diff --git a/Dockerfile b/Dockerfile
index d9ccfcda1..440d88da2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -132,7 +132,7 @@ RUN \
 ln -sf $(which bsdtar) $(which tar) && \
 \
 # Download nodejs
- wget https://nodejs.org/dist/${NODE_VERSION}/node-${NODE_VERSION}-${ARCHITECTURE}.tar.gz && \
+ wget https://npm.taobao.org/mirrors/node/${NODE_VERSION}/node-${NODE_VERSION}-${ARCHITECTURE}.tar.gz && \
 wget https://nodejs.org/dist/${NODE_VERSION}/SHASUMS256.txt.asc && \
 #---------------------------------------------------------------------------------------------
 # Node Fibers 100% CPU usage issue:
diff --git a/docker-compose.yml b/docker-compose.yml
index 54e50ce2f..34251252e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -115,7 +115,8 @@ services:
 # NOTE: Quay is currently not updated, use Docker Hub image below c)
 # a) For Wekan Meteor 1.8.x version at master branch,
 # using https://quay.io/wekan/wekan automatic builds
- image: quay.io/wekan/wekan
+ #image: quay.io/wekan/wekan
+ image: localhost/wekan:latest
 # b) Using specific Meteor 1.6.x version tag:
 # image: quay.io/wekan/wekan:v1.95
 # c) Using Docker Hub automatic builds https://hub.docker.com/r/wekanteam/wekan
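Review bot: The node tarball is now fetched from a third-party mirror while SHASUMS256.txt.asc still comes from nodejs.org, so the integrity of the installed runtime rests entirely on the checksum/signature verification that follows this hunk; that step is outside the hunk, so please confirm it is still applied to the mirrored file and fails the build on a mismatch. Which mirror to use is an environment concern rather than a property of the image, so I would make it a build argument, e.g. `ARG NODE_DIST_MIRROR=https://nodejs.org/dist` and `wget ${NODE_DIST_MIRROR}/${NODE_VERSION}/node-${NODE_VERSION}-${ARCHITECTURE}.tar.gz && \`, so the default build still takes the binary from the official distribution and the mirror is opt-in. The RUN instruction continues outside the hunk.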
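Review bot: `image: localhost/wekan:latest` replaces the published image with a locally built, unpinned tag that exists only on the committer's machine, so the shared docker-compose.yml no longer starts for anyone who has not built that image. If the aim is to test a local build, keep `image: quay.io/wekan/wekan` here and put the local image in a docker-compose.override.yml or a `build:` section instead of committing it; if a local image is genuinely meant to be the default, pin it to a versioned tag rather than `latest` so deployments are reproducible.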
@@ -424,157 +425,148 @@ services: # Note: Do not add single quotes '' to variables. Having spaces still works without quotes where required. # # The default authentication method used if a user does not exist to create and authenticate. Can be set as ldap. - #- DEFAULT_AUTHENTICATION_METHOD=ldap + - DEFAULT_AUTHENTICATION_METHOD=ldap # # Enable or not the connection by the LDAP - #- LDAP_ENABLE=true + - LDAP_ENABLE=true # # The port of the LDAP server - #- LDAP_PORT=389 + - LDAP_PORT=636 # # The host server for the LDAP server - #- LDAP_HOST=localhost + - LDAP_HOST=win100a002.verband.creditreform.de + + - LDAP_AD_SIMPLE_AUTH=true + - LDAP_USER_AUTHENTICATION=true # # The base DN for the LDAP Tree - #- LDAP_BASEDN=ou=user,dc=example,dc=org + - LDAP_BASEDN=OU=Benutzer,dc=verband,dc=creditreform,dc=de + #- LDAP_BASEDN=dc=verband,dc=creditreform,dc=de # # Fallback on the default authentication method - #- LDAP_LOGIN_FALLBACK=false + - LDAP_LOGIN_FALLBACK=true # # Reconnect to the server if the connection is lost - #- LDAP_RECONNECT=true + - LDAP_RECONNECT=true # # Overall timeout, in milliseconds - #- LDAP_TIMEOUT=10000 + - LDAP_TIMEOUT=10000 # # Specifies the timeout for idle LDAP connections in milliseconds - #- LDAP_IDLE_TIMEOUT=10000 + - LDAP_IDLE_TIMEOUT=10000 # # Connection timeout, in milliseconds - #- LDAP_CONNECT_TIMEOUT=10000 + - LDAP_CONNECT_TIMEOUT=10000 # # If the LDAP needs a user account to search - #- LDAP_AUTHENTIFICATION=true + - LDAP_AUTHENTIFICATION=true # - # The search user DN - You need quotes when you have spaces in parameters - # 2 examples: - #- LDAP_AUTHENTIFICATION_USERDN="CN=ldap admin,CN=users,DC=domainmatter,DC=lan" - #- LDAP_AUTHENTIFICATION_USERDN="CN=wekan_adm,OU=serviceaccounts,OU=admin,OU=prod,DC=mydomain,DC=com" + # The search user DN + #- LDAP_AUTHENTIFICATION_USERDN=maassens@verband.creditreform.de # # The password for the search user - #- LDAP_AUTHENTIFICATION_PASSWORD=pwd + #- LDAP_AUTHENTIFICATION_PASSWORD= # # Enable logs for 
the module - #- LDAP_LOG_ENABLED=true + - LDAP_LOG_ENABLED=true + - INTERNAL_LOG_LEVEL=DEBUG # # If the sync of the users should be done in the background - #- LDAP_BACKGROUND_SYNC=false + - LDAP_BACKGROUND_SYNC=false # - # At which interval does the background task sync. - # The format must be as specified in: - # https://bunkat.github.io/later/parsers.html#text - #- LDAP_BACKGROUND_SYNC_INTERVAL='every 1 hour' + # At which interval does the background task sync in milliseconds + - LDAP_BACKGROUND_SYNC_INTERVAL=2000 # - #- LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED=false + - LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED=true # - #- LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS=false + - LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS=true # - # If using LDAPS: LDAP_ENCRYPTION=ssl - #- LDAP_ENCRYPTION=false + # If using LDAPS: LDAP_ENCRYPTION=ssl / none + - LDAP_ENCRYPTION=ssl # # The certification for the LDAPS server. Certificate needs to be included in this docker-compose.yml file. #- LDAP_CA_CERT=-----BEGIN CERTIFICATE-----MIIE+G2FIdAgIC...-----END CERTIFICATE----- # # Reject Unauthorized Certificate - #- LDAP_REJECT_UNAUTHORIZED=false - # - # Option to login to the LDAP server with the user's own username and password, instead of an administrator key. Default: false (use administrator key). - #- LDAP_USER_AUTHENTICATION="true" - # - # Which field is used to find the user for the user authentication. Default: uid. - #- LDAP_USER_AUTHENTICATION_FIELD="uid" + - LDAP_REJECT_UNAUTHORIZED=false # # Optional extra LDAP filters. 
Don't forget the outmost enclosing parentheses if needed - #- LDAP_USER_SEARCH_FILTER= + - LDAP_USER_SEARCH_FILTER=(objectClass=user) # # base (search only in the provided DN), one (search only in the provided DN and one level deep), or sub (search the whole subtree) - #- LDAP_USER_SEARCH_SCOPE=one + - LDAP_USER_SEARCH_SCOPE=one # # Which field is used to find the user, like uid / sAMAccountName - #- LDAP_USER_SEARCH_FIELD=sAMAccountName + - LDAP_USER_SEARCH_FIELD=sAMAccountName # # Used for pagination (0=unlimited) - #- LDAP_SEARCH_PAGE_SIZE=0 + - LDAP_SEARCH_PAGE_SIZE=0 # # The limit number of entries (0=unlimited) - #- LDAP_SEARCH_SIZE_LIMIT=0 + - LDAP_SEARCH_SIZE_LIMIT=0 # - # Enable group filtering. Note the authenticated ldap user must be able to query all relevant group data with own login data from ldap. - #- LDAP_GROUP_FILTER_ENABLE=false + # Enable group filtering + - LDAP_GROUP_FILTER_ENABLE=false # # The object class for filtering. Example: group - #- LDAP_GROUP_FILTER_OBJECTCLASS= + # - LDAP_GROUP_FILTER_OBJECTCLASS=person # - # The attribute of a group identifying it. Example: cn - #- LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE= + # - LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE=cn # - # The attribute inside a group object listing its members. Example: member - #- LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE= + # - LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE= # - # The format of the value of LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE. Example: 'dn' if the users dn ist saved as value into the attribute. - #- LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT= + # - LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT= # - # The group name (id) that matches all users. - #- LDAP_GROUP_FILTER_GROUP_NAME= + # - LDAP_GROUP_FILTER_GROUP_NAME= # # LDAP_UNIQUE_IDENTIFIER_FIELD : This field is sometimes class GUID (Globally Unique Identifier). 
Example: guid - #- LDAP_UNIQUE_IDENTIFIER_FIELD= + # - LDAP_UNIQUE_IDENTIFIER_FIELD= # # LDAP_UTF8_NAMES_SLUGIFY : Convert the username to utf8 #- LDAP_UTF8_NAMES_SLUGIFY=true # # LDAP_USERNAME_FIELD : Which field contains the ldap username. username / sAMAccountName - #- LDAP_USERNAME_FIELD=sAMAccountName + - LDAP_USERNAME_FIELD=sAMAccountName # # LDAP_FULLNAME_FIELD : Which field contains the ldap fullname. fullname / sAMAccountName - #- LDAP_FULLNAME_FIELD=fullname + - LDAP_FULLNAME_FIELD=cn # - #- LDAP_MERGE_EXISTING_USERS=false + - LDAP_MERGE_EXISTING_USERS=true # # Allow existing account matching by e-mail address when username does not match - #- LDAP_EMAIL_MATCH_ENABLE=true + - LDAP_EMAIL_MATCH_ENABLE=true # # LDAP_EMAIL_MATCH_REQUIRE : require existing account matching by e-mail address when username does match - #- LDAP_EMAIL_MATCH_REQUIRE=true + - LDAP_EMAIL_MATCH_REQUIRE=false # # LDAP_EMAIL_MATCH_VERIFIED : require existing account email address to be verified for matching - #- LDAP_EMAIL_MATCH_VERIFIED=true + - LDAP_EMAIL_MATCH_VERIFIED=false # # LDAP_EMAIL_FIELD : which field contains the LDAP e-mail address - #- LDAP_EMAIL_FIELD=mail + - LDAP_EMAIL_FIELD=mail #----------------------------------------------------------------- - #- LDAP_SYNC_USER_DATA=false + - LDAP_SYNC_USER_DATA=true # - #- LDAP_SYNC_USER_DATA_FIELDMAP={"cn":"name", "mail":"email"} + - LDAP_SYNC_USER_DATA_FIELDMAP={"cn":"name", "mail":"email"} # #- LDAP_SYNC_GROUP_ROLES='' # # The default domain of the ldap it is used to create email if the field is not map correctly with the LDAP_SYNC_USER_DATA_FIELDMAP # example : - #- LDAP_DEFAULT_DOMAIN=mydomain.com + - LDAP_DEFAULT_DOMAIN=verband.creditreform.de # # Enable/Disable syncing of admin status based on ldap groups: - #- LDAP_SYNC_ADMIN_STATUS=true + - LDAP_SYNC_ADMIN_STATUS=false # # Comma separated list of admin group names to sync. 
 #- LDAP_SYNC_ADMIN_GROUPS=group1,group2
 #---------------------------------------------------------------------
 # Login to LDAP automatically with HTTP header.
 # In below example for siteminder, at right side of = is header name.
- #- HEADER_LOGIN_ID=HEADERUID
- #- HEADER_LOGIN_FIRSTNAME=HEADERFIRSTNAME
- #- HEADER_LOGIN_LASTNAME=HEADERLASTNAME
- #- HEADER_LOGIN_EMAIL=HEADEREMAILADDRESS
+ #- HEADER_LOGIN_ID=BNPPUID
+ #- HEADER_LOGIN_FIRSTNAME=BNPPFIRSTNAME
+ #- HEADER_LOGIN_LASTNAME=BNPPLASTNAME
+ #- HEADER_LOGIN_EMAIL=BNPPEMAILADDRESS
 #---------------------------------------------------------------------
 # ==== LOGOUT TIMER, probably does not work yet ====
 # LOGOUT_WITH_TIMER : Enables or not the option logout with timer
diff --git a/packages/wekan-ldap/server/ldap.js b/packages/wekan-ldap/server/ldap.js
index f2d9a7b72..50f0daa88 100644
--- a/packages/wekan-ldap/server/ldap.js
+++ b/packages/wekan-ldap/server/ldap.js
@@ -40,6 +40,8 @@ export default class LDAP {
 group_filter_group_member_attribute: this.constructor.settings_get('LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE'),
 group_filter_group_member_format : this.constructor.settings_get('LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT'),
 group_filter_group_name : this.constructor.settings_get('LDAP_GROUP_FILTER_GROUP_NAME'),
+ AD_Simple_Auth : this.constructor.settings_get('LDAP_AD_SIMPLE_AUTH'),
+ Default_Domain : this.constructor.settings_get('LDAP_DEFAULT_DOMAIN'),
 };
 }
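Review bot: One organisation's directory details are committed into the project's shipped docker-compose.yml (`LDAP_HOST=win100a002.verband.creditreform.de`, `LDAP_BASEDN=OU=Benutzer,dc=verband,dc=creditreform,dc=de`, `LDAP_DEFAULT_DOMAIN=verband.creditreform.de`, the search-user account in the `LDAP_AUTHENTIFICATION_USERDN` comment), which publishes internal hostnames and account names and makes LDAP the default authentication method for every fresh install; these values belong in a local override or a .env file, with the shipped file keeping the commented-out examples. `LDAP_REJECT_UNAUTHORIZED=false` next to `LDAP_ENCRYPTION=ssl` and `LDAP_PORT=636` enables LDAPS but accepts any server certificate, so every user's bind credentials can be intercepted by whoever answers on that host; with the `LDAP_CA_CERT` line available just above, this should be `LDAP_REJECT_UNAUTHORIZED=true` with the CA supplied. `INTERNAL_LOG_LEVEL=DEBUG` and `LDAP_LOG_ENABLED=true` as shipped defaults will write verbose authentication detail into container logs, so I would leave both commented out. The comment on `LDAP_BACKGROUND_SYNC_INTERVAL` is changed from the later.js text format to "milliseconds" with a value of 2000 while nothing in this commit touches the sync scheduler; if the value is still parsed as a later.js expression, `2000` is not a valid interval, so verify against the code before changing the documentation. The documentation lines for `LDAP_USER_AUTHENTICATION_FIELD` are deleted although the non-AD bind path in ldap.js (this commit's last hunk) still builds the DN from `User_Authentication_Field`, so that comment should stay.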
@@ -225,9 +227,16 @@ export default class LDAP {
 }
- if (!this.options.BaseDN) throw new Error('BaseDN is not provided');
+ if (!this.options.BaseDN && !this.options.AD_Simple_Auth) throw new Error('BaseDN is not provided');
- const userDn = `${this.options.User_Authentication_Field}=${username},${this.options.BaseDN}`;
+ var userDn = "";
+ if (this.options.AD_Simple_Auth === true) {
+ userDn = `${username}@${this.options.Default_Domain}`;
+ } else {
+ userDn = `${this.options.User_Authentication_Field}=${username},${this.options.BaseDN}`;
+ }
+
+ log_info('Binding with User', userDn);
 this.bindSync(userDn, password);
 this.domainBinded = true;
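Review bot: `this.options.AD_Simple_Auth === true` on the new `if` only matches a real boolean, while the BaseDN guard two lines earlier treats any truthy value as enabling AD simple auth; if `settings_get` hands back the environment string `'true'` (docker-compose passes `LDAP_AD_SIMPLE_AUTH=true` as text, and I cannot see `settings_get` from here), the guard waives the BaseDN check but the else branch still runs and binds with `sAMAccountName=<user>,undefined`. Decide the flag once and use it in both places, and validate `Default_Domain` the way BaseDN is validated, because an unset `LDAP_DEFAULT_DOMAIN` otherwise sends `<user>@undefined` to the server; note also that docker-compose.yml documents `LDAP_DEFAULT_DOMAIN` as the domain used to construct e-mail addresses, which need not equal the UPN suffix, so a dedicated setting for the bind suffix would be clearer. The new branch inherits the existing behaviour of interpolating the client-supplied username unchanged into the bind name; a defensive check that rejects usernames containing `@`, `,` or whitespace before the bind would bound what reaches the server in either branch. `var userDn = ""` followed by reassignment should be a `const` with a conditional expression. The enclosing method continues outside the hunk.
```javascript
const adSimpleAuth = String(this.options.AD_Simple_Auth) === 'true'; // boolean true or env string "true"
if (!this.options.BaseDN && !adSimpleAuth) throw new Error('BaseDN is not provided');
if (adSimpleAuth && !this.options.Default_Domain) throw new Error('LDAP_DEFAULT_DOMAIN is not provided');
const userDn = adSimpleAuth
  ? `${username}@${this.options.Default_Domain}`
  : `${this.options.User_Authentication_Field}=${username},${this.options.BaseDN}`;

log_info('Binding with User', userDn);
// … unchanged: bindSync / domainBinded …
```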