Guwan
/
ldap-matter
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Better organization for configuration - add config file

This commit is contained in:
Crivaledaz 2017-08-17 00:05:49 +02:00
parent fa3ca7a924
commit d0aaf4723e
12 changed files with 217 additions and 81 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

110
README.md
View File

@ -25,23 +25,33 @@ This module requires the following :
* php-pgsql or php-mysql * php-pgsql or php-mysql
* httpd * httpd
* postgresql or mariadb (mysql) * postgresql or mariadb (mysql)
* postgresql-server or maridb-server * postgresql-server or mariadb-server
* git * git
Obviously, you must have a Mattermost Server installed and be administrator on it, and a LDAP server configured. Obviously, you must have a Mattermost Server installed and be administrator on it, and a LDAP server configured.
### Pre-install ### Pre-install
* For Centos 7, RHEL 7 and Fedora :
Install required packages : Install required packages :
* For Centos 7, RHEL 7 and Fedora :
``` ```
#For PostgreSQL #For PostgreSQL
sudo yum -y --nogpgcheck install httpd php postgresql-server postgresql php-ldap php-pdo php-psql git sudo yum -y --nogpgcheck install httpd php postgresql-server postgresql php-ldap php-pdo php-pgsql git
#For MySQL #For MySQL
sudo yum -y --nogpgcheck install httpd php mariadb-server mariadb php-ldap php-pdo php-mysql git sudo yum -y --nogpgcheck install httpd php mariadb-server mariadb php-ldap php-pdo php-mysql git
``` ```
* For Debian, ubuntu, Mint :
```
#For PostgreSQL
sudo apt-get -y install httpd php postgresql-server postgresql php-ldap php-pdo php-pgsql git
Start and enable service for Apache and Database : #For MySQL
sudo apt-get -y install httpd php mariadb-server mariadb php-ldap php-pdo php-mysql git
```
Start and enable service for Apache and Database (for all distribution using systemd):
``` ```
#For PostgreSQL #For PostgreSQL
sudo systemctl start httpd sudo systemctl start httpd
@ -63,14 +73,47 @@ Your system is ready to install and run Mattermost-LDAP module.
## Install ## Install
Clone (or download and extract) this repository in your /var/www/html (or your httpd root directory) : Clone (or download and extract) this repository in your /var/www/html (or your httpd root directory) :
``` ```
cd ~
git clone https://github.com/crivaledaz/Mattermost-LDAP.git git clone https://github.com/crivaledaz/Mattermost-LDAP.git
cd Mattermost-LDAP
cp -r oauth/ /var/www/html/
``` ```
You need to create a database for the oauth server. For this purpose, you can use the script "init_postgres.sh" or "init_mysql.sh". These scripts try to configure your database automatically, by creating a new user and a new database associated for the oauth server. Scripts also create all tables necessary for the module. If script failed, please report here, and try to configure manually your database by adapting command in scripts. Before running the script you can change the default settings by editing the .sh file and modifying configuration variables at the beginning of the file. You need to create a database for the oauth server. For this purpose, you can use the script "init_postgres.sh" or "init_mysql.sh". These scripts try to configure your database automatically, by creating a new user and a new database associated for the oauth server. Scripts also create all tables necessary for the module. If script failed, please report here, and try to configure manually your database by adapting command in scripts. Before running the script you can change the default settings by editing the config_init.sh file and modifying configuration variables. For postgresql, you can copy and paste following lines :
```
nano config_init.sh
./init_postgres.sh
```
This script will automatically create and add a new client in the oauth server, returning a client id and a client secret. You need to keep these two token to configure Mattermost. Please be sure the client secret remained secret. The redirect url in the script must comply with the hostname of your Mattermost server, else Mattermost could not get data from the Oauth server. This script will automatically create and add a new client in the oauth server, returning a client id and a client secret. You need to keep these two token to configure Mattermost. Please be sure the client secret remained secret. The redirect url in the script must comply with the hostname of your Mattermost server, else Mattermost could not get data from the Oauth server.
### configuration
## Configuration
* Init script configuration :
#### oauth_user
Oauth user in the database. This user must have right on the oauth database to store oauth tokens. By default : oauth
#### oauth_pass
Oauth user password in the database. By default, oauth_secure-pass
#### ip
Hostname or IP address of the database. By default : 127.0.0.1
#### port
The port to connect to the database. By default : 5432 (postgres)
#### oauth_db_name
Database name for oauth server. By default : oauth_db
#### client_id
The application ID shared with mattermost. This ID should be a random token. You can use openssl to generate this token (openssl rand -hex 32). By default, this variable contain the openssl command, which use the openssl package. The token will be printed at the end of the script.
#### client_secret
The application secret shared with mattermost. This secret should be a random token. You can use openssl to generate this token (openssl rand -hex 32). By default, this variable contain the openssl command, which use the openssl package. The token will be printed at the end of the script. Secret must be different of the client ID.
#### redirect_uri
The callback address where oauth will send tokens to Mattermost. Normally it should be http://mattermost.company.com/signup/gitlab/complete
#### grant_types
The type of authentification use by Mattermost. It should be "authorization_code".
#### scope
The scope of authentification use by Mattermost. It should be "api".
#### user_id
The username of the user who create the Mattermost client in Oauth. This field has no impact, and could be used as a commentary field. By default this field is empty.
* Mattermost : * Mattermost :
Active Gitlab authentication in system console > Gitlab (or config.json on server) and fill application id and secret with the two token got during install section. For the next fields use this : Active Gitlab authentication in system console > Gitlab (or config.json on server) and fill application id and secret with the two token got during install section. For the next fields use this :
``` ```
@ -80,20 +123,41 @@ Token Endpoint: http://HOSTNAME/oauth/token.php
``` ```
Change HOSTNAME by hostname or ip of the server where you have installed Mattermost-LDAP module. Change HOSTNAME by hostname or ip of the server where you have installed Mattermost-LDAP module.
* Database credential * Database credentials
Edit oauth/server.php and adapt, with your settings, variables for database connection : Edit oauth/config_db.php and adapt, with your settings, to set up database in PHP.
```
$dsn = 'pgsql:dbname=oauth_db;host=localhost;port=5432'; #### $host
$username = 'oauth'; Hostname or IP address of the database. (ex : localhost)
$password = 'oauth_secure-pass'; #### $port
``` The port of your database to connect. (ex : 5432 for postgres)
#### $name
Database name for oauth server. If you use init script make sure to use the same database name. (ex : oauth_db)
#### $type
Database type to adapt PDO to your database server. Should be mysql or pgsql.
#### $username
Oauth user in the database. This user must have right on the oauth database to store oauth tokens. If you use init script make sure to use the same database user. (ex : oauth)
#### $password
Oauth user password in the database. If you use init script make sure to use the same database user. (ex : oauth_secure-pass)
* LDAP config * LDAP config
Edit oauth/LDAP/ldap_config.php to provide your ldap address and port. Edit oauth/LDAP/config_ldap.php :
Edit oauth/resource.php to change the base directory name ($base) and the filter ($filter) to comply with your LDAP configuration. 1. Provide your ldap address and port.
Edit oauth/connexion.php to change the relative directory name ($rdn) to comply with your LDAP configuration. 2. Change the base directory name ($base) and the filter ($filter) to comply with your LDAP configuration, these variables will be use in resource.php.
3. Change the relative directory name suffix ($rdn) to comply with your LDAP configuration, this variable will be use in connexion.php.
To try your configuration you can use the LDAP library for PHP or ldapsearch command in a shell. #### $hostname
Your LDAP hostname or LDAP IP, to connect to the LDAP server.
#### $port
Your LDAP port, to connect to the LDAP server. By default : 389.
#### $rdn
The LDAP Relative Directory Name suffix to identify a user in LDAP, see LDAP.php class for more information (use to check user credentials on LDAP). Note that user id (uid) will be add to this suffix to produce a complete relative directory name. The uid is provided by username field in the form from oauth/index.php. For more information, refer to ldap_bind() in php documentation.
#### $base
The base directory name of your LDAP server. (ex : ou=People,o=Company)
#### $filter
Additional filters for your LDAP, see LDAP.php class for more information (used to get user informations). Note that the user id (uid) will be add to the filter (concat) to get only user data from the LDAP. The uid is provided by username field in the form from oauth/index.php.
To try your configuration you can use ldap.php available at the root of this project which use the LDAP library for PHP or you can use ldapsearch command in a shell.
Configure LDAP is certainly the most difficult step. Configure LDAP is certainly the most difficult step.
@ -128,13 +192,13 @@ I wish to thank my company and my colleagues for their help and support. Also, I
Try to restart httpd service. If this persists verify your LDAP configuration or your credentials. Try to restart httpd service. If this persists verify your LDAP configuration or your credentials.
* PHP date timezone error * PHP date timezone error
Edit php.ini to set up date.timezone option and restart httpd service. Edit php.ini to set up date.timezone option and restart httpd service, or use the date_default_timezone_set() function in config_db.php
* Token request failes * Token request failed
Try to add a new rule in your firewall (or use iptables -F on both Mattermost server and Oauth server) Try to add a new rule in your firewall (or use iptables -F on both Mattermost server and Oauth server)
* .htaccess does not work * .htaccess does not work
Add following lines to your php.ini and restart httpd service. Add following lines to your httpd.conf and restart httpd service.
``` ```
<Directory "/var/www/html/oauth"> <Directory "/var/www/html/oauth">
AllowOverride All AllowOverride All
@ -143,9 +207,3 @@ I wish to thank my company and my colleagues for their help and support. Also, I

16
config_init.sh Normal file
View File

@ -0,0 +1,16 @@
#####################################--CONFIGURATION FILE--########################################
#Client configuration
client_id=`openssl rand -hex 32`
client_secret=`openssl rand -hex 32`
redirect_uri="http://mattermost.company.com:8065/signup/gitlab/complete"
grant_types="authorization_code"
scope="api"
user_id=""
#Database configuration
oauth_user="oauth"
oauth_db_name="oauth_db"
oauth_pass="oauth_secure-pass"
ip="127.0.0.1"
port="5432"

18
init_mysql.sh
View File

@ -1,24 +1,10 @@
#!/bin/bash #!/bin/bash
#This script need right to become mysql user (so root) and to read/write in httpd directory #This script need right to become mysql user (so root) and to read/write in httpd directory
#######################################--CONFIGURATION--########################################### source config_init.sh
#Client configuration #If script does not work, fill the following variable with the mysql account password
client_id=`openssl rand -hex 32`
client_secret=`openssl rand -hex 32`
redirect_uri="http://hostname.com:8065/signup/gitlab/complete"
grant_types="authorization_code"
scope="api"
user_id=""
#Database configuration
oauth_user="oauth"
oauth_db_name="oauth_db"
oauth_pass="oauth_secure-pass"
ip="127.0.0.1"
port="3306"
mysql_pass="" mysql_pass=""
#######################################--Fonctions--############################################### #######################################--Fonctions--###############################################
ok() { echo -e '\e[32m'$1'\e[m'; } ok() { echo -e '\e[32m'$1'\e[m'; }

17
init_postgres.sh
View File

@ -1,22 +1,7 @@
#!/bin/bash #!/bin/bash
#This script need right to become postgres user (so root) and to read/write in httpd directory #This script need right to become postgres user (so root) and to read/write in httpd directory
#######################################--CONFIGURATION--########################################### source conf_init.sh
#Client configuration
client_id=`openssl rand -hex 32`
client_secret=`openssl rand -hex 32`
redirect_uri="http://hostname.com:8065/signup/gitlab/complete"
grant_types="authorization_code"
scope="api"
user_id=""
#Database configuration
oauth_user="oauth"
oauth_db_name="oauth_db"
oauth_pass="oauth_secure-pass"
ip="127.0.0.1"
port="5432"
#######################################--Fonctions--############################################### #######################################--Fonctions--###############################################

62
ldap.php Normal file
View File

@ -0,0 +1,62 @@
<?php
error_reporting(E_ALL);
###################################---Configuration---################################
//Ldap adress and port
$hostname = "ldap://company.com:389";
//Unique identifier of user on LDAP
$uid = "username";
$email = "username@company.com";
//directory name (dn)
$dn = "uid=username,ou=People,o=Company";
//Password (Only for test, we give the password in clear text)
$pass = "user_pass";
//Base directory name
$base = "ou=People,o=Company";
######################################################################################
echo "<h3>LDAP : Test Center</h3>";
echo "Attempting to connect LDAP server ... <br />";
$ldap=ldap_connect($hostname);
if ($ldap) {
echo "Successful connection ! <br />";
echo "Checking LDAP credentials ... <br />";
$is_valid=ldap_bind($ldap,$dn,$pass);
if ($is_valid) {
echo "Successful authentication ! <br />";
echo "Getting user informations ...<br />";
$user_data=ldap_search($ldap, $base, "mail=" . $email);
if ($user_data)
{
echo "Data recovered with success ! <br />";
echo "Extracting useful data : <br /><br />";
$info_user = ldap_get_entries($ldap, $user_data);
for ($i=0; $i<$info_user["count"]; $i++) {
echo "dn: " . $info_user[$i]["dn"] . "<br />";
echo "cn: " . $info_user[$i]["cn"][0] . "<br />";
echo "uid: " . $info_user[$i]["uid"][0] . "<br />";
echo "email: " . $info_user[$i]["mail"][0] . "<br /><hr />";
}
} else {
echo "No data recovered ! <br /><br />";
}
} else {
echo "Identification has failed ... Check your credentials<br /><br />";
}
echo "Closing LDAP connection.";
ldap_close($ldap);
} else {
echo "Impossible to connect to LDAP server !";
}

20
oauth/LDAP/config_ldap.php
View File

@ -1,3 +1,21 @@
<?php <?php
$hostname = "ldap://hostname.com/"; $hostname = "ldap://company.com/";
$port = 389; $port = 389;
// variable use in connexion.php
$rdn_suffix = 'ou=People,o=Company';
// variable use in resource.php
$base = "o=Company";
$filter = "";
//add coma to concat in php script
if ($filter != "")
{
$filter = "," . $filter;
}
if ($rdn_suffix != "")
{
$rdn_suffix = "," . $rdn_suffix;
}

5
oauth/authorize.php
View File

@ -23,7 +23,8 @@ if (!$server->validateAuthorizeRequest($request, $response)) {
if (!isset($_SESSION['uid'])) if (!isset($_SESSION['uid']))
{ {
//store the authorize request //store the authorize request
$_SESSION['auth_page']=end(explode("/", strip_tags(trim($_SERVER['REQUEST_URI'])))); $explode_url=explode("/", strip_tags(trim($_SERVER['REQUEST_URI'])));
$_SESSION['auth_page']=end($explode_url);
header('Location: index.php'); header('Location: index.php');
exit(); exit();
} }
@ -33,7 +34,7 @@ if (!isset($_SESSION['uid']))
if (empty($_POST)) { if (empty($_POST)) {
exit(' exit('
<form method="post"> <form method="post">
<label>Mattermost wants to access your LDAP informations (ID, complete name, mail) </label><br /> <label>Mattermost souhaite accéder à vos données LDAP (Identifiant, nom complet, mail) </label><br />
<input type="submit" name="authorized" value="Authorize"> <input type="submit" name="authorized" value="Authorize">
<input type="submit" name="authorized" value="Deny"> <input type="submit" name="authorized" value="Deny">
</form>'); </form>');

14
oauth/config_db.php Normal file
View File

@ -0,0 +1,14 @@
<?php
$port = 5432;
$host = "localhost";
$name = "oauth_db";
$type = "pgsql";
$username = "oauth";
$password = "oauth_secure-pass";
$dsn = $type . ":dbname=" . $name . ";host=" . $host . ";port=" . $port;
/* Uncomment the line below to set date.timezone to avoid E.Notice raise by strtotime() (in Pdo.php)
* If date.timezone is not defined in php.ini or with this function, Mattermost could return a bad token request error
*/
//date_default_timezone_set ('Europe/Paris');

11
oauth/connexion.php
View File

@ -12,7 +12,7 @@ require_once __DIR__.'/LDAP/config_ldap.php';
// Verify all fields have been filled // Verify all fields have been filled
if (empty($_POST['user']) || empty($_POST['password'])) if (empty($_POST['user']) || empty($_POST['password']))
{ {
echo 'You must fill each field'; echo 'You must fill each field<br /><br />';
echo 'Click <a href="./index.php">here</a> to come back to login page'; echo 'Click <a href="./index.php">here</a> to come back to login page';
} }
else else
@ -20,12 +20,12 @@ else
// Check received data length (to prevent code injection) // Check received data length (to prevent code injection)
if (strlen($_POST['user']) > 15) if (strlen($_POST['user']) > 15)
{ {
echo 'Strange username ... Please try again'; echo 'Strange username ... Please try again<br /><br />';
echo 'Click <a href="./index.php">here</a> to come back to login page'; echo 'Click <a href="./index.php">here</a> to come back to login page';
} }
elseif (strlen($_POST['password']) > 50 || strlen($_POST['password']) <= 7) elseif (strlen($_POST['password']) > 50 || strlen($_POST['password']) <= 7)
{ {
echo 'Strange password ... Please try again'; echo 'Strange password ... Please try again<br /><br />';
echo 'Click <a href="./index.php">here</a> to come back to login page'; echo 'Click <a href="./index.php">here</a> to come back to login page';
} }
else else
@ -41,9 +41,10 @@ else
//##################################################\\ //##################################################\\
// /!\ Adapt here with your LDAP config /!\ \\ // /!\ Adapt here with your LDAP config /!\ \\
// Now you can do this in ldap_config.php \\
//##################################################\\ //##################################################\\
$rdn = 'uid=' . $user . ',ou=People,o=Company'; $rdn = 'uid=' . $user . $rdn_suffix;
/****************************************************/ /****************************************************/
@ -67,7 +68,7 @@ else
// check login on LDAP has failed. Login and password were invalid or LDAP is unreachable // check login on LDAP has failed. Login and password were invalid or LDAP is unreachable
else else
{ {
echo "Authetification failed ... Check your username and password.<br />If error persist contact your administrator.<br /><br />"; echo "Authentication failed ... Check your username and password.<br />If error persist contact your administrator.<br /><br />";
echo 'Click <a href="./index.php">here</a> to come back to login page'; echo 'Click <a href="./index.php">here</a> to come back to login page';
} }
} }

8
oauth/index.php
View File

@ -5,16 +5,16 @@ session_start();
<!DOCTYPE html> <!DOCTYPE html>
<html> <html>
<head> <head>
<title>LDAP Connection Interface</title> <title>Interface de connexion LDAP</title>
</head> </head>
<body> <body>
<form method="post" action="connexion.php"> <form method="post" action="connexion.php">
<fieldset> <fieldset>
<legend>Connection</legend> <legend>Connexion</legend>
<p> <p>
<label for="user">Username :</label><input name="user" type="text" id="user" /><br /> <label for="user">Identifiant :</label><input name="user" type="text" id="user" /><br />
<label for="password">Password :</label><input type="password" name="password" id="password" /> <label for="password">Mot de Passe :</label><input type="password" name="password" id="password" />
</p> </p>
</fieldset> </fieldset>

4
oauth/resource.php
View File

@ -28,10 +28,10 @@ $assoc_id = $info_oauth["assoc_id"];
//##################################################\\ //##################################################\\
// /!\ Adapt here with your LDAP config /!\ \\ // /!\ Adapt here with your LDAP config /!\ \\
// Now you can do this in ldap_config.php \\
//##################################################\\ //##################################################\\
$base = "o=Company"; $filter = $filter . "uid=" . $uid;
$filter = "uid=" . $uid;
/****************************************************/ /****************************************************/

9
oauth/server.php
View File

@ -3,13 +3,8 @@
* Adapted from Oauth2-server-php cookbook * Adapted from Oauth2-server-php cookbook
* @see http://bshaffer.github.io/oauth2-server-php-docs/cookbook/ * @see http://bshaffer.github.io/oauth2-server-php-docs/cookbook/
*/ */
// Include database configuration
$dsn = 'pgsql:dbname=oauth_db;host=localhost;port=5432'; require_once('config_db.php');
$username = 'oauth';
$password = 'oauth_secure-pass';
// error reporting (this is a demo, after all!)
ini_set('display_errors',1);error_reporting(E_ALL);
// Autoloading (composer is preferred, but for this example let's just do this) // Autoloading (composer is preferred, but for this example let's just do this)
require_once('OAuth2/Autoloader.php'); require_once('OAuth2/Autoloader.php');