initial support for LDAP authentication/MSAD

11 years ago · efc05ea1de
parent dbdaf934e1
commit efc05ea1de
7 changed files with 216 additions and 8 deletions
--- a/.gitignore
+++ b/.gitignore
@ -12,6 +12,7 @@ public/img/avatar/
 *.o
 *.a
 *.so
 dev
 # Folders
 _obj
--- a/models/ldap.go
+++ b/models/ldap.go
@ -0,0 +1,38 @@
 // Copyright github.com/juju2013. All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
 package models
 import (
 	"strings"
 	"github.com/gogits/gogs/modules/auth/ldap"
 	"github.com/gogits/gogs/modules/log"
 )
 // Query if name/passwd can login against the LDAP direcotry pool
 // Create a local user if success
 // Return the same LoginUserPlain semantic
 func LoginUserLdap(name, passwd string) (*User, error) {
 	mail, logged := ldap.LoginUser(name, passwd)
 	if !logged {
 		// user not in LDAP, do nothing
 		return nil, ErrUserNotExist
 	}
 	// fake a local user creation
 	user := User{
 		LowerName: strings.ToLower(name),
 		Name:      strings.ToLower(name),
 		LoginType: 389,
 		IsActive:  true,
 		Passwd:    passwd,
 		Email:     mail}
 	_, err := RegisterUser(&user)
 	if err != nil {
 		log.Debug("LDAP local user %s fond (%s) ", name, err)
 	}
 	// simulate local user login
 	localUser, err2 := GetUserByName(user.Name)
 	return localUser, err2
 }
--- a/models/user.go
+++ b/models/user.go
@ -125,6 +125,7 @@ func GetUserSalt() string {
 // RegisterUser creates record of a new user.
 func RegisterUser(user *User) (*User, error) {
 	if !IsLegalName(user.Name) {
 		return nil, ErrUserNameIllegal
 	}
--- a/modules/auth/ldap/README.md
+++ b/modules/auth/ldap/README.md
@ -0,0 +1,43 @@
 LDAP authentication
 ===================
 ## Goal
 Authenticat user against LDAP directories
 It will bind with the user's login/pasword and query attributs ("mail" for instance) in a pool of directory servers
 The first OK wins.
 If there's connection error, the server will be disabled and won't be checked again
 ## Usage
 In the [security] section, set 
 >  LDAP_AUTH = true
 then for each LDAP source, set
 > [LdapSource-someuniquename]
 > name=canonicalName
 > host=hostname-or-ip
 > port=3268	# or regular LDAP port
 > # the following settings depend highly how you've configured your AD
 > basedn=dc=ACME,dc=COM
 > MSADSAFORMAT=%s@ACME.COM
 > filter=(&(objectClass=user)(sAMAccountName=%s))
 ### Limitation
 Only tested on an MS 2008R2 DC, using global catalog (TCP/3268)
 This MSAD is a mess.
 The way how one checks the directory (CN, DN etc...) may be highly depending local custom configuration
 ### Todo
 * Define a timeout per server
 * Check servers marked as "Disabled" when they'll come back online
 * Find a more flexible way to define filter/MSADSAFORMAT/Attributes etc... maybe text/template ?
 * Check OpenLDAP server
 * SSL support ?
--- a/modules/auth/ldap/ldap.go
+++ b/modules/auth/ldap/ldap.go
@ -0,0 +1,86 @@
 // Copyright github.com/juju2013. All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
 // package ldap provide functions & structure to query a LDAP ldap directory
 // For now, it's mainly tested again an MS Active Directory service, see README.md for more information
 package ldap
 import (
 	"fmt"
 	"github.com/gogits/gogs/modules/log"
 	goldap "github.com/juju2013/goldap"
 )
 // Basic LDAP authentication service
 type ldapsource struct {
 	Name         string // canonical name (ie. corporate.ad)
 	Host         string // LDAP host
 	Port         int    // port number
 	BaseDN       string // Base DN
 	Attributes   string // Attribut to search
 	Filter       string // Query filter to validate entry
 	MsAdSAFormat string // in the case of MS AD Simple Authen, the format to use (see: http://msdn.microsoft.com/en-us/library/cc223499.aspx)
 	Enabled      bool   // if this source is disabled
 }
 //Global LDAP directory pool
 var (
 	Authensource []ldapsource
 )
 // Add a new source (LDAP directory) to the global pool
 func AddSource(name string, host string, port int, basedn string, attributes string, filter string, msadsaformat string) {
 	ldaphost := ldapsource{name, host, port, basedn, attributes, filter, msadsaformat, true}
 	Authensource = append(Authensource, ldaphost)
 }
 //LoginUser : try to login an user to LDAP sources, return requested (attribut,true) if ok, ("",false) other wise
 //First match wins
 //Returns first attribute if exists
 func LoginUser(name, passwd string) (a string, r bool) {
 	r = false
 	for _, ls := range Authensource {
 		a, r = ls.searchEntry(name, passwd)
 		if r {
 			return
 		}
 	}
 	return
 }
 // searchEntry : search an LDAP source if an entry (name, passwd) is valide and in the specific filter
 func (ls ldapsource) searchEntry(name, passwd string) (string, bool) {
 	l, err := goldap.Dial("tcp", fmt.Sprintf("%s:%d", ls.Host, ls.Port))
 	if err != nil {
 		log.Debug("LDAP Connect error, disabled source %s", ls.Host)
 		ls.Enabled = false
 		return "", false
 	}
 	defer l.Close()
 	nx := fmt.Sprintf(ls.MsAdSAFormat, name)
 	err = l.Bind(nx, passwd)
 	if err != nil {
 		log.Debug("LDAP Authan failed for %s, reason: %s", nx, err.Error())
 		return "", false
 	}
 	search := goldap.NewSearchRequest(
 		ls.BaseDN,
 		goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false,
 		fmt.Sprintf(ls.Filter, name),
 		[]string{ls.Attributes},
 		nil)
 	sr, err := l.Search(search)
 	if err != nil {
 		log.Debug("LDAP Authen OK but not in filter %s", name)
 		return "", false
 	}
 	log.Debug("LDAP Authen OK: %s", name)
 	if len(sr.Entries) > 0 {
 		r := sr.Entries[0].GetAttributeValue(ls.Attributes)
 		return r, true
 	}
 	return "", true
 }
--- a/modules/base/conf.go
+++ b/modules/base/conf.go
@ -10,6 +10,7 @@ import (
 	"os/exec"
 	"path"
 	"path/filepath"
 	"regexp"
 	"strings"
 	"github.com/Unknwon/com"
@ -19,6 +20,7 @@ import (
 	"github.com/gogits/cache"
 	"github.com/gogits/session"
 	"github.com/gogits/gogs/modules/auth/ldap"
 	"github.com/gogits/gogs/modules/log"
 )
@ -51,6 +53,7 @@ var (
 	Domain     string
 	SecretKey  string
 	RunUser    string
 	LdapAuth   bool
 	RepoRootPath string
 	ScriptType   string
@ -83,13 +86,13 @@ var (
 )
 var Service struct {
-	RegisterEmailConfirm   bool
+	RegisterEmailConfirm bool
-	DisableRegistration    bool
+	DisableRegistration  bool
-	RequireSignInView      bool
+	RequireSignInView    bool
-	EnableCacheAvatar      bool
+	EnableCacheAvatar    bool
-	NotifyMail             bool
+	NotifyMail           bool
-	ActiveCodeLives        int
+	ActiveCodeLives      int
-	ResetPwdCodeLives      int
+	ResetPwdCodeLives    int
 }
 func ExecDir() (string, error) {
@ -310,6 +313,33 @@ func NewConfigContext() {
 	CookieUserName = Cfg.MustValue("security", "COOKIE_USERNAME")
 	CookieRememberName = Cfg.MustValue("security", "COOKIE_REMEMBER_NAME")
 	// load LDAP authentication configuration if present
 	LdapAuth = Cfg.MustBool("security", "LDAP_AUTH", false)
 	if LdapAuth {
 		log.Debug("LDAP AUTHENTICATION activated")
 		nbsrc := 0
 		for _, v := range Cfg.GetSectionList() {
 			if matched, _ := regexp.MatchString("(?i)^LDAPSOURCE.*", v); matched {
 				ldapname := Cfg.MustValue(v, "name", v)
 				ldaphost := Cfg.MustValue(v, "host")
 				ldapport := Cfg.MustInt(v, "port", 389)
 				ldapbasedn := Cfg.MustValue(v, "basedn", "dc=*,dc=*")
 				ldapattribute := Cfg.MustValue(v, "attribute", "mail")
 				ldapfilter := Cfg.MustValue(v, "filter", "(*)")
 				ldapmsadsaformat := Cfg.MustValue(v, "MSADSAFORMAT", "%s")
 				ldap.AddSource(ldapname, ldaphost, ldapport, ldapbasedn, ldapattribute, ldapfilter, ldapmsadsaformat)
 				nbsrc += 1
 				log.Debug("%s added as LDAP source", ldapname)
 			}
 		}
 		if nbsrc == 0 {
 			log.Debug("No valide LDAP found, LDAP AUTHENTICATION NOT activated")
 			LdapAuth = false
 		}
 	} else {
 		log.Debug("LDAP AUTHENTICATION NOT activated")
 	}
 	PictureService = Cfg.MustValue("picture", "SERVICE")
 	// Determine and create root git reposiroty path.
--- a/routers/user/user.go
+++ b/routers/user/user.go
@ -89,7 +89,16 @@ func SignInPost(ctx *middleware.Context, form auth.LogInForm) {
 		return
 	}
-	user, err := models.LoginUserPlain(form.UserName, form.Password)
+	var user *models.User
 	var err error
 	// try to login against LDAP if defined
 	if base.LdapAuth {
 		user, err = models.LoginUserLdap(form.UserName, form.Password)
 	}
 	// try local if not LDAP or it's failed
 	if (!base.LdapAuth) || (err != nil) {
 		user, err = models.LoginUserPlain(form.UserName, form.Password)
 	}
 	if err != nil {
 		if err == models.ErrUserNotExist {
 			log.Trace("%s Log in failed: %s/%s", ctx.Req.RequestURI, form.UserName, form.Password)