From b57fa59ea90c7bbdcfea4c458897795e44ec794e Mon Sep 17 00:00:00 2001 From: Crivaledaz Date: Mon, 21 Aug 2017 23:10:20 +0200 Subject: [PATCH] Add service account support to get LDAP information (resource.php) and correct some minor bugs --- Puppet/mattermostldap/README.md | 83 ++++++++----------- Puppet/mattermostldap/manifests/init.pp | 6 +- Puppet/mattermostldap/manifests/params.pp | 2 + Puppet/mattermostldap/metadata.json | 5 +- .../templates/config_ldap.php.erb | 4 + README.md | 12 ++- oauth/LDAP/LDAP.php | 20 ++++- oauth/LDAP/LDAPInterface.php | 8 +- oauth/LDAP/config_ldap.php | 12 ++- oauth/resource.php | 2 +- 10 files changed, 88 insertions(+), 66 deletions(-) mode change 100644 => 100755 README.md mode change 100644 => 100755 oauth/LDAP/LDAP.php mode change 100644 => 100755 oauth/LDAP/LDAPInterface.php mode change 100644 => 100755 oauth/LDAP/config_ldap.php mode change 100644 => 100755 oauth/resource.php diff --git a/Puppet/mattermostldap/README.md b/Puppet/mattermostldap/README.md index 6c84162..24f3d9d 100755 --- a/Puppet/mattermostldap/README.md +++ b/Puppet/mattermostldap/README.md 
@@ -7,15 +7,15 @@ This is a puppet module to manage configuration and installation of Mattermost-L Mattermost-LDAP is a module which provides an external LDAP authentication in Mattermost for the Team Edition. Actually, Mattermost and LDAP are mainly used by companies which should manage their servers, services and configurations with automated processes. Many companies use Puppet, an open-source software configuration management tool, to automated their configuration deployement. -Mattermost-LDAP project provides a Puppet module to easily manage and configure the Oauth serveur and the LDAP for Mattermost. +In this way, Mattermost-LDAP project provides a Puppet module to easily manage and configure the oauth serveur and the LDAP for Mattermost. ## Module Description -This module installs and configures Mattermost-LDAP, to provide LDAP support on Mattermost. For more information about Mattermost-LDAP please refer to : https://github.com/Crivaledaz/Mattermost-LDAP +This module installs and configures Mattermost-LDAP, to provide the LDAP support on Mattermost. For more information about Mattermost-LDAP please refer to : https://github.com/Crivaledaz/Mattermost-LDAP -The use of this Puppet module substitute to the standard installation and configuration steps described on the Mattermost-LDAP project page. See below to install and configure Mattermost-LDAP with Puppet. +The use of this puppet module substitute to the standard installation and configuration steps describe on the Mattermost-LDAP project page. See below to install and configure Mattermost-LDAP with puppet. -The Puppet Mattermost-LDAP module installs the Oauth server and associated files from a release archive provided in this repository, create and configure a database for the Oauth server depending on your database server (PostgreSQL or MySQL), and configures the Oauth server to interact with LDAP according to settings you provide. 
+The Puppet Mattermost-LDAP module installs the oauth server and associated files from a release archive provided in this repository, create and configure a database for the oauth server depending on your database server (PostgreSQL or MySQL), and configures the oauth server to interact with LDAP according to settings you provide. ## Setup @@ -27,7 +27,7 @@ This module requires the following : * puppetlabs/stdlib * git -To know the necessary dependencies for Mattermost-LDAP (which will be installed with this puppet module), please refer to : https://github.com/Crivaledaz/Mattermost-LDAP +To know the dependencies necessary for Mattermost-LDAP (which will be installed with this puppet module), please refer to : https://github.com/Crivaledaz/Mattermost-LDAP ### Pre-install * Install Puppet (Centos 7, RHEL 7 and Fedora) : @@ -48,7 +48,6 @@ puppet agent -t puppet cert sign CLIENT_NAME ``` -Change SERVER_NAME and CLIENT_NAME by your settings. * Install required Puppet modules : 
@@ -69,9 +68,9 @@ Clone (or download and extract) this repository : git clone https://github.com/crivaledaz/Mattermost-LDAP.git ``` -Move mattermostldap directory from the Puppet directory to /etc/puppet/modules on your Puppet Master, in order to add this module in Puppet. Make a tar.gz archive with the Oauth directory and it is recommended to put this archive on a http server. Thus, the archive will be reachable from a url. +Move mattermostldap directory from the Puppet directory to /etc/puppet/modules on your Puppet Master, in order to install add this module in Puppet. Make a tar.gz archive with the oauth directory and it is recommended to put this archive on a http server. Thus, the archive will be reachable from a url. -If you have already a Mattermost server running, and a suitable database configured for the Oauth server, this is the minimum you need to get Mattermost-LDAP working: +If you have already a Mattermost server running, and a suitable database configured for the oauth server, this is the minimum you need to get Mattermost-LDAP working: ``` class { 'mattermostldap': @@ -134,7 +133,7 @@ Below, there is an example of Mattermost-LDAP Puppet module using Mattermost and }, } - ########################---Config Oauth---########################### + ########################---Config de Oauth---########################### postgresql::server::db { 'oauth_db': user => 'oauth', 
@@ -165,13 +164,13 @@ Below, there is an example of Mattermost-LDAP Puppet module using Mattermost and $timezone = 'Europe/Paris' } ``` -With the code above, you should be able to access the Mattermost application at http://mattermost.company.com:8065 (with your company address) and sign in with your LDAP credentials using the Gitlab button. +With the above code, you should be able to access the Mattermost application at http://mattermost.company.com:8065 (with your company address) and sign in with your LDAP credentials using the Gitlab button. -Please refer to ligger1978/mattermost and puppetlabs/postgresql modules in puppet forge for more information about the use of these modules. +Please refer to ligger1978/mattermost and puppetlabs/postgresql modules in puppet forge for more information about use of these modules. ## Usage -If you have succeeded on previous step you only have to go to the login page of your Mattermost server and click on the Gitlab Button. You will be redirected to a form asking for your LDAP credentials. If your credentials are valid, you will be asked to authorize Oauth to give your information to Mattermost. After authorizing you should be redirected on Mattermost connected with your account. +If you have succeeded previous step you only have to go to the login page of your Mattermost server and click on the Gitlab Button. You will be redirected to a form asking for your LDAP credentials. If your credentials are valid, you will be asked to authorize Oauth to give your information to Mattermost. After authorizing you should be redirected on Mattermost connected with your account. Keep in mind this will create a new account on your Mattermost server with information from LDAP. The process will fail if an existing user already use your LDAP email. To bind a user to the LDAP authentication, sign in mattermost with this user account, go in account settings > security > sign-in method and "switch to using Gitlab SSO". 
@@ -179,67 +178,51 @@ Keep in mind this will create a new account on your Mattermost server with infor ## References #### project_url (Required) -The URL or the path of the project archive (which contains the Oauth directory) - +The URL or the path of the project archive (which contains the oauth directory) #### base_url (Required) -The base URL of your Mattermost server. This is the URL provided in the site URL field in Mattermost admin panel. (ex : http://mattermost.company.com or http://mattermost.company.com:8065) - +The base URL of your Mattermost server. This is the URL provided in the site URL field in Mattermost admin panel. (ex : http://mattermost.company.com or http://mattermost.company.com:8065) #### install_path (Optional) Directory where the Oauth server will be installed, by default /var/www/html/. The directory must be your httpd root directory. - #### ldap_base (Required) -The base directory name of your LDAP server. (ex : ou=People,o=Company) - +The base directory name of your LDAP server. (ex : ou=People,o=Company) #### ldap_filter (Optional) -Additional filters for your LDAP, see LDAP.php class for more information (used by resource.php to get user informations) - +Additional filters for your LDAP, see LDAP.php class for more information (use by resource.php to get user informations) #### ldap_uri (Required) -Your LDAP hostname or LDAP IP, to connect to the LDAP server. - +Your LDAP hostname or LDAP IP, to connect the LDAP server. #### ldap_port (Optional) -Your LDAP port, to connect to the LDAP server. By default : 389. - +Your LDAP port, to connect the LDAP server. By default : 389. 
#### ldap_rdn (Required) -The LDAP Relative Directory Name suffix to identify a user in LDAP, see LDAP.php class for more information (use by authorize.php to check user credentials on LDAP) - +The LDAP Relative Directory Name suffixto identify a user in LDAP, see LDAP.php class for more information (use by authorize.php to check user credentials on LDAP) #### db_user (Optional) -Oauth user in the database. This user must have rights on the Oauth database to store Oauth tokens. By default : oauth - +Oauth user in the database. This user must have right on the oauth database to store oauth tokens. By default : oauth #### db_pass (Optional) Oauth user password in the database. By default, oauth_secure-pass - #### db_host (Optional) Hostname or IP address of the database. By default : localhost - #### db_port -The database port to connect. By default : 5432 (postgres) - +The port listenning by database to connect. By default : 5432 (postgres) #### db_type (Optional) -Database type to adapt scripts and configurations to your database server. Should be mysql or pqsql. By default : pgsql - +Database type to adapt script and configuration to your database server. Should be mysql or pqsql. By default : pgsql #### db_name (Optional) -Database name for oauth server. By default : oauth_db - +Database name for oauth server. By default : oauth_db #### client_id (Required) -The application ID shared with mattermost. This ID should be a random token. You can use openssl to generate this token (openssl rand -hex 32). If the ID is not filled, the database will not be initialised and the client will not be created. - +The application ID shared with mattermost. This ID should be a random token. You can use openssl to generate this token (openssl rand -hex 32). If the ID is not filled, database will not be initialised and client will not be created. #### client_secret (Required) -The application secret shared with mattermost. This secret should be a random token. 
You can use openssl to generate this token (openssl rand -hex 32). If the secret is not filled, the database will not be initialised and the client will not be created. The secret must be different of the client ID. - +The application secret shared with mattermost. This secret should be a random token. You can use openssl to generate this token (openssl rand -hex 32). If the secret is not filled, database will not be initialised and client will not be created. Secret must be different of the client ID. #### redirect_uri (Optional) -The callback address where Oauth will send tokens to Mattermost. Normally it should be http://mattermost.company.com/signup/gitlab/complete (and this is the default value). - +The callback address where oauth will send tokens to Mattermost. Normally it should be http://mattermost.company.com/signup/gitlab/complete (and this is the default value) #### grant_types (Optional) -The type of authentification use by Mattermost. It should be authorization_code (default value). - +The type of authentification use by Mattermost. It should be authorization_code (default value) #### scope (Optional) -The scope of authentification use by Mattermost. It should be api (default value). - +The scope of authentification use by Mattermost. It should be api (default value) #### user_id (Optional) The username of the user who create the Mattermost client in Oauth. This field has no impact, and could be used as a commentary field. By default this field is empty. - #### timezone (Optional) -The date.timezone parameter for oauth server script. This parameter will set timezone only for this script. This parameter must be set to avoid E.Notice raise by strtotime() (in Pdo.php). Note that if date.timezone is not defined, Mattermost could return a bad token request error. By default Europe/Paris (Because I love my country :D) +The date.timezone parameter for php.ini. This parameter will change the php.ini. 
This parameter must be set to avoid E.Notice raise by strtotime() (in Pdo.php). Note that if date.timezone is not defined, Mattermost will return a bad token request error. By default Europe/Paris (Because I love my country :D) +#### ldap_bind_dn (Optional) +The LDAP Directory Name of an service account to allow LDAP search. This ption is required if your LDAP is restrictive, else by default is an empty string (""). (ex : cn=mattermost_ldap,dc=Example,dc=com) +#### ldap_bind_pass (Optional) +The password associated to the service account to allow LDAP search. This ption is required if your LDAP you provide an bind user, else by default is an empty string (""). ## Limitation @@ -265,7 +248,7 @@ I wish to thank my company and my colleagues for their help and support. Also, I Try to add a new rule in your firewall (or use iptables -F on both Mattermost server and Oauth server) * .htaccess does not work - Add following lines to your httpd.conf and restart httpd service. + Add following lines to your php.ini and restart httpd service. ``` AllowOverride All diff --git a/Puppet/mattermostldap/manifests/init.pp b/Puppet/mattermostldap/manifests/init.pp index 19f6cfd..9278a8b 100755 --- a/Puppet/mattermostldap/manifests/init.pp +++ b/Puppet/mattermostldap/manifests/init.pp @@ -20,6 +20,8 @@ class mattermostldap ( $scope = $mattermostldap::params::scope, $user_id = $mattermostldap::params::user_id, $timezone = $mattermostldap::params::timezone, + $ldap_bind_rdn = $mattermostldap::params::ldap_bind_rdn, + $ldap_bind_pass = $mattermostldap::params::ldap_bind_pass, ) inherits mattermostldap::params { @@ -44,7 +46,9 @@ class mattermostldap ( validate_string($grant_types) validate_string($scope) validate_string($user_id) - validate_string($timezone) + validate_string($timezone) + validate_string($ldap_bind_rdn) + validate_string($ldap_bind_pass) diff --git a/Puppet/mattermostldap/manifests/params.pp b/Puppet/mattermostldap/manifests/params.pp index a1f16a1..540fb7c 100755 
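Review bot: The new class parameter is named `$ldap_bind_rdn`, but the module README in this same commit documents it as `ldap_bind_dn`, and the value is a full DN (the template assigns it to `$bind_dn`; the README example is `cn=mattermost_ldap,dc=Example,dc=com`), not an RDN, so a user following the README gets an unknown-parameter failure from Puppet. Rename it to `$ldap_bind_dn = $mattermostldap::params::ldap_bind_dn,` and rename the matching `params.pp` default, `validate_string` call and template reference, or else fix the README to the name the code actually uses. The parameter list of `class mattermostldap` starts before this hunk.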
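Review bot: `validate_string($ldap_bind_pass)` accepts the default `''`, so a bind DN without a password passes validation and is rendered into `config_ldap.php`, where the PHP side will call `ldap_bind` with an empty password; that is an unauthenticated bind which some directories (Active Directory in particular) accept and report as success, so the search silently runs anonymously. Reject the combination at catalog-compile time, right after these validate calls: `if $ldap_bind_rdn != '' and $ldap_bind_pass == '' { fail('ldap_bind_pass is required when ldap_bind_rdn is set') }`. The class body continues after this hunk.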
--- a/Puppet/mattermostldap/manifests/params.pp
+++ b/Puppet/mattermostldap/manifests/params.pp
@@ -19,4 +19,6 @@ class mattermostldap::params {
 $scope = 'api'
 $user_id = ''
 $timezone = 'Europe/Paris'
+ $ldap_bind_rdn = '',
+ $ldap_bind_pass = '',
 }
diff --git a/Puppet/mattermostldap/metadata.json b/Puppet/mattermostldap/metadata.json
index 929b5b9..cdfd701 100755
--- a/Puppet/mattermostldap/metadata.json
+++ b/Puppet/mattermostldap/metadata.json
@@ -1,6 +1,6 @@
 {
 "name": "Crivaledaz-mattermostldap",
- "version": "0.1.0",
+ "version": "1.0.0",
 "author": "Crivaledaz",
 "summary": "Puppet module for the plugin Mattermost-LDAP",
 "license": "MIT",
@@ -8,8 +8,7 @@
 "project_page": "https://github.com/Crivaledaz/Mattermost-LDAP",
 "issues_url": null,
 "dependencies": [
- {"name":"puppetlabs-stdlib","version_requirement":">= 1.0.0",
- "name":"puppet-archive","version_requirement":">= 0.4.4"}
+ {"name":"puppetlabs-stdlib","version_requirement":">= 1.0.0"},{"name":"puppet-archive","version_requirement":">= 0.4.4"}
 ]
 }
diff --git a/Puppet/mattermostldap/templates/config_ldap.php.erb b/Puppet/mattermostldap/templates/config_ldap.php.erb
index 58c592d..043446f 100755
--- a/Puppet/mattermostldap/templates/config_ldap.php.erb
+++ b/Puppet/mattermostldap/templates/config_ldap.php.erb
@@ -10,6 +10,10 @@ $rdn_suffix = "<%= @ldap_rdn %>";
 $base = "<%= @ldap_base %>";
 $filter = "<%= @ldap_filter %>";
+// ldap service user to allow search in ldap
+$bind_dn = "<%= @ldap_bind_rdn %>";
+$bind_pass = "<%= @ldap_bind_pass %>";
+
 //add virgule to concat in php script
 if ($filter != "")
 {
diff --git a/README.md b/README.md
old mode 100644
new mode 100755
index 8826e6f..a6ebb2f
--- a/README.md
+++ b/README.md
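Review bot: The two added lines carry a trailing comma, `$ldap_bind_rdn = '',` and `$ldap_bind_pass = '',`, but they sit in the body of `class mattermostldap::params`, not in a parameter list, and the Puppet DSL has no statement separator there (note that `$timezone = 'Europe/Paris'` just above has none); I expect the whole module to stop parsing. Drop the commas: `$ldap_bind_rdn = ''` and `$ldap_bind_pass = ''`.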
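Review bot: `$bind_pass = "<%= @ldap_bind_pass %>";` drops the secret into a double-quoted PHP string with no escaping, so a password containing `"`, `\` or `$` either breaks the generated `config_ldap.php` or is silently rewritten by PHP's variable interpolation, and the resulting bind failure will be misread as a wrong credential. Emit a single-quoted literal and escape the two characters that matter inside it, `$bind_pass = '<%= @ldap_bind_pass.gsub(/[\\']/) { |c| "\\#{c}" } %>';` (same for `$bind_dn`, which can legitimately contain `\` escapes). This template now holds a credential, so the `file` resource that renders it — not in this hunk — should set an owner and mode that only the web-server user can read; I cannot confirm from here what it sets.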
@@ -100,7 +100,7 @@ Hostname or IP address of the database. By default : 127.0.0.1 #### port The port to connect to the database. By default : 5432 (postgres) #### oauth_db_name -Database name for oauth server. By default : oauth_db +Database name for oauth server. By default : oauth_db #### client_id The application ID shared with mattermost. This ID should be a random token. You can use openssl to generate this token (openssl rand -hex 32). By default, this variable contain the openssl command, which use the openssl package. The token will be printed at the end of the script. #### client_secret @@ -140,10 +140,11 @@ Oauth user in the database. This user must have right on the oauth database to s Oauth user password in the database. If you use init script make sure to use the same database user. (ex : oauth_secure-pass) * LDAP config -Edit oauth/LDAP/config_ldap.php : +Edit oauth/LDAP/onfig_ldap.php : 1. Provide your ldap address and port. 2. Change the base directory name ($base) and the filter ($filter) to comply with your LDAP configuration, these variables will be use in resource.php. -3. Change the relative directory name suffix ($rdn) to comply with your LDAP configuration, this variable will be use in connexion.php. +3. Change the relative directory name suffix ($rdn) to comply with your LDAP configuration, this variable will be use in connexion.php. +4. If necessary, you can provide a LDAP account to allow search in LDAP (only restrictive LDAP). #### $hostname Your LDAP hostname or LDAP IP, to connect to the LDAP server. 
@@ -155,6 +156,11 @@ The LDAP Relative Directory Name suffix to identify a user in LDAP, see LDAP.php The base directory name of your LDAP server. (ex : ou=People,o=Company) #### $filter Additional filters for your LDAP, see LDAP.php class for more information (used to get user informations). Note that the user id (uid) will be add to the filter (concat) to get only user data from the LDAP. The uid is provided by username field in the form from oauth/index.php. +#### $bind_dn +The LDAP Directory Name of an service account to allow LDAP search. This ption is required if your LDAP is restrictive, else put an empty string (""). (ex : cn=mattermost_ldap,dc=Example,dc=com) +#### $bind_pass +The password associated to the service account to allow LDAP search. This ption is required if your LDAP you provide an bind user, else put an empty string (""). + To try your configuration you can use ldap.php available at the root of this project which use the LDAP library for PHP or you can use ldapsearch command in a shell. diff --git a/oauth/LDAP/LDAP.php b/oauth/LDAP/LDAP.php old mode 100644 new mode 100755 index b7abbdf..b4b9430 --- a/oauth/LDAP/LDAP.php +++ b/oauth/LDAP/LDAP.php @@ -68,12 +68,16 @@ class LDAP implements LDAPInterface * @param string @base_dn * The LDAP base DN. * @param string @filter - * A filter to get relevant data. Often the user id in ldap (uid or sAMAccountName). + * A filter to get relevant data. Often the user id in ldap (uid or sAMAccountName). + * @param string @bind_dn + * The directory name of a service user to bind before search. Must be a user with read permission on LDAP. + * @param string @bind_pass + * The password associated to the service user to bind before search. * * @return * An array with the user's mail and complete name. */ - public function getDataForMattermost($base_dn, $filter) { + public function getDataForMattermost($base_dn, $filter, $bind_dn, $bind_pass) { $attribute=array("cn","mail"); 
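Review bot: `$bind_dn` and `$bind_pass` are added to `getDataForMattermost` without defaults, so any caller still passing only `$base_dn, $filter` now fails (ArgumentCountError on PHP 7.1+, a warning plus null arguments before that); since `''` is already the documented "no service account" value, `public function getDataForMattermost($base_dn, $filter, $bind_dn = '', $bind_pass = '') {` keeps the old call shape working. The new `@param` text should also spell out the empty-string case, e.g. append `Empty string: no service bind is done; the search runs under whatever bind the connection already has (possibly anonymous).` to the `@bind_dn` description. The method body continues past this hunk.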
@@ -86,6 +90,18 @@ class LDAP implements LDAPInterface
 throw new InvalidArgumentException('Second argument to LDAP/getData must be a filter to get relevant data. Often is the user id in ldap (string). Ex : uid=jdupont');
 }
+ // If LDAP service account for search is specified, do an ldap_bind with this account
+ if ($bind_dn != '' && $bind_dn != null)
+ {
+ $bind_result=ldap_bind($this->ldap_server,$bind_dn,$bind_pass);
+
+ // If authentification failed, throw an exception
+ if (!$bind_result)
+ {
+ throw new Exception('An error has occured during ldap_bind execution. Please check parameter of LDAP/getData, and make sure that user provided have read permission on LDAP.');
+ }
+ }
+
 $result = ldap_search($this->ldap_server, $base_dn, $filter, $attribute, 0, 1, 500);
 if (!$result)
diff --git a/oauth/LDAP/LDAPInterface.php b/oauth/LDAP/LDAPInterface.php
old mode 100644
new mode 100755
index a894aca..3ef6f51
--- a/oauth/LDAP/LDAPInterface.php
+++ b/oauth/LDAP/LDAPInterface.php
@@ -28,9 +28,13 @@ interface LDAPInterface
 * The LDAP base DN.
 * @param string @filter
 * A filter to get relevant data. Often the user id in ldap (uid or sAMAccountName).
- *
+ * @param string @bind_dn
+ * The directory name of a service user to bind before search. Must be a user with read permission on LDAP.
+ * @param string @bind_pass
+ * The password associated to the service user to bind before search.
+ *
 * @return
 * An array with the user's mail and complete name.
 */
- public function getDataForMattermost($base_dn, $filter);
+ public function getDataForMattermost($base_dn, $filter,$bind_dn,$bind_pass);
 }
diff --git a/oauth/LDAP/config_ldap.php b/oauth/LDAP/config_ldap.php
old mode 100644
new mode 100755
index 32b4cf6..67059ca
--- a/oauth/LDAP/config_ldap.php
+++ b/oauth/LDAP/config_ldap.php
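Review bot: The guard `if ($bind_dn != '' && $bind_dn != null)` never looks at `$bind_pass`, so a configured DN with the documented default `""` still reaches `ldap_bind($this->ldap_server,$bind_dn,$bind_pass)`, and a bind with a DN and a zero-length password is the unauthenticated bind of RFC 4513 that some directories (Active Directory in particular) accept and report as success — the search then runs anonymously and the missing password is never surfaced. Require both values before binding, e.g. as the first statement inside the block: `if ($bind_pass === '' || $bind_pass === null) { throw new InvalidArgumentException('LDAP/getData: bind_pass is required when bind_dn is set'); }`, and use `!==` instead of the loose `!=` in the outer guard. On failure it is also worth appending `ldap_error($this->ldap_server)` to the exception message, since the generic text gives the operator nothing to act on. The enclosing method starts before this hunk and its body continues after it.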
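Review bot: The interface now obliges every implementation to take `$bind_dn` and `$bind_pass`, yet its docblock says nothing about the empty-string value that the configuration template and README hand over when no service account is configured, so the contract an implementor must honour is unspecified. State it in the `@bind_dn` description, e.g. `Empty string: no service bind is performed and the search uses the connection's existing bind.` As a style nit, the new signature `getDataForMattermost($base_dn, $filter,$bind_dn,$bind_pass)` loses the space after each comma that the rest of the list uses.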
@@ -1,15 +1,19 @@ getDataForMattermost($base,$filter); + $data = $ldap->getDataForMattermost($base,$filter,$bind_dn,$bind_pass); $resp = array("name" => $data['cn'],"username" => $uid,"id" => $assoc_id,"state" => "active","email" => $data['mail']); } catch (Exception $e)