Merge pull request #238 from ammmze/feature/ldap

Feature/ldap

README.md

@@ -216,6 +216,8 @@ login: demo | password: demodemodemo
 
 This user data is populated to the database if there is not already any user data in it. [It is possible to alter the default user seed data.](DEFAULTUSERSEEDDATA.md)
 
+You may also configure konga to authenticate via [LDAP](./docs/LDAP.md).
+
 ## Upgrading
 In some cases a newer version of Konga may introduce new db tables, collections or changes in schemas.
 The only thing you need to do is to start Konga in dev mode once so that the migrations will be applied.

api/services/Passport.js

@@ -25,6 +25,8 @@
  */
 
 // Module dependencies
+var LdapStrategy = require('passport-ldapauth');
+var ldapConf = require("../../config/ldap");
 var passport = require('passport');
 var path = require('path');
 var url = require('url');
@@ -198,10 +200,14 @@ passport.endpoint = function endpoint(request, response) {
 passport.callback = function callback(request, response, next) {
   sails.log.verbose(__filename + ':' + __line + ' [Service.Passport.callback() called]');
 
-  var provider = request.param('provider', 'local');
+  var provider = request.param('provider', process.env.KONGA_AUTH_PROVIDER  || 'local');
   var action = request.param('action');
 
-  if (provider === 'local' && action !== undefined) {
+  if (provider === 'ldap') {
+    passport.use(new LdapStrategy(ldapConf));
+    this.authenticate('ldapauth',
+      this.protocols.ldap.getResolver(next))(request, response, response.next);
+  } else if (provider === 'local' && action !== undefined) {
     if (action === 'connect' && request.user) {
       this.protocols.local.connect(request, response, next);
     } else {

api/services/protocols/index.js

@@ -16,6 +16,7 @@
 module.exports = {
   local: require('./local'),
   oauth: require('./oauth'),
+  ldap: require('./ldap'),
   oauth2: require('./oauth2'),
   openid: require('./openid')
 };

api/services/protocols/ldap.js

@@ -0,0 +1,93 @@
+var _ = require('lodash');
+var adminGroup = new RegExp(process.env.KONGA_ADMIN_GROUP_REG || "^(admin|konga)$");
+var ldapAttrMap = {
+    username: process.env.KONGA_LDAP_ATTR_USERNAME || 'uid',
+    firstName: process.env.KONGA_LDAP_ATTR_FIRSTNAME || 'givenName',
+    lastName: process.env.KONGA_LDAP_ATTR_LASTNAME || 'sn',
+    email: process.env.KONGA_LDAP_ATTR_EMAIL || 'mail'
+};
+var commonName = /^cn=([^,]+),.*/;
+
+var ldapToUser = function (ldapUser, user, next) {
+    var data = _.clone(user || {});
+    data.active = true;
+
+    // copy attributes from the ldap user to the konga user using the ldapAttrMap
+    for (var userAttr in ldapAttrMap) {
+        if (ldapAttrMap.hasOwnProperty(userAttr)) {
+            data[userAttr] = ldapUser[ldapAttrMap[userAttr]];
+        }
+    }
+
+    if (data && data.id) {
+        sails.models.user.update({id: data.id}, data).exec(function(err) {
+            if (err) {
+                console.error("Failed to update user from ldap", err);
+                next(err);
+            } else {
+                setAdminStatus(ldapUser, data, next);
+            }
+        });
+    } else {
+        sails.models.user.create(data).exec(function (err, user) {
+            if (err) {
+                console.error("Failed to create user from ldap", err);
+                next(err);
+            } else {
+                setAdminStatus(ldapUser, user, next);
+            }
+        });
+    }
+}
+
+var group_test = function (group) {
+    return adminGroup.test(group.cn);
+}
+
+var member_test = function (group) {
+     return adminGroup.test(commonName.replace(group, "$1"));
+}
+
+var setAdminStatus = function (ldapUser, user, next) {
+    user.admin =
+        _.findIndex(ldapUser._groups, group_test) > -1 ||
+        _.findIndex(ldapUser.memberOf, member_test) > -1;
+    next(null, user);
+}
+
+/**
+ * Resolve LDAP user
+ *
+ * This function can be used to create a user in the local db to store
+ * users' roles locally
+ *
+ * @param {Request}   request
+ * @param {Response}  response
+ * @param {Function}  next
+ */
+exports.getResolver = function getResolver(next) {
+    return function resolveUser(err, result, message) {
+        if (result === false || typeof result === 'undefined') {
+            console.error('failed to resolve user', err, message);
+            var error = message;
+            next(error);
+        } else {
+            var ldapUser = result;
+            sails.models.user
+                .findOne({ // UID is the default, but the LDAP provider could be ActiveDirectory
+                    username: (ldapUser.uid || ldapUser.sAMAccountName)
+                })
+                .populate('node')
+                .exec(function onExec(error, user) {
+                    if (error) {
+                        // Dunno, something bad happened
+                        console.error('failed to look up existing user', error);
+                        next(error);
+                    } else {
+                        // sync the ldap user to konga user
+                        ldapToUser(ldapUser, user, next);
+                    }
+                })
+        }
+    };
+}

config/ldap.js

@@ -0,0 +1,24 @@
+var _ = require('lodash');
+
+var groupFilter = process.env.KONGA_LDAP_GROUP_SEARCH_FILTER || '(|(memberUid={{uid}})(memberUid={{uidNumber}})(sAMAccountName={{uid}}))';
+var groupFilterTemplate = _.template(groupFilter, {
+    // use {{...}} syntax for template variables
+    interpolate: /{{([\s\S]+?)}}/g
+});
+module.exports = {
+    server: {
+        url: process.env.KONGA_LDAP_HOST || 'ldap://localhost:389',
+        bindDN: process.env.KONGA_LDAP_BIND_DN,
+        bindCredentials: process.env.KONGA_LDAP_BIND_PASSWORD,
+        searchAttributes: (process.env.KONGA_LDAP_USER_ATTRS || 'uid,uidNumber,givenName,sn,mail').split(','),
+        searchBase: process.env.KONGA_LDAP_USER_SEARCH_BASE || "ou=users,dc=com",
+        searchFilter: process.env.KONGA_LDAP_USER_SEARCH_FILTER || '(|(uid={{username}})(sAMAccountName={{username}}))',
+        groupSearchAttributes: (process.env.KONGA_LDAP_GROUP_ATTRS || 'cn').split(','),
+        groupSearchBase: process.env.KONGA_LDAP_GROUP_SEARCH_BASE || 'ou=groups,dc=com',
+        groupSearchFilter: function (user) {
+            return groupFilterTemplate(user);
+        }
+    },
+    usernameField: 'identifier',
+    passwordField: 'password'
+};

docs/LDAP.md

@@ -0,0 +1,24 @@
+# LDAP
+
+With the LDAP integration, you can authenticate via your LDAP server. Currently the application does need the user to be in the konga user database for the user profile page to display properly, so we currently will sync any LDAP authenticated user into the konga user database upon each login. In the future, perhaps the user profile page will be read-only for LDAP authentication? Or maybe it can sync the data back up to the LDAP server?
+
+## Configuration
+
+| Environment Variable | Default | Description |
+| --- | --- | --- |
+| `KONGA_AUTH_PROVIDER` | `local` | **Set this to `ldap` to switch auth provider to LDAP** |
+| `KONGA_LDAP_HOST` | `ldap://localhost:389` | The location of the LDAP server |
+| `KONGA_LDAP_BIND_DN` | *no default* | The DN that the konga should use to login to LDAP to search users |
+| `KONGA_LDAP_BIND_PASSWORD` | *no default* | The password for the user konga will use to search for users |
+| `KONGA_LDAP_USER_SEARCH_BASE` | `ou=users,dc=com` | The base DN used to search for users |
+| `KONGA_LDAP_USER_SEARCH_FILTER` | `(|(uid={{username}})(sAMAccountName={{username}}))` | The filter expression used to search for users. Use `{{username}}` where you expect the username to be. |
+| `KONGA_LDAP_USER_ATTRS` | `uid,uidNumber,givenName,sn,mail` | Comma separated list of attributes to pull from the LDAP server for users |
+| `KONGA_LDAP_GROUP_SEARCH_BASE` | `ou=groups,dc=com` | The base DN used to search for groups |
+| `KONGA_LDAP_GROUP_SEARCH_FILTER` | `(|(memberUid={{uid}})(memberUid={{uidNumber}})(sAMAccountName={{uid}}))` | The filter expression used to search for groups. Use `{{some-attr}}` where you expect a user attribute to be or `{{dn}}` for the user `dn`. |
+| `KONGA_LDAP_GROUP_ATTRS` | `cn` | Comma separated list of attributes to pull from the LDAP server for groups |
+| `KONGA_ADMIN_GROUP_REG` | `^(admin|konga)$` | Regular expression used to determine if a group should be considered as an admin user |
+| `KONGA_LDAP_ATTR_USERNAME` | `uid` | LDAP attribute name that should be used as the konga username |
+| `KONGA_LDAP_ATTR_FIRSTNAME` | `givenName` | LDAP attribute name that should be used as the konga user's first name |
+| `KONGA_LDAP_ATTR_LASTNAME` | `sn` | LDAP attribute name that should be used as the konga user's last name |
+| `KONGA_LDAP_ATTR_EMAIL` | `mail` | LDAP attribute name that should be used as the konga user's email address |
+

package.json

@@ -46,6 +46,7 @@
     "nodemailer": "^4.6.7",
     "nodemailer-mailgun-transport": "^1.4.0",
     "passport": "0.3.0",
+    "passport-ldapauth": "^2.0.0",
     "passport-local": "1.0.0",
     "rc": "^1.2.8",
     "sails": "~0.12.14",