First follow 《1107-FreeIPA 和 FreeRadius 搭建双因子认证》 (FreeIPA and FreeRadius two-factor authentication setup) to finish configuring the FreeIPA environment.
vi my-api/config.json
...
  "ldapLogin": {
    "enable": true,
    "server": "ldap://ldap.bybon.cn",
    "baseDn": "uid=manager,cn=users,cn=accounts,dc=bybon,dc=cn",
    "bindPassword": "xxxxxxxx",
    "searchDn": "cn=users,cn=accounts,dc=bybon,dc=cn",
    "searchStandard": "mail",
    "emailPostfix": "@bybon.cn",
    "emailKey": "mail",
    "usernameKey": "displayName"
  }
One change is needed here: vi my-yapi/vendors/server/controllers/user.js
The reason: at login, YApi's logic first takes the user's email, extracts the username part from it, and only then appends the email domain from the config.
That order does not work against LDAP, so change it to the form below; after that you can log in by entering the LDAP username directly.
  /**
   * LDAP login
   * @interface /user/login_by_ldap
   * @method
   * @category user
   * @foldnumber 10
   * @param {String} email email address, must not be empty
   * @param {String} password password, must not be empty
   * @returns {Object}
   *
   */
  async getLdapAuth(ctx) {
    try {
      const { email, password } = ctx.request.body;
      // Original upstream lines, kept commented out for reference:
      //no const username = email.split(/\@/g)[0];
      //1 const { info: ldapInfo } = await ldap.ldapQuery(email, password);
      //2 const emailPrefix = email.split(/\@/g)[0];
      //3 const emailPostfix = yapi.WEBCONFIG.ldapLogin.emailPostfix;
      //zrr  start of change: build "<prefix><postfix>" first, then query LDAP with it
      const emailPrefix = email.split(/\@/g)[0];
      const emailPostfix = yapi.WEBCONFIG.ldapLogin.emailPostfix;
      const { info: ldapInfo } = await ldap.ldapQuery(
        emailPostfix ? emailPrefix + emailPostfix : email,
        password
      );
      //zrr  end of change
      const emailParams =
        ldapInfo[yapi.WEBCONFIG.ldapLogin.emailKey || 'mail'] ||
        (emailPostfix ? emailPrefix + emailPostfix : email);
      const username = ldapInfo[yapi.WEBCONFIG.ldapLogin.usernameKey] || emailPrefix;
      // ... (remainder of getLdapAuth not shown in the original note)
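To check the patched logic without a running FreeIPA, here is an added example (my own code, not YApi's): it reproduces the identity-resolution steps above with ldap.ldapQuery replaced by a stub over a constructed directory, and shows what a bare username, an address typed with a foreign domain, and entries missing the mail or displayName attribute resolve to. The names resolveLoginIdentity, resolveLdapUser, fakeLdapQuery, FAKE_DIRECTORY, its entries and the password are all constructed; the RFC 4515 escaping assumes the lookup value ends up inside a filter of the form (mail=<value>).

```javascript
// Added example, not YApi's code: a stand-alone model of the patched
// getLdapAuth identity resolution, with ldap.ldapQuery replaced by a stub.

// Escape a value before placing it in an LDAP search filter (RFC 4515),
// a standard precaution whenever user input reaches a filter.
function escapeLdapFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (c) =>
    '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Value the patched controller hands to ldapQuery: the part before '@'
// plus the configured postfix, or the raw input when no postfix is set.
// Note that any domain the user typed is discarded in favour of the postfix.
function resolveLoginIdentity(email, emailPostfix) {
  const emailPrefix = email.split(/@/g)[0];
  return emailPostfix ? emailPrefix + emailPostfix : email;
}

// Constructed stand-in for the FreeIPA directory, keyed by the
// searchStandard attribute ("mail" in the config above).
const FAKE_DIRECTORY = {
  'alice@bybon.cn': { mail: 'alice@bybon.cn', displayName: 'Alice Liddell' },
  'bob@bybon.cn': { displayName: 'Bob' },         // entry without a mail attribute
  'carol@bybon.cn': { mail: 'carol@bybon.cn' },   // entry without a displayName
};
const FAKE_PASSWORD = 'correct-horse'; // constructed; every entry shares it

// Stub for ldap.ldapQuery: builds the filter the lookup would use and
// returns { filter, info }, or throws when the entry or password is wrong.
function fakeLdapQuery(lookupValue, password) {
  const filter = `(mail=${escapeLdapFilterValue(lookupValue)})`;
  const info = FAKE_DIRECTORY[lookupValue];
  if (!info || password !== FAKE_PASSWORD) throw new Error('invalid credentials');
  return { filter, info };
}

// Same steps as the patched controller; returns what YApi would store.
function resolveLdapUser(email, password, ldapLogin) {
  const emailPrefix = email.split(/@/g)[0];
  const lookup = resolveLoginIdentity(email, ldapLogin.emailPostfix);
  const { info: ldapInfo } = fakeLdapQuery(lookup, password);
  const emailParams = ldapInfo[ldapLogin.emailKey || 'mail'] || lookup;
  const username = ldapInfo[ldapLogin.usernameKey] || emailPrefix;
  return { emailParams, username };
}
```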