Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2025-12-16 15:30:13 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Merge branch 'edge' into meteor-1.8

Browse source
This commit is contained in:
Lauri Ojansivu 2019-05-10 23:20:17 +03:00
commit df69ade422
13 changed files with 173 additions and 104 deletions
Download patch file Download diff file Expand all files Collapse all files

15
CHANGELOG.md
View file

@ -1,9 +1,22 @@
# v2.68 2019-05-10 Wekan release
This release adds the following new features:
- [Option to login to the LDAP server with the user's own username and password, instead of an administrator
key](https://github.com/wekan/wekan/pull/2399). Default: false (use administrator key).
With new setting: LDAP_USER_AUTHENTICATION=true.
Thanks to thiagofernando.
- [Added above new LDAP_USER_AUTHENTION=true option to Snap, Docker and Source settings](https://github.com/wekan/wekan/commit/3bbc805ee42e3c1638b50260d3fafc2b5f936923).
Thanks to xet7.
Thanks to above GitHub users for their contributions and translators for their translations.
# v2.67 2019-05-10 Wekan release # v2.67 2019-05-10 Wekan release
This release adds the following new features: This release adds the following new features:
- [Move board to Archive button at each board at All Boards page](https://github.com/wekan/wekan/commit/828f6ea321020eda77fea399df52889e2081dfac). - [Move board to Archive button at each board at All Boards page](https://github.com/wekan/wekan/commit/828f6ea321020eda77fea399df52889e2081dfac).
Thanks to xet7. Related #2389 Thanks to xet7. Related [#2389](https://github.com/wekan/wekan/issues/2389).
- [If adding Subtasks does not work on old board, added wiki page how to make it work again](https://github.com/wekan/wekan/wiki/Subtasks). - [If adding Subtasks does not work on old board, added wiki page how to make it work again](https://github.com/wekan/wekan/wiki/Subtasks).
Thanks to xet7. Thanks to xet7.

1
Dockerfile
View file

@ -61,6 +61,7 @@ ENV BUILD_DEPS="apt-utils bsdtar gnupg gosu wget curl bzip2 build-essential pyth
LDAP_ENCRYPTION=false \ LDAP_ENCRYPTION=false \
LDAP_CA_CERT="" \ LDAP_CA_CERT="" \
LDAP_REJECT_UNAUTHORIZED=false \ LDAP_REJECT_UNAUTHORIZED=false \
LDAP_USER_AUTHENTICATION=false \
LDAP_USER_SEARCH_FILTER="" \ LDAP_USER_SEARCH_FILTER="" \
LDAP_USER_SEARCH_SCOPE="" \ LDAP_USER_SEARCH_SCOPE="" \
LDAP_USER_SEARCH_FIELD="" \ LDAP_USER_SEARCH_FIELD="" \

2
Stackerfile.yml
View file

@ -1,5 +1,5 @@
appId: wekan-public/apps/77b94f60-dec9-0136-304e-16ff53095928 appId: wekan-public/apps/77b94f60-dec9-0136-304e-16ff53095928
appVersion: "v2.67.0" appVersion: "v2.68.0"
files: files:
userUploads: userUploads:
- README.md - README.md

3
docker-compose.yml
View file

@ -400,6 +400,9 @@ services:
# Reject Unauthorized Certificate # Reject Unauthorized Certificate
#- LDAP_REJECT_UNAUTHORIZED=false #- LDAP_REJECT_UNAUTHORIZED=false
# #
# Option to login to the LDAP server with the user's own username and password, instead of an administrator key. Default: false (use administrator key).
#- LDAP_USER_AUTHENTICATION="true"
#
# Optional extra LDAP filters. Don't forget the outmost enclosing parentheses if needed # Optional extra LDAP filters. Don't forget the outmost enclosing parentheses if needed
#- LDAP_USER_SEARCH_FILTER= #- LDAP_USER_SEARCH_FILTER=
# #

2
package.json
View file

@ -1,6 +1,6 @@
{ {
"name": "wekan", "name": "wekan",
"version": "v2.67.0", "version": "v2.68.0",
"description": "Open-Source kanban", "description": "Open-Source kanban",
"private": true, "private": true,
"scripts": { "scripts": {

182
packages/wekan-ldap/server/ldap.js
View file

@ -1,41 +1,44 @@
import ldapjs from 'ldapjs'; import ldapjs from 'ldapjs';
import util from 'util'; import util from 'util';
import Bunyan from 'bunyan'; import Bunyan from 'bunyan';
import { log_debug, log_info, log_warn, log_error } from './logger'; import {log_debug, log_info, log_warn, log_error} from './logger';
export default class LDAP { export default class LDAP {
constructor(){ constructor() {
this.ldapjs = ldapjs; this.ldapjs = ldapjs;
this.connected = false; this.connected = false;
this.options = { this.options = {
host: this.constructor.settings_get('LDAP_HOST'), host : this.constructor.settings_get('LDAP_HOST'),
port: this.constructor.settings_get('LDAP_PORT'), port : this.constructor.settings_get('LDAP_PORT'),
Reconnect: this.constructor.settings_get('LDAP_RECONNECT'), Reconnect : this.constructor.settings_get('LDAP_RECONNECT'),
timeout: this.constructor.settings_get('LDAP_TIMEOUT'), timeout : this.constructor.settings_get('LDAP_TIMEOUT'),
connect_timeout: this.constructor.settings_get('LDAP_CONNECT_TIMEOUT'), connect_timeout : this.constructor.settings_get('LDAP_CONNECT_TIMEOUT'),
idle_timeout: this.constructor.settings_get('LDAP_IDLE_TIMEOUT'), idle_timeout : this.constructor.settings_get('LDAP_IDLE_TIMEOUT'),
encryption: this.constructor.settings_get('LDAP_ENCRYPTION'), encryption : this.constructor.settings_get('LDAP_ENCRYPTION'),
ca_cert: this.constructor.settings_get('LDAP_CA_CERT'), ca_cert : this.constructor.settings_get('LDAP_CA_CERT'),
reject_unauthorized: this.constructor.settings_get('LDAP_REJECT_UNAUTHORIZED') || false, reject_unauthorized : this.constructor.settings_get('LDAP_REJECT_UNAUTHORIZED') || false,
Authentication: this.constructor.settings_get('LDAP_AUTHENTIFICATION'), Authentication : this.constructor.settings_get('LDAP_AUTHENTIFICATION'),
Authentication_UserDN: this.constructor.settings_get('LDAP_AUTHENTIFICATION_USERDN'), Authentication_UserDN : this.constructor.settings_get('LDAP_AUTHENTIFICATION_USERDN'),
Authentication_Password: this.constructor.settings_get('LDAP_AUTHENTIFICATION_PASSWORD'), Authentication_Password : this.constructor.settings_get('LDAP_AUTHENTIFICATION_PASSWORD'),
Authentication_Fallback: this.constructor.settings_get('LDAP_LOGIN_FALLBACK'), Authentication_Fallback : this.constructor.settings_get('LDAP_LOGIN_FALLBACK'),
BaseDN: this.constructor.settings_get('LDAP_BASEDN'), BaseDN : this.constructor.settings_get('LDAP_BASEDN'),
Internal_Log_Level: this.constructor.settings_get('INTERNAL_LOG_LEVEL'), Internal_Log_Level : this.constructor.settings_get('INTERNAL_LOG_LEVEL'),
User_Search_Filter: this.constructor.settings_get('LDAP_USER_SEARCH_FILTER'), User_Authentication : this.constructor.settings_get('LDAP_USER_AUTHENTICATION'),
User_Search_Scope: this.constructor.settings_get('LDAP_USER_SEARCH_SCOPE'), User_Attributes : this.constructor.settings_get('LDAP_USER_ATTRIBUTES'),
User_Search_Field: this.constructor.settings_get('LDAP_USER_SEARCH_FIELD'), User_Search_Filter : this.constructor.settings_get('LDAP_USER_SEARCH_FILTER'),
Search_Page_Size: this.constructor.settings_get('LDAP_SEARCH_PAGE_SIZE'), User_Search_Scope : this.constructor.settings_get('LDAP_USER_SEARCH_SCOPE'),
Search_Size_Limit: this.constructor.settings_get('LDAP_SEARCH_SIZE_LIMIT'), User_Search_Field : this.constructor.settings_get('LDAP_USER_SEARCH_FIELD'),
group_filter_enabled: this.constructor.settings_get('LDAP_GROUP_FILTER_ENABLE'), Search_Page_Size : this.constructor.settings_get('LDAP_SEARCH_PAGE_SIZE'),
group_filter_object_class: this.constructor.settings_get('LDAP_GROUP_FILTER_OBJECTCLASS'), Search_Size_Limit : this.constructor.settings_get('LDAP_SEARCH_SIZE_LIMIT'),
group_filter_group_id_attribute: this.constructor.settings_get('LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE'), group_filter_enabled : this.constructor.settings_get('LDAP_GROUP_FILTER_ENABLE'),
group_filter_object_class : this.constructor.settings_get('LDAP_GROUP_FILTER_OBJECTCLASS'),
group_filter_group_id_attribute : this.constructor.settings_get('LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE'),
group_filter_group_member_attribute: this.constructor.settings_get('LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE'), group_filter_group_member_attribute: this.constructor.settings_get('LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE'),
group_filter_group_member_format: this.constructor.settings_get('LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT'), group_filter_group_member_format : this.constructor.settings_get('LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT'),
group_filter_group_name: this.constructor.settings_get('LDAP_GROUP_FILTER_GROUP_NAME'), group_filter_group_name : this.constructor.settings_get('LDAP_GROUP_FILTER_GROUP_NAME'),
}; };
} }
@ -52,14 +55,16 @@ export default class LDAP {
log_warn(`Lookup for unset variable: ${name}`); log_warn(`Lookup for unset variable: ${name}`);
} }
} }
connectSync(...args) { connectSync(...args) {
if (!this._connectSync) { if (!this._connectSync) {
this._connectSync = Meteor.wrapAsync(this.connectAsync, this); this._connectSync = Meteor.wrapAsync(this.connectAsync, this);
} }
return this._connectSync(...args); return this._connectSync(...args);
} }
searchAllSync(...args) { searchAllSync(...args) {
if (!this._searchAllSync) { if (!this._searchAllSync) {
this._searchAllSync = Meteor.wrapAsync(this.searchAllAsync, this); this._searchAllSync = Meteor.wrapAsync(this.searchAllAsync, this);
} }
@ -72,19 +77,19 @@ export default class LDAP {
let replied = false; let replied = false;
const connectionOptions = { const connectionOptions = {
url: `${ this.options.host }:${ this.options.port }`, url : `${this.options.host}:${this.options.port}`,
timeout: this.options.timeout, timeout : this.options.timeout,
connectTimeout: this.options.connect_timeout, connectTimeout: this.options.connect_timeout,
idleTimeout: this.options.idle_timeout, idleTimeout : this.options.idle_timeout,
reconnect: this.options.Reconnect, reconnect : this.options.Reconnect,
}; };
if (this.options.Internal_Log_Level !== 'disabled') { if (this.options.Internal_Log_Level !== 'disabled') {
connectionOptions.log = new Bunyan({ connectionOptions.log = new Bunyan({
name: 'ldapjs', name : 'ldapjs',
component: 'client', component: 'client',
stream: process.stderr, stream : process.stderr,
level: this.options.Internal_Log_Level, level : this.options.Internal_Log_Level,
}); });
} }
@ -95,8 +100,8 @@ export default class LDAP {
if (this.options.ca_cert && this.options.ca_cert !== '') { if (this.options.ca_cert && this.options.ca_cert !== '') {
// Split CA cert into array of strings // Split CA cert into array of strings
const chainLines = this.constructor.settings_get('LDAP_CA_CERT').split('\n'); const chainLines = this.constructor.settings_get('LDAP_CA_CERT').split('\n');
let cert = []; let cert = [];
const ca = []; const ca = [];
chainLines.forEach((line) => { chainLines.forEach((line) => {
cert.push(line); cert.push(line);
if (line.match(/-END CERTIFICATE-/)) { if (line.match(/-END CERTIFICATE-/)) {
@ -108,14 +113,14 @@ export default class LDAP {
} }
if (this.options.encryption === 'ssl') { if (this.options.encryption === 'ssl') {
connectionOptions.url = `ldaps://${ connectionOptions.url }`; connectionOptions.url = `ldaps://${connectionOptions.url}`;
connectionOptions.tlsOptions = tlsOptions; connectionOptions.tlsOptions = tlsOptions;
} else { } else {
connectionOptions.url = `ldap://${ connectionOptions.url }`; connectionOptions.url = `ldap://${connectionOptions.url}`;
} }
log_info('Connecting', connectionOptions.url); log_info('Connecting', connectionOptions.url);
log_debug(`connectionOptions${ util.inspect(connectionOptions)}`); log_debug(`connectionOptions${util.inspect(connectionOptions)}`);
this.client = ldapjs.createClient(connectionOptions); this.client = ldapjs.createClient(connectionOptions);
@ -189,23 +194,42 @@ export default class LDAP {
if (this.options.User_Search_Filter !== '') { if (this.options.User_Search_Filter !== '') {
if (this.options.User_Search_Filter[0] === '(') { if (this.options.User_Search_Filter[0] === '(') {
filter.push(`${ this.options.User_Search_Filter }`); filter.push(`${this.options.User_Search_Filter}`);
} else { } else {
filter.push(`(${ this.options.User_Search_Filter })`); filter.push(`(${this.options.User_Search_Filter})`);
} }
} }
const usernameFilter = this.options.User_Search_Field.split(',').map((item) => `(${ item }=${ username })`); const usernameFilter = this.options.User_Search_Field.split(',').map((item) => `(${item}=${username})`);
if (usernameFilter.length === 0) { if (usernameFilter.length === 0) {
log_error('LDAP_LDAP_User_Search_Field not defined'); log_error('LDAP_LDAP_User_Search_Field not defined');
} else if (usernameFilter.length === 1) { } else if (usernameFilter.length === 1) {
filter.push(`${ usernameFilter[0] }`); filter.push(`${usernameFilter[0]}`);
} else { } else {
filter.push(`(|${ usernameFilter.join('') })`); filter.push(`(|${usernameFilter.join('')})`);
} }
return `(&${ filter.join('') })`; return `(&${filter.join('')})`;
}
bindUserIfNecessary(username, password) {
if (this.domainBinded === true) {
return;
}
if (!this.options.User_Authentication) {
return;
}
if (!this.options.BaseDN) throw new Error('BaseDN is not provided');
const userDn = `uid=${username},${this.options.BaseDN}`;
this.bindSync(userDn, password);
this.domainBinded = true;
} }
bindIfNecessary() { bindIfNecessary() {
@ -218,22 +242,24 @@ export default class LDAP {
} }
log_info('Binding UserDN', this.options.Authentication_UserDN); log_info('Binding UserDN', this.options.Authentication_UserDN);
this.bindSync(this.options.Authentication_UserDN, this.options.Authentication_Password); this.bindSync(this.options.Authentication_UserDN, this.options.Authentication_Password);
this.domainBinded = true; this.domainBinded = true;
} }
searchUsersSync(username, page) { searchUsersSync(username, page) {
this.bindIfNecessary(); this.bindIfNecessary();
const searchOptions = { const searchOptions = {
filter: this.getUserFilter(username), filter : this.getUserFilter(username),
scope: this.options.User_Search_Scope || 'sub', scope : this.options.User_Search_Scope || 'sub',
sizeLimit: this.options.Search_Size_Limit, sizeLimit: this.options.Search_Size_Limit,
}; };
if (!!this.options.User_Attributes) searchOptions.attributes = this.options.User_Attributes.split(',');
if (this.options.Search_Page_Size > 0) { if (this.options.Search_Page_Size > 0) {
searchOptions.paged = { searchOptions.paged = {
pageSize: this.options.Search_Page_Size, pageSize : this.options.Search_Page_Size,
pagePause: !!page, pagePause: !!page,
}; };
} }
@ -266,11 +292,11 @@ export default class LDAP {
Unique_Identifier_Field.forEach((item) => { Unique_Identifier_Field.forEach((item) => {
filters.push(new this.ldapjs.filters.EqualityFilter({ filters.push(new this.ldapjs.filters.EqualityFilter({
attribute: item, attribute: item,
value: new Buffer(id, 'hex'), value : new Buffer(id, 'hex'),
})); }));
}); });
filter = new this.ldapjs.filters.OrFilter({filters}); filter = new this.ldapjs.filters.OrFilter({ filters });
} }
const searchOptions = { const searchOptions = {
@ -300,7 +326,7 @@ export default class LDAP {
const searchOptions = { const searchOptions = {
filter: this.getUserFilter(username), filter: this.getUserFilter(username),
scope: this.options.User_Search_Scope || 'sub', scope : this.options.User_Search_Scope || 'sub',
}; };
log_info('Searching user', username); log_info('Searching user', username);
@ -320,7 +346,7 @@ export default class LDAP {
return result[0]; return result[0];
} }
getUserGroups(username, ldapUser){ getUserGroups(username, ldapUser) {
if (!this.options.group_filter_enabled) { if (!this.options.group_filter_enabled) {
return true; return true;
} }
@ -328,13 +354,13 @@ export default class LDAP {
const filter = ['(&']; const filter = ['(&'];
if (this.options.group_filter_object_class !== '') { if (this.options.group_filter_object_class !== '') {
filter.push(`(objectclass=${ this.options.group_filter_object_class })`); filter.push(`(objectclass=${this.options.group_filter_object_class})`);
} }
if (this.options.group_filter_group_member_attribute !== '') { if (this.options.group_filter_group_member_attribute !== '') {
const format_value = ldapUser[this.options.group_filter_group_member_format]; const format_value = ldapUser[this.options.group_filter_group_member_format];
if( format_value ) { if (format_value) {
filter.push(`(${ this.options.group_filter_group_member_attribute }=${ format_value })`); filter.push(`(${this.options.group_filter_group_member_attribute}=${format_value})`);
} }
} }
@ -342,7 +368,7 @@ export default class LDAP {
const searchOptions = { const searchOptions = {
filter: filter.join('').replace(/#{username}/g, username), filter: filter.join('').replace(/#{username}/g, username),
scope: 'sub', scope : 'sub',
}; };
log_debug('Group list filter LDAP:', searchOptions.filter); log_debug('Group list filter LDAP:', searchOptions.filter);
@ -354,11 +380,11 @@ export default class LDAP {
} }
const grp_identifier = this.options.group_filter_group_id_attribute || 'cn'; const grp_identifier = this.options.group_filter_group_id_attribute || 'cn';
const groups = []; const groups = [];
result.map((item) => { result.map((item) => {
groups.push( item[ grp_identifier ] ); groups.push(item[grp_identifier]);
}); });
log_debug(`Groups: ${ groups.join(', ')}`); log_debug(`Groups: ${groups.join(', ')}`);
return groups; return groups;
} }
@ -373,24 +399,24 @@ export default class LDAP {
const filter = ['(&']; const filter = ['(&'];
if (this.options.group_filter_object_class !== '') { if (this.options.group_filter_object_class !== '') {
filter.push(`(objectclass=${ this.options.group_filter_object_class })`); filter.push(`(objectclass=${this.options.group_filter_object_class})`);
} }
if (this.options.group_filter_group_member_attribute !== '') { if (this.options.group_filter_group_member_attribute !== '') {
const format_value = ldapUser[this.options.group_filter_group_member_format]; const format_value = ldapUser[this.options.group_filter_group_member_format];
if( format_value ) { if (format_value) {
filter.push(`(${ this.options.group_filter_group_member_attribute }=${ format_value })`); filter.push(`(${this.options.group_filter_group_member_attribute}=${format_value})`);
} }
} }
if (this.options.group_filter_group_id_attribute !== '') { if (this.options.group_filter_group_id_attribute !== '') {
filter.push(`(${ this.options.group_filter_group_id_attribute }=${ this.options.group_filter_group_name })`); filter.push(`(${this.options.group_filter_group_id_attribute}=${this.options.group_filter_group_name})`);
} }
filter.push(')'); filter.push(')');
const searchOptions = { const searchOptions = {
filter: filter.join('').replace(/#{username}/g, username), filter: filter.join('').replace(/#{username}/g, username),
scope: 'sub', scope : 'sub',
}; };
log_debug('Group filter LDAP:', searchOptions.filter); log_debug('Group filter LDAP:', searchOptions.filter);
@ -426,15 +452,17 @@ export default class LDAP {
searchAllPaged(BaseDN, options, page) { searchAllPaged(BaseDN, options, page) {
this.bindIfNecessary(); this.bindIfNecessary();
const processPage = ({entries, title, end, next}) => { const processPage = ({ entries, title, end, next }) => {
log_info(title); log_info(title);
// Force LDAP idle to wait the record processing // Force LDAP idle to wait the record processing
this.client._updateIdle(true); this.client._updateIdle(true);
page(null, entries, {end, next: () => { page(null, entries, {
// Reset idle timer end, next: () => {
this.client._updateIdle(); // Reset idle timer
next && next(); this.client._updateIdle();
}}); next && next();
}
});
}; };
this.client.search(BaseDN, options, (error, res) => { this.client.search(BaseDN, options, (error, res) => {
@ -461,7 +489,7 @@ export default class LDAP {
processPage({ processPage({
entries, entries,
title: 'Internal Page', title: 'Internal Page',
end: false, end : false,
}); });
entries = []; entries = [];
} }
@ -473,14 +501,14 @@ export default class LDAP {
processPage({ processPage({
entries, entries,
title: 'Final Page', title: 'Final Page',
end: true, end : true,
}); });
} else if (entries.length) { } else if (entries.length) {
log_info('Page'); log_info('Page');
processPage({ processPage({
entries, entries,
title: 'Page', title: 'Page',
end: false, end : false,
next, next,
}); });
entries = []; entries = [];
@ -492,7 +520,7 @@ export default class LDAP {
processPage({ processPage({
entries, entries,
title: 'Final Page', title: 'Final Page',
end: true, end : true,
}); });
entries = []; entries = [];
} }
@ -547,7 +575,7 @@ export default class LDAP {
} }
disconnect() { disconnect() {
this.connected = false; this.connected = false;
this.domainBinded = false; this.domainBinded = false;
log_info('Disconecting'); log_info('Disconecting');
this.client.unbind(); this.client.unbind();

52
packages/wekan-ldap/server/loginHandler.js
View file

@ -41,28 +41,38 @@ Accounts.registerLoginHandler('ldap', function(loginRequest) {
let ldapUser; let ldapUser;
try { try {
ldap.connectSync();
const users = ldap.searchUsersSync(loginRequest.username);
if (users.length !== 1) { ldap.connectSync();
log_info('Search returned', users.length, 'record(s) for', loginRequest.username);
throw new Error('User not Found'); if (!!LDAP.settings_get('LDAP_USER_AUTHENTICATION')) {
} ldap.bindUserIfNecessary(loginRequest.username, loginRequest.ldapPass);
ldapUser = ldap.searchUsersSync(loginRequest.username)[0];
} else {
const users = ldap.searchUsersSync(loginRequest.username);
if (users.length !== 1) {
log_info('Search returned', users.length, 'record(s) for', loginRequest.username);
throw new Error('User not Found');
}
if (ldap.authSync(users[0].dn, loginRequest.ldapPass) === true) {
if (ldap.isUserInGroup(loginRequest.username, users[0])) {
ldapUser = users[0];
} else {
throw new Error('User not in a valid group');
}
} else {
log_info('Wrong password for', loginRequest.username);
}
}
if (ldap.authSync(users[0].dn, loginRequest.ldapPass) === true) {
if (ldap.isUserInGroup(loginRequest.username, users[0])) {
ldapUser = users[0];
} else {
throw new Error('User not in a valid group');
}
} else {
log_info('Wrong password for', loginRequest.username);
}
} catch (error) { } catch (error) {
log_error(error); log_error(error);
} }
if (ldapUser === undefined) { if (!ldapUser) {
if (LDAP.settings_get('LDAP_LOGIN_FALLBACK') === true) { if (LDAP.settings_get('LDAP_LOGIN_FALLBACK') === true) {
return fallbackDefaultAccountSystem(self, loginRequest.username, loginRequest.ldapPass); return fallbackDefaultAccountSystem(self, loginRequest.username, loginRequest.ldapPass);
} }
@ -76,8 +86,7 @@ Accounts.registerLoginHandler('ldap', function(loginRequest) {
const Unique_Identifier_Field = getLdapUserUniqueID(ldapUser); const Unique_Identifier_Field = getLdapUserUniqueID(ldapUser);
let user; let user;
// Attempt to find user by unique identifier
// Attempt to find user by unique identifier
if (Unique_Identifier_Field) { if (Unique_Identifier_Field) {
userQuery = { userQuery = {
@ -88,14 +97,14 @@ Accounts.registerLoginHandler('ldap', function(loginRequest) {
log_debug('userQuery', userQuery); log_debug('userQuery', userQuery);
user = Meteor.users.findOne(userQuery); user = Meteor.users.findOne(userQuery);
} }
// Attempt to find user by username // Attempt to find user by username
let username; let username;
let email; let email;
if (LDAP.settings_get('LDAP_USERNAME_FIELD') !== '') { if (LDAP.settings_get('LDAP_USERNAME_FIELD') !== '') {
username = slug(getLdapUsername(ldapUser)); username = slug(getLdapUsername(ldapUser));
} else { } else {
username = slug(loginRequest.username); username = slug(loginRequest.username);
@ -105,6 +114,7 @@ Accounts.registerLoginHandler('ldap', function(loginRequest) {
email = getLdapEmail(ldapUser); email = getLdapEmail(ldapUser);
} }
if (!user) { if (!user) {
if(email && LDAP.settings_get('LDAP_EMAIL_MATCH_REQUIRE') === true) { if(email && LDAP.settings_get('LDAP_EMAIL_MATCH_REQUIRE') === true) {
if(LDAP.settings_get('LDAP_EMAIL_MATCH_VERIFIED') === true) { if(LDAP.settings_get('LDAP_EMAIL_MATCH_VERIFIED') === true) {

2
releases/virtualbox/start-wekan.sh
View file

@ -191,6 +191,8 @@
# LDAP_REJECT_UNAUTHORIZED : Reject Unauthorized Certificate # LDAP_REJECT_UNAUTHORIZED : Reject Unauthorized Certificate
# example : export LDAP_REJECT_UNAUTHORIZED=true # example : export LDAP_REJECT_UNAUTHORIZED=true
#export LDAP_REJECT_UNAUTHORIZED=false #export LDAP_REJECT_UNAUTHORIZED=false
# Option to login to the LDAP server with the user's own username and password, instead of an administrator key. Default: false (use administrator key).
#export LDAP_USER_AUTHENTICATION=true
# LDAP_USER_SEARCH_FILTER : Optional extra LDAP filters. Don't forget the outmost enclosing parentheses if needed # LDAP_USER_SEARCH_FILTER : Optional extra LDAP filters. Don't forget the outmost enclosing parentheses if needed
# example : export LDAP_USER_SEARCH_FILTER= # example : export LDAP_USER_SEARCH_FILTER=
#export LDAP_USER_SEARCH_FILTER= #export LDAP_USER_SEARCH_FILTER=

4
sandstorm-pkgdef.capnp
View file

@ -22,10 +22,10 @@ const pkgdef :Spk.PackageDefinition = (
appTitle = (defaultText = "Wekan"), appTitle = (defaultText = "Wekan"),
# The name of the app as it is displayed to the user. # The name of the app as it is displayed to the user.
appVersion = 269, appVersion = 270,
# Increment this for every release. # Increment this for every release.
appMarketingVersion = (defaultText = "2.67.0~2019-05-10"), appMarketingVersion = (defaultText = "2.68.0~2019-05-10"),
# Human-readable presentation of the app version. # Human-readable presentation of the app version.
minUpgradableAppVersion = 0, minUpgradableAppVersion = 0,

6
snap-src/bin/config
View file

@ -3,7 +3,7 @@
# All supported keys are defined here together with descriptions and default values # All supported keys are defined here together with descriptions and default values
# list of supported keys # list of supported keys
keys="DEBUG MONGODB_BIND_UNIX_SOCKET MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW EMAIL_NOTIFICATION_TIMEOUT CORS MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME BROWSER_POLICY_ENABLED TRUSTED_URL WEBHOOKS_ATTRIBUTES OAUTH2_ENABLED OAUTH2_LOGIN_STYLE OAUTH2_CLIENT_ID OAUTH2_SECRET OAUTH2_SERVER_URL OAUTH2_AUTH_ENDPOINT OAUTH2_USERINFO_ENDPOINT OAUTH2_TOKEN_ENDPOINT OAUTH2_ID_MAP OAUTH2_USERNAME_MAP OAUTH2_FULLNAME_MAP OAUTH2_EMAIL_MAP LDAP_ENABLE LDAP_PORT LDAP_HOST LDAP_BASEDN LDAP_LOGIN_FALLBACK LDAP_RECONNECT LDAP_TIMEOUT LDAP_IDLE_TIMEOUT LDAP_CONNECT_TIMEOUT LDAP_AUTHENTIFICATION LDAP_AUTHENTIFICATION_USERDN LDAP_AUTHENTIFICATION_PASSWORD LDAP_LOG_ENABLED LDAP_BACKGROUND_SYNC LDAP_BACKGROUND_SYNC_INTERVAL LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS LDAP_ENCRYPTION LDAP_CA_CERT LDAP_REJECT_UNAUTHORIZED LDAP_USER_SEARCH_FILTER LDAP_USER_SEARCH_SCOPE LDAP_USER_SEARCH_FIELD LDAP_SEARCH_PAGE_SIZE LDAP_SEARCH_SIZE_LIMIT LDAP_GROUP_FILTER_ENABLE LDAP_GROUP_FILTER_OBJECTCLASS LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT LDAP_GROUP_FILTER_GROUP_NAME LDAP_UNIQUE_IDENTIFIER_FIELD LDAP_UTF8_NAMES_SLUGIFY LDAP_USERNAME_FIELD LDAP_FULLNAME_FIELD LDAP_MERGE_EXISTING_USERS LDAP_SYNC_USER_DATA LDAP_SYNC_USER_DATA_FIELDMAP LDAP_SYNC_GROUP_ROLES LDAP_DEFAULT_DOMAIN LDAP_EMAIL_MATCH_ENABLE LDAP_EMAIL_MATCH_REQUIRE LDAP_EMAIL_MATCH_VERIFIED LDAP_EMAIL_FIELD LDAP_SYNC_ADMIN_STATUS LDAP_SYNC_ADMIN_GROUPS HEADER_LOGIN_ID HEADER_LOGIN_FIRSTNAME HEADER_LOGIN_LASTNAME HEADER_LOGIN_EMAIL LOGOUT_WITH_TIMER LOGOUT_IN LOGOUT_ON_HOURS LOGOUT_ON_MINUTES DEFAULT_AUTHENTICATION_METHOD" keys="DEBUG MONGODB_BIND_UNIX_SOCKET MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW EMAIL_NOTIFICATION_TIMEOUT CORS MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME BROWSER_POLICY_ENABLED TRUSTED_URL WEBHOOKS_ATTRIBUTES OAUTH2_ENABLED OAUTH2_LOGIN_STYLE OAUTH2_CLIENT_ID OAUTH2_SECRET OAUTH2_SERVER_URL OAUTH2_AUTH_ENDPOINT OAUTH2_USERINFO_ENDPOINT OAUTH2_TOKEN_ENDPOINT OAUTH2_ID_MAP OAUTH2_USERNAME_MAP OAUTH2_FULLNAME_MAP OAUTH2_EMAIL_MAP LDAP_ENABLE LDAP_PORT LDAP_HOST LDAP_BASEDN LDAP_LOGIN_FALLBACK LDAP_RECONNECT LDAP_TIMEOUT LDAP_IDLE_TIMEOUT LDAP_CONNECT_TIMEOUT LDAP_AUTHENTIFICATION LDAP_AUTHENTIFICATION_USERDN LDAP_AUTHENTIFICATION_PASSWORD LDAP_LOG_ENABLED LDAP_BACKGROUND_SYNC LDAP_BACKGROUND_SYNC_INTERVAL LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS LDAP_ENCRYPTION LDAP_CA_CERT LDAP_REJECT_UNAUTHORIZED LDAP_USER_AUTHENTICATION LDAP_USER_SEARCH_FILTER LDAP_USER_SEARCH_SCOPE LDAP_USER_SEARCH_FIELD LDAP_SEARCH_PAGE_SIZE LDAP_SEARCH_SIZE_LIMIT LDAP_GROUP_FILTER_ENABLE LDAP_GROUP_FILTER_OBJECTCLASS LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT LDAP_GROUP_FILTER_GROUP_NAME LDAP_UNIQUE_IDENTIFIER_FIELD LDAP_UTF8_NAMES_SLUGIFY LDAP_USERNAME_FIELD LDAP_FULLNAME_FIELD LDAP_MERGE_EXISTING_USERS LDAP_SYNC_USER_DATA LDAP_SYNC_USER_DATA_FIELDMAP LDAP_SYNC_GROUP_ROLES LDAP_DEFAULT_DOMAIN LDAP_EMAIL_MATCH_ENABLE LDAP_EMAIL_MATCH_REQUIRE LDAP_EMAIL_MATCH_VERIFIED LDAP_EMAIL_FIELD LDAP_SYNC_ADMIN_STATUS LDAP_SYNC_ADMIN_GROUPS HEADER_LOGIN_ID HEADER_LOGIN_FIRSTNAME HEADER_LOGIN_LASTNAME HEADER_LOGIN_EMAIL LOGOUT_WITH_TIMER LOGOUT_IN LOGOUT_ON_HOURS LOGOUT_ON_MINUTES DEFAULT_AUTHENTICATION_METHOD"
# default values # default values
DESCRIPTION_DEBUG="Debug OIDC OAuth2 etc. Example: sudo snap set wekan debug='true'" DESCRIPTION_DEBUG="Debug OIDC OAuth2 etc. Example: sudo snap set wekan debug='true'"
@ -250,6 +250,10 @@ DESCRIPTION_LDAP_REJECT_UNAUTHORIZED="Reject Unauthorized Certificate"
DEFAULT_LDAP_REJECT_UNAUTHORIZED="false" DEFAULT_LDAP_REJECT_UNAUTHORIZED="false"
KEY_LDAP_REJECT_UNAUTHORIZED="ldap-reject-unauthorized" KEY_LDAP_REJECT_UNAUTHORIZED="ldap-reject-unauthorized"
DESCRIPTION_LDAP_USER_AUTHENTICATION="Option to login to the LDAP server with the user's own username and password, instead of an administrator key. Default: false (use administrator key)."
DEFAULT_LDAP_USER_AUTHENTICATION="false"
KEY_LDAP_USER_AUTHENTICATION="ldap-user-authentication"
DESCRIPTION_LDAP_USER_SEARCH_FILTER="Optional extra LDAP filters. Don't forget the outmost enclosing parentheses if needed" DESCRIPTION_LDAP_USER_SEARCH_FILTER="Optional extra LDAP filters. Don't forget the outmost enclosing parentheses if needed"
DEFAULT_LDAP_USER_SEARCH_FILTER="" DEFAULT_LDAP_USER_SEARCH_FILTER=""
KEY_LDAP_USER_SEARCH_FILTER="ldap-user-search-filter" KEY_LDAP_USER_SEARCH_FILTER="ldap-user-search-filter"

3
snap-src/bin/wekan-help
View file

@ -234,6 +234,9 @@ echo -e "Ldap Reject Unauthorized."
echo -e "Reject Unauthorized Certificate:" echo -e "Reject Unauthorized Certificate:"
echo -e "\t$ snap set $SNAP_NAME ldap-reject-unauthorized='true'" echo -e "\t$ snap set $SNAP_NAME ldap-reject-unauthorized='true'"
echo -e "\n" echo -e "\n"
echo -e "Option to login to the LDAP server with the user's own username and password, instead of an administrator key. Default: false (use administrator key)."
echo -e "\t$ snap set $SNAP_NAME ldap-user-authentication='true'"
echo -e "\n"
echo -e "Ldap User Search Filter." echo -e "Ldap User Search Filter."
echo -e "Optional extra LDAP filters. Don't forget the outmost enclosing parentheses if needed:" echo -e "Optional extra LDAP filters. Don't forget the outmost enclosing parentheses if needed:"
echo -e "\t$ snap set $SNAP_NAME ldap-user-search-filter=''" echo -e "\t$ snap set $SNAP_NAME ldap-user-search-filter=''"

3
start-wekan.bat
View file

@ -173,6 +173,9 @@ REM # LDAP_REJECT_UNAUTHORIZED : Reject Unauthorized Certificate
REM # example : LDAP_REJECT_UNAUTHORIZED=true REM # example : LDAP_REJECT_UNAUTHORIZED=true
REM SET LDAP_REJECT_UNAUTHORIZED=false REM SET LDAP_REJECT_UNAUTHORIZED=false
REM # Option to login to the LDAP server with the user's own username and password, instead of an administrator key. Default: false (use administrator key).
REM SET LDAP_USER_AUTHENTICATION=true
REM # LDAP_USER_SEARCH_FILTER : Optional extra LDAP filters. Don't forget the outmost enclosing parentheses if needed REM # LDAP_USER_SEARCH_FILTER : Optional extra LDAP filters. Don't forget the outmost enclosing parentheses if needed
REM # example : LDAP_USER_SEARCH_FILTER= REM # example : LDAP_USER_SEARCH_FILTER=
REM SET LDAP_USER_SEARCH_FILTER= REM SET LDAP_USER_SEARCH_FILTER=

2
start-wekan.sh
View file

@ -193,6 +193,8 @@
# LDAP_REJECT_UNAUTHORIZED : Reject Unauthorized Certificate # LDAP_REJECT_UNAUTHORIZED : Reject Unauthorized Certificate
# example : export LDAP_REJECT_UNAUTHORIZED=true # example : export LDAP_REJECT_UNAUTHORIZED=true
#export LDAP_REJECT_UNAUTHORIZED=false #export LDAP_REJECT_UNAUTHORIZED=false
# Option to login to the LDAP server with the user's own username and password, instead of an administrator key. Default: false (use administrator key).
#export LDAP_USER_AUTHENTICATION=true
# LDAP_USER_SEARCH_FILTER : Optional extra LDAP filters. Don't forget the outmost enclosing parentheses if needed # LDAP_USER_SEARCH_FILTER : Optional extra LDAP filters. Don't forget the outmost enclosing parentheses if needed
# example : export LDAP_USER_SEARCH_FILTER= # example : export LDAP_USER_SEARCH_FILTER=
#export LDAP_USER_SEARCH_FILTER= #export LDAP_USER_SEARCH_FILTER=