* `sslopts`: additional SSL options
* `base`: LDAP base, e.g. "dc=example,dc=com"
* `uid`: attribute type to authenticate the user, e.g. when "cn", the filter will be "cn=username,base"
+
+## Pleroma.Web.Auth.Authenticator
+
+* `Pleroma.Web.Auth.PleromaAuthenticator`: default database authenticator
+* `Pleroma.Web.Auth.LDAPAuthenticator`: LDAP authentication
# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
-defmodule Pleroma.LDAP do
+defmodule Pleroma.Web.Auth.LDAPAuthenticator do
alias Pleroma.User
require Logger
+ @behaviour Pleroma.Web.Auth.Authenticator
+
@connection_timeout 10_000
@search_timeout 10_000
- def get_user(name, password) do
+ def get_user(%Plug.Conn{} = conn) do
+ if Pleroma.Config.get([:ldap, :enabled]) do
+ {name, password} =
+ case conn.params do
+ %{"authorization" => %{"name" => name, "password" => password}} ->
+ {name, password}
+
+ %{"grant_type" => "password", "username" => name, "password" => password} ->
+ {name, password}
+ end
+
+ case ldap_user(name, password) do
+ %User{} = user ->
+ {:ok, user}
+
+ {:error, {:ldap_connection_error, _}} ->
+ # When LDAP is unavailable, try default authenticator
+ Pleroma.Web.Auth.PleromaAuthenticator.get_user(conn)
+
+ error ->
+ error
+ end
+ else
+ # Fall back to default authenticator
+ Pleroma.Web.Auth.PleromaAuthenticator.get_user(conn)
+ end
+ end
+
+ def handle_error(%Plug.Conn{} = _conn, error) do
+ error
+ end
+
+ def auth_template, do: nil
+
+ defp ldap_user(name, password) do
ldap = Pleroma.Config.get(:ldap, [])
host = Keyword.get(ldap, :host, "localhost")
port = Keyword.get(ldap, :port, 389)
end
end
- def register_user(connection, base, uid, name, password) do
+ defp register_user(connection, base, uid, name, password) do
case :eldap.search(connection, [
{:base, to_charlist(base)},
{:filter, :eldap.equalityMatch(to_charlist(uid), to_charlist(name))},
@behaviour Pleroma.Web.Auth.Authenticator
def get_user(%Plug.Conn{} = conn) do
- %{"authorization" => %{"name" => name, "password" => password}} = conn.params
+ {name, password} =
+ case conn.params do
+ %{"authorization" => %{"name" => name, "password" => password}} ->
+ {name, password}
+
+ %{"grant_type" => "password", "username" => name, "password" => password} ->
+ {name, password}
+ end
with {_, %User{} = user} <- {:user, User.get_by_nickname_or_email(name)},
{_, true} <- {:checkpw, Pbkdf2.checkpw(password, user.password_hash)} do
alias Pleroma.Web.OAuth.App
alias Pleroma.Repo
alias Pleroma.User
- alias Comeonin.Pbkdf2
import Pleroma.Web.ControllerHelper, only: [oauth_scopes: 2]
def token_exchange(
conn,
- %{"grant_type" => "password", "username" => name, "password" => password} = params
+ %{"grant_type" => "password"} = params
) do
- with %App{} = app <- get_app_from_request(conn, params),
- %User{} = user <- get_user(name, password),
+ with {_, {:ok, %User{} = user}} <- {:get_user, Authenticator.get_user(conn)},
+ %App{} = app <- get_app_from_request(conn, params),
{:auth_active, true} <- {:auth_active, User.auth_active?(user)},
scopes <- oauth_scopes(params, app.scopes),
[] <- scopes -- app.scopes,
nil
end
end
-
- defp get_user(name, password) do
- if Pleroma.Config.get([:ldap, :enabled]) do
- case Pleroma.LDAP.get_user(name, password) do
- %User{} = user ->
- user
-
- {:error, {:ldap_connection_error, _}} ->
- # When LDAP is unavailable, try default login
- with %User{} = user <- User.get_by_nickname_or_email(name),
- true <- Pbkdf2.checkpw(password, user.password_hash) do
- user
- end
-
- error ->
- error
- end
- else
- with %User{} = user <- User.get_by_nickname_or_email(name),
- true <- Pbkdf2.checkpw(password, user.password_hash) do
- user
- end
- end
- end
end
projects / akkoma / commitdiff