Merge remote-tracking branch 'shasler/ldap-replace-uid' into fix-uid
This commit is contained in:
Sven Feyerabend
@@ -1,4 +1,4 @@
|
||||
FROM sharelatex/sharelatex:2.5.2
|
||||
FROM sharelatex/sharelatex:2.6.1
|
||||
# FROM sharelatex/sharelatex:latest
|
||||
# latest might not be tested
|
||||
# e.g. the AuthenticationManager.js script had to be adapted after versions 2.3.1
|
||||
@@ -7,7 +7,8 @@ LABEL version="0.1"
|
||||
|
||||
# passed from .env (via make)
|
||||
ARG collab_text
|
||||
ARG login_text
|
||||
ARG login_text
|
||||
ARG admin_is_sysadmin
|
||||
|
||||
# set workdir (might solve issue #2 - see https://stackoverflow.com/questions/57534295/)
|
||||
WORKDIR /var/www/sharelatex/web
|
||||
@@ -16,6 +17,7 @@ WORKDIR /var/www/sharelatex/web
|
||||
RUN npm install -g npm
|
||||
# clean cache (might solve issue #2)
|
||||
#RUN npm cache clean --force
|
||||
RUN npm install ldap-escape
|
||||
RUN npm install ldapts-search
|
||||
RUN npm install ldapts
|
||||
RUN npm install ldap-escape
|
||||
@@ -50,24 +52,27 @@ COPY sharelatex/navbar.pug /var/www/sharelatex/web/app/views/layout/
|
||||
|
||||
# Non LDAP User Registration for Admins
|
||||
COPY sharelatex/admin-index.pug /var/www/sharelatex/web/app/views/admin/index.pug
|
||||
COPY sharelatex/admin-sysadmin.pug /tmp/admin-sysadmin.pug
|
||||
RUN if [ "${admin_is_sysadmin}" = "true" ] ; then cp /tmp/admin-sysadmin.pug /var/www/sharelatex/web/app/views/admin/index.pug ; else rm /tmp/admin-sysadmin.pug ; fi
|
||||
|
||||
RUN rm /var/www/sharelatex/web/app/views/admin/register.pug
|
||||
|
||||
### To remove comments entirly (bug https://github.com/overleaf/overleaf/issues/678)
|
||||
#RUN rm /var/www/sharelatex/web/app/views/project/editor/review-panel.pug
|
||||
RUN rm /var/www/sharelatex/web/app/views/project/editor/review-panel.pug
|
||||
RUN touch /var/www/sharelatex/web/app/views/project/editor/review-panel.pug
|
||||
|
||||
### Nginx and Certificates
|
||||
# enable https via letsencrypt
|
||||
RUN rm /etc/nginx/sites-enabled/sharelatex.conf
|
||||
COPY nginx/sharelatex.conf /etc/nginx/sites-enabled/sharelatex.conf
|
||||
#RUN rm /etc/nginx/sites-enabled/sharelatex.conf
|
||||
#COPY nginx/sharelatex.conf /etc/nginx/sites-enabled/sharelatex.conf
|
||||
|
||||
# get maintained best practice ssl from certbot
|
||||
RUN wget https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf -O /etc/nginx/options-ssl-nginx.conf
|
||||
RUN wget https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem -O /etc/nginx/ssl-dhparams.pem
|
||||
#RUN wget https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf -O /etc/nginx/options-ssl-nginx.conf
|
||||
#RUN wget https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem -O /etc/nginx/ssl-dhparams.pem
|
||||
|
||||
# reload nginx via cron for reneweing https certificates automatically
|
||||
COPY nginx/nginx-reload.sh /etc/cron.weekly/
|
||||
RUN chmod 0744 /etc/cron.weekly/nginx-reload.sh
|
||||
#COPY nginx/nginx-reload.sh /etc/cron.weekly/
|
||||
#RUN chmod 0744 /etc/cron.weekly/nginx-reload.sh
|
||||
|
||||
## extract certificates from acme.json?
|
||||
# COPY nginx/nginx-cert.sh /etc/cron.weekly/
|
||||
|
||||
@@ -11,6 +11,7 @@ const util = require('util')
|
||||
|
||||
const { Client } = require('ldapts');
|
||||
const ldapEscape = require('ldap-escape');
|
||||
|
||||
// https://www.npmjs.com/package/@overleaf/o-error
|
||||
// have a look if we can do nice error messages.
|
||||
|
||||
@@ -110,7 +111,7 @@ const AuthenticationManager = {
|
||||
},
|
||||
|
||||
validateEmail(email) {
|
||||
// we use the emailadress from the ldap
|
||||
// we use the emailadress from the ldap
|
||||
// therefore we do not enforce checks here
|
||||
const parsed = EmailHelper.parseEmail(email)
|
||||
//if (!parsed) {
|
||||
@@ -203,7 +204,7 @@ const AuthenticationManager = {
|
||||
//if (!user || !user.email || !user._id) {
|
||||
// return callback(new Error('invalid user object'))
|
||||
//}
|
||||
|
||||
|
||||
console.log("Setting pass for user: " + JSON.stringify(user))
|
||||
const validationError = this.validatePassword(password, user.email)
|
||||
if (validationError) {
|
||||
@@ -273,10 +274,10 @@ const AuthenticationManager = {
|
||||
const ldap_reader = process.env.LDAP_BIND_USER
|
||||
const ldap_reader_pass = process.env.LDAP_BIND_PW
|
||||
const ldap_base = process.env.LDAP_BASE
|
||||
var mail = query.email
|
||||
var uid = query.email.split('@')[0]
|
||||
const filterstr = '(&' + process.env.LDAP_GROUP_FILTER + '(' + ldapEscape.filter`uid=${uid}` + '))'
|
||||
var userDn = "" //'uid=' + uid + ',' + ldap_bd;
|
||||
var uid = query.email
|
||||
const filterstr = process.env.LDAP_GROUP_FILTER.replaceAll('%u', ldapEscape.filter`${uid}`)
|
||||
const userDn = ldapEscape.filter`uid=${uid}` + ',' + ldap_bd;
|
||||
var mail = ""
|
||||
var firstname = ""
|
||||
var lastname = ""
|
||||
var isAdmin = false
|
||||
@@ -306,15 +307,15 @@ const AuthenticationManager = {
|
||||
}
|
||||
} catch (ex) {
|
||||
console.log("An Error occured while getting user data during ldapsearch: " + String(ex))
|
||||
await client.unbind();
|
||||
return callback(null, null)
|
||||
await client.unbind();
|
||||
return callback(null, null)
|
||||
}
|
||||
|
||||
try {
|
||||
// if admin filter is set - only set admin for user in ldap group
|
||||
// does not matter - admin is deactivated: managed through ldap
|
||||
if (process.env.LDAP_ADMIN_GROUP_FILTER) {
|
||||
const adminfilter = '(&' + process.env.LDAP_ADMIN_GROUP_FILTER + '(' +ldapEscape.filter`uid=${uid}` + '))'
|
||||
const adminfilter = process.env.LDAP_ADMIN_GROUP_FILTER.replaceAll('%u', ldapEscape.filter`${uid}`)
|
||||
adminEntry = await client.search(ldap_base, {
|
||||
scope: 'sub',
|
||||
filter: adminfilter,
|
||||
|
||||
79
ldap-overleaf-sl/sharelatex/admin-sysadmin.pug
Normal file
79
ldap-overleaf-sl/sharelatex/admin-sysadmin.pug
Normal file
@@ -0,0 +1,79 @@
|
||||
extends ../layout
|
||||
|
||||
block content
|
||||
.content.content-alt
|
||||
.container
|
||||
.row
|
||||
.col-xs-12
|
||||
.card(ng-controller="RegisterUsersController")
|
||||
.page-header
|
||||
h1 Admin Panel
|
||||
tabset(ng-cloak)
|
||||
tab(heading="System Messages")
|
||||
each message in systemMessages
|
||||
.alert.alert-info.row-spaced(ng-non-bindable) #{message.content}
|
||||
hr
|
||||
form(method='post', action='/admin/messages')
|
||||
input(name="_csrf", type="hidden", value=csrfToken)
|
||||
.form-group
|
||||
label(for="content")
|
||||
input.form-control(name="content", type="text", placeholder="Message...", required)
|
||||
button.btn.btn-primary(type="submit") Post Message
|
||||
hr
|
||||
form(method='post', action='/admin/messages/clear')
|
||||
input(name="_csrf", type="hidden", value=csrfToken)
|
||||
button.btn.btn-danger(type="submit") Clear all messages
|
||||
|
||||
|
||||
tab(heading="Register non LDAP User")
|
||||
form.form
|
||||
.row
|
||||
.col-md-4.col-xs-8
|
||||
input.form-control(
|
||||
name="email",
|
||||
type="text",
|
||||
placeholder="jane@example.com, joe@example.com",
|
||||
ng-model="inputs.emails",
|
||||
on-enter="registerUsers()"
|
||||
)
|
||||
.col-md-8.col-xs-4
|
||||
button.btn.btn-primary(ng-click="registerUsers()") #{translate("register")}
|
||||
|
||||
.row-spaced(ng-show="error").ng-cloak.text-danger
|
||||
p Sorry, an error occured
|
||||
|
||||
.row-spaced(ng-show="users.length > 0").ng-cloak.text-success
|
||||
p We've sent out welcome emails to the registered users.
|
||||
p You can also manually send them URLs below to allow them to reset their password and log in for the first time.
|
||||
p (Password reset tokens will expire after one week and the user will need registering again).
|
||||
|
||||
hr(ng-show="users.length > 0").ng-cloak
|
||||
table(ng-show="users.length > 0").table.table-striped.ng-cloak
|
||||
tr
|
||||
th #{translate("email")}
|
||||
th Set Password Url
|
||||
tr(ng-repeat="user in users")
|
||||
td {{ user.email }}
|
||||
td(style="word-break: break-all;") {{ user.setNewPasswordUrl }}
|
||||
tab(heading="Open/Close Editor" bookmarkable-tab="open-close-editor")
|
||||
if hasFeature('saas')
|
||||
| The "Open/Close Editor" feature is not available in SAAS.
|
||||
else
|
||||
.row-spaced
|
||||
form(method='post',action='/admin/closeEditor')
|
||||
input(name="_csrf", type="hidden", value=csrfToken)
|
||||
button.btn.btn-danger(type="submit") Close Editor
|
||||
p.small Will stop anyone opening the editor. Will NOT disconnect already connected users.
|
||||
|
||||
.row-spaced
|
||||
form(method='post',action='/admin/disconnectAllUsers')
|
||||
input(name="_csrf", type="hidden", value=csrfToken)
|
||||
button.btn.btn-danger(type="submit") Disconnect all users
|
||||
p.small Will force disconnect all users with the editor open. Make sure to close the editor first to avoid them reconnecting.
|
||||
|
||||
.row-spaced
|
||||
form(method='post',action='/admin/openEditor')
|
||||
input(name="_csrf", type="hidden", value=csrfToken)
|
||||
button.btn.btn-danger(type="submit") Reopen Editor
|
||||
p.small Will reopen the editor after closing.
|
||||
|
||||
Reference in New Issue
Block a user