mirror of
https://github.com/ergochat/ergo.git
synced 2024-12-22 10:42:52 +01:00
Add LDAP support
This commit is contained in:
parent
634470ba30
commit
d4afb027e5
@ -4,6 +4,7 @@
|
||||
package irc
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"net/smtp"
|
||||
@ -14,6 +15,7 @@ import (
|
||||
"time"
|
||||
"unicode"
|
||||
|
||||
"github.com/go-ldap/ldap"
|
||||
"github.com/oragono/oragono/irc/caps"
|
||||
"github.com/oragono/oragono/irc/passwd"
|
||||
"github.com/oragono/oragono/irc/utils"
|
||||
@ -828,8 +830,80 @@ func (am *AccountManager) checkPassphrase(accountName, passphrase string) (accou
|
||||
return
|
||||
}
|
||||
|
||||
func (am *AccountManager) checkLDAPPassphrase(accountName, passphrase string) (account ClientAccount, err error) {
|
||||
var (
|
||||
host, url string
|
||||
port int
|
||||
)
|
||||
|
||||
host = am.server.AccountConfig().LDAP.Servers.Host
|
||||
port = am.server.AccountConfig().LDAP.Servers.Port
|
||||
|
||||
account, err = am.LoadAccount(accountName)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
if !account.Verified {
|
||||
err = errAccountUnverified
|
||||
return
|
||||
}
|
||||
|
||||
if am.server.AccountConfig().LDAP.Servers.UseSSL {
|
||||
url = fmt.Sprintf("ldaps://%s:%d", host, port)
|
||||
} else {
|
||||
url = fmt.Sprintf("ldap://%s:%d", host, port)
|
||||
}
|
||||
|
||||
l, err := ldap.DialURL(url)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
defer l.Close()
|
||||
|
||||
if am.server.AccountConfig().LDAP.Servers.StartTLS {
|
||||
err = l.StartTLS(&tls.Config{InsecureSkipVerify: am.server.AccountConfig().LDAP.Servers.SkipTLSVerify})
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
err = l.Bind(am.server.AccountConfig().LDAP.BindDN, am.server.AccountConfig().LDAP.BindPwd)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
for _, baseDN := range am.server.AccountConfig().LDAP.SearchBaseDNs {
|
||||
req := ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, am.server.AccountConfig().LDAP.Timeout, false, fmt.Sprintf("(&(objectClass=organizationalPerson)(uid=%s))", accountName), []string{"dn"}, nil)
|
||||
sr, err := l.Search(req)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
userdn := sr.Entries[0].DN
|
||||
|
||||
if len(sr.Entries) > 0 {
|
||||
// verify the user passphrase
|
||||
err = l.Bind(userdn, passphrase)
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (am *AccountManager) AuthenticateByPassphrase(client *Client, accountName string, passphrase string) error {
|
||||
account, err := am.checkPassphrase(accountName, passphrase)
|
||||
var account ClientAccount
|
||||
var err error
|
||||
|
||||
if am.server.AccountConfig().LDAP.Enabled {
|
||||
account, err = am.checkLDAPPassphrase(accountName, passphrase)
|
||||
}
|
||||
|
||||
account, err = am.checkPassphrase(accountName, passphrase)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -68,6 +68,7 @@ type AccountConfig struct {
|
||||
Exempted []string
|
||||
exemptedNets []net.IPNet
|
||||
} `yaml:"require-sasl"`
|
||||
LDAP LDAPConfig
|
||||
LoginThrottling struct {
|
||||
Enabled bool
|
||||
Duration time.Duration
|
||||
@ -82,6 +83,28 @@ type AccountConfig struct {
|
||||
VHosts VHostConfig
|
||||
}
|
||||
|
||||
type LDAPConfig struct {
|
||||
Timeout int
|
||||
Enabled bool
|
||||
AllowSignup bool `yaml:"allow-signup"`
|
||||
BindDN string `yaml:"bind-dn"`
|
||||
BindPwd string `yaml:"bind-password"`
|
||||
SearchFilter string `yaml:"search-filter"`
|
||||
SearchBaseDNs []string `yaml:"search-base-dns"`
|
||||
Attributes map[string]string
|
||||
Servers LDAPServerConfig
|
||||
}
|
||||
|
||||
type LDAPServerConfig struct {
|
||||
Host string
|
||||
Port int
|
||||
UseSSL bool `yaml:"use-ssl"`
|
||||
StartTLS bool `yaml:"start-tls"`
|
||||
SkipTLSVerify bool `yaml:"skip-tls-verify"`
|
||||
ClientCert string `yaml:"client-cert"`
|
||||
ClientKey string `yaml:"client-key"`
|
||||
}
|
||||
|
||||
// AccountRegistrationConfig controls account registration.
|
||||
type AccountRegistrationConfig struct {
|
||||
Enabled bool
|
||||
|
Loading…
Reference in New Issue
Block a user