From 8eed93e3d357052ae2766ec588e5b32a683d5617 Mon Sep 17 00:00:00 2001 From: "Simon M. Haller-Seeber" Date: Thu, 14 May 2020 12:09:53 +0200 Subject: [PATCH] Distinguish between ldap bind DN and ldap base dn - to match ldap functionality properly --- README.md | 14 ++++++++------ docker-compose.yml | 5 +++-- .../sharelatex/AuthenticationManager.js | 9 +++++---- ldap-overleaf-sl/sharelatex/ContactController.js | 4 ++-- 4 files changed, 18 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index f7aba16..de7e95f 100644 --- a/README.md +++ b/README.md @@ -63,23 +63,25 @@ Edit [docker-compose.yml](docker-compose.yml) to fit your local setup. ``` LDAP_SERVER: ldaps://LDAPSERVER:636 -LDAP_BIND_BASE: ou=people,dc=DOMAIN,dc=TLD +LDAP_BASE: ou=people,dc=DOMAIN,dc=TLD +LDAP_BINDDN: ou=someunit,ou=people,dc=DOMAIN,dc=TLS # By default tries to bind directly with the ldap user - this user has to be in the LDAP GROUP +# you have to set a group filter a minimal groupfilter would be: '(objectClass=person)' LDAP_GROUP_FILTER: '(memberof=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)' # if user is in ADMIN_GROUP on user creation (2 first login) it sets isAdmin to true. LDAP_ADMIN_GROUP_FILTER: '(memberof=cn=ADMINGROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)' LDAP_CONTACTS: 'true' ``` -### Contacts +### LDAP Contacts -All users in the GROUPNAME are loaded from the ldap server into the contacts. At the moment -this happens every time you click on "Share" within a project. +If you enable this, then all users in GROUPNAME are loaded from the ldap server into the contacts. +At the moment this happens every time you click on "Share" within a project. The user search happens without bind - so if your LDAP needs a bind you can adapt this in the function `getLdapContacts()` in ContactsController.js (lines 82 - 107) -if you want to disable this function set: +if you want to enable this function set: ``` -LDAP_CONTACTS: 'false' +LDAP_CONTACTS: 'true' ``` ### Sharelatex Configuration 
diff --git a/docker-compose.yml b/docker-compose.yml
index 3106c02..27d3081 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -44,12 +44,13 @@ services:
 SHARELATEX_CUSTOM_EMAIL_FOOTER: "This system is run by ${MYDOMAIN} - please contact ${MYMAIL} if you experience any issues."
 LDAP_SERVER: ldaps://LDAPSERVER:636
- LDAP_BIND_BASE: ou=people,dc=DOMAIN,dc=TLD
+ LDAP_BASE: ou=people,dc=DOMAIN,dc=TLD
+ LDAP_BINDDN: ou=someunit,ou=people,dc=DOMAIN,dc=TLS
 # By default tries to bind directly with the ldap user - this user has to be in the LDAP GROUP
 LDAP_GROUP_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
 # if user is in ADMIN_GROUP on user creation (first login) isAdmin is set to true.
 LDAP_ADMIN_GROUP_FILTER: '(memberof=cn=ADMINGROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
- LDAP_CONTACTS: 'true'
+ LDAP_CONTACTS: 'false'
 # Same property, unfortunately with different names in
 # different locations
diff --git a/ldap-overleaf-sl/sharelatex/AuthenticationManager.js b/ldap-overleaf-sl/sharelatex/AuthenticationManager.js
index 76d2774..8263a83 100644
--- a/ldap-overleaf-sl/sharelatex/AuthenticationManager.js
+++ b/ldap-overleaf-sl/sharelatex/AuthenticationManager.js
@@ -269,10 +269,11 @@ const AuthenticationManager = {
 });
 //const bindDn = process.env.LDAP_BIND_USER
 //const bindPassword = process.env.LDAP_BIND_PW
- const ldap_bb = process.env.LDAP_BIND_BASE
+ const ldap_bd = process.env.LDAP_BINDDN
+ const ldap_base = process.env.LDAP_BASE
 const uid = query.email.split('@')[0]
 const filterstr = '(&' + process.env.LDAP_GROUP_FILTER + '(uid=' + uid + '))'
- const userDn = 'uid=' + uid + ',' + ldap_bb;
+ const userDn = 'uid=' + uid + ',' + ldap_bd;
 var mail = ""
 var firstname = ""
 var lastname = ""
@@ -287,7 +288,7 @@ const AuthenticationManager = {
 }
 // get user data
 try {
- const {searchEntries, searchRef,} = await client.search(ldap_bb, {
+ const {searchEntries, searchRef,} = await client.search(ldap_base, {
 scope: 'sub',
 filter: filterstr ,
 });
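Review bot: The sample `LDAP_BINDDN: ou=someunit,ou=people,dc=DOMAIN,dc=TLS` ends in `dc=TLS` while `LDAP_BASE` and both group filters in the same hunk use `dc=TLD`; this looks like a typo, and a deployment that copies it as-is builds user DNs outside the configured base so every bind fails. The same sample line appears in the README hunk. A one-line fix: `LDAP_BINDDN: ou=someunit,ou=people,dc=DOMAIN,dc=TLD`. Because `LDAP_BIND_BASE` is removed rather than kept as an alias, an existing deployment that only sets the old name silently loses both values; a comment next to `LDAP_BASE` such as `# formerly LDAP_BIND_BASE; both LDAP_BASE and LDAP_BINDDN must now be set` would make the migration explicit.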
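Review bot: The rewritten `const userDn = 'uid=' + uid + ',' + ldap_bd;` and the `filterstr` line above it splice `uid` — the local part of the user-supplied e-mail — into a DN and a search filter without escaping, so characters that are special in DNs or filters (`,`, `+`, `*`, `(`, `)`, `\`) change the meaning of the bind target and the query; this predates the commit, but the DN line is touched here and is the natural place to address it. A cheap guard before both lines is to reject anything outside the expected uid alphabet, e.g. `if (!/^[A-Za-z0-9._-]+$/.test(uid)) { /* take the function's existing failed-login path */ }`, or to escape via the client library's DN/filter helpers if it provides them. Separately, `ldap_bd` and `ldap_base` are read with no fallback to the removed `LDAP_BIND_BASE`, so an unchanged deployment builds `uid=<uid>,undefined` and searches base `undefined`; the same applies to `ldap_base` in the ContactController hunk. `const ldap_bd = process.env.LDAP_BINDDN || process.env.LDAP_BASE` would keep old configs working where bind DN and base coincide. The enclosing function starts before and ends after this hunk.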
@@ -309,7 +310,7 @@ const AuthenticationManager = {
 // if admin filter is set - only set admin for user in ldap group
 if (process.env.LDAP_ADMIN_GROUP_FILTER) {
 const adminfilter = '(&' + process.env.LDAP_ADMIN_GROUP_FILTER + '(uid=' + uid + '))'
- adminEntry = await client.search(ldap_bb, {
+ adminEntry = await client.search(ldap_base, {
 scope: 'sub',
 filter: adminfilter,
 });
diff --git a/ldap-overleaf-sl/sharelatex/ContactController.js b/ldap-overleaf-sl/sharelatex/ContactController.js
index 049038f..7a91286 100644
--- a/ldap-overleaf-sl/sharelatex/ContactController.js
+++ b/ldap-overleaf-sl/sharelatex/ContactController.js
@@ -86,10 +86,10 @@ module.exports = ContactsController = {
 const client = new Client({
 url: process.env.LDAP_SERVER,
 });
- const ldap_bb = process.env.LDAP_BIND_BASE
+ const ldap_base = process.env.LDAP_BASE
 // get user data
 try {
- const {searchEntries,searchReferences,} = await client.search(ldap_bb, {scope: 'sub',filter: process.env.LDAP_GROUP_FILTER ,});
+ const {searchEntries,searchReferences,} = await client.search(ldap_base, {scope: 'sub',filter: process.env.LDAP_GROUP_FILTER ,});
 await searchEntries;
 for (var i = 0; i < searchEntries.length; i++) {
 var entry = new Map()