Skip to content

Commit

Permalink
feat: add ldap login support (#5706)
Browse files Browse the repository at this point in the history
* feat: add ldap login support

* fix: ldap permission config group
  • Loading branch information
JeremieCHN authored Dec 31, 2023
1 parent 299bfb4 commit 697a0ed
Show file tree
Hide file tree
Showing 7 changed files with 189 additions and 0 deletions.
2 changes: 2 additions & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -198,6 +198,8 @@ require (
google.golang.org/genproto/googleapis/rpc v0.0.0-20230803162519-f966b187b2e5 // indirect
google.golang.org/grpc v1.57.0 // indirect
google.golang.org/protobuf v1.31.0 // indirect
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
gopkg.in/ldap.v3 v3.1.0 // indirect
gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
gopkg.in/square/go-jose.v2 v2.6.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
Expand Down
4 changes: 4 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -574,11 +574,15 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ
google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d h1:TxyelI5cVkbREznMhfzycHdkp5cLA7DpE+GKjSslYhM=
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
gopkg.in/ldap.v3 v3.1.0 h1:DIDWEjI7vQWREh0S8X5/NFPCZ3MCVd55LmXKPW4XLGE=
gopkg.in/ldap.v3 v3.1.0/go.mod h1:dQjCc0R0kfyFjIlWNMH1DORwUASZyDxo2Ry1B51dXaQ=
gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8=
gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
Expand Down
11 changes: 11 additions & 0 deletions internal/bootstrap/data/setting.go
Original file line number Diff line number Diff line change
Expand Up @@ -165,6 +165,17 @@ func InitialSettings() []model.SettingItem {
{Key: conf.SSODefaultDir, Value: "/", Type: conf.TypeString, Group: model.SSO, Flag: model.PRIVATE},
{Key: conf.SSODefaultPermission, Value: "0", Type: conf.TypeNumber, Group: model.SSO, Flag: model.PRIVATE},
{Key: conf.SSOCompatibilityMode, Value: "false", Type: conf.TypeBool, Group: model.SSO, Flag: model.PUBLIC},

// ldap settings
{Key: conf.LdapLoginEnabled, Value: "false", Type: conf.TypeBool, Group: model.LDAP, Flag: model.PUBLIC},
{Key: conf.LdapServer, Value: "", Type: conf.TypeString, Group: model.LDAP, Flag: model.PRIVATE},
{Key: conf.LdapManagerDN, Value: "", Type: conf.TypeString, Group: model.LDAP, Flag: model.PRIVATE},
{Key: conf.LdapManagerPassword, Value: "", Type: conf.TypeString, Group: model.LDAP, Flag: model.PRIVATE},
{Key: conf.LdapUserSearchBase, Value: "", Type: conf.TypeString, Group: model.LDAP, Flag: model.PRIVATE},
{Key: conf.LdapUserSearchFilter, Value: "(uid=%s)", Type: conf.TypeString, Group: model.LDAP, Flag: model.PRIVATE},
{Key: conf.LdapDefaultDir, Value: "/", Type: conf.TypeString, Group: model.LDAP, Flag: model.PRIVATE},
{Key: conf.LdapDefaultPermission, Value: "0", Type: conf.TypeNumber, Group: model.LDAP, Flag: model.PRIVATE},
{Key: conf.LdapLoginTips, Value: "login with ldap", Type: conf.TypeString, Group: model.LDAP, Flag: model.PUBLIC},
}
initialSettingItems = append(initialSettingItems, tool.Tools.Items()...)
if flags.Dev {
Expand Down
11 changes: 11 additions & 0 deletions internal/conf/const.go
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,17 @@ const (
SSODefaultPermission = "sso_default_permission"
SSOCompatibilityMode = "sso_compatibility_mode"

//ldap
LdapLoginEnabled = "ldap_login_enabled"
LdapServer = "ldap_server"
LdapManagerDN = "ldap_manager_dn"
LdapManagerPassword = "ldap_manager_password"
LdapUserSearchBase = "ldap_user_search_base"
LdapUserSearchFilter = "ldap_user_search_filter"
LdapDefaultPermission = "ldap_default_permission"
LdapDefaultDir = "ldap_default_dir"
LdapLoginTips = "ldap_login_tips"

// qbittorrent
QbittorrentUrl = "qbittorrent_url"
QbittorrentSeedtime = "qbittorrent_seedtime"
Expand Down
1 change: 1 addition & 0 deletions internal/model/setting.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ const (
OFFLINE_DOWNLOAD
INDEX
SSO
LDAP
)

const (
Expand Down
159 changes: 159 additions & 0 deletions server/handles/ldap_login.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,159 @@
package handles

import (
"crypto/tls"
"errors"
"fmt"
"strings"

"github.com/alist-org/alist/v3/internal/conf"
"github.com/alist-org/alist/v3/internal/db"
"github.com/alist-org/alist/v3/internal/model"
"github.com/alist-org/alist/v3/internal/op"
"github.com/alist-org/alist/v3/internal/setting"
"github.com/alist-org/alist/v3/pkg/utils"
"github.com/alist-org/alist/v3/pkg/utils/random"
"github.com/alist-org/alist/v3/server/common"
"github.com/gin-gonic/gin"
"gopkg.in/ldap.v3"
)

func LoginLdap(c *gin.Context) {
var req LoginReq
if err := c.ShouldBind(&req); err != nil {
common.ErrorResp(c, err, 400)
return
}
loginLdap(c, &req)
}

func loginLdap(c *gin.Context, req *LoginReq) {
enabled := setting.GetBool(conf.LdapLoginEnabled)
if !enabled {
common.ErrorStrResp(c, "ldap is not enabled", 403)
return
}

// check count of login
ip := c.ClientIP()
count, ok := loginCache.Get(ip)
if ok && count >= defaultTimes {
common.ErrorStrResp(c, "Too many unsuccessful sign-in attempts have been made using an incorrect username or password, Try again later.", 429)
loginCache.Expire(ip, defaultDuration)
return
}

// Auth start
ldapServer := setting.GetStr(conf.LdapServer)
ldapManagerDN := setting.GetStr(conf.LdapManagerDN)
ldapManagerPassword := setting.GetStr(conf.LdapManagerPassword)
ldapUserSearchBase := setting.GetStr(conf.LdapUserSearchBase)
ldapUserSearchFilter := setting.GetStr(conf.LdapUserSearchFilter) // (uid=%s)

var tlsEnabled bool = false
if strings.HasPrefix(ldapServer, "ldaps://") {
tlsEnabled = true
ldapServer = strings.TrimPrefix(ldapServer, "ldaps://")
} else if strings.HasPrefix(ldapServer, "ldap://") {
ldapServer = strings.TrimPrefix(ldapServer, "ldap://")
}

l, err := ldap.Dial("tcp", ldapServer)
if err != nil {
utils.Log.Errorf("failed to connect to LDAP: %v", err)
common.ErrorResp(c, err, 500)
return
}
defer l.Close()

if tlsEnabled {
// Reconnect with TLS
err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})
if err != nil {
utils.Log.Errorf("failed to start tls: %v", err)
common.ErrorResp(c, err, 500)
return
}
}

// First bind with a read only user
if ldapManagerDN != "" && ldapManagerPassword != "" {
err = l.Bind(ldapManagerDN, ldapManagerPassword)
if err != nil {
utils.Log.Errorf("Failed to bind to LDAP: %v", err)
common.ErrorResp(c, err, 500)
return
}
}

// Search for the given username
searchRequest := ldap.NewSearchRequest(
ldapUserSearchBase,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
fmt.Sprintf(ldapUserSearchFilter, req.Username),
[]string{"dn"},
nil,
)
sr, err := l.Search(searchRequest)
if err != nil {
utils.Log.Errorf("LDAP search failed: %v", err)
common.ErrorResp(c, err, 500)
return
}
if len(sr.Entries) != 1 {
utils.Log.Errorf("User does not exist or too many entries returned")
common.ErrorResp(c, err, 500)
return
}
userDN := sr.Entries[0].DN

// Bind as the user to verify their password
err = l.Bind(userDN, req.Password)
if err != nil {
utils.Log.Errorf("Failed to auth. %v", err)
common.ErrorResp(c, err, 400)
loginCache.Set(ip, count+1)
return
} else {
utils.Log.Infof("Auth successful username:%s", req.Username)
}
// Auth finished

user, err := op.GetUserByName(req.Username)
if err != nil {
user, err = ladpRegister(req.Username)
if err != nil {
common.ErrorResp(c, err, 400)
loginCache.Set(ip, count+1)
return
}
}

// generate token
token, err := common.GenerateToken(user)
if err != nil {
common.ErrorResp(c, err, 400, true)
return
}
common.SuccessResp(c, gin.H{"token": token})
loginCache.Del(ip)
}

func ladpRegister(username string) (*model.User, error) {
if username == "" {
return nil, errors.New("cannot get username from ldap provider")
}
user := &model.User{
ID: 0,
Username: username,
Password: random.String(16),
Permission: int32(setting.GetInt(conf.LdapDefaultPermission, 0)),
BasePath: setting.GetStr(conf.LdapDefaultDir),
Role: 0,
Disabled: false,
}
if err := db.CreateUser(user); err != nil {
return nil, err
}
return user, nil
}
1 change: 1 addition & 0 deletions server/router.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ func Init(e *gin.Engine) {

api.POST("/auth/login", handles.Login)
api.POST("/auth/login/hash", handles.LoginHash)
api.POST("/auth/login/ldap", handles.LoginLdap)
auth.GET("/me", handles.CurrentUser)
auth.POST("/me/update", handles.UpdateCurrent)
auth.POST("/auth/2fa/generate", handles.Generate2FA)
Expand Down

0 comments on commit 697a0ed

Please sign in to comment.