Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

support ldap auth #4751

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

support ldap auth #4751

wants to merge 5 commits into from
+262 −6

Conversation

zhangweiqaz
Copy link

@zhangweiqaz zhangweiqaz commented May 10, 2024
edited by CommanderStorm
Loading

Tick the checkbox if you understand [x]:

  • I have read and understand the pull request rules.

Resolves #5359

Description

add ldap auth support. It will works if below enviroment variables exist

  • AUTH_METHOD: LDAP
  • LDAP_ADDRESS: 'ldap://ip:port'
  • LDAP_BASE_DN: 'cn=users,dc=xxxx,dc=com'
  • LDAP_UID=uid
    The auth DN will be 'uid=username,cn=users,dc=xxxx,dc=com'.
    If AUTH_METHOD not equal 'LDAP', it auth with local database user
    Fixes #(issue)

Type of change

Please delete any options that are not relevant.

  • New feature (non-breaking change which adds functionality)

Checklist

  • My code follows the style guidelines of this project
  • I ran ESLint and other linters for modified files
  • I have performed a self-review of my own code and tested it
  • I have commented my code, particularly in hard-to-understand areas (including JSDoc for methods)
  • My changes generates no new warnings
  • My code needed automated testing. I have added them (this is optional task)

Screenshots (if any)

Please do not use any external image service. Instead, just paste in or drag and drop the image here, and it will be uploaded automatically.

CommanderStorm
CommanderStorm requested changes May 10, 2024
View reviewed changes
Copy link
Collaborator

@CommanderStorm CommanderStorm left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tip

Please see the part of the contribution guide where we talk about discussing plans beforehand for future PRs.
"Duping work" is not maintainable both for contributors or maintainers ^^

To the PR:

  • Please rebase this PR on top of Add basic multiple admin users support #3571.
  • How can this be tested?
    => Please include a short paragraph how to set up a docker/.. environment to test that LDAP is working.
  • Could you write a first draft how this can be documented? (I have only a basic clue what half of the variables do)

Be aware that our current focus is on getting v2.0 out of the door (see #4500 for further details)
=> reviewing #3571 (as a prerequisite for this PR) might take longer.

server/auth.js Outdated
]);
if (process.env.AUTH_METHOD === "LDAP") {
let ldapAuthSuccess = false;
await new Promise((resolve, reject) => {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please extract the ldap parts of this implementation into a function.
This method is too long already and adding more will not aid in readability ^^

server/auth.js Outdated
log.error("auth", "connecting ldap server failed");
resolve();
});
client.bind(process.env.LDAP_UID + "=" + username + "," + process.env.LDAP_BASE_DN,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please include debug logging what query is being executed

server/auth.js Outdated
});
client.on("connectError", (err) => {
log.error("auth", "connecting ldap server failed");
resolve();
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please refactor this to reject/resolve with the value of ldapAuthSuccess.
This way, future PRs can't mess with the logic and introduce potential security flaws. (this logic is fine, but lets not leave a footgun lying around ^^)

server/auth.js Outdated
url: [ process.env.LDAP_ADDRESS ]
});
client.on("connectError", (err) => {
log.error("auth", "connecting ldap server failed");
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

include the error message if it contains context aiding in debugging

server/auth.js Outdated
if (!ldapAuthSuccess) {
return null;
}
let user = await R.findOne("user", " username = ? AND active = 1 ", [
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please extract the below parts into functions.
This is hard to comprehend => easy to make mistakes. Lets not risk this in security critical code ^^

server/auth.js Outdated
Comment on lines 35 to 37
log.warn("auth", "ldap authentication failed for user: " + username);
} else {
log.info("auth", "ldap authentication succeeded for user: " + username);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lets use a template for better readability

Suggested change
log.warn("auth", "ldap authentication failed for user: " + username);
} else {
log.info("auth", "ldap authentication succeeded for user: " + username);
log.info("auth", `ldap failed for ${username} because ${err}`);
} else {
log.info("auth", `${username} successfully logged in via ldap`);

server/auth.js Outdated
let ldapAuthSuccess = false;
await new Promise((resolve, reject) => {
const client = ldap.createClient({
url: [ process.env.LDAP_ADDRESS ]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On the parameters to this function (ldapjs' docs):

  • url does allow multiple LDAP servers.
    Should we support this as well?
  • there are a few options regarding timouts. I think having timeouts for LDAP operations might be a good call.
  • Should we add the reconnection parameter?

@zhangweiqaz
Copy link
Author

Thanks for your advises, that help me a lot. Due to #3571 is big change, this PR can be delayed or restructured.
Ldap auth can be test below step:
1、create a temp ldap server
docker run --detach --rm --name openldap
-p 1389:1389
--env LDAP_ADMIN_USERNAME=admin
--env LDAP_ADMIN_PASSWORD=adminpassword
--env LDAP_USERS=customuser
--env LDAP_PASSWORDS=custompassword
--env LDAP_ROOT=dc=example,dc=org
--env LDAP_ADMIN_DN=cn=admin,dc=example,dc=org
bitnami/openldap:latest
2、set the enviroment variables
export AUTH_METHOD="LDAP"
export LDAP_ADDRESS="ldap://ldap_server_ip:1389"
export LDAP_UID="cn"
export LDAP_BASE_DN="ou=users,dc=example,dc=org"
3、run uptime-kuma and use "customuser" and "custompassword" to login

@Zaid-maker
Copy link
Contributor

Thanks for your advises, that help me a lot. Due to #3571 is big change, this PR can be delayed or restructured. Ldap auth can be test below step: 1、create a temp ldap server docker run --detach --rm --name openldap -p 1389:1389 --env LDAP_ADMIN_USERNAME=admin --env LDAP_ADMIN_PASSWORD=adminpassword --env LDAP_USERS=customuser --env LDAP_PASSWORDS=custompassword --env LDAP_ROOT=dc=example,dc=org --env LDAP_ADMIN_DN=cn=admin,dc=example,dc=org bitnami/openldap:latest 2、set the enviroment variables export AUTH_METHOD="LDAP" export LDAP_ADDRESS="ldap://ldap_server_ip:1389" export LDAP_UID="cn" export LDAP_BASE_DN="ou=users,dc=example,dc=org" 3、run uptime-kuma and use "customuser" and "custompassword" to login

You can use handy tool to quickly test docker containers (sort of) Dockge

@CommanderStorm CommanderStorm mentioned this pull request May 14, 2024
Open
1 task
@CommanderStorm CommanderStorm added blocked cannot progress because of external reasons area:user-management pr:needs review this PR needs a review by maintainers or other community members pr:please address review comments this PR needs a bit more work to be mergable labels May 19, 2024
@CommanderStorm CommanderStorm mentioned this pull request May 19, 2024
Draft
6 tasks
@github-actions github-actions bot added pr:please resolve merge conflict A merge-conflict needs to be addressed before reviewing makes sense again and removed pr:please resolve merge conflict A merge-conflict needs to be addressed before reviewing makes sense again labels May 20, 2024
@CommanderStorm CommanderStorm added the pr:needs other pr merged pending other PR to be merged first label May 23, 2024
@github-actions github-actions bot added pr:please resolve merge conflict A merge-conflict needs to be addressed before reviewing makes sense again and removed pr:please resolve merge conflict A merge-conflict needs to be addressed before reviewing makes sense again labels May 23, 2024
@CommanderStorm CommanderStorm removed the pr:needs review this PR needs a review by maintainers or other community members label Jun 3, 2024
@github-actions github-actions bot removed the pr:please resolve merge conflict A merge-conflict needs to be addressed before reviewing makes sense again label Jun 24, 2024
@github-actions github-actions bot added the pr:please resolve merge conflict A merge-conflict needs to be addressed before reviewing makes sense again label Jul 15, 2024
@rvpool rvpool mentioned this pull request Nov 18, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@CommanderStorm CommanderStorm CommanderStorm requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
area:user-management blocked cannot progress because of external reasons needs:resolve-merge-conflict pr:needs other pr merged pending other PR to be merged first pr:please address review comments this PR needs a bit more work to be mergable pr:please resolve merge conflict A merge-conflict needs to be addressed before reviewing makes sense again
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Feature Request: Add LDAP Authentication
4 participants
@zhangweiqaz @Zaid-maker @CommanderStorm @zhangwei0181