Merge pull request #1507 from cloudron-io/develop

Set IsAdmin using LDAP

conf/locale/locale_en-US.ini

@@ -761,6 +761,7 @@ auths.attribute_name = First name attribute
 auths.attribute_surname = Surname attribute
 auths.attribute_mail = E-mail attribute
 auths.filter = User Filter
+auths.admin_filter = Admin Filter
 auths.ms_ad_sa = Ms Ad SA
 auths.smtp_auth = SMTP Authorization Type
 auths.smtphost = SMTP Host

models/login.go

@@ -257,7 +257,7 @@ func UserSignIn(uname, passwd string) (*User, error) {
 // Return the same LoginUserPlain semantic
 // FIXME: https://github.com/gogits/gogs/issues/672
 func LoginUserLdapSource(u *User, name, passwd string, sourceId int64, cfg *LDAPConfig, autoRegister bool) (*User, error) {
-	fn, sn, mail, logged := cfg.Ldapsource.SearchEntry(name, passwd)
+	fn, sn, mail, admin, logged := cfg.Ldapsource.SearchEntry(name, passwd)
 	if !logged {
 		// User not in LDAP, do nothing
 		return nil, ErrUserNotExist{0, name}
@@ -281,6 +281,7 @@ func LoginUserLdapSource(u *User, name, passwd string, sourceId int64, cfg *LDAP
 		LoginName:   name,
 		Passwd:      passwd,
 		Email:       mail,
+		IsAdmin:     admin,
 		IsActive:    true,
 	}
 	return u, CreateUser(u)

modules/auth/auth_form.go

@@ -23,6 +23,7 @@ type AuthenticationForm struct {
 	AttributeSurname  string
 	AttributeMail     string
 	Filter            string
+	AdminFilter       string
 	IsActived         bool
 	SMTPAuth          string `form:"smtp_auth"`
 	SMTPHost          string `form:"smtp_host"`

modules/auth/ldap/ldap.go

@@ -26,6 +26,7 @@ type Ldapsource struct {
 	AttributeSurname string // Surname attribute
 	AttributeMail    string // E-mail attribute
 	Filter           string // Query filter to validate entry
+	AdminFilter      string // Query filter to check if user is admin
 	Enabled          bool   // if this source is disabled
 }
 
@@ -77,17 +78,17 @@ func (ls Ldapsource) FindUserDN(name string) (string, bool) {
 }
 
 // searchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
-func (ls Ldapsource) SearchEntry(name, passwd string) (string, string, string, bool) {
+func (ls Ldapsource) SearchEntry(name, passwd string) (string, string, string, bool, bool) {
 	userDN, found := ls.FindUserDN(name)
 	if !found {
-		return "", "", "", false
+		return "", "", "", false, false
 	}
 
 	l, err := ldapDial(ls)
 	if err != nil {
 		log.Error(4, "LDAP Connect error, %s:%v", ls.Host, err)
 		ls.Enabled = false
-		return "", "", "", false
+		return "", "", "", false, false
 	}
 
 	defer l.Close()
@@ -96,7 +97,7 @@ func (ls Ldapsource) SearchEntry(name, passwd string) (string, string, string, b
 	err = l.Bind(userDN, passwd)
 	if err != nil {
 		log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)
-		return "", "", "", false
+		return "", "", "", false, false
 	}
 
 	log.Trace("Bound successfully with userDN: %s", userDN)
@@ -109,16 +110,32 @@ func (ls Ldapsource) SearchEntry(name, passwd string) (string, string, string, b
 	sr, err := l.Search(search)
 	if err != nil {
 		log.Error(4, "LDAP Search failed unexpectedly! (%v)", err)
-		return "", "", "", false
+		return "", "", "", false, false
 	} else if len(sr.Entries) < 1 {
 		log.Error(4, "LDAP Search failed unexpectedly! (0 entries)")
-		return "", "", "", false
+		return "", "", "", false, false
 	}
 
 	name_attr := sr.Entries[0].GetAttributeValue(ls.AttributeName)
 	sn_attr := sr.Entries[0].GetAttributeValue(ls.AttributeSurname)
 	mail_attr := sr.Entries[0].GetAttributeValue(ls.AttributeMail)
-	return name_attr, sn_attr, mail_attr, true
+
+	search = ldap.NewSearchRequest(
+		userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.AdminFilter,
+		[]string{ls.AttributeName},
+		nil)
+
+	sr, err = l.Search(search)
+	admin_attr := false
+	if err != nil {
+		log.Error(4, "LDAP Admin Search failed unexpectedly! (%v)", err)
+	} else if len(sr.Entries) < 1 {
+		log.Error(4, "LDAP Admin Search failed")
+	} else {
+		admin_attr = true
+	}
+
+	return name_attr, sn_attr, mail_attr, admin_attr, true
 }
 
 func ldapDial(ls Ldapsource) (*ldap.Conn, error) {

routers/admin/auths.go

@@ -71,6 +71,7 @@ func NewAuthSourcePost(ctx *middleware.Context, form auth.AuthenticationForm) {
 				BindPassword:      form.BindPassword,
 				UserBase:          form.UserBase,
 				Filter:            form.Filter,
+				AdminFilter:       form.AdminFilter,
 				AttributeName:     form.AttributeName,
 				AttributeSurname:  form.AttributeSurname,
 				AttributeMail:     form.AttributeMail,
@@ -160,6 +161,7 @@ func EditAuthSourcePost(ctx *middleware.Context, form auth.AuthenticationForm) {
 				AttributeSurname:  form.AttributeSurname,
 				AttributeMail:     form.AttributeMail,
 				Filter:            form.Filter,
+				AdminFilter:       form.AdminFilter,
 				Enabled:           true,
 			},
 		}

templates/admin/auth/edit.tmpl

@@ -59,6 +59,10 @@
                                     <label class="req" for="filter">{{.i18n.Tr "admin.auths.filter"}}</label>
                                     <input class="ipt ipt-large ipt-radius {{if .Err_Filter}}ipt-error{{end}}" id="filter" name="filter" value="{{.Source.LDAP.Filter}}" />
                                 </div>
+                                <div class="field">
+                                    <label class="req" for="filter">{{.i18n.Tr "admin.auths.admin_filter"}}</label>
+                                    <input class="ipt ipt-large ipt-radius {{if .Err_AdminFilter}}ipt-error{{end}}" id="admin_filter" name="admin_filter" value="{{.Source.LDAP.AdminFilter}}" />
+                                </div>
                                 <div class="field">
                                     <label for="attribute_name">{{.i18n.Tr "admin.auths.attribute_name"}}</label>
                                     <input class="ipt ipt-large ipt-radius {{if .Err_Attributes}}ipt-error{{end}}" id="attribute_name" name="attribute_name" value="{{.Source.LDAP.AttributeName}}" />

templates/admin/auth/new.tmpl

@@ -55,6 +55,10 @@
                                         <label class="req" for="filter">{{.i18n.Tr "admin.auths.filter"}}</label>
                                         <input class="ipt ipt-large ipt-radius {{if .Err_Filter}}ipt-error{{end}}" id="filter" name="filter" value="{{.filter}}" />
                                     </div>
+                                    <div class="field">
+                                        <label class="req" for="filter">{{.i18n.Tr "admin.auths.admin_filter"}}</label>
+                                        <input class="ipt ipt-large ipt-radius {{if .Err_AdminFilter}}ipt-error{{end}}" id="admin_filter" name="admin_filter" value="{{.admin_filter}}" />
+                                    </div>
                                     <div class="field">
                                         <label for="attribute_name">{{.i18n.Tr "admin.auths.attribute_name"}}</label>
                                         <input class="ipt ipt-large ipt-radius {{if .Err_AttributeName}}ipt-error{{end}}" id="attribute_name" name="attribute_name" value="{{.attribute_name}}" />