
initial support for LDAP authentication/MSAD

This commit is contained in:
juju2013 2014-04-22 18:55:27 +02:00 committed by juju2013
parent dbdaf934e1
commit efc05ea1de
7 changed files with 216 additions and 8 deletions

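--- a/.gitignore
+++ b/.gitignore
@@ -12,6 +12,7 @@ public/img/avatar/
 *.o
 *.a
 *.so
+dev
 # Folders
 _obj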

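--- a/models/ldap.go
+++ b/models/ldap.go
@@ -0,0 +1,38 @@
+// Copyright github.com/juju2013. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+package models
+import (
+"strings"
+"github.com/gogits/gogs/modules/auth/ldap"
+"github.com/gogits/gogs/modules/log"
+)
+// Query if name/passwd can login against the LDAP direcotry pool
+// Create a local user if success
+// Return the same LoginUserPlain semantic
+func LoginUserLdap(name, passwd string) (*User, error) {
+mail, logged := ldap.LoginUser(name, passwd)
+if !logged {
+// user not in LDAP, do nothing
+return nil, ErrUserNotExist
+}
+// fake a local user creation
+user := User{
+LowerName: strings.ToLower(name),
+Name: strings.ToLower(name),
+LoginType: 389,
+IsActive: true,
+Passwd: passwd,
+Email: mail}
+_, err := RegisterUser(&user)
+if err != nil {
+log.Debug("LDAP local user %s fond (%s) ", name, err)
+}
+// simulate local user login
+localUser, err2 := GetUserByName(user.Name)
+return localUser, err2
+}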
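Review bot: LoginUserLdap persists the directory password into the local record (`Passwd: passwd` in the User literal), and since SignInPost in the routers hunk falls back to LoginUserPlain whenever the LDAP attempt returns an error, a user whose directory account is later disabled or whose password changed can still sign in locally with the old credential. Registering LDAP-backed users with a random, unusable local password (or skipping the local fallback for users whose LoginType is the LDAP type) keeps the directory authoritative. The RegisterUser error is only debug-logged, so when the name is rejected or the mail attribute is empty the following GetUserByName reports not-found and the real cause is hidden; returning the error unless it is the "already exists" case would make failures diagnosable. `LoginType: 389` is a magic number; a named constant in the models package would document the intent.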


@ -125,6 +125,7 @@ func GetUserSalt() string {
// RegisterUser creates record of a new user. // RegisterUser creates record of a new user.
func RegisterUser(user *User) (*User, error) { func RegisterUser(user *User) (*User, error) {
if !IsLegalName(user.Name) { if !IsLegalName(user.Name) {
return nil, ErrUserNameIllegal return nil, ErrUserNameIllegal
} }


@ -0,0 +1,43 @@
LDAP authentication
===================
## Goal
Authenticat user against LDAP directories
It will bind with the user's login/pasword and query attributs ("mail" for instance) in a pool of directory servers
The first OK wins.
If there's connection error, the server will be disabled and won't be checked again
## Usage
In the [security] section, set
> LDAP_AUTH = true
then for each LDAP source, set
> [LdapSource-someuniquename]
> name=canonicalName
> host=hostname-or-ip
> port=3268 # or regular LDAP port
> # the following settings depend highly how you've configured your AD
> basedn=dc=ACME,dc=COM
> MSADSAFORMAT=%s@ACME.COM
> filter=(&(objectClass=user)(sAMAccountName=%s))
### Limitation
Only tested on an MS 2008R2 DC, using global catalog (TCP/3268)
This MSAD is a mess.
The way how one checks the directory (CN, DN etc...) may be highly depending local custom configuration
### Todo
* Define a timeout per server
* Check servers marked as "Disabled" when they'll come back online
* Find a more flexible way to define filter/MSADSAFORMAT/Attributes etc... maybe text/template ?
* Check OpenLDAP server
* SSL support ?

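--- a/modules/auth/ldap/ldap.go
+++ b/modules/auth/ldap/ldap.go
@@ -0,0 +1,86 @@
+// Copyright github.com/juju2013. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+// package ldap provide functions & structure to query a LDAP ldap directory
+// For now, it's mainly tested again an MS Active Directory service, see README.md for more information
+package ldap
+import (
+"fmt"
+"github.com/gogits/gogs/modules/log"
+goldap "github.com/juju2013/goldap"
+)
+// Basic LDAP authentication service
+type ldapsource struct {
+Name string // canonical name (ie. corporate.ad)
+Host string // LDAP host
+Port int // port number
+BaseDN string // Base DN
+Attributes string // Attribut to search
+Filter string // Query filter to validate entry
+MsAdSAFormat string // in the case of MS AD Simple Authen, the format to use (see: http://msdn.microsoft.com/en-us/library/cc223499.aspx)
+Enabled bool // if this source is disabled
+}
+//Global LDAP directory pool
+var (
+Authensource []ldapsource
+)
+// Add a new source (LDAP directory) to the global pool
+func AddSource(name string, host string, port int, basedn string, attributes string, filter string, msadsaformat string) {
+ldaphost := ldapsource{name, host, port, basedn, attributes, filter, msadsaformat, true}
+Authensource = append(Authensource, ldaphost)
+}
+//LoginUser : try to login an user to LDAP sources, return requested (attribut,true) if ok, ("",false) other wise
+//First match wins
+//Returns first attribute if exists
+func LoginUser(name, passwd string) (a string, r bool) {
+r = false
+for _, ls := range Authensource {
+a, r = ls.searchEntry(name, passwd)
+if r {
+return
+}
+}
+return
+}
+// searchEntry : search an LDAP source if an entry (name, passwd) is valide and in the specific filter
+func (ls ldapsource) searchEntry(name, passwd string) (string, bool) {
+l, err := goldap.Dial("tcp", fmt.Sprintf("%s:%d", ls.Host, ls.Port))
+if err != nil {
+log.Debug("LDAP Connect error, disabled source %s", ls.Host)
+ls.Enabled = false
+return "", false
+}
+defer l.Close()
+nx := fmt.Sprintf(ls.MsAdSAFormat, name)
+err = l.Bind(nx, passwd)
+if err != nil {
+log.Debug("LDAP Authan failed for %s, reason: %s", nx, err.Error())
+return "", false
+}
+search := goldap.NewSearchRequest(
+ls.BaseDN,
+goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false,
+fmt.Sprintf(ls.Filter, name),
+[]string{ls.Attributes},
+nil)
+sr, err := l.Search(search)
+if err != nil {
+log.Debug("LDAP Authen OK but not in filter %s", name)
+return "", false
+}
+log.Debug("LDAP Authen OK: %s", name)
+if len(sr.Entries) > 0 {
+r := sr.Entries[0].GetAttributeValue(ls.Attributes)
+return r, true
+}
+return "", true
+}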
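Review bot: searchEntry returns `"", true` when the bind succeeds but the search yields no entries (the fall-through after the `len(sr.Entries) > 0` branch), so the configured Filter is never actually enforced and any directory account that can bind is accepted; that last line should be `return "", false`. The bind is also attempted with whatever password arrives, and many directories treat a bind with an empty password as an anonymous bind that succeeds, so guard early with `if passwd == "" { return "", false }`. `name` is interpolated into both the bind name and the search filter through fmt.Sprintf without escaping, so a login name containing filter metacharacters alters the query; escape it per RFC 4515 before substitution. Finally `ls.Enabled = false` is assigned on a value receiver and LoginUser never checks Enabled, so the "disabled source" behaviour described in the README does not take effect — use a pointer receiver (or index into Authensource) and skip sources whose Enabled is false.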


@ -10,6 +10,7 @@ import (
"os/exec" "os/exec"
"path" "path"
"path/filepath" "path/filepath"
"regexp"
"strings" "strings"
"github.com/Unknwon/com" "github.com/Unknwon/com"
@ -19,6 +20,7 @@ import (
"github.com/gogits/cache" "github.com/gogits/cache"
"github.com/gogits/session" "github.com/gogits/session"
"github.com/gogits/gogs/modules/auth/ldap"
"github.com/gogits/gogs/modules/log" "github.com/gogits/gogs/modules/log"
) )
@ -51,6 +53,7 @@ var (
Domain string Domain string
SecretKey string SecretKey string
RunUser string RunUser string
LdapAuth bool
RepoRootPath string RepoRootPath string
ScriptType string ScriptType string
@ -83,13 +86,13 @@ var (
) )
var Service struct { var Service struct {
RegisterEmailConfirm bool RegisterEmailConfirm bool
DisableRegistration bool DisableRegistration bool
RequireSignInView bool RequireSignInView bool
EnableCacheAvatar bool EnableCacheAvatar bool
NotifyMail bool NotifyMail bool
ActiveCodeLives int ActiveCodeLives int
ResetPwdCodeLives int ResetPwdCodeLives int
} }
func ExecDir() (string, error) { func ExecDir() (string, error) {
@ -310,6 +313,33 @@ func NewConfigContext() {
CookieUserName = Cfg.MustValue("security", "COOKIE_USERNAME") CookieUserName = Cfg.MustValue("security", "COOKIE_USERNAME")
CookieRememberName = Cfg.MustValue("security", "COOKIE_REMEMBER_NAME") CookieRememberName = Cfg.MustValue("security", "COOKIE_REMEMBER_NAME")
// load LDAP authentication configuration if present
LdapAuth = Cfg.MustBool("security", "LDAP_AUTH", false)
if LdapAuth {
log.Debug("LDAP AUTHENTICATION activated")
nbsrc := 0
for _, v := range Cfg.GetSectionList() {
if matched, _ := regexp.MatchString("(?i)^LDAPSOURCE.*", v); matched {
ldapname := Cfg.MustValue(v, "name", v)
ldaphost := Cfg.MustValue(v, "host")
ldapport := Cfg.MustInt(v, "port", 389)
ldapbasedn := Cfg.MustValue(v, "basedn", "dc=*,dc=*")
ldapattribute := Cfg.MustValue(v, "attribute", "mail")
ldapfilter := Cfg.MustValue(v, "filter", "(*)")
ldapmsadsaformat := Cfg.MustValue(v, "MSADSAFORMAT", "%s")
ldap.AddSource(ldapname, ldaphost, ldapport, ldapbasedn, ldapattribute, ldapfilter, ldapmsadsaformat)
nbsrc += 1
log.Debug("%s added as LDAP source", ldapname)
}
}
if nbsrc == 0 {
log.Debug("No valide LDAP found, LDAP AUTHENTICATION NOT activated")
LdapAuth = false
}
} else {
log.Debug("LDAP AUTHENTICATION NOT activated")
}
PictureService = Cfg.MustValue("picture", "SERVICE") PictureService = Cfg.MustValue("picture", "SERVICE")
// Determine and create root git reposiroty path. // Determine and create root git reposiroty path.
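Review bot: `regexp.MatchString("(?i)^LDAPSOURCE.*", v)` recompiles the pattern for every configuration section in the loop and discards the compile error; hoist it to a package-level `var ldapSourceRe = regexp.MustCompile("(?i)^LDAPSOURCE")` and test with `if ldapSourceRe.MatchString(v) {`. `ldaphost` has no default and is not validated, so a section without a `host` key is still added as a source and only fails later at dial time; skipping such a section with a log line keeps the "nbsrc" summary honest. The defaults `dc=*,dc=*` and `(*)` read like placeholders rather than usable base DN and filter values — confirm they are intended, since a source left at those defaults cannot match anything. NewConfigContext continues outside the hunk.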


@ -89,7 +89,16 @@ func SignInPost(ctx *middleware.Context, form auth.LogInForm) {
return return
} }
user, err := models.LoginUserPlain(form.UserName, form.Password) var user *models.User
var err error
// try to login against LDAP if defined
if base.LdapAuth {
user, err = models.LoginUserLdap(form.UserName, form.Password)
}
// try local if not LDAP or it's failed
if (!base.LdapAuth) || (err != nil) {
user, err = models.LoginUserPlain(form.UserName, form.Password)
}
if err != nil { if err != nil {
if err == models.ErrUserNotExist { if err == models.ErrUserNotExist {
log.Trace("%s Log in failed: %s/%s", ctx.Req.RequestURI, form.UserName, form.Password) log.Trace("%s Log in failed: %s/%s", ctx.Req.RequestURI, form.UserName, form.Password)