Plume/Plume
9
18
Derivar 24
Código Questões 177 Pedidos de integração 8 Lançamentos 8 Wiki Trabalho

WIP attempt to do non anonymous ldap connect #908

aberta(s)
trinity-1686a quer integrar 1 cometimento do ramo ldap-non-anon no ramo main
puxar de: ldap-non-anon
integrar em: Plume:main
Diálogo 6 Cometimentos 1 Ficheiros modificados 2 +31 -1
trinity-1686a comentou 2021-02-21 14:36:30 +00:00
Proprietário(a)
Copiar ligação

attempt at fixing #902
@pwFoo could you test if it works for you?

attempt at fixing #902 @pwFoo could you test if it works for you?
trinity-1686a adicionou os rótulos
C: Enhancement
A: Backend
 2021-02-21 14:37:01 +00:00
pwFoo comentou 2021-02-21 19:59:50 +00:00
Contribuidor pela primeira vez
Copiar ligação

I have to finish some other tasks and need to learn how to compile project based on a pull request first...

I have to finish some other tasks and need to learn how to compile project based on a pull request first...
trinity-1686a comentou 2021-02-22 10:14:23 +00:00
Autor(a)
Proprietário(a)
Copiar ligação

If you know how to compile from sources, you can run git checkout ldap-non-anon before running cargo commands. You might need to run git fetch before git checkout if it does not find the branch

If you know how to compile from sources, you can run `git checkout ldap-non-anon` before running cargo commands. You might need to run `git fetch` before git checkout if it does not find the branch
pwFoo comentou 2021-02-22 13:46:51 +00:00
Contribuidor pela primeira vez
Copiar ligação

First a binddn is connected and than in a second step verify the real user.
Build is done, how to configure the additional LDAP parameters for bind?

First a binddn is connected and than in a second step verify the real user. Build is done, how to configure the additional LDAP parameters for bind?
trinity-1686a comentou 2021-02-22 14:18:25 +00:00
Autor(a)
Proprietário(a)
Copiar ligação

it's LDAP_USER and LDAP_PASSWORD, as environment variables or in .env

it's `LDAP_USER` and `LDAP_PASSWORD`, as environment variables or in .env
pwFoo comentou 2021-02-22 16:30:42 +00:00
Contribuidor pela primeira vez
Copiar ligação

Login works, but I think need some improvements.
I see the ldap query and can compare it with a working one. Looks like your implementation do two bindings instead of one?

plume ldap

6033d7ce conn=1007 fd=13 ACCEPT from IP=10.0.102.4:51806 (IP=0.0.0.0:389)
6033d7ce conn=1007 op=0 BIND dn="cn=binduser,dc=example,dc=com" method=128
6033d7ce conn=1007 op=0 BIND dn="cn=binduser,dc=example,dc=com" mech=SIMPLE ssf=0
6033d7ce conn=1007 op=0 RESULT tag=97 err=0 text=
6033d7ce conn=1007 op=1 BIND anonymous mech=implicit ssf=0
6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" method=128
6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0
6033d7ce connection_input: conn=1007 deferring operation: binding
6033d7ce conn=1007 op=1 RESULT tag=97 err=0 text=
6033d7ce conn=1007 op=2 SRCH base="uid=myuser,ou=users,dc=example,dc=com" scope=0 deref=0 filter="(|(objectClass=person)(?objectClass=user))"
6033d7ce conn=1007 op=2 SRCH attr=email
6033d7ce conn=1007 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
6033d7ce conn=1007 op=3 UNBIND
6033d7ce conn=1007 fd=13 closed

Working application

6033d751 conn=1006 fd=12 ACCEPT from IP=10.0.102.4:47932 (IP=0.0.0.0:389)
6033d751 conn=1006 op=0 BIND dn="cn=binduser,dc=example,dc=com" method=128
6033d752 conn=1006 op=0 BIND dn="cn=binduser,dc=example,dc=com" mech=SIMPLE ssf=0
6033d752 conn=1006 op=0 RESULT tag=97 err=0 text=
6033d752 conn=1006 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(memberOf=cn=group1,ou=groups,dc=example,dc=com)(uid=myuser))"
6033d752 conn=1006 op=1 SRCH attr=dn
6033d752 conn=1006 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
6033d752 conn=1006 op=2 BIND anonymous mech=implicit ssf=0
6033d752 conn=1006 op=2 BIND dn="uid=ahg,ou=users,dc=example,dc=com" method=128
6033d752 conn=1006 op=2 BIND dn="uid=ahg,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0

ToDo

1. Rename bind user ENV

LDAP_BINDDN   # == bind user
LDAP_BINDPW   # == bind user pw

2. That part should be removed! Second bind!

6033d7ce conn=1007 op=1 BIND anonymous mech=implicit ssf=0
6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" method=128
6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0
6033d7ce connection_input: conn=1007 deferring operation: binding

3. search filter
Binded user need to search for the "real" user. And the search filter need to be configurable like that filter part

6033d752 conn=1006 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(memberOf=cn=group1,ou=groups,dc=example,dc=com)(uid=myuser))"

LDAP_FILTER example. search attribute is given by (uid=%u) part and %u is replaced by the login user name.

LDAP_FILTER='(&(objectClass=posixAccount)(memberof=cn=<groupname>,ou=groups,dc=example,dc=com)(uid=%u))'

Configurable search base and search filter would be most flexible I think?

Login works, but I think need some improvements. I see the ldap query and can compare it with a working one. Looks like your implementation do two bindings instead of one? plume ldap ``` 6033d7ce conn=1007 fd=13 ACCEPT from IP=10.0.102.4:51806 (IP=0.0.0.0:389) 6033d7ce conn=1007 op=0 BIND dn="cn=binduser,dc=example,dc=com" method=128 6033d7ce conn=1007 op=0 BIND dn="cn=binduser,dc=example,dc=com" mech=SIMPLE ssf=0 6033d7ce conn=1007 op=0 RESULT tag=97 err=0 text= 6033d7ce conn=1007 op=1 BIND anonymous mech=implicit ssf=0 6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" method=128 6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0 6033d7ce connection_input: conn=1007 deferring operation: binding 6033d7ce conn=1007 op=1 RESULT tag=97 err=0 text= 6033d7ce conn=1007 op=2 SRCH base="uid=myuser,ou=users,dc=example,dc=com" scope=0 deref=0 filter="(|(objectClass=person)(?objectClass=user))" 6033d7ce conn=1007 op=2 SRCH attr=email 6033d7ce conn=1007 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= 6033d7ce conn=1007 op=3 UNBIND 6033d7ce conn=1007 fd=13 closed ``` Working application ``` 6033d751 conn=1006 fd=12 ACCEPT from IP=10.0.102.4:47932 (IP=0.0.0.0:389) 6033d751 conn=1006 op=0 BIND dn="cn=binduser,dc=example,dc=com" method=128 6033d752 conn=1006 op=0 BIND dn="cn=binduser,dc=example,dc=com" mech=SIMPLE ssf=0 6033d752 conn=1006 op=0 RESULT tag=97 err=0 text= 6033d752 conn=1006 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(memberOf=cn=group1,ou=groups,dc=example,dc=com)(uid=myuser))" 6033d752 conn=1006 op=1 SRCH attr=dn 6033d752 conn=1006 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= 6033d752 conn=1006 op=2 BIND anonymous mech=implicit ssf=0 6033d752 conn=1006 op=2 BIND dn="uid=ahg,ou=users,dc=example,dc=com" method=128 6033d752 conn=1006 op=2 BIND dn="uid=ahg,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0 ``` ## ToDo **1. Rename bind user ENV** ``` LDAP_BINDDN # == bind user LDAP_BINDPW # == bind user pw ``` **2. That part should be removed! Second bind!** ``` 6033d7ce conn=1007 op=1 BIND anonymous mech=implicit ssf=0 6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" method=128 6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0 6033d7ce connection_input: conn=1007 deferring operation: binding ``` **3. search filter** Binded user need to search for the "real" user. And the **search filter** need to be configurable like that **filter** part ``` 6033d752 conn=1006 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(memberOf=cn=group1,ou=groups,dc=example,dc=com)(uid=myuser))" ``` *LDAP_FILTER* example. search attribute is given by `(uid=%u)` part and `%u` is replaced by the login user name. ``` LDAP_FILTER='(&(objectClass=posixAccount)(memberof=cn=<groupname>,ou=groups,dc=example,dc=com)(uid=%u))' ``` Configurable search base and search filter would be most flexible I think?
pwFoo comentou 2021-02-27 08:55:20 +00:00
Contribuidor pela primeira vez
Copiar ligação

Hi @trinity-1686a,
what do you think about the suggested changes?

Hi @trinity-1686a, what do you think about the suggested changes?
Este pedido de integração ainda não tem aprovações suficientes. Já foram concedidas 0 de um total de 1 aprovações.
Este ramo é obsoleto em relação ao ramo base
Não tem autorização para executar a integração constante neste pedido.
Ver instruções para a linha de comandos

Conferir

No seu repositório, irá criar um novo ramo para que possa testar as modificações.
git fetch -u origin ldap-non-anon:ldap-non-anon
git checkout ldap-non-anon
Inicie a sessão para participar neste diálogo.
Revisores
Sem revisores
Rótulos
Retirar rótulos   
A: API

Related to the REST API

  
A: Backend

Code running on the server

  
A: Federation

Stuff related to Federation

  
A: Front-End

Related to the front-end

  
A: I18N

Translations, and related code

  
A: Meta

More about project management or code than the project itself

  
A: Security

   
Build

The building, or installation process of Plume

  
C: Bug

Something isn't working

  
C: Discussion

We need to talk

  
C: Enhancement

New feature or request

  
C: Feature

This is a new feature

  
Compatibility

Compatibility with different browsers, readers and OS

  
Dependency

Related to an external package that Plume uses

  
Design

UI/UX related issues and PRs

  
Documentation

   
Good first issue

Good for newcomers

  
Help welcome

Extra attention is needed

  
Mobile

Issues affecting only mobile UX

  
Rendering

How elements're rendered out for the end user

  
S: Blocked

Something else needs to be fixed first

  
S: Duplicate

This issue or pull request already exists

  
S: Incomplete

This PR is not complete yet

  
S: Instance specific

Issues concern a limited number of instances

  
S: Invalid

This doesn't seem right

  
S: Needs Voting/Discussion

Need to be discussed by the community (on Loomio)

  
S: Ready for review

This PR is ready to be reviewed

  
Suggestion

Proposed ideas worth considering

  
S: Voted on Loomio

This is issue has been created after a vote on Loomio

  
S: Wontfix

This will not be worked on

Sem rótulos
A: API
A: Backend
A: Federation
A: Front-End
A: I18N
A: Meta
A: Security
Build
C: Bug
C: Discussion
C: Enhancement
C: Feature
Compatibility
Dependency
Design
Documentation
Good first issue
Help welcome
Mobile
Rendering
S: Blocked
S: Duplicate
S: Incomplete
S: Instance specific
S: Invalid
S: Needs Voting/Discussion
S: Ready for review
Suggestion
S: Voted on Loomio
S: Wontfix
Etapa
Limpar etapa
Sem itens
Sem etapa
Planeamentos
Limpar planeamentos
Sem itens
Nenhum planeamento
Encarregados
Retirar todos os encarregados
Sem encarregados
2 Participantes
Notificações
Data de vencimento
A data de vencimento é inválida ou está fora do intervalo permitido. Por favor, use o formato "aaaa-mm-dd".

Sem data de vencimento definida.

Dependências

Não estão definidas dependências.

Referência: Plume/Plume#908
Nenhuma descrição fornecida.
Eliminar o ramo "ldap-non-anon"

Eliminar um ramo é algo permanente. Embora o ramo eliminado possa continuar a existir por um breve período de tempo antes de ser realmente removido, a operação NÃO PODERÁ ser desfeita na maioria dos casos. Quer continuar?