When the ldap synchronizer looks for an email address and fails to find one, it falls back to creating one using the "localhost.local" domain. This new field makes this domain name configurable. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3414 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: Baptiste Daroussin <bapt@FreeBSD.org> Co-committed-by: Baptiste Daroussin <bapt@FreeBSD.org>
| // Copyright 2021 The Gitea Authors. All rights reserved.
 | |
| // SPDX-License-Identifier: MIT
 | |
| 
 | |
| package ldap
 | |
| 
 | |
| import (
 | |
| 	"strings"
 | |
| 
 | |
| 	"code.gitea.io/gitea/models/auth"
 | |
| 	"code.gitea.io/gitea/modules/json"
 | |
| 	"code.gitea.io/gitea/modules/secret"
 | |
| 	"code.gitea.io/gitea/modules/setting"
 | |
| )
 | |
| 
 | |
| // .____     ________      _____ __________
 | |
| // |    |    \______ \    /  _  \\______   \
 | |
| // |    |     |    |  \  /  /_\  \|     ___/
 | |
| // |    |___  |    `   \/    |    \    |
 | |
| // |_______ \/_______  /\____|__  /____|
 | |
| //         \/        \/         \/
 | |
| 
 | |
// Package ldap provides functions and structures to query an LDAP directory.
 | |
// For now, it is mainly tested against an MS Active Directory service; see README.md for more information.
 | |
| 
 | |
// Source is the configuration of one LDAP authentication source. It is the
// config type registered for both auth.LDAP and auth.DLDAP (see init) and is
// persisted as JSON through ToDB/FromDB, which encrypt the bind password on
// the way out and decrypt it on the way in. Fields are serialized under their
// Go names; only SkipLocalTwoFA carries a json tag.
type Source struct {
	Name                  string // canonical name (ie. corporate.ad)
	Host                  string // LDAP host
	Port                  int    // port number
	SecurityProtocol      SecurityProtocol // transport security mode; its display name is looked up in SecurityProtocolNames
	SkipVerify            bool             // NOTE(review): presumably skips server certificate verification when TLS is used; the dialer is outside this file — confirm
	BindDN                string // DN to bind with
	BindPasswordEncrypt   string // Encrypted Bind DN password; the form that is serialized (see ToDB), cleared by FromDB once decrypted
	BindPassword          string // Bind DN password in plaintext; in-memory only, blanked by ToDB before serialization
	UserBase              string // Base search path for users
	UserDN                string // Template for the DN of the user for simple auth
	DefaultDomainName     string // Domain used to build a fallback e-mail address when the directory entry provides none; default "localhost.local"
	AttributeUsername     string // Username attribute
	AttributeName         string // First name attribute
	AttributeSurname      string // Surname attribute
	AttributeMail         string // E-mail attribute
	AttributesInBind      bool   // fetch attributes in bind context (not user)
	AttributeSSHPublicKey string // LDAP SSH Public Key attribute; a non-blank value makes ProvidesSSHKeys true
	AttributeAvatar       string // Avatar attribute (inferred from the name; not used in this file)
	SearchPageSize        uint32 // Search with paging page size
	Filter                string // Query filter to validate entry
	AdminFilter           string // Query filter to check if user is admin
	RestrictedFilter      string // Query filter to check if user is restricted
	Enabled               bool   // whether this source is enabled — NOTE(review): the former comment said "disabled", which contradicts the name; confirm the sense at the call sites
	AllowDeactivateAll    bool   // Allow an empty search response to deactivate all users from this source
	GroupsEnabled         bool   // if the group checking is enabled
	GroupDN               string // Group Search Base
	GroupFilter           string // Group Name Filter
	GroupMemberUID        string // Group Attribute containing array of UserUID
	GroupTeamMap          string // Map LDAP groups to teams
	GroupTeamMapRemoval   bool   // Remove user from teams which are synchronized and user is not a member of the corresponding LDAP group
	UserUID               string // User Attribute listed in Group
	SkipLocalTwoFA        bool   `json:",omitempty"` // Skip Local 2fa for users authenticated with this source

	// reference to the authSource; unexported, so it is never serialized,
	// and only written through SetAuthSource
	authSource *auth.Source
}
 | |
| 
 | |
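// FromDB fills up a LDAPConfig from serialized format.
//
// The JSON blob is decoded into the receiver (tolerating a double-encoded
// payload). When an encrypted bind password is present it is decrypted with
// the instance secret key into BindPassword, and the encrypted form is cleared
// so that only the plaintext copy lives in memory.
//
// Returns the decoding error or the decryption error, if any. The encrypted
// field is cleared even when decryption fails, so a failed decrypt leaves the
// source with no usable bind password (the error is the signal).
func (source *Source) FromDB(bs []byte) error {
	// Decode straight into the receiver. Passing &source (a **Source) also
	// decodes, but lets a JSON "null" payload replace the local pointer with
	// nil before it is dereferenced below.
	if err := json.UnmarshalHandleDoubleEncode(bs, source); err != nil {
		return err
	}
	if source.BindPasswordEncrypt == "" {
		return nil
	}
	password, err := secret.DecryptSecret(setting.SecretKey, source.BindPasswordEncrypt)
	source.BindPassword = password
	source.BindPasswordEncrypt = ""
	return err
}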
 | |
| 
 | |
// ToDB exports a LDAPConfig to a serialized format.
//
// The plaintext BindPassword is encrypted with the instance secret key into
// BindPasswordEncrypt and then blanked on the receiver, so the JSON produced
// (and the in-memory struct afterwards) carries only the encrypted form. A
// caller that still needs the plaintext after this call has to obtain it
// again, e.g. via FromDB.
//
// Returns the JSON bytes, or the encryption / marshalling error.
func (source *Source) ToDB() ([]byte, error) {
	encrypted, err := secret.EncryptSecret(setting.SecretKey, source.BindPassword)
	// The encrypted field is written before the error is inspected, so on
	// failure it holds whatever EncryptSecret returned.
	source.BindPasswordEncrypt = encrypted
	if err != nil {
		return nil, err
	}
	source.BindPassword = ""
	return json.Marshal(source)
}
 | |
| 
 | |
// SecurityProtocolName returns the human-readable name of the configured
// security protocol, looked up in SecurityProtocolNames. A protocol value
// with no entry in that map yields the empty string.
func (source *Source) SecurityProtocolName() string {
	proto := source.SecurityProtocol
	return SecurityProtocolNames[proto]
}
 | |
| 
 | |
// IsSkipVerify returns if SkipVerify is set.
//
// NOTE(review): this is the accessor presumably consulted to decide whether
// the server certificate is verified when TLS is in use; a true value
// weakens transport security. The TLS dialer itself is outside this file.
func (source *Source) IsSkipVerify() bool {
	return source.SkipVerify
}
 | |
| 
 | |
// HasTLS reports whether the configured security protocol is strictly above
// SecurityProtocolUnencrypted. It differs from UseTLS only for values below
// SecurityProtocolUnencrypted, which UseTLS would still count as TLS.
func (source *Source) HasTLS() bool {
	if source.SecurityProtocol <= SecurityProtocolUnencrypted {
		return false
	}
	return true
}
 | |
| 
 | |
// UseTLS reports whether the configured security protocol is anything other
// than SecurityProtocolUnencrypted. Unlike HasTLS, a value below
// SecurityProtocolUnencrypted also counts as TLS here.
func (source *Source) UseTLS() bool {
	if source.SecurityProtocol == SecurityProtocolUnencrypted {
		return false
	}
	return true
}
 | |
| 
 | |
// ProvidesSSHKeys reports whether this source is configured with an SSH public
// key attribute, i.e. AttributeSSHPublicKey is not blank once surrounding
// whitespace is trimmed.
func (source *Source) ProvidesSSHKeys() bool {
	attr := strings.TrimSpace(source.AttributeSSHPublicKey)
	return attr != ""
}
 | |
| 
 | |
// SetAuthSource sets the related AuthSource.
// It is the only writer of the unexported authSource field, which is kept
// out of the serialized form produced by ToDB.
func (source *Source) SetAuthSource(authSource *auth.Source) {
	source.authSource = authSource
}
 | |
| 
 | |
// init registers Source as the configuration type for both the auth.LDAP and
// auth.DLDAP source kinds, each with its own empty prototype value.
func init() {
	for _, kind := range []auth.Type{auth.LDAP, auth.DLDAP} {
		auth.RegisterTypeConfig(kind, &Source{})
	}
}