From 27cfdf30e7909be67cfebdc3542ca70cad1154c3 Mon Sep 17 00:00:00 2001 From: Michael Gloystein Date: Wed, 30 May 2018 10:19:41 -0600 Subject: [PATCH 1/3] Adding LDAP as authentication method --- api/services/Passport.js | 10 ++++- api/services/protocols/index.js | 1 + api/services/protocols/ldap.js | 73 +++++++++++++++++++++++++++++++++ config/ldap.js | 16 ++++++++ package.json | 1 + 5 files changed, 99 insertions(+), 2 deletions(-) create mode 100644 api/services/protocols/ldap.js create mode 100644 config/ldap.js diff --git a/api/services/Passport.js b/api/services/Passport.js index b0ea0a959..9f48e999d 100644 --- a/api/services/Passport.js +++ b/api/services/Passport.js @@ -25,6 +25,8 @@ */ // Module dependencies +var LdapStrategy = require('passport-ldapauth'); +var ldapConf = require("../../config/ldap"); var passport = require('passport'); var path = require('path'); var url = require('url'); @@ -198,10 +200,14 @@ passport.endpoint = function endpoint(request, response) { passport.callback = function callback(request, response, next) { sails.log.verbose(__filename + ':' + __line + ' [Service.Passport.callback() called]'); - var provider = request.param('provider', 'local'); + var provider = request.param('provider', process.env.KONGA_AUTH_PROVIDER || 'local'); var action = request.param('action'); - if (provider === 'local' && action !== undefined) { + if (provider === 'ldap') { + passport.use(new LdapStrategy(ldapConf)); + this.authenticate('ldapauth', + this.protocols.ldap.resolve(request, response, next))(request, response, response.next); + } else if (provider === 'local' && action !== undefined) { if (action === 'connect' && request.user) { this.protocols.local.connect(request, response, next); } else { diff --git a/api/services/protocols/index.js b/api/services/protocols/index.js index 4f807f05f..e2f2c05c4 100644 --- a/api/services/protocols/index.js +++ b/api/services/protocols/index.js @@ -16,6 +16,7 @@ module.exports = { local: require('./local'), oauth: require('./oauth'), + ldap: require('./ldap'), oauth2: require('./oauth2'), openid: require('./openid') }; diff --git a/api/services/protocols/ldap.js b/api/services/protocols/ldap.js new file mode 100644 index 000000000..c17417416 --- /dev/null +++ b/api/services/protocols/ldap.js @@ -0,0 +1,73 @@ +var _ = require('lodash'); +var adminGroup = new RegExp(process.env.ADMIN_GROUP_REG || null); +var commonName = /^cn=([^,]+),.*/ + +var ldapToUser = function (ldapUser, next) { + var data = { + active: true + } + data.username = ldapUser.uid; + data.firstName = ldapUser.givenName; + data.lastName = ldapUser.sn; + data.email = ldapUser.mail; + + sails.models.user.create(data) + .exec(function (err, user) { + if (err) { + next(err); + } else { + adminStatus(ldapUser, user, next); + } + }); +} + +var group_test = function (group) { + return group.cn === 'admin' || adminGroup.test(group.cn); +} + +var member_test = function (group) { + return group.startsWith('cn=admin') || + adminGroup.test(commonName.replace(group, "$1")); +} + +var adminStatus = function (ldapUser, user, next) { + user.admin = + _.findIndex(ldapUser._groups, group_test) > -1 || + _.findIndex(ldapUser.memberOf, member_test) > -1; + next(null, user); +} + +/** + * Resolve LDAP user + * + * This function can be used to create a user in the local db to store + * users' roles locally + * + * @param {Request} request + * @param {Response} response + * @param {Function} next + */ +exports.resolve = function resolve(request, response, next) { + return function resolveUser(err, result, message) { + if (result === false) { + var error = message; + next(error); + } else { + var ldapUser = result; + sails.models.user + .findOne({ + username: ldapUser.uid || ldapUser.sAMAccountName + }) + .populate('node') + .exec(function onExec(error, user) { + if (error) { + next(error); + } else if (!user) { + ldapToUser(ldapUser, next); + } else { + adminStatus(ldapUser, user, next); + } + }) + } + }; +} \ No newline at end of file diff --git a/config/ldap.js b/config/ldap.js new file mode 100644 index 000000000..2797020ed --- /dev/null +++ b/config/ldap.js @@ -0,0 +1,16 @@ + +module.exports = { + server: { + url: process.env.LDAP_HOST || 'ldap://localhost:389', + bindDN: process.env.LDAP_BIND_USER, + bindCredentials: process.env.LDAP_BIND_PASSWORD, + searchAttributes: ['uid', 'givenName', 'sn', 'mail'], + searchBase: process.env.LDAP_SEARCH || "cn=users,dc=com", + searchFilter: '(|(uid={{username}})(sAMAccountName={{username}}))', + groupSearchAttributes: ['cn'], + groupSearchBase: process.env.LDAP_GROUP_SEARCH || 'cn=groups,cn=accounts,dc=com', + groupSearchFilter: '(member={{dn}})' + }, + usernameField: 'identifier', + passwordField: 'password' +}; \ No newline at end of file diff --git a/package.json b/package.json index 8f1f9b2e5..5ecfa4633 100644 --- a/package.json +++ b/package.json @@ -52,6 +52,7 @@ "nodemailer": "^4.3.1", "nodemailer-mailgun-transport": "^1.3.5", "passport": "0.3.0", + "passport-ldapauth": "^2.0.0", "passport-local": "1.0.0", "rc": "1.0.1", "sails": "~0.12.14", From e11ce37c1d02cdddf4685f689e63553d1ef101c7 Mon Sep 17 00:00:00 2001 From: Michael Gloystein Date: Mon, 4 Jun 2018 11:37:58 -0600 Subject: [PATCH 2/3] Add comments and rename for clarity --- api/services/Passport.js | 2 +- api/services/protocols/ldap.js | 16 ++++++++++------ 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/api/services/Passport.js b/api/services/Passport.js index 9f48e999d..aed143258 100644 --- a/api/services/Passport.js +++ b/api/services/Passport.js @@ -206,7 +206,7 @@ passport.callback = function callback(request, response, next) { if (provider === 'ldap') { passport.use(new LdapStrategy(ldapConf)); this.authenticate('ldapauth', - this.protocols.ldap.resolve(request, response, next))(request, response, response.next); + this.protocols.ldap.getResolver(next))(request, response, response.next); } else if (provider === 'local' && action !== undefined) { if (action === 'connect' && request.user) { this.protocols.local.connect(request, response, next); diff --git a/api/services/protocols/ldap.js b/api/services/protocols/ldap.js index c17417416..adf93f868 100644 --- a/api/services/protocols/ldap.js +++ b/api/services/protocols/ldap.js @@ -16,7 +16,7 @@ var ldapToUser = function (ldapUser, next) { if (err) { next(err); } else { - adminStatus(ldapUser, user, next); + setAdminStatus(ldapUser, user, next); } }); } @@ -30,7 +30,7 @@ var member_test = function (group) { adminGroup.test(commonName.replace(group, "$1")); } -var adminStatus = function (ldapUser, user, next) { +var setAdminStatus = function (ldapUser, user, next) { user.admin = _.findIndex(ldapUser._groups, group_test) > -1 || _.findIndex(ldapUser.memberOf, member_test) > -1; @@ -47,7 +47,7 @@ var adminStatus = function (ldapUser, user, next) { * @param {Response} response * @param {Function} next */ -exports.resolve = function resolve(request, response, next) { +exports.getResolver = function getResolver(next) { return function resolveUser(err, result, message) { if (result === false) { var error = message; @@ -55,17 +55,21 @@ exports.resolve = function resolve(request, response, next) { } else { var ldapUser = result; sails.models.user - .findOne({ - username: ldapUser.uid || ldapUser.sAMAccountName + .findOne({ // UID is the default, but the LDAP provider could be ActiveDirectory + username: (ldapUser.uid || ldapUser.sAMAccountName) }) .populate('node') .exec(function onExec(error, user) { if (error) { + // Dunno, something bad happened next(error); } else if (!user) { + // We've not seen this user yet, so let's create a profile ldapToUser(ldapUser, next); } else { - adminStatus(ldapUser, user, next); + // We trust LDAP explicitly, so we'll check the groups the user + // is a part of evey time they login + setAdminStatus(ldapUser, user, next); } }) } From d5f571ffb1682f55502ab363bd5603c0829d94a9 Mon Sep 17 00:00:00 2001 From: Branden Cash Date: Mon, 9 Jul 2018 10:01:34 -0700 Subject: [PATCH 3/3] updating LDAP integration to sync the LDAP user data to the Konga user each time they login. added some documentation on LDAP configuration --- README.md | 2 ++ api/services/protocols/ldap.js | 60 +++++++++++++++++++++------------- config/ldap.js | 28 ++++++++++------ docs/LDAP.md | 24 ++++++++++++++ 4 files changed, 82 insertions(+), 32 deletions(-) create mode 100644 docs/LDAP.md diff --git a/README.md b/README.md index 131573b5b..e4b9d923e 100644 --- a/README.md +++ b/README.md @@ -214,6 +214,8 @@ login: demo | password: demodemodemo This user data is populated to the database if there is not already any user data in it. [It is possible to alter the default user seed data.](DEFAULTUSERSEEDDATA.md) +You may also configure konga to authenticate via [LDAP](./docs/LDAP.md). + ## Upgrading In some cases a newer version of Konga may introduce new db tables, collections or changes in schemas. The only thing you need to do is to start Konga in dev mode once so that the migrations will be applied. diff --git a/api/services/protocols/ldap.js b/api/services/protocols/ldap.js index adf93f868..2bf114da5 100644 --- a/api/services/protocols/ldap.js +++ b/api/services/protocols/ldap.js @@ -1,33 +1,51 @@ var _ = require('lodash'); -var adminGroup = new RegExp(process.env.ADMIN_GROUP_REG || null); -var commonName = /^cn=([^,]+),.*/ +var adminGroup = new RegExp(process.env.KONGA_ADMIN_GROUP_REG || "^(admin|konga)$"); +var ldapAttrMap = { + username: process.env.KONGA_LDAP_ATTR_USERNAME || 'uid', + firstName: process.env.KONGA_LDAP_ATTR_FIRSTNAME || 'givenName', + lastName: process.env.KONGA_LDAP_ATTR_LASTNAME || 'sn', + email: process.env.KONGA_LDAP_ATTR_EMAIL || 'mail' +}; +var commonName = /^cn=([^,]+),.*/; -var ldapToUser = function (ldapUser, next) { - var data = { - active: true +var ldapToUser = function (ldapUser, user, next) { + var data = _.clone(user || {}); + data.active = true; + + // copy attributes from the ldap user to the konga user using the ldapAttrMap + for (var userAttr in ldapAttrMap) { + if (ldapAttrMap.hasOwnProperty(userAttr)) { + data[userAttr] = ldapUser[ldapAttrMap[userAttr]]; + } } - data.username = ldapUser.uid; - data.firstName = ldapUser.givenName; - data.lastName = ldapUser.sn; - data.email = ldapUser.mail; - sails.models.user.create(data) - .exec(function (err, user) { + if (data && data.id) { + sails.models.user.update({id: data.id}, data).exec(function(err) { if (err) { + console.error("Failed to update user from ldap", err); + next(err); + } else { + setAdminStatus(ldapUser, data, next); + } + }); + } else { + sails.models.user.create(data).exec(function (err, user) { + if (err) { + console.error("Failed to create user from ldap", err); next(err); } else { setAdminStatus(ldapUser, user, next); } }); + } } var group_test = function (group) { - return group.cn === 'admin' || adminGroup.test(group.cn); + return adminGroup.test(group.cn); } var member_test = function (group) { - return group.startsWith('cn=admin') || - adminGroup.test(commonName.replace(group, "$1")); + return adminGroup.test(commonName.replace(group, "$1")); } var setAdminStatus = function (ldapUser, user, next) { @@ -49,7 +67,8 @@ var setAdminStatus = function (ldapUser, user, next) { */ exports.getResolver = function getResolver(next) { return function resolveUser(err, result, message) { - if (result === false) { + if (result === false || typeof result === 'undefined') { + console.error('failed to resolve user', err, message); var error = message; next(error); } else { @@ -62,16 +81,13 @@ exports.getResolver = function getResolver(next) { .exec(function onExec(error, user) { if (error) { // Dunno, something bad happened + console.error('failed to look up existing user', error); next(error); - } else if (!user) { - // We've not seen this user yet, so let's create a profile - ldapToUser(ldapUser, next); } else { - // We trust LDAP explicitly, so we'll check the groups the user - // is a part of evey time they login - setAdminStatus(ldapUser, user, next); + // sync the ldap user to konga user + ldapToUser(ldapUser, user, next); } }) } }; -} \ No newline at end of file +} diff --git a/config/ldap.js b/config/ldap.js index 2797020ed..8ecfdd0ab 100644 --- a/config/ldap.js +++ b/config/ldap.js @@ -1,16 +1,24 @@ +var _ = require('lodash'); +var groupFilter = process.env.KONGA_LDAP_GROUP_SEARCH_FILTER || '(|(memberUid={{uid}})(memberUid={{uidNumber}})(sAMAccountName={{uid}}))'; +var groupFilterTemplate = _.template(groupFilter, { + // use {{...}} syntax for template variables + interpolate: /{{([\s\S]+?)}}/g +}); module.exports = { server: { - url: process.env.LDAP_HOST || 'ldap://localhost:389', - bindDN: process.env.LDAP_BIND_USER, - bindCredentials: process.env.LDAP_BIND_PASSWORD, - searchAttributes: ['uid', 'givenName', 'sn', 'mail'], - searchBase: process.env.LDAP_SEARCH || "cn=users,dc=com", - searchFilter: '(|(uid={{username}})(sAMAccountName={{username}}))', - groupSearchAttributes: ['cn'], - groupSearchBase: process.env.LDAP_GROUP_SEARCH || 'cn=groups,cn=accounts,dc=com', - groupSearchFilter: '(member={{dn}})' + url: process.env.KONGA_LDAP_HOST || 'ldap://localhost:389', + bindDN: process.env.KONGA_LDAP_BIND_DN, + bindCredentials: process.env.KONGA_LDAP_BIND_PASSWORD, + searchAttributes: (process.env.KONGA_LDAP_USER_ATTRS || 'uid,uidNumber,givenName,sn,mail').split(','), + searchBase: process.env.KONGA_LDAP_USER_SEARCH_BASE || "ou=users,dc=com", + searchFilter: process.env.KONGA_LDAP_USER_SEARCH_FILTER || '(|(uid={{username}})(sAMAccountName={{username}}))', + groupSearchAttributes: (process.env.KONGA_LDAP_GROUP_ATTRS || 'cn').split(','), + groupSearchBase: process.env.KONGA_LDAP_GROUP_SEARCH_BASE || 'ou=groups,dc=com', + groupSearchFilter: function (user) { + return groupFilterTemplate(user); + } }, usernameField: 'identifier', passwordField: 'password' -}; \ No newline at end of file +}; diff --git a/docs/LDAP.md b/docs/LDAP.md new file mode 100644 index 000000000..f8e12244b --- /dev/null +++ b/docs/LDAP.md @@ -0,0 +1,24 @@ +# LDAP + +With the LDAP integration, you can authenticate via your LDAP server. Currently the application does need the user to be in the konga user database for the user profile page to display properly, so we currently will sync any LDAP authenticated user into the konga user database upon each login. In the future, perhaps the user profile page will be read-only for LDAP authentication? Or maybe it can sync the data back up to the LDAP server? + +## Configuration + +| Environment Variable | Default | Description | +| --- | --- | --- | +| `KONGA_AUTH_PROVIDER` | `local` | **Set this to `ldap` to switch auth provider to LDAP** | +| `KONGA_LDAP_HOST` | `ldap://localhost:389` | The location of the LDAP server | +| `KONGA_LDAP_BIND_DN` | *no default* | The DN that the konga should use to login to LDAP to search users | +| `KONGA_LDAP_BIND_PASSWORD` | *no default* | The password for the user konga will use to search for users | +| `KONGA_LDAP_USER_SEARCH_BASE` | `ou=users,dc=com` | The base DN used to search for users | +| `KONGA_LDAP_USER_SEARCH_FILTER` | `(|(uid={{username}})(sAMAccountName={{username}}))` | The filter expression used to search for users. Use `{{username}}` where you expect the username to be. | +| `KONGA_LDAP_USER_ATTRS` | `uid,uidNumber,givenName,sn,mail` | Comma separated list of attributes to pull from the LDAP server for users | +| `KONGA_LDAP_GROUP_SEARCH_BASE` | `ou=groups,dc=com` | The base DN used to search for groups | +| `KONGA_LDAP_GROUP_SEARCH_FILTER` | `(|(memberUid={{uid}})(memberUid={{uidNumber}})(sAMAccountName={{uid}}))` | The filter expression used to search for groups. Use `{{some-attr}}` where you expect a user attribute to be or `{{dn}}` for the user `dn`. | +| `KONGA_LDAP_GROUP_ATTRS` | `cn` | Comma separated list of attributes to pull from the LDAP server for groups | +| `KONGA_ADMIN_GROUP_REG` | `^(admin|konga)$` | Regular expression used to determine if a group should be considered as an admin user | +| `KONGA_LDAP_ATTR_USERNAME` | `uid` | LDAP attribute name that should be used as the konga username | +| `KONGA_LDAP_ATTR_FIRSTNAME` | `givenName` | LDAP attribute name that should be used as the konga user's first name | +| `KONGA_LDAP_ATTR_LASTNAME` | `sn` | LDAP attribute name that should be used as the konga user's last name | +| `KONGA_LDAP_ATTR_EMAIL` | `mail` | LDAP attribute name that should be used as the konga user's email address | +