From 1059630b9dd52e382abe486356cf342231a8b218 Mon Sep 17 00:00:00 2001 From: kuaifan Date: Thu, 16 Apr 2026 11:48:40 +0000 Subject: [PATCH] =?UTF-8?q?feat(ldap):=20=E6=94=AF=E6=8C=81=E9=9D=9E?= =?UTF-8?q?=E9=82=AE=E7=AE=B1=E7=94=A8=E6=88=B7=E5=90=8D=E7=99=BB=E5=BD=95?= =?UTF-8?q?=EF=BC=8C=E5=AE=8C=E5=96=84=20AD=20=E5=85=BC=E5=AE=B9=E6=80=A7?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 登录页放宽校验:登录模式允许任意账号格式,注册模式仍强制邮箱 - 登录属性新增 userPrincipalName 选项(AD 常用且通常是邮箱格式) - LDAP 用户缺少邮箱属性时返回明确错误提示,替代误导性的"请输入正确的邮箱地址" - LDAP 登录合并已有本地账号时记录 info 日志,便于审计 Co-Authored-By: Claude Opus 4.6 (1M context) --- app/Ldap/LdapUser.php | 10 ++++++++-- language/original-api.txt | 1 + language/original-web.txt | 1 + resources/assets/js/pages/login.vue | 7 ++++++- .../manage/setting/components/SystemThirdAccess.vue | 3 ++- 5 files changed, 18 insertions(+), 4 deletions(-) diff --git a/app/Ldap/LdapUser.php b/app/Ldap/LdapUser.php index ab549afd5..95afeae5c 100644 --- a/app/Ldap/LdapUser.php +++ b/app/Ldap/LdapUser.php @@ -2,6 +2,7 @@ namespace App\Ldap; +use App\Exceptions\ApiException; use App\Models\User; use App\Module\Base; use App\Services\RequestContext; @@ -76,7 +77,7 @@ class LdapUser extends Model public static function getLoginAttr(): string { $attr = Base::settingFind('thirdAccessSetting', 'ldap_login_attr'); - return in_array($attr, ['cn', 'uid', 'mail', 'sAMAccountName']) ? $attr : 'cn'; + return in_array($attr, ['cn', 'uid', 'mail', 'sAMAccountName', 'userPrincipalName']) ? $attr : 'cn'; } /** 
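Review bot: The allowlist in `getLoginAttr()` is checked with a loose `in_array`, so a non-string setting value such as `true` compares equal to the first entry and is returned in place of a valid attribute name. This value presumably becomes the attribute in the LDAP search filter, so the comparison is worth making exact while the list is being touched: `return in_array($attr, ['cn', 'uid', 'mail', 'sAMAccountName', 'userPrincipalName'], true) ? $attr : 'cn';`. Where the attribute is consumed lies outside this hunk, so that part is inferred.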
@@ -201,10 +202,15 @@ class LdapUser extends Model return null; } if (empty($user)) { - $email = self::getUserEmail($row) ?: $username; + $email = self::getUserEmail($row); + if (empty($email)) { + throw new ApiException('LDAP 用户缺少邮箱属性,请联系管理员配置'); + } $user = User::whereEmail($email)->first(); if (empty($user)) { $user = User::reg($email, $password); + } elseif (!$user->isLdap()) { + info("[LDAP] merged with existing local account: userid={$user->userid}, email={$email}"); } } if ($user) { diff --git a/language/original-api.txt b/language/original-api.txt index 1379d9b08..efe364f7e 100644 --- a/language/original-api.txt +++ b/language/original-api.txt @@ -973,3 +973,4 @@ AI 返回内容为空 此类型消息不支持转发 没有权限操作此任务 请选择要转发的消息 +LDAP 用户缺少邮箱属性,请联系管理员配置 diff --git a/language/original-web.txt b/language/original-web.txt index 0bb815e77..db088c189 100644 --- a/language/original-web.txt +++ b/language/original-web.txt @@ -2360,3 +2360,4 @@ AI任务分析 请选择生日 登录属性 用于匹配登录用户名的 LDAP 属性,Active Directory 请选择 sAMAccountName +请输入帐号 diff --git a/resources/assets/js/pages/login.vue b/resources/assets/js/pages/login.vue index 8e6e80bf6..08373d07c 100644 --- a/resources/assets/js/pages/login.vue +++ b/resources/assets/js/pages/login.vue @@ -507,11 +507,16 @@ export default { this.code = $A.trim(this.code) this.invite = $A.trim(this.invite) // - if (!$A.isEmail(this.email)) { + if (this.loginType == 'reg' && !$A.isEmail(this.email)) { $A.messageWarning("请输入正确的邮箱地址") this.$refs.email.focus() return } + if (!this.email) { + $A.messageWarning("请输入帐号") + this.$refs.email.focus() + return + } if (!this.password) { $A.messageWarning("请输入密码") this.$refs.password.focus() diff --git a/resources/assets/js/pages/manage/setting/components/SystemThirdAccess.vue b/resources/assets/js/pages/manage/setting/components/SystemThirdAccess.vue index e413cf709..d8b251ab4 100644 --- a/resources/assets/js/pages/manage/setting/components/SystemThirdAccess.vue 
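Review bot: The new `elseif (!$user->isLdap())` branch only logs when a directory login lands on an existing local account, so the mail value returned by the directory remains the sole proof that the LDAP user owns that account. Where directory users can edit their own mail attribute, or where it is not unique, this binds one person's LDAP login to another person's local account, which may be an administrator's. Consider making the merge opt-in through an admin setting and otherwise rejecting it with an `ApiException`. The event should also be recorded at warning level with the directory entry's DN and the submitted login name, not only `userid` and `email`. What happens inside `if ($user) {` lies outside the hunk, so the exact effect of the merge on the local account is inferred.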
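Review bot: With the e-mail check now limited to `this.loginType == 'reg'`, any non-empty string typed into the account field is sent to the login endpoint, so the server is the only place where the value is constrained. The PHP hunks in this commit do not show how the login name reaches the LDAP search filter. It should be confirmed that it is escaped first, for example with `ldap_escape($username, '', LDAP_ESCAPE_FILTER)` or the query builder's own binding, and that a length limit applies. The strict form `this.loginType === 'reg'` would also be preferable. The enclosing method starts and ends outside the hunk.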
+++ b/resources/assets/js/pages/manage/setting/components/SystemThirdAccess.vue @@ -35,10 +35,11 @@ - uid cn + uid mail sAMAccountName + userPrincipalName
{{$L('用于匹配登录用户名的 LDAP 属性,Active Directory 请选择 sAMAccountName')}}