auto create account, sync ldap disabled flag
This commit is contained in:
parent
1dee239f4f
commit
7b651da1d7
|
@ -150,16 +150,17 @@
|
|||
<ul>
|
||||
<li>Firstname: {{$p.LdapUser.Firstname}}</li>
|
||||
<li>Lastname: {{$p.LdapUser.Lastname}}</li>
|
||||
<li>Phone: {{$p.UID}}</li>
|
||||
<li>Phone: {{index $p.LdapUser.RawLdapData.Attributes "telephoneNumber"}}</li>
|
||||
<li>Mail: {{$p.LdapUser.Mail}}</li>
|
||||
<li>Department: {{$p.UID}}</li>
|
||||
<li>Department: {{index $p.LdapUser.RawLdapData.Attributes "department"}}</li>
|
||||
</ul>
|
||||
{{end}}
|
||||
<h4>Traffic</h4>
|
||||
<h4>Connection / Traffic</h4>
|
||||
{{if not $p.Peer}}
|
||||
<p>No Traffic data available...</p>
|
||||
{{else}}
|
||||
<p>{{if $p.DeactivatedAt}}-{{else}}<i class="fas fa-long-arrow-alt-down"></i></i> {{formatBytes $p.Peer.ReceiveBytes}} / <i class="fas fa-long-arrow-alt-up"></i> {{formatBytes $p.Peer.TransmitBytes}}{{end}}</p>
|
||||
<p>{{if $p.DeactivatedAt}}-{{else}}<i class="fas network-wired" title="Last Endpoint"></i> {{formatBytes $p.Peer.Endpoint}}{{end}}</p>
|
||||
<p>{{if $p.DeactivatedAt}}-{{else}}<i class="fas fa-long-arrow-alt-down"></i> {{formatBytes $p.Peer.ReceiveBytes}} / <i class="fas fa-long-arrow-alt-up"></i> {{formatBytes $p.Peer.TransmitBytes}}{{end}}</p>
|
||||
{{end}}
|
||||
</div>
|
||||
<div id="t2{{$p.UID}}" class="tab-pane fade">
|
||||
|
|
|
@ -54,15 +54,17 @@ func loadConfigEnv(cfg interface{}) error {
|
|||
|
||||
type Config struct {
|
||||
Core struct {
|
||||
ListeningAddress string `yaml:"listeningAddress" envconfig:"LISTENING_ADDRESS"`
|
||||
ExternalUrl string `yaml:"externalUrl" envconfig:"EXTERNAL_URL"`
|
||||
Title string `yaml:"title" envconfig:"WEBSITE_TITLE"`
|
||||
CompanyName string `yaml:"company" envconfig:"COMPANY_NAME"`
|
||||
MailFrom string `yaml:"mailfrom" envconfig:"MAIL_FROM"`
|
||||
AdminUser string `yaml:"adminUser" envconfig:"ADMIN_USER"` // optional, non LDAP admin user
|
||||
AdminPassword string `yaml:"adminPass" envconfig:"ADMIN_PASS"`
|
||||
DatabasePath string `yaml:"database" envconfig:"DATABASE_PATH"`
|
||||
EditableKeys bool `yaml:"editableKeys" envconfig:"EDITABLE_KEYS"`
|
||||
ListeningAddress string `yaml:"listeningAddress" envconfig:"LISTENING_ADDRESS"`
|
||||
ExternalUrl string `yaml:"externalUrl" envconfig:"EXTERNAL_URL"`
|
||||
Title string `yaml:"title" envconfig:"WEBSITE_TITLE"`
|
||||
CompanyName string `yaml:"company" envconfig:"COMPANY_NAME"`
|
||||
MailFrom string `yaml:"mailfrom" envconfig:"MAIL_FROM"`
|
||||
AdminUser string `yaml:"adminUser" envconfig:"ADMIN_USER"` // optional, non LDAP admin user
|
||||
AdminPassword string `yaml:"adminPass" envconfig:"ADMIN_PASS"`
|
||||
DatabasePath string `yaml:"database" envconfig:"DATABASE_PATH"`
|
||||
EditableKeys bool `yaml:"editableKeys" envconfig:"EDITABLE_KEYS"`
|
||||
CreateInterfaceOnLogin bool `yaml:"createOnLogin" envconfig:"CREATE_INTERFACE_ON_LOGIN"`
|
||||
SyncLdapStatus bool `yaml:"syncLdapStatus" envconfig:"SYNC_LDAP_STATUS"` // disable account if disabled in ldap
|
||||
} `yaml:"core"`
|
||||
Email MailConfig `yaml:"email"`
|
||||
LDAP ldap.Config `yaml:"ldap"`
|
||||
|
|
|
@ -63,7 +63,7 @@ func (a Authentication) CheckCustomLogin(userIdentifier, username, password stri
|
|||
a.Cfg.BaseDN,
|
||||
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
|
||||
fmt.Sprintf("(&(objectClass=organizationalPerson)(%s=%s))", userIdentifier, username),
|
||||
[]string{"dn"},
|
||||
[]string{"dn", "userAccountControl"},
|
||||
nil,
|
||||
)
|
||||
|
||||
|
@ -78,6 +78,12 @@ func (a Authentication) CheckCustomLogin(userIdentifier, username, password stri
|
|||
|
||||
userDN := sr.Entries[0].DN
|
||||
|
||||
// Check if user is disabled, if so deny login
|
||||
uac := sr.Entries[0].GetAttributeValue("userAccountControl")
|
||||
if uac != "" && IsLdapUserDisabled(uac) {
|
||||
return false
|
||||
}
|
||||
|
||||
// Bind as the user to verify their password
|
||||
err = client.Bind(userDN, password)
|
||||
if err != nil {
|
||||
|
|
|
@ -5,6 +5,7 @@ import (
|
|||
"crypto/tls"
|
||||
"fmt"
|
||||
"sort"
|
||||
"strconv"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
@ -214,7 +215,7 @@ func NewUserCache(config Config, store UserCacheHolder) *UserCache {
|
|||
}
|
||||
|
||||
log.Infof("Filling user cache...")
|
||||
err := uc.Update(true)
|
||||
err := uc.Update(true, true)
|
||||
log.Infof("User cache filled!")
|
||||
uc.LastError = err
|
||||
|
||||
|
@ -250,7 +251,7 @@ func (u UserCache) close(conn *ldap.Conn) {
|
|||
}
|
||||
|
||||
// Update updates the user cache in background, minimal locking will happen
|
||||
func (u *UserCache) Update(filter bool) error {
|
||||
func (u *UserCache) Update(filter, withDisabledUsers bool) error {
|
||||
log.Debugf("Updating ldap cache...")
|
||||
client, err := u.open()
|
||||
if err != nil {
|
||||
|
@ -290,8 +291,8 @@ func (u *UserCache) Update(filter bool) error {
|
|||
continue // prefilter...
|
||||
}
|
||||
|
||||
if userAccountControl == "" || userAccountControl == "514" {
|
||||
continue // 514 means account is disabled
|
||||
if !withDisabledUsers && userAccountControl != "" && IsLdapUserDisabled(userAccountControl) {
|
||||
continue
|
||||
}
|
||||
|
||||
if entry.DN != dn {
|
||||
|
@ -323,3 +324,15 @@ func (u *UserCache) Update(filter bool) error {
|
|||
|
||||
return nil
|
||||
}
|
||||
|
||||
func IsLdapUserDisabled(userAccountControl string) bool {
|
||||
uacInt, err := strconv.Atoi(userAccountControl)
|
||||
if err != nil {
|
||||
return true
|
||||
}
|
||||
if int32(uacInt)&0x2 != 0 {
|
||||
return true // bit 2 set means account is disabled
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
|
|
@ -157,7 +157,7 @@ func (s *Server) Run() {
|
|||
go func(s *Server) {
|
||||
for {
|
||||
time.Sleep(CacheRefreshDuration)
|
||||
if err := s.ldapCacheUpdater.Update(true); err != nil {
|
||||
if err := s.ldapCacheUpdater.Update(true, true); err != nil {
|
||||
log.Warnf("Failed to update ldap group cache: %v", err)
|
||||
}
|
||||
log.Debugf("Refreshed LDAP permissions!")
|
||||
|
@ -165,6 +165,18 @@ func (s *Server) Run() {
|
|||
}(s)
|
||||
}
|
||||
|
||||
if !s.ldapDisabled && s.config.Core.SyncLdapStatus {
|
||||
go func(s *Server) {
|
||||
for {
|
||||
time.Sleep(CacheRefreshDuration)
|
||||
if err := s.SyncLdapAttributesWithWireGuard(); err != nil {
|
||||
log.Warnf("Failed to synchronize ldap attributes: %v", err)
|
||||
}
|
||||
log.Debugf("Synced LDAP attributes!")
|
||||
}
|
||||
}(s)
|
||||
}
|
||||
|
||||
// Run web service
|
||||
err := s.server.Run(s.config.Core.ListeningAddress)
|
||||
if err != nil {
|
||||
|
|
|
@ -4,6 +4,8 @@ import (
|
|||
"net/http"
|
||||
"strings"
|
||||
|
||||
log "github.com/sirupsen/logrus"
|
||||
|
||||
"github.com/gin-gonic/gin"
|
||||
)
|
||||
|
||||
|
@ -95,6 +97,21 @@ func (s *Server) PostLogin(c *gin.Context) {
|
|||
}
|
||||
}
|
||||
|
||||
// Check if user already has a peer setup, if not create one
|
||||
if s.config.Core.CreateInterfaceOnLogin && !adminAuthenticated {
|
||||
users := s.users.GetUsersByMail(sessionData.Email)
|
||||
|
||||
if len(users) == 0 { // Create vpn peer
|
||||
err := s.CreateUser(User{
|
||||
Identifier: sessionData.Firstname + " " + sessionData.Lastname + " (Default)",
|
||||
Email: sessionData.Email,
|
||||
CreatedBy: sessionData.Email,
|
||||
UpdatedBy: sessionData.Email,
|
||||
})
|
||||
log.Errorf("Failed to automatically create vpn peer for %s: %v", sessionData.Email, err)
|
||||
}
|
||||
}
|
||||
|
||||
if err := s.updateSessionData(c, sessionData); err != nil {
|
||||
s.GetHandleError(c, http.StatusInternalServerError, "login error", "failed to save session")
|
||||
return
|
||||
|
|
|
@ -0,0 +1,34 @@
|
|||
package server
|
||||
|
||||
import (
|
||||
"time"
|
||||
|
||||
"github.com/h44z/wg-portal/internal/ldap"
|
||||
log "github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
// SyncLdapAttributesWithWireGuard starts to synchronize the "disabled" attribute from ldap.
|
||||
// Users will be automatically disabled once they are disabled in ldap.
|
||||
// This method is blocking.
|
||||
func (s *Server) SyncLdapAttributesWithWireGuard() error {
|
||||
allUsers := s.users.GetAllUsers()
|
||||
for i := range allUsers {
|
||||
user := allUsers[i]
|
||||
if user.LdapUser == nil {
|
||||
continue // skip non ldap users
|
||||
}
|
||||
|
||||
if user.DeactivatedAt != nil {
|
||||
continue // skip already disabled interfaces
|
||||
}
|
||||
|
||||
if ldap.IsLdapUserDisabled(allUsers[i].LdapUser.Attributes["userAccountControl"]) {
|
||||
now := time.Now()
|
||||
user.DeactivatedAt = &now
|
||||
if err := s.UpdateUser(user, now); err != nil {
|
||||
log.Errorf("Failed to disable user %s: %v", user.Email, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
|
@ -10,7 +10,8 @@ DNS = {{ .Server.DNSStr }}
|
|||
{{- end}}
|
||||
{{- if ne .Server.Mtu 0 -}}
|
||||
MTU = {{.Server.Mtu}}
|
||||
{{- end -}}
|
||||
{{- end}}
|
||||
|
||||
[Peer]
|
||||
PublicKey = {{ .Server.PublicKey }}
|
||||
{{- if .Client.PresharedKey -}}
|
||||
|
|
Loading…
Reference in New Issue