AD Simple Auth is working

Dockerfile

@@ -132,7 +132,7 @@ RUN \
     ln -sf $(which bsdtar) $(which tar) && \
     \
     # Download nodejs
-    wget https://nodejs.org/dist/${NODE_VERSION}/node-${NODE_VERSION}-${ARCHITECTURE}.tar.gz && \
+    wget https://npm.taobao.org/mirrors/node/${NODE_VERSION}/node-${NODE_VERSION}-${ARCHITECTURE}.tar.gz && \
     wget https://nodejs.org/dist/${NODE_VERSION}/SHASUMS256.txt.asc && \
     #---------------------------------------------------------------------------------------------
     # Node Fibers 100% CPU usage issue:

docker-compose.yml

@@ -115,7 +115,8 @@ services:
     # NOTE: Quay is currently not updated, use Docker Hub image below c)
     # a) For Wekan Meteor 1.8.x version at master branch,
     #    using https://quay.io/wekan/wekan automatic builds
-    image: quay.io/wekan/wekan
+    #image: quay.io/wekan/wekan
+    image: localhost/wekan:latest
     # b) Using specific Meteor 1.6.x version tag:
     # image: quay.io/wekan/wekan:v1.95
     # c) Using Docker Hub automatic builds https://hub.docker.com/r/wekanteam/wekan
@@ -424,107 +425,98 @@ services:
       # Note: Do not add single quotes '' to variables. Having spaces still works without quotes where required.
       #
       # The default authentication method used if a user does not exist to create and authenticate. Can be set as ldap.
-      #- DEFAULT_AUTHENTICATION_METHOD=ldap
+      - DEFAULT_AUTHENTICATION_METHOD=ldap
       #
       # Enable or not the connection by the LDAP
-      #- LDAP_ENABLE=true
+      - LDAP_ENABLE=true
       #
       # The port of the LDAP server
-      #- LDAP_PORT=389
+      - LDAP_PORT=636
       #
       # The host server for the LDAP server
-      #- LDAP_HOST=localhost
+      - LDAP_HOST=win100a002.verband.creditreform.de
+
+      - LDAP_AD_SIMPLE_AUTH=true
+      - LDAP_USER_AUTHENTICATION=true
       #
       # The base DN for the LDAP Tree
-      #- LDAP_BASEDN=ou=user,dc=example,dc=org
+      - LDAP_BASEDN=OU=Benutzer,dc=verband,dc=creditreform,dc=de
+      #- LDAP_BASEDN=dc=verband,dc=creditreform,dc=de
       #
       # Fallback on the default authentication method
-      #- LDAP_LOGIN_FALLBACK=false
+      - LDAP_LOGIN_FALLBACK=true
       #
       # Reconnect to the server if the connection is lost
-      #- LDAP_RECONNECT=true
+      - LDAP_RECONNECT=true
       #
       # Overall timeout, in milliseconds
-      #- LDAP_TIMEOUT=10000
+      - LDAP_TIMEOUT=10000
       #
       # Specifies the timeout for idle LDAP connections in milliseconds
-      #- LDAP_IDLE_TIMEOUT=10000
+      - LDAP_IDLE_TIMEOUT=10000
       #
       # Connection timeout, in milliseconds
-      #- LDAP_CONNECT_TIMEOUT=10000
+      - LDAP_CONNECT_TIMEOUT=10000
       #
       # If the LDAP needs a user account to search
-      #- LDAP_AUTHENTIFICATION=true
+      - LDAP_AUTHENTIFICATION=true
       #
-      # The search user DN - You need quotes when you have spaces in parameters
+      # The search user DN
-      # 2 examples:
+      #- LDAP_AUTHENTIFICATION_USERDN=maassens@verband.creditreform.de
-      #- LDAP_AUTHENTIFICATION_USERDN="CN=ldap admin,CN=users,DC=domainmatter,DC=lan"
-      #- LDAP_AUTHENTIFICATION_USERDN="CN=wekan_adm,OU=serviceaccounts,OU=admin,OU=prod,DC=mydomain,DC=com"
       #
       # The password for the search user
-      #- LDAP_AUTHENTIFICATION_PASSWORD=pwd
+      #- LDAP_AUTHENTIFICATION_PASSWORD=
       #
       # Enable logs for the module
-      #- LDAP_LOG_ENABLED=true
+      - LDAP_LOG_ENABLED=true
+      - INTERNAL_LOG_LEVEL=DEBUG
       #
       # If the sync of the users should be done in the background
-      #- LDAP_BACKGROUND_SYNC=false
+      - LDAP_BACKGROUND_SYNC=false
       #
-      # At which interval does the background task sync.
+      # At which interval does the background task sync in milliseconds
-      # The format must be as specified in:
+      - LDAP_BACKGROUND_SYNC_INTERVAL=2000
-      # https://bunkat.github.io/later/parsers.html#text
-      #- LDAP_BACKGROUND_SYNC_INTERVAL='every 1 hour'
       #
-      #- LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED=false
+      - LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED=true
       #
-      #- LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS=false
+      - LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS=true
       #
-      # If using LDAPS: LDAP_ENCRYPTION=ssl
+      # If using LDAPS: LDAP_ENCRYPTION=ssl / none
-      #- LDAP_ENCRYPTION=false
+      - LDAP_ENCRYPTION=ssl
       #
       # The certification for the LDAPS server. Certificate needs to be included in this docker-compose.yml file.
       #- LDAP_CA_CERT=-----BEGIN CERTIFICATE-----MIIE+G2FIdAgIC...-----END CERTIFICATE-----
       #
       # Reject Unauthorized Certificate
-      #- LDAP_REJECT_UNAUTHORIZED=false
+      - LDAP_REJECT_UNAUTHORIZED=false
-      #
-      # Option to login to the LDAP server with the user's own username and password, instead of an administrator key. Default: false (use administrator key).
-      #- LDAP_USER_AUTHENTICATION="true"
-      #
-      # Which field is used to find the user for the user authentication. Default: uid.
-      #- LDAP_USER_AUTHENTICATION_FIELD="uid"
       #
       # Optional extra LDAP filters. Don't forget the outmost enclosing parentheses if needed
-      #- LDAP_USER_SEARCH_FILTER=
+      - LDAP_USER_SEARCH_FILTER=(objectClass=user)
       #
       # base (search only in the provided DN), one (search only in the provided DN and one level deep), or sub (search the whole subtree)
-      #- LDAP_USER_SEARCH_SCOPE=one
+      - LDAP_USER_SEARCH_SCOPE=one
       #
       # Which field is used to find the user, like uid / sAMAccountName
-      #- LDAP_USER_SEARCH_FIELD=sAMAccountName
+      - LDAP_USER_SEARCH_FIELD=sAMAccountName
       #
       # Used for pagination (0=unlimited)
-      #- LDAP_SEARCH_PAGE_SIZE=0
+      - LDAP_SEARCH_PAGE_SIZE=0
       #
       # The limit number of entries (0=unlimited)
-      #- LDAP_SEARCH_SIZE_LIMIT=0
+      - LDAP_SEARCH_SIZE_LIMIT=0
       #
-      # Enable group filtering. Note the authenticated ldap user must be able to query all relevant group data with own login data from ldap.
+      # Enable group filtering
-      #- LDAP_GROUP_FILTER_ENABLE=false
+      - LDAP_GROUP_FILTER_ENABLE=false
       #
       # The object class for filtering. Example: group
-      #- LDAP_GROUP_FILTER_OBJECTCLASS=
+      # - LDAP_GROUP_FILTER_OBJECTCLASS=person
       #
-      # The attribute of a group identifying it. Example: cn
+      # - LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE=cn
-      #- LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE=
       #
-      # The attribute inside a group object listing its members. Example: member
       # - LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE=
       #
-      # The format of the value of LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE. Example: 'dn' if the users dn ist saved as value into the attribute.
       # - LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT=
       #
-      # The group name (id) that matches all users.
       # - LDAP_GROUP_FILTER_GROUP_NAME=
       #
       # LDAP_UNIQUE_IDENTIFIER_FIELD : This field is sometimes class GUID (Globally Unique Identifier). Example: guid
@@ -534,47 +526,47 @@ services:
       #- LDAP_UTF8_NAMES_SLUGIFY=true
       #
       # LDAP_USERNAME_FIELD : Which field contains the ldap username. username / sAMAccountName
-      #- LDAP_USERNAME_FIELD=sAMAccountName
+      - LDAP_USERNAME_FIELD=sAMAccountName
       #
       # LDAP_FULLNAME_FIELD : Which field contains the ldap fullname. fullname / sAMAccountName
-      #- LDAP_FULLNAME_FIELD=fullname
+      - LDAP_FULLNAME_FIELD=cn
       #
-      #- LDAP_MERGE_EXISTING_USERS=false
+      - LDAP_MERGE_EXISTING_USERS=true
       #
       # Allow existing account matching by e-mail address when username does not match
-      #- LDAP_EMAIL_MATCH_ENABLE=true
+      - LDAP_EMAIL_MATCH_ENABLE=true
       #
       # LDAP_EMAIL_MATCH_REQUIRE : require existing account matching by e-mail address when username does match
-      #- LDAP_EMAIL_MATCH_REQUIRE=true
+      - LDAP_EMAIL_MATCH_REQUIRE=false
       #
       # LDAP_EMAIL_MATCH_VERIFIED : require existing account email address to be verified for matching
-      #- LDAP_EMAIL_MATCH_VERIFIED=true
+      - LDAP_EMAIL_MATCH_VERIFIED=false
       #
       # LDAP_EMAIL_FIELD : which field contains the LDAP e-mail address
-      #- LDAP_EMAIL_FIELD=mail
+      - LDAP_EMAIL_FIELD=mail
       #-----------------------------------------------------------------
-      #- LDAP_SYNC_USER_DATA=false
+      - LDAP_SYNC_USER_DATA=true
       #
-      #- LDAP_SYNC_USER_DATA_FIELDMAP={"cn":"name", "mail":"email"}
+      - LDAP_SYNC_USER_DATA_FIELDMAP={"cn":"name", "mail":"email"}
       #
       #- LDAP_SYNC_GROUP_ROLES=''
       #
       # The default domain of the ldap it is used to create email if the field is not map correctly with the LDAP_SYNC_USER_DATA_FIELDMAP
       # example :
-      #- LDAP_DEFAULT_DOMAIN=mydomain.com
+      - LDAP_DEFAULT_DOMAIN=verband.creditreform.de
       #
       # Enable/Disable syncing of admin status based on ldap groups:
-      #- LDAP_SYNC_ADMIN_STATUS=true
+      - LDAP_SYNC_ADMIN_STATUS=false
       #
       # Comma separated list of admin group names to sync.
       #- LDAP_SYNC_ADMIN_GROUPS=group1,group2
       #---------------------------------------------------------------------
       # Login to LDAP automatically with HTTP header.
       # In below example for siteminder, at right side of = is header name.
-      #- HEADER_LOGIN_ID=HEADERUID
+      #- HEADER_LOGIN_ID=BNPPUID
-      #- HEADER_LOGIN_FIRSTNAME=HEADERFIRSTNAME
+      #- HEADER_LOGIN_FIRSTNAME=BNPPFIRSTNAME
-      #- HEADER_LOGIN_LASTNAME=HEADERLASTNAME
+      #- HEADER_LOGIN_LASTNAME=BNPPLASTNAME
-      #- HEADER_LOGIN_EMAIL=HEADEREMAILADDRESS
+      #- HEADER_LOGIN_EMAIL=BNPPEMAILADDRESS
       #---------------------------------------------------------------------
       # ==== LOGOUT TIMER, probably does not work yet ====
       # LOGOUT_WITH_TIMER : Enables or not the option logout with timer

packages/wekan-ldap/server/ldap.js

@@ -40,6 +40,8 @@ export default class LDAP {
       group_filter_group_member_attribute: this.constructor.settings_get('LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE'),
       group_filter_group_member_format   : this.constructor.settings_get('LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT'),
       group_filter_group_name            : this.constructor.settings_get('LDAP_GROUP_FILTER_GROUP_NAME'),
+      AD_Simple_Auth                     : this.constructor.settings_get('LDAP_AD_SIMPLE_AUTH'),
+      Default_Domain                     : this.constructor.settings_get('LDAP_DEFAULT_DOMAIN'),
     };
   }
 
@@ -225,9 +227,16 @@ export default class LDAP {
     }
 
 
-    if (!this.options.BaseDN) throw new Error('BaseDN is not provided');
+    if (!this.options.BaseDN && !this.options.AD_Simple_Auth) throw new Error('BaseDN is not provided');
 
-    const userDn = `${this.options.User_Authentication_Field}=${username},${this.options.BaseDN}`;
+    var userDn = "";
+    if (this.options.AD_Simple_Auth === true) {
+      userDn = `${username}@${this.options.Default_Domain}`;
+    } else {
+      userDn = `${this.options.User_Authentication_Field}=${username},${this.options.BaseDN}`;
+    }
+
+    log_info('Binding with User', userDn);
 
     this.bindSync(userDn, password);
     this.domainBinded = true;