package dbdata import ( "crypto/tls" "encoding/json" "errors" "fmt" "net" "reflect" "regexp" "strconv" "time" "github.com/go-ldap/ldap" ) type AuthLdap struct { Addr string `json:"addr"` Tls bool `json:"tls"` BindName string `json:"bind_name"` BindPwd string `json:"bind_pwd"` BaseDn string `json:"base_dn"` ObjectClass string `json:"object_class"` SearchAttr string `json:"search_attr"` MemberOf string `json:"member_of"` } func init() { authRegistry["ldap"] = reflect.TypeOf(AuthLdap{}) } func (auth AuthLdap) checkData(authData map[string]interface{}) error { authType := authData["type"].(string) bodyBytes, err := json.Marshal(authData[authType]) if err != nil { return errors.New("LDAP配置填写有误") } json.Unmarshal(bodyBytes, &auth) // 支持域名和IP, 必须填写端口 if !ValidateIpPort(auth.Addr) && !ValidateDomainPort(auth.Addr) { return errors.New("LDAP的服务器地址(含端口)填写有误") } if auth.BindName == "" { return errors.New("LDAP的管理员 DN不能为空") } if auth.BindPwd == "" { return errors.New("LDAP的管理员密码不能为空") } if auth.BaseDn == "" || !ValidateDN(auth.BaseDn) { return errors.New("LDAP的Base DN填写有误") } if auth.ObjectClass == "" { return errors.New("LDAP的用户对象类填写有误") } if auth.SearchAttr == "" { return errors.New("LDAP的用户唯一ID不能为空") } if auth.MemberOf != "" && !ValidateDN(auth.MemberOf) { return errors.New("LDAP的受限用户组填写有误") } return nil } func (auth AuthLdap) checkUser(name, pwd string, g *Group) error { pl := len(pwd) if name == "" || pl < 1 { return fmt.Errorf("%s %s", name, "密码错误") } authType := g.Auth["type"].(string) if _, ok := g.Auth[authType]; !ok { return fmt.Errorf("%s %s", name, "LDAP的ldap值不存在") } bodyBytes, err := json.Marshal(g.Auth[authType]) if err != nil { return fmt.Errorf("%s %s", name, "LDAP Marshal出现错误") } err = json.Unmarshal(bodyBytes, &auth) if err != nil { return fmt.Errorf("%s %s", name, "LDAP Unmarshal出现错误") } // 检测服务器和端口的可用性 con, err := net.DialTimeout("tcp", auth.Addr, 3*time.Second) if err != nil { return fmt.Errorf("%s %s", name, "LDAP服务器连接异常, 请检测服务器和端口") } defer con.Close() // 连接LDAP l, err := ldap.Dial("tcp", auth.Addr) if err != nil { return fmt.Errorf("LDAP连接失败 %s %s", auth.Addr, err.Error()) } defer l.Close() if auth.Tls { err = l.StartTLS(&tls.Config{InsecureSkipVerify: true}) if err != nil { return fmt.Errorf("%s LDAP TLS连接失败 %s", name, err.Error()) } } err = l.Bind(auth.BindName, auth.BindPwd) if err != nil { return fmt.Errorf("%s LDAP 管理员 DN或密码填写有误 %s", name, err.Error()) } if auth.ObjectClass == "" { auth.ObjectClass = "person" } filterAttr := "(objectClass=" + auth.ObjectClass + ")" filterAttr += "(" + auth.SearchAttr + "=" + name + ")" if auth.MemberOf != "" { filterAttr += "(memberOf:=" + auth.MemberOf + ")" } searchRequest := ldap.NewSearchRequest( auth.BaseDn, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 3, false, fmt.Sprintf("(&%s)", filterAttr), []string{}, nil, ) sr, err := l.Search(searchRequest) if err != nil { return fmt.Errorf("%s LDAP 查询失败 %s %s %s", name, auth.BaseDn, filterAttr, err.Error()) } if len(sr.Entries) != 1 { if len(sr.Entries) == 0 { return fmt.Errorf("LDAP 找不到 %s 用户, 请检查用户或LDAP配置参数", name) } return fmt.Errorf("LDAP发现 %s 用户,存在多个账号", name) } err = parseEntries(sr) if err != nil { return fmt.Errorf("LDAP %s 用户 %s", name, err.Error()) } userDN := sr.Entries[0].DN err = l.Bind(userDN, pwd) if err != nil { return fmt.Errorf("%s LDAP 登入失败,请检查登入的账号或密码 %s", name, err.Error()) } return nil } func parseEntries(sr *ldap.SearchResult) error { for _, attr := range sr.Entries[0].Attributes { switch attr.Name { case "shadowExpire": // -1 启用, 1 停用, >1 从1970-01-01至到期日的天数 val, _ := strconv.ParseInt(attr.Values[0], 10, 64) if val == -1 { return nil } if val == 1 { return fmt.Errorf("账号已停用") } if val > 1 { expireTime := time.Unix(val*86400, 0) t := time.Date(expireTime.Year(), expireTime.Month(), expireTime.Day(), 23, 59, 59, 0, time.Local) if t.Before(time.Now()) { return fmt.Errorf("账号已过期(过期日期: %s)", t.Format("2006-01-02")) } return nil } return fmt.Errorf("账号shadowExpire值异常: %d", val) } } return nil } func ValidateDomainPort(addr string) bool { re := regexp.MustCompile(`^([a-zA-Z0-9][-a-zA-Z0-9]{0,62}\.)+[A-Za-z]{2,18}\:([0-9]|[1-9]\d{1,3}|[1-5]\d{4}|6[0-5]{2}[0-3][0-5])$`) return re.MatchString(addr) } func ValidateDN(dn string) bool { re := regexp.MustCompile(`^(?:(?:CN|cn|OU|ou|DC|dc)\=[^,'"]+,)*(?:CN|cn|OU|ou|DC|dc)\=[^,'"]+$`) return re.MatchString(dn) }