Split User and Group filter

2024-10-05 23:23:59 +02:00 · 2021-05-18 23:26:33 +02:00 · 2021-05-18 23:26:33 +02:00 · 547ce9a744
commit 547ce9a744
parent 2b982babbb
4 changed files with 15 additions and 15 deletions
--- a/README.md
+++ b/README.md
@ -1,4 +1,3 @@
-
 # Free Overleaf Ldap Implementation

 This repo contains an improved, free ldap authentication and authorisation 
@ -80,9 +79,9 @@ LDAP_SERVER: ldaps://LDAPSERVER:636
 LDAP_BASE: dc=DOMAIN,dc=TLD
 LDAP_BIND_USER: cn=ldap_reader,dc=DOMAIN,dc=TLS
 LDAP_BIND_PW: TopSecret
-# By default tries to bind directly with the ldap user - this user has to be in the LDAP GROUP
-# you have to set a group filter a minimal groupfilter would be: '(objectClass=person)'
-LDAP_GROUP_FILTER: '(memberof=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
+# users need to match this filter to login.
+#All occurrences of `%u` get replaced by the entered uid.
+LDAP_USER_FILTER: '(memberof=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)(uid=%u)'

 # If user is in ADMIN_GROUP on user creation (first login) isAdmin is set to true. 
 # Admin Users can invite external (non ldap) users. This feature makes only sense 
--- a/docker-compose.certbot.yml
+++ b/docker-compose.certbot.yml
@ -58,8 +58,8 @@ services:
            LDAP_SERVER: ldaps://LDAPSERVER:636
            LDAP_BASE: ou=people,dc=DOMAIN,dc=TLD
            LDAP_BINDDN: ou=someunit,ou=people,dc=DOMAIN,dc=TLS
-            # By default tries to bind directly with the ldap user - this user has to be in the LDAP GROUP
-            LDAP_GROUP_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
+            # Binds with the LDAP_BIND_USER and searches for users matching this filter:
+            LDAP_USER_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)(uid=%u)'

            # If user is in ADMIN_GROUP on user creation (first login) isAdmin is set to true. 
            # Admin Users can invite external (non ldap) users. This feature makes only sense 
@ -71,6 +71,7 @@ services:
            # All users in the LDAP_GROUP_FILTER are loaded from the ldap server into contacts.
            # This LDAP search happens without bind. If you want this and your LDAP needs a bind you can 
            # adapt this in the function getLdapContacts() in ContactsController.js (lines 82 - 107)
+            LDAP_GROUP_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
            LDAP_CONTACTS: 'false'

            # Same property, unfortunately with different names in
--- a/docker-compose.traefik.yml
+++ b/docker-compose.traefik.yml
@ -135,15 +135,14 @@ services:
            
            LDAP_SERVER: ldaps://LDAPSERVER:636
            LDAP_BASE: ou=people,dc=DOMAIN,dc=TLD
-            LDAP_BINDDN: ou=someunit,ou=people,dc=DOMAIN,dc=TLS
-            
-            # By default tries to bind directly with the ldap user - this user has to be in the LDAP GROUP
-            # LDAP_GROUP_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
-            LDAP_GROUP_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
+            #LDAP_BINDDN: ou=someunit,ou=people,dc=DOMAIN,dc=TLS

-            # If user is in ADMIN_GROUP on user creation (first login) isAdmin is set to true. 
-            # Admin Users can invite external (non ldap) users. This feature makes only sense 
-            # when ALLOW_EMAIL_LOGIN is set to 'true'. Additionally admins can send 
+            # # Binds with the LDAP_BIND_USER and searches for users matching this filter:
+            LDAP_USER_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)(uid=%u)'
+
+            # If user is in ADMIN_GROUP on user creation (first login) isAdmin is set to true.
+            # Admin Users can invite external (non ldap) users. This feature makes only sense
+            # when ALLOW_EMAIL_LOGIN is set to 'true'. Additionally admins can send
            # system wide messages.
            LDAP_ADMIN_GROUP_FILTER: '(memberof=cn=ADMINGROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
            ALLOW_EMAIL_LOGIN: 'true'
@ -151,6 +150,7 @@ services:
            # All users in the LDAP_GROUP_FILTER are loaded from the ldap server into contacts.
            # This LDAP search happens without bind. If you want this and your LDAP needs a bind you can 
            # adapt this in the function getLdapContacts() in ContactsController.js (lines 82 - 107)
+            LDAP_GROUP_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
            LDAP_CONTACTS: 'false'

            # Same property, unfortunately with different names in
--- a/ldap-overleaf-sl/sharelatex/AuthenticationManager.js
+++ b/ldap-overleaf-sl/sharelatex/AuthenticationManager.js
@ -276,7 +276,7 @@ const AuthenticationManager = {
    const ldap_base = process.env.LDAP_BASE
    var uid = query.email
    const replacer = new RegExp("%u", "g")
-    const filterstr = process.env.LDAP_GROUP_FILTER.replace(replacer, ldapEscape.filter`${uid}`) //replace all appearances
+    const filterstr = process.env.LDAP_USER_FILTER.replace(replacer, ldapEscape.filter`${uid}`) //replace all appearances
    console.log("filterstr:" + filterstr)
    var userDn = "" //ldapEscape.filter`uid=${uid}` + ',' + ldap_bd;
    var mail = ""