add ForceSearchForSamAccountName option to ldap query settings

abbas-gheydi · May 31, 2024 · de64dee · de64dee
1 parent 1d5a06d
commit de64dee
Show file tree

Hide file tree

Showing 18 changed files with 809 additions and 93 deletions.
diff --git a/deploy/config/radiusd.conf b/deploy/config/radiusd.conf
@@ -1,23 +1,26 @@
 # radOTP configuratio file
-# by default radOTP search for this file in current path, else it tries /etc/radotp/ (recommended location)
+# by default radOTP search for this file in "/etc/radotp/", else it tries current path.
 
 [radius]
 	# ListenAddress is Radius server address
 	ListenAddress = "0.0.0.0:1812"
 	# Secret is common world bitween RadOTP and nas clients like Cisco or Fortinate firewalles to encrypt passwords.
 	Secret = "secret"
 	# Authentication_Mode is the key to set radius server authentication behavior
-	# Authentication_Mode = "only_password" , "only_otp" , "two_fa", "two_fa_optional_otp"
-	Authentication_Mode = "two_fa_optional_otp"
-	#Enable_Fortinet_Group_Name gets groups from ldap,it only works with "only_password" and "two_fa" authentication mode
+    #Authentication_Mode = "only_password" This mode authenticates users against an Active Directory LDAP/LDAPS server. Users only need to enter their AD password to log in.
+    #Authentication_Mode = "only_otp" This mode authenticates users with an OTP database only. Users only need to enter a one-time password (OTP) code to log in.
+    #Authentication_Mode = "two_fa" This mode enables two-factor authentication (2FA). Users need to enter both their AD password and an OTP code to log in.
+    #Authentication_Mode = "two_fa_optional_otp" This mode is similar to two_fa, but it only applies 2FA to users who have an OTP in the database. Users who do not have an OTP can log in with their AD password only.
+    Authentication_Mode = "two_fa"
+	# Enable_Fortinet_Group_Name gets groups from ldap,it only works with "only_password" and "two_fa" authentication mode
 	Enable_Fortinet_Group_Name = false
 
 [web]
 	ListenHTTP = "0.0.0.0:8080"
 	ListenHTTPS = "0.0.0.0:8081"
 	RedirectToHTTPS = true
 	RedirectToHTTPSPortNumber = "443"
-	#Isuuer is qr code issueer name,it appears in google athenticator app
+	# Isuuer is qr code issueer name,it appears in google athenticator app
 	Isuuer = "company.local"
 	EnableRestApi = false
 	Apikey = "test"
@@ -44,24 +47,29 @@
 	# then Fortinet_Group_Name AVP sets in radius response.
 	# FortiGroups = [ "vpnadmins", "vpnusers" ]
 
-	#LdapGroupsFilter = "vpn users"
+	# LdapGroupsFilter = "vpn users"
 
 	# ldap server address (domain controller address)
 	ldapServers = [ "127.0.0.1" , "192.168.1.12"]
 
-	#basedn is domain name in active directory, test.local is "DC=test,DC=local" for example
+	# basedn is domain name in active directory, test.local is "DC=test,DC=local" for example
 	basedn = "DC=test,DC=local"
 
 	port = 389
 
-	#security is ldap security level settings
+	# security is ldap security level settings
 	#### to enable tls on Active directory https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
-	#security = 0 is SecurityNone
-	#security = 1 is SecurityTLS
-	#security = 2 is SecurityStartTLS
-	#security = 3 is SecurityInsecureTLS
-	#security = 4 is SecurityInsecureStartTLS
+	# security = 0 is SecurityNone
+	# security = 1 is SecurityTLS
+	# security = 2 is SecurityStartTLS
+	# security = 3 is SecurityInsecureTLS
+	# security = 4 is SecurityInsecureStartTLS
 	security = 0
+
+	# When ForceSearchForSamAccountName is set to true, the LDAP query will forcefully search for SamAccountName.
+	# By default, this setting is false, which means that if set to false, the search will be conducted for userPrincipalName instead
+	ForceSearchForSamAccountName = false
+
 
 [metrics]
 	# prometheus exporter settings.

diff --git a/go.mod b/go.mod
@@ -18,6 +18,7 @@ require (
 
 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e // indirect
+	github.com/abbas-gheydi/go-ad-auth/v3 v3.4.41 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect

diff --git a/go.sum b/go.sum
@@ -62,6 +62,8 @@ github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3
 github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc=
 github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
+github.com/abbas-gheydi/go-ad-auth/v3 v3.4.41 h1:5xm0QEIGGExRRR1UWHYlekmH3xlahcm4dsyODaQK5CM=
+github.com/abbas-gheydi/go-ad-auth/v3 v3.4.41/go.mod h1:hEFwR0rdKWT0OpQPGztCV+eFXdRoaUfKB2LM0Kd84bw=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=

diff --git a/pkgs/authentiate/ldap.go b/pkgs/authentiate/ldap.go
@@ -6,7 +6,7 @@ import (
 	"sync"
 	"time"
 
-	ldapAuth "github.com/korylprince/go-ad-auth/v3"
+	ldapAuth "github.com/abbas-gheydi/go-ad-auth/v3"
 )
 
 var (

diff --git a/pkgs/confs/confs.go b/pkgs/confs/confs.go
@@ -23,8 +23,8 @@ func (c *Configurations) Load() {
 
 	viper.SetConfigName("radiusd.conf")
 	viper.SetConfigType("toml")
-	viper.AddConfigPath("/etc/motp/")
 	viper.AddConfigPath("/etc/radotp/")
+	viper.AddConfigPath("/etc/motp/")
 	viper.AddConfigPath(".")
 	err := viper.ReadInConfig()
 	if err != nil {
@@ -65,10 +65,11 @@ type databaseconf struct {
 }
 
 type LdapProvider struct {
-	FortiGroups      []string
-	LdapGroupsFilter string
-	LdapServers      []string
-	Basedn           string
-	Port             int
-	Security         int
+	FortiGroups                  []string
+	LdapGroupsFilter             string
+	LdapServers                  []string
+	Basedn                       string
+	Port                         int
+	Security                     int
+	ForceSearchForSamAccountName bool
 }
diff --git a/pkgs/confs/load.go b/pkgs/confs/load.go
@@ -7,7 +7,7 @@ import (
 	"github.com/Abbas-gheydi/radotp/pkgs/rad"
 	"github.com/Abbas-gheydi/radotp/pkgs/storage"
 	"github.com/Abbas-gheydi/radotp/pkgs/web"
-	ldapAuth "github.com/korylprince/go-ad-auth/v3"
+	ldapAuth "github.com/abbas-gheydi/go-ad-auth/v3"
 )
 
 var Cfg Configurations
@@ -41,6 +41,7 @@ func LoadConfigs() {
 	rad.Auth_Provider.LdapConfig.Security = ldapAuth.SecurityType(Cfg.Ldap.Security)
 	rad.Auth_Provider.LdapConfig.Server = Cfg.Ldap.LdapServers[0]
 	rad.Auth_Provider.LdapServers = Cfg.Ldap.LdapServers
+	rad.Auth_Provider.LdapConfig.ForceSearchForSamAccountName = Cfg.Ldap.ForceSearchForSamAccountName
 
 	//database configs
 	storage.Dsn = fmt.Sprintf("host=%v user=%v password=%v dbname=%v port=%v sslmode=%v TimeZone=%v", Cfg.Database.Server, Cfg.Database.Username, Cfg.Database.Password, Cfg.Database.Dbname, Cfg.Database.Port, Cfg.Database.Sslmode, Cfg.Database.Timezone)

diff --git a/radiusd.conf b/radiusd.conf
diff --git a/radiusd.conf b/radiusd.conf
@@ -0,0 +1 @@
+deploy/config/radiusd.conf
diff --git a/vendor/github.com/abbas-gheydi/go-ad-auth/v3/.gitignore b/vendor/github.com/abbas-gheydi/go-ad-auth/v3/.gitignore
diff --git a/vendor/github.com/abbas-gheydi/go-ad-auth/v3/LICENSE b/vendor/github.com/abbas-gheydi/go-ad-auth/v3/LICENSE
diff --git a/vendor/github.com/abbas-gheydi/go-ad-auth/v3/README.md b/vendor/github.com/abbas-gheydi/go-ad-auth/v3/README.md
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,7 +6,7 @@ import ( @@
     	"sync"
     	"time"
-    	ldapAuth "github.com/korylprince/go-ad-auth/v3"
+    	ldapAuth "github.com/abbas-gheydi/go-ad-auth/v3"
     )
     var (
@@ Expand Down @@