds_include_domains" xorm:"Text"`
 	LinkAcl          []GroupLinkAcl         `json:"link_acl" xorm:"Text"`
 	Bandwidth        int                    `json:"bandwidth" xorm:"Int"`                           // 带宽限制
-	Auth             map[string]interface{} `json:"auth" xorm:"not null default '{}' varchar(255)"` // 认证方式
+	Auth             map[string]interface{} `json:"auth" xorm:"not null default '{}' varchar(500)"` // 认证方式
 	Status           int8                   `json:"status" xorm:"Int"`                              // 1正常
 	CreatedAt        time.Time              `json:"created_at" xorm:"DateTime created"`
 	UpdatedAt        time.Time              `json:"updated_at" xorm:"DateTime updated"`
--- a/server/dbdata/user_test.go
+++ b/server/dbdata/user_test.go
@@ -56,7 +56,6 @@ func TestCheckUser(t *testing.T) {
 	err = CheckUser("aaa", "bbbbbbb", group2)
 	if ast.NotNil(err) {
 		ast.Equal("aaa Radius服务器连接异常, 请检测服务器和端口", err.Error())
-
 	}
 	// 添加用户策略
 	dns2 := []ValData{{Val: "8.8.8.8"}}
@@ -66,4 +65,25 @@ func TestCheckUser(t *testing.T) {
 	ast.Nil(err)
 	err = CheckUser("aaa", u.PinCode, group)
 	ast.Nil(err)
+	// 添加一个ldap组
+	group3 := "group3"
+	authData = map[string]interface{}{
+		"type": "ldap",
+		"ldap": map[string]interface{}{
+			"addr":        "192.168.8.12:389",
+			"tls":         true,
+			"bind_name":   "userfind@abc.com",
+			"bind_pwd":    "afdbfdsafds",
+			"base_dn":     "dc=abc,dc=com",
+			"search_attr": "sAMAccountName",
+			"member_of":   "cn=vpn,cn=user,dc=abc,dc=com",
+		},
+	}
+	g3 := Group{Name: group3, Status: 1, ClientDns: dns, RouteInclude: route, Auth: authData}
+	err = SetGroup(&g3)
+	ast.Nil(err)
+	err = CheckUser("aaa", "bbbbbbb", group3)
+	if ast.NotNil(err) {
+		ast.Equal("aaa LDAP服务器连接异常, 请检测服务器和端口", err.Error())
+	}
 }
--- a/server/dbdata/userauth_ldap.go
+++ b/server/dbdata/userauth_ldap.go
@@ -0,0 +1,136 @@
+package dbdata
+
+import (
+	"crypto/tls"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net"
+	"reflect"
+	"regexp"
+	"time"
+
+	"github.com/go-ldap/ldap"
+)
+
+type AuthLdap struct {
+	Addr       string `json:"addr"`
+	Tls        bool   `json:"tls"`
+	BindName   string `json:"bind_name"`
+	BindPwd    string `json:"bind_pwd"`
+	BaseDn     string `json:"base_dn"`
+	SearchAttr string `json:"search_attr"`
+	MemberOf   string `json:"member_of"`
+}
+
+func init() {
+	authRegistry["ldap"] = reflect.TypeOf(AuthLdap{})
+}
+
+func (auth AuthLdap) checkData(authData map[string]interface{}) error {
+	authType := authData["type"].(string)
+	bodyBytes, err := json.Marshal(authData[authType])
+	if err != nil {
+		return errors.New("LDAP配置填写有误")
+	}
+	json.Unmarshal(bodyBytes, &auth)
+	// 支持域名和IP, 必须填写端口
+	if !ValidateIpPort(auth.Addr) && !ValidateDomainPort(auth.Addr) {
+		return errors.New("LDAP的服务器地址(含端口)填写有误")
+	}
+	if auth.BindName == "" {
+		return errors.New("LDAP的用户查询账号不能为空")
+	}
+	if auth.BindPwd == "" {
+		return errors.New("LDAP的用户查询密码不能为空")
+	}
+	if auth.BaseDn == "" || !ValidateDN(auth.BaseDn) {
+		return errors.New("LDAP的BaseName填写有误")
+	}
+	if auth.SearchAttr == "" {
+		return errors.New("LDAP的搜索属性不能为空")
+	}
+	if auth.MemberOf != "" && !ValidateDN(auth.MemberOf) {
+		return errors.New("LDAP的绑定DN填写有误")
+	}
+	return nil
+}
+
+func (auth AuthLdap) checkUser(name, pwd string, g *Group) error {
+	pl := len(pwd)
+	if name == "" || pl < 1 {
+		return fmt.Errorf("%s %s", name, "密码错误")
+	}
+	authType := g.Auth["type"].(string)
+	if _, ok := g.Auth[authType]; !ok {
+		return fmt.Errorf("%s %s", name, "LDAP的ldap值不存在")
+	}
+	bodyBytes, err := json.Marshal(g.Auth[authType])
+	if err != nil {
+		return fmt.Errorf("%s %s", name, "LDAP Marshal出现错误")
+	}
+	err = json.Unmarshal(bodyBytes, &auth)
+	if err != nil {
+		return fmt.Errorf("%s %s", name, "LDAP Unmarshal出现错误")
+	}
+	// 检测服务器和端口的可用性
+	_, err = net.DialTimeout("tcp", auth.Addr, 3*time.Second)
+	if err != nil {
+		return fmt.Errorf("%s %s", name, "LDAP服务器连接异常, 请检测服务器和端口")
+	}
+	// 连接LDAP
+	l, err := ldap.Dial("tcp", auth.Addr)
+	if err != nil {
+		return fmt.Errorf("LDAP连接失败 %s %s", auth.Addr, err.Error())
+	}
+	defer l.Close()
+	if auth.Tls {
+		err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})
+		if err != nil {
+			return fmt.Errorf("%s LDAP TLS连接失败 %s", name, err.Error())
+		}
+	}
+	err = l.Bind(auth.BindName, auth.BindPwd)
+	if err != nil {
+		return fmt.Errorf("%s LDAP 查询用户的账密有误,请重新检查 %s", name, err.Error())
+	}
+	filterAttr := "(objectClass=person)"
+	filterAttr += "(" + auth.SearchAttr + "=" + name + ")"
+	if auth.MemberOf != "" {
+		filterAttr += "(memberOf:=" + auth.MemberOf + ")"
+	}
+	searchRequest := ldap.NewSearchRequest(
+		auth.BaseDn,
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 3, false,
+		fmt.Sprintf("(&%s)", filterAttr),
+		[]string{},
+		nil,
+	)
+	sr, err := l.Search(searchRequest)
+	if err != nil {
+		return fmt.Errorf("%s LDAP 查询失败 %s %s %s", name, auth.BaseDn, filterAttr, err.Error())
+	}
+	if len(sr.Entries) != 1 {
+		if len(sr.Entries) == 0 {
+			return fmt.Errorf("LDAP 找不到 %s 用户, 请检查用户或LDAP配置参数", name)
+		}
+		return fmt.Errorf("LDAP发现 %s 用户，存在多个账号", name)
+	}
+	userDN := sr.Entries[0].DN
+	fmt.Println(userDN)
+	err = l.Bind(userDN, pwd)
+	if err != nil {
+		return fmt.Errorf("%s LDAP 登入失败，请检查登入的账号或密码 %s", name, err.Error())
+	}
+	return nil
+}
+
+func ValidateDomainPort(addr string) bool {
+	re := regexp.MustCompile(`^([a-zA-Z0-9][-a-zA-Z0-9]{0,62}\.)+[A-Za-z]{2,18}\:([0-9]|[1-9]\d{1,3}|[1-5]\d{4}|6[0-5]{2}[0-3][0-5])$`)
+	return re.MatchString(addr)
+}
+
+func ValidateDN(dn string) bool {
+	re := regexp.MustCompile(`^(?:(?:CN|cn|OU|ou|DC|dc)\=[^,'"]+,)*(?:CN|cn|OU|ou|DC|dc)\=[^,'"]+$`)
+	return re.MatchString(dn)
+}