mirror of
https://github.com/thelounge/thelounge
synced 2024-11-24 21:13:06 +00:00
Make new LDAP options backward compatible
Also draft some kind of plugin system for auth, although it essentially consists in writing a function and there is no mechanism to automatically fallback from one auth to another
This commit is contained in:
parent
19710b90c0
commit
cfa6db10c7
6 changed files with 232 additions and 142 deletions
|
@ -371,15 +371,22 @@ module.exports = {
|
|||
// 3. Lounge tries to connect a second time, but this time using the user's
|
||||
// DN and password. Auth is validated iff this connection is successful.
|
||||
//
|
||||
// The search query takes a couple of parameters:
|
||||
// - A base DN. Only children nodes of this DN will be likely to be returned
|
||||
// - A search scope (see LDAP documentation)
|
||||
// - The query itself, build as (&(<primaryKey>=<username>) <filter>)
|
||||
// The search query takes a couple of parameters in `searchDN`:
|
||||
// - a base DN `searchDN/base`. Only children nodes of this DN will be likely
|
||||
// to be returned;
|
||||
// - a search scope `searchDN/scope` (see LDAP documentation);
|
||||
// - the query itself, build as (&(<primaryKey>=<username>) <filter>)
|
||||
// where <username> is the user name provided in the log in request,
|
||||
// <primaryKey> is provided by the config and <fitler> is a filtering complement
|
||||
// also given in the config, to filter for instance only for nodes of type
|
||||
// inetOrgPerson, or whatever LDAP search allows.
|
||||
//
|
||||
// Alternatively, you can specify the `bindDN` parameter. This will make the lounge
|
||||
// ignore searchDN options and assume that the user DN is always:
|
||||
// <bindDN>,<primaryKey>=<username>
|
||||
// where <username> is the user name provided in the log in request, and <bindDN>
|
||||
// and <primaryKey> are provided by the config.
|
||||
//
|
||||
ldap: {
|
||||
//
|
||||
// Enable LDAP user authentication
|
||||
|
@ -399,33 +406,23 @@ module.exports = {
|
|||
//
|
||||
// LDAP connection tls options (only used if scheme is ldaps://)
|
||||
//
|
||||
// @type object (see nodejs' tls.connect() options)
|
||||
// @type object (see nodejs' tls.connect() options)
|
||||
// @default {}
|
||||
//
|
||||
// Example:
|
||||
// You can use this option in order to force the use of IPv6:
|
||||
// {
|
||||
// host: 'my::ip::v6'
|
||||
// servername: 'ldaps://example.com'
|
||||
// host: 'my::ip::v6',
|
||||
// servername: 'example.com'
|
||||
// }
|
||||
tlsOptions: {},
|
||||
|
||||
//
|
||||
// LDAP searching bind DN
|
||||
// This bind DN is used to query the server for the DN of the user.
|
||||
// This is supposed to be a system user that has access in read only to
|
||||
// the DNs of the people that are allowed to log in.
|
||||
// LDAP base dn, alternative to searchDN
|
||||
//
|
||||
// @type string
|
||||
//
|
||||
rootDN: "cn=thelounge,ou=system-users,dc=example,dc=com",
|
||||
|
||||
//
|
||||
// Password of the lounge LDAP system user
|
||||
//
|
||||
// @type string
|
||||
//
|
||||
rootPassword: "1234",
|
||||
// baseDN: "ou=accounts,dc=example,dc=com",
|
||||
|
||||
//
|
||||
// LDAP primary key
|
||||
|
@ -436,27 +433,55 @@ module.exports = {
|
|||
primaryKey: "uid",
|
||||
|
||||
//
|
||||
// LDAP filter
|
||||
// LDAP search dn settings. This defines the procedure by which the
|
||||
// lounge first look for user DN before authenticating her.
|
||||
// Ignored if baseDN is specified
|
||||
//
|
||||
// @type string
|
||||
// @default "uid"
|
||||
// @type object
|
||||
//
|
||||
filter: "(objectClass=inetOrgPerson)(memberOf=ou=accounts,dc=example,dc=com)",
|
||||
searchDN: {
|
||||
|
||||
//
|
||||
// LDAP search base (search only within this node)
|
||||
//
|
||||
// @type string
|
||||
//
|
||||
base: "dc=example,dc=com",
|
||||
//
|
||||
// LDAP searching bind DN
|
||||
// This bind DN is used to query the server for the DN of the user.
|
||||
// This is supposed to be a system user that has access in read only to
|
||||
// the DNs of the people that are allowed to log in.
|
||||
//
|
||||
// @type string
|
||||
//
|
||||
rootDN: "cn=thelounge,ou=system-users,dc=example,dc=com",
|
||||
|
||||
//
|
||||
// LDAP search scope
|
||||
//
|
||||
// @type string
|
||||
// @default "sub"
|
||||
//
|
||||
scope: "sub"
|
||||
//
|
||||
// Password of the lounge LDAP system user
|
||||
//
|
||||
// @type string
|
||||
//
|
||||
rootPassword: "1234",
|
||||
|
||||
//
|
||||
// LDAP filter
|
||||
//
|
||||
// @type string
|
||||
// @default "uid"
|
||||
//
|
||||
filter: "(objectClass=inetOrgPerson)(memberOf=ou=accounts,dc=example,dc=com)",
|
||||
|
||||
//
|
||||
// LDAP search base (search only within this node)
|
||||
//
|
||||
// @type string
|
||||
//
|
||||
base: "dc=example,dc=com",
|
||||
|
||||
//
|
||||
// LDAP search scope
|
||||
//
|
||||
// @type string
|
||||
// @default "sub"
|
||||
//
|
||||
scope: "sub"
|
||||
|
||||
}
|
||||
},
|
||||
|
||||
// Extra debugging
|
||||
|
|
29
src/plugins/auth/_ldapCommon.js
Normal file
29
src/plugins/auth/_ldapCommon.js
Normal file
|
@ -0,0 +1,29 @@
|
|||
"use strict";
|
||||
|
||||
const Helper = require("../../helper");
|
||||
const ldap = require("ldapjs");
|
||||
|
||||
function ldapAuthCommon(manager, client, user, bindDN, password, callback) {
|
||||
const config = Helper.config;
|
||||
|
||||
let ldapclient = ldap.createClient({
|
||||
url: config.ldap.url,
|
||||
tlsOptions: config.ldap.tlsOptions
|
||||
});
|
||||
|
||||
ldapclient.on("error", function(err) {
|
||||
log.error("Unable to connect to LDAP server", err);
|
||||
callback(!err);
|
||||
});
|
||||
|
||||
ldapclient.bind(bindDN, password, function(err) {
|
||||
if (!err && !client) {
|
||||
manager.addUser(user, null);
|
||||
}
|
||||
ldapclient.unbind();
|
||||
callback(!err);
|
||||
});
|
||||
}
|
||||
|
||||
module.exports = ldapAuthCommon;
|
||||
|
72
src/plugins/auth/advancedLdap.js
Normal file
72
src/plugins/auth/advancedLdap.js
Normal file
|
@ -0,0 +1,72 @@
|
|||
"use strict";
|
||||
|
||||
const Helper = require("../../helper");
|
||||
const ldap = require("ldapjs");
|
||||
|
||||
const _ldapAuthCommon = require("./_ldapCommon");
|
||||
|
||||
/**
|
||||
* LDAP auth using initial DN search (see config comment for ldap.searchDN)
|
||||
*/
|
||||
function advancedLdapAuth(manager, client, user, password, callback) {
|
||||
if (!user) {
|
||||
return callback(false);
|
||||
}
|
||||
|
||||
const config = Helper.config;
|
||||
const userDN = user.replace(/([,\\/#+<>;"= ])/g, "\\$1");
|
||||
|
||||
let ldapclient = ldap.createClient({
|
||||
url: config.ldap.url,
|
||||
tlsOptions: config.ldap.tlsOptions
|
||||
});
|
||||
|
||||
const base = config.ldap.searchDN.base;
|
||||
const searchOptions = {
|
||||
scope: config.ldap.searchDN.scope,
|
||||
filter: "(&(" + config.ldap.primaryKey + "=" + userDN + ")" + config.ldap.searchDN.filter + ")",
|
||||
attributes: ["dn"]
|
||||
};
|
||||
|
||||
ldapclient.on("error", function(err) {
|
||||
log.error("Unable to connect to LDAP server", err);
|
||||
callback(!err);
|
||||
});
|
||||
|
||||
ldapclient.bind(config.ldap.searchDN.rootDN, config.ldap.searchDN.rootPassword, function(err) {
|
||||
if (err) {
|
||||
log.error("Invalid LDAP root credentials");
|
||||
ldapclient.unbind();
|
||||
callback(false);
|
||||
} else {
|
||||
ldapclient.search(base, searchOptions, function(err2, res) {
|
||||
if (err2) {
|
||||
log.warning("User not found: ", userDN);
|
||||
ldapclient.unbind();
|
||||
callback(false);
|
||||
} else {
|
||||
let found = false;
|
||||
res.on("searchEntry", function(entry) {
|
||||
found = true;
|
||||
const bindDN = entry.objectName;
|
||||
log.info("Auth against LDAP ", config.ldap.url, " with found bindDN ", bindDN);
|
||||
ldapclient.unbind();
|
||||
|
||||
_ldapAuthCommon(manager, client, user, bindDN, password, callback);
|
||||
});
|
||||
res.on("error", function(err3) {
|
||||
log.error("LDAP error: ", err3);
|
||||
callback(false);
|
||||
});
|
||||
res.on("end", function() {
|
||||
if (!found) {
|
||||
callback(false);
|
||||
}
|
||||
});
|
||||
}
|
||||
});
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
module.exports = advancedLdapAuth;
|
21
src/plugins/auth/ldap.js
Normal file
21
src/plugins/auth/ldap.js
Normal file
|
@ -0,0 +1,21 @@
|
|||
"use strict";
|
||||
|
||||
const Helper = require("../../helper");
|
||||
const _ldapAuthCommon = require("./_ldapCommon");
|
||||
|
||||
function ldapAuth(manager, client, user, password, callback) {
|
||||
if (!user) {
|
||||
return callback(false);
|
||||
}
|
||||
|
||||
const config = Helper.config;
|
||||
|
||||
const userDN = user.replace(/([,\\/#+<>;"= ])/g, "\\$1");
|
||||
const bindDN = config.ldap.primaryKey + "=" + userDN + "," + config.ldap.baseDN;
|
||||
|
||||
log.info("Auth against LDAP ", config.ldap.url, " with provided bindDN ", bindDN);
|
||||
|
||||
_ldapAuthCommon(manager, client, user, bindDN, password, callback);
|
||||
}
|
||||
|
||||
module.exports = ldapAuth;
|
38
src/plugins/auth/local.js
Normal file
38
src/plugins/auth/local.js
Normal file
|
@ -0,0 +1,38 @@
|
|||
"use strict";
|
||||
|
||||
const Helper = require("../../helper");
|
||||
const colors = require("colors/safe");
|
||||
|
||||
function localAuth(manager, client, user, password, callback) {
|
||||
// If no user is found, or if the client has not provided a password,
|
||||
// fail the authentication straight away
|
||||
if (!client || !password) {
|
||||
return callback(false);
|
||||
}
|
||||
|
||||
// If this user has no password set, fail the authentication
|
||||
if (!client.config.password) {
|
||||
log.error(`User ${colors.bold(user)} with no local password set tried to sign in. (Probably a LDAP user)`);
|
||||
return callback(false);
|
||||
}
|
||||
|
||||
Helper.password
|
||||
.compare(password, client.config.password)
|
||||
.then((matching) => {
|
||||
if (matching && Helper.password.requiresUpdate(client.config.password)) {
|
||||
const hash = Helper.password.hash(password);
|
||||
|
||||
client.setPassword(hash, (success) => {
|
||||
if (success) {
|
||||
log.info(`User ${colors.bold(client.name)} logged in and their hashed password has been updated to match new security requirements`);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
callback(matching);
|
||||
}).catch((error) => {
|
||||
log.error(`Error while checking users password. Error: ${error}`);
|
||||
});
|
||||
}
|
||||
|
||||
module.exports = localAuth;
|
117
src/server.js
117
src/server.js
|
@ -11,7 +11,9 @@ var path = require("path");
|
|||
var io = require("socket.io");
|
||||
var dns = require("dns");
|
||||
var Helper = require("./helper");
|
||||
var ldap = require("ldapjs");
|
||||
var ldapAuth = require("./plugins/auth/ldap");
|
||||
var advancedLdapAuth = require("./plugins/auth/advancedLdap");
|
||||
var localAuth = require("./plugins/auth/local");
|
||||
var colors = require("colors/safe");
|
||||
const net = require("net");
|
||||
const Identification = require("./identification");
|
||||
|
@ -372,109 +374,6 @@ function initializeClient(socket, client, generateToken, token) {
|
|||
}
|
||||
}
|
||||
|
||||
function localAuth(client, user, password, callback) {
|
||||
// If no user is found, or if the client has not provided a password,
|
||||
// fail the authentication straight away
|
||||
if (!client || !password) {
|
||||
return callback(false);
|
||||
}
|
||||
|
||||
// If this user has no password set, fail the authentication
|
||||
if (!client.config.password) {
|
||||
log.error(`User ${colors.bold(user)} with no local password set tried to sign in. (Probably a LDAP user)`);
|
||||
return callback(false);
|
||||
}
|
||||
|
||||
Helper.password
|
||||
.compare(password, client.config.password)
|
||||
.then((matching) => {
|
||||
if (matching && Helper.password.requiresUpdate(client.config.password)) {
|
||||
const hash = Helper.password.hash(password);
|
||||
|
||||
client.setPassword(hash, (success) => {
|
||||
if (success) {
|
||||
log.info(`User ${colors.bold(client.name)} logged in and their hashed password has been updated to match new security requirements`);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
callback(matching);
|
||||
}).catch((error) => {
|
||||
log.error(`Error while checking users password. Error: ${error}`);
|
||||
});
|
||||
}
|
||||
|
||||
function ldapAuth(client, user, password, callback) {
|
||||
if (!user) {
|
||||
return callback(false);
|
||||
}
|
||||
var config = Helper.config;
|
||||
var userDN = user.replace(/([,\\/#+<>;"= ])/g, "\\$1");
|
||||
|
||||
var ldapclient = ldap.createClient({
|
||||
url: config.ldap.url,
|
||||
tlsOptions: config.ldap.tlsOptions
|
||||
});
|
||||
|
||||
var base = config.ldap.base;
|
||||
var searchOptions = {
|
||||
scope: config.ldap.scope,
|
||||
filter: "(&(" + config.ldap.primaryKey + "=" + userDN + ")" + config.ldap.filter + ")",
|
||||
attributes: ["dn"]
|
||||
};
|
||||
|
||||
ldapclient.on("error", function(err) {
|
||||
log.error("Unable to connect to LDAP server", err);
|
||||
callback(!err);
|
||||
});
|
||||
|
||||
ldapclient.bind(config.ldap.rootDN, config.ldap.rootPassword, function(err) {
|
||||
if (err) {
|
||||
log.error("Invalid LDAP root credentials");
|
||||
ldapclient.unbind();
|
||||
callback(false);
|
||||
} else {
|
||||
ldapclient.search(base, searchOptions, function(err2, res) {
|
||||
if (err2) {
|
||||
log.warning("User not found: ", userDN);
|
||||
ldapclient.unbind();
|
||||
callback(false);
|
||||
} else {
|
||||
var found = false;
|
||||
res.on("searchEntry", function(entry) {
|
||||
found = true;
|
||||
var bindDN = entry.objectName;
|
||||
log.info("Auth against LDAP ", config.ldap.url, " with bindDN ", bindDN);
|
||||
ldapclient.unbind();
|
||||
var ldapclient2 = ldap.createClient({
|
||||
url: config.ldap.url,
|
||||
tlsOptions: config.ldap.tlsOptions
|
||||
});
|
||||
ldapclient2.bind(bindDN, password, function(err3) {
|
||||
if (!err3 && !client) {
|
||||
if (!manager.addUser(user, null)) {
|
||||
log.error("Unable to create new user", user);
|
||||
}
|
||||
}
|
||||
ldapclient2.unbind();
|
||||
callback(!err3);
|
||||
});
|
||||
});
|
||||
res.on("error", function(err3) {
|
||||
log.error("LDAP error: ", err3);
|
||||
callback(false);
|
||||
});
|
||||
res.on("end", function() {
|
||||
if (!found) {
|
||||
callback(false);
|
||||
}
|
||||
});
|
||||
}
|
||||
});
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
function performAuthentication(data) {
|
||||
const socket = this;
|
||||
let client;
|
||||
|
@ -538,11 +437,17 @@ function performAuthentication(data) {
|
|||
}
|
||||
|
||||
// Perform password checking
|
||||
let auth = function() {};
|
||||
if (!Helper.config.public && Helper.config.ldap.enable) {
|
||||
ldapAuth(client, data.user, data.password, authCallback);
|
||||
if ("baseDN" in Helper.config.ldap) {
|
||||
auth = ldapAuth;
|
||||
} else {
|
||||
auth = advancedLdapAuth;
|
||||
}
|
||||
} else {
|
||||
localAuth(client, data.user, data.password, authCallback);
|
||||
auth = localAuth;
|
||||
}
|
||||
auth(manager, client, data.user, data.password, authCallback);
|
||||
}
|
||||
|
||||
function reverseDnsLookup(ip, callback) {
|
||||
|
|
Loading…
Reference in a new issue