ldap_authenticator.ex
View Options

	# Pleroma: A lightweight social networking server
	# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
	# SPDX-License-Identifier: AGPL-3.0-only

	defmodule Pleroma.Web.Auth.LDAPAuthenticator do
	alias Pleroma.User

	require Logger

	import Pleroma.Web.Auth.Authenticator,
	only: [fetch_credentials: 1, fetch_user: 1]

	@behaviour Pleroma.Web.Auth.Authenticator
	@base Pleroma.Web.Auth.PleromaAuthenticator

	@connection_timeout 10_000
	@search_timeout 10_000

	defdelegate get_registration(conn), to: @base
	defdelegate create_from_registration(conn, registration), to: @base
	defdelegate handle_error(conn, error), to: @base
	defdelegate auth_template, to: @base
	defdelegate oauth_consumer_template, to: @base

	def get_user(%Plug.Conn{} = conn) do
	with {:ldap, true} <- {:ldap, Pleroma.Config.get([:ldap, :enabled])},
	{:ok, {name, password}} <- fetch_credentials(conn),
	%User{} = user <- ldap_user(name, password) do
	{:ok, user}
	else
	{:ldap, _} ->
	@base.get_user(conn)

	error ->
	error
	end
	end

	defp ldap_user(name, password) do
	ldap = Pleroma.Config.get(:ldap, [])
	host = Keyword.get(ldap, :host, "localhost")
	port = Keyword.get(ldap, :port, 389)
	ssl = Keyword.get(ldap, :ssl, false)
	sslopts = Keyword.get(ldap, :sslopts, [])

	options =
	[{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}] ++
	if sslopts != [], do: [{:sslopts, sslopts}], else: []

	case :eldap.open([to_charlist(host)], options) do
	{:ok, connection} ->
	try do
	if Keyword.get(ldap, :tls, false) do
	:application.ensure_all_started(:ssl)

	case :eldap.start_tls(
	connection,
	Keyword.get(ldap, :tlsopts, []),
	@connection_timeout
	) do
	:ok ->
	:ok

	error ->
	Logger.error("Could not start TLS: #{inspect(error)}")
	end
	end

	bind_user(connection, ldap, name, password)
	after
	:eldap.close(connection)
	end

	{:error, error} ->
	Logger.error("Could not open LDAP connection: #{inspect(error)}")
	{:error, {:ldap_connection_error, error}}
	end
	end

	defp bind_user(connection, ldap, name, password) do
	uid = Keyword.get(ldap, :uid, "cn")
	base = Keyword.get(ldap, :base)

	case :eldap.simple_bind(connection, "#{uid}=#{name},#{base}", password) do
	:ok ->
	case fetch_user(name) do
	%User{} = user ->
	user

	_ ->
	register_user(connection, base, uid, name)
	end

	error ->
	error
	end
	end

	defp register_user(connection, base, uid, name) do
	case :eldap.search(connection, [
	{:base, to_charlist(base)},
	{:filter, :eldap.equalityMatch(to_charlist(uid), to_charlist(name))},
	{:scope, :eldap.wholeSubtree()},
	{:timeout, @search_timeout}
	]) do
	{:ok, {:eldap_search_result, [{:eldap_entry, _, attributes}], _}} ->
	params = %{
	name: name,
	nickname: name,
	password: nil
	}

	params =
	case List.keyfind(attributes, 'mail', 0) do
	{_, [mail]} -> Map.put_new(params, :email, :erlang.list_to_binary(mail))
	_ -> params
	end

	changeset = User.register_changeset_ldap(%User{}, params)

	case User.register(changeset) do
	{:ok, user} -> user
	error -> error
	end

	error ->
	error
	end
	end
	end

File Metadata

Mime Type: text/x-ruby
Expires: Mon, Jun 29, 9:31 AM (1 d, 12 h)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 1633478
Default Alt Text: ldap_authenticator.ex (3 KB)

ldap_authenticator.ex
No OneTemporary
Actions

ldap_authenticator.ex
View Options

File Metadata

Event Timeline

ldap_authenticator.exNo OneTemporaryActions

ldap_authenticator.exView Options

File Metadata

Event Timeline

ldap_authenticator.ex
No OneTemporary
Actions

ldap_authenticator.ex
View Options