Merge pull request vesoft-inc#1 from panda-sheep/support_ldap

support ldap
liwenhui-soul · Aug 25, 2021 · 9498250 · 9498250
2 parents ef73a36 + b62a086
commit 9498250
Show file tree

Hide file tree

Showing 14 changed files with 626 additions and 7 deletions.
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -45,14 +45,14 @@ jobs:
           - ubuntu2004
         compiler:
           - gcc-9.2
-          - clang-9
+          - clang-10
         exclude:
           - os: centos7
-            compiler: clang-9
+            compiler: clang-10
     container:
       image: vesoft/nebula-dev:${{ matrix.os }}
       env:
-        TOOLSET_DIR: /opt/vesoft/toolset/clang/9.0.0
+        TOOLSET_DIR: /opt/vesoft/toolset/clang/10.0.0
         CCACHE_DIR: /tmp/ccache/nebula/${{ matrix.os }}-${{ matrix.compiler }}
         CCACHE_MAXSIZE: 8G
       volumes:

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -13,10 +13,11 @@
 #   NEBULA_OTHER_ROOT               -- Specify the root directory for user build
 #                                   -- Split with ":", exp: DIR:DIR
 #
-#   ENABLE_JEMALLOC                -- Link jemalloc into all executables
-#   ENABLE_NATIVE                  -- Build native client
-#   ENABLE_TESTING                 -- Build unit test
-#   ENABLE_PACK_ONE                -- Package to one or multi packages
+#   ENABLE_JEMALLOC                 -- Link jemalloc into all executables
+#   ENABLE_NATIVE                   -- Build native client
+#   ENABLE_TESTING                  -- Build unit test
+#   ENABLE_PACK_ONE                 -- Package to one or multi packages
+#   ENABLE_LDAP                     -- Link ldap for ldap authentication
 
 # CMake version check
 cmake_minimum_required(VERSION 3.9.0)

diff --git a/cmake/FindLdap.cmake b/cmake/FindLdap.cmake
@@ -0,0 +1,29 @@
+# - Try to find Ldap includes dirs and libraries
+#
+# Usage of this module as follows:
+#
+#     find_package(Ldap)
+#
+# Variables used by this module, they can change the default behaviour and need
+# to be set before calling find_package:
+#
+# Variables defined by this module:
+#
+#  Ldap_FOUND            System has Ldap, include and lib dirs found
+#  Ldap_INCLUDE_DIR      The Ldap includes directories.
+#  Ldap_LIBRARY          The Ldap library.
+
+find_path(Ldap_INCLUDE_DIR NAMES ldap.h)
+find_library(Ldap_LIBRARY NAMES ldap)
+
+if(Ldap_INCLUDE_DIR AND Ldap_LIBRARY)
+    set(Ldap_FOUND TRUE)
+    mark_as_advanced(
+        Ldap_INCLUDE_DIR
+        Ldap_LIBRARY
+    )
+endif()
+
+if(NOT Ldap_FOUND)
+    message(FATAL_ERROR "Ldap doesn't exist")
+endif()
diff --git a/cmake/nebula/ConfigNebulaCommon.cmake b/cmake/nebula/ConfigNebulaCommon.cmake
@@ -28,6 +28,7 @@ macro(config_nebula_common)
                 -DNEBULA_THIRDPARTY_ROOT=${NEBULA_THIRDPARTY_ROOT}
                 -DNEBULA_OTHER_ROOT=${NEBULA_OTHER_ROOT}
                 -DENABLE_JEMALLOC=${ENABLE_JEMALLOC}
+                -DENABLE_LDAP=${ENABLE_LDAP}
                 -DENABLE_TESTING=OFF
                 -DENABLE_CCACHE=${ENABLE_CCACHE}
                 -DENABLE_ASAN=${ENABLE_ASAN}

diff --git a/cmake/nebula/GeneralCMakeOptions.cmake b/cmake/nebula/GeneralCMakeOptions.cmake
@@ -4,6 +4,7 @@ option(ENABLE_TESTING                   "Build unit tests" ON)
 option(ENABLE_CCACHE                    "Use ccache to speed up compiling" ON)
 option(ENABLE_WERROR                    "Regard warnings as errors" ON)
 option(ENABLE_JEMALLOC                  "Use jemalloc as memory allocator" ON)
+option(ENABLE_LDAP                      "Enable ldap" OFF)
 option(ENABLE_ASAN                      "Build with AddressSanitizer" OFF)
 option(ENABLE_UBSAN                     "Build with UndefinedBehaviourSanitizer" OFF)
 option(ENABLE_TSAN                      "Build with ThreadSanitizer" OFF)

diff --git a/cmake/nebula/NebulaCMakeMacros.cmake b/cmake/nebula/NebulaCMakeMacros.cmake
@@ -87,6 +87,7 @@ macro(nebula_link_libraries target)
         boost_filesystem
         boost_program_options
         event
+        ldap
         double-conversion
         s2
         ${OPENSSL_SSL_LIBRARY}

diff --git a/cmake/nebula/ThirdPartyConfig.cmake b/cmake/nebula/ThirdPartyConfig.cmake
@@ -89,6 +89,9 @@ find_package(Googletest REQUIRED)
 if(ENABLE_JEMALLOC)
     find_package(Jemalloc REQUIRED)
 endif()
+if(ENABLE_LDAP)
+    find_package(Ldap REQUIRED)
+endif()
 find_package(Libevent REQUIRED)
 find_package(Proxygen REQUIRED)
 find_package(Rocksdb REQUIRED)

diff --git a/src/graph/service/CMakeLists.txt b/src/graph/service/CMakeLists.txt
@@ -25,5 +25,6 @@ nebula_add_library(
     PermissionCheck.cpp
     PasswordAuthenticator.cpp
     CloudAuthenticator.cpp
+    LdapAuthenticator.cpp
 )
 
diff --git a/src/graph/service/GraphFlags.cpp b/src/graph/service/GraphFlags.cpp
@@ -62,3 +62,38 @@ DEFINE_bool(disable_octal_escape_char,
             false,
             "Octal escape character will be disabled"
             " in next version to ensure compatibility with cypher.");
+
+// LDAP authentication common parameters
+DEFINE_string(ldap_server,
+              "",
+              "list of ldap server addresses, "
+              "separate multiple addresses with comma");
+DEFINE_int32(ldap_port, 0, "Ldap server port, if no port is specified, use the default port");
+DEFINE_string(ldap_scheme, "ldap", "Only support ldap");
+DEFINE_bool(ldap_tls,
+            false,
+            "Whether the connection between graphd and the LDAP server uses "
+            "TLS encryption");
+
+// LDAP authentication simple bind mode parameters
+DEFINE_string(ldap_prefix,
+              "",
+              "Prepend the string to the user name "
+              "to form the distinguished name");
+DEFINE_string(ldap_suffix,
+              "",
+              "Append the string to the user name "
+              "to form the distinguished name");
+
+// LDAP authentication search bind mode parameters
+DEFINE_string(ldap_basedn, "", "Root distinguished name to search the user");
+DEFINE_string(ldap_binddn,
+              "",
+              "User distinguished name binding to the "
+              "directory to perform the search");
+DEFINE_string(ldap_bindpasswd,
+              "",
+              "User password binding to the directory "
+              "to perform the search");
+DEFINE_string(ldap_searchattribute, "", "Attribute to match the user name in the search");
+DEFINE_string(ldap_searchfilter, "", "Use search filter, more flexible than searchattribut");
diff --git a/src/graph/service/GraphFlags.h b/src/graph/service/GraphFlags.h
@@ -46,4 +46,21 @@ DECLARE_int64(max_allowed_connections);
 
 DECLARE_string(local_ip);
 
+// LDAP authentication common parameters
+DECLARE_string(ldap_server);
+DECLARE_int32(ldap_port);
+DECLARE_string(ldap_scheme);
+DECLARE_bool(ldap_tls);
+
+// LDAP authentication simple bind mode parameters
+DECLARE_string(ldap_prefix);
+DECLARE_string(ldap_suffix);
+
+// LDAP authentication search bind mode parameters
+DECLARE_string(ldap_basedn);
+DECLARE_string(ldap_binddn);
+DECLARE_string(ldap_bindpasswd);
+DECLARE_string(ldap_searchattribute);
+DECLARE_string(ldap_searchfilter);
+
 #endif  // GRAPH_GRAPHFLAGS_H_
diff --git a/src/graph/service/GraphService.cpp b/src/graph/service/GraphService.cpp
@@ -13,6 +13,7 @@
 #include "common/time/TimezoneInfo.h"
 #include "graph/service/CloudAuthenticator.h"
 #include "graph/service/GraphFlags.h"
+#include "graph/service/LdapAuthenticator.h"
 #include "graph/service/PasswordAuthenticator.h"
 #include "graph/service/RequestContext.h"
 #include "graph/stats/StatsDef.h"
@@ -163,7 +164,11 @@ bool GraphService::auth(const std::string& username, const std::string& password
   } else if (FLAGS_auth_type == "cloud") {
     auto authenticator = std::make_unique<CloudAuthenticator>(queryEngine_->metaClient());
     return authenticator->auth(username, password);
+  } else if (FLAGS_auth_type == "ldap") {
+    auto authenticator = std::make_unique<LdapAuthenticator>(queryEngine_->metaClient());
+    return authenticator->auth(username, password);
   }
+
   LOG(WARNING) << "Unknown auth type: " << FLAGS_auth_type;
   return false;
 }