Merge pull request #1 from joestump/joestump-add-ldap

Rebase old LDAP PR against upstream main

.github/workflows/pipeline.yml

@@ -370,8 +370,8 @@ jobs:
           GIT_TAG: ${{ needs.git-version.outputs.git_tag }}
         run: |
           rm -rf binaries/msi
-          sudo GIT_TAG=$GIT_TAG release/wix/build_msi.sh ${GITHUB_WORKSPACE} 386
-          sudo GIT_TAG=$GIT_TAG release/wix/build_msi.sh ${GITHUB_WORKSPACE} amd64
+          sudo GIT_TAG=${GIT_TAG:-0.0.0-dev} release/wix/build_msi.sh ${GITHUB_WORKSPACE} 386
+          sudo GIT_TAG=${GIT_TAG:-0.0.0-dev} release/wix/build_msi.sh ${GITHUB_WORKSPACE} amd64
           du -h binaries/msi/*.msi
 
       - name: Upload MSI files
@@ -464,4 +464,4 @@ jobs:
 #        run: |
 #          for artifact in $(gh api repos/${{ github.repository }}/actions/artifacts | jq -r '.artifacts[] | select(.name | startswith("packages")) | .id'); do
 #            gh api --method DELETE repos/${{ github.repository }}/actions/artifacts/$artifact
-#          done
+#          done

conf/configuration.go

@@ -98,6 +98,7 @@ type configOptions struct {
 	PID                             pidOptions          `json:",omitzero"`
 	Inspect                         inspectOptions      `json:",omitzero"`
 	Subsonic                        subsonicOptions     `json:",omitzero"`
+	LDAP                            ldapOptions         `json:",omitzero"`
 	LastFM                          lastfmOptions       `json:",omitzero"`
 	Spotify                         spotifyOptions      `json:",omitzero"`
 	Deezer                          deezerOptions       `json:",omitzero"`
@@ -178,6 +179,16 @@ type spotifyOptions struct {
 	Secret string
 }
 
+type ldapOptions struct {
+	Host         string
+	BindDN       string
+	BindPassword string
+	Base         string
+	SearchFilter string
+	Mail         string
+	Name         string
+}
+
 type deezerOptions struct {
 	Enabled  bool
 	Language string
@@ -572,6 +583,7 @@ func setViperDefaults() {
 	viper.SetDefault("defaulttheme", "Dark")
 	viper.SetDefault("defaultlanguage", "")
 	viper.SetDefault("defaultuivolume", consts.DefaultUIVolume)
+	viper.SetDefault("defaultdownsamplingformat", consts.DefaultDownsamplingFormat)
 	viper.SetDefault("enablereplaygain", true)
 	viper.SetDefault("enablecoveranimation", true)
 	viper.SetDefault("enablenowplaying", true)
@@ -620,6 +632,15 @@ func setViperDefaults() {
 	viper.SetDefault("deezer.language", "en")
 	viper.SetDefault("listenbrainz.enabled", true)
 	viper.SetDefault("listenbrainz.baseurl", "https://api.listenbrainz.org/1/")
+
+	viper.SetDefault("ldap.host", "ldap://localhost:389")
+	viper.SetDefault("ldap.binddn", "")
+	viper.SetDefault("ldap.bindpassword", "")
+	viper.SetDefault("ldap.base", "")
+	viper.SetDefault("ldap.searchfilter", "(&(objectClass=inetOrgPerson)(uid=%s))")
+	viper.SetDefault("ldap.mail", "mail")
+	viper.SetDefault("ldap.name", "cn")
+
 	viper.SetDefault("enablescrobblehistory", true)
 	viper.SetDefault("httpheaders.frameoptions", "DENY")
 	viper.SetDefault("backup.path", "")

go.mod

@@ -26,6 +26,7 @@ require (
 	github.com/go-chi/cors v1.2.2
 	github.com/go-chi/httprate v0.15.0
 	github.com/go-chi/jwtauth/v5 v5.3.3
+	github.com/go-ldap/ldap v3.0.3+incompatible
 	github.com/go-viper/encoding/ini v0.1.1
 	github.com/gohugoio/hashstructure v0.6.0
 	github.com/google/go-pipeline v0.0.0-20230411140531-6cbedfc1d3fc
@@ -68,7 +69,10 @@ require (
 	golang.org/x/term v0.38.0
 	golang.org/x/text v0.32.0
 	golang.org/x/time v0.14.0
+	golang.org/x/tools v0.40.0 // indirect
 	google.golang.org/protobuf v1.36.11
+	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -132,8 +136,6 @@ require (
 	golang.org/x/exp v0.0.0-20251209150349-8475f28825e9 // indirect
 	golang.org/x/mod v0.31.0 // indirect
 	golang.org/x/telemetry v0.0.0-20251203150158-8fff8a5912fc // indirect
-	golang.org/x/tools v0.40.0 // indirect
-	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/natefinch/npipe.v2 v2.0.0-20160621034901-c1b8fa8bdcce // indirect
 )
 

go.sum

@@ -76,6 +76,8 @@ github.com/go-chi/httprate v0.15.0 h1:j54xcWV9KGmPf/X4H32/aTH+wBlrvxL7P+SdnRqxh5
 github.com/go-chi/httprate v0.15.0/go.mod h1:rzGHhVrsBn3IMLYDOZQsSU4fJNWcjui4fWKJcCId1R4=
 github.com/go-chi/jwtauth/v5 v5.3.3 h1:50Uzmacu35/ZP9ER2Ht6SazwPsnLQ9LRJy6zTZJpHEo=
 github.com/go-chi/jwtauth/v5 v5.3.3/go.mod h1:O4QvPRuZLZghl9WvfVaON+ARfGzpD2PBX/QY5vUz7aQ=
+github.com/go-ldap/ldap v3.0.3+incompatible h1:HTeSZO8hWMS1Rgb2Ziku6b8a7qRIZZMHjsvuZyatzwk=
+github.com/go-ldap/ldap v3.0.3+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
@@ -392,6 +394,8 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
 google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d h1:TxyelI5cVkbREznMhfzycHdkp5cLA7DpE+GKjSslYhM=
+gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

server/auth.go

@@ -16,6 +16,7 @@ import (
 
 	"github.com/deluan/rest"
 	"github.com/go-chi/jwtauth/v5"
+	"github.com/go-ldap/ldap"
 	"github.com/navidrome/navidrome/conf"
 	"github.com/navidrome/navidrome/consts"
 	"github.com/navidrome/navidrome/core/auth"
@@ -154,7 +155,11 @@ func createAdminUser(ctx context.Context, ds model.DataStore, username, password
 }
 
 func validateLogin(userRepo model.UserRepository, userName, password string) (*model.User, error) {
-	u, err := userRepo.FindByUsernameWithPassword(userName)
+	u, err := validateLoginLDAP(userRepo, userName, password)
+	if u != nil && err == nil {
+		return u, nil
+	}
+	u, err = userRepo.FindByUsernameWithPassword(userName)
 	if errors.Is(err, model.ErrNotFound) {
 		return nil, nil
 	}
@@ -171,6 +176,93 @@ func validateLogin(userRepo model.UserRepository, userName, password string) (*m
 	return u, nil
 }
 
+func validateLoginLDAP(userRepo model.UserRepository, userName, password string) (*model.User, error) {
+	if conf.Server.LDAP.Host == "" {
+		return nil, nil
+	}
+
+	binduserdn := conf.Server.LDAP.BindDN
+	bindpassword := conf.Server.LDAP.BindPassword
+	mailAttr := conf.Server.LDAP.Mail
+	nameAttr := conf.Server.LDAP.Name
+
+	l, err := ldap.DialURL(conf.Server.LDAP.Host)
+	if err != nil {
+		log.Error(err)
+		return nil, nil
+	}
+	defer l.Close()
+
+	// First bind with a read only user
+	err = l.Bind(binduserdn, bindpassword)
+	if err != nil {
+		log.Error(err)
+		return nil, nil
+	}
+
+	// Search for the given username
+	searchRequest := ldap.NewSearchRequest(
+		conf.Server.LDAP.Base,
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+		fmt.Sprintf(conf.Server.LDAP.SearchFilter, ldap.EscapeFilter(userName)),
+		[]string{"dn", nameAttr, mailAttr},
+		nil,
+	)
+
+	sr, err := l.Search(searchRequest)
+	if err != nil {
+		log.Error(err)
+		return nil, nil
+	}
+
+	if len(sr.Entries) != 1 {
+		log.Error("User does not exist or too many entries returned")
+		return nil, nil
+	}
+
+	dn := sr.Entries[0].DN
+	mail := sr.Entries[0].GetAttributeValue(mailAttr)
+	name := sr.Entries[0].GetAttributeValue(nameAttr)
+
+	authenticated := true
+	// Bind as the user to verify their password
+	err = l.Bind(dn, password)
+
+	if err != nil {
+		log.Error(err)
+		authenticated = false
+	}
+
+	// Rebind as the read only user for any further queries
+	err = l.Bind(binduserdn, bindpassword)
+	if err != nil {
+		log.Error(err)
+	}
+
+	if !authenticated {
+		return nil, nil
+	}
+
+	u, err := userRepo.FindByUsername(userName)
+	if errors.Is(err, model.ErrNotFound) {
+		u = &model.User{UserName: userName}
+	}
+	u.Name = name
+	u.Email = mail
+	u.Password = password
+	err = userRepo.Put(u)
+	if err != nil {
+		log.Error("Could not update User", "user", userName)
+	}
+
+	err = userRepo.UpdateLastLoginAt(u.ID)
+	if err != nil {
+		log.Error("Could not update LastLoginAt", "user", userName)
+	}
+
+	return u, nil
+}
+
 func JWTVerifier(next http.Handler) http.Handler {
 	return jwtauth.Verify(auth.TokenAuth, tokenFromHeader, jwtauth.TokenFromCookie, jwtauth.TokenFromQuery)(next)
 }