Initial support for LDAP server authentication

Limitations as of this commit:

- tlsOptions can only be specified in config.json, not as env vars
- authentication failures are not yet gracefully handled by the UI
  - instead the error message is shown on a blank page (/auth/ldap)
- no email address is associated with the LDAP user's account
- no picture/profile URL is associated with the LDAP user's account
- we might have to generate our own access + refresh tokens,
  because we aren't using oauth. The currently generated
  tokens are just a placeholder.
- 'LDAP Sign in' needs to be translated to each locale

README.md

@@ -131,6 +131,13 @@ Environment variables (will overwrite other server configs)
 | HMD_DROPBOX_CLIENTSECRET | no example | Dropbox API client secret |
 | HMD_GOOGLE_CLIENTID | no example | Google API client id |
 | HMD_GOOGLE_CLIENTSECRET | no example | Google API client secret |
+| HMD_LDAP_URL | ldap://example.com | url of LDAP server |
+| HMD_LDAP_BINDDN | no example | bindDn for LDAP access |
+| HMD_LDAP_BINDCREDENTIALS | no example | bindCredentials for LDAP access |
+| HMD_LDAP_TOKENSECRET | supersecretkey | secret used for generating access/refresh tokens |
+| HMD_LDAP_SEARCHBASE | o=users,dc=example,dc=com | LDAP directory to begin search from |
+| HMD_LDAP_SEARCHFILTER | (uid={{username}}) | LDAP filter to search with |
+| HMD_LDAP_SEARCHATTRIBUTES | no example | LDAP attributes to search with |
 | HMD_IMGUR_CLIENTID | no example | Imgur API client id |
 | HMD_EMAIL | `true` or `false` | set to allow email register and signin |
 | HMD_IMAGE_UPLOAD_TYPE | `imgur`, `s3` or `filesystem` | Where to upload image. For S3, see our [S3 Image Upload Guide](docs/guides/s3-image-upload.md) |
@@ -182,7 +189,7 @@ Third-party integration api key settings
 
 | service | settings location | description |
 | ------- | --------- | ----------- |
-| facebook, twitter, github, gitlab, dropbox, google | environment variables or `config.json` | for signin |
+| facebook, twitter, github, gitlab, dropbox, google, ldap | environment variables or `config.json` | for signin |
 | imgur | environment variables or `config.json` | for image upload |
 | google drive, dropbox | `public/js/config.js` | for export and import |
 

app.js

@@ -380,6 +380,12 @@ if (config.google) {
             failureRedirect: config.serverurl + '/'
         }));
 }
+// ldap auth
+if (config.ldap) {
+    app.post('/auth/ldap', urlencodedParser,
+        passport.authenticate('ldapauth', { successRedirect: '/' })
+    );
+}
 // email auth
 if (config.email) {
     app.post('/register', urlencodedParser, function (req, res, next) {

config.json.example

@@ -45,6 +45,18 @@
             "clientID": "change this",
             "clientSecret": "change this"
         },
+        "ldap": {
+            "url": "ldap://change_this",
+            "bindDn": null,
+            "bindCredentials": null,
+            "tokenSecret": "change this",
+            "searchBase": "change this",
+            "searchFilter": "change this",
+            "searchAttributes": "change this",
+            "tlsOptions": {
+                "changeme": "See https://nodejs.org/api/tls.html#tls_tls_connect_options_callback"
+            }
+        },
         "imgur": {
             "clientID": "change this"
         }

lib/auth.js

@@ -7,6 +7,7 @@ var GithubStrategy = require('passport-github').Strategy;
 var GitlabStrategy = require('passport-gitlab2').Strategy;
 var DropboxStrategy = require('passport-dropbox-oauth2').Strategy;
 var GoogleStrategy = require('passport-google-oauth20').Strategy;
+var LdapStrategy = require('passport-ldapauth');
 var LocalStrategy = require('passport-local').Strategy;
 var validator = require('validator');
 
@@ -110,6 +111,36 @@ if (config.google) {
         callbackURL: config.serverurl + '/auth/google/callback'
     }, callback));
 }
+// ldap
+if (config.ldap) {
+    passport.use(new LdapStrategy({
+        server: {
+            url: config.ldap.url || null,
+            bindDn: config.ldap.bindDn || null,
+            bindCredentials: config.ldap.bindCredentials || null,
+            searchBase: config.ldap.searchBase || null,
+            searchFilter: config.ldap.searchFilter || null,
+            searchAttributes: config.ldap.searchAttributes || null,
+            tlsOptions: config.ldap.tlsOptions || null
+        },
+    },
+    function(user, done) {
+        var profile = {
+            id: 'LDAP-' + user.uidNumber,
+            username: user.uid,
+            displayName: user.displayName,
+            emails: [],
+            avatarUrl: null,
+            profileUrl: null,
+            provider: 'ldap',
+        }
+        var stringifiedProfile = JSON.stringify(profile);
+        // TODO: Generate secure tokens for LDAP users
+        var accessToken = 'debug-access-token|LDAP-' + user.uidNumber + '|' + config.ldap.tokenSecret + '|' + new Date().getTime();
+        var refreshToken = 'debug-refresh-token|LDAP-' + user.uidNumber + '|' + config.ldap.tokenSecret + '|' + new Date().getTime();
+        callback(accessToken, refreshToken, profile, done);
+    }));
+}
 // email
 if (config.email) {
     passport.use(new LocalStrategy({

lib/config.js

@@ -93,6 +93,31 @@ var google = (process.env.HMD_GOOGLE_CLIENTID && process.env.HMD_GOOGLE_CLIENTSE
     clientID: process.env.HMD_GOOGLE_CLIENTID,
     clientSecret: process.env.HMD_GOOGLE_CLIENTSECRET
 } : config.google || false;
+var ldap = config.ldap || (
+    process.env.HMD_LDAP_URL ||
+    process.env.HMD_LDAP_BINDDN ||
+    process.env.HMD_LDAP_BINDCREDENTIALS ||
+    process.env.HMD_LDAP_TOKENSECRET ||
+    process.env.HMD_LDAP_SEARCHBASE ||
+    process.env.HMD_LDAP_SEARCHFILTER ||
+    process.env.HMD_LDAP_SEARCHATTRIBUTES
+) || false;
+if (ldap == true)
+    ldap = {};
+if (process.env.HMD_LDAP_URL)
+    ldap.url = process.env.HMD_LDAP_URL;
+if (process.env.HMD_LDAP_BINDDN)
+    ldap.bindDn = process.env.HMD_LDAP_BINDDN;
+if (process.env.HMD_LDAP_BINDCREDENTIALS)
+    ldap.bindCredentials = process.env.HMD_LDAP_BINDCREDENTIALS;
+if (process.env.HMD_LDAP_TOKENSECRET)
+    ldap.tokenSecret = process.env.HMD_LDAP_TOKENSECRET;
+if (process.env.HMD_LDAP_SEARCHBASE)
+    ldap.searchBase = process.env.HMD_LDAP_SEARCHBASE;
+if (process.env.HMD_LDAP_SEARCHFILTER)
+    ldap.searchFilter = process.env.HMD_LDAP_SEARCHFILTER;
+if (process.env.HMD_LDAP_SEARCHATTRIBUTES)
+    ldap.searchAttributes = process.env.HMD_LDAP_SEARCHATTRIBUTES;
 var imgur = process.env.HMD_IMGUR_CLIENTID || config.imgur || false;
 var email = process.env.HMD_EMAIL || config.email || false;
 
@@ -151,6 +176,7 @@ module.exports = {
     gitlab: gitlab,
     dropbox: dropbox,
     google: google,
+    ldap: ldap,
     imgur: imgur,
     email: email,
     imageUploadType: imageUploadType,

lib/response.js

@@ -66,6 +66,7 @@ function showIndex(req, res, next) {
         gitlab: config.gitlab,
         dropbox: config.dropbox,
         google: config.google,
+        ldap: config.ldap,
         email: config.email,
         signin: req.isAuthenticated(),
         infoMessage: req.flash('info'),
@@ -98,6 +99,7 @@ function responseHackMD(res, note) {
         gitlab: config.gitlab,
         dropbox: config.dropbox,
         google: config.google,
+        ldap: config.ldap,
         email: config.email
     });
 }

locales/en.json

@@ -100,5 +100,6 @@
 	"Select From Available Snippets": "Select From Available Snippets",
 	"OR": "OR",
 	"Export to Snippet": "Export to Snippet",
-	"Select Visibility Level": "Select Visibility Level"
+	"Select Visibility Level": "Select Visibility Level",
+	"LDAP Sign in": "LDAP Sign in"
 }

package.json

@@ -85,6 +85,7 @@
     "passport-github": "^1.1.0",
     "passport-gitlab2": "^2.2.0",
     "passport-google-oauth20": "^1.0.0",
+    "passport-ldapauth": "^0.6.0",
     "passport-local": "^1.0.0",
     "passport-twitter": "^1.0.4",
     "passport.socketio": "^3.6.2",

public/views/index.ejs

@@ -57,7 +57,7 @@
                         <% if (errorMessage && errorMessage.length > 0) { %>
                         <div class="alert alert-danger" style="max-width: 400px; margin: 0 auto;"><%= errorMessage %></div>
                         <% } %>
-                        <% if(facebook || twitter || github || gitlab || dropbox || google || email) { %>
+                        <% if(facebook || twitter || github || gitlab || dropbox || google || ldap || email) { %>
                         <span class="ui-signin">
                             <br>
                             <a type="button" class="btn btn-lg btn-success ui-signin" data-toggle="modal" data-target=".signin-modal" style="min-width: 170px;"><%= __('Sign In') %></a>
@@ -93,7 +93,7 @@
                 </div>
 
                 <div id="history" class="section"<% if(!signin) { %> style="display:none;"<% } %>>
-                    <% if(facebook || twitter || github || gitlab || dropbox || google || email) { %>
+                    <% if(facebook || twitter || github || gitlab || dropbox || google || ldap || email) { %>
                     <div class="ui-signin">
                         <p><%= __('Below is the history from browser') %></p>
                     </div>
@@ -192,6 +192,7 @@
         </div>
     </div>
     <%- include signin-modal %>
+    <%- include signin-ldap-modal %>
 
     <% if(useCDN) { %>
     <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js" integrity="sha256-hVVnYaiADRTO2PzUGmuLJr8BLUSjGIZsDYGmIJLv2b8=" crossorigin="anonymous"></script>

public/views/signin-ldap-modal.ejs

@@ -0,0 +1,35 @@
+<!-- signin ldap modal -->
+<div class="modal fade signin-ldap-modal" tabindex="-1" role="dialog" aria-labelledby="mySmallModalLabel" aria-hidden="true">
+    <div class="modal-dialog modal-sm">
+        <div class="modal-content">
+            <div class="modal-header">
+                <button type="button" class="close" data-dismiss="modal" aria-label="Close"><span aria-hidden="true">&times;</span>
+                </button>
+                <h4 class="modal-title" id="mySmallModalLabel"><%= __('LDAP Sign in') %></h4>
+            </div>
+            <div class="modal-body" style="text-align: center;">
+                <% if(ldap) { %>
+                <form data-toggle="validator" role="form" class="form-horizontal" method="post" enctype="application/x-www-form-urlencoded">
+                    <div class="form-group">
+                        <div class="col-sm-12">
+                            <input type="username" class="form-control" name="username" placeholder="Username" required>
+                            <span class="help-block control-label with-errors" style="display: inline;"></span>
+                        </div>
+                    </div>
+                    <div class="form-group">
+                        <div class="col-sm-12">
+                            <input type="password" class="form-control" name="password" placeholder="Password" required>
+                            <span class="help-block control-label with_errors" style="display: inline;"></span>
+                        </div>
+                    </div>
+                    <div class="form-group">
+                        <div class="col-sm-12">
+                            <button type="submit" class="btn btn-primary" formaction="<%- url %>/auth/ldap">Sign in</button>
+                        </div>
+                    </div>
+                </form>
+                <% } %>
+            </div>
+        </div>
+    </div>
+</div>

public/views/signin-modal.ejs

@@ -38,7 +38,13 @@
                     <i class="fa fa-google"></i> <%= __('Sign in via %s', 'Google') %>
                 </a>
                 <% } %>
-                <% if((facebook || twitter || github || gitlab || dropbox || google) && email) { %>
+                <% if(ldap) { %>
+                <a type="button" class="btn btn-lg btn-block btn-social btn-reddit "data-toggle="modal" data-target=".signin-ldap-modal">
+                    <i class="fa fa-book"></i> <%= __('Sign in via %s', 'LDAP') %>
+                </a>
+                <% } %>
+
+                <% if((facebook || twitter || github || gitlab || dropbox || google || ldap) && email) { %>
                 <hr>
                 <% }%>
                 <% if(email) { %>