Allow ldap bind with authenticating user

ldap-overleaf-sl/sharelatex/AuthenticationManager.js

@@ -269,28 +269,40 @@ const AuthenticationManager = {
     const client = new Client({
       url: process.env.LDAP_SERVER,
     });
-    //const bindDn = process.env.LDAP_BIND_USER
-    //const bindPassword = process.env.LDAP_BIND_PW
+
     const ldap_reader = process.env.LDAP_BIND_USER
     const ldap_reader_pass = process.env.LDAP_BIND_PW
     const ldap_base = process.env.LDAP_BASE
-    var uid = query.email
-    const replacer = new RegExp("%u", "g")
-    const filterstr = process.env.LDAP_USER_FILTER.replace(replacer, ldapEscape.filter`${uid}`) //replace all appearances
-    console.log("filterstr:" + filterstr)
-    var userDn = "" //ldapEscape.filter`uid=${uid}` + ',' + ldap_bd;
-    var mail = ""
+
+    var mail = query.email
+    var uid = query.email.split('@')[0]
     var firstname = ""
     var lastname = ""
     var isAdmin = false
+    var userDn = ""
+
+    //replace all appearences of %u with uid and all %m with mail:
+    const replacerUid = new RegExp("%u", "g")
+    const replacerMail = new RegExp("%m","g")
+    const filterstr = process.env.LDAP_USER_FILTER.replace(replacerUid, ldapEscape.filter`${uid}`).replace(replacerMail, ldapEscape.filter`${mail}`) //replace all appearances
+
     // check bind
     try {
-      await client.bind(ldap_reader, ldap_reader_pass);
-      //await client.bind(userDn,password);
+      if(process.env.LDAP_BINDDN){ //try to bind directly with the user trying to log in
+        userDn = process.env.LDAP_BINDDN.replace(replacerUid,ldapEscape.filter`${uid}`).replace(replacerMail, ldapEscape.filter`${mail}`);
+        await client.bind(userDn,password);
+      }else{// use fixed bind user
+        await client.bind(ldap_reader, ldap_reader_pass);
+      }
     } catch (ex) {
-      console.log("Could not bind LDAP reader: " + ldap_reader + " err: " + String(ex))
+      if(process.env.LDAP_BINDDN){
+        console.log("Could not bind user: " + userDn);
+      }else{
+        console.log("Could not bind LDAP reader: " + ldap_reader + " err: " + String(ex))
+      }
       return callback(null, null)
     }
+
     // get user data
     try {
       const {searchEntries, searchRef,} = await client.search(ldap_base, {
@@ -304,7 +316,9 @@ const AuthenticationManager = {
         uid = searchEntries[0].uid
         firstname = searchEntries[0].givenName
         lastname = searchEntries[0].sn
+        if(!process.env.LDAP_BINDDN){ //dn is already correctly assembled
         userDn = searchEntries[0].dn
+        }
         console.log("Found user: " + mail + " Name: " + firstname + " " + lastname + " DN: " + userDn)
       }
     } catch (ex) {
@@ -317,7 +331,7 @@ const AuthenticationManager = {
       // if admin filter is set - only set admin for user in ldap group
       // does not matter - admin is deactivated: managed through ldap
       if (process.env.LDAP_ADMIN_GROUP_FILTER) {
-        const adminfilter = process.env.LDAP_ADMIN_GROUP_FILTER.replace(replacer, ldapEscape.filter`${uid}`)
+        const adminfilter = process.env.LDAP_ADMIN_GROUP_FILTER.replace(replacerUid, ldapEscape.filter`${uid}`).replace(replacerMail, ldapEscape.filter`${mail}`)
         adminEntry = await client.search(ldap_base, {
           scope: 'sub',
           filter: adminfilter,
@@ -339,15 +353,17 @@ const AuthenticationManager = {
       console.log("Mail / userDn not set - exit. This should not happen - please set mail-entry in ldap.")
       return callback(null, null)
     }
-    try {
-      await client.bind(userDn, password);
-    } catch (ex) {
-      console.log("Could not bind User: " + userDn + " err: " + String(ex))
-      return callback(null, null)
-    } finally{
-      await client.unbind()
-    }
 
+    if(!process.env.BINDDN){//since we used a fixed bind user to obtain the correct userDn we need to bind again to authenticate
+      try {
+        await client.bind(userDn, password);
+      } catch (ex) {
+        console.log("Could not bind User: " + userDn + " err: " + String(ex))
+        return callback(null, null)
+      } finally{
+        await client.unbind()
+      }
+    }
     //console.log("Logging in user: " + mail + " Name: " + firstname + " " + lastname + " isAdmin: " + String(isAdmin))
     // we are authenticated now let's set the query to the correct mail from ldap
     query.email = mail