Merge branch 'f-ldap' into 'dev'

F ldap See merge request caosdb/caosdb-server!37

Merge branch 'f-ldap' into 'dev'
67319563 · Henrik tom Wörden · 5e425272 · ee8784b9 · 67319563 · 67319563
Commit 67319563 authored 5 years ago by Henrik tom Wörden
--- a/conf/core/usersources.ini.template
+++ b/conf/core/usersources.ini.template
@@ -25,6 +25,7 @@ defaultRealm = PAM

 [PAM]
 class = caosdb.server.accessControl.Pam
+; pam_script = ./misc/pam_authentication/pam_authentication.sh
 default_status = ACTIVE
 ;include.user = [uncomment and put your users here]
 ;include.group = [uncomment and put your groups here]

--- a/misc/pam_authentication/ldap.conf
+++ b/misc/pam_authentication/ldap.conf
+# This file is sourced by the LDAP authentication script
+
+
+# Set the ldap server here.  This is also used to generate a fully qualified
+# user name.
+
+# LDAP_SERVER="example.com"
--- a/misc/pam_authentication/ldap_authentication.sh
+++ b/misc/pam_authentication/ldap_authentication.sh
+#!/bin/bash
+
+# ** header v3.0
+# This file is a part of the CaosDB Project.
+#
+# Copyright (c) 2020 IndiScale GmbH
+# Copyright (c) 2020 Daniel Hornung <d.hornung@indiscale.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+#
+# ** end header
+
+# Try to authenticate a user ($1) with a password ($2) via LDAP
+
+[[ "$#" == "2" ]] || {
+    echo "call this script with two arguments: user and password"
+    exit 1
+}
+
+# set LDAP_SERVER here
+# e.g. `LDAP_SERVER=example.com`
+exe_dir=$(dirname $0)
+. "$exe_dir/"ldap.conf
+
+testpw() {
+    username="${1}@${LDAP_SERVER}"
+    pw="$2"
+
+    if timeout 5s ldapwhoami -x -H "ldap://$LDAP_SERVER" -D "$username" -w "$pw"; then
+        return 0
+    else
+        ret_code="$?"
+    fi
+
+    # Possibly try a second time
+    if [[ "$ret_code" != "124" ]] ; then
+        return "$ret_code"
+    fi
+
+    ldapwhoami -x -H "ldap://$LDAP_SERVER" -D "$username" -w "$pw"
+
+}
+
+if testpw "$1" "$2" ; then
+    echo "[OK]"
+    exit 0
+else
+    echo "[FAILED]"
+    exit 1
+fi
--- a/src/main/java/caosdb/server/accessControl/Pam.java
+++ b/src/main/java/caosdb/server/accessControl/Pam.java
@@ -254,13 +254,17 @@ public class Pam implements UserSource {
   */
  private boolean isUserExistingNoCache(final String username) {
    logger.trace("Check UnixUser.exists", username);
-    return username != null && UnixUser.exists(username) && isIncorporated(username);
+    // TODO Decide what to do here.  Checking for existence may not always be possible without
+    // credentials.
+
+    // return username != null && UnixUser.exists(username) && isIncorporated(username);
+    return username != null && isIncorporated(username);
  }

  /** @see {@link UserSource#isValid(String, String)}. */
  @Override
  public boolean isValid(final String username, final String password) {
-    if (isUserExisting(username)) {
+    if (username != null && isIncorporated(username)) {
      return isValid(getPamScriptCaller(), username, password);
    }
    return false;