feat: support checking password through ldap server (#354)

Signed-off-by: Товарищ программист <2962928213@qq.com>
2025-05-23 02:35:49 +08:00 · 2021-12-10 22:45:01 +08:00 · 2021-12-10 22:45:01 +08:00 · 6947ebd152
commit 6947ebd152
parent 967113689d
3 changed files with 44 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -17,6 +17,7 @@

 .idea/
 *.iml
+.vscode/

 tmp/
 tmpFiles/
--- a/object/check.go
+++ b/object/check.go
@ -20,6 +20,7 @@ import (

 	"github.com/casbin/casdoor/cred"
 	"github.com/casbin/casdoor/util"
+	goldap "github.com/go-ldap/ldap/v3"
 )

 var reWhiteSpace *regexp.Regexp
@ -120,6 +121,42 @@ func CheckPassword(user *User, password string) string {
 	}
 }

+func checkLdapUserPassword(user *User, password string) (*User, string) {
+	ldaps := GetLdaps(user.Owner)
+	ldapLoginSuccess := false
+	for _, ldapServer := range ldaps {
+		conn, err := GetLdapConn(ldapServer.Host, ldapServer.Port, ldapServer.Admin, ldapServer.Passwd)
+		if err != nil {
+			continue
+		}
+		SearchFilter := fmt.Sprintf("(&(objectClass=posixAccount)(uid=%s))", user.Name)
+		searchReq := goldap.NewSearchRequest(ldapServer.BaseDn,
+			goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false,
+			SearchFilter, []string{}, nil)
+		searchResult, err := conn.Conn.Search(searchReq)
+		if err != nil {
+			return nil, err.Error()
+		}
+
+		if len(searchResult.Entries) == 0 {
+			continue
+		} else if len(searchResult.Entries) > 1 {
+			return nil, "Error: multiple accounts with same uid, please check your ldap server"
+		}
+
+		dn := searchResult.Entries[0].DN
+		if err := conn.Conn.Bind(dn, password); err == nil {
+			ldapLoginSuccess = true
+			break
+		}
+	}
+
+	if !ldapLoginSuccess {
+		return nil, "ldap user name or password incorrect"
+	}
+	return user, ""
+}
+
 func CheckUserPassword(organization string, username string, password string) (*User, string) {
 	user := GetUserByFields(organization, username)
 	if user == nil || user.IsDeleted == true {
@ -129,6 +166,10 @@ func CheckUserPassword(organization string, username string, password string) (*
 	if user.IsForbidden {
 		return nil, "the user is forbidden to sign in, please contact the administrator"
 	}
+	//for ldap users
+	if user.Ldap != "" {
+		return checkLdapUserPassword(user, password)
+	}

 	msg := CheckPassword(user, password)
 	if msg != "" {
--- a/object/ldap.go
+++ b/object/ldap.go
@ -17,10 +17,11 @@ package object
 import (
 	"errors"
 	"fmt"
+	"strings"
+
 	"github.com/casbin/casdoor/util"
 	goldap "github.com/go-ldap/ldap/v3"
 	"github.com/thanhpk/randstr"
-	"strings"
 )

 type Ldap struct {