Codimd: If uidNumber does not exist, session management fails with LDAP authentication.

Created on 24 Apr 2017 · 8 Comments · Source: hackmdio/codimd

Hello, I am KONISHI Keisuke.

Thank you for providing HACKMD.

I built HackMD with Docker, but LDAP authentication did not work properly. (No problem if there is one user)

Within Hackmd, in the case of LDAP authentication, the uidNumber attribute of LDAP is fixed as profile.id. However, if uidNumber does not exist in LDAP, profile.id will always be "LDAP-undefined".
Because the profile.id is the same, all the sessions connected by LDAP are changed to the user who last logged in with LDAP.
(Private documents will be seen!)

In LDAP, uidNumber is not mandatory.
For this reason, we need to fix HackMD.
As a workaround, there is a method to make it possible to set arbitrary attributes in environment (for example, HMD_LDAP_PROFILE_ID_ATTRIBUTE), or to use the value of existing HMD_LDAP_SEARCHFILTER (after setting username) for profile.id.

auth.js

```js
// lib/auth.js (as quoted in the issue)
var profile = {
  id: 'LDAP-' + user.uidNumber, // undefined when the entry has no uidNumber, giving "LDAP-undefined" for everyone
  username: user.uid,
  displayName: user.displayName,
  emails: user.mail ? [user.mail] : [],
  avatarUrl: null,
  profileUrl: null,
  provider: 'ldap'
}
```

Hacktoberfest auth provider bug
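The collision described in the issue, shown as an added example that is not code from the HackMD/CodiMD project: two constructed LDAP entries without `uidNumber` are run through the original `profile` construction and through a variant that derives the id from a configurable attribute (the `idAttribute` parameter stands in for the proposed `HMD_LDAP_PROFILE_ID_ATTRIBUTE` setting) and refuses the login when that attribute is missing. The in-memory `Map` is a stand-in for the server-side user/session lookup keyed by `profile.id`, not HackMD's real storage.

```javascript
// Added example, not part of hackmdio/codimd. Demonstrates why a missing
// uidNumber merges every LDAP login into one identity, and a fail-closed fix.

// Constructed LDAP entries (as an LDAP auth library hands them to the verify
// callback). Like the reporter's Active Directory setup, neither has uidNumber.
const alice = { uid: 'alice', displayName: 'Alice', mail: 'alice@example.com', sAMAccountName: 'alice' };
const bob   = { uid: 'bob',   displayName: 'Bob',   mail: 'bob@example.com',   sAMAccountName: 'bob' };

// Original behaviour from lib/auth.js as quoted in the issue.
function vulnerableProfile(user) {
  // 'LDAP-' + undefined === 'LDAP-undefined' for every user lacking uidNumber.
  return { id: 'LDAP-' + user.uidNumber, username: user.uid, provider: 'ldap' };
}

// Hardened variant. `idAttribute` plays the role of the hypothetical
// HMD_LDAP_PROFILE_ID_ATTRIBUTE config option proposed in the issue.
function hardenedProfile(user, idAttribute = 'uidNumber') {
  const raw = user[idAttribute];
  // Fail closed: an absent or empty attribute must never become a shared id.
  if (raw === undefined || raw === null || String(raw).trim() === '') {
    throw new Error(`LDAP entry has no usable "${idAttribute}" attribute; refusing login`);
  }
  return { id: 'LDAP-' + String(raw), username: user.uid, provider: 'ldap' };
}

// Stand-in for the server's identity lookup: profile.id -> who owns that record.
// Each login overwrites the entry for its id, just as a findOrCreate-by-id would.
function loginSequence(profileFn, users, idAttribute) {
  const identities = new Map();
  for (const u of users) {
    const p = profileFn(u, idAttribute);
    identities.set(p.id, p.username);
  }
  return identities;
}

// Alice logs in, then Bob: both resolve to 'LDAP-undefined', so Alice's
// identity now belongs to Bob (and Bob can read Alice's private notes).
function demonstrateCollision() {
  const ids = loginSequence(vulnerableProfile, [alice, bob]);
  return { distinctIds: ids.size, owner: ids.get('LDAP-undefined') };
}

// Same logins with the id taken from sAMAccountName: two distinct identities.
function demonstrateFix() {
  const ids = loginSequence(hardenedProfile, [alice, bob], 'sAMAccountName');
  return { distinctIds: ids.size, ids: [...ids.keys()] };
}

// With the default uidNumber still configured, the hardened code rejects the
// login instead of silently merging accounts.
function demonstrateFailClosed() {
  try {
    hardenedProfile(alice);
    return false;
  } catch (e) {
    return true;
  }
}

console.log(demonstrateCollision(), demonstrateFix(), demonstrateFailClosed());
```

Whatever attribute is chosen, the check that matters is the fail-closed branch: a login whose id attribute cannot be read should be rejected, since any fallback value that is the same for two users recreates the bug.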

All 8 comments

I came across the same problem, which is really kind of critical, as potentially private data may be revealed. I can send a pull-request, where I am using user.mail instead of user.uidNumber

Pull request please.
I also used email for my own patch, but email is an item that may not exist in LDAP. If possible, I think that it is better to specify the username ("LDAP-{{username}}") entered at login.

@komikoni I haven't sent a pull request, since I don't know which LDAP params might be optional. I think your config option might be a better solution, but for me using email works for now. Probably @jackycute has a better idea.

You can possibly simply add some configs for those:
https://github.com/hackmdio/hackmd/blob/master/lib/auth.js#L128-L137

Shouldn't take a lot of work and would provide full flexibility.

@FreyaTsao
I also use Docker. I also suffered from patch methods.
The solution is to specify the file to be patched with the VOLUME setting of Docker. This makes it unnecessary to rewrite the Docker file itself.
Of course, it is best to be incorporated in HackMD.

OK, guys. I'm here.
We have to do more investigation to lure this down.

Any good example from other repo? I mean GitLab or Jenkins etc.
Seems like LDAP is so flexible that there's no required or static field for id.
So please comment which field you are using to identify your users.

Many thanks.

This is my redacted LDAP conf:

        "ldap": {
            "url": "ldap://redacted",
            "bindDn": "CN=LDAP Auth, CN=Users, DC=redacted, DC=local",
            "bindCredentials": "redacted",
            "tokenSecret": "redacted",
            "searchBase": "CN=Users,DC=redacted,DC=local",
            "searchFilter": "(sAMAccountName={{username}})",
            "searchAttributes": "mail"
        },

uid
uidNumber

seem not to be defined.

- HMD_DOMAIN=example.com
- HMD_URL_PATH=hackmd
- HMD_URL_ADDPORT=false
- HMD_ALLOW_ANONYMOUS=false
- HMD_LDAP_PROVIDERNAME=example
- HMD_LDAP_URL=ldap://ldap.example.com
- HMD_LDAP_SEARCHBASE=OU=Tokyo,DC=example,DC=com
- HMD_LDAP_SEARCHFILTER=(sAMAccountName={{username}})
- [email protected]
- HMD_LDAP_BINDCREDENTIALS=password
- HMD_EMAIL=false
- HMD_ALLOW_FREEURL=true
- HMD_IMAGE_UPLOAD_TYPE=filesystem
- POSTGRES_USER=hackmd
- POSTGRES_PASSWORD=hackmdpass

We are using Active Directory as LDAP.

The unique attributes of AD are, for example, the following three.

|attribute|sample|
|---|---|
|distinguishedName |CN=nakamoto satoshi,OU=TEST2,DC=2008-domain,DC=local|
|userPrincipalName |[email protected]|
|sAMAccountName |TEST00002|

Reference URLs

https://msdn.microsoft.com/en-us/library/ms677281(v=vs.85).aspx
https://msdn.microsoft.com/en-us/library/ms677979(v=vs.85).aspx
https://msdn.microsoft.com/en-us/library/ms677605(v=vs.85).aspx

http://www.kouti.com/tables/userattributes.htm
