feat(ldap): support starttls and ldaps

Signed-off-by: Wei Zhang <[email protected]>
TabbyML · Dec 30, 2024 · f2c9abd · f2c9abd
1 parent 65d73c5
commit f2c9abd
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 7 deletions.
diff --git a/ee/tabby-webserver/src/ldap.rs b/ee/tabby-webserver/src/ldap.rs
@@ -1,31 +1,50 @@
 use anyhow::anyhow;
 use async_trait::async_trait;
-use ldap3::{drive, LdapConnAsync, Scope, SearchEntry};
-use tabby_schema::{CoreError, Result};
+use ldap3::{drive, LdapConnAsync, LdapConnSettings, Scope, SearchEntry};
+use tabby_schema::{email::Encryption, CoreError, Result};
 
 #[async_trait]
 pub trait LdapClient: Send + Sync {
     async fn validate(&mut self, user: &str, password: &str) -> Result<LdapUser>;
 }
 
 pub fn new_ldap_client(
-    host: String,
+    host: &str,
     port: i64,
+    encryption: &str,
+    skip_verify_tls: bool,
     bind_dn: String,
     bind_password: String,
     base_dn: String,
     user_filter: String,
     email_attr: String,
     name_attr: String,
 ) -> impl LdapClient {
+    let mut settings = LdapConnSettings::new();
+    if encryption == "starttls" {
+        settings = settings.set_starttls(true);
+    };
+    if skip_verify_tls {
+        settings = settings.set_no_tls_verify(true);
+    };
+
+    let schema = if encryption == "ldaps" {
+        "ldaps"
+    } else {
+        "ldap"
+    };
+
     LdapClientImpl {
-        address: format!("ldap://{}:{}", host, port),
+        address: format!("{}://{}:{}", schema, host, port),
         bind_dn,
         bind_password,
         base_dn,
         user_filter,
+
         email_attr,
         name_attr,
+
+        settings,
     }
 }
 
@@ -38,6 +57,8 @@ pub struct LdapClientImpl {
 
     email_attr: String,
     name_attr: String,
+
+    settings: LdapConnSettings,
 }
 
 pub struct LdapUser {
@@ -48,7 +69,8 @@ pub struct LdapUser {
 #[async_trait]
 impl LdapClient for LdapClientImpl {
     async fn validate(&mut self, user: &str, password: &str) -> Result<LdapUser> {
-        let (connection, mut client) = LdapConnAsync::new(&self.address).await?;
+        let (connection, mut client) =
+            LdapConnAsync::with_settings(self.settings.clone(), &self.address).await?;
         drive!(connection);
 
         // use bind_dn to search

diff --git a/ee/tabby-webserver/src/service/auth.rs b/ee/tabby-webserver/src/service/auth.rs
@@ -582,8 +582,10 @@ impl AuthenticationService for AuthenticationServiceImpl {
 
     async fn test_ldap_connection(&self, input: UpdateLdapCredentialInput) -> Result<()> {
         let mut client = ldap::new_ldap_client(
-            input.host,
+            input.host.as_ref(),
             input.port as i64,
+            input.encryption.as_enum_str(),
+            input.skip_tls_verify,
             input.bind_dn,
             input.bind_password,
             input.base_dn,
@@ -670,8 +672,10 @@ async fn ldap_login(
 
     let credential = credential.unwrap();
     let mut client = ldap::new_ldap_client(
-        credential.host,
+        credential.host.as_ref(),
         credential.port,
+        credential.encryption.as_str(),
+        credential.skip_tls_verify,
         credential.bind_dn,
         credential.bind_password,
         credential.base_dn,