implement login via LDAP #826
Manually merged: trinity-1686a merged 6 commits from ldap into main 4 years ago
Reference: Plume/Plume#826
fix #312
why would you get rid of this?
It has been added back in the model, inside login()
Title changed from "WIP: implement login via LDAP" to "implement login via LDAP" 4 years ago
I've tested the implementation against Bottin, however I'm not sure how to add tests that can be run automatically.
Once this is merged, I'll add the new environment variables to the docs.
I've looked at this now and have left a few comments.
I like the general look and feel!
@ -172,0 +176,4 @@
dependencies = [
"proc-macro2 1.0.18 (registry+https://github.com/rust-lang/crates.io-index)",
"quote 1.0.7 (registry+https://github.com/rust-lang/crates.io-index)",
"syn 1.0.34 (registry+https://github.com/rust-lang/crates.io-index)",
we should upgrade our own dependencies of these packages to 1.x
@ -243,0 +268,4 @@
user_name_attr,
mail_attr,
})
} else if addr.is_some() && base_dn.is_some() {
if addr and base_dn is_some()…
@ -243,0 +269,4 @@
mail_attr,
})
} else if addr.is_some() && base_dn.is_some() {
panic!("Invalid LDAP configuration : both LDAP_ADDR and LDAP_BASE_DN must be set")
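Review bot: the guard on the else if line, addr.is_some() && base_dn.is_some(), is true only when both variables are set, yet the panic message says that both must be set, so the check and the message contradict each other. If this branch is meant to catch a half-configured LDAP setup (exactly one of LDAP_ADDR and LDAP_BASE_DN present), the condition should be addr.is_some() || base_dn.is_some(), evaluated after the branch that handles the fully configured case. Failing at startup on a partial configuration is preferable to silently disabling LDAP, so the panic itself is worth keeping.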
we panic, because both of those must be set??!
Hum there is a mistake making this code unreachable. If both are set, it will take the first if, if only one is set, it should take the else if (which is not the case, I'll change that), I consider that invalid as both an addr and a base_dn are required, and there is no good default value (contrary to other vars), and finally the else is to disable ldap when none is configured
@ -300,0 +300,4 @@
let bind = ldap_conn
.simple_bind(&ldap_name, password)
.map_err(|_| Error::NotFound)?;
if bind.success().is_ok() {
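Review bot: on the simple_bind call, nothing in these lines rejects an empty password before it is sent to the directory. RFC 4513 section 5.1.2 defines a simple bind with a DN and a zero-length password as an unauthenticated bind, which some servers answer with success, so bind.success().is_ok() could hold without the user proving anything; return early on password.is_empty() before binding unless that check already sits above this hunk. Separately, map_err(|_| Error::NotFound) reports a connection or protocol failure the same way as a wrong password; keep NotFound for the caller but log the underlying error so an unreachable directory is visible to the operator.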
if we use ldap as user-database, we could do the ldap bind once, and then pass around a connection…
…well… an Arc<Mutex<LdapConn>>
We could, that's more or less what I was doing on a draft a few months ago, but I lost it, and I'm not sure how much it would be helpful. Sure we use it as a user database, but we only consult it on login/account creation, so not exactly a bottleneck
@ -300,0 +333,4 @@
Err(Error::NotFound)
}
} else {
Err(Error::NotFound)
would it be possible to do these as if not tests, so we don't nest four levels deep until we get to the actual code.
@ -300,0 +358,4 @@
}
}
pub fn login(conn: &Connection, ident: &str, password: &str) -> Result<User> {
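Review bot: pub fn login is added without a doc comment. It now looks like the single entry point for checking credentials, so it should state which backend (local password or LDAP bind) is tried first, what happens when the identifier exists in only one of them, and whether every failure is returned as the same error so that a caller cannot tell an unknown user from a wrong password.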
can you please document where in this code we now fake the login check to prevent timing attacks?
I can't seem to see it in this code.
@ -300,0 +361,4 @@
pub fn login(conn: &Connection, ident: &str, password: &str) -> Result<User> {
let local_id = Instance::get_local()?.id;
let user = User::find_by_email(conn, ident)
.or_else(|_| User::find_by_name(conn, ident, local_id))
these…
@ -300,0 +362,4 @@
let local_id = Instance::get_local()?.id;
let user = User::find_by_email(conn, ident)
.or_else(|_| User::find_by_name(conn, ident, local_id))
.and_then(|u| {
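Review bot: .or_else(|_| User::find_by_name(conn, ident, local_id)) discards whatever error find_by_email returned, so a database failure during the email lookup is handled like "no such email" and falls through to the name lookup. Match on the not-found case explicitly and propagate anything else with ?. The same ident is tried first as an email and then as a local username; a short comment stating that the email match wins when both could apply would make the precedence explicit.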
…are going to be pain with async code
can we preemptively turn this into a match?
I wasn't 100% sure what you meant, if the result doesn't fit your expectations, please tell
👍
I'm not sure why gitea says "❌ Some required checks are missing". May I still merge it?
@trinity-1686a yes, please do
Manually merged as 9ec2d93f50 into main 4 years ago.