
WIP attempt to do non anonymous ldap connect #908

Open
trinity-1686a wants to merge 1 commit from ldap-non-anon into main
Owner

attempt at fixing #902
@pwFoo could you test if it works for you?

trinity-1686a added the labels
C: Enhancement
A: Backend
3 years ago
pwFoo commented 3 years ago

I have to finish some other tasks and need to learn how to compile project based on a pull request first...

trinity-1686a (Poster, Owner)

If you know how to compile from sources, you can run `git checkout ldap-non-anon` before running cargo commands. You might need to run `git fetch` before git checkout if it does not find the branch
pwFoo commented 3 years ago

First a binddn is connected and then in a second step verify the real user.
Build is done, how to configure the additional LDAP parameters for bind?
trinity-1686a (Poster, Owner)

it's `LDAP_USER` and `LDAP_PASSWORD`, as environment variables or in .env
pwFoo commented 3 years ago

Login works, but I think it needs some improvements.
I see the ldap query and can compare it with a working one. Looks like your implementation does two bindings instead of one?

plume ldap

```
6033d7ce conn=1007 fd=13 ACCEPT from IP=10.0.102.4:51806 (IP=0.0.0.0:389)
6033d7ce conn=1007 op=0 BIND dn="cn=binduser,dc=example,dc=com" method=128
6033d7ce conn=1007 op=0 BIND dn="cn=binduser,dc=example,dc=com" mech=SIMPLE ssf=0
6033d7ce conn=1007 op=0 RESULT tag=97 err=0 text=
6033d7ce conn=1007 op=1 BIND anonymous mech=implicit ssf=0
6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" method=128
6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0
6033d7ce connection_input: conn=1007 deferring operation: binding
6033d7ce conn=1007 op=1 RESULT tag=97 err=0 text=
6033d7ce conn=1007 op=2 SRCH base="uid=myuser,ou=users,dc=example,dc=com" scope=0 deref=0 filter="(|(objectClass=person)(?objectClass=user))"
6033d7ce conn=1007 op=2 SRCH attr=email
6033d7ce conn=1007 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
6033d7ce conn=1007 op=3 UNBIND
6033d7ce conn=1007 fd=13 closed
```

Working application

```
6033d751 conn=1006 fd=12 ACCEPT from IP=10.0.102.4:47932 (IP=0.0.0.0:389)
6033d751 conn=1006 op=0 BIND dn="cn=binduser,dc=example,dc=com" method=128
6033d752 conn=1006 op=0 BIND dn="cn=binduser,dc=example,dc=com" mech=SIMPLE ssf=0
6033d752 conn=1006 op=0 RESULT tag=97 err=0 text=
6033d752 conn=1006 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(memberOf=cn=group1,ou=groups,dc=example,dc=com)(uid=myuser))"
6033d752 conn=1006 op=1 SRCH attr=dn
6033d752 conn=1006 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
6033d752 conn=1006 op=2 BIND anonymous mech=implicit ssf=0
6033d752 conn=1006 op=2 BIND dn="uid=ahg,ou=users,dc=example,dc=com" method=128
6033d752 conn=1006 op=2 BIND dn="uid=ahg,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0
```

## ToDo

**1. Rename bind user ENV**

```
LDAP_BINDDN   # == bind user
LDAP_BINDPW   # == bind user pw
```

**2. That part should be removed! Second bind!**

```
6033d7ce conn=1007 op=1 BIND anonymous mech=implicit ssf=0
6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" method=128
6033d7ce conn=1007 op=1 BIND dn="uid=myuser,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0
6033d7ce connection_input: conn=1007 deferring operation: binding
```

**3. search filter**

The bound user needs to search for the "real" user. And the **search filter** needs to be configurable, like that **filter** part

```
6033d752 conn=1006 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(memberOf=cn=group1,ou=groups,dc=example,dc=com)(uid=myuser))"
```

*LDAP_FILTER* example. The search attribute is given by the `(uid=%u)` part and `%u` is replaced by the login user name.

```
LDAP_FILTER='(&(objectClass=posixAccount)(memberof=cn=<groupname>,ou=groups,dc=example,dc=com)(uid=%u))'
```

Configurable search base and search filter would be most flexible I think?

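Added example, not Plume's code and not from either participant: the service bind, search, user bind sequence shown in the "Working application" log above, written in Rust against a fake in-memory directory so it runs offline (the directory, its passwords and the helper names `fake_bind`, `fake_search`, `sample_directory` and `sample_config` are assumptions; the DNs and the filter are the ones from the logs). Two points a reviewer would want settled before a configurable `LDAP_FILTER` is merged: the login name must be escaped per RFC 4515 before it replaces `%u`, otherwise a login such as `*)(uid=*` rewrites the filter; and the bind as the DN the search returned is the step that actually verifies the password, since with only the service-account bind anyone who knows a valid `uid` would be let in. The slapd line `BIND anonymous mech=implicit` is what the server logs when it starts processing a new bind on a connection that is already bound; it is not an extra request from the client. The example also refuses an empty password before binding, because a DN with no password is an unauthenticated bind that some servers answer with success (RFC 4513 section 5.1.2); the fake directory models that behaviour.

```rust
// Added example, not Plume's code: service bind -> search -> user bind, with
// the login name escaped per RFC 4515 before it replaces `%u` in LDAP_FILTER.
// The directory is a fake in-memory one (an assumption, so this runs offline)
// that understands only a conjunction of `(attr=value)` equality assertions.
use std::collections::HashMap;

/// One directory entry; attribute names are stored lowercased.
pub struct Entry { pub dn: String, pub password: String, pub attrs: HashMap<String, Vec<String>> }

/// LDAP_BINDDN, LDAP_BINDPW, the search base and the LDAP_FILTER template.
pub struct LdapConfig { pub bind_dn: String, pub bind_pw: String, pub base: String, pub filter: String }

/// Escape a value for use inside an LDAP filter (RFC 4515 section 3).
/// Without this, a login of `*)(uid=*` would rewrite the filter itself.
pub fn escape_filter_value(v: &str) -> String {
    let mut out = String::with_capacity(v.len());
    for c in v.chars() {
        if matches!(c, '*' | '(' | ')' | '\\' | '\0') { out.push_str(&format!("\\{:02x}", c as u32)) } else { out.push(c) }
    }
    out
}

/// Substitute the escaped login name into the configured filter template.
pub fn build_filter(template: &str, login: &str) -> String {
    template.replace("%u", &escape_filter_value(login))
}

/// Fake server side: reverse of the escaping above (`\xx` -> byte).
fn unescape(v: &str) -> String {
    let (b, mut out, mut i) = (v.as_bytes(), Vec::new(), 0);
    while i < b.len() {
        let hex = if b[i] == b'\\' && i + 2 < b.len() { std::str::from_utf8(&b[i + 1..i + 3]).ok() } else { None };
        match hex.and_then(|h| u8::from_str_radix(h, 16).ok()) {
            Some(byte) => { out.push(byte); i += 3; }
            None => { out.push(b[i]); i += 1; }
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Fake server side: pull every `(attr=value)` assertion out of a filter.
fn assertions(filter: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    for part in filter.split('(').skip(1) {
        let end = match part.find(')') { Some(e) => e, None => continue };
        if let Some((attr, value)) = part[..end].split_once('=') {
            out.push((attr.to_ascii_lowercase(), unescape(value)));
        }
    }
    out
}

/// Fake simple bind. Models the RFC 4513 pitfall: a DN with an empty
/// password is an unauthenticated bind, which some servers answer with success.
pub fn fake_bind(dir: &[Entry], dn: &str, password: &str) -> bool {
    password.is_empty() || dir.iter().any(|e| e.dn == dn && e.password == password)
}

/// Fake subtree search returning the DNs under `base` matching every assertion.
pub fn fake_search(dir: &[Entry], base: &str, filter: &str) -> Vec<String> {
    let wanted = assertions(filter);
    dir.iter()
        .filter(|e| e.dn.ends_with(base))
        .filter(|e| wanted.iter().all(|(a, v)| e.attrs.get(a).map_or(false, |vals| vals.contains(v))))
        .map(|e| e.dn.clone())
        .collect()
}

/// Service bind, search for exactly one user, then bind as that user; the
/// second bind is what actually checks the password.
pub fn ldap_login(dir: &[Entry], cfg: &LdapConfig, login: &str, password: &str) -> Result<String, &'static str> {
    if password.is_empty() { return Err("empty password would be an unauthenticated bind"); }
    if !fake_bind(dir, &cfg.bind_dn, &cfg.bind_pw) { return Err("service account bind failed"); }
    let hits = fake_search(dir, &cfg.base, &build_filter(&cfg.filter, login));
    if hits.len() != 1 { return Err("user not found or ambiguous"); }
    if fake_bind(dir, &hits[0], password) { Ok(hits[0].clone()) } else { Err("bad credentials") }
}

fn entry(dn: &str, pw: &str, uid: &str, groups: &[&str]) -> Entry {
    let attrs = HashMap::from([
        ("objectclass".to_string(), vec!["posixAccount".to_string()]),
        ("uid".to_string(), vec![uid.to_string()]),
        ("memberof".to_string(), groups.iter().map(|g| g.to_string()).collect()),
    ]);
    Entry { dn: dn.to_string(), password: pw.to_string(), attrs }
}

/// Constructed directory and config using the DNs and filter from the logs;
/// the passwords are invented for the example.
pub fn sample_directory() -> Vec<Entry> {
    vec![
        entry("cn=binduser,dc=example,dc=com", "bind-secret", "binduser", &[]),
        entry("uid=myuser,ou=users,dc=example,dc=com", "hunter2", "myuser", &["cn=group1,ou=groups,dc=example,dc=com"]),
        entry("uid=bob,ou=users,dc=example,dc=com", "letmein", "bob", &[]),
    ]
}

pub fn sample_config() -> LdapConfig {
    let filter = "(&(objectClass=posixAccount)(memberOf=cn=group1,ou=groups,dc=example,dc=com)(uid=%u))";
    LdapConfig { bind_dn: "cn=binduser,dc=example,dc=com".into(), bind_pw: "bind-secret".into(),
                 base: "ou=users,dc=example,dc=com".into(), filter: filter.into() }
}
```

`ldap_login(&sample_directory(), &sample_config(), "myuser", "hunter2")` returns the user's DN; the same call with `"bob"` fails because the `memberOf` clause of the filter excludes him, and a login of `"*)(uid=*"` fails because the escaped value matches no `uid` rather than widening the search. Against a real server the two fake functions are replaced by the client library's simple bind and subtree search; the escaping, the single-result check and the empty-password refusal stay the same.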
pwFoo commented 3 years ago

Hi @trinity-1686a,
what do you think about the suggested changes?

This pull request contains changes that conflict with the target branch.
  • plume-models/src/config.rs
Reference: Plume/Plume#908