wikijs-fork/server/modules/authentication/ldap/authentication.js

98 lines
3.1 KiB
JavaScript
Raw Permalink Normal View History

/* global WIKI */
2017-07-29 21:33:08 +00:00
// ------------------------------------
// LDAP Account
// ------------------------------------
const LdapStrategy = require('passport-ldapauth').Strategy
2017-07-30 04:04:57 +00:00
const fs = require('fs')
2019-04-27 03:59:35 +00:00
const _ = require('lodash')
2017-07-29 21:33:08 +00:00
module.exports = {
init (passport, conf) {
passport.use(conf.key,
new LdapStrategy({
server: {
url: conf.url,
bindDn: conf.bindDn,
bindCredentials: conf.bindCredentials,
searchBase: conf.searchBase,
searchFilter: conf.searchFilter,
tlsOptions: getTlsOptions(conf),
...conf.mapGroups && {
groupSearchBase: conf.groupSearchBase,
groupSearchFilter: conf.groupSearchFilter,
groupSearchScope: conf.groupSearchScope,
groupDnProperty: conf.groupDnProperty,
groupSearchAttributes: [conf.groupNameField]
},
2020-09-08 00:02:33 +00:00
includeRaw: true
},
usernameField: 'email',
2019-04-27 03:59:35 +00:00
passwordField: 'password',
2020-09-05 19:19:18 +00:00
passReqToCallback: true
}, async (req, profile, cb) => {
2019-04-27 03:59:35 +00:00
try {
const userId = _.get(profile, conf.mappingUID, null)
if (!userId) {
throw new Error('Invalid Unique ID field mapping!')
}
const user = await WIKI.models.users.processProfile({
providerKey: req.params.strategy,
2019-04-27 03:59:35 +00:00
profile: {
id: userId,
email: String(_.get(profile, conf.mappingEmail, '')).split(',')[0],
2019-04-27 03:59:35 +00:00
displayName: _.get(profile, conf.mappingDisplayName, '???'),
2020-09-08 00:02:33 +00:00
picture: _.get(profile, `_raw.${conf.mappingPicture}`, '')
}
2019-04-27 03:59:35 +00:00
})
// map users LDAP groups to wiki groups with the same name, and remove any groups that don't match LDAP
if (conf.mapGroups) {
const ldapGroups = _.get(profile, '_groups')
if (ldapGroups && _.isArray(ldapGroups)) {
const groups = ldapGroups.map(g => g[conf.groupNameField])
const currentGroups = (await user.$relatedQuery('groups').select('groups.id')).map(g => g.id)
const expectedGroups = Object.values(WIKI.auth.groups).filter(g => groups.includes(g.name)).map(g => g.id)
for (const groupId of _.difference(expectedGroups, currentGroups)) {
await user.$relatedQuery('groups').relate(groupId)
}
for (const groupId of _.difference(currentGroups, expectedGroups)) {
await user.$relatedQuery('groups').unrelate().where('groupId', groupId)
}
}
}
2019-04-27 03:59:35 +00:00
cb(null, user)
} catch (err) {
2019-06-05 02:23:32 +00:00
if (WIKI.config.flags.ldapdebug) {
WIKI.logger.warn('LDAP LOGIN ERROR (c2): ', err)
}
2019-04-27 03:59:35 +00:00
cb(err, null)
}
}
))
}
2017-07-29 21:33:08 +00:00
}
function getTlsOptions(conf) {
if (!conf.tlsEnabled) {
return {}
}
if (!conf.tlsCertPath) {
return {
rejectUnauthorized: conf.verifyTLSCertificate
}
}
const caList = []
if (conf.verifyTLSCertificate) {
caList.push(fs.readFileSync(conf.tlsCertPath))
}
return {
rejectUnauthorized: conf.verifyTLSCertificate,
ca: caList
}
}