From d5205c74cfe8a66cf4fa176b86a249e5f55c8501 Mon Sep 17 00:00:00 2001
From: lanrenwo
Date: Thu, 12 Jan 2023 10:09:33 +0800
Subject: [PATCH] =?UTF-8?q?=E5=85=BC=E5=AE=B9=E7=BE=A4=E6=99=96LDAP=20Serv?=
 =?UTF-8?q?er=E7=9A=84=E5=81=9C=E7=94=A8=E8=B4=A6=E5=8F=B7=E5=8A=9F?=
 =?UTF-8?q?=E8=83=BD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 server/dbdata/userauth_ldap.go | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/server/dbdata/userauth_ldap.go b/server/dbdata/userauth_ldap.go
index 1ade05f..9d25783 100644
--- a/server/dbdata/userauth_ldap.go
+++ b/server/dbdata/userauth_ldap.go
@@ -8,6 +8,7 @@ import (
 	"net"
 	"reflect"
 	"regexp"
+	"strconv"
 	"time"
 
 	"github.com/go-ldap/ldap"
@@ -117,6 +118,10 @@ func (auth AuthLdap) checkUser(name, pwd string, g *Group) error {
 		}
 		return fmt.Errorf("LDAP发现 %s 用户,存在多个账号", name)
 	}
+	err = parseEntries(sr)
+	if err != nil {
+		return fmt.Errorf("LDAP %s 用户 %s", name, err.Error())
+	}
 	userDN := sr.Entries[0].DN
 	err = l.Bind(userDN, pwd)
 	if err != nil {
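Review bot: `err = parseEntries(sr)` runs before `l.Bind(userDN, pwd)`, so the distinct `账号已停用` / `账号已过期` errors are produced for a caller who has not yet proven the password; if the login path surfaces that error text, anyone can probe which accounts are disabled or expired without credentials. Move the status check after the bind succeeds, or collapse it into the same failure the bad-password path returns and log the detail server-side. With `%w` instead of `%s` and `err.Error()` the caller can still inspect the underlying status error: `return fmt.Errorf("LDAP %s 用户 %w", name, err)`. checkUser begins before this hunk and continues after it, so where the bad-password error is built is not visible here.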
@@ -125,6 +130,32 @@ func (auth AuthLdap) checkUser(name, pwd string, g *Group) error {
 	return nil
 }
 
+func parseEntries(sr *ldap.SearchResult) error {
+	for _, attr := range sr.Entries[0].Attributes {
+		switch attr.Name {
+		case "shadowExpire":
+			// -1 启用, 1 停用, >1 从1970-01-01至到期日的天数
+			val, _ := strconv.ParseInt(attr.Values[0], 10, 64)
+			if val == -1 {
+				return nil
+			}
+			if val == 1 {
+				return fmt.Errorf("账号已停用")
+			}
+			if val > 1 {
+				expireTime := time.Unix(val*86400, 0)
+				t := time.Date(expireTime.Year(), expireTime.Month(), expireTime.Day(), 23, 59, 59, 0, time.Local)
+				if t.Before(time.Now()) {
+					return fmt.Errorf("账号已过期(过期日期: %s)", t.Format("2006-01-02"))
+				}
+				return nil
+			}
+			return fmt.Errorf("账号shadowExpire值异常: %d", val)
+		}
+	}
+	return nil
+}
+
 func ValidateDomainPort(addr string) bool {
 	re := regexp.MustCompile(`^([a-zA-Z0-9][-a-zA-Z0-9]{0,62}\.)+[A-Za-z]{2,18}\:([0-9]|[1-9]\d{1,3}|[1-5]\d{4}|6[0-5]{2}[0-3][0-5])$`)
 	return re.MatchString(addr)
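Review bot: `attr.Values[0]` in the `case "shadowExpire":` branch is indexed without checking that the attribute carries a value, so an entry whose `shadowExpire` attribute is present but empty panics the authentication call instead of failing closed. The `strconv.ParseInt` error is also discarded with `_`, so a non-numeric value is reported as `账号shadowExpire值异常: 0` rather than as a parse failure, and the bad value itself is lost. Guard both: `if len(attr.Values) == 0 { return fmt.Errorf("账号shadowExpire值为空") }` before the parse, then `val, err := strconv.ParseInt(attr.Values[0], 10, 64); if err != nil { return fmt.Errorf("账号shadowExpire值异常: %q", attr.Values[0]) }`. The function also dereferences `sr.Entries[0]` unconditionally, which is safe only because the caller has already rejected empty results; a one-line doc comment on parseEntries stating that precondition would keep a future caller from tripping it.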