From 9220c54aea20148f900ce8266499155a18e8600c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Schplurtz=20le=20D=C3=A9boulonn=C3=A9?= Date: Fri, 15 May 2020 09:38:50 +0200 Subject: [PATCH 1/2] add mail address import capability from LDAP --- webserver.js | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 65 insertions(+), 1 deletion(-) diff --git a/webserver.js b/webserver.js index b71d3510..f5213557 100644 --- a/webserver.js +++ b/webserver.js @@ -370,10 +370,25 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { if (shortname == null) { fn(new Error('no user identifier')); return; } var userid = 'user/' + domain.id + '/' + shortname; var user = obj.users[userid]; + var email = null; + if (domain.ldapuseremail) { + email = xxuser[domain.ldapuseremail]; + } else if (xxuser.mail) { // use default + email = xxuser.mail; + } + if ('[object Array]' == Object.prototype.toString.call(email)) { + // mail may be multivalued in ldap in which case, answer is an array. Use the 1st value. + email=email[0]; + } + if (email) { email = email.toLowerCase(); } // it seems some code otherwhere also lowercase the emailaddress. be compatible. if (user == null) { // Create a new user var user = { type: 'user', _id: userid, name: username, creation: Math.floor(Date.now() / 1000), login: Math.floor(Date.now() / 1000), domain: domain.id }; + if (email) { + user['email'] = email; + user['emailVerified'] = true; + } if (domain.newaccountsrights) { user.siteadmin = domain.newaccountsrights; } var usercount = 0; for (var i in obj.users) { if (obj.users[i].domain == domain.id) { usercount++; } } 
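Review bot: The LDAP-supplied address is stored with `emailVerified = true` without checking that it is a non-empty string: `email.toLowerCase()` on the last added line of the extraction block throws inside the authentication callback if the configured attribute yields a non-string value, and an empty string slips past the `if (email)` guards unchanged and is then compared with `!=` against an unset `user.email` in the sync block later in this patch, where it would be written as a verified address. Nothing checks whether another account in the domain already carries the same verified email, so any lookup keyed on verified email could resolve to the wrong account; a uniqueness check, or at least a log line, before the write is worth adding. The extraction block is repeated verbatim in the hunk at line 439; the helper below normalises the value to a lowercase string or null, and both sites become `var email = getLdapEmail(domain, xxuser);`. The enclosing `CreateWebServer` function starts and ends outside the hunk, so the helper can sit beside it at module level.
```javascript
// Return the account email for an LDAP entry: the configured attribute (or 'mail'),
// first value if multi-valued, lowercased; null when absent, empty or not a string.
function getLdapEmail(domain, xxuser) {
    var value = domain.ldapuseremail ? xxuser[domain.ldapuseremail] : xxuser.mail;
    if (Array.isArray(value)) { value = value[0]; }
    if (typeof value !== 'string') { return null; }
    value = value.trim().toLowerCase();
    return (value.length > 0) ? value : null;
}

// … unchanged: shortname / userid lookup …
var email = getLdapEmail(domain, xxuser);
```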
@@ -394,6 +409,23 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user. Another event will come.
 parent.DispatchEvent(['*', 'server-users', user._id], obj, event);
 }
+ // Check if user email has changed
+ var emailreason = null;
+ if (user.email && ! email) { // email unset in ldap => unset
+ delete user.email;
+ delete user.emailVerified;
+ emailreason = 'Unset email (no more email in LDAP)'
+ } else if (user.email != email) { // update email
+ user['email'] = email;
+ user['emailVerified'] = true;
+ emailreason = 'Set account email to ' + email + '. Sync with LDAP.';
+ }
+ if (emailreason) {
+ obj.db.SetUser(user);
+ var event = { etype: 'user', userid: userid, username: user.name, account: obj.CloneSafeUser(user), action: 'accountchange', msg: emailreason, domain: domain.id };
+ if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user. Another event will come.
+ parent.DispatchEvent(['*', 'server-users', user._id], obj, event);
+ }
 // If user is locker out, block here.
 if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { fn('locked'); return; }
 return fn(null, user._id);
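Review bot: The unset branch removes a verified address whenever the entry yields no value, so a misspelled `domain.ldapuseremail` or an attribute the search does not return would strip the email from every LDAP user on their next login, with only the generic `'Unset email (no more email in LDAP)'` text recorded; logging the attribute name that came back empty would make such a misconfiguration visible. That assignment also lacks its terminating semicolon, `emailreason = 'Unset email (no more email in LDAP)';`. The event built below it uses `userid: userid` while the identical block in the hunk at line 497 uses `userid: user._id`; the two copies should agree, and a shared helper taking `(user, email)` and returning the reason string would keep them in step. The enclosing function starts and ends outside the hunk.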
@@ -407,6 +439,17 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 try { ldap.close(); } catch (ex) { console.log(ex); } // Close the LDAP object
 if (err) { fn(new Error('invalid password')); return; }
 var shortname = null;
+ var email = null;
+ if (domain.ldapuseremail) {
+ email = xxuser[domain.ldapuseremail];
+ } else if (xxuser.mail) {
+ email = xxuser.mail;
+ }
+ if ('[object Array]' == Object.prototype.toString.call(email)) {
+ // mail may be multivalued in ldap in which case, answer would be an array. Use the 1st one.
+ email=email[0];
+ }
+ if (email) { email = email.toLowerCase(); } // it seems some code otherwhere also lowercase the emailaddress. be compatible.
 var username = xxuser['displayName'];
 if (domain.ldapusername) { username = xxuser[domain.ldapusername]; }
 if (domain.ldapuserbinarykey) {
@@ -430,6 +473,10 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 if (user == null) {
 // This user does not exist, create a new account.
 var user = { type: 'user', _id: userid, name: shortname, creation: Math.floor(Date.now() / 1000), login: Math.floor(Date.now() / 1000), domain: domain.id };
+ if (email) {
+ user['email'] = email;
+ user['emailVerified'] = true;
+ }
 if (domain.newaccountsrights) { user.siteadmin = domain.newaccountsrights; }
 var usercount = 0;
 for (var i in obj.users) { if (obj.users[i].domain == domain.id) { usercount++; } }
@@ -450,6 +497,23 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user. Another event will come. parent.DispatchEvent(['*', 'server-users', user._id], obj, event); } + // Check if user email has changed + var emailreason = null; + if (user.email && ! email) { // email unset in ldap => unset + delete user.email; + delete user.emailVerified; + emailreason = 'Unset email (no more email in LDAP)' + } else if (user.email != email) { // update email + user['email'] = email; + user['emailVerified'] = true; + emailreason = 'Set account email to ' + email + '. Sync with LDAP.'; + } + if (emailreason) { + obj.db.SetUser(user); + var event = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'accountchange', msg: emailreason, domain: domain.id }; + if (obj.db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user. Another event will come. + parent.DispatchEvent(['*', 'server-users', user._id], obj, event); + } // If user is locker out, block here. if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { fn('locked'); return; } return fn(null, user._id); @@ -5410,4 +5474,4 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { } return obj; -}; \ No newline at end of file +}; From 0c95dff71715fac619c2c93ff783101699da43ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Schplurtz=20le=20D=C3=A9boulonn=C3=A9?= Date: Fri, 15 May 2020 09:39:07 +0200 Subject: [PATCH 2/2] add ldapuseremail to the list of domainValues --- meshctrl.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meshctrl.js b/meshctrl.js index 0da0d765..34b24312 100644 --- a/meshctrl.js +++ b/meshctrl.js 
@@ -418,7 +418,7 @@ function displayConfigHelp() { } function performConfigOperations(args) { - var domainValues = ['title', 'title2', 'titlepicture', 'trustedcert', 'welcomepicture', 'welcometext', 'userquota', 'meshquota', 'newaccounts', 'usernameisemail', 'newaccountemaildomains', 'newaccountspass', 'newaccountsrights', 'geolocation', 'lockagentdownload', 'userconsentflags', 'Usersessionidletimeout', 'auth', 'ldapoptions', 'ldapusername', 'ldapuserbinarykey', 'ldapoptions', 'footer', 'certurl', 'loginKey', 'userallowedip', 'agentallowedip', 'agentnoproxy', 'agentconfig', 'orphanagentuser', 'httpheaders', 'yubikey', 'passwordrequirements', 'limits', 'amtacmactivation', 'redirects', 'sessionrecording', 'hide', 'loginkey']; + var domainValues = ['title', 'title2', 'titlepicture', 'trustedcert', 'welcomepicture', 'welcometext', 'userquota', 'meshquota', 'newaccounts', 'usernameisemail', 'newaccountemaildomains', 'newaccountspass', 'newaccountsrights', 'geolocation', 'lockagentdownload', 'userconsentflags', 'Usersessionidletimeout', 'auth', 'ldapoptions', 'ldapusername', 'ldapuserbinarykey', 'ldapoptions', 'ldapuseremail', 'footer', 'certurl', 'loginKey', 'userallowedip', 'agentallowedip', 'agentnoproxy', 'agentconfig', 'orphanagentuser', 'httpheaders', 'yubikey', 'passwordrequirements', 'limits', 'amtacmactivation', 'redirects', 'sessionrecording', 'hide', 'loginkey']; var domainObjectValues = [ 'ldapoptions', 'httpheaders', 'yubikey', 'passwordrequirements', 'limits', 'amtacmactivation', 'redirects', 'sessionrecording' ]; var domainArrayValues = [ 'newaccountemaildomains', 'newaccountsrights', 'loginkey', 'agentconfig' ]; var configChange = false; @@ -1139,4 +1139,4 @@ function displayDeviceInfo(sysinfo, lastconnect, network) { } } } -} \ No newline at end of file +}
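Review bot: The `domainValues` list on the changed line still carries `'ldapoptions'` twice (a pre-existing duplicate, not introduced here); since the line is rewritten anyway, the duplicate is worth dropping in the same edit. `'ldapoptions'` also appears in `domainObjectValues` just below, so it is presumably the plain-string entry that is redundant; confirm against how the lists are consumed further down `performConfigOperations`, which continues outside the hunk.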