diff --git a/src/common/models/ldap.go b/src/common/models/ldap.go
index 5429426d0..e26cdfe3f 100644
--- a/src/common/models/ldap.go
+++ b/src/common/models/ldap.go
@@ -31,6 +31,7 @@ type LdapUser struct {
 Username string `json:"ldap_username"`
 Email string `json:"ldap_email"`
 Realname string `json:"ldap_realname"`
+ DN string `json:"-"`
 }
 
 //LdapImportUser ...
diff --git a/src/common/utils/ldap/ldap.go b/src/common/utils/ldap/ldap.go
index 3dfda26d2..7bda13a54 100644
--- a/src/common/utils/ldap/ldap.go
+++ b/src/common/utils/ldap/ldap.go
@@ -151,7 +151,7 @@ func ConnectTest(ldapConfs models.LdapConf) error {
 var ldapConn *goldap.Conn
 var err error
 
- ldapConn, err = dialLDAP(ldapConfs, ldapConn)
+ ldapConn, err = dialLDAP(ldapConfs)
 
 if err != nil {
 return err
@@ -175,7 +175,7 @@ func SearchUser(ldapConfs models.LdapConf) ([]models.LdapUser, error) {
 var ldapConn *goldap.Conn
 var err error
 
- ldapConn, err = dialLDAP(ldapConfs, ldapConn)
+ ldapConn, err = dialLDAP(ldapConfs)
 
 if err != nil {
 return nil, err
@@ -217,6 +217,7 @@ func SearchUser(ldapConfs models.LdapConf) ([]models.LdapUser, error) {
 u.Email = val
 }
 }
+ u.DN = ldapEntry.DN
 ldapUsers = append(ldapUsers, u)
 }
 
@@ -312,11 +313,25 @@ func ImportUser(user models.LdapUser) (int64, error) {
 return UserID, nil
 }
 
-func dialLDAP(ldapConfs models.LdapConf, ldap *goldap.Conn) (*goldap.Conn, error) {
+// Bind establish a connection to ldap based on ldapConfs and bind the user with given parameters.
+func Bind(ldapConfs models.LdapConf, dn string, password string) error {
+ conn, err := dialLDAP(ldapConfs)
+ if err != nil {
+ return err
+ }
+ defer conn.Close()
+ if ldapConfs.LdapSearchDn != "" {
+ if err := bindLDAPSearchDN(ldapConfs, conn); err != nil {
+ return err
+ }
+ }
+ return conn.Bind(dn, password)
+}
+
+func dialLDAP(ldapConfs models.LdapConf) (*goldap.Conn, error) {
+
 
 var err error
-
- //log.Debug("ldapConfs.LdapURL:", ldapConfs.LdapURL)
-
+ var ldap *goldap.Conn
 splitLdapURL := strings.Split(ldapConfs.LdapURL, "://")
 protocol, hostport := splitLdapURL[0], splitLdapURL[1]
diff --git a/src/ui/auth/ldap/ldap.go b/src/ui/auth/ldap/ldap.go
index 7b2132f7a..b1fd9883a 100644
--- a/src/ui/auth/ldap/ldap.go
+++ b/src/ui/auth/ldap/ldap.go
@@ -75,6 +75,12 @@ func (l *Auth) Authenticate(m models.AuthModel) (*models.User, error) {
 u.Email = ldapUsers[0].Email
 u.Realname = ldapUsers[0].Realname
 
+ dn := ldapUsers[0].DN
+
+ log.Debugf("username: %s, dn: %s", u.Username, dn)
+ if err := ldapUtils.Bind(ldapConfs, dn, m.Password); err != nil {
+ return nil, fmt.Errorf("Failed to bind user, username: %s, dn: %s, error: %v", u.Username, dn, err)
+ }
 exist, err := dao.UserExists(u, "username")
 if err != nil {
 return nil, err
@@ -87,11 +93,6 @@ func (l *Auth) Authenticate(m models.AuthModel) (*models.User, error) {
 }
 u.UserID = currentUser.UserID
 } else {
- // u.Password = "12345678AbC"
- // u.Comment = "from LDAP."
- // if u.Email == "" {
- // u.Email = u.Username + "@placeholder.com"
- // }
 userID, err := ldapUtils.ImportUser(ldapUsers[0])
 if err != nil {
 log.Errorf("Can't import user %s, error: %v", ldapUsers[0].Username, err)
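Review bot: Bind hands dn and password to conn.Bind without rejecting an empty password, so a login attempt with a blank password becomes an unauthenticated simple bind (RFC 4513 §5.1.2), which many directories answer with success unless the vendored go-ldap version refuses it on the client side; add `if dn == "" || password == "" { return errors.New("ldap: empty dn or password") }` before dialLDAP is called, using the stdlib errors package or the file's existing fmt import (the import block is outside this hunk). The doc comment should also state the contract rather than paraphrase the name, e.g. `// Bind establishes a connection to the LDAP server described by ldapConfs, binds as LdapSearchDn when one is configured, and then binds as dn with password; a nil error means the server accepted the credentials.` dialLDAP's body continues past the end of the hunk.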
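Review bot: The fmt.Errorf on the bind failure embeds the user's DN and the raw go-ldap error in a message the caller may surface to the client, which would disclose directory layout; the DN is already recorded by the preceding log.Debugf, so `return nil, fmt.Errorf("binding ldap user %s: %v", u.Username, err)` keeps that detail in the logs only. Go error strings also conventionally start lowercase, which the current "Failed to bind user" does not. Whether the error reaches the HTTP response depends on the caller, which is outside this hunk, as is the rest of Authenticate.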
diff --git a/src/ui/auth/ldap/ldap_test.go b/src/ui/auth/ldap/ldap_test.go
index 02ed47e53..5557ddb97 100644
--- a/src/ui/auth/ldap/ldap_test.go
+++ b/src/ui/auth/ldap/ldap_test.go
@@ -122,4 +122,10 @@ func TestAuthenticate(t *testing.T) {
 if user.Username != "test" {
 t.Errorf("unexpected ldap user authenticate fail: %s = %s", "user.Username", user.Username)
 }
+ person.Principal = "test"
+ person.Password = "1"
+ _, err = auth.Authenticate(person)
+ if err == nil {
+ t.Errorf("Expected error for wrong password")
+ }
 }
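Review bot: The new negative case only exercises a non-empty wrong password; an empty password is the input most likely to be accepted by an LDAP bind by mistake (servers that permit unauthenticated binds treat it as anonymous), so repeat the check with `person.Password = ""`. The returned user should also be asserted nil on the error path, e.g. `user, err = auth.Authenticate(person)` followed by `if user != nil { t.Errorf("expected nil user on bind failure") }`, since the Username check earlier in the test shows a non-nil user is otherwise read. TestAuthenticate begins before this hunk.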