Merge pull request #1042 from Tencent/dev/Support-LDAP

TCA Support LDAP

scripts/config.sh

@@ -140,3 +140,21 @@ export API_TICKET_TOKEN='tca@public@2021'
 ## ScmProxy
 export SCMPROXY_HOST="127.0.0.1"
 export SCMPROXY_PORT=8009
+
+## LDAP相关配置
+## Notice：如果要开启LDAP 认证，请根据实际情况配置以下参数
+## LDAP_ENABLE  默认关闭，开启请设置为true
+## LDAP_BIND_DN  LDAP管理员账号，如果允许匿名访问则不需要设置
+## LDAP_BIND_PASSWORD  LDAP管理员密码 如果允许匿名访问则不需要设置
+## LDAP_SERVER  ldap服务器地址
+## LDAP_PORT  ldap默认端口号 389 如果需要更改请重新设置
+## LDAP_BASE_DN  ldap 基础 DN
+## LDAP_USER_SEARCH_FILTER  用户搜索过滤器
+
+export LDAP_ENABLE=${LDAP_ENABLE:-false}
+export LDAP_BIND_DN=""
+export LDAP_BIND_PASSWORD=""
+export LDAP_SERVER=""
+export LDAP_PORT=389
+export LDAP_BASE_DN=""
+export LDAP_USER_SEARCH_FILTER=""

server/dockerconfs/.env.local

@@ -154,3 +154,21 @@ API_TICKET_TOKEN=tca@public@2021
 ## ScmProxy
 SCMPROXY_HOST=0.0.0.0
 SCMPROXY_PORT=8009
+
+## LDAP相关配置
+## Notice：如果要开启LDAP 认证，请根据实际情况配置以下参数
+## LDAP_ENABLE  默认关闭，开启请设置为true
+## LDAP_BIND_DN  LDAP管理员账号，如果允许匿名访问则不需要设置
+## LDAP_BIND_PASSWORD  LDAP管理员密码 如果允许匿名访问则不需要设置
+## LDAP_SERVER  ldap服务器地址
+## LDAP_PORT  ldap默认端口号 389 如果需要更改请重新设置
+## LDAP_BASE_DN  ldap 基础 DN
+## LDAP_USER_SEARCH_FILTER  用户搜索过滤器
+
+export LDAP_ENABLE=${LDAP_ENABLE:-false}
+export LDAP_BIND_DN=""
+export LDAP_BIND_PASSWORD=""
+export LDAP_SERVER=""
+export LDAP_PORT=389
+export LDAP_BASE_DN=""
+export LDAP_USER_SEARCH_FILTER=""

server/dockerconfs/Dockerfile-common-mirror

@@ -5,7 +5,7 @@ RUN mv /etc/apt/sources.list /etc/apt/sources.list.bak && \
     echo 'deb http://mirrors.tencent.com/debian/ bullseye-updates main non-free contrib' >> /etc/apt/sources.list && \
     echo 'deb http://mirrors.tencent.com/debian-security bullseye-security main non-free contrib' >> /etc/apt/sources.list
 
-ARG EXTRA_TOOLS="gnupg curl wget jq vim-tiny net-tools procps python3-dev default-libmysqlclient-dev locales inotify-tools gcc subversion git telnet iputils-ping vim openssh-client"
+ARG EXTRA_TOOLS="gnupg curl wget jq vim-tiny net-tools procps python3-dev default-libmysqlclient-dev locales inotify-tools gcc subversion git telnet iputils-ping vim openssh-client libsasl2-dev libldap2-dev libssl-dev"
 
 RUN set -ex && cd / \
     && apt-get update \

server/projects/login/apps/settings/open_base.py

@@ -20,6 +20,9 @@
 import os
 from os.path import join
 
+import ldap
+from django_auth_ldap.config import LDAPSearch
+
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
 
 # SECURITY WARNING: keep the secret key used in production secret!
@@ -41,6 +44,35 @@
     'login',
 ]
 
+if os.environ.get("LDAP_ENABLE", False):
+    # 代码不能覆盖全部 ldap 使用方式, 如果出现错误又不知道怎么配置, 看下面文档
+    # https://django-auth-ldap.readthedocs.io/en/latest/example.html
+
+    AUTHENTICATION_BACKENDS = [
+        'django_auth_ldap.backend.LDAPBackend',
+    ]
+    LDAP_SERVER = os.environ.get("LDAP_SERVER")
+    LDAP_PORT = os.environ.get("LDAP_PORT")
+    LDAP_BASE_DN = os.environ.get("LDAP_BASE_DN")
+    LDAP_USER_SEARCH_FILTER = os.environ.get("LDAP_USER_SEARCH_FILTER"),
+
+    AUTH_LDAP_BIND_DN = os.environ.get("LDAP_BIND_DN")
+    AUTH_LDAP_BIND_PASSWORD = os.environ.get("LDAP_BIND_PASSWORD")
+    AUTH_LDAP_SERVER_URI = "ldap://%s:%s" % (LDAP_SERVER, LDAP_PORT)
+
+    AUTH_LDAP_USER_SEARCH = LDAPSearch(
+        "%s" % LDAP_BASE_DN,
+        ldap.SCOPE_SUBTREE,
+        "%s" % LDAP_USER_SEARCH_FILTER
+    )
+
+    # 这里的配置是将ldap中的字段映射到django的字段, 请按照实际情况修改
+    AUTH_LDAP_USER_ATTR_MAP = {'nickname': 'givenName', 'uid': 'cn', 'mail': 'mail', 'mobile': 'mobile'}
+
+    # 下面两个配置一般不需要更改，如果要改请了解清楚
+    AUTH_LDAP_ALWAYS_UPDATE_USER = True
+    AUTH_LDAP_CACHE_TIMEOUT = 600
+
 MIDDLEWARE = [
     'django.middleware.security.SecurityMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',

server/projects/login/login/apis/v3.py

@@ -18,6 +18,7 @@
 from django.forms.models import model_to_dict
 from django.http import HttpResponse
 from django.shortcuts import redirect, get_object_or_404
+from django.contrib.auth import authenticate
 from rest_framework import filters, generics
 from rest_framework import status
 from rest_framework.exceptions import NotAuthenticated, ParseError
@@ -31,6 +32,7 @@
 from login import serializers
 from login.lib import cdcrypto as crypto
 from login.models import UserInfo, UserAuth
+from login.core import UserManager
 
 logger = logging.getLogger(__name__)
 
@@ -206,10 +208,20 @@ def post(self, request, *args, **kwargs):
             credential = data.get("password", "")
             params = {}
             logger.debug("Current Login User: %s" % identifier)
-            auth = UserAuth.objects.filter(identifier=identifier,
-                                           identity_type="oapassword",
-                                           credential=crypto.encrypt(credential, settings.PASSWORD_KEY)).first()
+
+            auth = authenticate(username=identifier, password=credential)
+
+            # 判断账号是否存在，如果不存在就创建
+            if not (auth and UserManager.get_or_create_account(identifier)):
+                auth = False
+
+            if not auth:
+                auth = UserAuth.objects.filter(identifier=identifier,
+                                        identity_type="oapassword",
+                                        credential=crypto.encrypt(credential, settings.PASSWORD_KEY)).first()
+
             if auth:
+                auth = UserAuth.objects.filter(user=identifier).first()
                 serializer = self.get_serializer(data={"uid": auth.uid})
                 serializer.is_valid(raise_exception=True)
                 params["access_token"] = serializer.validated_data["access"]

server/projects/login/requirements.txt

@@ -22,3 +22,7 @@ cryptography===42.0.4
 
 # for exception log
 sentry-sdk==1.14.0
+
+# ldap
+django-auth-ldap==4.1.0
+python-ldap==3.4.3