From 02e99277146d8bd912f2f19af1d3e94a6181d90d Mon Sep 17 00:00:00 2001
From: alecdwm
Date: Tue, 13 Dec 2016 22:31:35 +0100
Subject: Initial support for LDAP server authentication

Limitations as of this commit:
- tlsOptions can only be specified in config.json, not as env vars
- authentication failures are not yet gracefully handled by the UI
- instead the error message is shown on a blank page (/auth/ldap)
- no email address is associated with the LDAP user's account
- no picture/profile URL is associated with the LDAP user's account
- we might have to generate our own access + refresh tokens, because we aren't using oauth. The currently generated tokens are just a placeholder.
- 'LDAP Sign in' needs to be translated to each locale
---
lib/auth.js | 33 ++++++++++++++++++++++++++++++++-
lib/config.js | 26 ++++++++++++++++++++++++++
lib/response.js | 2 ++
3 files changed, 60 insertions(+), 1 deletion(-)
(limited to 'lib')

diff --git a/lib/auth.js b/lib/auth.js
index f167cede..1e21eb9f 100644
--- a/lib/auth.js
+++ b/lib/auth.js
@@ -7,6 +7,7 @@ var GithubStrategy = require('passport-github').Strategy;
 var GitlabStrategy = require('passport-gitlab2').Strategy;
 var DropboxStrategy = require('passport-dropbox-oauth2').Strategy;
 var GoogleStrategy = require('passport-google-oauth20').Strategy;
+var LdapStrategy = require('passport-ldapauth');
 var LocalStrategy = require('passport-local').Strategy;
 var validator = require('validator');
@@ -110,6 +111,36 @@ if (config.google) {
 callbackURL: config.serverurl + '/auth/google/callback'
 }, callback));
 }
+// ldap
+if (config.ldap) {
+ passport.use(new LdapStrategy({
+ server: {
+ url: config.ldap.url || null,
+ bindDn: config.ldap.bindDn || null,
+ bindCredentials: config.ldap.bindCredentials || null,
+ searchBase: config.ldap.searchBase || null,
+ searchFilter: config.ldap.searchFilter || null,
+ searchAttributes: config.ldap.searchAttributes || null,
+ tlsOptions: config.ldap.tlsOptions || null
+ },
+ },
+ function(user, done) {
+ var profile = {
+ id: 'LDAP-' + user.uidNumber,
+ username: user.uid,
+ displayName: user.displayName,
+ emails: [],
+ avatarUrl: null,
+ profileUrl: null,
+ provider: 'ldap',
+ }
+ var stringifiedProfile = JSON.stringify(profile);
+ // TODO: Generate secure tokens for LDAP users
+ var accessToken = 'debug-access-token|LDAP-' + user.uidNumber + '|' + config.ldap.tokenSecret + '|' + new Date().getTime();
+ var refreshToken = 'debug-refresh-token|LDAP-' + user.uidNumber + '|' + config.ldap.tokenSecret + '|' + new Date().getTime();
+ callback(accessToken, refreshToken, profile, done);
+ }));
+}
 // email
 if (config.email) {
 passport.use(new LocalStrategy({
@@ -130,4 +161,4 @@ if (config.email) {
 return done(err);
 });
 }));
-}
\ No newline at end of file
+}
diff --git a/lib/config.js b/lib/config.js
index 669fcaa8..a44c279b 100644
--- a/lib/config.js
+++ b/lib/config.js
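Review bot: The account identity on the `id: 'LDAP-' + user.uidNumber` line depends on a posixAccount attribute that the directory may not return for a given entry, or at all once `searchAttributes` is restricted; every such user would then get the same `'LDAP-undefined'` id and be merged into one account. Key the profile on a value the search entry always carries (ldapjs entries expose the entry's `dn`, so something like `id: 'LDAP-' + user.dn`), or fail the login with `return done(null, false);` when the attribute is missing. Separately, both placeholder token strings splice `config.ldap.tokenSecret` into the value handed to `callback` (defined outside the hunk), so the configured secret ends up inside whatever those tokens are stored or compared against; even as a stopgap, an opaque value such as `require('crypto').randomBytes(32).toString('hex')` would not expose it. `stringifiedProfile` is assigned but never read and can be dropped.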
@@ -93,6 +93,31 @@ var google = (process.env.HMD_GOOGLE_CLIENTID && process.env.HMD_GOOGLE_CLIENTSE
 clientID: process.env.HMD_GOOGLE_CLIENTID,
 clientSecret: process.env.HMD_GOOGLE_CLIENTSECRET
 } : config.google || false;
+var ldap = config.ldap || (
+ process.env.HMD_LDAP_URL ||
+ process.env.HMD_LDAP_BINDDN ||
+ process.env.HMD_LDAP_BINDCREDENTIALS ||
+ process.env.HMD_LDAP_TOKENSECRET ||
+ process.env.HMD_LDAP_SEARCHBASE ||
+ process.env.HMD_LDAP_SEARCHFILTER ||
+ process.env.HMD_LDAP_SEARCHATTRIBUTES
+) || false;
+if (ldap == true)
+ ldap = {};
+if (process.env.HMD_LDAP_URL)
+ ldap.url = process.env.HMD_LDAP_URL;
+if (process.env.HMD_LDAP_BINDDN)
+ ldap.bindDn = process.env.HMD_LDAP_BINDDN;
+if (process.env.HMD_LDAP_BINDCREDENTIALS)
+ ldap.bindCredentials = process.env.HMD_LDAP_BINDCREDENTIALS;
+if (process.env.HMD_LDAP_TOKENSECRET)
+ ldap.tokenSecret = process.env.HMD_LDAP_TOKENSECRET;
+if (process.env.HMD_LDAP_SEARCHBASE)
+ ldap.searchBase = process.env.HMD_LDAP_SEARCHBASE;
+if (process.env.HMD_LDAP_SEARCHFILTER)
+ ldap.searchFilter = process.env.HMD_LDAP_SEARCHFILTER;
+if (process.env.HMD_LDAP_SEARCHATTRIBUTES)
+ ldap.searchAttributes = process.env.HMD_LDAP_SEARCHATTRIBUTES;
 var imgur = process.env.HMD_IMGUR_CLIENTID || config.imgur || false;
 var email = process.env.HMD_EMAIL || config.email || false;
@@ -151,6 +176,7 @@ module.exports = {
 gitlab: gitlab,
 dropbox: dropbox,
 google: google,
+ ldap: ldap,
 imgur: imgur,
 email: email,
 imageUploadType: imageUploadType,
diff --git a/lib/response.js b/lib/response.js
index aae39851..f0f49181 100755
--- a/lib/response.js
+++ b/lib/response.js
@@ -66,6 +67,7 @@ function showIndex(req, res, next) {
 gitlab: config.gitlab,
 dropbox: config.dropbox,
 google: config.google,
+ ldap: config.ldap,
 email: config.email,
 signin: req.isAuthenticated(),
 infoMessage: req.flash('info'),
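Review bot: The `if (ldap == true)` guard never fires on the env-var-only path: when `config.ldap` is unset, the `||` chain above it evaluates to the first non-empty env string (for example the value of `HMD_LDAP_URL`), a non-empty string is not loosely equal to `true`, so `ldap` stays a string and the following `ldap.url = …` assignments either silently do nothing or throw a TypeError under strict mode. lib/auth.js then sees a truthy `config.ldap` whose `.url` and `.tokenSecret` are `undefined`. Replacing the guard with `if (ldap && typeof ldap !== 'object') ldap = {};` keeps the `ldap: true` config.json case working and makes the env-var path actually build an object; alternatively build the object inside a ternary the way the `config.google || false` block above does. Note also that env vars are merged over a config.json object here rather than replacing it wholesale as the other providers do; if that is intended, a one-line comment saying so would save the next reader a double-take.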
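Review bot: The added `ldap: config.ldap` in showIndex hands the complete LDAP configuration object — which, per lib/config.js in this same commit, carries `bindCredentials` and `tokenSecret` — into the render locals, and the responseHackMD hunk in the same file does the same. The neighbouring `google`/`dropbox` entries already follow this pattern, so it is not new, but if the template only needs to know whether LDAP sign-in is enabled, passing `ldap: Boolean(config.ldap)` keeps the bind password and token secret out of the view scope altogether. The template's use of the value is outside this diff, so confirm nothing serializes the locals to the client before relying on that.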
@@ -98,6 +99,7 @@ function responseHackMD(res, note) {
 gitlab: config.gitlab,
 dropbox: config.dropbox,
 google: config.google,
+ ldap: config.ldap,
 email: config.email
 });
 }
-- 
cgit v1.2.3