+++ /dev/null
-commit 936a14e225037aca4cdeac11c843c7985e636c88
-Author: Ismaƫl Bouya <ismael.bouya@normalesup.org>
-Date: Mon Jul 24 19:58:24 2017 +0200
-
- Add LDAP to diaspora
-
-diff --git a/Gemfile b/Gemfile
-index 414b0138d..2a934e9c9 100644
---- a/Gemfile
-+++ b/Gemfile
-@@ -217,6 +217,9 @@ gem "thor", "0.19.1"
-
- # gem "therubyracer", :platform => :ruby
-
-+# LDAP
-+gem 'net-ldap', '~> 0.16'
-+
- group :production do # we don"t install these on travis to speed up test runs
- # Analytics
-
-diff --git a/Gemfile.lock b/Gemfile.lock
-index 84f8172e4..cdbf19fcd 100644
---- a/Gemfile.lock 2019-01-13 19:55:52.538561762 +0100
-+++ b/Gemfile.lock 2019-01-13 19:58:11.087099067 +0100
-@@ -398,6 +398,7 @@
- mysql2 (0.5.2)
- naught (1.1.0)
- nenv (0.3.0)
-+ net-ldap (0.16.1)
- nio4r (2.3.1)
- nokogiri (1.8.5)
- mini_portile2 (~> 2.3.0)
-@@ -820,6 +821,7 @@
- minitest
- mobile-fu (= 1.4.0)
- mysql2 (= 0.5.2)
-+ net-ldap (~> 0.16)
- nokogiri (= 1.8.5)
- omniauth (= 1.8.1)
- omniauth-tumblr (= 1.2)
-diff --git a/app/models/user.rb b/app/models/user.rb
-index 940a48f25..d1e2beeee 100644
---- a/app/models/user.rb
-+++ b/app/models/user.rb
-@@ -337,6 +337,12 @@ class User < ActiveRecord::Base
- end
-
- def send_confirm_email
-+ if skip_email_confirmation?
-+ self.email = unconfirmed_email
-+ self.unconfirmed_email = nil
-+ save
-+ end
-+
- return if unconfirmed_email.blank?
- Workers::Mail::ConfirmEmail.perform_async(id)
- end
-@@ -554,6 +560,14 @@ class User < ActiveRecord::Base
- end
- end
-
-+ def ldap_user?
-+ AppConfig.ldap.enable? && ldap_dn.present?
-+ end
-+
-+ def skip_email_confirmation?
-+ ldap_user? && AppConfig.ldap.skip_email_confirmation?
-+ end
-+
- private
-
- def clearable_fields
-diff --git a/config/defaults.yml b/config/defaults.yml
-index c046aff07..66e9afa13 100644
---- a/config/defaults.yml
-+++ b/config/defaults.yml
-@@ -202,6 +202,20 @@ defaults:
- scope: tags
- include_user_tags: false
- pod_tags:
-+ ldap:
-+ enable: false
-+ host: localhost
-+ port: 389
-+ only_ldap: true
-+ mail_attribute: mail
-+ skip_email_confirmation: true
-+ use_bind_dn: true
-+ bind_dn: "cn=diaspora,dc=example,dc=com"
-+ bind_pw: "password"
-+ search_base: "dc=example,dc=com"
-+ search_filter: "uid=%{username}"
-+ bind_template: "uid=%{username},dc=example,dc=com"
-+
-
- development:
- environment:
-diff --git a/config/diaspora.yml.example b/config/diaspora.yml.example
-index b2573625d..c357c8651 100644
---- a/config/diaspora.yml.example
-+++ b/config/diaspora.yml.example
-@@ -710,6 +710,36 @@ configuration: ## Section
- ## If scope is 'tags', a comma separated list of tags here can be set.
- ## For example "linux,diaspora", to receive posts related to these tags
- #pod_tags:
-+ ldap:
-+ # Uncomment next line if you want to use LDAP on your instance
-+ enable: true
-+ host: localhost
-+ port: 389
-+ # Use only LDAP authentication (don't try other means)
-+ only_ldap: true
-+ # LDAP attribute to find the user's e-mail. Necessary to create accounts
-+ # for not existing users
-+ mail_attribute: mail
-+ # Skip e-mail confirmation when creating an account via LDAP.
-+ skip_email_confirmation: true
-+ # ----- Using bind_dn and bind_pw
-+ # bind_dn and bind_pw may be used if the diaspora instance
-+ # should be able to connect to LDAP to find and search for users.
-+
-+ use_bind_dn: true
-+ bind_dn: "cn=diaspora,dc=example,dc=com"
-+ bind_pw: "password"
-+ search_base: "dc=example,dc=com"
-+ # This is the filter with which to search for the user. %{username} will
-+ # be replaced by the given login.
-+ search_filter: "uid=%{username}"
-+ #
-+ # ----- Using template
-+ # This setting doesn't require a diaspora LDAP user. Use a template, and
-+ # diaspora will try to login with the templated dn and password
-+ #
-+ # bind_template: "uid=%{username},dc=example,dc=com"
-+
-
- ## Here you can override settings defined above if you need
- ## to have them different in different environments.
-diff --git a/config/initializers/0_ldap_authenticatable.rb b/config/initializers/0_ldap_authenticatable.rb
-new file mode 100644
-index 000000000..49846502f
---- /dev/null
-+++ b/config/initializers/0_ldap_authenticatable.rb
-@@ -0,0 +1,82 @@
-+require 'net/ldap'
-+require 'devise/strategies/authenticatable'
-+
-+module Devise
-+ module Strategies
-+ class LdapAuthenticatable < Authenticatable
-+ def valid?
-+ AppConfig.ldap.enable? && params[:user].present?
-+ end
-+
-+ def authenticate!
-+ ldap = Net::LDAP.new(
-+ host: AppConfig.ldap.host,
-+ port: AppConfig.ldap.port,
-+ encryption: :simple_tls,
-+ )
-+
-+ if AppConfig.ldap.use_bind_dn?
-+ ldap.auth AppConfig.ldap.bind_dn, AppConfig.ldap.bind_pw
-+
-+ if !ldap.bind
-+ return fail(:ldap_configuration_error)
-+ end
-+
-+ search_filter = AppConfig.ldap.search_filter % { username: params[:user][:username] }
-+
-+ result = ldap.search(base: AppConfig.ldap.search_base, filter: search_filter, result_set: true)
-+
-+ if result.count != 1
-+ return login_fail
-+ end
-+
-+ user_dn = result.first.dn
-+ user_email = result.first[AppConfig.ldap.mail_attribute].first
-+ else
-+ user_dn = AppConfig.ldap.bind_template % { username: params[:user][:username] }
-+ end
-+
-+ ldap.auth user_dn, params[:user][:password]
-+
-+ if ldap.bind
-+ user = User.find_by(ldap_dn: user_dn)
-+
-+ # We don't want to trust too much the email attribute from
-+ # LDAP: if the user can edit it himself, he may login as
-+ # anyone
-+ if user.nil?
-+ if !AppConfig.ldap.use_bind_dn?
-+ result = ldap.search(base: user_dn, scope: Net::LDAP::SearchScope_BaseObject, filter: "(objectClass=*)", result_set: true)
-+ user_email = result.first[AppConfig.ldap.mail_attribute].first
-+ end
-+
-+ if user_email.present? && User.find_by(email: user_email).nil?
-+ # Password is used for remember_me token
-+ user = User.build(email: user_email, ldap_dn: user_dn, password: SecureRandom.hex, username: params[:user][:username])
-+ user.save
-+ user.seed_aspects
-+ elsif User.find_by(email: user_email).present?
-+ return fail(:ldap_existing_email)
-+ else
-+ return fail(:ldap_cannot_create_account_without_email)
-+ end
-+ end
-+
-+ success!(user)
-+ else
-+ return login_fail
-+ end
-+ end
-+
-+ def login_fail
-+ if AppConfig.ldap.only_ldap?
-+ return fail(:ldap_invalid_login)
-+ else
-+ return pass
-+ end
-+ end
-+ end
-+ end
-+end
-+
-+Warden::Strategies.add(:ldap_authenticatable, Devise::Strategies::LdapAuthenticatable)
-diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
-index 3698e2373..14e88063e 100644
---- a/config/initializers/devise.rb
-+++ b/config/initializers/devise.rb
-@@ -250,10 +250,9 @@ Devise.setup do |config|
- # If you want to use other strategies, that are not supported by Devise, or
- # change the failure app, you can configure them inside the config.warden block.
- #
-- # config.warden do |manager|
-- # manager.intercept_401 = false
-- # manager.default_strategies(:scope => :user).unshift :some_external_strategy
-- # end
-+ config.warden do |manager|
-+ manager.default_strategies(scope: :user).unshift :ldap_authenticatable
-+ end
-
- # ==> Mountable engine configurations
- # When using Devise inside an engine, let's call it `MyEngine`, and this engine
-diff --git a/db/migrate/20170724182100_add_ldap_dn_to_users.rb b/db/migrate/20170724182100_add_ldap_dn_to_users.rb
-new file mode 100644
-index 000000000..f5cc84d11
---- /dev/null
-+++ b/db/migrate/20170724182100_add_ldap_dn_to_users.rb
-@@ -0,0 +1,6 @@
-+class AddLdapDnToUsers < ActiveRecord::Migration
-+ def change
-+ add_column :users, :ldap_dn, :text, null: true, default: nil
-+ add_index :users, ['ldap_dn'], :length => { "ldap_dn" => 191 }
-+ end
-+end