Add enterprise level LDAP authentication

2025-03-11 14:51:22 +08:00 · 2025-03-11 14:51:22 +08:00 · d1ed6ddd9d
commit d1ed6ddd9d
parent 785e83b221
5 changed files with 17 additions and 15 deletions
--- a/api/app_factory.py
+++ b/api/app_factory.py
@ -38,7 +38,6 @@ def create_app() -> DifyApp:

 def initialize_extensions(app: DifyApp):
    from extensions import (
-        ext_ldap,
        ext_app_metrics,
        ext_blueprints,
        ext_celery,
@ -48,6 +47,7 @@ def initialize_extensions(app: DifyApp):
        ext_database,
        ext_hosting_provider,
        ext_import_modules,
+        ext_ldap,
        ext_logging,
        ext_login,
        ext_mail,
--- a/api/configs/app_config.py
+++ b/api/configs/app_config.py
@ -5,10 +5,10 @@ from pydantic.fields import FieldInfo
 from pydantic_settings import BaseSettings, PydanticBaseSettingsSource, SettingsConfigDict

 from .deploy import DeploymentConfig
-from .ldap import AuthenticationConfig
 from .enterprise import EnterpriseFeatureConfig
 from .extra import ExtraServiceConfig
 from .feature import FeatureConfig
+from .ldap import AuthenticationConfig
 from .middleware import MiddlewareConfig
 from .packaging import PackagingInfo
 from .remote_settings_sources import RemoteSettingsSource, RemoteSettingsSourceConfig, RemoteSettingsSourceName
--- a/api/configs/ldap/init.py
+++ b/api/configs/ldap/init.py
@ -1,4 +1,3 @@
-# -*- coding: utf-8 -*-
 """
@File    : __init__.py.py 
@Time    : 2025/3/6 {TIME}
@ -8,6 +7,7 @@
 from pydantic import Field
 from pydantic_settings import BaseSettings

+
 class AuthenticationConfig(BaseSettings):
    """LDAP authentication related configuration"""
    # LDAP Authentication
--- a/api/extensions/ext_ldap.py
+++ b/api/extensions/ext_ldap.py
@ -1,17 +1,19 @@
-# -*- coding: utf-8 -*-
 """
@File    : ext_ldap.py 
@Time    : 2025/3/5 {TIME}
@Author  : xxlaila
@Software: dify
 """
-from flask_ldap3_login import LDAP3LoginManager
-from configs import dify_config
-from dify_app import DifyApp
 import json
 import logging
 from queue import Queue
-from ldap3 import Server, Connection, ALL
+
+from flask_ldap3_login import LDAP3LoginManager
+from ldap3 import ALL, Connection, Server
+
+from configs import dify_config
+from dify_app import DifyApp
+

 def is_enabled():
    return getattr(dify_config, 'LDAP_ENABLED', False)
@ -54,7 +56,7 @@ def get_ldap_connection():
                    return new_conn
                raise Exception("LDAP connection reconstruction failed")
        except Exception as e:
-            logging.error(f"LDAP connection recovery failed: {str(e)}")
+            logging.exception(f"LDAP connection recovery failed: {e}")
            raise
    return conn

@ -67,7 +69,7 @@ def release_ldap_connection(conn):
        conn.open()  # Reopen connection without binding
        LDAP_POOL.put(conn)
    except Exception as e:
-        logging.error(f"Failed to recycle LDAP connection: {str(e)}")
+        logging.exception(f"Failed to recycle LDAP connection: {str(e)}")
        conn.unbind()

 def init_app(app: DifyApp):
--- a/api/services/account_service.py
+++ b/api/services/account_service.py
@ -8,6 +8,8 @@ from datetime import UTC, datetime, timedelta
 from hashlib import sha256
 from typing import Any, Optional, cast

+from flask import current_app as app
+from ldap3 import Connection, Server
 from pydantic import BaseModel
 from sqlalchemy import func
 from sqlalchemy.orm import Session
@ -17,6 +19,7 @@ from configs import dify_config
 from constants.languages import language_timezone_mapping, languages
 from events.tenant_event import tenant_was_created
 from extensions.ext_database import db
+from extensions.ext_ldap import get_ldap_connection, release_ldap_connection
 from extensions.ext_redis import redis_client
 from libs.helper import RateLimiter, TokenManager
 from libs.passport import PassportService
@ -57,10 +60,7 @@ from tasks.mail_account_deletion_task import send_account_deletion_verification_
 from tasks.mail_email_code_login import send_email_code_login_mail_task
 from tasks.mail_invite_member_task import send_invite_member_mail_task
 from tasks.mail_reset_password_task import send_reset_password_mail_task
-from extensions.ext_ldap import get_ldap_connection, release_ldap_connection
-from ldap3 import Server, Connection, ALL

-from flask import current_app as app

 class TokenPair(BaseModel):
    access_token: str
@ -217,7 +217,7 @@ class AccountService:
                    finally:
                        release_ldap_connection(conn)
        except Exception as e:
-            logging.error(f"LDAP authentication error: {str(e)}")
+            logging.exception(f"LDAP authentication error: {str(e)}")

        # Perform local authentication only if LDAP authentication explicitly fails
        if not is_ldap_success:
@ -303,7 +303,7 @@ class AccountService:

        except Exception as e:
            db.session.rollback()  # Transaction rollback to prevent database pollution
-            logging.error(f"Failed to create LDAP user or add to tenant: {str(e)}")
+            logging.exception(f"Failed to create LDAP user or add to tenant: {str(e)}")
            raise AccountRegisterError("Failed to create LDAP user.")

    @staticmethod