fix

2023-11-21 18:10:30 +08:00 · 2023-11-21 18:10:30 +08:00 · 3c6aadb253
commit 3c6aadb253
parent 67035477c1
32 changed files with 143 additions and 78 deletions
--- a/server/ldap-admin/internal/handler/addldaporganizationmemberhandler.go
+++ b/server/ldap-admin/internal/handler/addldaporganizationmemberhandler.go
@ -15,7 +15,7 @@ func AddLdapOrganizationMemberHandler(svcCtx *svc.ServiceContext) http.HandlerFu
 	return func(w http.ResponseWriter, r *http.Request) {

 		var req types.AddLdapOrganizationMemberReq
-		userinfo, err := basic.RequestParse(w, r, svcCtx, &req)
+		_, err := basic.RequestParse(w, r, svcCtx, &req)
 		if err != nil {
 			return
 		}
@ -26,7 +26,7 @@ func AddLdapOrganizationMemberHandler(svcCtx *svc.ServiceContext) http.HandlerFu
 		rl := reflect.ValueOf(l)
 		basic.BeforeLogic(w, r, rl)

-		resp := l.AddLdapOrganizationMember(&req, userinfo)
+		resp := l.AddLdapOrganizationMember(&req, r)

 		if !basic.AfterLogic(w, r, rl, resp) {
 			basic.NormalAfterLogic(w, r, resp)
--- a/server/ldap-admin/internal/handler/createldaporganizationhandler.go
+++ b/server/ldap-admin/internal/handler/createldaporganizationhandler.go
@ -15,7 +15,7 @@ func CreateLdapOrganizationHandler(svcCtx *svc.ServiceContext) http.HandlerFunc
 	return func(w http.ResponseWriter, r *http.Request) {

 		var req types.CreateLdapOrganizationReq
-		userinfo, err := basic.RequestParse(w, r, svcCtx, &req)
+		_, err := basic.RequestParse(w, r, svcCtx, &req)
 		if err != nil {
 			return
 		}
@ -26,7 +26,7 @@ func CreateLdapOrganizationHandler(svcCtx *svc.ServiceContext) http.HandlerFunc
 		rl := reflect.ValueOf(l)
 		basic.BeforeLogic(w, r, rl)

-		resp := l.CreateLdapOrganization(&req, userinfo)
+		resp := l.CreateLdapOrganization(&req, r)

 		if !basic.AfterLogic(w, r, rl, resp) {
 			basic.NormalAfterLogic(w, r, resp)
--- a/server/ldap-admin/internal/handler/createldapuserbasegrouphandler.go
+++ b/server/ldap-admin/internal/handler/createldapuserbasegrouphandler.go
@ -15,7 +15,7 @@ func CreateLdapUserBaseGroupHandler(svcCtx *svc.ServiceContext) http.HandlerFunc
 	return func(w http.ResponseWriter, r *http.Request) {

 		var req types.Request
-		userinfo, err := basic.RequestParse(w, r, svcCtx, &req)
+		_, err := basic.RequestParse(w, r, svcCtx, &req)
 		if err != nil {
 			return
 		}
@ -26,7 +26,7 @@ func CreateLdapUserBaseGroupHandler(svcCtx *svc.ServiceContext) http.HandlerFunc
 		rl := reflect.ValueOf(l)
 		basic.BeforeLogic(w, r, rl)

-		resp := l.CreateLdapUserBaseGroup(&req, userinfo)
+		resp := l.CreateLdapUserBaseGroup(&req, r)

 		if !basic.AfterLogic(w, r, rl, resp) {
 			basic.NormalAfterLogic(w, r, resp)
--- a/server/ldap-admin/internal/handler/createldapuserhandler.go
+++ b/server/ldap-admin/internal/handler/createldapuserhandler.go
@ -15,7 +15,7 @@ func CreateLdapUserHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {

 		var req types.CreateLdapUserReq
-		userinfo, err := basic.RequestParse(w, r, svcCtx, &req)
+		_, err := basic.RequestParse(w, r, svcCtx, &req)
 		if err != nil {
 			return
 		}
@ -26,7 +26,7 @@ func CreateLdapUserHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
 		rl := reflect.ValueOf(l)
 		basic.BeforeLogic(w, r, rl)

-		resp := l.CreateLdapUser(&req, userinfo)
+		resp := l.CreateLdapUser(&req, r)

 		if !basic.AfterLogic(w, r, rl, resp) {
 			basic.NormalAfterLogic(w, r, resp)
--- a/server/ldap-admin/internal/handler/deleteldaporganizationhandler.go
+++ b/server/ldap-admin/internal/handler/deleteldaporganizationhandler.go
@ -15,7 +15,7 @@ func DeleteLdapOrganizationHandler(svcCtx *svc.ServiceContext) http.HandlerFunc
 	return func(w http.ResponseWriter, r *http.Request) {

 		var req types.DeleteLdapOrganizationReq
-		userinfo, err := basic.RequestParse(w, r, svcCtx, &req)
+		_, err := basic.RequestParse(w, r, svcCtx, &req)
 		if err != nil {
 			return
 		}
@ -26,7 +26,7 @@ func DeleteLdapOrganizationHandler(svcCtx *svc.ServiceContext) http.HandlerFunc
 		rl := reflect.ValueOf(l)
 		basic.BeforeLogic(w, r, rl)

-		resp := l.DeleteLdapOrganization(&req, userinfo)
+		resp := l.DeleteLdapOrganization(&req, r)

 		if !basic.AfterLogic(w, r, rl, resp) {
 			basic.NormalAfterLogic(w, r, resp)
--- a/server/ldap-admin/internal/handler/deleteldapuserhandler.go
+++ b/server/ldap-admin/internal/handler/deleteldapuserhandler.go
@ -15,7 +15,7 @@ func DeleteLdapUserHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {

 		var req types.DeleteLdapUserReq
-		userinfo, err := basic.RequestParse(w, r, svcCtx, &req)
+		_, err := basic.RequestParse(w, r, svcCtx, &req)
 		if err != nil {
 			return
 		}
@ -26,7 +26,7 @@ func DeleteLdapUserHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
 		rl := reflect.ValueOf(l)
 		basic.BeforeLogic(w, r, rl)

-		resp := l.DeleteLdapUser(&req, userinfo)
+		resp := l.DeleteLdapUser(&req, r)

 		if !basic.AfterLogic(w, r, rl, resp) {
 			basic.NormalAfterLogic(w, r, resp)
--- a/server/ldap-admin/internal/handler/getldaporganizationmembershandler.go
+++ b/server/ldap-admin/internal/handler/getldaporganizationmembershandler.go
@ -15,7 +15,7 @@ func GetLdapOrganizationMembersHandler(svcCtx *svc.ServiceContext) http.HandlerF
 	return func(w http.ResponseWriter, r *http.Request) {

 		var req types.GetLdapOrganizationMembersReq
-		userinfo, err := basic.RequestParse(w, r, svcCtx, &req)
+		_, err := basic.RequestParse(w, r, svcCtx, &req)
 		if err != nil {
 			return
 		}
@ -26,7 +26,7 @@ func GetLdapOrganizationMembersHandler(svcCtx *svc.ServiceContext) http.HandlerF
 		rl := reflect.ValueOf(l)
 		basic.BeforeLogic(w, r, rl)

-		resp := l.GetLdapOrganizationMembers(&req, userinfo)
+		resp := l.GetLdapOrganizationMembers(&req, r)

 		if !basic.AfterLogic(w, r, rl, resp) {
 			basic.NormalAfterLogic(w, r, resp)
--- a/server/ldap-admin/internal/handler/getldaporganizationshandler.go
+++ b/server/ldap-admin/internal/handler/getldaporganizationshandler.go
@ -15,7 +15,7 @@ func GetLdapOrganizationsHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {

 		var req types.Request
-		userinfo, err := basic.RequestParse(w, r, svcCtx, &req)
+		_, err := basic.RequestParse(w, r, svcCtx, &req)
 		if err != nil {
 			return
 		}
@ -26,7 +26,7 @@ func GetLdapOrganizationsHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
 		rl := reflect.ValueOf(l)
 		basic.BeforeLogic(w, r, rl)

-		resp := l.GetLdapOrganizations(&req, userinfo)
+		resp := l.GetLdapOrganizations(&req, r)

 		if !basic.AfterLogic(w, r, rl, resp) {
 			basic.NormalAfterLogic(w, r, resp)
--- a/server/ldap-admin/internal/handler/getldapuserinfohandler.go
+++ b/server/ldap-admin/internal/handler/getldapuserinfohandler.go
@ -15,7 +15,7 @@ func GetLdapUserInfoHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {

 		var req types.GetLdapUserInfoReq
-		userinfo, err := basic.RequestParse(w, r, svcCtx, &req)
+		_, err := basic.RequestParse(w, r, svcCtx, &req)
 		if err != nil {
 			return
 		}
@ -26,7 +26,7 @@ func GetLdapUserInfoHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
 		rl := reflect.ValueOf(l)
 		basic.BeforeLogic(w, r, rl)

-		resp := l.GetLdapUserInfo(&req, userinfo)
+		resp := l.GetLdapUserInfo(&req, r)

 		if !basic.AfterLogic(w, r, rl, resp) {
 			basic.NormalAfterLogic(w, r, resp)
--- a/server/ldap-admin/internal/handler/getldapusershandler.go
+++ b/server/ldap-admin/internal/handler/getldapusershandler.go
@ -15,7 +15,7 @@ func GetLdapUsersHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {

 		var req types.GetLdapUsersReq
-		userinfo, err := basic.RequestParse(w, r, svcCtx, &req)
+		_, err := basic.RequestParse(w, r, svcCtx, &req)
 		if err != nil {
 			return
 		}
@ -26,7 +26,7 @@ func GetLdapUsersHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
 		rl := reflect.ValueOf(l)
 		basic.BeforeLogic(w, r, rl)

-		resp := l.GetLdapUsers(&req, userinfo)
+		resp := l.GetLdapUsers(&req, r)

 		if !basic.AfterLogic(w, r, rl, resp) {
 			basic.NormalAfterLogic(w, r, resp)
--- a/server/ldap-admin/internal/handler/ldapuserloginhandler.go
+++ b/server/ldap-admin/internal/handler/ldapuserloginhandler.go
@ -15,7 +15,7 @@ func LdapUserLoginHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {

 		var req types.LdapUserLoginReq
-		userinfo, err := basic.RequestParse(w, r, svcCtx, &req)
+		_, err := basic.RequestParse(w, r, svcCtx, &req)
 		if err != nil {
 			return
 		}
@ -26,7 +26,7 @@ func LdapUserLoginHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
 		rl := reflect.ValueOf(l)
 		basic.BeforeLogic(w, r, rl)

-		resp := l.LdapUserLogin(&req, userinfo)
+		resp := l.LdapUserLogin(&req)

 		if !basic.AfterLogic(w, r, rl, resp) {
 			basic.NormalAfterLogic(w, r, resp)
--- a/server/ldap-admin/internal/handler/removeldaporganizationmemberhandler.go
+++ b/server/ldap-admin/internal/handler/removeldaporganizationmemberhandler.go
@ -15,7 +15,7 @@ func RemoveLdapOrganizationMemberHandler(svcCtx *svc.ServiceContext) http.Handle
 	return func(w http.ResponseWriter, r *http.Request) {

 		var req types.RemoveLdapOrganizationMemberReq
-		userinfo, err := basic.RequestParse(w, r, svcCtx, &req)
+		_, err := basic.RequestParse(w, r, svcCtx, &req)
 		if err != nil {
 			return
 		}
@ -26,7 +26,7 @@ func RemoveLdapOrganizationMemberHandler(svcCtx *svc.ServiceContext) http.Handle
 		rl := reflect.ValueOf(l)
 		basic.BeforeLogic(w, r, rl)

-		resp := l.RemoveLdapOrganizationMember(&req, userinfo)
+		resp := l.RemoveLdapOrganizationMember(&req, r)

 		if !basic.AfterLogic(w, r, rl, resp) {
 			basic.NormalAfterLogic(w, r, resp)
--- a/server/ldap-admin/internal/handler/updateldaporganizationhandler.go
+++ b/server/ldap-admin/internal/handler/updateldaporganizationhandler.go
@ -15,7 +15,7 @@ func UpdateLdapOrganizationHandler(svcCtx *svc.ServiceContext) http.HandlerFunc
 	return func(w http.ResponseWriter, r *http.Request) {

 		var req types.UpdateLdapOrganizationReq
-		userinfo, err := basic.RequestParse(w, r, svcCtx, &req)
+		_, err := basic.RequestParse(w, r, svcCtx, &req)
 		if err != nil {
 			return
 		}
@ -26,7 +26,7 @@ func UpdateLdapOrganizationHandler(svcCtx *svc.ServiceContext) http.HandlerFunc
 		rl := reflect.ValueOf(l)
 		basic.BeforeLogic(w, r, rl)

-		resp := l.UpdateLdapOrganization(&req, userinfo)
+		resp := l.UpdateLdapOrganization(&req, r)

 		if !basic.AfterLogic(w, r, rl, resp) {
 			basic.NormalAfterLogic(w, r, resp)
--- a/server/ldap-admin/internal/handler/updateldapuserhandler.go
+++ b/server/ldap-admin/internal/handler/updateldapuserhandler.go
@ -15,7 +15,7 @@ func UpdateLdapUserHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {

 		var req types.UpdateLdapUserReq
-		userinfo, err := basic.RequestParse(w, r, svcCtx, &req)
+		_, err := basic.RequestParse(w, r, svcCtx, &req)
 		if err != nil {
 			return
 		}
@ -26,7 +26,7 @@ func UpdateLdapUserHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
 		rl := reflect.ValueOf(l)
 		basic.BeforeLogic(w, r, rl)

-		resp := l.UpdateLdapUser(&req, userinfo)
+		resp := l.UpdateLdapUser(&req, r)

 		if !basic.AfterLogic(w, r, rl, resp) {
 			basic.NormalAfterLogic(w, r, resp)
--- a/server/ldap-admin/internal/handler/updateldapuserpwdhandler.go
+++ b/server/ldap-admin/internal/handler/updateldapuserpwdhandler.go
@ -15,7 +15,7 @@ func UpdateLdapUserPwdHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {

 		var req types.UpdateLdapUserPwdReq
-		userinfo, err := basic.RequestParse(w, r, svcCtx, &req)
+		_, err := basic.RequestParse(w, r, svcCtx, &req)
 		if err != nil {
 			return
 		}
@ -26,7 +26,7 @@ func UpdateLdapUserPwdHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
 		rl := reflect.ValueOf(l)
 		basic.BeforeLogic(w, r, rl)

-		resp := l.UpdateLdapUserPwd(&req, userinfo)
+		resp := l.UpdateLdapUserPwd(&req, r)

 		if !basic.AfterLogic(w, r, rl, resp) {
 			basic.NormalAfterLogic(w, r, resp)
--- a/server/ldap-admin/internal/logic/addldaporganizationmemberlogic.go
+++ b/server/ldap-admin/internal/logic/addldaporganizationmemberlogic.go
@ -1,10 +1,10 @@
 package logic

 import (
-	"fusenapi/utils/auth"
 	"fusenapi/utils/basic"
 	"fusenapi/utils/email"
 	"fusenapi/utils/ldap_lib"
+	"net/http"
 	"strings"

 	"context"
@ -33,7 +33,11 @@ func NewAddLdapOrganizationMemberLogic(ctx context.Context, svcCtx *svc.ServiceC
 // func (l *AddLdapOrganizationMemberLogic) BeforeLogic(w http.ResponseWriter, r *http.Request) {
 // }

-func (l *AddLdapOrganizationMemberLogic) AddLdapOrganizationMember(req *types.AddLdapOrganizationMemberReq, userinfo *auth.UserInfo) (resp *basic.Response) {
+func (l *AddLdapOrganizationMemberLogic) AddLdapOrganizationMember(req *types.AddLdapOrganizationMemberReq, r *http.Request) (resp *basic.Response) {
+	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
+	if !ldapServer.VerifyAuthority(r.Header.Get("Ldap-Authorization"), l.svcCtx.Config.Auth.AccessSecret) {
+		return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限，请联系管理员开通")
+	}
 	req.OrganizationDN = strings.Trim(req.OrganizationDN, " ")
 	req.UserDN = strings.Trim(req.UserDN, " ")
 	if len(req.OrganizationDN) <= 3 || req.OrganizationDN[:3] != "ou=" {
@ -46,7 +50,6 @@ func (l *AddLdapOrganizationMemberLogic) AddLdapOrganizationMember(req *types.Ad
 	if !email.IsEmailValid(cnEmail) {
 		return resp.SetStatusWithMessage(basic.CodeRequestParamsErr, "错误的用户cn")
 	}
-	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
 	err := ldapServer.AddUserToOrganization(req.OrganizationDN, req.UserDN)
 	if err != nil {
 		logx.Error(err)
--- a/server/ldap-admin/internal/logic/createldaporganizationlogic.go
+++ b/server/ldap-admin/internal/logic/createldaporganizationlogic.go
@ -1,10 +1,10 @@
 package logic

 import (
-	"fusenapi/utils/auth"
 	"fusenapi/utils/basic"
 	"fusenapi/utils/chinese_to_pinyin"
 	"fusenapi/utils/ldap_lib"
+	"net/http"
 	"strings"

 	"context"
@ -33,7 +33,11 @@ func NewCreateLdapOrganizationLogic(ctx context.Context, svcCtx *svc.ServiceCont
 // func (l *CreateLdapOrganizationLogic) BeforeLogic(w http.ResponseWriter, r *http.Request) {
 // }

-func (l *CreateLdapOrganizationLogic) CreateLdapOrganization(req *types.CreateLdapOrganizationReq, userinfo *auth.UserInfo) (resp *basic.Response) {
+func (l *CreateLdapOrganizationLogic) CreateLdapOrganization(req *types.CreateLdapOrganizationReq, r *http.Request) (resp *basic.Response) {
+	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
+	if !ldapServer.VerifyAuthority(r.Header.Get("Ldap-Authorization"), l.svcCtx.Config.Auth.AccessSecret) {
+		return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限，请联系管理员开通")
+	}
 	req.OrganizationEnName = strings.Trim(req.OrganizationEnName, " ")
 	req.ParentOrganizationDN = strings.Trim(req.ParentOrganizationDN, " ")
 	req.BusinessCategory = strings.Trim(req.BusinessCategory, " ")
@ -52,7 +56,6 @@ func (l *CreateLdapOrganizationLogic) CreateLdapOrganization(req *types.CreateLd
 	}
 	//组装organization dn
 	organizationDN := "ou=" + req.OrganizationEnName + "," + req.ParentOrganizationDN
-	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
 	err := ldapServer.Create(organizationDN, map[string][]string{
 		"objectClass":      {"top", "groupOfUniqueNames"},
 		"cn":               {req.OrganizationEnName},
--- a/server/ldap-admin/internal/logic/createldapuserbasegrouplogic.go
+++ b/server/ldap-admin/internal/logic/createldapuserbasegrouplogic.go
@ -1,9 +1,9 @@
 package logic

 import (
-	"fusenapi/utils/auth"
 	"fusenapi/utils/basic"
 	"fusenapi/utils/ldap_lib"
+	"net/http"

 	"context"

@ -31,8 +31,11 @@ func NewCreateLdapUserBaseGroupLogic(ctx context.Context, svcCtx *svc.ServiceCon
 // func (l *CreateLdapUserBaseGroupLogic) BeforeLogic(w http.ResponseWriter, r *http.Request) {
 // }

-func (l *CreateLdapUserBaseGroupLogic) CreateLdapUserBaseGroup(req *types.Request, userinfo *auth.UserInfo) (resp *basic.Response) {
+func (l *CreateLdapUserBaseGroupLogic) CreateLdapUserBaseGroup(req *types.Request, r *http.Request) (resp *basic.Response) {
 	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
+	if !ldapServer.VerifyAuthority(r.Header.Get("Ldap-Authorization"), l.svcCtx.Config.Auth.AccessSecret) {
+		return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限，请联系管理员开通")
+	}
 	err := ldapServer.Create(l.svcCtx.Config.Ldap.PeopleGroupDN, map[string][]string{
 		"objectClass":      {"top", "organizationalUnit"},
 		"ou":               {"FusenTeam"},
--- a/server/ldap-admin/internal/logic/createldapuserlogic.go
+++ b/server/ldap-admin/internal/logic/createldapuserlogic.go
@ -3,13 +3,13 @@ package logic
 import (
 	"fmt"
 	"fusenapi/model/gmodel"
-	"fusenapi/utils/auth"
 	"fusenapi/utils/basic"
 	"fusenapi/utils/chinese_to_pinyin"
 	"fusenapi/utils/email"
 	"fusenapi/utils/encryption_decryption"
 	"fusenapi/utils/ldap_lib"
 	"gorm.io/gorm"
+	"net/http"
 	"strings"
 	"time"

@ -39,7 +39,11 @@ func NewCreateLdapUserLogic(ctx context.Context, svcCtx *svc.ServiceContext) *Cr
 // func (l *CreateLdapUserLogic) BeforeLogic(w http.ResponseWriter, r *http.Request) {
 // }

-func (l *CreateLdapUserLogic) CreateLdapUser(req *types.CreateLdapUserReq, userinfo *auth.UserInfo) (resp *basic.Response) {
+func (l *CreateLdapUserLogic) CreateLdapUser(req *types.CreateLdapUserReq, r *http.Request) (resp *basic.Response) {
+	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
+	if !ldapServer.VerifyAuthority(r.Header.Get("Ldap-Authorization"), l.svcCtx.Config.Auth.AccessSecret) {
+		return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限，请联系管理员开通")
+	}
 	req.UserName = strings.Trim(req.UserName, " ")
 	req.Mobile = strings.Trim(req.Mobile, " ")
 	req.Email = strings.Trim(req.Email, " ")
@ -56,7 +60,6 @@ func (l *CreateLdapUserLogic) CreateLdapUser(req *types.CreateLdapUserReq, useri
 	if !email.IsEmailValid(req.Email) {
 		return resp.SetStatusWithMessage(basic.CodeRequestParamsErr, "参数错误，邮箱格式不正确")
 	}
-	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
 	//把用户名转pinyin
 	userNamePinyin := chinese_to_pinyin.ChineseToPinyin(req.UserName)
 	userDN := fmt.Sprintf("cn=%s,%s", req.Email, l.svcCtx.Config.Ldap.PeopleGroupDN)
--- a/server/ldap-admin/internal/logic/deleteldaporganizationlogic.go
+++ b/server/ldap-admin/internal/logic/deleteldaporganizationlogic.go
@ -1,9 +1,9 @@
 package logic

 import (
-	"fusenapi/utils/auth"
 	"fusenapi/utils/basic"
 	"fusenapi/utils/ldap_lib"
+	"net/http"
 	"strings"

 	"context"
@ -32,12 +32,15 @@ func NewDeleteLdapOrganizationLogic(ctx context.Context, svcCtx *svc.ServiceCont
 // func (l *DeleteLdapOrganizationLogic) BeforeLogic(w http.ResponseWriter, r *http.Request) {
 // }

-func (l *DeleteLdapOrganizationLogic) DeleteLdapOrganization(req *types.DeleteLdapOrganizationReq, userinfo *auth.UserInfo) (resp *basic.Response) {
+func (l *DeleteLdapOrganizationLogic) DeleteLdapOrganization(req *types.DeleteLdapOrganizationReq, r *http.Request) (resp *basic.Response) {
+	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
+	if !ldapServer.VerifyAuthority(r.Header.Get("Ldap-Authorization"), l.svcCtx.Config.Auth.AccessSecret) {
+		return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限，请联系管理员开通")
+	}
 	req.OrganizationDN = strings.Trim(req.OrganizationDN, " ")
 	if len(req.OrganizationDN) <= 3 || req.OrganizationDN[:3] != "ou=" {
 		return resp.SetStatusWithMessage(basic.CodeRequestParamsErr, "参数错误，无效的组织DN")
 	}
-	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
 	if err := ldapServer.Delete(req.OrganizationDN); err != nil {
 		logx.Error(err)
 		return resp.SetStatusWithMessage(basic.CodeServiceErr, "删除ldap组织失败,"+err.Error())
--- a/server/ldap-admin/internal/logic/deleteldapuserlogic.go
+++ b/server/ldap-admin/internal/logic/deleteldapuserlogic.go
@ -1,9 +1,9 @@
 package logic

 import (
-	"fusenapi/utils/auth"
 	"fusenapi/utils/basic"
 	"fusenapi/utils/ldap_lib"
+	"net/http"
 	"strings"

 	"context"
@ -32,12 +32,15 @@ func NewDeleteLdapUserLogic(ctx context.Context, svcCtx *svc.ServiceContext) *De
 // func (l *DeleteLdapUserLogic) BeforeLogic(w http.ResponseWriter, r *http.Request) {
 // }

-func (l *DeleteLdapUserLogic) DeleteLdapUser(req *types.DeleteLdapUserReq, userinfo *auth.UserInfo) (resp *basic.Response) {
+func (l *DeleteLdapUserLogic) DeleteLdapUser(req *types.DeleteLdapUserReq, r *http.Request) (resp *basic.Response) {
+	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
+	if !ldapServer.VerifyAuthority(r.Header.Get("Ldap-Authorization"), l.svcCtx.Config.Auth.AccessSecret) {
+		return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限，请联系管理员开通")
+	}
 	req.UserDN = strings.Trim(req.UserDN, " ")
 	if len(req.UserDN) <= 3 || req.UserDN[:3] != "cn=" {
 		return resp.SetStatusWithMessage(basic.CodeRequestParamsErr, "参数错误，无效的用户DN")
 	}
-	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
 	err := ldapServer.Update(req.UserDN, map[string][]string{
 		"postalCode": {"0"},
 	})
--- a/server/ldap-admin/internal/logic/getldaporganizationmemberslogic.go
+++ b/server/ldap-admin/internal/logic/getldaporganizationmemberslogic.go
@ -2,10 +2,10 @@ package logic

 import (
 	"fmt"
-	"fusenapi/utils/auth"
 	"fusenapi/utils/basic"
 	"fusenapi/utils/ldap_lib"
 	"github.com/go-ldap/ldap/v3"
+	"net/http"
 	"strings"

 	"context"
@ -34,13 +34,16 @@ func NewGetLdapOrganizationMembersLogic(ctx context.Context, svcCtx *svc.Service
 // func (l *GetLdapOrganizationMembersLogic) BeforeLogic(w http.ResponseWriter, r *http.Request) {
 // }

-func (l *GetLdapOrganizationMembersLogic) GetLdapOrganizationMembers(req *types.GetLdapOrganizationMembersReq, userinfo *auth.UserInfo) (resp *basic.Response) {
+func (l *GetLdapOrganizationMembersLogic) GetLdapOrganizationMembers(req *types.GetLdapOrganizationMembersReq, r *http.Request) (resp *basic.Response) {
+	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
+	if !ldapServer.VerifyAuthority(r.Header.Get("Ldap-Authorization"), l.svcCtx.Config.Auth.AccessSecret) {
+		return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限，请联系管理员开通")
+	}
 	req.OrganizationDN = strings.Trim(req.OrganizationDN, " ")
 	if len(req.OrganizationDN) <= 3 || req.OrganizationDN[:3] != "ou=" {
 		return resp.SetStatusWithMessage(basic.CodeRequestParamsErr, "参数错误,无效的组织DN")
 	}
 	//先获取组织成员
-	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
 	//获取跟用户dn筛选排除该用户
 	rootDNSlice := strings.Split(l.svcCtx.Config.Ldap.RootDN, ",")
 	if len(rootDNSlice) == 0 {
--- a/server/ldap-admin/internal/logic/getldaporganizationslogic.go
+++ b/server/ldap-admin/internal/logic/getldaporganizationslogic.go
@ -1,10 +1,10 @@
 package logic

 import (
-	"fusenapi/utils/auth"
 	"fusenapi/utils/basic"
 	"fusenapi/utils/ldap_lib"
 	"github.com/go-ldap/ldap/v3"
+	"net/http"
 	"sort"
 	"strings"

@ -42,13 +42,16 @@ type DNItem struct {
 	Child     []*DNItem              `json:"child"`
 }

-func (l *GetLdapOrganizationsLogic) GetLdapOrganizations(req *types.Request, userinfo *auth.UserInfo) (resp *basic.Response) {
+func (l *GetLdapOrganizationsLogic) GetLdapOrganizations(req *types.Request, r *http.Request) (resp *basic.Response) {
+	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
+	if !ldapServer.VerifyAuthority(r.Header.Get("Ldap-Authorization"), l.svcCtx.Config.Auth.AccessSecret) {
+		return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限，请联系管理员开通")
+	}
 	//从ldap获取组织架构数据
 	rootCn := strings.Split(l.svcCtx.Config.Ldap.RootDN, ",")
 	if len(rootCn) == 0 {
 		return resp.SetStatusWithMessage(basic.CodeServiceErr, "root用户DN未设置")
 	}
-	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
 	peopleDNSlice := strings.Split(l.svcCtx.Config.Ldap.PeopleGroupDN, ",")
 	if len(peopleDNSlice) <= 1 {
 		return resp.SetStatusWithMessage(basic.CodeServiceErr, "基础用户组的DN未配置")
--- a/server/ldap-admin/internal/logic/getldapuserinfologic.go
+++ b/server/ldap-admin/internal/logic/getldapuserinfologic.go
@ -4,10 +4,10 @@ import (
 	"context"
 	"fusenapi/server/ldap-admin/internal/svc"
 	"fusenapi/server/ldap-admin/internal/types"
-	"fusenapi/utils/auth"
 	"fusenapi/utils/basic"
 	"fusenapi/utils/email"
 	"fusenapi/utils/ldap_lib"
+	"net/http"
 	"strings"

 	"github.com/zeromicro/go-zero/core/logx"
@ -31,7 +31,11 @@ func NewGetLdapUserInfoLogic(ctx context.Context, svcCtx *svc.ServiceContext) *G
 // func (l *GetLdapUserInfoLogic) BeforeLogic(w http.ResponseWriter, r *http.Request) {
 // }

-func (l *GetLdapUserInfoLogic) GetLdapUserInfo(req *types.GetLdapUserInfoReq, userinfo *auth.UserInfo) (resp *basic.Response) {
+func (l *GetLdapUserInfoLogic) GetLdapUserInfo(req *types.GetLdapUserInfoReq, r *http.Request) (resp *basic.Response) {
+	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
+	if !ldapServer.VerifyAuthority(r.Header.Get("Ldap-Authorization"), l.svcCtx.Config.Auth.AccessSecret) {
+		return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限，请联系管理员开通")
+	}
 	if len(req.UserDN) <= 3 || req.UserDN[:3] != "cn=" {
 		return resp.SetStatusWithMessage(basic.CodeRequestParamsErr, "参数错误，用户DN错误")
 	}
@ -39,7 +43,6 @@ func (l *GetLdapUserInfoLogic) GetLdapUserInfo(req *types.GetLdapUserInfoReq, us
 	if !email.IsEmailValid(cnEmail) {
 		return resp.SetStatusWithMessage(basic.CodeRequestParamsErr, "错误的用户cn")
 	}
-	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
 	user, err := ldapServer.GetLdapUserInfo(req.UserDN)
 	if err != nil {
 		logx.Error(err)
--- a/server/ldap-admin/internal/logic/getldapuserslogic.go
+++ b/server/ldap-admin/internal/logic/getldapuserslogic.go
@ -1,9 +1,9 @@
 package logic

 import (
-	"fusenapi/utils/auth"
 	"fusenapi/utils/basic"
 	"fusenapi/utils/ldap_lib"
+	"net/http"
 	"strings"

 	"context"
@ -32,9 +32,12 @@ func NewGetLdapUsersLogic(ctx context.Context, svcCtx *svc.ServiceContext) *GetL
 // func (l *GetLdapUsersLogic) BeforeLogic(w http.ResponseWriter, r *http.Request) {
 // }

-func (l *GetLdapUsersLogic) GetLdapUsers(req *types.GetLdapUsersReq, userinfo *auth.UserInfo) (resp *basic.Response) {
-	req.PageCookie = strings.Trim(req.PageCookie, " ")
+func (l *GetLdapUsersLogic) GetLdapUsers(req *types.GetLdapUsersReq, r *http.Request) (resp *basic.Response) {
 	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
+	if !ldapServer.VerifyAuthority(r.Header.Get("Ldap-Authorization"), l.svcCtx.Config.Auth.AccessSecret) {
+		return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限，请联系管理员开通")
+	}
+	req.PageCookie = strings.Trim(req.PageCookie, " ")
 	pageSize := uint32(20)
 	list, cookie, err := ldapServer.GetLdapBaseTeamUserList(pageSize, req.PageCookie)
 	if err != nil {
--- a/server/ldap-admin/internal/logic/ldapuserloginlogic.go
+++ b/server/ldap-admin/internal/logic/ldapuserloginlogic.go
@ -2,7 +2,6 @@ package logic

 import (
 	"fmt"
-	"fusenapi/utils/auth"
 	"fusenapi/utils/basic"
 	"fusenapi/utils/email"
 	"fusenapi/utils/encryption_decryption"
@ -35,7 +34,7 @@ func NewLdapUserLoginLogic(ctx context.Context, svcCtx *svc.ServiceContext) *Lda
 // func (l *LdapUserLoginLogic) BeforeLogic(w http.ResponseWriter, r *http.Request) {
 // }

-func (l *LdapUserLoginLogic) LdapUserLogin(req *types.LdapUserLoginReq, userinfo *auth.UserInfo) (resp *basic.Response) {
+func (l *LdapUserLoginLogic) LdapUserLogin(req *types.LdapUserLoginReq) (resp *basic.Response) {
 	req.Email = strings.Trim(req.Email, " ")
 	req.Password = strings.Trim(req.Password, " ")
 	if !email.IsEmailValid(req.Email) {
@ -66,7 +65,7 @@ func (l *LdapUserLoginLogic) LdapUserLogin(req *types.LdapUserLoginReq, userinfo
 		return resp.SetStatusWithMessage(basic.CodeServiceErr, "密码错误!")
 	}
 	//生成token
-	token, err := ldapServer.GenJwtToken(ldapUserInfo.UserId, l.svcCtx.Config.Auth.AccessExpire, ldapUserInfo.UserDN, ldapUserInfo.Password)
+	token, err := ldapServer.GenJwtToken(ldapUserInfo.UserId, l.svcCtx.Config.Auth.AccessExpire, ldapUserInfo.UserDN, l.svcCtx.Config.Auth.AccessSecret)
 	if err != nil {
 		logx.Error(err)
 		return resp.SetStatusWithMessage(basic.CodeServiceErr, "生成登录凭证失败")
--- a/server/ldap-admin/internal/logic/removeldaporganizationmemberlogic.go
+++ b/server/ldap-admin/internal/logic/removeldaporganizationmemberlogic.go
@ -1,10 +1,10 @@
 package logic

 import (
-	"fusenapi/utils/auth"
 	"fusenapi/utils/basic"
 	"fusenapi/utils/email"
 	"fusenapi/utils/ldap_lib"
+	"net/http"
 	"strings"

 	"context"
@ -33,7 +33,11 @@ func NewRemoveLdapOrganizationMemberLogic(ctx context.Context, svcCtx *svc.Servi
 // func (l *RemoveLdapOrganizationMemberLogic) BeforeLogic(w http.ResponseWriter, r *http.Request) {
 // }

-func (l *RemoveLdapOrganizationMemberLogic) RemoveLdapOrganizationMember(req *types.RemoveLdapOrganizationMemberReq, userinfo *auth.UserInfo) (resp *basic.Response) {
+func (l *RemoveLdapOrganizationMemberLogic) RemoveLdapOrganizationMember(req *types.RemoveLdapOrganizationMemberReq, r *http.Request) (resp *basic.Response) {
+	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
+	if !ldapServer.VerifyAuthority(r.Header.Get("Ldap-Authorization"), l.svcCtx.Config.Auth.AccessSecret) {
+		return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限，请联系管理员开通")
+	}
 	req.OrganizationDN = strings.Trim(req.OrganizationDN, " ")
 	req.UserDN = strings.Trim(req.UserDN, " ")
 	if len(req.OrganizationDN) <= 3 || req.OrganizationDN[:3] != "ou=" {
@ -46,7 +50,6 @@ func (l *RemoveLdapOrganizationMemberLogic) RemoveLdapOrganizationMember(req *ty
 	if !email.IsEmailValid(cnEmail) {
 		return resp.SetStatusWithMessage(basic.CodeRequestParamsErr, "错误的用户cn")
 	}
-	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
 	err := ldapServer.RemoveUserFromOrganization(req.OrganizationDN, req.UserDN)
 	if err != nil {
 		logx.Error(err)
--- a/server/ldap-admin/internal/logic/updateldaporganizationlogic.go
+++ b/server/ldap-admin/internal/logic/updateldaporganizationlogic.go
@ -1,9 +1,9 @@
 package logic

 import (
-	"fusenapi/utils/auth"
 	"fusenapi/utils/basic"
 	"fusenapi/utils/ldap_lib"
+	"net/http"
 	"strings"

 	"context"
@ -32,7 +32,11 @@ func NewUpdateLdapOrganizationLogic(ctx context.Context, svcCtx *svc.ServiceCont
 // func (l *UpdateLdapOrganizationLogic) BeforeLogic(w http.ResponseWriter, r *http.Request) {
 // }

-func (l *UpdateLdapOrganizationLogic) UpdateLdapOrganization(req *types.UpdateLdapOrganizationReq, userinfo *auth.UserInfo) (resp *basic.Response) {
+func (l *UpdateLdapOrganizationLogic) UpdateLdapOrganization(req *types.UpdateLdapOrganizationReq, r *http.Request) (resp *basic.Response) {
+	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
+	if !ldapServer.VerifyAuthority(r.Header.Get("Ldap-Authorization"), l.svcCtx.Config.Auth.AccessSecret) {
+		return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限，请联系管理员开通")
+	}
 	req.OrganizationDN = strings.Trim(req.OrganizationDN, " ")
 	if req.OrganizationDN == "" {
 		return resp.SetStatusWithMessage(basic.CodeRequestParamsErr, "参数错误，组织DN不能为空")
@ -40,7 +44,6 @@ func (l *UpdateLdapOrganizationLogic) UpdateLdapOrganization(req *types.UpdateLd
 	if len(req.OrganizationDN) <= 3 || req.OrganizationDN[:3] != "ou=" {
 		return resp.SetStatusWithMessage(basic.CodeRequestParamsErr, "参数错误，无效的组织DN")
 	}
-	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
 	if err := ldapServer.Update(req.OrganizationDN, map[string][]string{
 		"businessCategory": {req.BusinessCategory},
 	}); err != nil {
--- a/server/ldap-admin/internal/logic/updateldapuserlogic.go
+++ b/server/ldap-admin/internal/logic/updateldapuserlogic.go
@ -3,11 +3,11 @@ package logic
 import (
 	"fmt"
 	"fusenapi/model/gmodel"
-	"fusenapi/utils/auth"
 	"fusenapi/utils/basic"
 	"fusenapi/utils/chinese_to_pinyin"
 	"fusenapi/utils/email"
 	"fusenapi/utils/ldap_lib"
+	"net/http"
 	"strings"
 	"time"

@ -37,7 +37,11 @@ func NewUpdateLdapUserLogic(ctx context.Context, svcCtx *svc.ServiceContext) *Up
 // func (l *UpdateLdapUserLogic) BeforeLogic(w http.ResponseWriter, r *http.Request) {
 // }

-func (l *UpdateLdapUserLogic) UpdateLdapUser(req *types.UpdateLdapUserReq, userinfo *auth.UserInfo) (resp *basic.Response) {
+func (l *UpdateLdapUserLogic) UpdateLdapUser(req *types.UpdateLdapUserReq, r *http.Request) (resp *basic.Response) {
+	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
+	if !ldapServer.VerifyAuthority(r.Header.Get("Ldap-Authorization"), l.svcCtx.Config.Auth.AccessSecret) {
+		return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限，请联系管理员开通")
+	}
 	req.UserDN = strings.Trim(req.UserDN, " ")
 	req.Mobile = strings.Trim(req.Mobile, " ")
 	req.Avatar = strings.Trim(req.Avatar, " ")
@ -54,7 +58,6 @@ func (l *UpdateLdapUserLogic) UpdateLdapUser(req *types.UpdateLdapUserReq, useri
 	}
 	//把用户名转pinyin
 	userNamePinyin := chinese_to_pinyin.ChineseToPinyin(req.UserName)
-	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
 	now := time.Now()
 	//更新的属性
 	attr := map[string][]string{
--- a/server/ldap-admin/internal/logic/updateldapuserpwdlogic.go
+++ b/server/ldap-admin/internal/logic/updateldapuserpwdlogic.go
@ -1,11 +1,11 @@
 package logic

 import (
-	"fusenapi/utils/auth"
 	"fusenapi/utils/basic"
 	"fusenapi/utils/email"
 	"fusenapi/utils/encryption_decryption"
 	"fusenapi/utils/ldap_lib"
+	"net/http"
 	"strings"

 	"context"
@ -34,7 +34,11 @@ func NewUpdateLdapUserPwdLogic(ctx context.Context, svcCtx *svc.ServiceContext)
 // func (l *UpdateLdapUserPwdLogic) BeforeLogic(w http.ResponseWriter, r *http.Request) {
 // }

-func (l *UpdateLdapUserPwdLogic) UpdateLdapUserPwd(req *types.UpdateLdapUserPwdReq, userinfo *auth.UserInfo) (resp *basic.Response) {
+func (l *UpdateLdapUserPwdLogic) UpdateLdapUserPwd(req *types.UpdateLdapUserPwdReq, r *http.Request) (resp *basic.Response) {
+	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
+	if !ldapServer.VerifyAuthority(r.Header.Get("Ldap-Authorization"), l.svcCtx.Config.Auth.AccessSecret) {
+		return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限，请联系管理员开通")
+	}
 	req.UserDN = strings.Trim(req.UserDN, " ")
 	req.NewPassword = strings.Trim(req.NewPassword, " ")
 	req.OldPassword = strings.Trim(req.OldPassword, " ")
@ -48,7 +52,6 @@ func (l *UpdateLdapUserPwdLogic) UpdateLdapUserPwd(req *types.UpdateLdapUserPwdR
 	if !email.IsEmailValid(cnEmail) {
 		return resp.SetStatusWithMessage(basic.CodeRequestParamsErr, "错误的用户cn")
 	}
-	ldapServer := ldap_lib.NewLdap(l.svcCtx.Ldap, l.svcCtx.Config.Ldap.BaseDN, l.svcCtx.Config.Ldap.RootDN, l.svcCtx.Config.Ldap.PeopleGroupDN)
 	//查询个人信息
 	user, err := ldapServer.GetLdapUserInfo(req.UserDN)
 	if err != nil {
--- a/utils/ldap_lib/auth.go
+++ b/utils/ldap_lib/auth.go
@ -0,0 +1,22 @@
+package ldap_lib
+
+import "github.com/zeromicro/go-zero/core/logx"
+
+// 验证权限
+func (l *Ldap) VerifyAuthority(token, jwtSecret string) bool {
+	info, err := l.ParseJwtToken(token, jwtSecret)
+	if err != nil {
+		logx.Error("解析token失败", err, "----token:", token)
+		return false
+	}
+	//查询ldap
+	userInfo, err := l.GetLdapUserInfo(info.UserDN)
+	if err != nil {
+		logx.Error("获取ldap用户信息失败", err, "----user_dn:", info.UserDN)
+	}
+	if userInfo.Status != 1 {
+		return false
+	}
+	// TODO 查询权限组相关信息
+	return true
+}
--- a/utils/ldap_lib/jwt_parse.go
+++ b/utils/ldap_lib/jwt_parse.go
@ -13,14 +13,14 @@ type UserInfo struct {
 }

 // 生成token
-func (l *Ldap) GenJwtToken(userId, expireTime int64, userDN, password string) (token string, err error) {
+func (l *Ldap) GenJwtToken(userId, expireTime int64, userDN, secret string) (token string, err error) {
 	t := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
 		"user_dn": userDN,
 		"user_id": userId,
 		"exp":     time.Now().Add(time.Second * time.Duration(expireTime)).Unix(), //过期时间
 		"iss":     "fusen",
 	})
-	token, err = t.SignedString([]byte(password))
+	token, err = t.SignedString([]byte(secret))
 	if err != nil {
 		return "", err
 	}
@ -28,13 +28,13 @@ func (l *Ldap) GenJwtToken(userId, expireTime int64, userDN, password string) (t
 }

 // 解释token
-func (l *Ldap) ParseJwtToken(token, password string) (UserInfo, error) {
+func (l *Ldap) ParseJwtToken(token, secret string) (UserInfo, error) {
 	if len(token) <= 7 || token[:7] != "Bearer " {
 		return UserInfo{}, errors.New("无效的token")
 	}
 	token = token[7:]
 	t, err := jwt.ParseWithClaims(token, jwt.MapClaims{}, func(token *jwt.Token) (interface{}, error) {
-		return []byte(password), nil
+		return []byte(secret), nil
 	})
 	if err != nil {
 		return UserInfo{}, err
@ -49,3 +49,5 @@ func (l *Ldap) ParseJwtToken(token, password string) (UserInfo, error) {
 	}
 	return userInfo, nil
 }
+
+//