Merge pull request #3324 from jumpserver/dev_ldap

[Update] LDAP 登录认证添加配置项：只有在用户列表中的用户会被允许认证

Merge pull request #3324 from jumpserver/dev_ldap
[Update] LDAP 登录认证添加配置项：只有在用户列表中的用户会被允许认证
4102dc68 · BaiJiangJie · GitHub · 7e7583e4 · d1dc3342 · 4102dc68
Unverified Commit 4102dc68 authored Oct 10, 2019 by BaiJiangJie Committed by GitHub Oct 10, 2019
Showing with 15 additions and 1 deletion

ldap.py apps/authentication/backends/ldap.py +7 -0

conf.py apps/jumpserver/conf.py +1 -0

settings.py apps/jumpserver/settings.py +1 -0

config_example.yml config_example.yml +6 -1

No files found.
--- a/apps/authentication/backends/ldap.py
+++ b/apps/authentication/backends/ldap.py
@@ -32,6 +32,13 @@ class LDAPAuthorizationBackend(LDAPBackend):
        if not username:
            logger.info('Authenticate failed: username is None')
            return None
+        if settings.AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS:
+            user_model = self.get_user_model()
+            exist = user_model.objects.filter(username=username).exists()
+            if not exist:
+                msg = 'Authentication failed: user ({}) is not in the user list'
+                logger.info(msg.format(username))
+                return None
        ldap_user = LDAPUser(self, username=username.strip(), request=request)
        user = self.authenticate_ldap_user(ldap_user, password)
        logger.info('Authenticate user: {}'.format(user))

--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -378,6 +378,7 @@ defaults = {
    'AUTH_LDAP_SYNC_IS_PERIODIC': False,
    'AUTH_LDAP_SYNC_INTERVAL': None,
    'AUTH_LDAP_SYNC_CRONTAB': None,
+    'AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS': False,
    'HTTP_BIND_HOST': '0.0.0.0',
    'HTTP_LISTEN_PORT': 8080,
    'WS_LISTEN_PORT': 8070,

--- a/apps/jumpserver/settings.py
+++ b/apps/jumpserver/settings.py
@@ -429,6 +429,7 @@ AUTH_LDAP_SEARCH_PAGED_SIZE = CONFIG.AUTH_LDAP_SEARCH_PAGED_SIZE
 AUTH_LDAP_SYNC_IS_PERIODIC = CONFIG.AUTH_LDAP_SYNC_IS_PERIODIC
 AUTH_LDAP_SYNC_INTERVAL = CONFIG.AUTH_LDAP_SYNC_INTERVAL
 AUTH_LDAP_SYNC_CRONTAB = CONFIG.AUTH_LDAP_SYNC_CRONTAB
+AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS = CONFIG.AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS

 AUTH_LDAP_SERVER_URI = 'ldap://localhost:389'
 AUTH_LDAP_BIND_DN = 'cn=admin,dc=jumpserver,dc=org'

--- a/config_example.yml
+++ b/config_example.yml
@@ -72,13 +72,18 @@ REDIS_PORT: 6379
 # RADIUS_PORT: 1812
 # RADIUS_SECRET: 

-# LDAP/AD 设置定时同步参数
+# LDAP/AD settings
+# 定时同步用户
 # 启用/禁用
 # AUTH_LDAP_SYNC_IS_PERIODIC: True
 # 单位: 时
 # AUTH_LDAP_SYNC_INTERVAL: 12
 # Crontab 表达式
 # AUTH_LDAP_SYNC_CRONTAB: * 6 * * *
+#
+# LDAP 用户登录时仅允许在用户列表中的用户执行 LDAP Server 认证
+# AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS: False
+

 # OTP settings
 # OTP/MFA 配置