feat: add LDAP signin method (#2591)

Add support for LDAP login methods
Add option to control LDAP user in password login method.

object/application.go

@@ -201,7 +201,7 @@ func extendApplicationWithOrg(application *Application) (err error) {
 func extendApplicationWithSigninMethods(application *Application) (err error) {
 	if len(application.SigninMethods) == 0 {
 		if application.EnablePassword {
-			signinMethod := &SigninMethod{Name: "Password", DisplayName: "Password", Rule: "None"}
+			signinMethod := &SigninMethod{Name: "Password", DisplayName: "Password", Rule: "All"}
 			application.SigninMethods = append(application.SigninMethods, signinMethod)
 		}
 		if application.EnableCodeSignin {
@@ -212,10 +212,12 @@ func extendApplicationWithSigninMethods(application *Application) (err error) {
 			signinMethod := &SigninMethod{Name: "WebAuthn", DisplayName: "WebAuthn", Rule: "None"}
 			application.SigninMethods = append(application.SigninMethods, signinMethod)
 		}
+		signinMethod := &SigninMethod{Name: "LDAP", DisplayName: "LDAP", Rule: "None"}
+		application.SigninMethods = append(application.SigninMethods, signinMethod)
 	}
 
 	if len(application.SigninMethods) == 0 {
-		signinMethod := &SigninMethod{Name: "Password", DisplayName: "Password", Rule: "None"}
+		signinMethod := &SigninMethod{Name: "Password", DisplayName: "Password", Rule: "All"}
 		application.SigninMethods = append(application.SigninMethods, signinMethod)
 	}
 
@@ -544,6 +546,19 @@ func (application *Application) IsPasswordEnabled() bool {
 	}
 }
 
+func (application *Application) IsPasswordWithLdapEnabled() bool {
+	if len(application.SigninMethods) == 0 {
+		return application.EnablePassword
+	} else {
+		for _, signinMethod := range application.SigninMethods {
+			if signinMethod.Name == "Password" && signinMethod.Rule == "All" {
+				return true
+			}
+		}
+		return false
+	}
+}
+
 func (application *Application) IsCodeSigninViaEmailEnabled() bool {
 	if len(application.SigninMethods) == 0 {
 		return application.EnableCodeSignin
@@ -570,6 +585,17 @@ func (application *Application) IsCodeSigninViaSmsEnabled() bool {
 	}
 }
 
+func (application *Application) IsLdapEnabled() bool {
+	if len(application.SigninMethods) > 0 {
+		for _, signinMethod := range application.SigninMethods {
+			if signinMethod.Name == "LDAP" {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 func IsOriginAllowed(origin string) (bool, error) {
 	applications, err := GetApplications("")
 	if err != nil {

object/check.go

@@ -278,8 +278,12 @@ func checkLdapUserPassword(user *User, password string, lang string) error {
 
 func CheckUserPassword(organization string, username string, password string, lang string, options ...bool) (*User, error) {
 	enableCaptcha := false
+	isSigninViaLdap := false
+	isPasswordWithLdapEnabled := false
 	if len(options) > 0 {
 		enableCaptcha = options[0]
+		isSigninViaLdap = options[1]
+		isPasswordWithLdapEnabled = options[2]
 	}
 	user, err := GetUserByFields(organization, username)
 	if err != nil {
@@ -294,7 +298,16 @@ func CheckUserPassword(organization string, username string, password string, la
 		return nil, fmt.Errorf(i18n.Translate(lang, "check:The user is forbidden to sign in, please contact the administrator"))
 	}
 
+	if isSigninViaLdap {
+		if user.Ldap == "" {
+			return nil, fmt.Errorf(i18n.Translate(lang, "check:The user: %s doesn't exist in LDAP server"), username)
+		}
+	}
+
 	if user.Ldap != "" {
+		if !isSigninViaLdap && !isPasswordWithLdapEnabled {
+			return nil, fmt.Errorf(i18n.Translate(lang, "check:password or code is incorrect"))
+		}
 		// only for LDAP users
 		err = checkLdapUserPassword(user, password, lang)
 		if err != nil {

object/init.go

@@ -184,6 +184,7 @@ func initBuiltInApplication() {
 			{Name: "Password", DisplayName: "Password", Rule: "None"},
 			{Name: "Verification code", DisplayName: "Verification code", Rule: "All"},
 			{Name: "WebAuthn", DisplayName: "WebAuthn", Rule: "None"},
+			{Name: "LDAP", DisplayName: "LDAP", Rule: "None"},
 		},
 		SignupItems: []*SignupItem{
 			{Name: "ID", Visible: false, Required: true, Prompted: false, Rule: "Random"},