
南华-域用户

hsun 1 year ago
parent
commit
4d4e1042c4
7 changed files with 66 additions and 37 deletions
  1. 22 15
      controllers/sys_admin.go
  2. 0 1
      controllers/user_login.go
  3. 1 2
      go.mod
  4. 2 4
      go.sum
  5. 2 0
      models/business_conf.go
  6. 35 15
      services/user_login.go
  7. 4 0
      utils/constants.go

+ 22 - 15
controllers/sys_admin.go

@@ -442,21 +442,28 @@ func (this *SysAdminController) Add() {
 		}
 	}
 
-	pwdByte, err := base64.StdEncoding.DecodeString(req.Password)
-	if err != nil {
-		br.Msg = "解析数据失败"
-		br.ErrMsg = "解析数据失败,Err:" + err.Error()
-		return
-	}
-	pwdStr := string(pwdByte)
-	//pwdStr = strings.ToLower(pwdStr)
-	if pwdStr == "" {
-		br.Msg = "请输入密码"
-		return
+	var pass string
+	if req.IsLdap == 0 {
+		pwdByte, e := base64.StdEncoding.DecodeString(req.Password)
+		if e != nil {
+			br.Msg = "解析数据失败"
+			br.ErrMsg = "解析数据失败,Err:" + e.Error()
+			return
+		}
+		pwdStr := string(pwdByte)
+		if pwdStr == "" {
+			br.Msg = "请输入密码"
+			return
+		}
+		if !utils.CheckPwd(pwdStr) {
+			br.Msg = "密码格式错误,请重新输入"
+			return
+		}
+		pass = utils.MD5(pwdStr)
 	}
-	if !utils.CheckPwd(pwdStr) {
-		br.Msg = "密码格式错误,请重新输入"
-		return
+	// 如果是域用户, 那么给个初始密码即可(实际登录用不到这个密码)
+	if req.IsLdap == 1 {
+		pass = utils.MD5(utils.LdapInitPassword)
 	}
 
 	// 员工工号
@@ -465,7 +472,7 @@ func (this *SysAdminController) Add() {
 	admin := new(system.Admin)
 	admin.AdminName = req.AdminName
 	admin.RealName = req.RealName
-	admin.Password = utils.MD5(pwdStr)
+	admin.Password = pass
 	admin.LastUpdatedPasswordTime = time.Now().Format(utils.FormatDateTime)
 	admin.Enabled = 1
 	admin.LastLoginTime = time.Now().Format(utils.FormatDateTime)
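Review bot: In the first hunk `pass` stays empty when `req.IsLdap` is neither 0 nor 1, so `admin.Password = pass` in the second hunk silently stores an empty password hash for that account; turn the second `if` into an `} else if req.IsLdap == 1 {` and add a final `else` that sets `br.Msg` and returns, so an unexpected flag value is rejected instead of persisted. The LDAP branch also stores `utils.MD5(utils.LdapInitPassword)`, the hash of one constant shared by every domain account (the same constant is introduced in utils/constants.go in this commit); if any login path ever compares against `admin.Password` for an account whose `IsLdap` flag is later cleared, that constant becomes a usable credential for all of them. Deriving the placeholder from a random per-account value (for example bytes from `crypto/rand`) rather than a constant removes that dependency on the flag being honoured; I cannot see from these hunks whether the login path checks the flag. Add() begins and ends outside the hunks.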

+ 0 - 1
controllers/user_login.go

@@ -390,7 +390,6 @@ func (this *UserLoginController) Login() {
 				return
 			}
 			originPass := strings.Replace(string(passDecode), utils.UserLoginSalt, "", 1)
-			fmt.Println("originPass: ", originPass)
 			pass, e := services.LdapUserCheck(req.Username, originPass)
 			if e != nil {
 				br.Ret = models.BaseRespCodeLoginErr

+ 1 - 2
go.mod

@@ -18,11 +18,11 @@ require (
 	github.com/beego/beego/v2 v2.0.7
 	github.com/beevik/etree v1.2.0
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
+	github.com/go-ldap/ldap v3.0.3+incompatible
 	github.com/go-sql-driver/mysql v1.7.0
 	github.com/go-xorm/xorm v0.7.9
 	github.com/gonum/stat v0.0.0-20181125101827-41a0da705a5b
 	github.com/gorilla/websocket v1.5.0
-	github.com/jtblin/go-ldap-client v0.0.0-20170223121919-b73f66626b33
 	github.com/kgiannakakis/mp3duration v0.0.0-20191013070830-d834f8d5ed53
 	github.com/minio/minio-go/v7 v7.0.63
 	github.com/mojocn/base64Captcha v1.3.5
@@ -116,7 +116,6 @@ require (
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
-	gopkg.in/ldap.v2 v2.5.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	xorm.io/builder v0.3.6 // indirect

+ 2 - 4
go.sum

@@ -145,6 +145,8 @@ github.com/garyburd/redigo v1.6.3/go.mod h1:rTb6epsqigu3kYKBnaF028A7Tf/Aw5s0cqA4
 github.com/glendc/gopher-json v0.0.0-20170414221815-dc4743023d0c/go.mod h1:Gja1A+xZ9BoviGJNA2E9vFkPjjsl+CoJxSXiQM1UXtw=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-ldap/ldap v3.0.3+incompatible h1:HTeSZO8hWMS1Rgb2Ziku6b8a7qRIZZMHjsvuZyatzwk=
+github.com/go-ldap/ldap v3.0.3+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-redis/redis v6.14.2+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA=
@@ -250,8 +252,6 @@ github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
-github.com/jtblin/go-ldap-client v0.0.0-20170223121919-b73f66626b33 h1:XDpFOMOZq0u0Ar4F0p/wklqQXp/AMV1pTF5T5bDoUfQ=
-github.com/jtblin/go-ldap-client v0.0.0-20170223121919-b73f66626b33/go.mod h1:+0BcLY5d54TVv6irFzHoiFvwAHR6T0g9B+by/UaS9T0=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/kgiannakakis/mp3duration v0.0.0-20191013070830-d834f8d5ed53 h1:+8X3HMX8A2QhvNg3dImiQTCiVUt6BQXz1mW+/DrWI+k=
@@ -628,8 +628,6 @@ gopkg.in/ini.v1 v1.56.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.66.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/ldap.v2 v2.5.1 h1:wiu0okdNfjlBzg6UWvd1Hn8Y+Ux17/u/4nlk4CQr6tU=
-gopkg.in/ldap.v2 v2.5.1/go.mod h1:oI0cpe/D7HRtBQl8aTg+ZmzFUAvu4lsv3eLXMLGFxWk=
 gopkg.in/mgo.v2 v2.0.0-20190816093944-a6b53ec6cb22/go.mod h1:yeKp02qBN3iKW1OzL3MGk2IdtZzaj7SFntXj72NppTA=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=

+ 2 - 0
models/business_conf.go

@@ -40,6 +40,8 @@ const (
 	BusinessConfLoginSmsTplContent        = "LoginSmsTplContent"
 	BusinessConfLoginEmailTemplateSubject = "LoginEmailTemplateSubject"
 	BusinessConfLoginEmailTemplateContent = "LoginEmailTemplateContent"
+	BusinessConfLdapBindUserSuffix        = "LdapBindUserSuffix"
+	BusinessConfLdapUserFilter            = "LdapUserFilter"
 )
 
 const (

+ 35 - 15
services/user_login.go

@@ -7,7 +7,7 @@ import (
 	"eta/eta_api/models/system"
 	"eta/eta_api/utils"
 	"fmt"
-	"github.com/jtblin/go-ldap-client"
+	"github.com/go-ldap/ldap"
 	"strconv"
 	"strings"
 	"time"
@@ -198,24 +198,44 @@ func LdapUserCheck(userName, password string) (pass bool, err error) {
 		return
 	}
 
-	client := &ldap.LDAPClient{
-		Base: confMap[models.BusinessConfLdapBase],
-		Host: confMap[models.BusinessConfLdapHost],
-		Port: ldapPort,
-		//UseSSL:       false,
-		//BindDN:       "uid=readonlysuer,ou=People,dc=example,dc=com",
-		//BindPassword: "readonlypassword",
-		UserFilter: "(uid=%s)",
-		//GroupFilter:  "(memberUid=%s)",
-		//Attributes:   []string{"givenName", "sn", "mail", "uid"},
+	// 连接ldap
+	addr := fmt.Sprintf("%s:%d", confMap[models.BusinessConfLdapHost], ldapPort)
+	conn, e := ldap.Dial("tcp", addr)
+	if e != nil {
+		err = fmt.Errorf("ldap Dial err: %s", e.Error())
+		return
+	}
+	defer conn.Close()
+
+	// 绑定用户
+	bindUserName := fmt.Sprintf("%s%s", userName, confMap[models.BusinessConfLdapBindUserSuffix])
+	if e = conn.Bind(bindUserName, password); e != nil {
+		err = fmt.Errorf("ldap Bind err: %s", e.Error())
+		return
 	}
-	defer client.Close()
 
-	ok, _, e := client.Authenticate(userName, password)
+	// 鉴权操作
+	searchRequest := ldap.NewSearchRequest(
+		confMap[models.BusinessConfLdapBase],
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+		fmt.Sprintf(confMap[models.BusinessConfLdapUserFilter], userName),
+		[]string{"dn"},
+		nil,
+	)
+	//b, _ := json.Marshal(searchRequest)
+	//fmt.Println("searchRequest: ", string(b))
+
+	sr, e := conn.Search(searchRequest)
 	if e != nil {
-		err = fmt.Errorf("AD域校验账号密码失败, Err: %s", e.Error())
+		err = fmt.Errorf("ldap Search err: %s", e.Error())
+		return
+	}
+
+	// 验证结果
+	if len(sr.Entries) != 1 {
+		utils.FileLog.Info("ldap check fail: user does not exist or too many entries returned")
 		return
 	}
-	pass = ok
+	pass = true
 	return
 }
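Review bot: `fmt.Sprintf(confMap[models.BusinessConfLdapUserFilter], userName)` interpolates the login name straight into the LDAP search filter, so a name containing `*`, `(`, `)` or `\` alters the query instead of being matched literally; use `fmt.Sprintf(confMap[models.BusinessConfLdapUserFilter], ldap.EscapeFilter(userName))` so the name is always treated as a literal value. The connection is opened with `ldap.Dial("tcp", addr)`, which means `conn.Bind(bindUserName, password)` sends the user's password in cleartext on the wire; opening it with `ldap.DialTLS` (or calling `conn.StartTLS` with a `*tls.Config` before the bind) keeps the credential encrypted in transit. If `password` can reach this point empty and the library does not reject it, the simple bind degrades to an unauthenticated bind that some directories accept, so a `password == ""` guard before `conn.Bind` is cheap insurance; I cannot see from the hunk whether the earlier part of LdapUserCheck already checks this. The function body starts outside the hunk.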

+ 4 - 0
utils/constants.go

@@ -408,3 +408,7 @@ var DataSourceEnMap = map[int]string{
 const (
 	TelAreaCodeHome = "86" // 大陆区号
 )
+
+const (
+	LdapInitPassword = "123456a" // 域用户初始密码
+)