From 4d81089959153d5ef5dd0452cd32b348e2a32ff1 Mon Sep 17 00:00:00 2001
From: Gerard Krol
Date: Wed, 8 Nov 2017 10:47:46 +0000
Subject: [PATCH] Add support for passport-ldapauth

---
 config/default.toml | 16 +++++++++++++
 lib/passport.js | 55 ++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 68 insertions(+), 3 deletions(-)

diff --git a/config/default.toml b/config/default.toml
index 13315fa5..e31cef4e 100644
--- a/config/default.toml
+++ b/config/default.toml
@@ -125,6 +125,22 @@ passwordresetlink=""
 bindUser=""
 bindPassword=""
 
+[ldapauth]
+# Alternative LDAP implementation using the more popular passport-ldapauth library.
+enabled=false
+host="localhost"
+port=389
+# Subtree in which the searchrequest for the user is done
+baseDN="ou=users,dc=company"
+# What whe are searching for. This should return a single user.
+filter="(|(sAMAccountName={{username}})(mail={{username}}))"
+# Username field in LDAP, used to identify the user in Mailtrain (uid/cn/username/sAMAccountName)
+uidTag="sAMAccountName"
+passwordresetlink=""
+# Credentials for the initial search operation (final bind DN will be exactly as specified)
+bindUser="name@company.net"
+bindPassword="mySecretPassword"
+
 [postfixbounce]
 # Enable to allow writing Postfix bounce log to Mailtrain listener
 # If enabled, tail mail.log to Mailtrain with the following command:
diff --git a/lib/passport.js b/lib/passport.js
index 1ddd3bca..3b02a07e 100644
--- a/lib/passport.js
+++ b/lib/passport.js
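Review bot: The new `[ldapauth]` section ships with realistic-looking placeholder credentials, `bindUser="name@company.net"` and `bindPassword="mySecretPassword"`, whereas the sibling `[ldap]` section just above leaves both empty; default.toml is the template operators copy from, and the section is inert only because `enabled=false`. I'd set `bindUser=""` and `bindPassword=""` here and keep the example values in the comment, so a forgotten default is an obvious bind failure rather than a credential that looks deliberate. The section also defines `host` and `port`, but the strategy registered in lib/passport.js later in this patch builds its URL from `config.ldap.host` and `config.ldap.port` with a hardcoded `ldap://` scheme, so these two keys are currently unused and a config that fills in only `[ldapauth]` would contact the `[ldap]` server. Minor: `# What whe are searching for.` should read `# What we are searching for.`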
@@ -17,7 +17,16 @@ try {
 LdapStrategy = require('passport-ldapjs').Strategy; // eslint-disable-line global-require
 } catch (E) {
 if (config.ldap.enabled) {
- log.info('LDAP', 'Module "passport-ldapjs" not installed. LDAP auth will fail.');
+ log.info('LDAP', 'Module "passport-ldapjs" not installed. It will not be used for LDAP auth.');
+ }
+}
+
+let LdapAuthStrategy;
+try {
+ LdapAuthStrategy = require('passport-ldapauth').Strategy; // eslint-disable-line global-require
+} catch (E) {
+ if (config.ldapauth.enabled) {
+ log.info('LDAP', 'Module "passport-ldapauth" not installed. It will not be used for LDAP auth.');
 }
 }
 
@@ -44,7 +53,8 @@ module.exports.logout = (req, res) => {
 };
 
 module.exports.login = (req, res, next) => {
- passport.authenticate(config.ldap.enabled ? 'ldap' : 'local', (err, user, info) => {
+ let authMode = config.ldapauth.enabled ? 'ldapauth' : config.ldap.enabled ? 'ldap' : 'local';
+ passport.authenticate(authMode, (err, user, info) => {
 if (err) {
 req.flash('danger', err.message);
 return next(err);
@@ -73,7 +83,7 @@ module.exports.login = (req, res, next) => {
 };
 
 if (config.ldap.enabled && LdapStrategy) {
- log.info('Using LDAP auth');
+ log.info('Using LDAP auth (passport-ldapjs)');
 let opts = {
 server: {
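Review bot: The strategy name chosen in the `authMode` line of the second hunk does not mirror how the strategies are actually registered further down in this file: `authMode` becomes `'ldapauth'` whenever `config.ldapauth.enabled` is set, but registration prefers passport-ldapjs when `config.ldap.enabled` is also true, and skips passport-ldapauth entirely when the module failed to load (the `LdapAuthStrategy` guard on the `else if` branch). In both of those cases `passport.authenticate('ldapauth', …)` names a strategy that was never registered, so passport will most likely reject every login with an unknown-strategy error instead of the intended fallback. The smallest fix is to apply the same guards in the same order: `let authMode = (config.ldap.enabled && LdapStrategy) ? 'ldap' : (config.ldapauth.enabled && LdapAuthStrategy) ? 'ldapauth' : 'local';`. A more robust shape is a single module-level name assigned in whichever branch calls `passport.use`, and read here, so the two selections cannot drift apart again. The body of `module.exports.login` continues past this hunk.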
@@ -116,6 +126,45 @@ if (config.ldap.enabled && LdapStrategy) {
 }
 });
 }));
+} else if (config.ldapauth.enabled && LdapAuthStrategy) {
+ log.info("Using LDAP auth (passport-ldapauth)");
+ let opts = {
+ server: {
+ url: 'ldap://' + config.ldap.host + ':' + config.ldap.port,
+ searchBase: config.ldapauth.baseDN,
+ searchFilter: config.ldapauth.filter,
+ searchAttributes: [config.ldapauth.uidTag, 'mail'],
+ bindDN: config.ldapauth.bindUser,
+ bindCredentials: config.ldapauth.bindPassword
+ },
+ };
+
+ passport.use(new LdapAuthStrategy(opts, (profile, done) => {
+ users.findByUsername(profile[config.ldapauth.uidTag], (err, user) => {
+ if (err) {
+ return done(err);
+ }
+
+ if (!user) {
+ // password is empty for ldap
+ users.add(profile[config.ldapauth.uidTag], '', profile.mail, (err, id) => {
+ if (err) {
+ return done(err);
+ }
+
+ return done(null, {
+ id,
+ username: profile[config.ldapauth.uidTag]
+ });
+ });
+ } else {
+ return done(null, {
+ id: user.id,
+ username: user.username
+ });
+ }
+ });
+ }));
 } else {
 log.info('Using local auth');