From 10ef20363a404343d0ac56502fd5dfbcc466f036 Mon Sep 17 00:00:00 2001
From: Lars Kiesow
Date: Thu, 16 Apr 2020 20:10:14 +0200
Subject: [PATCH] Additional LDAP Authentication Methods (#1287)

This patch allows anonymous and user based authentication to LDAP servers. This change is based on a patch against bn-ldap-authentication:
- https://github.com/blindsidenetworks/bn-ldap-authentication/pull/2

The patch introduces a new environment variable `LDAP_AUTH` which controls the authentication method used against the LDAP server:
- `anonymous` enables an anonymous bind to the LDAP with no password being used.
- `user` uses the user's own credentials to search for his data, enabling authenticated login to LDAP without the need for a user with global read privileges.

The default still remains at using a bind user, allowing for a seamless upgrade path from the previous version.

This fixes #1082

Co-authored-by: Jesus Federico
---
 app/controllers/sessions_controller.rb | 1 +
 config/initializers/omniauth.rb | 3 +--
 sample.env | 2 ++
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index ef263232..2b65e07b 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -131,6 +131,7 @@ class SessionsController < ApplicationController
 ldap_config[:port] = ENV['LDAP_PORT'].to_i != 0 ? ENV['LDAP_PORT'].to_i : 389
 ldap_config[:bind_dn] = ENV['LDAP_BIND_DN']
 ldap_config[:password] = ENV['LDAP_PASSWORD']
+ ldap_config[:auth_method] = ENV['LDAP_AUTH']
 ldap_config[:encryption] = if ENV['LDAP_METHOD'] == 'ssl'
 'simple_tls'
 elsif ENV['LDAP_METHOD'] == 'tls'
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index f10eb98b..9f0598e5 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
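Review bot: `ldap_config[:auth_method] = ENV['LDAP_AUTH']` hands the raw environment value to the strategy with no normalization or validation, so an unset variable becomes nil and a misspelt value is passed through as-is; what the strategy then does with nil or an unrecognised mode is not visible here, and since this value decides whether the bind DN and password are used at all, a typo silently changes how the directory is authenticated to. The accepted values are also not stated anywhere in code: the commit message documents `anonymous` and `user`, while the sample.env hunk shows `simple` (presumably the bind-user default). I would at least normalize and document the set next to the assignment, e.g. `# LDAP_AUTH: anonymous (no bind credentials), user (bind as the logging-in user), otherwise bind with LDAP_BIND_DN/LDAP_PASSWORD — confirm against the strategy` above `ldap_config[:auth_method] = ENV['LDAP_AUTH'].presence`, and reject unknown values in the initializer rather than letting them reach the bind. The enclosing method starts and ends outside this hunk.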
@@ -11,8 +11,7 @@ Rails.application.config.providers = []
 # Set which providers are configured.
 Rails.application.config.omniauth_bn_launcher = Rails.configuration.loadbalanced_configuration
 Rails.application.config.omniauth_ldap = ENV['LDAP_SERVER'].present? && ENV['LDAP_UID'].present? &&
- ENV['LDAP_BASE'].present? && ENV['LDAP_BIND_DN'].present? &&
- ENV['LDAP_PASSWORD'].present?
+ ENV['LDAP_BASE'].present?
 Rails.application.config.omniauth_twitter = ENV['TWITTER_ID'].present? && ENV['TWITTER_SECRET'].present?
 Rails.application.config.omniauth_google = ENV['GOOGLE_OAUTH2_ID'].present? && ENV['GOOGLE_OAUTH2_SECRET'].present?
 Rails.application.config.omniauth_office365 = ENV['OFFICE365_KEY'].present? &&
diff --git a/sample.env b/sample.env
index 4d4f3564..668813c1 100644
--- a/sample.env
+++ b/sample.env
@@ -61,6 +61,7 @@ OAUTH2_REDIRECT=
 # LDAP_METHOD=plain
 # LDAP_UID=uid
 # LDAP_BASE=dc=example,dc=com
+# LDAP_AUTH=simple
 # LDAP_BIND_DN=cn=admin,dc=example,dc=com
 # LDAP_PASSWORD=password
 # LDAP_ROLE_FIELD=ou
@@ -70,6 +71,7 @@ LDAP_METHOD=
 LDAP_UID=
 LDAP_BASE=
 LDAP_BIND_DN=
+LDAP_AUTH=
 LDAP_PASSWORD=
 LDAP_ROLE_FIELD=
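Review bot: Dropping `ENV['LDAP_BIND_DN'].present?` and `ENV['LDAP_PASSWORD'].present?` from the `omniauth_ldap` condition removes the guard for the bind-user mode the commit keeps as the default, so a deployment that sets only `LDAP_SERVER`, `LDAP_UID` and `LDAP_BASE` — or keeps the default mode but forgets the password — now enables LDAP login with a nil bind DN and password, where it was previously left disabled. How the strategy treats nil credentials is not visible in this diff, but if it degrades to an anonymous bind the operator ends up with a weaker directory lookup than configured, with no error to point at. Making the credential requirement conditional on `LDAP_AUTH` keeps the new `anonymous` and `user` modes working while preserving the old fail-closed behaviour for the default; the exact set of values that do not need bind credentials should be confirmed against the strategy.
```ruby
Rails.application.config.omniauth_ldap = ENV['LDAP_SERVER'].present? && ENV['LDAP_UID'].present? &&
                                         ENV['LDAP_BASE'].present? &&
                                         (%w[anonymous user].include?(ENV['LDAP_AUTH']) ||
                                          (ENV['LDAP_BIND_DN'].present? && ENV['LDAP_PASSWORD'].present?))
```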