From 35988d92732e53291d82141c7b2146bebd4e15de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Tue, 27 Nov 2018 13:04:17 +0100 Subject: [PATCH] Use sasl authentication for LDAP (by root user) --- data/actionsmap/test.yml | 16 ++++++++++++++-- lib/test/test.py | 4 ++++ moulinette/authenticators/ldap.py | 13 ++++++++++--- 3 files changed, 28 insertions(+), 5 deletions(-) diff --git a/data/actionsmap/test.yml b/data/actionsmap/test.yml index 4b835dc1..36d1a270 100644 --- a/data/actionsmap/test.yml +++ b/data/actionsmap/test.yml @@ -13,7 +13,7 @@ _global: parameters: uri: ldap://localhost:389 base_dn: dc=yunohost,dc=org - user_rdn: cn=admin + user_rdn: cn=admin,dc=yunohost,dc=org ldap-anonymous: vendor: ldap parameters: @@ -25,7 +25,14 @@ _global: parameters: uri: ldap://localhost:389 base_dn: dc=yunohost,dc=org - user_rdn: cn=admin + user_rdn: cn=admin,dc=yunohost,dc=org + as-root: + vendor: ldap + parameters: + # We can get this uri by (urllib.quote_plus('/var/run/slapd/ldapi') + uri: ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi + base_dn: dc=yunohost,dc=org + user_rdn: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth argument_auth: true lock: false @@ -52,6 +59,11 @@ test: configuration: authenticate: - cli + root-auth: + api: GET /test/root-auth + configuration: + authenticate: all + authenticator: as-root anonymous: api: GET /test/anon configuration: diff --git a/lib/test/test.py b/lib/test/test.py index 8a9e6e6c..04e88fe1 100644 --- a/lib/test/test.py +++ b/lib/test/test.py @@ -17,3 +17,7 @@ def test_auth_cli(): def test_anonymous(): return {'action': 'anonymous', 'authenticator': 'ldap-anonymous', 'authenticate': 'all'} + +def test_root(): + return {'action': 'root-auth', + 'authenticator': 'as-root', 'authenticate': 'all'} diff --git a/moulinette/authenticators/ldap.py b/moulinette/authenticators/ldap.py index cf04f0c1..0a84399c 100644 --- a/moulinette/authenticators/ldap.py +++ b/moulinette/authenticators/ldap.py 
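Review bot: The comment above the `uri:` line of the new `as-root` block has an unbalanced parenthesis and does not say why the socket path is percent-encoded; suggest `# ldapi socket path, URL-encoded so it fits in the URI: urllib.quote_plus('/var/run/slapd/ldapi')`. The `user_rdn:` value `gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth` appears to be the authorization DN slapd synthesizes for a root peer on the ldapi socket rather than an entry in the directory, which is worth stating next to it, e.g. `# authz DN slapd derives from the connecting process's uid/gid 0; not a directory entry`. Without that, a reader may try to look up or create this DN.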
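Review bot: `authenticate: all` combined with `authenticator: as-root` on the API route `GET /test/root-auth` does not authenticate the HTTP caller: SASL EXTERNAL over ldapi takes the identity of the connecting process, so if the API daemon runs as root every client that reaches this route gets an admin-bound LDAP session without presenting any credential. This is the test actionsmap, so it may be intentional, but the route deserves a comment such as `# as-root binds with the server process's own identity (ldapi peercred); it does not verify the requester` so the pattern is not copied into a production actionsmap. Whether the daemon runs as root is not visible from this patch.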
@@ -8,6 +8,7 @@ import random import string import crypt import ldap +import ldap.sasl import ldap.modlist as modlist from moulinette import m18n @@ -41,8 +42,11 @@ class Authenticator(BaseAuthenticator): self.uri = uri self.basedn = base_dn if user_rdn: - self.userdn = '%s,%s' % (user_rdn, base_dn) - self.con = None + self.userdn = user_rdn + if 'cn=external,cn=auth' in user_rdn: + self.authenticate(None) + else: + self.con = None else: # Initialize anonymous usage self.userdn = '' @@ -78,7 +82,10 @@ class Authenticator(BaseAuthenticator): try: con = ldap.initialize(self.uri) if self.userdn: - con.simple_bind_s(self.userdn, password) + if 'cn=external,cn=auth' in self.userdn: + con.sasl_non_interactive_bind_s('EXTERNAL') + else: + con.simple_bind_s(self.userdn, password) else: con.simple_bind_s() except ldap.INVALID_CREDENTIALS:
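Review bot: In the new `if user_rdn:` branch, `self.con` is assigned only in the `else:` arm, so on the EXTERNAL path the attribute exists only if `self.authenticate(None)` creates it (that method's body is outside this hunk), and a bind failure during construction leaves a half-initialised object; assigning `self.con = None` before the `if 'cn=external,cn=auth' in user_rdn:` test makes the attribute unconditional. Selecting the mechanism by substring match on the DN is fragile (DN case and spacing vary) and the same test is repeated in `authenticate`; storing the decision once here, e.g. `self.sasl_external = 'cn=external,cn=auth' in user_rdn`, and reusing it there keeps the two in sync, and an explicit authenticator parameter would be more robust still. Dropping the former `'%s,%s' % (user_rdn, base_dn)` join also means any actionsmap that still supplies a relative `user_rdn` (as `test.yml` did before this patch) now binds with an incomplete DN; the parameter should be documented as a full DN. `__init__` continues outside the hunk.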
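Review bot: The EXTERNAL branch `con.sasl_non_interactive_bind_s('EXTERNAL')` can fail in ways a simple bind cannot — the ldapi socket may be unreachable or the server may refuse the mechanism for this peer — and such failures are likely to surface as other `ldap.LDAPError` subclasses rather than `ldap.INVALID_CREDENTIALS`, so the except clause on the hunk's last line should be checked to ensure they are reported cleanly instead of propagating raw; the rest of the try/except is outside this hunk. The `password` argument is ignored on this path, which should be stated in the method's docstring, e.g. `password is ignored when the configured DN selects SASL EXTERNAL; the ldapi peer credentials are used instead`. The `'cn=external,cn=auth' in self.userdn` test duplicates the one in `__init__`; a single attribute set at construction would keep both places consistent.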