WIP attempt to do non anonymous ldap connect #908

オープン

trinity-1686a ldap-non-anon から 1 件のコミットを main へマージしたい

プル元: ldap-non-anon

マージ先: Plume:main

Plume:main

Plume:1686a/resist-gone-sender

Plume:1686a/fast-fill

Plume:paginate-search-init

Plume:s3

Plume:fix-delete-user

Plume:timeline-cli

Plume:blog-title

Plume:signature

Plume:remove-dup-images

Plume:drone-ci

Plume:DearRude/force-lang

Plume:igalic/go/async-all-mut

Plume:go/async

Plume:floreal/translations-update

Plume:missing-docs

Plume:RAOF/fix-arm64-build

Plume:epsilon-phase/authorized-fetch

Plume:upgrade

Plume:improve-the-editor-once-again

Plume:igalic/feat/custom-fairing-domains

Plume:feature/ldap

Plume:test/dotenv_error

Plume:fix-mobile-margin

会話 6 コミット 1 変更されたファイル 2 +31 -1

trinity-1686a がコメント 2021-02-21 14:36:30 +00:00

オーナー

リンクをコピー

attempt at fixing #902
@pwFoo could you test if it works for you?

attempt at fixing #902 @pwFoo could you test if it works for you?

trinity-1686a がラベル

C: Enhancement

A: Backend

を追加 2021-02-21 14:37:01 +00:00

pwFoo がコメント 2021-02-21 19:59:50 +00:00

初めての貢献者

リンクをコピー

I have to finish some other tasks and need to learn how to compile project based on a pull request first...

I have to finish some other tasks and need to learn how to compile project based on a pull request first...

trinity-1686a がコメント 2021-02-22 10:14:23 +00:00

作成者

オーナー

リンクをコピー

If you know how to compile from sources, you can run git checkout ldap-non-anon before running cargo commands. You might need to run git fetch before git checkout if it does not find the branch

If you know how to compile from sources, you can run `git checkout ldap-non-anon` before running cargo commands. You might need to run `git fetch` before git checkout if it does not find the branch

pwFoo がコメント 2021-02-22 13:46:51 +00:00

初めての貢献者

リンクをコピー

First a binddn is connected and than in a second step verify the real user.
Build is done, how to configure the additional LDAP parameters for bind?

First a binddn is connected and than in a second step verify the real user. Build is done, how to configure the additional LDAP parameters for bind?

trinity-1686a がコメント 2021-02-22 14:18:25 +00:00

作成者

オーナー

リンクをコピー

it's LDAP_USER and LDAP_PASSWORD, as environment variables or in .env

it's `LDAP_USER` and `LDAP_PASSWORD`, as environment variables or in .env

pwFoo がコメント 2021-02-22 16:30:42 +00:00

初めての貢献者

リンクをコピー

Login works, but I think need some improvements.
I see the ldap query and can compare it with a working one. Looks like your implementation do two bindings instead of one?

plume ldap

6033d7ce conn=1007 fd=13 ACCEPT from IP=10.0.102.4:51806 (IP=0.0.0.0:389)
6033d7ce conn=1007 op=0 BIND dn="cn=binduser,dc=example,dc=com" method=128
6033d7ce conn=1007 op=0 BIND dn="cn=binduser,dc=example,dc=com" mech=SIMPLE ssf=0
6033d7ce conn=1007 op=0 RESULT tag=97 err=0 text=
6033d7ce conn=1007 op=1 BIND anonymous mech=implicit ssf=0
6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" method=128
6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0
6033d7ce connection_input: conn=1007 deferring operation: binding
6033d7ce conn=1007 op=1 RESULT tag=97 err=0 text=
6033d7ce conn=1007 op=2 SRCH base="uid=myuser,ou=users,dc=example,dc=com" scope=0 deref=0 filter="(|(objectClass=person)(?objectClass=user))"
6033d7ce conn=1007 op=2 SRCH attr=email
6033d7ce conn=1007 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
6033d7ce conn=1007 op=3 UNBIND
6033d7ce conn=1007 fd=13 closed

Working application

6033d751 conn=1006 fd=12 ACCEPT from IP=10.0.102.4:47932 (IP=0.0.0.0:389)
6033d751 conn=1006 op=0 BIND dn="cn=binduser,dc=example,dc=com" method=128
6033d752 conn=1006 op=0 BIND dn="cn=binduser,dc=example,dc=com" mech=SIMPLE ssf=0
6033d752 conn=1006 op=0 RESULT tag=97 err=0 text=
6033d752 conn=1006 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(memberOf=cn=group1,ou=groups,dc=example,dc=com)(uid=myuser))"
6033d752 conn=1006 op=1 SRCH attr=dn
6033d752 conn=1006 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
6033d752 conn=1006 op=2 BIND anonymous mech=implicit ssf=0
6033d752 conn=1006 op=2 BIND dn="uid=ahg,ou=users,dc=example,dc=com" method=128
6033d752 conn=1006 op=2 BIND dn="uid=ahg,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0

ToDo

1. Rename bind user ENV

LDAP_BINDDN   # == bind user
LDAP_BINDPW   # == bind user pw

2. That part should be removed! Second bind!

6033d7ce conn=1007 op=1 BIND anonymous mech=implicit ssf=0
6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" method=128
6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0
6033d7ce connection_input: conn=1007 deferring operation: binding

3. search filter
Binded user need to search for the "real" user. And the search filter need to be configurable like that filter part

6033d752 conn=1006 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(memberOf=cn=group1,ou=groups,dc=example,dc=com)(uid=myuser))"

LDAP_FILTER example. search attribute is given by (uid=%u) part and %u is replaced by the login user name.

LDAP_FILTER='(&(objectClass=posixAccount)(memberof=cn=<groupname>,ou=groups,dc=example,dc=com)(uid=%u))'

Configurable search base and search filter would be most flexible I think?

Login works, but I think need some improvements. I see the ldap query and can compare it with a working one. Looks like your implementation do two bindings instead of one? plume ldap ``` 6033d7ce conn=1007 fd=13 ACCEPT from IP=10.0.102.4:51806 (IP=0.0.0.0:389) 6033d7ce conn=1007 op=0 BIND dn="cn=binduser,dc=example,dc=com" method=128 6033d7ce conn=1007 op=0 BIND dn="cn=binduser,dc=example,dc=com" mech=SIMPLE ssf=0 6033d7ce conn=1007 op=0 RESULT tag=97 err=0 text= 6033d7ce conn=1007 op=1 BIND anonymous mech=implicit ssf=0 6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" method=128 6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0 6033d7ce connection_input: conn=1007 deferring operation: binding 6033d7ce conn=1007 op=1 RESULT tag=97 err=0 text= 6033d7ce conn=1007 op=2 SRCH base="uid=myuser,ou=users,dc=example,dc=com" scope=0 deref=0 filter="(|(objectClass=person)(?objectClass=user))" 6033d7ce conn=1007 op=2 SRCH attr=email 6033d7ce conn=1007 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= 6033d7ce conn=1007 op=3 UNBIND 6033d7ce conn=1007 fd=13 closed ``` Working application ``` 6033d751 conn=1006 fd=12 ACCEPT from IP=10.0.102.4:47932 (IP=0.0.0.0:389) 6033d751 conn=1006 op=0 BIND dn="cn=binduser,dc=example,dc=com" method=128 6033d752 conn=1006 op=0 BIND dn="cn=binduser,dc=example,dc=com" mech=SIMPLE ssf=0 6033d752 conn=1006 op=0 RESULT tag=97 err=0 text= 6033d752 conn=1006 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(memberOf=cn=group1,ou=groups,dc=example,dc=com)(uid=myuser))" 6033d752 conn=1006 op=1 SRCH attr=dn 6033d752 conn=1006 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= 6033d752 conn=1006 op=2 BIND anonymous mech=implicit ssf=0 6033d752 conn=1006 op=2 BIND dn="uid=ahg,ou=users,dc=example,dc=com" method=128 6033d752 conn=1006 op=2 BIND dn="uid=ahg,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0 ``` ## ToDo **1. Rename bind user ENV** ``` LDAP_BINDDN # == bind user LDAP_BINDPW # == bind user pw ``` **2. That part should be removed! Second bind!** ``` 6033d7ce conn=1007 op=1 BIND anonymous mech=implicit ssf=0 6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" method=128 6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0 6033d7ce connection_input: conn=1007 deferring operation: binding ``` **3. search filter** Binded user need to search for the "real" user. And the **search filter** need to be configurable like that **filter** part ``` 6033d752 conn=1006 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(memberOf=cn=group1,ou=groups,dc=example,dc=com)(uid=myuser))" ``` *LDAP_FILTER* example. search attribute is given by `(uid=%u)` part and `%u` is replaced by the login user name. ``` LDAP_FILTER='(&(objectClass=posixAccount)(memberof=cn=<groupname>,ou=groups,dc=example,dc=com)(uid=%u))' ``` Configurable search base and search filter would be most flexible I think?

pwFoo がコメント 2021-02-27 08:55:20 +00:00

初めての貢献者

リンクをコピー

Hi @trinity-1686a,
what do you think about the suggested changes?

Hi @trinity-1686a, what do you think about the suggested changes?

このプルリクエストはまだ承認数が足りません。 0/1の承認を得ています。

このブランチはベースブランチに対して最新ではありません

このプルリクエストをマージする権限がありません。

コマンドラインの手順を表示

チェックアウト

プロジェクトリポジトリから新しいブランチをチェックアウトし、変更内容をテストします。

git fetch -u origin ldap-non-anon:ldap-non-anon

git checkout ldap-non-anon

サインインしてこの会話に参加。

レビューア

レビューアなし

ラベル

ラベルをクリア   

A: API

Related to the REST API

  

A: Backend

Code running on the server

  

A: Federation

Stuff related to Federation

  

A: Front-End

Related to the front-end

  

A: I18N

Translations, and related code

  

A: Meta

More about project management or code than the project itself

  

A: Security

  

Build

The building, or installation process of Plume

  

C: Bug

Something isn't working

  

C: Discussion

We need to talk

  

C: Enhancement

New feature or request

  

C: Feature

This is a new feature

  

Compatibility

Compatibility with different browsers, readers and OS

  

Dependency

Related to an external package that Plume uses

  

Design

UI/UX related issues and PRs

  

Documentation

  

Good first issue

Good for newcomers

  

Help welcome

Extra attention is needed

  

Mobile

Issues affecting only mobile UX

  

Rendering

How elements're rendered out for the end user

  

S: Blocked

Something else needs to be fixed first

  

S: Duplicate

This issue or pull request already exists

  

S: Incomplete

This PR is not complete yet

  

S: Instance specific

Issues concern a limited number of instances

  

S: Invalid

This doesn't seem right

  

S: Needs Voting/Discussion

Need to be discussed by the community (on Loomio)

  

S: Ready for review

This PR is ready to be reviewed

  

Suggestion

Proposed ideas worth considering

  

S: Voted on Loomio

This is issue has been created after a vote on Loomio

  

S: Wontfix

This will not be worked on

ラベルなし

A: API

A: Backend

A: Federation

A: Front-End

A: I18N

A: Meta

A: Security

Build

C: Bug

C: Discussion

C: Enhancement

C: Feature

Compatibility

Dependency

Design

Documentation

Good first issue

Help welcome

Mobile

Rendering

S: Blocked

S: Duplicate

S: Incomplete

S: Instance specific

S: Invalid

S: Needs Voting/Discussion

S: Ready for review

Suggestion

S: Voted on Loomio

S: Wontfix

マイルストーン

マイルストーンをクリア

項目なし

マイルストーンなし

プロジェクト

プロジェクトをクリア

項目なし

プロジェクトなし

担当者

担当者をクリア

担当者なし

2 人の参加者

通知

購読する

期日

期日が正しくないか範囲を超えています。 "yyyy-mm-dd" の形式で入力してください。

期日は未設定です。

依存関係

依存関係が設定されていません。

リファレンス: Plume/Plume#908

説明はありません。