From 9338f061a303ae3d57a8ea1af524c2ca51929f8d Mon Sep 17 00:00:00 2001 From: link0ff Date: Tue, 12 Mar 2019 18:20:02 +0200 Subject: [PATCH] Support LDAP method start_tls --- config/config.exs | 2 ++ docs/config.md | 12 +++++-- lib/pleroma/web/auth/ldap_authenticator.ex | 51 ++++++++++++++++++++++-------- 3 files changed, 49 insertions(+), 16 deletions(-) diff --git a/config/config.exs b/config/config.exs index 8544dcc0d..1ed330df2 100644 --- a/config/config.exs +++ b/config/config.exs @@ -361,6 +361,8 @@ config :pleroma, :ldap, port: String.to_integer(System.get_env("LDAP_PORT") || "389"), ssl: System.get_env("LDAP_SSL") == "true", sslopts: [], + tls: System.get_env("LDAP_TLS") == "true", + tlsopts: [], base: System.get_env("LDAP_BASE") || "dc=example,dc=com", uid: System.get_env("LDAP_UID") || "cn" diff --git a/docs/config.md b/docs/config.md index 8d6770959..7052b1eb4 100644 --- a/docs/config.md +++ b/docs/config.md @@ -329,13 +329,21 @@ config :auto_linker, ## :ldap +Use LDAP for user authentication. When a user logs in to the Pleroma +instance, the name and password will be verified by trying to authenticate +(bind) to an LDAP server. If a user exists in the LDAP directory but there +is no account with the same name yet on the Pleroma instance then a new +Pleroma account will be created with the same name as the LDAP user name. + * `enabled`: enables LDAP authentication * `host`: LDAP server hostname * `port`: LDAP port, e.g. 389 or 636 -* `ssl`: true to use SSL +* `ssl`: true to use SSL, usually implies the port 636 * `sslopts`: additional SSL options +* `tls`: true to start TLS, usually implies the port 389 +* `tlsopts`: additional TLS options * `base`: LDAP base, e.g. "dc=example,dc=com" -* `uid`: attribute type to authenticate the user, e.g. when "cn", the filter will be "cn=username,base" +* `uid`: LDAP attribute name to authenticate the user, e.g. when "cn", the filter will be "cn=username,base" ## Pleroma.Web.Auth.Authenticator diff --git a/lib/pleroma/web/auth/ldap_authenticator.ex b/lib/pleroma/web/auth/ldap_authenticator.ex index 56f2f5aed..88217aab8 100644 --- a/lib/pleroma/web/auth/ldap_authenticator.ex +++ b/lib/pleroma/web/auth/ldap_authenticator.ex @@ -60,22 +60,23 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do case :eldap.open([to_charlist(host)], options) do {:ok, connection} -> try do - uid = Keyword.get(ldap, :uid, "cn") - base = Keyword.get(ldap, :base) + if Keyword.get(ldap, :tls, false) do + :application.ensure_all_started(:ssl) - case :eldap.simple_bind(connection, "#{uid}=#{name},#{base}", password) do - :ok -> - case User.get_by_nickname_or_email(name) do - %User{} = user -> - user + case :eldap.start_tls( + connection, + Keyword.get(ldap, :tlsopts, []), + @connection_timeout + ) do + :ok -> + :ok - _ -> - register_user(connection, base, uid, name, password) - end - - error -> - error + error -> + Logger.error("Could not start TLS: #{inspect(error)}") + end end + + bind_user(connection, ldap, name, password) after :eldap.close(connection) end @@ -86,11 +87,31 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do end end + defp bind_user(connection, ldap, name, password) do + uid = Keyword.get(ldap, :uid, "cn") + base = Keyword.get(ldap, :base) + + case :eldap.simple_bind(connection, "#{uid}=#{name},#{base}", password) do + :ok -> + case User.get_by_nickname_or_email(name) do + %User{} = user -> + user + + _ -> + register_user(connection, base, uid, name, password) + end + + error -> + error + end + end + defp register_user(connection, base, uid, name, password) do case :eldap.search(connection, [ {:base, to_charlist(base)}, {:filter, :eldap.equalityMatch(to_charlist(uid), to_charlist(name))}, {:scope, :eldap.wholeSubtree()}, + {:attributes, ['mail', 'email']}, {:timeout, @search_timeout} ]) do {:ok, {:eldap_search_result, [{:eldap_entry, _, attributes}], _}} -> @@ -110,7 +131,9 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do error -> error end else - _ -> {:error, :ldap_registration_missing_attributes} + _ -> + Logger.error("Could not find LDAP attribute mail: #{inspect(attributes)}") + {:error, :ldap_registration_missing_attributes} end error ->