Skip to content

Latest commit

 

History

History
163 lines (110 loc) · 5.88 KB

README.md

File metadata and controls

163 lines (110 loc) · 5.88 KB

About

This project is based on two repos: ohdarling/virtual-ldap and anjia0532/virtual-ldap, thanks to the authors. This projects aims to use Dingtalk as unified anthentication for internal system.

  • ohdarling/virtual-ldap is the original repo which implements Ldap service and use DingTalk as authorization service.
  • I found anjia0532/virtual-ldap is in the first project pull request, it implements Dockerfile, generate random password and add pinyin field in the ldap tree.

Based on this two projects, I implement following features:

  • Implement docker compose yaml with virutal-ldap, mysql and Keycloak, the detailed usage you can follow this link: https://xujiwei.com/blog/2020/02/internal-authorize-based-on-dingtalk-virtual-ldap-keyclaok/
  • For our own company scenario, I fix the password rule. The default uid is pinyin(only keep lower chars) with the last four numbers of cell phone. The default password is pinyin(only keep lower chars) with the first four numbers of cell phone. User can reset password in Keycloak during first login.
  • Fix user authentication, first check database and then check the attribute in ldap tree.

这个项目是基于ohdarling/virtual-ldap和anjia0532/virtual-ldap项目实现的,感谢原作者。目的为了满足使用钉钉作为统一鉴权方式为内部系统提供鉴权服务。

  • ohdarling/virtual-ldap项目实现了Ldap服务以及通过钉钉同步信息,作为统一鉴权系统使用。
  • anjia0532/virtual-ldap项目实际上是在上一个项目的pull request找到的,但是由于没有合并到主干,所以作者独立进行了开发。这个项目主要为了实现容器化,并且采用了随机生成密码和增加pinyin字段。

基于这两个项目,我进一步开发了下面的功能:

Virtual-LDAP

Virtual-LDAP is a service used to bridge any other account services to the LDAP protocol. With Virtual-LDAP, you can use existing account services (such as DingTalk) as an authorization service for many open source projects.

Virtual-LDAP has a provider architecture, so you can extend it with a custom provider to support any other account service, such as a database-based account service.

Virtual-LDAP is not a complete implementation of LDAP and currently only supports partial binding, search, and modification requests. All directory groups and users will be obtained from the provider.

The database used for Virtual-LDAP is used to store user passwords. Passwords will be hashed using SHA256 plus a salt value.

Configuration

Virtual-LDAP using JavaScript to configure all settings, include DN, admins, database, provider and custom groups.

For every configuration items, see example config file below.

module.exports = {
  ldap: {
    // LDAP serve port, it is a insecure port, please connect with ldap://
    listenPort: 1389,
    // Base DN will be o=Example,dc=example,dc=com
    // Groups base DN will be ou=Groups,o=Example,dc=example,dc=com
    // Users base DN will be ou=People,o=Example,dc=example,dc=com
    rootDN: 'dc=example,dc=com',
    organization: 'Example',
    // Admins who can search or modify directory
    admins: [
      {
        // Bind DN will be cn=keycloak,dc=example,dc=com
        commonName: 'keycloak',
        password: 'keycloak',
        // Can this admin modify user's password
        canModifyEntry: true,
      },
      {
        commonName: 'jenkins',
        password: 'jenkins',
        canModifyEntry: false,
      },
    ]
  },
  // Database for storing users' password
  database: {
    type: 'mysql',
    host: '127.0.0.1',
    port: '23306',
    user: 'root',
    password: '123456',
    database: 'vldap',
  },
  // Provider for providen account service
  provider: {
    name: 'dingtalk',
    appKey: '__APPKEY__',
    appSecret: '__APPSECRET__',
  },
  // Custom groups, base DN will be ou=CustomGroups,ou=Groups,o=Example,dc=example,dc=com
  customGroups: [
    {
      // DN will be ou=Jenkins Admins,ou=CustomGroups,ou=Groups,o=Example,dc=example,dc=com
      name: 'Jenkins Admins',
      // User with these mails will be added to the group
      members: [ 'jenkins@example.com' ],
    }
  ]
}

LDAP DN

For Virtual-LDAP using the above configuration file, the commonly used DNs are as follows.

Root DN

dc=example,dc=com

Search Directory Bind DN

cn=keycloak,dc=example,dc=com

Groups Base DN

ou=Groups,o=Example,dc=example,dc=com

Users Base DN

ou=People,o=Example,dc=example,dc=com

Custom Groups Base DN

ou=CustomGroups,ou=Groups,o=Example,dc=example,dc=com

Jenkins Admins DN

ou=Jenkins Admins,ou=CustomGroups,ou=Groups,o=Example,dc=example,dc=com

Typical User DN

mail=user@example.com,ou=People,o=Example,dc=example,dc=com

Run Virtual-LDAP

Virtual-LDAP can run from source or run as a service in another project.

Run from source

git clone https://github.com/ohdarling/virtual-ldap
cd virtual-ldap
npm start

Run as a service

const server = require('virtual-ldap');
server.setupVirtualLDAPServer(require("./config"));
server.runVirtualLDAPServer();

Testing with ApacheDirectoryStudio

create connectionauth

ldap browse

License

MIT License