forked from tasansga/haraka-ldap
-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathauthn.js
127 lines (109 loc) · 3.83 KB
/
authn.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
'use strict';
const util = require('util');
exports._verify_user = (userdn, passwd, cb, connection) => {
const pool = connection.server.notes.ldappool;
function onError(err) {
connection.logerror(
`Could not verify userdn and password: ${util.inspect(err)}`,
);
cb(false);
}
if (!pool) return onError('LDAP Pool not found');
pool._create_client((err, client) => {
if (err) return onError(err);
client.bind(userdn, passwd, (err2) => {
client.unbind();
if (err2) {
connection.logdebug(
`Login failed, could not bind ${util.inspect(userdn)}: ${util.inspect(err)}`,
);
return cb(false);
}
cb(true);
});
});
};
exports._get_search_conf = (user, connection) => {
const pool = connection.server.notes.ldappool;
const filter = pool.config.authn.searchfilter || '(&(objectclass=*)(uid=%u))';
return {
basedn: pool.config.authn.basedn || pool.config.basedn,
filter: filter.replace(/%u/g, user),
scope: pool.config.authn.scope || pool.config.scope,
attributes: ['dn'],
};
};
exports._get_dn_for_uid = function (uid, callback, connection) {
const pool = connection.server.notes.ldappool;
function onError(err) {
connection.logerror(`Could not get DN for UID ${uid}`);
connection.logdebug(`: ${util.inspect(err)}`);
callback(err);
}
if (!pool) return onError('LDAP Pool not found!');
pool.get((err, client) => {
if (err) return onError(err);
const config = this._get_search_conf(uid, connection);
connection.logdebug(`Getting DN for uid: ${util.inspect(config)}`);
try {
client.search(config.basedn, config, (search_error, res) => {
if (search_error) onError(search_error);
const userdn = [];
res.on('searchEntry', (entry) => {
userdn.push(entry.object.dn);
});
res.on('error', onError);
res.on('end', () => {
callback(null, userdn);
});
});
} catch (e) {
onError(e);
}
});
};
exports.check_plain_passwd = function (connection, user, passwd, cb) {
if (Array.isArray(connection.server.notes.ldappool.config.authn.dn)) {
return this.check_plain_passwd_dn(connection, user, passwd, cb);
}
connection.logdebug(`Looking up user ${util.inspect(user)} by search.`);
this._get_dn_for_uid(
user,
(err, userdn) => {
if (err) {
connection.logerror(
`Could not use LDAP for password check: ${util.inspect(err)}`,
);
cb(false);
} else if (userdn.length !== 1) {
connection.logdebug(
`None or nonunique LDAP search result for user ${util.inspect(user)}, access denied`,
);
cb(false);
} else {
this._verify_user(userdn[0], passwd, cb, connection);
}
},
connection,
);
};
exports.check_plain_passwd_dn = function (connection, user, passwd, cb) {
connection.logdebug(`Looking up user ${util.inspect(user)} by DN.`);
let iter = 0;
let cbCalled = false;
function cbOnce(result) {
iter++;
if (cbCalled) return;
if (result) {
cbCalled = true;
return cb(result);
}
if (iter === connection.server.notes.ldappool.config.authn.dn.length) {
cbCalled = true;
cb(result);
}
}
for (const dn of connection.server.notes.ldappool.config.authn.dn) {
this._verify_user(dn.replace(/%u/g, user), passwd, cbOnce, connection);
}
};