auto create account, sync ldap disabled flag

This commit is contained in:
Christoph Haas 2020-11-16 22:39:41 +01:00
parent 1dee239f4f
commit 7b651da1d7
8 changed files with 106 additions and 20 deletions

View File

@ -150,16 +150,17 @@
<ul> <ul>
<li>Firstname: {{$p.LdapUser.Firstname}}</li> <li>Firstname: {{$p.LdapUser.Firstname}}</li>
<li>Lastname: {{$p.LdapUser.Lastname}}</li> <li>Lastname: {{$p.LdapUser.Lastname}}</li>
<li>Phone: {{$p.UID}}</li> <li>Phone: {{index $p.LdapUser.RawLdapData.Attributes "telephoneNumber"}}</li>
<li>Mail: {{$p.LdapUser.Mail}}</li> <li>Mail: {{$p.LdapUser.Mail}}</li>
<li>Department: {{$p.UID}}</li> <li>Department: {{index $p.LdapUser.RawLdapData.Attributes "department"}}</li>
</ul> </ul>
{{end}} {{end}}
<h4>Traffic</h4> <h4>Connection / Traffic</h4>
{{if not $p.Peer}} {{if not $p.Peer}}
<p>No Traffic data available...</p> <p>No Traffic data available...</p>
{{else}} {{else}}
<p>{{if $p.DeactivatedAt}}-{{else}}<i class="fas fa-long-arrow-alt-down"></i></i> {{formatBytes $p.Peer.ReceiveBytes}} / <i class="fas fa-long-arrow-alt-up"></i> {{formatBytes $p.Peer.TransmitBytes}}{{end}}</p> <p>{{if $p.DeactivatedAt}}-{{else}}<i class="fas network-wired" title="Last Endpoint"></i> {{formatBytes $p.Peer.Endpoint}}{{end}}</p>
<p>{{if $p.DeactivatedAt}}-{{else}}<i class="fas fa-long-arrow-alt-down"></i> {{formatBytes $p.Peer.ReceiveBytes}} / <i class="fas fa-long-arrow-alt-up"></i> {{formatBytes $p.Peer.TransmitBytes}}{{end}}</p>
{{end}} {{end}}
</div> </div>
<div id="t2{{$p.UID}}" class="tab-pane fade"> <div id="t2{{$p.UID}}" class="tab-pane fade">

View File

@ -54,15 +54,17 @@ func loadConfigEnv(cfg interface{}) error {
type Config struct { type Config struct {
Core struct { Core struct {
ListeningAddress string `yaml:"listeningAddress" envconfig:"LISTENING_ADDRESS"` ListeningAddress string `yaml:"listeningAddress" envconfig:"LISTENING_ADDRESS"`
ExternalUrl string `yaml:"externalUrl" envconfig:"EXTERNAL_URL"` ExternalUrl string `yaml:"externalUrl" envconfig:"EXTERNAL_URL"`
Title string `yaml:"title" envconfig:"WEBSITE_TITLE"` Title string `yaml:"title" envconfig:"WEBSITE_TITLE"`
CompanyName string `yaml:"company" envconfig:"COMPANY_NAME"` CompanyName string `yaml:"company" envconfig:"COMPANY_NAME"`
MailFrom string `yaml:"mailfrom" envconfig:"MAIL_FROM"` MailFrom string `yaml:"mailfrom" envconfig:"MAIL_FROM"`
AdminUser string `yaml:"adminUser" envconfig:"ADMIN_USER"` // optional, non LDAP admin user AdminUser string `yaml:"adminUser" envconfig:"ADMIN_USER"` // optional, non LDAP admin user
AdminPassword string `yaml:"adminPass" envconfig:"ADMIN_PASS"` AdminPassword string `yaml:"adminPass" envconfig:"ADMIN_PASS"`
DatabasePath string `yaml:"database" envconfig:"DATABASE_PATH"` DatabasePath string `yaml:"database" envconfig:"DATABASE_PATH"`
EditableKeys bool `yaml:"editableKeys" envconfig:"EDITABLE_KEYS"` EditableKeys bool `yaml:"editableKeys" envconfig:"EDITABLE_KEYS"`
CreateInterfaceOnLogin bool `yaml:"createOnLogin" envconfig:"CREATE_INTERFACE_ON_LOGIN"`
SyncLdapStatus bool `yaml:"syncLdapStatus" envconfig:"SYNC_LDAP_STATUS"` // disable account if disabled in ldap
} `yaml:"core"` } `yaml:"core"`
Email MailConfig `yaml:"email"` Email MailConfig `yaml:"email"`
LDAP ldap.Config `yaml:"ldap"` LDAP ldap.Config `yaml:"ldap"`

View File

@ -63,7 +63,7 @@ func (a Authentication) CheckCustomLogin(userIdentifier, username, password stri
a.Cfg.BaseDN, a.Cfg.BaseDN,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
fmt.Sprintf("(&(objectClass=organizationalPerson)(%s=%s))", userIdentifier, username), fmt.Sprintf("(&(objectClass=organizationalPerson)(%s=%s))", userIdentifier, username),
[]string{"dn"}, []string{"dn", "userAccountControl"},
nil, nil,
) )
@ -78,6 +78,12 @@ func (a Authentication) CheckCustomLogin(userIdentifier, username, password stri
userDN := sr.Entries[0].DN userDN := sr.Entries[0].DN
// Check if user is disabled, if so deny login
uac := sr.Entries[0].GetAttributeValue("userAccountControl")
if uac != "" && IsLdapUserDisabled(uac) {
return false
}
// Bind as the user to verify their password // Bind as the user to verify their password
err = client.Bind(userDN, password) err = client.Bind(userDN, password)
if err != nil { if err != nil {

View File

@ -5,6 +5,7 @@ import (
"crypto/tls" "crypto/tls"
"fmt" "fmt"
"sort" "sort"
"strconv"
"strings" "strings"
"sync" "sync"
"time" "time"
@ -214,7 +215,7 @@ func NewUserCache(config Config, store UserCacheHolder) *UserCache {
} }
log.Infof("Filling user cache...") log.Infof("Filling user cache...")
err := uc.Update(true) err := uc.Update(true, true)
log.Infof("User cache filled!") log.Infof("User cache filled!")
uc.LastError = err uc.LastError = err
@ -250,7 +251,7 @@ func (u UserCache) close(conn *ldap.Conn) {
} }
// Update updates the user cache in background, minimal locking will happen // Update updates the user cache in background, minimal locking will happen
func (u *UserCache) Update(filter bool) error { func (u *UserCache) Update(filter, withDisabledUsers bool) error {
log.Debugf("Updating ldap cache...") log.Debugf("Updating ldap cache...")
client, err := u.open() client, err := u.open()
if err != nil { if err != nil {
@ -290,8 +291,8 @@ func (u *UserCache) Update(filter bool) error {
continue // prefilter... continue // prefilter...
} }
if userAccountControl == "" || userAccountControl == "514" { if !withDisabledUsers && userAccountControl != "" && IsLdapUserDisabled(userAccountControl) {
continue // 514 means account is disabled continue
} }
if entry.DN != dn { if entry.DN != dn {
@ -323,3 +324,15 @@ func (u *UserCache) Update(filter bool) error {
return nil return nil
} }
func IsLdapUserDisabled(userAccountControl string) bool {
uacInt, err := strconv.Atoi(userAccountControl)
if err != nil {
return true
}
if int32(uacInt)&0x2 != 0 {
return true // bit 2 set means account is disabled
}
return false
}

View File

@ -157,7 +157,7 @@ func (s *Server) Run() {
go func(s *Server) { go func(s *Server) {
for { for {
time.Sleep(CacheRefreshDuration) time.Sleep(CacheRefreshDuration)
if err := s.ldapCacheUpdater.Update(true); err != nil { if err := s.ldapCacheUpdater.Update(true, true); err != nil {
log.Warnf("Failed to update ldap group cache: %v", err) log.Warnf("Failed to update ldap group cache: %v", err)
} }
log.Debugf("Refreshed LDAP permissions!") log.Debugf("Refreshed LDAP permissions!")
@ -165,6 +165,18 @@ func (s *Server) Run() {
}(s) }(s)
} }
if !s.ldapDisabled && s.config.Core.SyncLdapStatus {
go func(s *Server) {
for {
time.Sleep(CacheRefreshDuration)
if err := s.SyncLdapAttributesWithWireGuard(); err != nil {
log.Warnf("Failed to synchronize ldap attributes: %v", err)
}
log.Debugf("Synced LDAP attributes!")
}
}(s)
}
// Run web service // Run web service
err := s.server.Run(s.config.Core.ListeningAddress) err := s.server.Run(s.config.Core.ListeningAddress)
if err != nil { if err != nil {

View File

@ -4,6 +4,8 @@ import (
"net/http" "net/http"
"strings" "strings"
log "github.com/sirupsen/logrus"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
) )
@ -95,6 +97,21 @@ func (s *Server) PostLogin(c *gin.Context) {
} }
} }
// Check if user already has a peer setup, if not create one
if s.config.Core.CreateInterfaceOnLogin && !adminAuthenticated {
users := s.users.GetUsersByMail(sessionData.Email)
if len(users) == 0 { // Create vpn peer
err := s.CreateUser(User{
Identifier: sessionData.Firstname + " " + sessionData.Lastname + " (Default)",
Email: sessionData.Email,
CreatedBy: sessionData.Email,
UpdatedBy: sessionData.Email,
})
log.Errorf("Failed to automatically create vpn peer for %s: %v", sessionData.Email, err)
}
}
if err := s.updateSessionData(c, sessionData); err != nil { if err := s.updateSessionData(c, sessionData); err != nil {
s.GetHandleError(c, http.StatusInternalServerError, "login error", "failed to save session") s.GetHandleError(c, http.StatusInternalServerError, "login error", "failed to save session")
return return

View File

@ -0,0 +1,34 @@
package server
import (
"time"
"github.com/h44z/wg-portal/internal/ldap"
log "github.com/sirupsen/logrus"
)
// SyncLdapAttributesWithWireGuard starts to synchronize the "disabled" attribute from ldap.
// Users will be automatically disabled once they are disabled in ldap.
// This method is blocking.
func (s *Server) SyncLdapAttributesWithWireGuard() error {
allUsers := s.users.GetAllUsers()
for i := range allUsers {
user := allUsers[i]
if user.LdapUser == nil {
continue // skip non ldap users
}
if user.DeactivatedAt != nil {
continue // skip already disabled interfaces
}
if ldap.IsLdapUserDisabled(allUsers[i].LdapUser.Attributes["userAccountControl"]) {
now := time.Now()
user.DeactivatedAt = &now
if err := s.UpdateUser(user, now); err != nil {
log.Errorf("Failed to disable user %s: %v", user.Email, err)
}
}
}
return nil
}

View File

@ -10,7 +10,8 @@ DNS = {{ .Server.DNSStr }}
{{- end}} {{- end}}
{{- if ne .Server.Mtu 0 -}} {{- if ne .Server.Mtu 0 -}}
MTU = {{.Server.Mtu}} MTU = {{.Server.Mtu}}
{{- end -}} {{- end}}
[Peer] [Peer]
PublicKey = {{ .Server.PublicKey }} PublicKey = {{ .Server.PublicKey }}
{{- if .Client.PresharedKey -}} {{- if .Client.PresharedKey -}}