Add LDAP authentication

.env.production.sample

@@ -105,3 +105,42 @@ STREAMING_CLUSTER_NUM=1
 # If you use Docker, you may want to assign UID/GID manually.
 # UID=1000
 # GID=1000
+
+# LDAP configuration
+# Uncomment next line if you want to use LDAP on your instance
+# USE_LDAP=true
+#
+# Use only LDAP authentication (don't try other means)
+# LDAP_ONLY=false
+#
+# LDAP_HOST=localhost
+# LDAP_PORT=389
+#
+# LDAP attribute to find the user's e-mail. Necessary to create accounts
+# for not existing users
+# LDAP_MAIL_ATTRIBUTE="mail"
+#
+# On first login, this LDAP attribute will be used as the nickname for
+# the user.
+# LDAP_USERNAME_ATTRIBUTE="uid"
+#
+# Skip e-mail confirmation when creating an account via LDAP.
+# LDAP_SKIP_EMAIL_CONFIRMATION=true
+#
+# ----- Using BIND_DN and BIND_PW
+# LDAP_BIND_DN and LDAP_BIND_PW may be used if the mastodon instance
+# should be able to connect to LDAP to find and search for users.
+#
+# LDAP_BIND_DN="cn=mastodon,dc=example,dc=com"
+# LDAP_BIND_PW="password"
+# LDAP_SEARCH_BASE="dc=example,dc=com"
+#
+# This is the filter with which to search for the user. %{username} will
+# be replaced by the given login.
+# LDAP_SEARCH_FILTER="uid=%{username}"
+#
+# ----- Using template
+# This setting doesn't require a mastodon LDAP user. Use a template, and
+# mastodon will try to login with the templated dn and password
+#
+# LDAP_BIND_TEMPLATE="uid=%{username},dc=example,dc=com"

Gemfile

@@ -35,6 +35,7 @@ gem 'http_accept_language', '~> 2.1'
 gem 'httplog', '~> 0.99'
 gem 'kaminari', '~> 1.0'
 gem 'link_header', '~> 0.0'
+gem 'net-ldap', '~> 0.16'
 gem 'nokogiri', '~> 1.7'
 gem 'oj', '~> 3.0'
 gem 'ostatus2', '~> 2.0'

Gemfile.lock

@@ -241,6 +241,7 @@ GEM
     minitest (5.10.2)
     msgpack (1.1.0)
     multi_json (1.12.1)
+    net-ldap (0.16.0)
     net-scp (1.2.1)
       net-ssh (>= 2.6.5)
     net-ssh (4.1.0)
@@ -516,6 +517,7 @@ DEPENDENCIES
   link_header (~> 0.0)
   lograge (~> 0.5)
   microformats2 (~> 3.0)
+  net-ldap (~> 0.16)
   nokogiri (~> 1.7)
   oj (~> 3.0)
   ostatus2 (~> 2.0)

app/controllers/auth/registrations_controller.rb

@@ -34,7 +34,11 @@ def after_inactive_sign_up_path_for(_resource)
   end
 
   def check_enabled_registrations
-    redirect_to root_path if single_user_mode? || !Setting.open_registrations
+    if single_user_mode? || !Setting.open_registrations
+      redirect_to root_path
+    elsif Rails.configuration.x.use_ldap
+      redirect_to new_user_session_path
+    end
   end
 
   private

app/models/user.rb

@@ -31,6 +31,7 @@
 #  last_emailed_at           :datetime
 #  otp_backup_codes          :string           is an Array
 #  filtered_languages        :string           default([]), not null, is an Array
+#  ldap_dn                   :text
 #
 
 class User < ApplicationRecord
@@ -62,6 +63,7 @@ class User < ApplicationRecord
   # It seems possible that a future release of devise-two-factor will
   # handle this itself, and this can be removed from our User class.
   attribute :otp_secret
+  attribute :ldap_username
 
   has_many :session_activations, dependent: :destroy
 
@@ -105,12 +107,24 @@ def session_active?(id)
     session_activations.active? id
   end
 
+  def ldap_user?
+    Rails.configuration.x.use_ldap && ldap_dn.present?
+  end
+
   protected
 
   def send_devise_notification(notification, *args)
     devise_mailer.send(notification, self, *args).deliver_later
   end
 
+  def confirmation_required?
+    if ldap_user?
+      !Rails.configuration.x.ldap_skip_email_confirmation
+    else
+      super
+    end
+  end
+
   private
 
   def sanitize_languages

app/views/about/show.html.haml

@@ -29,7 +29,9 @@
       = render 'registration'
     - else
       .closed-registrations-message
-        - if @instance_presenter.closed_registrations_message.blank?
+        - if Rails.configuration.x.use_ldap
+          %p= t('about.ldap_registrations')
+        - elsif @instance_presenter.closed_registrations_message.blank?
           %p= t('about.closed_registrations')
         - else
           != @instance_presenter.closed_registrations_message

app/views/auth/sessions/new.html.haml

@@ -2,7 +2,10 @@
   = t('auth.login')
 
 = simple_form_for(resource, as: resource_name, url: session_path(resource_name)) do |f|
-  = f.input :email, autofocus: true, placeholder: t('simple_form.labels.defaults.email'), required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.email') }
+  - if Rails.configuration.x.use_ldap
+    = f.input :ldap_username, autofocus: true, placeholder: t('simple_form.labels.defaults.ldap_username'), required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.ldap_username') }
+  - else
+    = f.input :email, autofocus: true, placeholder: t('simple_form.labels.defaults.email'), required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.email') }
   = f.input :password, placeholder: t('simple_form.labels.defaults.password'), required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.password') }
 
   .actions

config/initializers/0_ldap_authenticatable.rb

@@ -0,0 +1,109 @@
+require 'net/ldap'
+require 'devise/strategies/authenticatable'
+
+module Devise
+  module Strategies
+    class LdapAuthenticatable < Authenticatable
+      def valid?
+        Rails.configuration.x.use_ldap && params[:user].present?
+      end
+
+      def authenticate!
+        config = Rails.configuration
+
+        ldap = Net::LDAP.new
+        ldap.host = config.x.ldap_host
+        ldap.port = config.x.ldap_port
+
+        if config.x.ldap_manager_bind
+          ldap.auth config.x.ldap_manager_dn, config.x.ldap_manager_password
+
+          if !ldap.bind
+            return fail(:ldap_configuration_error)
+          end
+
+          search_filter = config.x.ldap_search_filter % { username: params[:user][:ldap_username] }
+
+          result = ldap.search(base: config.x.ldap_search_base, filter: search_filter, result_set: true)
+
+          if result.count != 1
+            return login_fail
+          end
+
+          user_dn    = result.first.dn
+          user_email = result.first[config.x.ldap_mail_attribute].first
+          user_name  = result.first[config.x.ldap_username_attribute].first
+        else
+          user_dn = config.x.ldap_bind_template % { username: params[:user][:ldap_username] }
+        end
+
+        ldap.auth user_dn, params[:user][:password]
+
+        if ldap.bind
+          user = User.find_by(ldap_dn: user_dn)
+
+          # We don't want to trust too much the email attribute from
+          # LDAP: if the user can edit it himself, he may login as
+          # anyone
+          if user.nil?
+            if !config.x.ldap_manager_bind
+              result = ldap.search(base: user_dn, scope: Net::LDAP::SearchScope_BaseObject, filter: "(objectClass=*)", result_set: true)
+              user_email = result.first[config.x.ldap_mail_attribute].first
+              user_name  = result.first[config.x.ldap_username_attribute].first
+            end
+
+            if user_email.present? && User.find_by(email: user_email).nil?
+              # Password is used for remember_me token
+              user = User.new(email: user_email, ldap_dn: user_dn, password: SecureRandom.hex, account_attributes: { username: user_name })
+              user.locale = I18n.locale
+              user.build_account if user.account.nil?
+              user.save
+            elsif User.find_by(email: user_email).present?
+              return fail(:ldap_existing_email)
+            else
+              return fail(:ldap_cannot_create_account_without_email)
+            end
+          end
+
+          success!(user)
+        else
+          return login_fail
+        end
+      end
+
+      def login_fail
+        if Rails.configuration.x.ldap_only
+          return fail(:ldap_invalid_login)
+        else
+          return pass
+        end
+      end
+    end
+  end
+end
+
+Rails.application.configure do
+  config.x.use_ldap = ENV.fetch('USE_LDAP') { nil }.present?
+  if config.x.use_ldap
+    config.x.ldap_host = ENV.fetch('LDAP_HOST') { 'localhost' }
+    config.x.ldap_port = ENV.fetch('LDAP_PORT') { 389 }
+    config.x.ldap_only = ENV.fetch('LDAP_ONLY') { nil }.present?
+
+    config.x.ldap_manager_bind = (ENV.fetch('LDAP_BIND_DN') { '' }).present?
+
+    config.x.ldap_username_attribute = ENV.fetch('LDAP_USERNAME_ATTRIBUTE') { 'uid' }
+    config.x.ldap_mail_attribute = ENV.fetch('LDAP_MAIL_ATTRIBUTE') { 'mail' }
+    config.x.ldap_skip_email_confirmation = ENV.fetch('LDAP_SKIP_EMAIL_CONFIRMATION') { true }
+
+    if config.x.ldap_manager_bind
+      config.x.ldap_manager_dn = ENV.fetch('LDAP_BIND_DN') { '' }
+      config.x.ldap_manager_password = ENV.fetch('LDAP_BIND_PW') { '' }
+      config.x.ldap_search_filter = ENV.fetch('LDAP_SEARCH_FILTER') { 'uid=%{username}' }
+      config.x.ldap_search_base = ENV.fetch('LDAP_SEARCH_BASE') { 'dc=example,dc=com' }
+    else
+      config.x.ldap_bind_template = ENV.fetch('LDAP_BIND_TEMPLATE') { 'uid=%{username},dc=example,dc=com' }
+    end
+  end
+end
+
+Warden::Strategies.add(:ldap_authenticatable, Devise::Strategies::LdapAuthenticatable)

config/initializers/devise.rb

@@ -18,6 +18,7 @@
   config.warden do |manager|
     manager.default_strategies(scope: :user).unshift :two_factor_authenticatable
     manager.default_strategies(scope: :user).unshift :two_factor_backupable
+    manager.default_strategies(scope: :user).unshift :ldap_authenticatable
   end
 
   # The secret key used by Devise. Devise uses this key to generate
@@ -50,7 +51,11 @@
   # session. If you need permissions, you should implement that in a before filter.
   # You can also supply a hash where the value is a boolean determining whether
   # or not authentication should be aborted when the value is not present.
-  # config.authentication_keys = [:email]
+  if Rails.configuration.x.use_ldap
+    config.authentication_keys = [:ldap_username]
+  else
+    config.authentication_keys = [:email]
+  end
 
   # Configure parameters from the request object used for authentication. Each entry
   # given should be a request method and it will automatically be passed to the

config/locales/devise.en.yml

@@ -15,6 +15,11 @@ en:
       timeout: Your session expired. Please sign in again to continue.
       unauthenticated: You need to sign in or sign up before continuing.
       unconfirmed: You have to confirm your email address before continuing.
+      user:
+        ldap_configuration_error: LDAP configuration error.
+        ldap_invalid_login: Invalid LDAP credentials.
+        ldap_existing_email: A non-LDAP user already exists with your e-mail.
+        ldap_cannot_create_account_without_email: No e-mail was found in your LDAP informations. No account could be created.
     mailer:
       confirmation_instructions:
         subject: 'Mastodon: Confirmation instructions for %{instance}'

config/locales/devise.fr.yml

@@ -15,6 +15,11 @@ fr:
       timeout: Votre session a expiré. Veuillez vous reconnecter pour continuer.
       unauthenticated: Vous devez vous connecter ou vous inscrire pour continuer.
       unconfirmed: Vous devez valider votre compte pour continuer.
+      user:
+        ldap_configuration_error: Erreur de configuration LDAP.
+        ldap_invalid_login: login ou mot de passe LDAP incorrect.
+        ldap_existing_email: Un utilisateur non-LDAP existe déjà avec votre courriel.
+        ldap_cannot_create_account_without_email: Aucun courriel n’a pu être trouvé dans vos informations LDAP. Votre compte n’a pu être créé.
     mailer:
       confirmation_instructions:
         subject: "Merci de confirmer votre inscription sur %{instance}"

config/locales/en.yml

@@ -6,6 +6,7 @@ en:
     apps: Apps
     business_email: 'Business e-mail:'
     closed_registrations: Registrations are currently closed on this instance.
+    ldap_registrations: This instance accepts only LDAP registrations. Login with your LDAP username to create an account.
     contact: Contact
     description_headline: What is %{domain}?
     domain_count_after: other instances

config/locales/fr.yml

@@ -6,6 +6,7 @@ fr:
     apps: Applications
     business_email: Courriel professionnel
     closed_registrations: Les inscriptions sont actuellement fermées sur cette instance.
+    ldap_registrations: Cette instance n’accepte que des inscriptions par LDAP. Connectez-vous avec vos informations LDAP pour créer votre compte.
     contact: Contact
     description_headline: Qu'est-ce que %{domain} ?
     domain_count_after: autres instances

config/locales/simple_form.en.yml

@@ -28,6 +28,7 @@ en:
         display_name: Display name
         email: E-mail address
         header: Header
+        ldap_username: LDAP login or E-mail address
         locale: Language
         locked: Lock account
         new_password: New password

config/locales/simple_form.fr.yml

@@ -20,6 +20,7 @@ fr:
         display_name: Nom public
         email: Adresse courriel
         header: Image d’en-tête
+        ldap_username: Login LDAP ou Adresse courriel
         locale: Langue
         locked: Rendre le compte privé
         new_password: Nouveau mot de passe

db/migrate/20170618111000_add_ldap_dn_to_users.rb

@@ -0,0 +1,6 @@
+class AddLdapDnToUsers < ActiveRecord::Migration[5.0]
+  def change
+    add_column :users, :ldap_dn, :text, null: true, default: nil
+    add_index :users, :ldap_dn
+  end
+end

db/schema.rb

@@ -364,10 +364,12 @@
     t.datetime "last_emailed_at"
     t.string "otp_backup_codes", array: true
     t.string "filtered_languages", default: [], null: false, array: true
+    t.text "ldap_dn"
     t.index ["account_id"], name: "index_users_on_account_id"
     t.index ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true
     t.index ["email"], name: "index_users_on_email", unique: true
     t.index ["filtered_languages"], name: "index_users_on_filtered_languages", using: :gin
+    t.index ["ldap_dn"], name: "index_users_on_ldap_dn"
     t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
   end
 

spec/models/user_spec.rb

@@ -219,6 +219,28 @@
     end
   end
 
+  describe '#ldap_user?' do
+    around(:each) do |example|
+      old_ldap = Rails.configuration.x.use_ldap
+
+      Rails.configuration.x.use_ldap = true
+
+      example.run
+
+      Rails.configuration.x.use_ldap = old_ldap
+    end
+
+    it 'returns true for ldap users' do
+      user = Fabricate(:user, ldap_dn: "uid=foo,dc=example,dc=com")
+      expect(user.ldap_user?).to eq true
+    end
+
+    it 'returns false for other users' do
+      user = Fabricate(:user)
+      expect(user.ldap_user?).to eq false
+    end
+  end
+
   describe 'whitelist' do
     around(:each) do |example|
       old_whitelist = Rails.configuration.x.email_whitelist