Introduce basic LDAP authentication.

.gitignore

@@ -1,6 +1,7 @@
 node_modules/
 gist.db
 .idea/
+.vscode/
 .DS_Store
 /**/.DS_Store
 public/assets/*
@@ -9,3 +10,4 @@ opengist
 build/
 docs/.vitepress/dist/
 docs/.vitepress/cache/
+vendor/

config.yml

@@ -72,7 +72,6 @@ ssh.external-domain:
 # Path or alias to ssh-keygen executable. Default: ssh-keygen
 ssh.keygen-executable: ssh-keygen
 
-
 # OAuth2 configuration
 # The callback/redirect URL must be http://opengist.url/oauth/<github|gitlab|gitea|openid-connect>/callback
 
@@ -102,6 +101,17 @@ oidc.secret:
 # Discovery endpoint of the OpenID provider. Generally something like http://auth.example.com/.well-known/openid-configuration
 oidc.discovery-url:
 
+# LDAP authentication configuration
+# URL of the LDAP instance e.g: ldap://ldap.example.com:389
+ldap.url:
+# Bind DN to authenticate against the LDAP e.g: cn=read-only-admin,dc=example,dc=com
+ldap.bind-dn:
+# The password for the Bind DN.
+ldap.bind-credentials:
+# The Base DN to start search from e.g: dc=example,dc=com
+ldap.search-base:
+# The filter to search against (the format string %s will be replaced with the username) e.g: (uid=%s)
+ldap.search-filter:
 
 # Custom assets
 # Add your own custom assets, that are files relatives to $opengist-home/custom/

docs/configuration/admin-panel.md

@@ -45,6 +45,8 @@ Here you can change a limited number of settings without restarting the instance
     - Forbid the creation of new accounts.
 - Require login
     - Enforce users to be logged in to see gists.
+- Enable LDAP
+    - Allow users to use LDAP authentication. If LDAP authentication fails, it will try local authentication.
 - Allow individual gists without login
     - Allow individual gists to be viewed and downloaded without login, while requiring login for discovering gists.
 - Disable login form

docs/configuration/cheat-sheet.md

@@ -37,6 +37,11 @@ aside: false
 | oidc.client-key       | OG_OIDC_CLIENT_KEY                  | none                  | The client key for the OpenID application.                                                                                                                                                                                       |
 | oidc.secret           | OG_OIDC_SECRET                      | none                  | The secret for the OpenID application.                                                                                                                                                                                           |
 | oidc.discovery-url    | OG_OIDC_DISCOVERY_URL               | none                  | Discovery endpoint of the OpenID provider.                                                                                                                                                                                       |
+| ldap.url              | OG_LDAP_URL                         | `ldap://0.0.0.0:389`  | URL of the LDAP instance.                                                                                                                                                                                                        |
+| ldap.bind-dn          | OG_LDAP_BIND_DN                     | none                  | Bind DN to authenticate against the LDAP.                                                                                                                                                                                        |
+| ldap.bind-credentials | OG_LDAP_BIND_CREDENTIALS            | none                  | The password for the Bind DN.                                                                                                                                                                                                    |
+| ldap.search-base      | OG_LDAP_SEARCH_BASE                 | none                  | The Base DN to start search from.                                                                                                                                                                                                |
+| ldap.search-filter    | OG_LDAP_SEARCH_FILTER               | none                  | The filter to search against (the format string %s will be replaced with the username).                                                                                                                                          |
 | custom.logo           | OG_CUSTOM_LOGO                      | none                  | Path to an image, relative to $opengist-home/custom.                                                                                                                                                                             |
 | custom.favicon        | OG_CUSTOM_FAVICON                   | none                  | Path to an image, relative to $opengist-home/custom.                                                                                                                                                                             |
 | custom.static-links   | OG_CUSTOM_STATIC_LINK_#_(PATH,NAME) | none                  | Path and name to custom links, more info [here](custom-links.md).                                                                                                                                                                |

go.mod

@@ -8,6 +8,7 @@ require (
 	github.com/blevesearch/bleve/v2 v2.4.3
 	github.com/dustin/go-humanize v1.0.1
 	github.com/glebarez/sqlite v1.11.0
+	github.com/go-ldap/ldap/v3 v3.4.8
 	github.com/go-playground/validator/v10 v10.23.0
 	github.com/go-webauthn/webauthn v0.11.2
 	github.com/google/uuid v1.6.0
@@ -34,6 +35,7 @@ require (
 
 require (
 	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/RoaringBitmap/roaring v1.9.4 // indirect
 	github.com/bits-and-blooms/bitset v1.17.0 // indirect
 	github.com/blevesearch/bleve_index_api v1.1.13 // indirect
@@ -60,6 +62,7 @@ require (
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.7 // indirect
 	github.com/glebarez/go-sqlite v1.22.0 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-sql-driver/mysql v1.8.1 // indirect