Merge pull request #39 from naokij/ldap

实现ldap功能
2025-05-07 07:13:41 +08:00 · 2017-05-25 08:58:29 +08:00 · 2017-05-25 08:58:29 +08:00 · 2b1ba118c4
commit 2b1ba118c4
parent 056edb71fc b7a9af8beb
4 changed files with 165 additions and 90 deletions
--- a/commands/install.go
+++ b/commands/install.go
@ -32,7 +32,6 @@ func initialization() {

 	o := orm.NewOrm()

-
 	_, err := o.Raw(`INSERT INTO md_options (option_title, option_name, option_value) SELECT '是否启用注册','ENABLED_REGISTER','false' WHERE NOT exists(SELECT * FROM md_options WHERE option_name = 'ENABLED_REGISTER');`).Exec()

 	if err != nil {
@ -64,6 +63,7 @@ func initialization() {
 		member.Account = "admin"
 		member.Avatar = "/static/images/headimgurl.jpg"
 		member.Password = "123456"
+		member.AuthMethod = "local"
 		member.Role = 0
 		member.Email = "admin@iminho.me"

--- a/conf/app.conf.example
+++ b/conf/app.conf.example
@ -77,11 +77,23 @@ cdnimg=
 ################百度地图密钥#################
 baidumapkey=

-
-
-
-
-
+################Active Directory/LDAP################
+#是否启用ldap
+ldap_enable=false
+#ldap主机名
+ldap_host=ad.example.com
+#ldap端口
+ldap_port=3268
+#ldap内哪个属性作为用户名
+ldap_attribute=sAMAccountName
+#搜索范围
+ldap_base=DC=example,DC=com
+#第一次绑定ldap用户dn
+ldap_user=CN=ldap helper,OU=example.com,DC=example,DC=com
+#第一次绑定ldap用户密码
+ldap_password=superSecret
+#自动注册用户角色：0 超级管理员 /1 管理员/ 2 普通用户 
+ldap_user_role=2



--- a/models/errors.go
+++ b/models/errors.go
@ -9,6 +9,17 @@ var(
 	ErrMemberDisabled = errors.New("用户被禁用")
 	// ErrorMemberPasswordError 密码错误.
 	ErrorMemberPasswordError = errors.New("用户密码错误")
+	//ErrorMemberAuthMethodInvalid 不支持此认证方式
+	ErrMemberAuthMethodInvalid = errors.New("不支持此认证方式")
+	//ErrLDAPConnect 无法连接到LDAP服务器
+	ErrLDAPConnect = errors.New("无法连接到LDAP服务器")
+	//ErrLDAPFirstBind 第一次LDAP绑定失败
+	ErrLDAPFirstBind = errors.New("第一次LDAP绑定失败")
+	//ErrLDAPSearch LDAP搜索失败
+	ErrLDAPSearch = errors.New("LDAP搜索失败")
+	//ErrLDAPUserNotFoundOrTooMany
+	ErrLDAPUserNotFoundOrTooMany = errors.New("LDAP用户不存在或者多于一个")
+
 	// ErrDataNotExist 指定的服务已存在.
 	ErrDataNotExist = errors.New("数据不存在")

--- a/models/member.go
+++ b/models/member.go
@ -2,20 +2,27 @@
 package models

 import (
-	"time"
-	"github.com/astaxie/beego/orm"
-	"github.com/lifei6671/godoc/utils"
-	"github.com/lifei6671/godoc/conf"
-	"github.com/astaxie/beego/logs"
 	"errors"
+	"fmt"
 	"regexp"
 	"strings"
+	"time"
+
+	ldap "gopkg.in/ldap.v2"
+
+	"github.com/astaxie/beego"
+	"github.com/astaxie/beego/logs"
+	"github.com/astaxie/beego/orm"
+	"github.com/lifei6671/godoc/conf"
+	"github.com/lifei6671/godoc/utils"
 )

 type Member struct {
 	MemberId int    `orm:"pk;auto;unique;column(member_id)" json:"member_id"`
 	Account  string `orm:"size(100);unique;column(account)" json:"account"`
 	Password string `orm:"size(1000);column(password)" json:"-"`
+	//认证方式: local 本地数据库 /ldap LDAP
+	AuthMethod  string `orm:"size(10);column(auth_method);default(local)" json:"auth_method)"`
 	Description string `orm:"column(description);size(2000)" json:"description"`
 	Email       string `orm:"size(100);column(email);unique" json:"email"`
 	Phone       string `orm:"size(255);column(phone);null;default(null)" json:"phone"`
@ -27,13 +34,13 @@ type Member struct {
 	CreateTime    time.Time `orm:"type(datetime);column(create_time);auto_now_add" json:"create_time"`
 	CreateAt      int       `orm:"type(int);column(create_at)" json:"create_at"`
 	LastLoginTime time.Time `orm:"type(datetime);column(last_login_time);null" json:"last_login_time"`
-
 }

 // TableName 获取对应数据库表名.
 func (m *Member) TableName() string {
 	return "members"
 }
+
 // TableEngine 获取数据使用的引擎.
 func (m *Member) TableEngine() string {
 	return "INNODB"
@ -53,25 +60,86 @@ func (m *Member) Login(account string,password string) (*Member,error) {

 	member := &Member{}

-	err := o.QueryTable(m.TableNameWithPrefix()).Filter("account",account).Filter("status",0).One(member);
+	err := o.QueryTable(m.TableNameWithPrefix()).Filter("account", account).Filter("status", 0).One(member)

 	if err != nil {
+		if beego.AppConfig.DefaultBool("ldap_enable", false) == true {
+			logs.Info("转入LDAP登陆")
+			return member.ldapLogin(account, password)
+		} else {
 			logs.Error("用户登录 => ", err)
 			return member, ErrMemberNoExist
 		}
+	}

-	ok,err := utils.PasswordVerify(member.Password,password) ;
-
+	switch member.AuthMethod {
+	case "local":
+		ok, err := utils.PasswordVerify(member.Password, password)
 		if ok && err == nil {
 			m.ResolveRoleName()
 			return member, nil
 		}
+	case "ldap":
+		return member.ldapLogin(account, password)
+	default:
+		return member, ErrMemberAuthMethodInvalid
+	}

 	return member, ErrorMemberPasswordError
 }

+//ldapLogin 通过LDAP登陆
+func (m *Member) ldapLogin(account string, password string) (*Member, error) {
+	if beego.AppConfig.DefaultBool("ldap_enable", false) == false {
+		return m, ErrMemberAuthMethodInvalid
+	}
+	var err error
+	lc, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", beego.AppConfig.String("ldap_host"), beego.AppConfig.DefaultInt("ldap_port", 3268)))
+	if err != nil {
+		return m, ErrLDAPConnect
+	}
+	defer lc.Close()
+	err = lc.Bind(beego.AppConfig.String("ldap_user"), beego.AppConfig.String("ldap_password"))
+	if err != nil {
+		return m, ErrLDAPFirstBind
+	}
+	searchRequest := ldap.NewSearchRequest(
+		beego.AppConfig.String("ldap_base"),
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+		fmt.Sprintf("(&(objectClass=User)(%s=%s))", beego.AppConfig.String("ldap_attribute"), account),
+		[]string{"dn", "mail"},
+		nil,
+	)
+	searchResult, err := lc.Search(searchRequest)
+	if err != nil {
+		return m, ErrLDAPSearch
+	}
+	if len(searchResult.Entries) != 1 {
+		return m, ErrLDAPUserNotFoundOrTooMany
+	}
+	userdn := searchResult.Entries[0].DN
+	err = lc.Bind(userdn, password)
+	if err != nil {
+		return m, ErrorMemberPasswordError
+	}
+	if m.Account == "" {
+		m.Account = account
+		m.Email = searchResult.Entries[0].GetAttributeValue("mail")
+		m.AuthMethod = "ldap"
+		m.Avatar = "/static/images/headimgurl.jpg"
+		m.Role = beego.AppConfig.DefaultInt("ldap_user_role", 2)
+		err = m.Add()
+		if err != nil {
+			logs.Error("自动注册LDAP用户错误", err)
+			return m, ErrorMemberPasswordError
+		}
+		m.ResolveRoleName()
+	}
+	return m, nil
+}
+
 // Add 添加一个用户.
-func (m *Member) Add () (error) {
+func (m *Member) Add() error {
 	o := orm.NewOrm()

 	if ok, err := regexp.MatchString(conf.RegexpAccount, m.Account); m.Account == "" || !ok || err != nil {
@ -83,14 +151,16 @@ func (m *Member) Add () (error) {
 	if ok, err := regexp.MatchString(conf.RegexpEmail, m.Email); !ok || err != nil || m.Email == "" {
 		return errors.New("邮箱格式不正确")
 	}
+	if m.AuthMethod == "local" {
 		if l := strings.Count(m.Password, ""); l < 6 || l >= 50 {
 			return errors.New("密码不能为空且必须在6-50个字符之间")
 		}
+	}
 	if c, err := o.QueryTable(m.TableNameWithPrefix()).Filter("email", m.Email).Count(); err == nil && c > 0 {
 		return errors.New("邮箱已被使用")
 	}

-	hash ,err := utils.PasswordHash(m.Password);
+	hash, err := utils.PasswordHash(m.Password)

 	if err != nil {
 		return err
@ -108,7 +178,7 @@ func (m *Member) Add () (error) {
 }

 // Update 更新用户信息.
-func (m *Member) Update(cols... string) (error) {
+func (m *Member) Update(cols ...string) error {
 	o := orm.NewOrm()

 	if m.Email == "" {
@ -177,7 +247,6 @@ func (m *Member) FindToPager(pageIndex, pageSize int) ([]*Member,int64,error)  {
 	return members, totalCount, nil
 }

-
 func (c *Member) IsAdministrator() bool {
 	if c == nil || c.MemberId <= 0 {
 		return false
@ -192,20 +261,3 @@ func (m *Member) FindByFieldFirst(field string,value interface{}) (*Member,error

 	return m, err
 }
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-