From f39842a0014b9b9e5bcfebf735a33ba1a8c555d0 Mon Sep 17 00:00:00 2001
From: Girish Ramakrishnan
Date: Fri, 25 Sep 2015 21:17:48 -0700
Subject: [PATCH] ldap: allow non-anonymous searches

Add LDAP_BIND_DN and LDAP_BIND_PASSWORD that allow apps to bind before a search.

There appear to be two kinds of ldap flows:
1. App simply binds using cn=,$LDAP_USERS_BASE_DN. This works swimmingly today.
2. App searches the username under a "bind_dn" using some admin credentials. It takes the result and uses the first dn in the result as the user dn. It then binds as step 1.

This commit tries to help out the case 2) apps. These apps really insist on having some credentials for searching.
---
 src/addons.js | 4 +++-
 src/ldap.js   | 12 ++++++++----
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/src/addons.js b/src/addons.js
index 6556c4a24..d1c551d39 100644
--- a/src/addons.js
+++ b/src/addons.js
@@ -289,7 +289,9 @@ function setupLdap(app, callback) {
         'LDAP_PORT=3002',
         'LDAP_URL=ldap://172.17.42.1:3002',
         'LDAP_USERS_BASE_DN=ou=users,dc=cloudron',
-        'LDAP_GROUPS_BASE_DN=ou=groups,dc=cloudron'
+        'LDAP_GROUPS_BASE_DN=ou=groups,dc=cloudron',
+        'LDAP_BIND_DN=cn='+ app.id + ',ou=apps,dc=cloudron',
+        'LDAP_BIND_PASSWORD=' + hat(256) // this is ignored
     ];
 
     debugApp(app, 'Setting up LDAP');
diff --git a/src/ldap.js b/src/ldap.js
index b2dd6e1e3..3d01ab47c 100644
--- a/src/ldap.js
+++ b/src/ldap.js
@@ -63,7 +63,6 @@ function start(callback) {
 
             if ((req.dn.equals(dn) || req.dn.parentOf(dn)) && req.filter.matches(tmp.attributes)) {
                 res.send(tmp);
-                debug('ldap user send:', tmp);
             }
         });
 
@@ -100,7 +99,6 @@ function start(callback) {
 
             if ((req.dn.equals(dn) || req.dn.parentOf(dn)) && req.filter.matches(tmp.attributes)) {
                 res.send(tmp);
-                debug('ldap group send:', tmp);
             }
         });
 
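Review bot: The LDAP_BIND_PASSWORD value generated on the third added line is never verified anywhere in this commit — the matching `ou=apps,dc=cloudron` bind handler in the ldap.js hunk at @@ -108 answers `res.end()` under a `// TODO: validate password`, so a bind with an app DN and any password succeeds and obtains the same search access as the real app. Since the secret is already generated here, it should be persisted with the app's other addon state and compared in that bind handler (a constant-time comparison, and a failed bind should return `ldap.InvalidCredentialsError` rather than succeed); until then the comment should say what is actually true, e.g. `// NOTE: the LDAP server does not yet verify this value (see the ou=apps bind handler in ldap.js); treat it as a placeholder, not a credential`. Minor style point on the second added line: `'LDAP_BIND_DN=cn='+ app.id` is missing the space before `+` that the neighbouring concatenation uses.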
@@ -108,8 +106,14 @@ function start(callback) {
         });
     });
 
-    gServer.bind('dc=cloudron', function(req, res, next) {
-        debug('ldap bind: %s', req.dn.toString());
+    gServer.bind('ou=apps,dc=cloudron', function(req, res, next) {
+        // TODO: validate password
+        debug('ldap application bind: %s', req.dn.toString());
+        res.end();
+    });
+
+    gServer.bind('ou=users,dc=cloudron', function(req, res, next) {
+        debug('ldap user bind: %s', req.dn.toString());
 
         if (!req.dn.rdns[0].cn) return next(new ldap.NoSuchObjectError(req.dn.toString()));