3x-ui/util/ldap/ldap.go

package ldaputil

import (
    "crypto/tls"
    "fmt"

    "github.com/go-ldap/ldap/v3"
)

type Config struct {
    Host        string
    Port        int
    UseTLS      bool
    BindDN      string
    Password    string
    BaseDN      string
    UserFilter  string
    UserAttr    string
    FlagField   string
    TruthyVals  []string
    Invert      bool
}

// FetchVlessFlags returns map[email]enabled
func FetchVlessFlags(cfg Config) (map[string]bool, error) {
    addr := fmt.Sprintf("%s:%d", cfg.Host, cfg.Port)
    var conn *ldap.Conn
    var err error
    if cfg.UseTLS {
        conn, err = ldap.DialTLS("tcp", addr, &tls.Config{InsecureSkipVerify: false})
    } else {
        conn, err = ldap.Dial("tcp", addr)
    }
    if err != nil {
        return nil, err
    }
    defer conn.Close()

    if cfg.BindDN != "" {
        if err := conn.Bind(cfg.BindDN, cfg.Password); err != nil {
            return nil, err
        }
    }

    if cfg.UserFilter == "" {
        cfg.UserFilter = "(objectClass=person)"
    }
    if cfg.UserAttr == "" {
        cfg.UserAttr = "mail"
    }
    // if field not set we fallback to legacy vless_enabled
    if cfg.FlagField == "" {
        cfg.FlagField = "vless_enabled"
    }

    req := ldap.NewSearchRequest(
        cfg.BaseDN,
        ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
        cfg.UserFilter,
        []string{cfg.UserAttr, cfg.FlagField},
        nil,
    )

    res, err := conn.Search(req)
    if err != nil {
        return nil, err
    }

    result := make(map[string]bool, len(res.Entries))
    for _, e := range res.Entries {
        user := e.GetAttributeValue(cfg.UserAttr)
        if user == "" {
            continue
        }
        val := e.GetAttributeValue(cfg.FlagField)
        enabled := false
        for _, t := range cfg.TruthyVals {
            if val == t {
                enabled = true
                break
            }
        }
        if cfg.Invert {
            enabled = !enabled
        }
        result[user] = enabled
    }
    return result, nil
}

// AuthenticateUser searches user by cfg.UserAttr and attempts to bind with provided password.
func AuthenticateUser(cfg Config, username, password string) (bool, error) {
    addr := fmt.Sprintf("%s:%d", cfg.Host, cfg.Port)
    var conn *ldap.Conn
    var err error
    if cfg.UseTLS {
        conn, err = ldap.DialTLS("tcp", addr, &tls.Config{InsecureSkipVerify: false})
    } else {
        conn, err = ldap.Dial("tcp", addr)
    }
    if err != nil {
        return false, err
    }
    defer conn.Close()

    // Optional initial bind for search
    if cfg.BindDN != "" {
        if err := conn.Bind(cfg.BindDN, cfg.Password); err != nil {
            return false, err
        }
    }

    if cfg.UserFilter == "" {
        cfg.UserFilter = "(objectClass=person)"
    }
    if cfg.UserAttr == "" {
        cfg.UserAttr = "uid"
    }

    // Build filter to find specific user
    filter := fmt.Sprintf("(&%s(%s=%s))", cfg.UserFilter, cfg.UserAttr, ldap.EscapeFilter(username))
    req := ldap.NewSearchRequest(
        cfg.BaseDN,
        ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 1, 0, false,
        filter,
        []string{"dn"},
        nil,
    )
    res, err := conn.Search(req)
    if err != nil {
        return false, err
    }
    if len(res.Entries) == 0 {
        return false, nil
    }
    userDN := res.Entries[0].DN
    // Try to bind as the user
    if err := conn.Bind(userDN, password); err != nil {
        return false, nil
    }
    return true, nil
}
feat: add ldap component (#3568) * add ldap component * fix: fix russian comments, tls cert verify default true * feat: remove replaces go mod for local dev 2025-09-28 19:00:16 +00:00			`package ldaputil`

			`import (`
			`"crypto/tls"`
			`"fmt"`

			`"github.com/go-ldap/ldap/v3"`
			`)`

			`type Config struct {`
			`Host string`
			`Port int`
			`UseTLS bool`
			`BindDN string`
			`Password string`
			`BaseDN string`
			`UserFilter string`
			`UserAttr string`
			`FlagField string`
			`TruthyVals []string`
			`Invert bool`
			`}`

			`// FetchVlessFlags returns map[email]enabled`
			`func FetchVlessFlags(cfg Config) (map[string]bool, error) {`
			`addr := fmt.Sprintf("%s:%d", cfg.Host, cfg.Port)`
			`var conn *ldap.Conn`
			`var err error`
			`if cfg.UseTLS {`
			`conn, err = ldap.DialTLS("tcp", addr, &tls.Config{InsecureSkipVerify: false})`
			`} else {`
			`conn, err = ldap.Dial("tcp", addr)`
			`}`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer conn.Close()`

			`if cfg.BindDN != "" {`
			`if err := conn.Bind(cfg.BindDN, cfg.Password); err != nil {`
			`return nil, err`
			`}`
			`}`

			`if cfg.UserFilter == "" {`
			`cfg.UserFilter = "(objectClass=person)"`
			`}`
			`if cfg.UserAttr == "" {`
			`cfg.UserAttr = "mail"`
			`}`
			`// if field not set we fallback to legacy vless_enabled`
			`if cfg.FlagField == "" {`
			`cfg.FlagField = "vless_enabled"`
			`}`

			`req := ldap.NewSearchRequest(`
			`cfg.BaseDN,`
			`ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,`
			`cfg.UserFilter,`
			`[]string{cfg.UserAttr, cfg.FlagField},`
			`nil,`
			`)`

			`res, err := conn.Search(req)`
			`if err != nil {`
			`return nil, err`
			`}`

			`result := make(map[string]bool, len(res.Entries))`
			`for _, e := range res.Entries {`
			`user := e.GetAttributeValue(cfg.UserAttr)`
			`if user == "" {`
			`continue`
			`}`
			`val := e.GetAttributeValue(cfg.FlagField)`
			`enabled := false`
			`for _, t := range cfg.TruthyVals {`
			`if val == t {`
			`enabled = true`
			`break`
			`}`
			`}`
			`if cfg.Invert {`
			`enabled = !enabled`
			`}`
			`result[user] = enabled`
			`}`
			`return result, nil`
			`}`

			`// AuthenticateUser searches user by cfg.UserAttr and attempts to bind with provided password.`
			`func AuthenticateUser(cfg Config, username, password string) (bool, error) {`
			`addr := fmt.Sprintf("%s:%d", cfg.Host, cfg.Port)`
			`var conn *ldap.Conn`
			`var err error`
			`if cfg.UseTLS {`
			`conn, err = ldap.DialTLS("tcp", addr, &tls.Config{InsecureSkipVerify: false})`
			`} else {`
			`conn, err = ldap.Dial("tcp", addr)`
			`}`
			`if err != nil {`
			`return false, err`
			`}`
			`defer conn.Close()`

			`// Optional initial bind for search`
			`if cfg.BindDN != "" {`
			`if err := conn.Bind(cfg.BindDN, cfg.Password); err != nil {`
			`return false, err`
			`}`
			`}`

			`if cfg.UserFilter == "" {`
			`cfg.UserFilter = "(objectClass=person)"`
			`}`
			`if cfg.UserAttr == "" {`
			`cfg.UserAttr = "uid"`
			`}`

			`// Build filter to find specific user`
			`filter := fmt.Sprintf("(&%s(%s=%s))", cfg.UserFilter, cfg.UserAttr, ldap.EscapeFilter(username))`
			`req := ldap.NewSearchRequest(`
			`cfg.BaseDN,`
			`ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 1, 0, false,`
			`filter,`
			`[]string{"dn"},`
			`nil,`
			`)`
			`res, err := conn.Search(req)`
			`if err != nil {`
			`return false, err`
			`}`
			`if len(res.Entries) == 0 {`
			`return false, nil`
			`}`
			`userDN := res.Entries[0].DN`
			`// Try to bind as the user`
			`if err := conn.Bind(userDN, password); err != nil {`
			`return false, nil`
			`}`
			`return true, nil`
			`}`