feat: fix LDAP server handle filter without CN field as * (#1705)

* fix: set ldap server default filter name as *

* fix: default use built-in organization to bind

* chore: use cache reduce the ci test time

ldap/server.go

@@ -0,0 +1,122 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ldap
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/casdoor/casdoor/conf"
+	"github.com/casdoor/casdoor/object"
+	ldap "github.com/forestmgy/ldapserver"
+	"github.com/lor00x/goldap/message"
+)
+
+func StartLdapServer() {
+	server := ldap.NewServer()
+	routes := ldap.NewRouteMux()
+
+	routes.Bind(handleBind)
+	routes.Search(handleSearch).Label(" SEARCH****")
+
+	server.Handle(routes)
+	err := server.ListenAndServe("0.0.0.0:" + conf.GetConfigString("ldapServerPort"))
+	if err != nil {
+		return
+	}
+}
+
+func handleBind(w ldap.ResponseWriter, m *ldap.Message) {
+	r := m.GetBindRequest()
+	res := ldap.NewBindResponse(ldap.LDAPResultSuccess)
+
+	if r.AuthenticationChoice() == "simple" {
+		bindUsername, bindOrg, err := getNameAndOrgFromDN(string(r.Name()))
+		if err != "" {
+			log.Printf("Bind failed ,ErrMsg=%s", err)
+			res.SetResultCode(ldap.LDAPResultInvalidDNSyntax)
+			res.SetDiagnosticMessage("bind failed ErrMsg: " + err)
+			w.Write(res)
+			return
+		}
+
+		bindPassword := string(r.AuthenticationSimple())
+		bindUser, err := object.CheckUserPassword(object.CasdoorOrganization, bindUsername, bindPassword, "en")
+		if err != "" {
+			log.Printf("Bind failed User=%s, Pass=%#v, ErrMsg=%s", string(r.Name()), r.Authentication(), err)
+			res.SetResultCode(ldap.LDAPResultInvalidCredentials)
+			res.SetDiagnosticMessage("invalid credentials ErrMsg: " + err)
+			w.Write(res)
+			return
+		}
+
+		if bindOrg == "built-in" || bindUser.IsGlobalAdmin {
+			m.Client.IsGlobalAdmin, m.Client.IsOrgAdmin = true, true
+		} else if bindUser.IsAdmin {
+			m.Client.IsOrgAdmin = true
+		}
+
+		m.Client.IsAuthenticated = true
+		m.Client.UserName = bindUsername
+		m.Client.OrgName = bindOrg
+	} else {
+		res.SetResultCode(ldap.LDAPResultAuthMethodNotSupported)
+		res.SetDiagnosticMessage("Authentication method not supported,Please use Simple Authentication")
+	}
+	w.Write(res)
+}
+
+func handleSearch(w ldap.ResponseWriter, m *ldap.Message) {
+	res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultSuccess)
+	if !m.Client.IsAuthenticated {
+		res.SetResultCode(ldap.LDAPResultUnwillingToPerform)
+		w.Write(res)
+		return
+	}
+
+	r := m.GetSearchRequest()
+	if r.FilterString() == "(objectClass=*)" {
+		w.Write(res)
+		return
+	}
+
+	// Handle Stop Signal (server stop / client disconnected / Abandoned request....)
+	select {
+	case <-m.Done:
+		log.Print("Leaving handleSearch...")
+		return
+	default:
+	}
+
+	users, code := GetFilteredUsers(m)
+	if code != ldap.LDAPResultSuccess {
+		res.SetResultCode(code)
+		w.Write(res)
+		return
+	}
+
+	for _, user := range users {
+		dn := fmt.Sprintf("cn=%s,%s", user.Name, string(r.BaseObject()))
+		e := ldap.NewSearchResultEntry(dn)
+		e.AddAttribute("cn", message.AttributeValue(user.Name))
+		e.AddAttribute("uid", message.AttributeValue(user.Name))
+		e.AddAttribute("email", message.AttributeValue(user.Email))
+		e.AddAttribute("mobile", message.AttributeValue(user.Phone))
+		e.AddAttribute("userPassword", message.AttributeValue(getUserPasswordWithType(user)))
+		// e.AddAttribute("postalAddress", message.AttributeValue(user.Address[0]))
+		w.Write(e)
+	}
+	w.Write(res)
+}