mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-28 14:43:52 +03:00
initial support for LDAP authentication/MSAD
This commit is contained in:
parent
dbdaf934e1
commit
efc05ea1de
7 changed files with 216 additions and 8 deletions
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -12,6 +12,7 @@ public/img/avatar/
|
||||||
*.o
|
*.o
|
||||||
*.a
|
*.a
|
||||||
*.so
|
*.so
|
||||||
|
dev
|
||||||
|
|
||||||
# Folders
|
# Folders
|
||||||
_obj
|
_obj
|
||||||
|
|
38
models/ldap.go
Normal file
38
models/ldap.go
Normal file
|
@ -0,0 +1,38 @@
|
||||||
|
// Copyright github.com/juju2013. All rights reserved.
|
||||||
|
// Use of this source code is governed by a MIT-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package models
|
||||||
|
|
||||||
|
import (
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"github.com/gogits/gogs/modules/auth/ldap"
|
||||||
|
"github.com/gogits/gogs/modules/log"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Query if name/passwd can login against the LDAP direcotry pool
|
||||||
|
// Create a local user if success
|
||||||
|
// Return the same LoginUserPlain semantic
|
||||||
|
func LoginUserLdap(name, passwd string) (*User, error) {
|
||||||
|
mail, logged := ldap.LoginUser(name, passwd)
|
||||||
|
if !logged {
|
||||||
|
// user not in LDAP, do nothing
|
||||||
|
return nil, ErrUserNotExist
|
||||||
|
}
|
||||||
|
// fake a local user creation
|
||||||
|
user := User{
|
||||||
|
LowerName: strings.ToLower(name),
|
||||||
|
Name: strings.ToLower(name),
|
||||||
|
LoginType: 389,
|
||||||
|
IsActive: true,
|
||||||
|
Passwd: passwd,
|
||||||
|
Email: mail}
|
||||||
|
_, err := RegisterUser(&user)
|
||||||
|
if err != nil {
|
||||||
|
log.Debug("LDAP local user %s fond (%s) ", name, err)
|
||||||
|
}
|
||||||
|
// simulate local user login
|
||||||
|
localUser, err2 := GetUserByName(user.Name)
|
||||||
|
return localUser, err2
|
||||||
|
}
|
|
@ -125,6 +125,7 @@ func GetUserSalt() string {
|
||||||
|
|
||||||
// RegisterUser creates record of a new user.
|
// RegisterUser creates record of a new user.
|
||||||
func RegisterUser(user *User) (*User, error) {
|
func RegisterUser(user *User) (*User, error) {
|
||||||
|
|
||||||
if !IsLegalName(user.Name) {
|
if !IsLegalName(user.Name) {
|
||||||
return nil, ErrUserNameIllegal
|
return nil, ErrUserNameIllegal
|
||||||
}
|
}
|
||||||
|
|
43
modules/auth/ldap/README.md
Normal file
43
modules/auth/ldap/README.md
Normal file
|
@ -0,0 +1,43 @@
|
||||||
|
LDAP authentication
|
||||||
|
===================
|
||||||
|
|
||||||
|
## Goal
|
||||||
|
|
||||||
|
Authenticat user against LDAP directories
|
||||||
|
|
||||||
|
It will bind with the user's login/pasword and query attributs ("mail" for instance) in a pool of directory servers
|
||||||
|
|
||||||
|
The first OK wins.
|
||||||
|
|
||||||
|
If there's connection error, the server will be disabled and won't be checked again
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
In the [security] section, set
|
||||||
|
> LDAP_AUTH = true
|
||||||
|
|
||||||
|
then for each LDAP source, set
|
||||||
|
|
||||||
|
> [LdapSource-someuniquename]
|
||||||
|
> name=canonicalName
|
||||||
|
> host=hostname-or-ip
|
||||||
|
> port=3268 # or regular LDAP port
|
||||||
|
> # the following settings depend highly how you've configured your AD
|
||||||
|
> basedn=dc=ACME,dc=COM
|
||||||
|
> MSADSAFORMAT=%s@ACME.COM
|
||||||
|
> filter=(&(objectClass=user)(sAMAccountName=%s))
|
||||||
|
|
||||||
|
### Limitation
|
||||||
|
|
||||||
|
Only tested on an MS 2008R2 DC, using global catalog (TCP/3268)
|
||||||
|
|
||||||
|
This MSAD is a mess.
|
||||||
|
|
||||||
|
The way how one checks the directory (CN, DN etc...) may be highly depending local custom configuration
|
||||||
|
|
||||||
|
### Todo
|
||||||
|
* Define a timeout per server
|
||||||
|
* Check servers marked as "Disabled" when they'll come back online
|
||||||
|
* Find a more flexible way to define filter/MSADSAFORMAT/Attributes etc... maybe text/template ?
|
||||||
|
* Check OpenLDAP server
|
||||||
|
* SSL support ?
|
86
modules/auth/ldap/ldap.go
Normal file
86
modules/auth/ldap/ldap.go
Normal file
|
@ -0,0 +1,86 @@
|
||||||
|
// Copyright github.com/juju2013. All rights reserved.
|
||||||
|
// Use of this source code is governed by a MIT-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// package ldap provide functions & structure to query a LDAP ldap directory
|
||||||
|
// For now, it's mainly tested again an MS Active Directory service, see README.md for more information
|
||||||
|
package ldap
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"github.com/gogits/gogs/modules/log"
|
||||||
|
goldap "github.com/juju2013/goldap"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Basic LDAP authentication service
|
||||||
|
type ldapsource struct {
|
||||||
|
Name string // canonical name (ie. corporate.ad)
|
||||||
|
Host string // LDAP host
|
||||||
|
Port int // port number
|
||||||
|
BaseDN string // Base DN
|
||||||
|
Attributes string // Attribut to search
|
||||||
|
Filter string // Query filter to validate entry
|
||||||
|
MsAdSAFormat string // in the case of MS AD Simple Authen, the format to use (see: http://msdn.microsoft.com/en-us/library/cc223499.aspx)
|
||||||
|
Enabled bool // if this source is disabled
|
||||||
|
}
|
||||||
|
|
||||||
|
//Global LDAP directory pool
|
||||||
|
var (
|
||||||
|
Authensource []ldapsource
|
||||||
|
)
|
||||||
|
|
||||||
|
// Add a new source (LDAP directory) to the global pool
|
||||||
|
func AddSource(name string, host string, port int, basedn string, attributes string, filter string, msadsaformat string) {
|
||||||
|
ldaphost := ldapsource{name, host, port, basedn, attributes, filter, msadsaformat, true}
|
||||||
|
Authensource = append(Authensource, ldaphost)
|
||||||
|
}
|
||||||
|
|
||||||
|
//LoginUser : try to login an user to LDAP sources, return requested (attribut,true) if ok, ("",false) other wise
|
||||||
|
//First match wins
|
||||||
|
//Returns first attribute if exists
|
||||||
|
func LoginUser(name, passwd string) (a string, r bool) {
|
||||||
|
r = false
|
||||||
|
for _, ls := range Authensource {
|
||||||
|
a, r = ls.searchEntry(name, passwd)
|
||||||
|
if r {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// searchEntry : search an LDAP source if an entry (name, passwd) is valide and in the specific filter
|
||||||
|
func (ls ldapsource) searchEntry(name, passwd string) (string, bool) {
|
||||||
|
l, err := goldap.Dial("tcp", fmt.Sprintf("%s:%d", ls.Host, ls.Port))
|
||||||
|
if err != nil {
|
||||||
|
log.Debug("LDAP Connect error, disabled source %s", ls.Host)
|
||||||
|
ls.Enabled = false
|
||||||
|
return "", false
|
||||||
|
}
|
||||||
|
defer l.Close()
|
||||||
|
|
||||||
|
nx := fmt.Sprintf(ls.MsAdSAFormat, name)
|
||||||
|
err = l.Bind(nx, passwd)
|
||||||
|
if err != nil {
|
||||||
|
log.Debug("LDAP Authan failed for %s, reason: %s", nx, err.Error())
|
||||||
|
return "", false
|
||||||
|
}
|
||||||
|
|
||||||
|
search := goldap.NewSearchRequest(
|
||||||
|
ls.BaseDN,
|
||||||
|
goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false,
|
||||||
|
fmt.Sprintf(ls.Filter, name),
|
||||||
|
[]string{ls.Attributes},
|
||||||
|
nil)
|
||||||
|
sr, err := l.Search(search)
|
||||||
|
if err != nil {
|
||||||
|
log.Debug("LDAP Authen OK but not in filter %s", name)
|
||||||
|
return "", false
|
||||||
|
}
|
||||||
|
log.Debug("LDAP Authen OK: %s", name)
|
||||||
|
if len(sr.Entries) > 0 {
|
||||||
|
r := sr.Entries[0].GetAttributeValue(ls.Attributes)
|
||||||
|
return r, true
|
||||||
|
}
|
||||||
|
return "", true
|
||||||
|
}
|
|
@ -10,6 +10,7 @@ import (
|
||||||
"os/exec"
|
"os/exec"
|
||||||
"path"
|
"path"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
|
"regexp"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/Unknwon/com"
|
"github.com/Unknwon/com"
|
||||||
|
@ -19,6 +20,7 @@ import (
|
||||||
"github.com/gogits/cache"
|
"github.com/gogits/cache"
|
||||||
"github.com/gogits/session"
|
"github.com/gogits/session"
|
||||||
|
|
||||||
|
"github.com/gogits/gogs/modules/auth/ldap"
|
||||||
"github.com/gogits/gogs/modules/log"
|
"github.com/gogits/gogs/modules/log"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -51,6 +53,7 @@ var (
|
||||||
Domain string
|
Domain string
|
||||||
SecretKey string
|
SecretKey string
|
||||||
RunUser string
|
RunUser string
|
||||||
|
LdapAuth bool
|
||||||
|
|
||||||
RepoRootPath string
|
RepoRootPath string
|
||||||
ScriptType string
|
ScriptType string
|
||||||
|
@ -83,13 +86,13 @@ var (
|
||||||
)
|
)
|
||||||
|
|
||||||
var Service struct {
|
var Service struct {
|
||||||
RegisterEmailConfirm bool
|
RegisterEmailConfirm bool
|
||||||
DisableRegistration bool
|
DisableRegistration bool
|
||||||
RequireSignInView bool
|
RequireSignInView bool
|
||||||
EnableCacheAvatar bool
|
EnableCacheAvatar bool
|
||||||
NotifyMail bool
|
NotifyMail bool
|
||||||
ActiveCodeLives int
|
ActiveCodeLives int
|
||||||
ResetPwdCodeLives int
|
ResetPwdCodeLives int
|
||||||
}
|
}
|
||||||
|
|
||||||
func ExecDir() (string, error) {
|
func ExecDir() (string, error) {
|
||||||
|
@ -310,6 +313,33 @@ func NewConfigContext() {
|
||||||
CookieUserName = Cfg.MustValue("security", "COOKIE_USERNAME")
|
CookieUserName = Cfg.MustValue("security", "COOKIE_USERNAME")
|
||||||
CookieRememberName = Cfg.MustValue("security", "COOKIE_REMEMBER_NAME")
|
CookieRememberName = Cfg.MustValue("security", "COOKIE_REMEMBER_NAME")
|
||||||
|
|
||||||
|
// load LDAP authentication configuration if present
|
||||||
|
LdapAuth = Cfg.MustBool("security", "LDAP_AUTH", false)
|
||||||
|
if LdapAuth {
|
||||||
|
log.Debug("LDAP AUTHENTICATION activated")
|
||||||
|
nbsrc := 0
|
||||||
|
for _, v := range Cfg.GetSectionList() {
|
||||||
|
if matched, _ := regexp.MatchString("(?i)^LDAPSOURCE.*", v); matched {
|
||||||
|
ldapname := Cfg.MustValue(v, "name", v)
|
||||||
|
ldaphost := Cfg.MustValue(v, "host")
|
||||||
|
ldapport := Cfg.MustInt(v, "port", 389)
|
||||||
|
ldapbasedn := Cfg.MustValue(v, "basedn", "dc=*,dc=*")
|
||||||
|
ldapattribute := Cfg.MustValue(v, "attribute", "mail")
|
||||||
|
ldapfilter := Cfg.MustValue(v, "filter", "(*)")
|
||||||
|
ldapmsadsaformat := Cfg.MustValue(v, "MSADSAFORMAT", "%s")
|
||||||
|
ldap.AddSource(ldapname, ldaphost, ldapport, ldapbasedn, ldapattribute, ldapfilter, ldapmsadsaformat)
|
||||||
|
nbsrc += 1
|
||||||
|
log.Debug("%s added as LDAP source", ldapname)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if nbsrc == 0 {
|
||||||
|
log.Debug("No valide LDAP found, LDAP AUTHENTICATION NOT activated")
|
||||||
|
LdapAuth = false
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
log.Debug("LDAP AUTHENTICATION NOT activated")
|
||||||
|
}
|
||||||
|
|
||||||
PictureService = Cfg.MustValue("picture", "SERVICE")
|
PictureService = Cfg.MustValue("picture", "SERVICE")
|
||||||
|
|
||||||
// Determine and create root git reposiroty path.
|
// Determine and create root git reposiroty path.
|
||||||
|
|
|
@ -89,7 +89,16 @@ func SignInPost(ctx *middleware.Context, form auth.LogInForm) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
user, err := models.LoginUserPlain(form.UserName, form.Password)
|
var user *models.User
|
||||||
|
var err error
|
||||||
|
// try to login against LDAP if defined
|
||||||
|
if base.LdapAuth {
|
||||||
|
user, err = models.LoginUserLdap(form.UserName, form.Password)
|
||||||
|
}
|
||||||
|
// try local if not LDAP or it's failed
|
||||||
|
if (!base.LdapAuth) || (err != nil) {
|
||||||
|
user, err = models.LoginUserPlain(form.UserName, form.Password)
|
||||||
|
}
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if err == models.ErrUserNotExist {
|
if err == models.ErrUserNotExist {
|
||||||
log.Trace("%s Log in failed: %s/%s", ctx.Req.RequestURI, form.UserName, form.Password)
|
log.Trace("%s Log in failed: %s/%s", ctx.Req.RequestURI, form.UserName, form.Password)
|
||||||
|
|
Loading…
Reference in a new issue