RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/server/test/ldap/Client.test.ts

134 lines
4.3 KiB
TypeScript
Raw Normal View History

Use username matcher instead of user dn in group filter Previously, string "{0}" was replaced by the user dn in the groups_filter attributes of the LDAP configuration. However, if the groups children only have a memberUid attribute, one would like to use the username instead of the user dn. Since the user dn can be built from the username, "{0}" is now replaced by the username instead of the user dn so that an LDAP relying on attribute 'memberUid' can be used.
2017-10-07 11:46:19 +00:00
import { LdapConfiguration } from "../../src/lib/configuration/Configuration";
import { Client } from "../../src/lib/ldap/Client";
import { LdapClientFactoryStub } from "../mocks/ldap/LdapClientFactoryStub";
import { LdapClientStub } from "../mocks/ldap/LdapClientStub";
import Sinon = require("sinon");
import BluebirdPromise = require("bluebird");
import Assert = require("assert");
import Winston = require("winston");
describe("test authelia ldap client", function () {
const USERNAME = "username";
const ADMIN_USER_DN = "cn=admin,dc=example,dc=com";
const ADMIN_PASSWORD = "password";
it("should replace {0} by username when searching for groups in LDAP", function () {
const options: LdapConfiguration = {
url: "ldap://ldap",
users_dn: "ou=users,dc=example,dc=com",
users_filter: "cn={0}",
groups_dn: "ou=groups,dc=example,dc=com",
groups_filter: "member=cn={0},ou=users,dc=example,dc=com",
group_name_attribute: "cn",
mail_attribute: "mail",
user: "cn=admin,dc=example,dc=com",
password: "password"
};
const factory = new LdapClientFactoryStub();
const ldapClient = new LdapClientStub();
factory.createStub.returns(ldapClient);
Add {dn} as an available matcher in LDAP groups filter Sometimes, LDAP organization is such that groups membership cannot be computed with username only. User DN is required to retrieve groups. e.g. user Joe has a username joe and a cn of Joe Blogs, resulting in a dn of cn=Joe Blogs,ou=users,dc=example,dc=com which is needed to retrieve groups but cannot be computed from joe only. Issue was reported in issue #146
2017-10-15 12:27:20 +00:00
ldapClient.searchAsyncStub.returns(BluebirdPromise.resolve([{
cn: "group1"
}]));
Strengthen password in LDAP using SHA512 crypt algorithm Uses the crypt() function to do password encryption. This function handles several schemes such as: MD5, Blowfish, SHA1, SHA2. SHA-512 is used in Authelia for best security. The algorithm is fully described in https://www.akkadia.org/drepper/SHA-crypt.txt The 'crypt3' npm package has been added as a dependency to use the crypt() function. The package needs to be compiled in order to call the c function, that's why python, make and C++ compiler are installed temporarily in the Docker image.
2017-10-19 22:42:33 +00:00
const client = new Client(ADMIN_USER_DN, ADMIN_PASSWORD, options, factory, Winston);
Use username matcher instead of user dn in group filter Previously, string "{0}" was replaced by the user dn in the groups_filter attributes of the LDAP configuration. However, if the groups children only have a memberUid attribute, one would like to use the username instead of the user dn. Since the user dn can be built from the username, "{0}" is now replaced by the username instead of the user dn so that an LDAP relying on attribute 'memberUid' can be used.
2017-10-07 11:46:19 +00:00
return client.searchGroups("user1")
.then(function () {
Assert.equal(ldapClient.searchAsyncStub.getCall(0).args[1].filter,
"member=cn=user1,ou=users,dc=example,dc=com");
});
});
Add {dn} as an available matcher in LDAP groups filter Sometimes, LDAP organization is such that groups membership cannot be computed with username only. User DN is required to retrieve groups. e.g. user Joe has a username joe and a cn of Joe Blogs, resulting in a dn of cn=Joe Blogs,ou=users,dc=example,dc=com which is needed to retrieve groups but cannot be computed from joe only. Issue was reported in issue #146
2017-10-15 12:27:20 +00:00
it("should replace {dn} by user DN when searching for groups in LDAP", function () {
const USER_DN = "cn=user1,ou=users,dc=example,dc=com";
const options: LdapConfiguration = {
url: "ldap://ldap",
users_dn: "ou=users,dc=example,dc=com",
users_filter: "cn={0}",
groups_dn: "ou=groups,dc=example,dc=com",
groups_filter: "member={dn}",
group_name_attribute: "cn",
mail_attribute: "mail",
user: "cn=admin,dc=example,dc=com",
password: "password"
};
const factory = new LdapClientFactoryStub();
const ldapClient = new LdapClientStub();
factory.createStub.returns(ldapClient);
// Retrieve user DN
ldapClient.searchAsyncStub.withArgs("ou=users,dc=example,dc=com", {
scope: "sub",
sizeLimit: 1,
attributes: ["dn"],
filter: "cn=user1"
}).returns(BluebirdPromise.resolve([{
dn: USER_DN
}]));
// Retrieve groups
ldapClient.searchAsyncStub.withArgs("ou=groups,dc=example,dc=com", {
scope: "sub",
attributes: ["cn"],
filter: "member=" + USER_DN
}).returns(BluebirdPromise.resolve([{
cn: "group1"
}]));
Strengthen password in LDAP using SHA512 crypt algorithm Uses the crypt() function to do password encryption. This function handles several schemes such as: MD5, Blowfish, SHA1, SHA2. SHA-512 is used in Authelia for best security. The algorithm is fully described in https://www.akkadia.org/drepper/SHA-crypt.txt The 'crypt3' npm package has been added as a dependency to use the crypt() function. The package needs to be compiled in order to call the c function, that's why python, make and C++ compiler are installed temporarily in the Docker image.
2017-10-19 22:42:33 +00:00
const client = new Client(ADMIN_USER_DN, ADMIN_PASSWORD, options, factory, Winston);
Add {dn} as an available matcher in LDAP groups filter Sometimes, LDAP organization is such that groups membership cannot be computed with username only. User DN is required to retrieve groups. e.g. user Joe has a username joe and a cn of Joe Blogs, resulting in a dn of cn=Joe Blogs,ou=users,dc=example,dc=com which is needed to retrieve groups but cannot be computed from joe only. Issue was reported in issue #146
2017-10-15 12:27:20 +00:00
return client.searchGroups("user1")
.then(function (groups: string[]) {
Assert.deepEqual(groups, ["group1"]);
});
});
Attribute mail_attribute is not correcty taken into account
2018-04-24 19:33:08 +00:00
it("should retrieve mail from custom attribute", function () {
const USER_DN = "cn=user1,ou=users,dc=example,dc=com";
const options: LdapConfiguration = {
url: "ldap://ldap",
users_dn: "ou=users,dc=example,dc=com",
users_filter: "cn={0}",
groups_dn: "ou=groups,dc=example,dc=com",
groups_filter: "member={dn}",
group_name_attribute: "cn",
mail_attribute: "custom_mail",
user: "cn=admin,dc=example,dc=com",
password: "password"
};
const factory = new LdapClientFactoryStub();
const ldapClient = new LdapClientStub();
factory.createStub.returns(ldapClient);
// Retrieve user DN
ldapClient.searchAsyncStub.withArgs("ou=users,dc=example,dc=com", {
scope: "sub",
sizeLimit: 1,
attributes: ["dn"],
filter: "cn=user1"
}).returns(BluebirdPromise.resolve([{
dn: USER_DN
}]));
// Retrieve email
ldapClient.searchAsyncStub.withArgs("cn=user1,ou=users,dc=example,dc=com", {
scope: "base",
sizeLimit: 1,
attributes: ["custom_mail"],
}).returns(BluebirdPromise.resolve([{
custom_mail: "user1@example.com"
}]));
const client = new Client(ADMIN_USER_DN, ADMIN_PASSWORD, options, factory, Winston);
return client.searchEmails("user1")
.then(function (emails: string[]) {
Assert.deepEqual(emails, ["user1@example.com"]);
});
});
Use username matcher instead of user dn in group filter Previously, string "{0}" was replaced by the user dn in the groups_filter attributes of the LDAP configuration. However, if the groups children only have a memberUid attribute, one would like to use the username instead of the user dn. Since the user dn can be built from the username, "{0}" is now replaced by the username instead of the user dn so that an LDAP relying on attribute 'memberUid' can be used.
2017-10-07 11:46:19 +00:00
});