From f7146583e5f1c2d0e8a198db00dfafced79d0706 Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Wed, 5 Aug 2020 08:15:57 -0500 Subject: [PATCH 1/9] Remove LDAP mail attribute as a requirement for registering an account --- lib/pleroma/web/auth/ldap_authenticator.ex | 30 ++++++++-------------- test/web/oauth/ldap_authorization_test.exs | 4 +-- 2 files changed, 12 insertions(+), 22 deletions(-) diff --git a/lib/pleroma/web/auth/ldap_authenticator.ex b/lib/pleroma/web/auth/ldap_authenticator.ex index f63a66c03..f320ec746 100644 --- a/lib/pleroma/web/auth/ldap_authenticator.ex +++ b/lib/pleroma/web/auth/ldap_authenticator.ex @@ -105,29 +105,21 @@ defp register_user(connection, base, uid, name, password) do {:base, to_charlist(base)}, {:filter, :eldap.equalityMatch(to_charlist(uid), to_charlist(name))}, {:scope, :eldap.wholeSubtree()}, - {:attributes, ['mail', 'email']}, {:timeout, @search_timeout} ]) do - {:ok, {:eldap_search_result, [{:eldap_entry, _, attributes}], _}} -> - with {_, [mail]} <- List.keyfind(attributes, 'mail', 0) do - params = %{ - email: :erlang.list_to_binary(mail), - name: name, - nickname: name, - password: password, - password_confirmation: password - } + {:ok, {:eldap_search_result, [{:eldap_entry, _, _}], _}} -> + params = %{ + name: name, + nickname: name, + password: password, + password_confirmation: password + } - changeset = User.register_changeset(%User{}, params) + changeset = User.register_changeset(%User{}, params) - case User.register(changeset) do - {:ok, user} -> user - error -> error - end - else - _ -> - Logger.error("Could not find LDAP attribute mail: #{inspect(attributes)}") - {:error, :ldap_registration_missing_attributes} + case User.register(changeset) do + {:ok, user} -> user + error -> error end error -> diff --git a/test/web/oauth/ldap_authorization_test.exs b/test/web/oauth/ldap_authorization_test.exs index 011642c08..76ae461c3 100644 --- a/test/web/oauth/ldap_authorization_test.exs +++ b/test/web/oauth/ldap_authorization_test.exs @@ -72,9 +72,7 @@ test "creates a new user after successful LDAP authorization" do equalityMatch: fn _type, _value -> :ok end, wholeSubtree: fn -> :ok end, search: fn _connection, _options -> - {:ok, - {:eldap_search_result, [{:eldap_entry, '', [{'mail', [to_charlist(user.email)]}]}], - []}} + {:ok, {:eldap_search_result, [{:eldap_entry, '', []}], []}} end, close: fn _connection -> send(self(), :close_connection) From 0f9aecbca49c828158d2cb549659a68fb21697df Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Wed, 5 Aug 2020 08:18:16 -0500 Subject: [PATCH 2/9] Remove fallback to local database when LDAP is unavailable. In many environments this will not work as the LDAP password and the copy stored in Pleroma will stay synchronized. --- lib/pleroma/web/auth/ldap_authenticator.ex | 4 -- test/web/oauth/ldap_authorization_test.exs | 45 ---------------------- 2 files changed, 49 deletions(-) diff --git a/lib/pleroma/web/auth/ldap_authenticator.ex b/lib/pleroma/web/auth/ldap_authenticator.ex index f320ec746..ec47f6f91 100644 --- a/lib/pleroma/web/auth/ldap_authenticator.ex +++ b/lib/pleroma/web/auth/ldap_authenticator.ex @@ -28,10 +28,6 @@ def get_user(%Plug.Conn{} = conn) do %User{} = user <- ldap_user(name, password) do {:ok, user} else - {:error, {:ldap_connection_error, _}} -> - # When LDAP is unavailable, try default authenticator - @base.get_user(conn) - {:ldap, _} -> @base.get_user(conn) diff --git a/test/web/oauth/ldap_authorization_test.exs b/test/web/oauth/ldap_authorization_test.exs index 76ae461c3..63b1c0eb8 100644 --- a/test/web/oauth/ldap_authorization_test.exs +++ b/test/web/oauth/ldap_authorization_test.exs @@ -7,7 +7,6 @@ defmodule Pleroma.Web.OAuth.LDAPAuthorizationTest do alias Pleroma.Repo alias Pleroma.Web.OAuth.Token import Pleroma.Factory - import ExUnit.CaptureLog import Mock @skip if !Code.ensure_loaded?(:eldap), do: :skip @@ -99,50 +98,6 @@ test "creates a new user after successful LDAP authorization" do end end - @tag @skip - test "falls back to the default authorization when LDAP is unavailable" do - password = "testpassword" - user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt(password)) - app = insert(:oauth_app, scopes: ["read", "write"]) - - host = Pleroma.Config.get([:ldap, :host]) |> to_charlist - port = Pleroma.Config.get([:ldap, :port]) - - with_mocks [ - {:eldap, [], - [ - open: fn [^host], [{:port, ^port}, {:ssl, false} | _] -> {:error, 'connect failed'} end, - simple_bind: fn _connection, _dn, ^password -> :ok end, - close: fn _connection -> - send(self(), :close_connection) - :ok - end - ]} - ] do - log = - capture_log(fn -> - conn = - build_conn() - |> post("/oauth/token", %{ - "grant_type" => "password", - "username" => user.nickname, - "password" => password, - "client_id" => app.client_id, - "client_secret" => app.client_secret - }) - - assert %{"access_token" => token} = json_response(conn, 200) - - token = Repo.get_by(Token, token: token) - - assert token.user_id == user.id - end) - - assert log =~ "Could not open LDAP connection: 'connect failed'" - refute_received :close_connection - end - end - @tag @skip test "disallow authorization for wrong LDAP credentials" do password = "testpassword" From d5e4d8a6f3f7b577183809a4b371609aa29fa968 Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Wed, 5 Aug 2020 09:41:17 -0500 Subject: [PATCH 3/9] Define default authenticator in the config --- config/config.exs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/config.exs b/config/config.exs index 933a899ab..257b2e061 100644 --- a/config/config.exs +++ b/config/config.exs @@ -737,6 +737,8 @@ config :pleroma, :instances_favicons, enabled: false +config :pleroma, Pleroma.Web.Auth.Authenticator, Pleroma.Web.Auth.PleromaAuthenticator + # Import environment specific config. This must remain at the bottom # of this file so it overrides the configuration defined above. import_config "#{Mix.env()}.exs" From 2192d1e4920e2c6deffe9a205cc2ade27d4dc0b1 Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Wed, 5 Aug 2020 10:07:31 -0500 Subject: [PATCH 4/9] Permit LDAP users to register without capturing their password hash We don't need it, and local auth fallback has been removed. --- lib/pleroma/user.ex | 19 +++++++++++++++++++ lib/pleroma/web/auth/ldap_authenticator.ex | 7 +++---- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex index 09e606b37..df9f34baa 100644 --- a/lib/pleroma/user.ex +++ b/lib/pleroma/user.ex @@ -638,6 +638,25 @@ def force_password_reset_async(user) do @spec force_password_reset(User.t()) :: {:ok, User.t()} | {:error, Ecto.Changeset.t()} def force_password_reset(user), do: update_password_reset_pending(user, true) + # Used to auto-register LDAP accounts which don't have a password hash + def register_changeset(struct, params = %{password: password}) + when is_nil(password) do + params = Map.put_new(params, :accepts_chat_messages, true) + + struct + |> cast(params, [ + :name, + :nickname, + :accepts_chat_messages + ]) + |> unique_constraint(:nickname) + |> validate_exclusion(:nickname, Config.get([User, :restricted_nicknames])) + |> validate_format(:nickname, local_nickname_regex()) + |> put_ap_id() + |> unique_constraint(:ap_id) + |> put_following_and_follower_address() + end + def register_changeset(struct, params \\ %{}, opts \\ []) do bio_limit = Config.get([:instance, :user_bio_length], 5000) name_limit = Config.get([:instance, :user_name_length], 100) diff --git a/lib/pleroma/web/auth/ldap_authenticator.ex b/lib/pleroma/web/auth/ldap_authenticator.ex index ec47f6f91..f667da68b 100644 --- a/lib/pleroma/web/auth/ldap_authenticator.ex +++ b/lib/pleroma/web/auth/ldap_authenticator.ex @@ -88,7 +88,7 @@ defp bind_user(connection, ldap, name, password) do user _ -> - register_user(connection, base, uid, name, password) + register_user(connection, base, uid, name) end error -> @@ -96,7 +96,7 @@ defp bind_user(connection, ldap, name, password) do end end - defp register_user(connection, base, uid, name, password) do + defp register_user(connection, base, uid, name) do case :eldap.search(connection, [ {:base, to_charlist(base)}, {:filter, :eldap.equalityMatch(to_charlist(uid), to_charlist(name))}, @@ -107,8 +107,7 @@ defp register_user(connection, base, uid, name, password) do params = %{ name: name, nickname: name, - password: password, - password_confirmation: password + password: nil } changeset = User.register_changeset(%User{}, params) From 81126b0142ec54c785952d0c84a2bdef76965fc7 Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Wed, 5 Aug 2020 11:36:12 -0500 Subject: [PATCH 5/9] Add email to user account only if it exists in LDAP --- lib/pleroma/user.ex | 9 +++++++++ lib/pleroma/web/auth/ldap_authenticator.ex | 8 +++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex index df9f34baa..6d39c9d1b 100644 --- a/lib/pleroma/user.ex +++ b/lib/pleroma/user.ex @@ -643,12 +643,21 @@ def register_changeset(struct, params = %{password: password}) when is_nil(password) do params = Map.put_new(params, :accepts_chat_messages, true) + params = + if Map.has_key?(params, :email) do + Map.put_new(params, :email, params[:email]) + else + params + end + struct |> cast(params, [ :name, :nickname, + :email, :accepts_chat_messages ]) + |> validate_required([:name, :nickname]) |> unique_constraint(:nickname) |> validate_exclusion(:nickname, Config.get([User, :restricted_nicknames])) |> validate_format(:nickname, local_nickname_regex()) diff --git a/lib/pleroma/web/auth/ldap_authenticator.ex b/lib/pleroma/web/auth/ldap_authenticator.ex index f667da68b..b1645a359 100644 --- a/lib/pleroma/web/auth/ldap_authenticator.ex +++ b/lib/pleroma/web/auth/ldap_authenticator.ex @@ -103,13 +103,19 @@ defp register_user(connection, base, uid, name) do {:scope, :eldap.wholeSubtree()}, {:timeout, @search_timeout} ]) do - {:ok, {:eldap_search_result, [{:eldap_entry, _, _}], _}} -> + {:ok, {:eldap_search_result, [{:eldap_entry, _, attributes}], _}} -> params = %{ name: name, nickname: name, password: nil } + params = + case List.keyfind(attributes, 'mail', 0) do + {_, [mail]} -> Map.put_new(params, :email, :erlang.list_to_binary(mail)) + _ -> params + end + changeset = User.register_changeset(%User{}, params) case User.register(changeset) do From 2a4bca5bd7e33388193d252f9f956d10ce38ad77 Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Wed, 5 Aug 2020 11:40:09 -0500 Subject: [PATCH 6/9] Comments are good when they're precise... --- lib/pleroma/user.ex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex index 6d39c9d1b..69b0e1781 100644 --- a/lib/pleroma/user.ex +++ b/lib/pleroma/user.ex @@ -638,7 +638,7 @@ def force_password_reset_async(user) do @spec force_password_reset(User.t()) :: {:ok, User.t()} | {:error, Ecto.Changeset.t()} def force_password_reset(user), do: update_password_reset_pending(user, true) - # Used to auto-register LDAP accounts which don't have a password hash + # Used to auto-register LDAP accounts which won't have a password hash stored locally def register_changeset(struct, params = %{password: password}) when is_nil(password) do params = Map.put_new(params, :accepts_chat_messages, true) From cb7879c7c148cfc318a176d19b1402e370c509e7 Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Wed, 5 Aug 2020 11:53:57 -0500 Subject: [PATCH 7/9] Add note about removal of Pleroma.Web.Auth.LDAPAuthenticator fallback to Pleroma.Web.Auth.PleromaAuthenticator --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index de017e30a..c0d0fe269 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - Configuration: `:instance, rewrite_policy` moved to `:mrf, policies`, `:instance, :mrf_transparency` moved to `:mrf, :transparency`, `:instance, :mrf_transparency_exclusions` moved to `:mrf, :transparency_exclusions`. Old config namespace is deprecated. - Configuration: `:media_proxy, whitelist` format changed to host with scheme (e.g. `http://example.com` instead of `example.com`). Domain format is deprecated. - **Breaking:** Configuration: `:instance, welcome_user_nickname` moved to `:welcome, :direct_message, :sender_nickname`, `:instance, :welcome_message` moved to `:welcome, :direct_message, :message`. Old config namespace is deprecated. +- **Breaking:** LDAP: Fallback to local database authentication has been removed for security reasons and lack of a mechanism to ensure the passwords are synchronized when LDAP passwords are updated.
API Changes From 6ddea8ebe8794a9626f3907a5d0e0db9604bf949 Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Fri, 7 Aug 2020 09:42:10 -0500 Subject: [PATCH 8/9] Add a note about the proper value for uid --- docs/configuration/cheatsheet.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/configuration/cheatsheet.md b/docs/configuration/cheatsheet.md index f23cf4fe4..d9115a958 100644 --- a/docs/configuration/cheatsheet.md +++ b/docs/configuration/cheatsheet.md @@ -890,6 +890,9 @@ Pleroma account will be created with the same name as the LDAP user name. * `base`: LDAP base, e.g. "dc=example,dc=com" * `uid`: LDAP attribute name to authenticate the user, e.g. when "cn", the filter will be "cn=username,base" +Note, if your LDAP server is an Active Directory server the correct value is commonly `uid: "cn"`, but if you use an +OpenLDAP server the value may be `uid: "uid"`. + ### OAuth consumer mode OAuth consumer mode allows sign in / sign up via external OAuth providers (e.g. Twitter, Facebook, Google, Microsoft, etc.). From 474147a67a89f8bd92186dbda93d78d8e2045d52 Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Fri, 7 Aug 2020 14:54:14 -0500 Subject: [PATCH 9/9] Make a new function instead of overloading register_changeset/3 --- lib/pleroma/user.ex | 2 +- lib/pleroma/web/auth/ldap_authenticator.ex | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex index 69b0e1781..d1436a688 100644 --- a/lib/pleroma/user.ex +++ b/lib/pleroma/user.ex @@ -639,7 +639,7 @@ def force_password_reset_async(user) do def force_password_reset(user), do: update_password_reset_pending(user, true) # Used to auto-register LDAP accounts which won't have a password hash stored locally - def register_changeset(struct, params = %{password: password}) + def register_changeset_ldap(struct, params = %{password: password}) when is_nil(password) do params = Map.put_new(params, :accepts_chat_messages, true) diff --git a/lib/pleroma/web/auth/ldap_authenticator.ex b/lib/pleroma/web/auth/ldap_authenticator.ex index b1645a359..402ab428b 100644 --- a/lib/pleroma/web/auth/ldap_authenticator.ex +++ b/lib/pleroma/web/auth/ldap_authenticator.ex @@ -116,7 +116,7 @@ defp register_user(connection, base, uid, name) do _ -> params end - changeset = User.register_changeset(%User{}, params) + changeset = User.register_changeset_ldap(%User{}, params) case User.register(changeset) do {:ok, user} -> user