mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2024-12-23 08:33:42 +00:00
Merge pull request #279 from alecdwm/ldap-auth
Support for LDAP server authentication
This commit is contained in:
commit
b13635aac9
11 changed files with 191 additions and 6 deletions
10
README.md
10
README.md
|
@ -140,6 +140,14 @@ Environment variables (will overwrite other server configs)
|
|||
| HMD_DROPBOX_CLIENTSECRET | no example | Dropbox API client secret |
|
||||
| HMD_GOOGLE_CLIENTID | no example | Google API client id |
|
||||
| HMD_GOOGLE_CLIENTSECRET | no example | Google API client secret |
|
||||
| HMD_LDAP_URL | ldap://example.com | url of LDAP server |
|
||||
| HMD_LDAP_BINDDN | no example | bindDn for LDAP access |
|
||||
| HMD_LDAP_BINDCREDENTIALS | no example | bindCredentials for LDAP access |
|
||||
| HMD_LDAP_TOKENSECRET | supersecretkey | secret used for generating access/refresh tokens |
|
||||
| HMD_LDAP_SEARCHBASE | o=users,dc=example,dc=com | LDAP directory to begin search from |
|
||||
| HMD_LDAP_SEARCHFILTER | (uid={{username}}) | LDAP filter to search with |
|
||||
| HMD_LDAP_SEARCHATTRIBUTES | no example | LDAP attributes to search with |
|
||||
| HMD_LDAP_TLS_CA | no example | Root CA for LDAP TLS in PEM format |
|
||||
| HMD_IMGUR_CLIENTID | no example | Imgur API client id |
|
||||
| HMD_EMAIL | `true` or `false` | set to allow email register and signin |
|
||||
| HMD_IMAGE_UPLOAD_TYPE | `imgur`, `s3` or `filesystem` | Where to upload image. For S3, see our [S3 Image Upload Guide](docs/guides/s3-image-upload.md) |
|
||||
|
@ -194,7 +202,7 @@ Third-party integration api key settings
|
|||
|
||||
| service | settings location | description |
|
||||
| ------- | --------- | ----------- |
|
||||
| facebook, twitter, github, gitlab, dropbox, google | environment variables or `config.json` | for signin |
|
||||
| facebook, twitter, github, gitlab, dropbox, google, ldap | environment variables or `config.json` | for signin |
|
||||
| imgur | environment variables or `config.json` | for image upload |
|
||||
| google drive, dropbox | `public/js/config.js` | for export and import |
|
||||
|
||||
|
|
12
app.js
12
app.js
|
@ -381,6 +381,18 @@ if (config.google) {
|
|||
failureRedirect: config.serverurl + '/'
|
||||
}));
|
||||
}
|
||||
// ldap auth
|
||||
if (config.ldap) {
|
||||
app.post('/auth/ldap', urlencodedParser, function (req, res, next) {
|
||||
if (!req.body.username || !req.body.password) return response.errorBadRequest(res);
|
||||
setReturnToFromReferer(req);
|
||||
passport.authenticate('ldapauth', {
|
||||
successReturnToOrRedirect: config.serverurl + '/',
|
||||
failureRedirect: config.serverurl + '/',
|
||||
failureFlash: true
|
||||
})(req, res, next);
|
||||
});
|
||||
}
|
||||
// email auth
|
||||
if (config.email) {
|
||||
app.post('/register', urlencodedParser, function (req, res, next) {
|
||||
|
|
|
@ -51,6 +51,18 @@
|
|||
"clientID": "change this",
|
||||
"clientSecret": "change this"
|
||||
},
|
||||
"ldap": {
|
||||
"url": "ldap://change_this",
|
||||
"bindDn": null,
|
||||
"bindCredentials": null,
|
||||
"tokenSecret": "change this",
|
||||
"searchBase": "change this",
|
||||
"searchFilter": "change this",
|
||||
"searchAttributes": "change this",
|
||||
"tlsOptions": {
|
||||
"changeme": "See https://nodejs.org/api/tls.html#tls_tls_connect_options_callback"
|
||||
}
|
||||
},
|
||||
"imgur": {
|
||||
"clientID": "change this"
|
||||
}
|
||||
|
|
59
lib/auth.js
59
lib/auth.js
|
@ -7,6 +7,7 @@ var GithubStrategy = require('passport-github').Strategy;
|
|||
var GitlabStrategy = require('passport-gitlab2').Strategy;
|
||||
var DropboxStrategy = require('passport-dropbox-oauth2').Strategy;
|
||||
var GoogleStrategy = require('passport-google-oauth20').Strategy;
|
||||
var LdapStrategy = require('passport-ldapauth');
|
||||
var LocalStrategy = require('passport-local').Strategy;
|
||||
var validator = require('validator');
|
||||
|
||||
|
@ -110,6 +111,62 @@ if (config.google) {
|
|||
callbackURL: config.serverurl + '/auth/google/callback'
|
||||
}, callback));
|
||||
}
|
||||
// ldap
|
||||
if (config.ldap) {
|
||||
passport.use(new LdapStrategy({
|
||||
server: {
|
||||
url: config.ldap.url || null,
|
||||
bindDn: config.ldap.bindDn || null,
|
||||
bindCredentials: config.ldap.bindCredentials || null,
|
||||
searchBase: config.ldap.searchBase || null,
|
||||
searchFilter: config.ldap.searchFilter || null,
|
||||
searchAttributes: config.ldap.searchAttributes || null,
|
||||
tlsOptions: config.ldap.tlsOptions || null
|
||||
},
|
||||
},
|
||||
function(user, done) {
|
||||
var profile = {
|
||||
id: 'LDAP-' + user.uidNumber,
|
||||
username: user.uid,
|
||||
displayName: user.displayName,
|
||||
emails: user.mail ? [user.mail] : [],
|
||||
avatarUrl: null,
|
||||
profileUrl: null,
|
||||
provider: 'ldap',
|
||||
}
|
||||
var stringifiedProfile = JSON.stringify(profile);
|
||||
models.User.findOrCreate({
|
||||
where: {
|
||||
profileid: profile.id.toString()
|
||||
},
|
||||
defaults: {
|
||||
profile: stringifiedProfile,
|
||||
}
|
||||
}).spread(function (user, created) {
|
||||
if (user) {
|
||||
var needSave = false;
|
||||
if (user.profile != stringifiedProfile) {
|
||||
user.profile = stringifiedProfile;
|
||||
needSave = true;
|
||||
}
|
||||
if (needSave) {
|
||||
user.save().then(function () {
|
||||
if (config.debug)
|
||||
logger.info('user login: ' + user.id);
|
||||
return done(null, user);
|
||||
});
|
||||
} else {
|
||||
if (config.debug)
|
||||
logger.info('user login: ' + user.id);
|
||||
return done(null, user);
|
||||
}
|
||||
}
|
||||
}).catch(function (err) {
|
||||
logger.error('ldap auth failed: ' + err);
|
||||
return done(err, null);
|
||||
});
|
||||
}));
|
||||
}
|
||||
// email
|
||||
if (config.email) {
|
||||
passport.use(new LocalStrategy({
|
||||
|
@ -130,4 +187,4 @@ if (config.email) {
|
|||
return done(err);
|
||||
});
|
||||
}));
|
||||
}
|
||||
}
|
||||
|
|
|
@ -95,6 +95,37 @@ var google = (process.env.HMD_GOOGLE_CLIENTID && process.env.HMD_GOOGLE_CLIENTSE
|
|||
clientID: process.env.HMD_GOOGLE_CLIENTID,
|
||||
clientSecret: process.env.HMD_GOOGLE_CLIENTSECRET
|
||||
} : config.google || false;
|
||||
var ldap = config.ldap || (
|
||||
process.env.HMD_LDAP_URL ||
|
||||
process.env.HMD_LDAP_BINDDN ||
|
||||
process.env.HMD_LDAP_BINDCREDENTIALS ||
|
||||
process.env.HMD_LDAP_TOKENSECRET ||
|
||||
process.env.HMD_LDAP_SEARCHBASE ||
|
||||
process.env.HMD_LDAP_SEARCHFILTER ||
|
||||
process.env.HMD_LDAP_SEARCHATTRIBUTES
|
||||
) || false;
|
||||
if (ldap == true)
|
||||
ldap = {};
|
||||
if (process.env.HMD_LDAP_URL)
|
||||
ldap.url = process.env.HMD_LDAP_URL;
|
||||
if (process.env.HMD_LDAP_BINDDN)
|
||||
ldap.bindDn = process.env.HMD_LDAP_BINDDN;
|
||||
if (process.env.HMD_LDAP_BINDCREDENTIALS)
|
||||
ldap.bindCredentials = process.env.HMD_LDAP_BINDCREDENTIALS;
|
||||
if (process.env.HMD_LDAP_TOKENSECRET)
|
||||
ldap.tokenSecret = process.env.HMD_LDAP_TOKENSECRET;
|
||||
if (process.env.HMD_LDAP_SEARCHBASE)
|
||||
ldap.searchBase = process.env.HMD_LDAP_SEARCHBASE;
|
||||
if (process.env.HMD_LDAP_SEARCHFILTER)
|
||||
ldap.searchFilter = process.env.HMD_LDAP_SEARCHFILTER;
|
||||
if (process.env.HMD_LDAP_SEARCHATTRIBUTES)
|
||||
ldap.searchAttributes = process.env.HMD_LDAP_SEARCHATTRIBUTES;
|
||||
if (process.env.HMD_LDAP_TLS_CA) {
|
||||
var ca = {
|
||||
ca: process.env.HMD_LDAP_TLS_CA
|
||||
}
|
||||
ldap.tlsOptions = ldap.tlsOptions ? Object.assign(ldap.tlsOptions, ca) : ca
|
||||
}
|
||||
var imgur = process.env.HMD_IMGUR_CLIENTID || config.imgur || false;
|
||||
var email = process.env.HMD_EMAIL ? (process.env.HMD_EMAIL === 'true') : !!config.email;
|
||||
|
||||
|
@ -156,6 +187,7 @@ module.exports = {
|
|||
gitlab: gitlab,
|
||||
dropbox: dropbox,
|
||||
google: google,
|
||||
ldap: ldap,
|
||||
imgur: imgur,
|
||||
email: email,
|
||||
imageUploadType: imageUploadType,
|
||||
|
|
25
lib/letter-avatars.js
Normal file
25
lib/letter-avatars.js
Normal file
|
@ -0,0 +1,25 @@
|
|||
"use strict";
|
||||
|
||||
// external modules
|
||||
var randomcolor = require('randomcolor');
|
||||
|
||||
// core
|
||||
module.exports = function(name) {
|
||||
var color = randomcolor({
|
||||
seed: name,
|
||||
luminosity: 'dark'
|
||||
});
|
||||
var letter = name.substring(0, 1).toUpperCase();
|
||||
|
||||
var svg = '<?xml version="1.0" encoding="UTF-8" standalone="no"?>';
|
||||
svg += '<svg xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://www.w3.org/2000/svg" height="96" width="96" version="1.1" viewBox="0 0 96 96">';
|
||||
svg += '<g>';
|
||||
svg += '<rect width="96" height="96" fill="' + color + '" />';
|
||||
svg += '<text font-size="64px" font-family="sans-serif" text-anchor="middle" fill="#ffffff">';
|
||||
svg += '<tspan x="48" y="72" stroke-width=".26458px" fill="#ffffff">' + letter + '</tspan>';
|
||||
svg += '</text>';
|
||||
svg += '</g>';
|
||||
svg += '</svg>';
|
||||
|
||||
return 'data:image/svg+xml;base64,' + new Buffer(svg).toString('base64');
|
||||
};
|
|
@ -7,6 +7,7 @@ var scrypt = require('scrypt');
|
|||
|
||||
// core
|
||||
var logger = require("../logger.js");
|
||||
var letterAvatars = require('../letter-avatars.js');
|
||||
|
||||
module.exports = function (sequelize, DataTypes) {
|
||||
var User = sequelize.define("User", {
|
||||
|
@ -105,6 +106,16 @@ module.exports = function (sequelize, DataTypes) {
|
|||
case "google":
|
||||
photo = profile.photos[0].value.replace(/(\?sz=)\d*$/i, '$196');
|
||||
break;
|
||||
case "ldap":
|
||||
//no image api provided,
|
||||
//use gravatar if email exists,
|
||||
//otherwise generate a letter avatar
|
||||
if (profile.emails[0]) {
|
||||
photo = 'https://www.gravatar.com/avatar/' + md5(profile.emails[0]) + '?s=96';
|
||||
} else {
|
||||
photo = letterAvatars(profile.username);
|
||||
}
|
||||
break;
|
||||
}
|
||||
return photo;
|
||||
},
|
||||
|
|
|
@ -66,6 +66,7 @@ function showIndex(req, res, next) {
|
|||
gitlab: config.gitlab,
|
||||
dropbox: config.dropbox,
|
||||
google: config.google,
|
||||
ldap: config.ldap,
|
||||
email: config.email,
|
||||
signin: req.isAuthenticated(),
|
||||
infoMessage: req.flash('info'),
|
||||
|
@ -94,6 +95,7 @@ function responseHackMD(res, note) {
|
|||
gitlab: config.gitlab,
|
||||
dropbox: config.dropbox,
|
||||
google: config.google,
|
||||
ldap: config.ldap,
|
||||
email: config.email
|
||||
});
|
||||
}
|
||||
|
|
|
@ -85,6 +85,7 @@
|
|||
"passport-github": "^1.1.0",
|
||||
"passport-gitlab2": "^2.2.0",
|
||||
"passport-google-oauth20": "^1.0.0",
|
||||
"passport-ldapauth": "^0.6.0",
|
||||
"passport-local": "^1.0.0",
|
||||
"passport-twitter": "^1.0.4",
|
||||
"passport.socketio": "^3.7.0",
|
||||
|
|
|
@ -57,7 +57,7 @@
|
|||
<% if (errorMessage && errorMessage.length > 0) { %>
|
||||
<div class="alert alert-danger" style="max-width: 400px; margin: 0 auto;"><%= errorMessage %></div>
|
||||
<% } %>
|
||||
<% if(facebook || twitter || github || gitlab || dropbox || google || email) { %>
|
||||
<% if(facebook || twitter || github || gitlab || dropbox || google || ldap || email) { %>
|
||||
<span class="ui-signin">
|
||||
<br>
|
||||
<a type="button" class="btn btn-lg btn-success ui-signin" data-toggle="modal" data-target=".signin-modal" style="min-width: 170px;"><%= __('Sign In') %></a>
|
||||
|
@ -97,7 +97,7 @@
|
|||
</div>
|
||||
|
||||
<div id="history" class="section"<% if(!signin) { %> style="display:none;"<% } %>>
|
||||
<% if(facebook || twitter || github || gitlab || dropbox || google || email) { %>
|
||||
<% if(facebook || twitter || github || gitlab || dropbox || google || ldap || email) { %>
|
||||
<div class="ui-signin">
|
||||
<p><%= __('Below is the history from browser') %></p>
|
||||
</div>
|
||||
|
|
|
@ -38,7 +38,32 @@
|
|||
<i class="fa fa-google"></i> <%= __('Sign in via %s', 'Google') %>
|
||||
</a>
|
||||
<% } %>
|
||||
<% if((facebook || twitter || github || gitlab || dropbox || google) && email) { %>
|
||||
<% if((facebook || twitter || github || gitlab || dropbox || google) && ldap) { %>
|
||||
<hr>
|
||||
<% }%>
|
||||
<% if(ldap) { %>
|
||||
<h4>Via LDAP</h4>
|
||||
<form data-toggle="validator" role="form" class="form-horizontal" method="post" enctype="application/x-www-form-urlencoded">
|
||||
<div class="form-group">
|
||||
<div class="col-sm-12">
|
||||
<input type="username" class="form-control" name="username" placeholder="Username" required>
|
||||
<span class="help-block control-label with-errors" style="display: inline;"></span>
|
||||
</div>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<div class="col-sm-12">
|
||||
<input type="password" class="form-control" name="password" placeholder="Password" required>
|
||||
<span class="help-block control-label with_errors" style="display: inline;"></span>
|
||||
</div>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<div class="col-sm-12">
|
||||
<button type="submit" class="btn btn-primary" formaction="<%- url %>/auth/ldap">Sign in</button>
|
||||
</div>
|
||||
</div>
|
||||
</form>
|
||||
<% } %>
|
||||
<% if((facebook || twitter || github || gitlab || dropbox || google || ldap) && email) { %>
|
||||
<hr>
|
||||
<% }%>
|
||||
<% if(email) { %>
|
||||
|
@ -67,4 +92,4 @@
|
|||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
|
Loading…
Reference in a new issue