add LDAP authentication

2017-07-05 16:26:27 -04:00 · 2017-07-05 16:26:27 -04:00 · ae774b90ce
parent 9bbb669cc1
commit ae774b90ce
8 changed files with 58 additions and 1 deletions
--- a/1
+++ b/1
@ -65,6 +65,7 @@ gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]
 gem 'omniauth', '1.3.1'
 gem 'omniauth-twitter', '1.2.1'
 gem 'omniauth-google-oauth2', '0.4.1'
+gem 'omniauth-ldap'

 gem 'bigbluebutton-api-ruby'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -116,6 +116,7 @@ GEM
    multi_json (1.12.1)
    multi_xml (0.5.5)
    multipart-post (2.0.0)
+    net-ldap (0.16.0)
    nio4r (1.2.1)
    nokogiri (1.6.8.1)
      mini_portile2 (~> 2.1.0)
@ -134,6 +135,11 @@ GEM
      multi_json (~> 1.3)
      omniauth (>= 1.1.1)
      omniauth-oauth2 (>= 1.3.1)
+    omniauth-ldap (1.0.5)
+      net-ldap (~> 0.12)
+      omniauth (~> 1.0)
+      pyu-ruby-sasl (~> 0.0.3.2)
+      rubyntlm (~> 0.3.4)
    omniauth-oauth (1.1.0)
      oauth
      omniauth (~> 1.0)
@ -151,6 +157,7 @@ GEM
      mimemagic (= 0.3.0)
    pg (0.19.0)
    puma (3.6.0)
+    pyu-ruby-sasl (0.0.3.3)
    rack (2.0.1)
    rack-test (0.6.3)
      rack (>= 1.0)
@ -184,6 +191,7 @@ GEM
    rb-fsevent (0.9.7)
    rb-inotify (0.9.7)
      ffi (>= 0.5.0)
+    rubyntlm (0.3.4)
    sass (3.4.22)
    sass-rails (5.0.6)
      railties (>= 4.0.0, < 6)
@ -254,6 +262,7 @@ DEPENDENCIES
  mocha
  omniauth (= 1.3.1)
  omniauth-google-oauth2 (= 0.4.1)
+  omniauth-ldap
  omniauth-twitter (= 1.2.1)
  paperclip (~> 4.2)
  pg
--- a/app/assets/images/ldap_icon.png
+++ b/app/assets/images/ldap_icon.png
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@ -16,6 +16,8 @@

 class SessionsController < ApplicationController

+  skip_before_filter :verify_authenticity_token
+
  def new
  end

--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -47,6 +47,14 @@ class User < ApplicationRecord
    auth_hash['info']['email']
  end

+  def self.ldap_username(auth_hash)
+    auth_hash['info']['nickname']
+  end
+  
+  def self.ldap_email(auth_hash)
+    auth_hash['info']['email']
+  end
+
  def set_encrypted_id
    self.encrypted_id = "#{username[0..1]}-#{Digest::SHA1.hexdigest(uid+provider)[0..7]}"
  end
--- a/app/views/sessions/new.erb
+++ b/app/views/sessions/new.erb
@ -49,6 +49,18 @@
                </div>
              <% end %>
          <% end %>
+          <% if omniauth_providers_configured(:ldap) %>
+              <%= link_to omniauth_login_url(:ldap), class: "signin-link signin-link-ldap" do %>
+                <div class="signin-button center-block">
+                  <div class="signin-icon-wrapper">
+                    <%= image_tag(ENV['LDAP_ICON'].present? ? ENV['LDAP_ICON'] : 'ldap_icon.png', alt: "L", class: "signin-icon") %>
+                  </div>
+                  <div class="signin-text-wrapper text-center">
+                    <span class="signin-text"><%= t('signin_text', provider: ENV['LDAP_NAME'].present? ? ENV['LDAP_NAME'] : 'LDAP') %></span>
+                  </div>
+                </div>
+              <% end %>
+          <% end %>
        </div>
      <% end %>
    </div>
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@ -1,11 +1,22 @@
-Rails.application.config.providers = [:google, :twitter]
+Rails.application.config.providers = [:google, :twitter, :ldap]

 Rails.application.config.omniauth_google = ENV['GOOGLE_OAUTH2_ID'].present?

 Rails.application.config.omniauth_twitter = ENV['TWITTER_ID'].present?

+Rails.application.config.omniauth_ldap = ENV['LDAP_SERVER'].present?
+
 Rails.application.config.middleware.use OmniAuth::Builder do
  provider :twitter, ENV['TWITTER_ID'], ENV['TWITTER_SECRET']
  provider :google_oauth2, ENV['GOOGLE_OAUTH2_ID'], ENV['GOOGLE_OAUTH2_SECRET'],
    scope: ['profile', 'email', 'youtube', 'youtube.upload'], access_type: 'online', name: 'google'
+  provider :ldap,
+    host: ENV['LDAP_SERVER'],
+    port: ENV['LDAP_PORT'],
+    method: :plain,
+    allow_username_or_email_login: true,
+    uid: ENV['LDAP_UID'],
+    base: ENV['LDAP_BASE'],
+    bind_dn: ENV['LDAP_BIND_DN'],
+    password: ENV['LDAP_PASSWORD']
 end
--- a/14
+++ b/14
@ -36,6 +36,20 @@ TWITTER_SECRET=
 GOOGLE_OAUTH2_ID=
 GOOGLE_OAUTH2_SECRET=

+# LDAP Login Provider (optional)
+#
+#   You can enable LDAP authentication by providing values for LDAP_SERVER and LDAP_PORT.
+#   For information about setting up LDAP, see: (LINK TO LDAP DOCS).
+#
+LDAP_SERVER=
+LDAP_PORT=
+LDAP_UID=
+LDAP_BASE=
+LDAP_BIND_DN=
+LDAP_PASSWORD=
+LDAP_ICON=
+LDAP_NAME=
+
 # If "true", GreenLight will register a webhook callback for each meeting
 # created. This callback is called for all events that happen in the meeting,
 # including the processing of its recording. These events are used to update