feat: add ldap login support (#5706)

* feat: add ldap login support * fix: ldap permission config group
2023-12-31 13:46:13 +08:00 · 2023-12-31 13:46:13 +08:00 · 697a0ed2d3
parent 299bfb4d7b
commit 697a0ed2d3
7 changed files with 189 additions and 0 deletions
--- a/go.mod
+++ b/go.mod
@ -198,6 +198,8 @@ require (
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230803162519-f966b187b2e5 // indirect
 	google.golang.org/grpc v1.57.0 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
+	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
+	gopkg.in/ldap.v3 v3.1.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
--- a/go.sum
+++ b/go.sum
@ -574,11 +574,15 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
 google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d h1:TxyelI5cVkbREznMhfzycHdkp5cLA7DpE+GKjSslYhM=
+gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
+gopkg.in/ldap.v3 v3.1.0 h1:DIDWEjI7vQWREh0S8X5/NFPCZ3MCVd55LmXKPW4XLGE=
+gopkg.in/ldap.v3 v3.1.0/go.mod h1:dQjCc0R0kfyFjIlWNMH1DORwUASZyDxo2Ry1B51dXaQ=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
--- a/internal/bootstrap/data/setting.go
+++ b/internal/bootstrap/data/setting.go
@ -165,6 +165,17 @@ func InitialSettings() []model.SettingItem {
 		{Key: conf.SSODefaultDir, Value: "/", Type: conf.TypeString, Group: model.SSO, Flag: model.PRIVATE},
 		{Key: conf.SSODefaultPermission, Value: "0", Type: conf.TypeNumber, Group: model.SSO, Flag: model.PRIVATE},
 		{Key: conf.SSOCompatibilityMode, Value: "false", Type: conf.TypeBool, Group: model.SSO, Flag: model.PUBLIC},
+
+		// ldap settings
+		{Key: conf.LdapLoginEnabled, Value: "false", Type: conf.TypeBool, Group: model.LDAP, Flag: model.PUBLIC},
+		{Key: conf.LdapServer, Value: "", Type: conf.TypeString, Group: model.LDAP, Flag: model.PRIVATE},
+		{Key: conf.LdapManagerDN, Value: "", Type: conf.TypeString, Group: model.LDAP, Flag: model.PRIVATE},
+		{Key: conf.LdapManagerPassword, Value: "", Type: conf.TypeString, Group: model.LDAP, Flag: model.PRIVATE},
+		{Key: conf.LdapUserSearchBase, Value: "", Type: conf.TypeString, Group: model.LDAP, Flag: model.PRIVATE},
+		{Key: conf.LdapUserSearchFilter, Value: "(uid=%s)", Type: conf.TypeString, Group: model.LDAP, Flag: model.PRIVATE},
+		{Key: conf.LdapDefaultDir, Value: "/", Type: conf.TypeString, Group: model.LDAP, Flag: model.PRIVATE},
+		{Key: conf.LdapDefaultPermission, Value: "0", Type: conf.TypeNumber, Group: model.LDAP, Flag: model.PRIVATE},
+		{Key: conf.LdapLoginTips, Value: "login with ldap", Type: conf.TypeString, Group: model.LDAP, Flag: model.PUBLIC},
 	}
 	initialSettingItems = append(initialSettingItems, tool.Tools.Items()...)
 	if flags.Dev {
--- a/internal/conf/const.go
+++ b/internal/conf/const.go
@ -73,6 +73,17 @@ const (
 	SSODefaultPermission = "sso_default_permission"
 	SSOCompatibilityMode = "sso_compatibility_mode"

+	//ldap
+	LdapLoginEnabled      = "ldap_login_enabled"
+	LdapServer            = "ldap_server"
+	LdapManagerDN         = "ldap_manager_dn"
+	LdapManagerPassword   = "ldap_manager_password"
+	LdapUserSearchBase    = "ldap_user_search_base"
+	LdapUserSearchFilter  = "ldap_user_search_filter"
+	LdapDefaultPermission = "ldap_default_permission"
+	LdapDefaultDir        = "ldap_default_dir"
+	LdapLoginTips         = "ldap_login_tips"
+
 	// qbittorrent
 	QbittorrentUrl      = "qbittorrent_url"
 	QbittorrentSeedtime = "qbittorrent_seedtime"
--- a/internal/model/setting.go
+++ b/internal/model/setting.go
@ -9,6 +9,7 @@ const (
 	OFFLINE_DOWNLOAD
 	INDEX
 	SSO
+	LDAP
 )

 const (
--- a/server/handles/ldap_login.go
+++ b/server/handles/ldap_login.go
@ -0,0 +1,159 @@
+package handles
+
+import (
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/alist-org/alist/v3/internal/conf"
+	"github.com/alist-org/alist/v3/internal/db"
+	"github.com/alist-org/alist/v3/internal/model"
+	"github.com/alist-org/alist/v3/internal/op"
+	"github.com/alist-org/alist/v3/internal/setting"
+	"github.com/alist-org/alist/v3/pkg/utils"
+	"github.com/alist-org/alist/v3/pkg/utils/random"
+	"github.com/alist-org/alist/v3/server/common"
+	"github.com/gin-gonic/gin"
+	"gopkg.in/ldap.v3"
+)
+
+func LoginLdap(c *gin.Context) {
+	var req LoginReq
+	if err := c.ShouldBind(&req); err != nil {
+		common.ErrorResp(c, err, 400)
+		return
+	}
+	loginLdap(c, &req)
+}
+
+func loginLdap(c *gin.Context, req *LoginReq) {
+	enabled := setting.GetBool(conf.LdapLoginEnabled)
+	if !enabled {
+		common.ErrorStrResp(c, "ldap is not enabled", 403)
+		return
+	}
+
+	// check count of login
+	ip := c.ClientIP()
+	count, ok := loginCache.Get(ip)
+	if ok && count >= defaultTimes {
+		common.ErrorStrResp(c, "Too many unsuccessful sign-in attempts have been made using an incorrect username or password, Try again later.", 429)
+		loginCache.Expire(ip, defaultDuration)
+		return
+	}
+
+	// Auth start
+	ldapServer := setting.GetStr(conf.LdapServer)
+	ldapManagerDN := setting.GetStr(conf.LdapManagerDN)
+	ldapManagerPassword := setting.GetStr(conf.LdapManagerPassword)
+	ldapUserSearchBase := setting.GetStr(conf.LdapUserSearchBase)
+	ldapUserSearchFilter := setting.GetStr(conf.LdapUserSearchFilter) // (uid=%s)
+
+	var tlsEnabled bool = false
+	if strings.HasPrefix(ldapServer, "ldaps://") {
+		tlsEnabled = true
+		ldapServer = strings.TrimPrefix(ldapServer, "ldaps://")
+	} else if strings.HasPrefix(ldapServer, "ldap://") {
+		ldapServer = strings.TrimPrefix(ldapServer, "ldap://")
+	}
+
+	l, err := ldap.Dial("tcp", ldapServer)
+	if err != nil {
+		utils.Log.Errorf("failed to connect to LDAP: %v", err)
+		common.ErrorResp(c, err, 500)
+		return
+	}
+	defer l.Close()
+
+	if tlsEnabled {
+		// Reconnect with TLS
+		err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})
+		if err != nil {
+			utils.Log.Errorf("failed to start tls: %v", err)
+			common.ErrorResp(c, err, 500)
+			return
+		}
+	}
+
+	// First bind with a read only user
+	if ldapManagerDN != "" && ldapManagerPassword != "" {
+		err = l.Bind(ldapManagerDN, ldapManagerPassword)
+		if err != nil {
+			utils.Log.Errorf("Failed to bind to LDAP: %v", err)
+			common.ErrorResp(c, err, 500)
+			return
+		}
+	}
+
+	// Search for the given username
+	searchRequest := ldap.NewSearchRequest(
+		ldapUserSearchBase,
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+		fmt.Sprintf(ldapUserSearchFilter, req.Username),
+		[]string{"dn"},
+		nil,
+	)
+	sr, err := l.Search(searchRequest)
+	if err != nil {
+		utils.Log.Errorf("LDAP search failed: %v", err)
+		common.ErrorResp(c, err, 500)
+		return
+	}
+	if len(sr.Entries) != 1 {
+		utils.Log.Errorf("User does not exist or too many entries returned")
+		common.ErrorResp(c, err, 500)
+		return
+	}
+	userDN := sr.Entries[0].DN
+
+	// Bind as the user to verify their password
+	err = l.Bind(userDN, req.Password)
+	if err != nil {
+		utils.Log.Errorf("Failed to auth. %v", err)
+		common.ErrorResp(c, err, 400)
+		loginCache.Set(ip, count+1)
+		return
+	} else {
+		utils.Log.Infof("Auth successful username:%s", req.Username)
+	}
+	// Auth finished
+
+	user, err := op.GetUserByName(req.Username)
+	if err != nil {
+		user, err = ladpRegister(req.Username)
+		if err != nil {
+			common.ErrorResp(c, err, 400)
+			loginCache.Set(ip, count+1)
+			return
+		}
+	}
+
+	// generate token
+	token, err := common.GenerateToken(user)
+	if err != nil {
+		common.ErrorResp(c, err, 400, true)
+		return
+	}
+	common.SuccessResp(c, gin.H{"token": token})
+	loginCache.Del(ip)
+}
+
+func ladpRegister(username string) (*model.User, error) {
+	if username == "" {
+		return nil, errors.New("cannot get username from ldap provider")
+	}
+	user := &model.User{
+		ID:         0,
+		Username:   username,
+		Password:   random.String(16),
+		Permission: int32(setting.GetInt(conf.LdapDefaultPermission, 0)),
+		BasePath:   setting.GetStr(conf.LdapDefaultDir),
+		Role:       0,
+		Disabled:   false,
+	}
+	if err := db.CreateUser(user); err != nil {
+		return nil, err
+	}
+	return user, nil
+}
--- a/server/router.go
+++ b/server/router.go
@ -48,6 +48,7 @@ func Init(e *gin.Engine) {

 	api.POST("/auth/login", handles.Login)
 	api.POST("/auth/login/hash", handles.LoginHash)
+	api.POST("/auth/login/ldap", handles.LoginLdap)
 	auth.GET("/me", handles.CurrentUser)
 	auth.POST("/me/update", handles.UpdateCurrent)
 	auth.POST("/auth/2fa/generate", handles.Generate2FA)