From 005f70ed19863edabf3941736654eed281c25925 Mon Sep 17 00:00:00 2001 From: Vitaly Kornilov Date: Fri, 24 Jul 2020 18:19:18 +0300 Subject: [PATCH 01/10] :tada: login with LDAP form and event --- frontend/src/uxbox/main/data/auth.cljs | 24 +++++++++++++++++++ frontend/src/uxbox/main/repo.cljs | 6 +++++ frontend/src/uxbox/main/ui/auth/login.cljs | 10 ++++++-- .../src/uxbox/main/ui/components/forms.cljs | 3 ++- 4 files changed, 40 insertions(+), 3 deletions(-) diff --git a/frontend/src/uxbox/main/data/auth.cljs b/frontend/src/uxbox/main/data/auth.cljs index 3047a3d815..186c130e75 100644 --- a/frontend/src/uxbox/main/data/auth.cljs +++ b/frontend/src/uxbox/main/data/auth.cljs @@ -78,6 +78,30 @@ (rx/of (du/profile-fetched profile) (rt/nav' :dashboard-team {:team-id team-id})))))) +(defn login-with-ldap + [{:keys [email password] :as data}] + (us/verify ::login-params data) + (ptk/reify ::login-with-ldap + ptk/UpdateEvent + (update [_ state] + (merge state (dissoc initial-state :route :router))) + + ptk/WatchEvent + (watch [this state s] + (let [{:keys [on-error on-success] + :or {on-error identity + on-success identity}} (meta data) + params {:email email + :password password + :scope "webapp"}] + (->> (rx/timer 100) + (rx/mapcat #(rp/mutation :login-with-ldap params)) + (rx/tap on-success) + (rx/catch (fn [err] + (on-error err) + (rx/empty))) + (rx/map logged-in)))))) + ;; --- Logout (def clear-user-data diff --git a/frontend/src/uxbox/main/repo.cljs b/frontend/src/uxbox/main/repo.cljs index 5574fb4fab..927da0d789 100644 --- a/frontend/src/uxbox/main/repo.cljs +++ b/frontend/src/uxbox/main/repo.cljs 
@@ -104,5 +104,11 @@ (->> (http/send! {:method :post :uri uri :body params}) (rx/mapcat handle-response)))) +(defmethod mutation :login-with-ldap + [id params] + (let [uri (str cfg/public-uri "/api/login-ldap")] + (->> (http/send! {:method :post :uri uri :body params}) + (rx/mapcat handle-response)))) + (def client-error? http/client-error?) (def server-error? http/server-error?) diff --git a/frontend/src/uxbox/main/ui/auth/login.cljs b/frontend/src/uxbox/main/ui/auth/login.cljs index 16f69ac1b2..24ef2a38e8 100644 --- a/frontend/src/uxbox/main/ui/auth/login.cljs +++ b/frontend/src/uxbox/main/ui/auth/login.cljs @@ -43,6 +43,7 @@ (mf/defc login-form [{:keys [locale] :as props}] (let [error? (mf/use-state false) + submit-event (mf/use-var da/login) on-error (fn [form event] @@ -53,7 +54,7 @@ (reset! error? false) (let [params (with-meta (:clean-data form) {:on-error on-error})] - (st/emit! (da/login params))))] + (st/emit! (@submit-event params))))] [:* (when @error? @@ -78,7 +79,12 @@ :help-icon i/eye :label (t locale "auth.password-label")}] [:& submit-button - {:label (t locale "auth.login-submit-label")}]]])) + {:label (t locale "auth.login-submit-label") + :on-click #(reset! submit-event da/login)}] + (when cfg/login-with-ldap + [:& submit-button + {:label (t locale "auth.login-with-ldap-submit-label") + :on-click #(reset! submit-event da/login-with-ldap)}])]])) (mf/defc login-page [{:keys [locale] :as props}] diff --git a/frontend/src/uxbox/main/ui/components/forms.cljs b/frontend/src/uxbox/main/ui/components/forms.cljs index 81a0e43b52..e5341bf318 100644 --- a/frontend/src/uxbox/main/ui/components/forms.cljs +++ b/frontend/src/uxbox/main/ui/components/forms.cljs 
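Review bot: The form dispatches whatever `submit-event` was last clicked, so once the LDAP button has been pressed a later Enter-key submit (which fires no button click) goes through `da/login-with-ldap` instead of the default password login; the var is only ever written by the two `:on-click` handlers. Consider resetting it back to `da/login` after each `st/emit!`, or deriving the event from the submit event's `submitter` instead of shared mutable state. The `login-form` definition continues outside the hunk, so the submit handler's surroundings are not visible here.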
@@ -121,12 +121,13 @@ i/arrow-slide]]])) (mf/defc submit-button - [{:keys [label form] :as props}] + [{:keys [label form on-click] :as props}] (let [form (mf/use-ctx form-ctx)] [:input.btn-primary.btn-large {:name "submit" :class (when-not (:valid form) "btn-disabled") :disabled (not (:valid form)) + :on-click on-click :value label :type "submit"}])) From 6fd7a2369093f41e3427612bfa81d1f6e86d59bd Mon Sep 17 00:00:00 2001 From: Vitaly Kornilov Date: Fri, 24 Jul 2020 18:20:42 +0300 Subject: [PATCH 02/10] :wrench: ldap frontend config, locales, gulp config --- frontend/gulpfile.js | 5 +++++ frontend/resources/locales.json | 9 +++++++++ frontend/src/uxbox/config.cljs | 2 ++ 3 files changed, 16 insertions(+) diff --git a/frontend/gulpfile.js b/frontend/gulpfile.js index 1d4bc778d0..ec348345ec 100644 --- a/frontend/gulpfile.js +++ b/frontend/gulpfile.js @@ -113,6 +113,7 @@ function readConfig(data) { const demoWarn = process.env.UXBOX_DEMO_WARNING; const deployDate = process.env.UXBOX_DEPLOY_DATE; const deployCommit = process.env.UXBOX_DEPLOY_COMMIT; + const loginWithLDAP = process.env.UXBOX_LOGIN_WITH_LDAP; let cfg = { demoWarning: demoWarn === "true" @@ -130,6 +131,10 @@ function readConfig(data) { cfg.deployCommit = deployCommit; } + if (loginWithLDAP !== undefined) { + cfg.loginWithLDAP = loginWithLDAP; + } + Object.assign(cfg, data); return JSON.stringify(cfg); diff --git a/frontend/resources/locales.json b/frontend/resources/locales.json index 00c7b3e43a..1906fb9e38 100644 --- a/frontend/resources/locales.json +++ b/frontend/resources/locales.json @@ -107,6 +107,15 @@ "es" : "Entrar" } }, + "auth.login-with-ldap-submit-label" : { + "used-in" : [ "src/uxbox/main/ui/auth/login.cljs:108" ], + "translations" : { + "en" : "Sign in with LDAP", + "fr" : "", + "es" : "", + "ru" : "Вход через LDAP" + } + }, "auth.login-subtitle" : { "used-in" : [ "src/uxbox/main/ui/auth/login.cljs:89" ], "translations" : { 
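Review bot: `cfg.loginWithLDAP = loginWithLDAP;` stores the raw environment string, unlike `demoWarning: demoWarn === "true"` a few lines above in `readConfig`, so `UXBOX_LOGIN_WITH_LDAP=false` reaches the frontend as the non-empty string `"false"`, which `(when cfg/login-with-ldap ...)` in login.cljs treats as enabled. Coerce it the same way as the other flag: `cfg.loginWithLDAP = loginWithLDAP === "true";`. The `false` default in `(obj/get config "loginWithLDAP" false)` in config.cljs (patch 02) then behaves consistently with the documented default.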
diff --git a/frontend/src/uxbox/config.cljs b/frontend/src/uxbox/config.cljs index dc0e706140..3fce9afb96 100644 --- a/frontend/src/uxbox/config.cljs +++ b/frontend/src/uxbox/config.cljs @@ -15,10 +15,12 @@ puri (obj/get config "publicURI") wuri (obj/get config "workerURI") gcid (obj/get config "googleClientID" true) + lwl (obj/get config "loginWithLDAP" false) warn (obj/get config "demoWarning" true)] (def default-language "en") (def demo-warning warn) (def google-client-id gcid) + (def login-with-ldap lwl) (def worker-uri wuri) (def public-uri puri) (def default-theme "default"))) From 272c27061dd289017acd2187b65cea6abc6faea3 Mon Sep 17 00:00:00 2001 From: Vitaly Kornilov Date: Fri, 24 Jul 2020 18:40:26 +0300 Subject: [PATCH 03/10] :sparkles: auth with LDAP handler and config --- backend/deps.edn | 2 + backend/src/uxbox/config.clj | 49 +++++++++++++++++++-- backend/src/uxbox/http.clj | 3 ++ backend/src/uxbox/http/auth/ldap.clj | 66 ++++++++++++++++++++++++++++ 4 files changed, 117 insertions(+), 3 deletions(-) create mode 100644 backend/src/uxbox/http/auth/ldap.clj diff --git a/backend/deps.edn b/backend/deps.edn index e544793a70..3af2bc1fcd 100644 --- a/backend/deps.edn +++ b/backend/deps.edn @@ -53,6 +53,8 @@ com.draines/postal {:mvn/version "2.0.3" :exclusions [commons-codec/commons-codec]} + org.clojars.pntblnk/clj-ldap {:mvn/version"0.0.16"} + ;; exception printing io.aviso/pretty {:mvn/version "0.1.37"} diff --git a/backend/src/uxbox/config.clj b/backend/src/uxbox/config.clj index 2299fb8d98..4827cc16a6 100644 --- a/backend/src/uxbox/config.clj +++ b/backend/src/uxbox/config.clj 
@@ -43,8 +43,22 @@ :allow-demo-users true :registration-enabled true :registration-domain-whitelist "" - :debug-humanize-transit true - }) + :debug-humanize-transit true}) + + ;; LDAP auth disabled by default + ;:ldap-auth-host "ldap.mysupercompany.com" + ;:ldap-auth-port 636 + ;:ldap-auth-version "3" + ;:ldap-bind-dn "cn=admin,dc=ldap,dc=mysupercompany,dc=com" + ;:ldap-bind-password "verysecure" + ;:ldap-auth-ssl false + ;:ldap-auth-starttls true + ;:ldap-auth-base-dn "ou=People,dc=ldap,dc=mysupercompany,dc=com" + ;:ldap-auth-user-query "(|(uid=$username)(mail=$username))" + ;:ldap-auth-username-attribute "uid" + ;:ldap-auth-email-attribute "mail" + ;:ldap-auth-fullname-attribute "displayname" + ;:ldap-auth-avatar-attribute "jpegPhoto" (s/def ::http-server-port ::us/integer) (s/def ::http-server-debug ::us/boolean) @@ -78,6 +92,21 @@ (s/def ::google-client-id ::us/string) (s/def ::google-client-secret ::us/string) +(s/def ::ldap-auth-host ::us/string) +(s/def ::ldap-auth-port ::us/integer) +(s/def ::ldap-auth-version ::us/string) +(s/def ::ldap-bind-dn ::us/string) +(s/def ::ldap-bind-password ::us/string) +(s/def ::ldap-auth-ssl ::us/boolean) +(s/def ::ldap-auth-starttls ::us/boolean) +(s/def ::ldap-auth-base-dn ::us/string) +(s/def ::ldap-auth-user-query ::us/string) +(s/def ::ldap-auth-username-attribute ::us/string) +(s/def ::ldap-auth-email-attribute ::us/string) +(s/def ::ldap-auth-fullname-attribute ::us/string) +(s/def ::ldap-auth-avatar-attribute ::us/string) +(s/def ::ldap-auth-isactivedirectory ::us/boolean) + (s/def ::config (s/keys :opt-un [::http-server-cors ::http-server-debug 
@@ -106,7 +135,21 @@ ::allow-demo-users ::registration-enabled ::registration-domain-whitelist - ::image-process-max-threads])) + ::image-process-max-threads + ::ldap-auth-host + ::ldap-auth-port + ::ldap-auth-version + ::ldap-bind-dn + ::ldap-bind-password + ::ldap-auth-ssl + ::ldap-auth-starttls + ::ldap-auth-base-dn + ::ldap-auth-user-query + ::ldap-auth-username-attribute + ::ldap-auth-email-attribute + ::ldap-auth-fullname-attribute + ::ldap-auth-avatar-attribute + ::ldap-auth-isactivedirectory])) (defn env->config [env] diff --git a/backend/src/uxbox/http.clj b/backend/src/uxbox/http.clj index 5d9838c361..cc02c18d0a 100644 --- a/backend/src/uxbox/http.clj +++ b/backend/src/uxbox/http.clj @@ -19,6 +19,7 @@ [uxbox.http.handlers :as handlers] [uxbox.http.auth :as auth] [uxbox.http.auth.google :as google] + [uxbox.http.auth.ldap :as ldap] [uxbox.http.middleware :as middleware] [uxbox.http.session :as session] [uxbox.http.ws :as ws] @@ -48,6 +49,8 @@ :method :post}] ["/logout" {:handler auth/logout-handler :method :post}] + ["/login-ldap" {:handler ldap/auth + :method :post}] ["/w" {:middleware [session/auth]} ["/query/:type" {:get handlers/query-handler}] diff --git a/backend/src/uxbox/http/auth/ldap.clj b/backend/src/uxbox/http/auth/ldap.clj new file mode 100644 index 0000000000..2263c02a39 --- /dev/null +++ b/backend/src/uxbox/http/auth/ldap.clj 
@@ -0,0 +1,66 @@ +(ns uxbox.http.auth.ldap + (:require + [clj-ldap.client :as client] + [clojure.set :as set] + [mount.core :refer [defstate]] + [uxbox.common.exceptions :as ex] + [uxbox.config :as cfg] + [uxbox.services.mutations :as sm] + [uxbox.http.session :as session])) + + +(defn replace-several [s & {:as replacements}] + (reduce-kv clojure.string/replace s replacements)) + +(defstate ldap-pool + :start (client/connect (merge + {:host {:address (:ldap-auth-host cfg/config) + :port (:ldap-auth-port cfg/config)}} + (-> cfg/config + (select-keys [:ldap-auth-ssl + :ldap-auth-starttls + :ldap-bind-dn + :ldap-bind-password]) + (set/rename-keys {:ldap-auth-ssl :ssl? + :ldap-auth-starttls :startTLS? + :ldap-bind-dn :bind-dn + :ldap-bind-password :password})))) + :stop (client/close ldap-pool)) + +(defn- auth-with-ldap [username password] + (let [conn (client/get-connection ldap-pool) + user-search-query (replace-several (:ldap-auth-user-query cfg/config) + "$username" username) + user-attributes (-> cfg/config + (select-keys [:ldap-auth-username-attribute + :ldap-auth-email-attribute + :ldap-auth-fullname-attribute + :ldap-auth-avatar-attribute]) + vals)] + (try + (when-some [user-entry (-> conn + (client/search + (:ldap-auth-base-dn cfg/config) + {:filter user-search-query + :sizelimit 1 + :attributes user-attributes}) + first)] + (when-not (client/bind? 
conn (:dn user-entry) password) + (ex/raise :type :authentication + :code ::wrong-credentials)) + (set/rename-keys user-entry {(keyword (:ldap-auth-avatar-attribute cfg/config)) :photo + (keyword (:ldap-auth-fullname-attribute cfg/config)) :fullname + (keyword (:ldap-auth-email-attribute cfg/config)) :email})) + (finally (client/release-connection ldap-pool conn))))) + +(defn auth [req] + (let [data (:body-params req) + uagent (get-in req [:headers "user-agent"])] + (when-some [info (auth-with-ldap (:email data) (:password data))] + (let [profile (sm/handle {::sm/type :login-or-register + :email (:email info) + :fullname (:fullname info)}) + sid (session/create (:id profile) uagent)] + {:status 200 + :cookies (session/cookies sid) + :body profile})))) From f2c4ff7518cc72e999d9f94277ef6dd5c7fb1214 Mon Sep 17 00:00:00 2001 From: Vitaly Kornilov Date: Sat, 25 Jul 2020 00:13:04 +0300 Subject: [PATCH 04/10] :bug: System start and stop without LDAP connection --- backend/src/uxbox/http/auth/ldap.clj | 84 +++++++++++++++------------- 1 file changed, 45 insertions(+), 39 deletions(-) diff --git a/backend/src/uxbox/http/auth/ldap.clj b/backend/src/uxbox/http/auth/ldap.clj index 2263c02a39..351b851e9a 100644 --- a/backend/src/uxbox/http/auth/ldap.clj +++ b/backend/src/uxbox/http/auth/ldap.clj 
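Review bot: `user-search-query` interpolates the request's `:email` straight into the LDAP filter via `replace-several`, with no escaping of the assertion-value metacharacters RFC 4515 reserves (`*`, `(`, `)`, `\`, NUL), so a login value containing them alters the filter instead of being matched literally; escape the value before substitution, as sketched below, and the same applies to the rewritten body in patch 09. Separately, `auth` returns nil when no entry matches or the pool is unavailable, whereas a wrong password raises `:authentication`/`::wrong-credentials`; raising the same error in both cases gives clients one uniform failure response and stops the endpoint from distinguishing unknown accounts from existing ones. Confirm also that `client/bind?` rejects an empty `password` rather than performing an unauthenticated bind, since `auth` passes `(:password data)` through unchecked.
```clojure
(defn- escape-filter-value
  "Escapes the characters RFC 4515 reserves in an LDAP filter assertion value."
  [s]
  (-> (str s)
      (clojure.string/replace "\\" "\\5c")
      (clojure.string/replace "*" "\\2a")
      (clojure.string/replace "(" "\\28")
      (clojure.string/replace ")" "\\29")
      (clojure.string/replace "\u0000" "\\00")))

;; … unchanged: defstate ldap-pool …

;; in auth-with-ldap, substitute the escaped value:
        user-search-query (replace-several (:ldap-auth-user-query cfg/config)
                                           "$username" (escape-filter-value username))
;; … unchanged: rest of auth-with-ldap and auth …
```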
@@ -6,52 +6,58 @@ [uxbox.common.exceptions :as ex] [uxbox.config :as cfg] [uxbox.services.mutations :as sm] - [uxbox.http.session :as session])) + [uxbox.http.session :as session] + [clojure.tools.logging :as log])) (defn replace-several [s & {:as replacements}] (reduce-kv clojure.string/replace s replacements)) -(defstate ldap-pool - :start (client/connect (merge - {:host {:address (:ldap-auth-host cfg/config) - :port (:ldap-auth-port cfg/config)}} - (-> cfg/config - (select-keys [:ldap-auth-ssl - :ldap-auth-starttls - :ldap-bind-dn - :ldap-bind-password]) - (set/rename-keys {:ldap-auth-ssl :ssl? - :ldap-auth-starttls :startTLS? - :ldap-bind-dn :bind-dn - :ldap-bind-password :password})))) - :stop (client/close ldap-pool)) +(defstate *ldap-pool + :start (delay + (try + (client/connect (merge {:host {:address (:ldap-auth-host cfg/config) + :port (:ldap-auth-port cfg/config)}} + (-> cfg/config + (select-keys [:ldap-auth-ssl + :ldap-auth-starttls + :ldap-bind-dn + :ldap-bind-password]) + (set/rename-keys {:ldap-auth-ssl :ssl? + :ldap-auth-starttls :startTLS? + :ldap-bind-dn :bind-dn + :ldap-bind-password :password})))) + (catch Exception e + (log/errorf e "Cannot connect to LDAP %s:%s" + (:ldap-auth-host cfg/config) (:ldap-auth-port cfg/config))))) + :stop (when (realized? *ldap-pool) + (some-> *ldap-pool deref (client/close)))) (defn- auth-with-ldap [username password] - (let [conn (client/get-connection ldap-pool) - user-search-query (replace-several (:ldap-auth-user-query cfg/config) - "$username" username) - user-attributes (-> cfg/config - (select-keys [:ldap-auth-username-attribute - :ldap-auth-email-attribute - :ldap-auth-fullname-attribute - :ldap-auth-avatar-attribute]) - vals)] - (try - (when-some [user-entry (-> conn - (client/search - (:ldap-auth-base-dn cfg/config) - {:filter user-search-query - :sizelimit 1 - :attributes user-attributes}) - first)] - (when-not (client/bind? 
conn (:dn user-entry) password) - (ex/raise :type :authentication - :code ::wrong-credentials)) - (set/rename-keys user-entry {(keyword (:ldap-auth-avatar-attribute cfg/config)) :photo - (keyword (:ldap-auth-fullname-attribute cfg/config)) :fullname - (keyword (:ldap-auth-email-attribute cfg/config)) :email})) - (finally (client/release-connection ldap-pool conn))))) + (when-let [conn (some-> *ldap-pool deref (client/get-connection))] + (let [user-search-query (replace-several (:ldap-auth-user-query cfg/config) + "$username" username) + user-attributes (-> cfg/config + (select-keys [:ldap-auth-username-attribute + :ldap-auth-email-attribute + :ldap-auth-fullname-attribute + :ldap-auth-avatar-attribute]) + vals)] + (try + (when-some [user-entry (-> conn + (client/search + (:ldap-auth-base-dn cfg/config) + {:filter user-search-query + :sizelimit 1 + :attributes user-attributes}) + first)] + (when-not (client/bind? conn (:dn user-entry) password) + (ex/raise :type :authentication + :code ::wrong-credentials)) + (set/rename-keys user-entry {(keyword (:ldap-auth-avatar-attribute cfg/config)) :photo + (keyword (:ldap-auth-fullname-attribute cfg/config)) :fullname + (keyword (:ldap-auth-email-attribute cfg/config)) :email})) + (finally (client/release-connection @*ldap-pool conn)))))) (defn auth [req] (let [data (:body-params req) From d1c409ce9075ca7fa14eb98f1bf145a70ae4c105 Mon Sep 17 00:00:00 2001 From: "mathieu.brunot" Date: Sun, 26 Jul 2020 01:15:55 +0200 Subject: [PATCH 05/10] :books: Update available env config Signed-off-by: mathieu.brunot --- docs/05-Management-Guide.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/docs/05-Management-Guide.md b/docs/05-Management-Guide.md index 57944dda37..f755736c6e 100644 --- a/docs/05-Management-Guide.md +++ b/docs/05-Management-Guide.md 
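Review bot: Because `:start` wraps the connect in a `delay` and catches the exception inside it, a failed first connect is cached as nil for the life of the process: every later `(some-> *ldap-pool deref ...)` in `auth-with-ldap` yields nil, `auth` returns nil, and LDAP login stays silently disabled until a restart even after the directory recovers. Cache only a successful pool (for example an atom that is populated under `locking` when it is nil) so a transient outage at first login is retried, and have `auth` turn a missing pool into an explicit error response instead of falling through to a nil body. The `auth` function itself is outside this hunk.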
@@ -7,11 +7,13 @@ **Only available at build time!** - `-e UXBOX_PUBLIC_URI=...` (defaults to `http://localhost:6060`) +- `-e UXBOX_GOOGLE_CLIENT_ID=...` (defaults to `true`) +- `-e UXBOX_LOGIN_WITH_LDAP=...` (defaults to `false`) - `-e UXBOX_DEMO_WARNING=...` (defaults to `true`) ## Backend configuration parameters ## -Backend accepts a bunch of configuration parameters (detailed abowe), +Backend accepts a bunch of configuration parameters (detailed above), that can be passed in different ways. The preferred one is using environment variables. @@ -41,6 +43,19 @@ respective defaults): - `UXBOX_REGISTRATION_DOMAIN_WHITELIST=""` (comma-separated domains, defaults to `""` which means that all domains are allowed) - `UXBOX_DEBUG_HUMANIZE_TRANSIT=true` +- `UXBOX_LDAP_AUTH_HOST=` (default undefined) +- `UXBOX_LDAP_AUTH_PORT=` (default undefined) +- `UXBOX_LDAP_AUTH_VERSION=3` +- `UXBOX_LDAP_BIND_DN=` (default undefined) +- `UXBOX_LDAP_BIND_PASSWORD=` (default undefined) +- `UXBOX_LDAP_AUTH_SSL=` (default `false`) +- `UXBOX_LDAP_AUTH_STARTTLS=` (default `false`) +- `UXBOX_LDAP_AUTH_BASE_DN=` (default undefined) +- `UXBOX_LDAP_AUTH_USER_QUERY=(|(uid=$username)(mail=$username))` +- `UXBOX_LDAP_AUTH_USERNAME_ATTRIBUTE=uid` +- `UXBOX_LDAP_AUTH_EMAIL_ATTRIBUTE=mail` +- `UXBOX_LDAP_AUTH_FULLNAME_ATTRIBUTE=displayName` +- `UXBOX_LDAP_AUTH_AVATAR_ATTRIBUTE=jpegPhoto` ## REPL ## From 2d60ec9deee1ea46792a7231666568fd1d866fdd Mon Sep 17 00:00:00 2001 From: Vitaly Kornilov Date: Tue, 28 Jul 2020 13:48:09 +0300 Subject: [PATCH 06/10] :wrench: LDAP authentication config with better default values Co-authored-by: Mathieu Brunot --- backend/src/uxbox/config.clj | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/backend/src/uxbox/config.clj b/backend/src/uxbox/config.clj index 4827cc16a6..8922de4425 100644 --- a/backend/src/uxbox/config.clj +++ b/backend/src/uxbox/config.clj 
@@ -43,22 +43,22 @@ :allow-demo-users true :registration-enabled true :registration-domain-whitelist "" - :debug-humanize-transit true}) + :debug-humanize-transit true - ;; LDAP auth disabled by default + ;; LDAP auth disabled by default. Set ldap-auth-host to enable ;:ldap-auth-host "ldap.mysupercompany.com" - ;:ldap-auth-port 636 - ;:ldap-auth-version "3" + ;:ldap-auth-port 389 + :ldap-auth-version "3" ;:ldap-bind-dn "cn=admin,dc=ldap,dc=mysupercompany,dc=com" ;:ldap-bind-password "verysecure" ;:ldap-auth-ssl false - ;:ldap-auth-starttls true + ;:ldap-auth-starttls false ;:ldap-auth-base-dn "ou=People,dc=ldap,dc=mysupercompany,dc=com" - ;:ldap-auth-user-query "(|(uid=$username)(mail=$username))" - ;:ldap-auth-username-attribute "uid" - ;:ldap-auth-email-attribute "mail" - ;:ldap-auth-fullname-attribute "displayname" - ;:ldap-auth-avatar-attribute "jpegPhoto" + :ldap-auth-user-query "(|(uid=$username)(mail=$username))" + :ldap-auth-username-attribute "uid" + :ldap-auth-email-attribute "mail" + :ldap-auth-fullname-attribute "displayName" + :ldap-auth-avatar-attribute "jpegPhoto"}) (s/def ::http-server-port ::us/integer) (s/def ::http-server-debug ::us/boolean) From 055504ba9a9901112fecf2edd508104315acfb22 Mon Sep 17 00:00:00 2001 From: Vitaly Kornilov Date: Tue, 28 Jul 2020 13:50:51 +0300 Subject: [PATCH 07/10] :globe_with_meridians: Sign in with LDAP label for fr, es locales Co-authored-by: Mathieu Brunot --- frontend/resources/locales.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/frontend/resources/locales.json b/frontend/resources/locales.json index 1906fb9e38..98ffa4f9c1 100644 --- a/frontend/resources/locales.json +++ b/frontend/resources/locales.json @@ -111,8 +111,8 @@ "used-in" : [ "src/uxbox/main/ui/auth/login.cljs:108" ], "translations" : { "en" : "Sign in with LDAP", - "fr" : "", - "es" : "", + "fr" : "Se connecter via LDAP", + "es" : "Entrar con LDAP", "ru" : "Вход через LDAP" } }, 
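Review bot: With the new defaults the example enables LDAP with `;:ldap-auth-port 389`, `;:ldap-auth-ssl false` and `;:ldap-auth-starttls false`, so an operator who follows the comment and only sets `ldap-auth-host` sends the bind DN password and every user's login password over the network in cleartext. The comment should say so, e.g. `;; LDAP auth disabled by default. Set ldap-auth-host to enable; set :ldap-auth-ssl or :ldap-auth-starttls so credentials are not sent in cleartext`. The docs hunk in patch 05 lists the same `false` defaults and would need the same caveat.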
From b4758539227133942de01d0c9c20f4f8f3870915 Mon Sep 17 00:00:00 2001 From: Vitaly Kornilov Date: Tue, 28 Jul 2020 13:52:20 +0300 Subject: [PATCH 08/10] :wrench: Remove unused LDAP config spec Co-authored-by: Mathieu Brunot --- backend/src/uxbox/config.clj | 1 - 1 file changed, 1 deletion(-) diff --git a/backend/src/uxbox/config.clj b/backend/src/uxbox/config.clj index 8922de4425..945b93e749 100644 --- a/backend/src/uxbox/config.clj +++ b/backend/src/uxbox/config.clj @@ -94,7 +94,6 @@ (s/def ::ldap-auth-host ::us/string) (s/def ::ldap-auth-port ::us/integer) -(s/def ::ldap-auth-version ::us/string) (s/def ::ldap-bind-dn ::us/string) (s/def ::ldap-bind-password ::us/string) (s/def ::ldap-auth-ssl ::us/boolean) From 712563a98441fa7e2873f2e50a2d7b45d93c9bc2 Mon Sep 17 00:00:00 2001 From: Vitaly Kornilov Date: Tue, 28 Jul 2020 13:56:50 +0300 Subject: [PATCH 09/10] :arrow_up: Replace outdated org.clojars.pntblnk/clj-ldap with puppetlabs/clj-ldap --- backend/deps.edn | 2 +- backend/src/uxbox/http/auth/ldap.clj | 31 +++++++++++++--------------- 2 files changed, 15 insertions(+), 18 deletions(-) diff --git a/backend/deps.edn b/backend/deps.edn index 3af2bc1fcd..c396e0d4a8 100644 --- a/backend/deps.edn +++ b/backend/deps.edn @@ -53,7 +53,7 @@ com.draines/postal {:mvn/version "2.0.3" :exclusions [commons-codec/commons-codec]} - org.clojars.pntblnk/clj-ldap {:mvn/version"0.0.16"} + puppetlabs/clj-ldap {:mvn/version"0.3.0"} ;; exception printing io.aviso/pretty {:mvn/version "0.1.37"} diff --git a/backend/src/uxbox/http/auth/ldap.clj b/backend/src/uxbox/http/auth/ldap.clj index 351b851e9a..d869cb3f3a 100644 --- a/backend/src/uxbox/http/auth/ldap.clj +++ b/backend/src/uxbox/http/auth/ldap.clj 
@@ -31,10 +31,10 @@ (log/errorf e "Cannot connect to LDAP %s:%s" (:ldap-auth-host cfg/config) (:ldap-auth-port cfg/config))))) :stop (when (realized? *ldap-pool) - (some-> *ldap-pool deref (client/close)))) + (some-> *ldap-pool deref (.close)))) (defn- auth-with-ldap [username password] - (when-let [conn (some-> *ldap-pool deref (client/get-connection))] + (when-some [conn (some-> *ldap-pool deref)] (let [user-search-query (replace-several (:ldap-auth-user-query cfg/config) "$username" username) user-attributes (-> cfg/config @@ -43,21 +43,18 @@ :ldap-auth-fullname-attribute :ldap-auth-avatar-attribute]) vals)] - (try - (when-some [user-entry (-> conn - (client/search - (:ldap-auth-base-dn cfg/config) - {:filter user-search-query - :sizelimit 1 - :attributes user-attributes}) - first)] - (when-not (client/bind? conn (:dn user-entry) password) - (ex/raise :type :authentication - :code ::wrong-credentials)) - (set/rename-keys user-entry {(keyword (:ldap-auth-avatar-attribute cfg/config)) :photo - (keyword (:ldap-auth-fullname-attribute cfg/config)) :fullname - (keyword (:ldap-auth-email-attribute cfg/config)) :email})) - (finally (client/release-connection @*ldap-pool conn)))))) + (when-some [user-entry (-> conn + (client/search (:ldap-auth-base-dn cfg/config) + {:filter user-search-query + :sizelimit 1 + :attributes user-attributes}) + (first))] + (when-not (client/bind? conn (:dn user-entry) password) + (ex/raise :type :authentication + :code ::wrong-credentials)) + (set/rename-keys user-entry {(keyword (:ldap-auth-avatar-attribute cfg/config)) :photo + (keyword (:ldap-auth-fullname-attribute cfg/config)) :fullname + (keyword (:ldap-auth-email-attribute cfg/config)) :email}))))) (defn auth [req] (let [data (:body-params req) From 89f4fbfbb1d037dac8730669b15ee189414b2bbd Mon Sep 17 00:00:00 2001 From: "mathieu.brunot" Date: Fri, 7 Aug 2020 23:25:21 +0200 Subject: [PATCH 10/10] :wrench: Clean unused LDAP var 
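Review bot: The search in the second hunk still runs with `:sizelimit 1` and takes `(first)`, so when the configured user query (`(|(uid=$username)(mail=$username))` by default) matches more than one entry — one account's `uid` equal to another's `mail`, say — the bind is attempted against whichever entry the server returned first, and it is not visible here whether clj-ldap surfaces the size-limit result as an error or swallows it. Ambiguous matches should fail authentication: search with `:sizelimit 2` and `(ex/raise :type :authentication :code ::wrong-credentials)` when more than one entry comes back, before binding. `conn` is now the pool object itself rather than a checked-out connection; confirm that `client/bind?` on a pool reverts the connection's authentication afterwards so no pooled connection is left bound as the end user.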
Signed-off-by: mathieu.brunot --- backend/src/uxbox/config.clj | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/backend/src/uxbox/config.clj b/backend/src/uxbox/config.clj index 945b93e749..eac43c9246 100644 --- a/backend/src/uxbox/config.clj +++ b/backend/src/uxbox/config.clj @@ -48,7 +48,6 @@ ;; LDAP auth disabled by default. Set ldap-auth-host to enable ;:ldap-auth-host "ldap.mysupercompany.com" ;:ldap-auth-port 389 - :ldap-auth-version "3" ;:ldap-bind-dn "cn=admin,dc=ldap,dc=mysupercompany,dc=com" ;:ldap-bind-password "verysecure" ;:ldap-auth-ssl false @@ -104,7 +103,6 @@ (s/def ::ldap-auth-email-attribute ::us/string) (s/def ::ldap-auth-fullname-attribute ::us/string) (s/def ::ldap-auth-avatar-attribute ::us/string) -(s/def ::ldap-auth-isactivedirectory ::us/boolean) (s/def ::config (s/keys :opt-un [::http-server-cors @@ -137,7 +135,6 @@ ::image-process-max-threads ::ldap-auth-host ::ldap-auth-port - ::ldap-auth-version ::ldap-bind-dn ::ldap-bind-password ::ldap-auth-ssl @@ -147,8 +144,7 @@ ::ldap-auth-username-attribute ::ldap-auth-email-attribute ::ldap-auth-fullname-attribute - ::ldap-auth-avatar-attribute - ::ldap-auth-isactivedirectory])) + ::ldap-auth-avatar-attribute])) (defn env->config [env]