summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--README.md9
-rw-r--r--app.js6
-rw-r--r--config.json.example12
-rw-r--r--lib/auth.js33
-rw-r--r--lib/config.js26
-rwxr-xr-xlib/response.js2
-rw-r--r--locales/en.json3
-rw-r--r--package.json1
-rw-r--r--public/views/index.ejs5
-rw-r--r--public/views/signin-ldap-modal.ejs35
-rw-r--r--public/views/signin-modal.ejs10
11 files changed, 135 insertions, 7 deletions
diff --git a/README.md b/README.md
index bdf97ee2..442cbd5c 100644
--- a/README.md
+++ b/README.md
@@ -131,6 +131,13 @@ Environment variables (will overwrite other server configs)
| HMD_DROPBOX_CLIENTSECRET | no example | Dropbox API client secret |
| HMD_GOOGLE_CLIENTID | no example | Google API client id |
| HMD_GOOGLE_CLIENTSECRET | no example | Google API client secret |
+| HMD_LDAP_URL | ldap://example.com | url of LDAP server |
+| HMD_LDAP_BINDDN | no example | bindDn for LDAP access |
+| HMD_LDAP_BINDCREDENTIALS | no example | bindCredentials for LDAP access |
+| HMD_LDAP_TOKENSECRET | supersecretkey | secret used for generating access/refresh tokens |
+| HMD_LDAP_SEARCHBASE | o=users,dc=example,dc=com | LDAP directory to begin search from |
+| HMD_LDAP_SEARCHFILTER | (uid={{username}}) | LDAP filter to search with |
+| HMD_LDAP_SEARCHATTRIBUTES | no example | LDAP attributes to search with |
| HMD_IMGUR_CLIENTID | no example | Imgur API client id |
| HMD_EMAIL | `true` or `false` | set to allow email register and signin |
| HMD_IMAGE_UPLOAD_TYPE | `imgur`, `s3` or `filesystem` | Where to upload image. For S3, see our [S3 Image Upload Guide](docs/guides/s3-image-upload.md) |
@@ -182,7 +189,7 @@ Third-party integration api key settings
| service | settings location | description |
| ------- | --------- | ----------- |
-| facebook, twitter, github, gitlab, dropbox, google | environment variables or `config.json` | for signin |
+| facebook, twitter, github, gitlab, dropbox, google, ldap | environment variables or `config.json` | for signin |
| imgur | environment variables or `config.json` | for image upload |
| google drive, dropbox | `public/js/config.js` | for export and import |
diff --git a/app.js b/app.js
index 0d78a153..44054961 100644
--- a/app.js
+++ b/app.js
@@ -380,6 +380,12 @@ if (config.google) {
failureRedirect: config.serverurl + '/'
}));
}
+// ldap auth
+if (config.ldap) {
+ app.post('/auth/ldap', urlencodedParser,
+ passport.authenticate('ldapauth', { successRedirect: '/' })
+ );
+}
// email auth
if (config.email) {
app.post('/register', urlencodedParser, function (req, res, next) {
diff --git a/config.json.example b/config.json.example
index 22fd5c92..642df4f6 100644
--- a/config.json.example
+++ b/config.json.example
@@ -45,6 +45,18 @@
"clientID": "change this",
"clientSecret": "change this"
},
+ "ldap": {
+ "url": "ldap://change_this",
+ "bindDn": null,
+ "bindCredentials": null,
+ "tokenSecret": "change this",
+ "searchBase": "change this",
+ "searchFilter": "change this",
+ "searchAttributes": "change this",
+ "tlsOptions": {
+ "changeme": "See https://nodejs.org/api/tls.html#tls_tls_connect_options_callback"
+ }
+ },
"imgur": {
"clientID": "change this"
}
diff --git a/lib/auth.js b/lib/auth.js
index f167cede..1e21eb9f 100644
--- a/lib/auth.js
+++ b/lib/auth.js
@@ -7,6 +7,7 @@ var GithubStrategy = require('passport-github').Strategy;
var GitlabStrategy = require('passport-gitlab2').Strategy;
var DropboxStrategy = require('passport-dropbox-oauth2').Strategy;
var GoogleStrategy = require('passport-google-oauth20').Strategy;
+var LdapStrategy = require('passport-ldapauth');
var LocalStrategy = require('passport-local').Strategy;
var validator = require('validator');
@@ -110,6 +111,36 @@ if (config.google) {
callbackURL: config.serverurl + '/auth/google/callback'
}, callback));
}
+// ldap
+if (config.ldap) {
+ passport.use(new LdapStrategy({
+ server: {
+ url: config.ldap.url || null,
+ bindDn: config.ldap.bindDn || null,
+ bindCredentials: config.ldap.bindCredentials || null,
+ searchBase: config.ldap.searchBase || null,
+ searchFilter: config.ldap.searchFilter || null,
+ searchAttributes: config.ldap.searchAttributes || null,
+ tlsOptions: config.ldap.tlsOptions || null
+ },
+ },
+ function(user, done) {
+ var profile = {
+ id: 'LDAP-' + user.uidNumber,
+ username: user.uid,
+ displayName: user.displayName,
+ emails: [],
+ avatarUrl: null,
+ profileUrl: null,
+ provider: 'ldap',
+ }
+ var stringifiedProfile = JSON.stringify(profile);
+ // TODO: Generate secure tokens for LDAP users
+ var accessToken = 'debug-access-token|LDAP-' + user.uidNumber + '|' + config.ldap.tokenSecret + '|' + new Date().getTime();
+ var refreshToken = 'debug-refresh-token|LDAP-' + user.uidNumber + '|' + config.ldap.tokenSecret + '|' + new Date().getTime();
+ callback(accessToken, refreshToken, profile, done);
+ }));
+}
// email
if (config.email) {
passport.use(new LocalStrategy({
@@ -130,4 +161,4 @@ if (config.email) {
return done(err);
});
}));
-} \ No newline at end of file
+}
diff --git a/lib/config.js b/lib/config.js
index 669fcaa8..a44c279b 100644
--- a/lib/config.js
+++ b/lib/config.js
@@ -93,6 +93,31 @@ var google = (process.env.HMD_GOOGLE_CLIENTID && process.env.HMD_GOOGLE_CLIENTSE
clientID: process.env.HMD_GOOGLE_CLIENTID,
clientSecret: process.env.HMD_GOOGLE_CLIENTSECRET
} : config.google || false;
+var ldap = config.ldap || (
+ process.env.HMD_LDAP_URL ||
+ process.env.HMD_LDAP_BINDDN ||
+ process.env.HMD_LDAP_BINDCREDENTIALS ||
+ process.env.HMD_LDAP_TOKENSECRET ||
+ process.env.HMD_LDAP_SEARCHBASE ||
+ process.env.HMD_LDAP_SEARCHFILTER ||
+ process.env.HMD_LDAP_SEARCHATTRIBUTES
+) || false;
+if (ldap == true)
+ ldap = {};
+if (process.env.HMD_LDAP_URL)
+ ldap.url = process.env.HMD_LDAP_URL;
+if (process.env.HMD_LDAP_BINDDN)
+ ldap.bindDn = process.env.HMD_LDAP_BINDDN;
+if (process.env.HMD_LDAP_BINDCREDENTIALS)
+ ldap.bindCredentials = process.env.HMD_LDAP_BINDCREDENTIALS;
+if (process.env.HMD_LDAP_TOKENSECRET)
+ ldap.tokenSecret = process.env.HMD_LDAP_TOKENSECRET;
+if (process.env.HMD_LDAP_SEARCHBASE)
+ ldap.searchBase = process.env.HMD_LDAP_SEARCHBASE;
+if (process.env.HMD_LDAP_SEARCHFILTER)
+ ldap.searchFilter = process.env.HMD_LDAP_SEARCHFILTER;
+if (process.env.HMD_LDAP_SEARCHATTRIBUTES)
+ ldap.searchAttributes = process.env.HMD_LDAP_SEARCHATTRIBUTES;
var imgur = process.env.HMD_IMGUR_CLIENTID || config.imgur || false;
var email = process.env.HMD_EMAIL || config.email || false;
@@ -151,6 +176,7 @@ module.exports = {
gitlab: gitlab,
dropbox: dropbox,
google: google,
+ ldap: ldap,
imgur: imgur,
email: email,
imageUploadType: imageUploadType,
diff --git a/lib/response.js b/lib/response.js
index aae39851..f0f49181 100755
--- a/lib/response.js
+++ b/lib/response.js
@@ -66,6 +66,7 @@ function showIndex(req, res, next) {
gitlab: config.gitlab,
dropbox: config.dropbox,
google: config.google,
+ ldap: config.ldap,
email: config.email,
signin: req.isAuthenticated(),
infoMessage: req.flash('info'),
@@ -98,6 +99,7 @@ function responseHackMD(res, note) {
gitlab: config.gitlab,
dropbox: config.dropbox,
google: config.google,
+ ldap: config.ldap,
email: config.email
});
}
diff --git a/locales/en.json b/locales/en.json
index f1f0d140..dda317f1 100644
--- a/locales/en.json
+++ b/locales/en.json
@@ -100,5 +100,6 @@
"Select From Available Snippets": "Select From Available Snippets",
"OR": "OR",
"Export to Snippet": "Export to Snippet",
- "Select Visibility Level": "Select Visibility Level"
+ "Select Visibility Level": "Select Visibility Level",
+ "LDAP Sign in": "LDAP Sign in"
} \ No newline at end of file
diff --git a/package.json b/package.json
index 5203e54b..4ef10312 100644
--- a/package.json
+++ b/package.json
@@ -85,6 +85,7 @@
"passport-github": "^1.1.0",
"passport-gitlab2": "^2.2.0",
"passport-google-oauth20": "^1.0.0",
+ "passport-ldapauth": "^0.6.0",
"passport-local": "^1.0.0",
"passport-twitter": "^1.0.4",
"passport.socketio": "^3.6.2",
diff --git a/public/views/index.ejs b/public/views/index.ejs
index 2bec7de0..baca1417 100644
--- a/public/views/index.ejs
+++ b/public/views/index.ejs
@@ -57,7 +57,7 @@
<% if (errorMessage && errorMessage.length > 0) { %>
<div class="alert alert-danger" style="max-width: 400px; margin: 0 auto;"><%= errorMessage %></div>
<% } %>
- <% if(facebook || twitter || github || gitlab || dropbox || google || email) { %>
+ <% if(facebook || twitter || github || gitlab || dropbox || google || ldap || email) { %>
<span class="ui-signin">
<br>
<a type="button" class="btn btn-lg btn-success ui-signin" data-toggle="modal" data-target=".signin-modal" style="min-width: 170px;"><%= __('Sign In') %></a>
@@ -93,7 +93,7 @@
</div>
<div id="history" class="section"<% if(!signin) { %> style="display:none;"<% } %>>
- <% if(facebook || twitter || github || gitlab || dropbox || google || email) { %>
+ <% if(facebook || twitter || github || gitlab || dropbox || google || ldap || email) { %>
<div class="ui-signin">
<p><%= __('Below is the history from browser') %></p>
</div>
@@ -192,6 +192,7 @@
</div>
</div>
<%- include signin-modal %>
+ <%- include signin-ldap-modal %>
<% if(useCDN) { %>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js" integrity="sha256-hVVnYaiADRTO2PzUGmuLJr8BLUSjGIZsDYGmIJLv2b8=" crossorigin="anonymous"></script>
diff --git a/public/views/signin-ldap-modal.ejs b/public/views/signin-ldap-modal.ejs
new file mode 100644
index 00000000..6a665f17
--- /dev/null
+++ b/public/views/signin-ldap-modal.ejs
@@ -0,0 +1,35 @@
+<!-- signin ldap modal -->
+<div class="modal fade signin-ldap-modal" tabindex="-1" role="dialog" aria-labelledby="mySmallModalLabel" aria-hidden="true">
+ <div class="modal-dialog modal-sm">
+ <div class="modal-content">
+ <div class="modal-header">
+ <button type="button" class="close" data-dismiss="modal" aria-label="Close"><span aria-hidden="true">&times;</span>
+ </button>
+ <h4 class="modal-title" id="mySmallModalLabel"><%= __('LDAP Sign in') %></h4>
+ </div>
+ <div class="modal-body" style="text-align: center;">
+ <% if(ldap) { %>
+ <form data-toggle="validator" role="form" class="form-horizontal" method="post" enctype="application/x-www-form-urlencoded">
+ <div class="form-group">
+ <div class="col-sm-12">
+ <input type="username" class="form-control" name="username" placeholder="Username" required>
+ <span class="help-block control-label with-errors" style="display: inline;"></span>
+ </div>
+ </div>
+ <div class="form-group">
+ <div class="col-sm-12">
+ <input type="password" class="form-control" name="password" placeholder="Password" required>
+ <span class="help-block control-label with_errors" style="display: inline;"></span>
+ </div>
+ </div>
+ <div class="form-group">
+ <div class="col-sm-12">
+ <button type="submit" class="btn btn-primary" formaction="<%- url %>/auth/ldap">Sign in</button>
+ </div>
+ </div>
+ </form>
+ <% } %>
+ </div>
+ </div>
+ </div>
+</div>
diff --git a/public/views/signin-modal.ejs b/public/views/signin-modal.ejs
index acbad256..ba6c57ff 100644
--- a/public/views/signin-modal.ejs
+++ b/public/views/signin-modal.ejs
@@ -38,7 +38,13 @@
<i class="fa fa-google"></i> <%= __('Sign in via %s', 'Google') %>
</a>
<% } %>
- <% if((facebook || twitter || github || gitlab || dropbox || google) && email) { %>
+ <% if(ldap) { %>
+ <a type="button" class="btn btn-lg btn-block btn-social btn-reddit "data-toggle="modal" data-target=".signin-ldap-modal">
+ <i class="fa fa-book"></i> <%= __('Sign in via %s', 'LDAP') %>
+ </a>
+ <% } %>
+
+ <% if((facebook || twitter || github || gitlab || dropbox || google || ldap) && email) { %>
<hr>
<% }%>
<% if(email) { %>
@@ -67,4 +73,4 @@
</div>
</div>
</div>
-</div> \ No newline at end of file
+</div>