1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
|
commit 936a14e225037aca4cdeac11c843c7985e636c88
Author: Ismaël Bouya <ismael.bouya@normalesup.org>
Date: Mon Jul 24 19:58:24 2017 +0200
Add LDAP to diaspora
diff --git a/Gemfile b/Gemfile
index 414b0138d..2a934e9c9 100644
--- a/Gemfile
+++ b/Gemfile
@@ -217,6 +217,9 @@ gem "thor", "0.19.1"
# gem "therubyracer", :platform => :ruby
+# LDAP
+gem 'net-ldap', '~> 0.16'
+
group :production do # we don"t install these on travis to speed up test runs
# Analytics
diff --git a/Gemfile.lock b/Gemfile.lock
index 84f8172e4..cdbf19fcd 100644
--- a/Gemfile.lock 2019-01-13 19:55:52.538561762 +0100
+++ b/Gemfile.lock 2019-01-13 19:58:11.087099067 +0100
@@ -398,6 +398,7 @@
mysql2 (0.5.2)
naught (1.1.0)
nenv (0.3.0)
+ net-ldap (0.16.1)
nio4r (2.3.1)
nokogiri (1.8.5)
mini_portile2 (~> 2.3.0)
@@ -820,6 +821,7 @@
minitest
mobile-fu (= 1.4.0)
mysql2 (= 0.5.2)
+ net-ldap (~> 0.16)
nokogiri (= 1.8.5)
omniauth (= 1.8.1)
omniauth-tumblr (= 1.2)
diff --git a/app/models/user.rb b/app/models/user.rb
index 940a48f25..d1e2beeee 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -337,6 +337,12 @@ class User < ActiveRecord::Base
end
def send_confirm_email
+ if skip_email_confirmation?
+ self.email = unconfirmed_email
+ self.unconfirmed_email = nil
+ save
+ end
+
return if unconfirmed_email.blank?
Workers::Mail::ConfirmEmail.perform_async(id)
end
@@ -554,6 +560,14 @@ class User < ActiveRecord::Base
end
end
+ def ldap_user?
+ AppConfig.ldap.enable? && ldap_dn.present?
+ end
+
+ def skip_email_confirmation?
+ ldap_user? && AppConfig.ldap.skip_email_confirmation?
+ end
+
private
def clearable_fields
diff --git a/config/defaults.yml b/config/defaults.yml
index c046aff07..66e9afa13 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
@@ -202,6 +202,20 @@ defaults:
scope: tags
include_user_tags: false
pod_tags:
+ ldap:
+ enable: false
+ host: localhost
+ port: 389
+ only_ldap: true
+ mail_attribute: mail
+ skip_email_confirmation: true
+ use_bind_dn: true
+ bind_dn: "cn=diaspora,dc=example,dc=com"
+ bind_pw: "password"
+ search_base: "dc=example,dc=com"
+ search_filter: "uid=%{username}"
+ bind_template: "uid=%{username},dc=example,dc=com"
+
development:
environment:
diff --git a/config/diaspora.yml.example b/config/diaspora.yml.example
index b2573625d..c357c8651 100644
--- a/config/diaspora.yml.example
+++ b/config/diaspora.yml.example
@@ -710,6 +710,36 @@ configuration: ## Section
## If scope is 'tags', a comma separated list of tags here can be set.
## For example "linux,diaspora", to receive posts related to these tags
#pod_tags:
+ ldap:
+ # Uncomment next line if you want to use LDAP on your instance
+ enable: true
+ host: localhost
+ port: 389
+ # Use only LDAP authentication (don't try other means)
+ only_ldap: true
+ # LDAP attribute to find the user's e-mail. Necessary to create accounts
+ # for not existing users
+ mail_attribute: mail
+ # Skip e-mail confirmation when creating an account via LDAP.
+ skip_email_confirmation: true
+ # ----- Using bind_dn and bind_pw
+ # bind_dn and bind_pw may be used if the diaspora instance
+ # should be able to connect to LDAP to find and search for users.
+
+ use_bind_dn: true
+ bind_dn: "cn=diaspora,dc=example,dc=com"
+ bind_pw: "password"
+ search_base: "dc=example,dc=com"
+ # This is the filter with which to search for the user. %{username} will
+ # be replaced by the given login.
+ search_filter: "uid=%{username}"
+ #
+ # ----- Using template
+ # This setting doesn't require a diaspora LDAP user. Use a template, and
+ # diaspora will try to login with the templated dn and password
+ #
+ # bind_template: "uid=%{username},dc=example,dc=com"
+
## Here you can override settings defined above if you need
## to have them different in different environments.
diff --git a/config/initializers/0_ldap_authenticatable.rb b/config/initializers/0_ldap_authenticatable.rb
new file mode 100644
index 000000000..49846502f
--- /dev/null
+++ b/config/initializers/0_ldap_authenticatable.rb
@@ -0,0 +1,82 @@
+require 'net/ldap'
+require 'devise/strategies/authenticatable'
+
+module Devise
+ module Strategies
+ class LdapAuthenticatable < Authenticatable
+ def valid?
+ AppConfig.ldap.enable? && params[:user].present?
+ end
+
+ def authenticate!
+ ldap = Net::LDAP.new(
+ host: AppConfig.ldap.host,
+ port: AppConfig.ldap.port,
+ encryption: :simple_tls,
+ )
+
+ if AppConfig.ldap.use_bind_dn?
+ ldap.auth AppConfig.ldap.bind_dn, AppConfig.ldap.bind_pw
+
+ if !ldap.bind
+ return fail(:ldap_configuration_error)
+ end
+
+ search_filter = AppConfig.ldap.search_filter % { username: params[:user][:username] }
+
+ result = ldap.search(base: AppConfig.ldap.search_base, filter: search_filter, result_set: true)
+
+ if result.count != 1
+ return login_fail
+ end
+
+ user_dn = result.first.dn
+ user_email = result.first[AppConfig.ldap.mail_attribute].first
+ else
+ user_dn = AppConfig.ldap.bind_template % { username: params[:user][:username] }
+ end
+
+ ldap.auth user_dn, params[:user][:password]
+
+ if ldap.bind
+ user = User.find_by(ldap_dn: user_dn)
+
+ # We don't want to trust too much the email attribute from
+ # LDAP: if the user can edit it himself, he may login as
+ # anyone
+ if user.nil?
+ if !AppConfig.ldap.use_bind_dn?
+ result = ldap.search(base: user_dn, scope: Net::LDAP::SearchScope_BaseObject, filter: "(objectClass=*)", result_set: true)
+ user_email = result.first[AppConfig.ldap.mail_attribute].first
+ end
+
+ if user_email.present? && User.find_by(email: user_email).nil?
+ # Password is used for remember_me token
+ user = User.build(email: user_email, ldap_dn: user_dn, password: SecureRandom.hex, username: params[:user][:username])
+ user.save
+ user.seed_aspects
+ elsif User.find_by(email: user_email).present?
+ return fail(:ldap_existing_email)
+ else
+ return fail(:ldap_cannot_create_account_without_email)
+ end
+ end
+
+ success!(user)
+ else
+ return login_fail
+ end
+ end
+
+ def login_fail
+ if AppConfig.ldap.only_ldap?
+ return fail(:ldap_invalid_login)
+ else
+ return pass
+ end
+ end
+ end
+ end
+end
+
+Warden::Strategies.add(:ldap_authenticatable, Devise::Strategies::LdapAuthenticatable)
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 3698e2373..14e88063e 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -250,10 +250,9 @@ Devise.setup do |config|
# If you want to use other strategies, that are not supported by Devise, or
# change the failure app, you can configure them inside the config.warden block.
#
- # config.warden do |manager|
- # manager.intercept_401 = false
- # manager.default_strategies(:scope => :user).unshift :some_external_strategy
- # end
+ config.warden do |manager|
+ manager.default_strategies(scope: :user).unshift :ldap_authenticatable
+ end
# ==> Mountable engine configurations
# When using Devise inside an engine, let's call it `MyEngine`, and this engine
diff --git a/db/migrate/20170724182100_add_ldap_dn_to_users.rb b/db/migrate/20170724182100_add_ldap_dn_to_users.rb
new file mode 100644
index 000000000..f5cc84d11
--- /dev/null
+++ b/db/migrate/20170724182100_add_ldap_dn_to_users.rb
@@ -0,0 +1,6 @@
+class AddLdapDnToUsers < ActiveRecord::Migration
+ def change
+ add_column :users, :ldap_dn, :text, null: true, default: nil
+ add_index :users, ['ldap_dn'], :length => { "ldap_dn" => 191 }
+ end
+end
|