2024-06-21 07:14:53 -07:00
|
|
|
const fs = require('fs');
|
2024-05-29 14:46:20 -07:00
|
|
|
const LdapStrategy = require('passport-ldapauth');
|
2024-12-13 11:40:24 -05:00
|
|
|
const { SystemRoles } = require('librechat-data-provider');
|
2024-06-07 17:43:36 -04:00
|
|
|
const { findUser, createUser, updateUser } = require('~/models/userMethods');
|
2024-12-13 11:40:24 -05:00
|
|
|
const { countUsers } = require('~/models/userMethods');
|
2024-07-28 01:16:39 +05:30
|
|
|
const { isEnabled } = require('~/server/utils');
|
2024-06-21 07:14:53 -07:00
|
|
|
const logger = require('~/utils/logger');
|
|
|
|
|
|
|
|
|
|
const {
|
|
|
|
|
LDAP_URL,
|
|
|
|
|
LDAP_BIND_DN,
|
|
|
|
|
LDAP_BIND_CREDENTIALS,
|
|
|
|
|
LDAP_USER_SEARCH_BASE,
|
|
|
|
|
LDAP_SEARCH_FILTER,
|
|
|
|
|
LDAP_CA_CERT_PATH,
|
|
|
|
|
LDAP_FULL_NAME,
|
|
|
|
|
LDAP_ID,
|
|
|
|
|
LDAP_USERNAME,
|
2024-09-21 10:44:27 -04:00
|
|
|
LDAP_EMAIL,
|
2024-07-28 01:16:39 +05:30
|
|
|
LDAP_TLS_REJECT_UNAUTHORIZED,
|
2025-03-21 12:55:09 +01:00
|
|
|
LDAP_STARTTLS,
|
2024-06-21 07:14:53 -07:00
|
|
|
} = process.env;
|
|
|
|
|
|
|
|
|
|
// Check required environment variables
|
|
|
|
|
if (!LDAP_URL || !LDAP_USER_SEARCH_BASE) {
|
2025-05-16 23:18:52 +09:00
|
|
|
module.exports = null;
|
2024-06-21 07:14:53 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const searchAttributes = [
|
|
|
|
|
'displayName',
|
|
|
|
|
'mail',
|
|
|
|
|
'uid',
|
|
|
|
|
'cn',
|
|
|
|
|
'name',
|
|
|
|
|
'commonname',
|
|
|
|
|
'givenName',
|
|
|
|
|
'sn',
|
|
|
|
|
'sAMAccountName',
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
if (LDAP_FULL_NAME) {
|
|
|
|
|
searchAttributes.push(...LDAP_FULL_NAME.split(','));
|
|
|
|
|
}
|
|
|
|
|
if (LDAP_ID) {
|
|
|
|
|
searchAttributes.push(LDAP_ID);
|
|
|
|
|
}
|
|
|
|
|
if (LDAP_USERNAME) {
|
|
|
|
|
searchAttributes.push(LDAP_USERNAME);
|
|
|
|
|
}
|
2024-09-21 10:44:27 -04:00
|
|
|
if (LDAP_EMAIL) {
|
|
|
|
|
searchAttributes.push(LDAP_EMAIL);
|
|
|
|
|
}
|
2024-07-28 01:16:39 +05:30
|
|
|
const rejectUnauthorized = isEnabled(LDAP_TLS_REJECT_UNAUTHORIZED);
|
2025-03-21 12:55:09 +01:00
|
|
|
const startTLS = isEnabled(LDAP_STARTTLS);
|
2024-05-29 14:46:20 -07:00
|
|
|
|
|
|
|
|
const ldapOptions = {
|
|
|
|
|
server: {
|
2024-06-21 07:14:53 -07:00
|
|
|
url: LDAP_URL,
|
|
|
|
|
bindDN: LDAP_BIND_DN,
|
|
|
|
|
bindCredentials: LDAP_BIND_CREDENTIALS,
|
|
|
|
|
searchBase: LDAP_USER_SEARCH_BASE,
|
|
|
|
|
searchFilter: LDAP_SEARCH_FILTER || 'mail={{username}}',
|
|
|
|
|
searchAttributes: [...new Set(searchAttributes)],
|
|
|
|
|
...(LDAP_CA_CERT_PATH && {
|
|
|
|
|
tlsOptions: {
|
2024-07-28 01:16:39 +05:30
|
|
|
rejectUnauthorized,
|
2024-06-21 07:14:53 -07:00
|
|
|
ca: (() => {
|
|
|
|
|
try {
|
|
|
|
|
return [fs.readFileSync(LDAP_CA_CERT_PATH)];
|
|
|
|
|
} catch (err) {
|
|
|
|
|
logger.error('[ldapStrategy]', 'Failed to read CA certificate', err);
|
|
|
|
|
throw err;
|
|
|
|
|
}
|
|
|
|
|
})(),
|
|
|
|
|
},
|
2024-05-29 14:46:20 -07:00
|
|
|
}),
|
2025-03-21 12:55:09 +01:00
|
|
|
...(startTLS && { starttls: true }),
|
2024-05-29 14:46:20 -07:00
|
|
|
},
|
|
|
|
|
usernameField: 'email',
|
|
|
|
|
passwordField: 'password',
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const ldapLogin = new LdapStrategy(ldapOptions, async (userinfo, done) => {
|
|
|
|
|
if (!userinfo) {
|
|
|
|
|
return done(null, false, { message: 'Invalid credentials' });
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
try {
|
2024-06-21 07:14:53 -07:00
|
|
|
const ldapId =
|
|
|
|
|
(LDAP_ID && userinfo[LDAP_ID]) || userinfo.uid || userinfo.sAMAccountName || userinfo.mail;
|
|
|
|
|
|
|
|
|
|
let user = await findUser({ ldapId });
|
|
|
|
|
|
|
|
|
|
const fullNameAttributes = LDAP_FULL_NAME && LDAP_FULL_NAME.split(',');
|
2024-05-29 14:46:20 -07:00
|
|
|
const fullName =
|
2024-06-21 07:14:53 -07:00
|
|
|
fullNameAttributes && fullNameAttributes.length > 0
|
|
|
|
|
? fullNameAttributes.map((attr) => userinfo[attr]).join(' ')
|
|
|
|
|
: userinfo.cn || userinfo.name || userinfo.commonname || userinfo.displayName;
|
|
|
|
|
|
|
|
|
|
const username =
|
|
|
|
|
(LDAP_USERNAME && userinfo[LDAP_USERNAME]) || userinfo.givenName || userinfo.mail;
|
2024-05-29 14:46:20 -07:00
|
|
|
|
2024-09-21 10:44:27 -04:00
|
|
|
const mail = (LDAP_EMAIL && userinfo[LDAP_EMAIL]) || userinfo.mail || username + '@ldap.local';
|
|
|
|
|
|
|
|
|
|
if (!userinfo.mail && !(LDAP_EMAIL && userinfo[LDAP_EMAIL])) {
|
|
|
|
|
logger.warn(
|
|
|
|
|
'[ldapStrategy]',
|
|
|
|
|
`No valid email attribute found in LDAP userinfo. Using fallback email: ${username}@ldap.local`,
|
|
|
|
|
`LDAP_EMAIL env var: ${LDAP_EMAIL || 'not set'}`,
|
|
|
|
|
`Available userinfo attributes: ${Object.keys(userinfo).join(', ')}`,
|
|
|
|
|
'Full userinfo:',
|
|
|
|
|
JSON.stringify(userinfo, null, 2),
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2024-05-29 14:46:20 -07:00
|
|
|
if (!user) {
|
2024-12-13 11:40:24 -05:00
|
|
|
const isFirstRegisteredUser = (await countUsers()) === 0;
|
2024-06-07 21:06:47 +02:00
|
|
|
user = {
|
2024-05-29 14:46:20 -07:00
|
|
|
provider: 'ldap',
|
2024-06-21 07:14:53 -07:00
|
|
|
ldapId,
|
2024-05-29 14:46:20 -07:00
|
|
|
username,
|
2024-09-21 10:44:27 -04:00
|
|
|
email: mail,
|
2024-06-21 07:14:53 -07:00
|
|
|
emailVerified: true, // The ldap server administrator should verify the email
|
2024-05-29 14:46:20 -07:00
|
|
|
name: fullName,
|
2024-12-13 11:40:24 -05:00
|
|
|
role: isFirstRegisteredUser ? SystemRoles.ADMIN : SystemRoles.USER,
|
2024-06-07 21:06:47 +02:00
|
|
|
};
|
2024-06-07 17:43:36 -04:00
|
|
|
const userId = await createUser(user);
|
|
|
|
|
user._id = userId;
|
2024-05-29 14:46:20 -07:00
|
|
|
} else {
|
2024-06-21 07:14:53 -07:00
|
|
|
// Users registered in LDAP are assumed to have their user information managed in LDAP,
|
|
|
|
|
// so update the user information with the values registered in LDAP
|
2024-05-29 14:46:20 -07:00
|
|
|
user.provider = 'ldap';
|
2024-06-21 07:14:53 -07:00
|
|
|
user.ldapId = ldapId;
|
2024-09-21 10:44:27 -04:00
|
|
|
user.email = mail;
|
2024-05-29 14:46:20 -07:00
|
|
|
user.username = username;
|
|
|
|
|
user.name = fullName;
|
|
|
|
|
}
|
|
|
|
|
|
2024-06-07 17:43:36 -04:00
|
|
|
user = await updateUser(user._id, user);
|
2024-05-29 14:46:20 -07:00
|
|
|
done(null, user);
|
|
|
|
|
} catch (err) {
|
2024-06-21 07:14:53 -07:00
|
|
|
logger.error('[ldapStrategy]', err);
|
2024-05-29 14:46:20 -07:00
|
|
|
done(err);
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
module.exports = ldapLogin;
|
