From dfedfc7e7a7be168e0e9e7941e9f3e8452244277 Mon Sep 17 00:00:00 2001 From: BaiJiangJie Date: Thu, 10 Oct 2019 17:53:22 +0800 Subject: [PATCH 1/2] =?UTF-8?q?[Update]=20LDAP=20=E7=99=BB=E5=BD=95?= =?UTF-8?q?=E8=AE=A4=E8=AF=81=E6=B7=BB=E5=8A=A0=E9=85=8D=E7=BD=AE=E9=A1=B9?= =?UTF-8?q?=EF=BC=9A=E5=8F=AA=E6=9C=89=E5=9C=A8=E7=94=A8=E6=88=B7=E5=88=97?= =?UTF-8?q?=E8=A1=A8=E4=B8=AD=E7=9A=84=E7=94=A8=E6=88=B7=E4=BC=9A=E8=A2=AB?= =?UTF-8?q?=E5=85=81=E8=AE=B8=E8=AE=A4=E8=AF=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apps/authentication/backends/ldap.py | 7 +++++++ apps/jumpserver/conf.py | 1 + apps/jumpserver/settings.py | 1 + 3 files changed, 9 insertions(+) diff --git a/apps/authentication/backends/ldap.py b/apps/authentication/backends/ldap.py index 9dd151561..07ec0f375 100644 --- a/apps/authentication/backends/ldap.py +++ b/apps/authentication/backends/ldap.py @@ -32,6 +32,13 @@ class LDAPAuthorizationBackend(LDAPBackend): if not username: logger.info('Authenticate failed: username is None') return None + if settings.AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS: + user_model = self.get_user_model() + exist = user_model.objects.filter(username=username).exists() + if not exist: + msg = 'Authentication failed: user ({}) is not in the user list' + logger.info(msg.format(username)) + return None ldap_user = LDAPUser(self, username=username.strip(), request=request) user = self.authenticate_ldap_user(ldap_user, password) logger.info('Authenticate user: {}'.format(user)) diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py index 9825eaece..0df26d149 100644 --- a/apps/jumpserver/conf.py +++ b/apps/jumpserver/conf.py @@ -378,6 +378,7 @@ defaults = { 'AUTH_LDAP_SYNC_IS_PERIODIC': False, 'AUTH_LDAP_SYNC_INTERVAL': None, 'AUTH_LDAP_SYNC_CRONTAB': None, + 'AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS': False, 'HTTP_BIND_HOST': '0.0.0.0', 'HTTP_LISTEN_PORT': 8080, 'WS_LISTEN_PORT': 8070, 
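Review bot: The allow-list lookup in the added block filters on the raw `username`, while the LDAP bind two lines below it uses `username.strip()`, so the name checked against the user list is not the name that is actually authenticated; strip once before the new `if settings.AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS:` check (`username = username.strip()`) and then pass the stripped value as `LDAPUser(self, username=username, request=request)`. The `filter(username=username)` is an exact match, whereas LDAP/AD logins are commonly case-insensitive, so `Alice` could be rejected although `alice` is in the list; `username__iexact` would align the two, but only if the project otherwise treats usernames case-insensitively, which is worth confirming first. The check also only asks whether any user with that name exists, not whether that user is LDAP-sourced; if a local account can share a username with a directory account, the LDAP credential passes this gate for it, and whether `authenticate_ldap_user` later prevents that is outside the hunk. Returning before any LDAP round trip makes listed and unlisted names distinguishable by response time, a small enumeration side channel that deserves a one-line comment on the early return such as `# fail closed: names not in the local user list never reach the LDAP server`. The enclosing `authenticate` method begins and ends outside the hunk.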
diff --git a/apps/jumpserver/settings.py b/apps/jumpserver/settings.py index b0db8dbab..6088358f1 100644 --- a/apps/jumpserver/settings.py +++ b/apps/jumpserver/settings.py @@ -429,6 +429,7 @@ AUTH_LDAP_SEARCH_PAGED_SIZE = CONFIG.AUTH_LDAP_SEARCH_PAGED_SIZE AUTH_LDAP_SYNC_IS_PERIODIC = CONFIG.AUTH_LDAP_SYNC_IS_PERIODIC AUTH_LDAP_SYNC_INTERVAL = CONFIG.AUTH_LDAP_SYNC_INTERVAL AUTH_LDAP_SYNC_CRONTAB = CONFIG.AUTH_LDAP_SYNC_CRONTAB +AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS = CONFIG.AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS AUTH_LDAP_SERVER_URI = 'ldap://localhost:389' AUTH_LDAP_BIND_DN = 'cn=admin,dc=jumpserver,dc=org' From d1dc3342a24c1ac581a1181f898e1217863d9d8d Mon Sep 17 00:00:00 2001 From: BaiJiangJie Date: Thu, 10 Oct 2019 18:04:31 +0800 Subject: [PATCH 2/2] =?UTF-8?q?[Update]=20=E9=85=8D=E7=BD=AE=E9=A1=B9=20AU?= =?UTF-8?q?TH=5FLDAP=5FUSER=5FLOGIN=5FONLY=5FIN=5FUSERS=20=E6=B7=BB?= =?UTF-8?q?=E5=8A=A0=E5=88=B0=20config=5Fexample.yml=20=E4=B8=AD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- config_example.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/config_example.yml b/config_example.yml index 911e7b8ee..786de3257 100644 --- a/config_example.yml +++ b/config_example.yml @@ -72,13 +72,18 @@ REDIS_PORT: 6379 # RADIUS_PORT: 1812 # RADIUS_SECRET: -# LDAP/AD 设置定时同步参数 +# LDAP/AD settings +# 定时同步用户 # 启用/禁用 # AUTH_LDAP_SYNC_IS_PERIODIC: True # 单位: 时 # AUTH_LDAP_SYNC_INTERVAL: 12 # Crontab 表达式 # AUTH_LDAP_SYNC_CRONTAB: * 6 * * * +# +# LDAP 用户登录时仅允许在用户列表中的用户执行 LDAP Server 认证 +# AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS: False + # OTP settings # OTP/MFA 配置