Additional LDAP Authentication Methods (#1287)

This patch allows anonymous and user based authentication to LDAP servers. This change is based on a patch against bn-ldap-authentication: - https://github.com/blindsidenetworks/bn-ldap-authentication/pull/2 The patch introduces a new environment variable `LDAP_AUTH` which controls the authentication method used against the LDAP server: - `anonymous` enables an anonymous bind to the LDAP with no password being used. - `user` uses the user's own credentials to search for his data, enabling authenticated login to LDAP without the need for a user with global read privileges. The default still remains at using a bind user, allowing for a seamless upgrade path from the previous version. This fixes #1082 Co-authored-by: Jesus Federico <jesus@123it.ca>
2020-04-16 20:10:14 +02:00 · 2020-04-16 20:10:14 +02:00 · 10ef20363a
parent 9d14b561a5
commit 10ef20363a
3 changed files with 4 additions and 2 deletions
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@ -131,6 +131,7 @@ class SessionsController < ApplicationController
    ldap_config[:port] = ENV['LDAP_PORT'].to_i != 0 ? ENV['LDAP_PORT'].to_i : 389
    ldap_config[:bind_dn] = ENV['LDAP_BIND_DN']
    ldap_config[:password] = ENV['LDAP_PASSWORD']
+    ldap_config[:auth_method] = ENV['LDAP_AUTH']
    ldap_config[:encryption] = if ENV['LDAP_METHOD'] == 'ssl'
                                    'simple_tls'
                                elsif ENV['LDAP_METHOD'] == 'tls'
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@ -11,8 +11,7 @@ Rails.application.config.providers = []
 # Set which providers are configured.
 Rails.application.config.omniauth_bn_launcher = Rails.configuration.loadbalanced_configuration
 Rails.application.config.omniauth_ldap = ENV['LDAP_SERVER'].present? && ENV['LDAP_UID'].present? &&
-                                         ENV['LDAP_BASE'].present? && ENV['LDAP_BIND_DN'].present? &&
-                                         ENV['LDAP_PASSWORD'].present?
+                                         ENV['LDAP_BASE'].present?
 Rails.application.config.omniauth_twitter = ENV['TWITTER_ID'].present? && ENV['TWITTER_SECRET'].present?
 Rails.application.config.omniauth_google = ENV['GOOGLE_OAUTH2_ID'].present? && ENV['GOOGLE_OAUTH2_SECRET'].present?
 Rails.application.config.omniauth_office365 = ENV['OFFICE365_KEY'].present? &&
--- a/sample.env
+++ b/sample.env
@ -61,6 +61,7 @@ OAUTH2_REDIRECT=
 #   LDAP_METHOD=plain
 #   LDAP_UID=uid
 #   LDAP_BASE=dc=example,dc=com
+#   LDAP_AUTH=simple
 #   LDAP_BIND_DN=cn=admin,dc=example,dc=com
 #   LDAP_PASSWORD=password
 #   LDAP_ROLE_FIELD=ou
@ -70,6 +71,7 @@ LDAP_METHOD=
 LDAP_UID=
 LDAP_BASE=
 LDAP_BIND_DN=
+LDAP_AUTH=
 LDAP_PASSWORD=
 LDAP_ROLE_FIELD=