auth with ldap

2025-08-07 23:34:00 +08:00 · 2020-04-01 20:30:44 +08:00
parent c31be0f753
commit 036e1d236b
6 changed files with 39 additions and 2 deletions
--- a/cmdb-api/api/lib/perm/auth.py
+++ b/cmdb-api/api/lib/perm/auth.py
@@ -13,8 +13,8 @@ from flask import request
 from flask import session
 from flask_login import login_user

-from api.models.acl import User
 from api.lib.perm.acl.cache import UserCache
+from api.models.acl import User


 def _auth_with_key():
--- a/cmdb-api/api/models/acl.py
+++ b/cmdb-api/api/models/acl.py
@@ -5,6 +5,7 @@ import copy
 import hashlib
 from datetime import datetime

+import ldap
 from flask import current_app
 from flask_sqlalchemy import BaseQuery

@@ -50,6 +51,32 @@ class UserQuery(BaseQuery):

        return user, authenticated

+    def authenticate_with_ldap(self, username, password):
+        ldap_conn = ldap.initialize(current_app.config.get('LDAP_SERVER'))
+        ldap_conn.protocol_version = 3
+        ldap_conn.set_option(ldap.OPT_REFERRALS, 0)
+        if '@' in username:
+            who = '{0}@{1}'.format(username.split('@')[0], current_app.config.get('LDAP_DOMAIN'))
+        else:
+            who = '{0}@{1}'.format(username, current_app.config.get('LDAP_DOMAIN'))
+
+        username = username.split('@')[0]
+        user = self.get_by_username(username)
+        try:
+
+            if not password:
+                raise ldap.INVALID_CREDENTIALS
+
+            ldap_conn.simple_bind_s(who, password)
+
+            if not user:
+                from api.lib.perm.acl.user import UserCRUD
+                user = UserCRUD.add(username=username, email=who)
+
+            return user, True
+        except ldap.INVALID_CREDENTIALS:
+            return user, False
+
    def search(self, key):
        query = self.filter(db.or_(User.email == key,
                                   User.nickname.ilike('%' + key + '%'),
--- a/cmdb-api/api/views/account.py
+++ b/cmdb-api/api/views/account.py
@@ -26,7 +26,10 @@ class LoginView(APIView):
    def post(self):
        username = request.values.get("username") or request.values.get("email")
        password = request.values.get("password")
-        user, authenticated = User.query.authenticate(username, password)
+        if current_app.config.get('AUTH_WITH_LDAP'):
+            user, authenticated = User.query.authenticate_with_ldap(username, password)
+        else:
+            user, authenticated = User.query.authenticate(username, password)
        if not user:
            return abort(403, "User <{0}> does not exist".format(username))
        if not authenticated: