Merge pull request #1507 from cloudron-io/develop

Set IsAdmin using LDAP
2025-06-17 11:59:30 +00:00 · 2015-08-19 18:46:28 +08:00 · 2015-08-19 18:46:28 +08:00 · 2b393f5b03
commit 2b393f5b03
parent a5e1ada474 24d7a86a8d
7 changed files with 38 additions and 8 deletions
--- a/modules/auth/auth_form.go
+++ b/modules/auth/auth_form.go
@ -23,6 +23,7 @@ type AuthenticationForm struct {
 	AttributeSurname  string
 	AttributeMail     string
 	Filter            string
+	AdminFilter       string
 	IsActived         bool
 	SMTPAuth          string `form:"smtp_auth"`
 	SMTPHost          string `form:"smtp_host"`
--- a/modules/auth/ldap/ldap.go
+++ b/modules/auth/ldap/ldap.go
@ -26,6 +26,7 @@ type Ldapsource struct {
 	AttributeSurname string // Surname attribute
 	AttributeMail    string // E-mail attribute
 	Filter           string // Query filter to validate entry
+	AdminFilter      string // Query filter to check if user is admin
 	Enabled          bool   // if this source is disabled
 }

@ -77,17 +78,17 @@ func (ls Ldapsource) FindUserDN(name string) (string, bool) {
 }

 // searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
-func (ls Ldapsource) SearchEntry(name, passwd string) (string, string, string, bool) {
+func (ls Ldapsource) SearchEntry(name, passwd string) (string, string, string, bool, bool) {
 	userDN, found := ls.FindUserDN(name)
 	if !found {
-		return "", "", "", false
+		return "", "", "", false, false
 	}

 	l, err := ldapDial(ls)
 	if err != nil {
 		log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
 		ls.Enabled = false
-		return "", "", "", false
+		return "", "", "", false, false
 	}

 	defer l.Close()
@ -96,7 +97,7 @@ func (ls Ldapsource) SearchEntry(name, passwd string) (string, string, string, b
 	err = l.Bind(userDN, passwd)
 	if err != nil {
 		log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)
-		return "", "", "", false
+		return "", "", "", false, false
 	}

 	log.Trace("Bound successfully with userDN: %s", userDN)
@ -109,16 +110,32 @@ func (ls Ldapsource) SearchEntry(name, passwd string) (string, string, string, b
 	sr, err := l.Search(search)
 	if err != nil {
 		log.Error(4, "LDAP Search failed unexpectedly! (%v)", err)
-		return "", "", "", false
+		return "", "", "", false, false
 	} else if len(sr.Entries) < 1 {
 		log.Error(4, "LDAP Search failed unexpectedly! (0 entries)")
-		return "", "", "", false
+		return "", "", "", false, false
 	}

 	name_attr := sr.Entries[0].GetAttributeValue(ls.AttributeName)
 	sn_attr := sr.Entries[0].GetAttributeValue(ls.AttributeSurname)
 	mail_attr := sr.Entries[0].GetAttributeValue(ls.AttributeMail)
-	return name_attr, sn_attr, mail_attr, true
+
+	search = ldap.NewSearchRequest(
+		userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.AdminFilter,
+		[]string{ls.AttributeName},
+		nil)
+
+	sr, err = l.Search(search)
+	admin_attr := false
+	if err != nil {
+		log.Error(4, "LDAP Admin Search failed unexpectedly! (%v)", err)
+	} else if len(sr.Entries) < 1 {
+		log.Error(4, "LDAP Admin Search failed")
+	} else {
+		admin_attr = true
+	}
+
+	return name_attr, sn_attr, mail_attr, admin_attr, true
 }

 func ldapDial(ls Ldapsource) (*ldap.Conn, error) {