Use root UID to authenticate to LDAP

data/actionsmap/yunohost.yml

@@ -43,12 +43,19 @@ _global:
                 parameters:
                     uri: ldap://localhost:389
                     base_dn: dc=yunohost,dc=org
-                    user_rdn: cn=admin
+                    user_rdn: cn=admin,dc=yunohost,dc=org
             ldap-anonymous:
                 vendor: ldap
                 parameters:
                     uri: ldap://localhost:389
                     base_dn: dc=yunohost,dc=org
+            as-root:
+                vendor: ldap
+                parameters:
+                    # We can get this uri by (urllib.quote_plus('/var/run/slapd/ldapi')
+                    uri: ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi
+                    base_dn: dc=yunohost,dc=org
+                    user_rdn: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
         argument_auth: true
     arguments:
         -v:
@@ -84,6 +91,7 @@ user:
             api: POST /users
             configuration:
                 authenticate: all
+                authenticator: as-root
             arguments:
                 username:
                     help: The unique username to create
@@ -142,6 +150,7 @@ user:
             api: DELETE /users/<username>
             configuration:
                 authenticate: all
+                authenticator: as-root
             arguments:
                 username:
                     help: Username to delete
@@ -157,6 +166,7 @@ user:
             api: PUT /users/<username>
             configuration:
                 authenticate: all
+                authenticator: as-root
             arguments:
                 username:
                     help: Username to update
@@ -238,6 +248,7 @@ user:
                     api: POST /users/groups
                     configuration:
                         authenticate: all
+                        authenticator: as-root
                     arguments:
                         groupname:
                             help: The unique group name to add
@@ -252,6 +263,7 @@ user:
                     api: DELETE /users/groups/<groupname>
                     configuration:
                         authenticate: all
+                        authenticator: as-root
                     arguments:
                         groupname:
                             help: Username to delete
@@ -264,6 +276,7 @@ user:
                     api: PUT /users/groups/<groupname>
                     configuration:
                         authenticate: all
+                        authenticator: as-root
                     arguments:
                         groupname:
                             help: Username to update
@@ -335,6 +348,7 @@ user:
                     api: POST /users/permission/<app>
                     configuration:
                         authenticate: all
+                        authenticator: as-root
                     arguments:
                         app:
                             help: Application to manage the permission
@@ -365,6 +379,7 @@ user:
                     api: PUT /users/permission/<app>
                     configuration:
                         authenticate: all
+                        authenticator: as-root
                     arguments:
                         app:
                             help: Application to manage the permission
@@ -395,6 +410,7 @@ user:
                     api: DELETE /users/permission/<app>
                     configuration:
                         authenticate: all
+                        authenticator: as-root
                     arguments:
                         app:
                             help: Application to manage the permission
@@ -414,6 +430,7 @@ user:
                     api: POST /users/ssh/enable
                     configuration:
                         authenticate: all
+                        authenticator: as-root
                     arguments:
                         username:
                             help: Username of the user
@@ -426,6 +443,7 @@ user:
                     api: POST /users/ssh/disable
                     configuration:
                         authenticate: all
+                        authenticator: as-root
                     arguments:
                         username:
                             help: Username of the user
@@ -438,6 +456,7 @@ user:
                     api: GET /users/ssh/keys
                     configuration:
                         authenticate: all
+                        authenticator: as-root
                     arguments:
                         username:
                             help: Username of the user
@@ -450,6 +469,7 @@ user:
                     api: POST /users/ssh/key
                     configuration:
                         authenticate: all
+                        authenticator: as-root
                     arguments:
                         username:
                             help: Username of the user
@@ -467,6 +487,7 @@ user:
                     api: DELETE /users/ssh/key
                     configuration:
                         authenticate: all
+                        authenticator: as-root
                     arguments:
                         username:
                             help: Username of the user
@@ -497,6 +518,7 @@ domain:
             api: POST /domains
             configuration:
                 authenticate: all
+                authenticator: as-root
             arguments:
                 domain:
                     help: Domain name to add
@@ -515,6 +537,7 @@ domain:
             api: DELETE /domains/<domain>
             configuration:
                 authenticate: all
+                authenticator: as-root
             arguments:
                 domain:
                     help: Domain to delete
@@ -734,6 +757,7 @@ app:
             api: POST /apps
             configuration:
                 authenticate: all
+                authenticator: as-root
             arguments:
                 app:
                     help: Name, local path or git URL of the app to install
@@ -758,6 +782,7 @@ app:
             api: DELETE /apps/<app>
             configuration:
                 authenticate: all
+                authenticator: as-root
             arguments:
                 app:
                     help: App(s) to delete
@@ -768,7 +793,7 @@ app:
             api: PUT /upgrade/apps
             configuration:
                 authenticate: all
-                authenticator: ldap-anonymous
+                authenticator: as-root
             arguments:
                 app:
                     help: App(s) to upgrade (default all)
@@ -786,6 +811,7 @@ app:
             api: PUT /apps/<app>/changeurl
             configuration:
                 authenticate: all
+                authenticator: as-root
             arguments:
                 app:
                     help: Target app instance name
@@ -931,6 +957,7 @@ app:
             api: PUT /access
             configuration:
                 authenticate: all
+                authenticator: as-root
             arguments:
                 apps:
                     nargs: "+"
@@ -944,6 +971,7 @@ app:
             api: DELETE /access
             configuration:
                 authenticate: all
+                authenticator: as-root
             arguments:
                 apps:
                     nargs: "+"
@@ -957,6 +985,7 @@ app:
             api: POST /access
             configuration:
                 authenticate: all
+                authenticator: as-root
             arguments:
                 apps:
                     nargs: "+"
@@ -1659,6 +1688,7 @@ tools:
             api: POST /ldap
             configuration:
                 authenticate: all
+                authenticator: as-root
 
         ### tools_adminpw()
         adminpw:
@@ -1666,6 +1696,7 @@ tools:
             api: PUT /adminpw
             configuration:
                 authenticate: all
+                authenticator: as-root
             arguments:
                 -n:
                     full: --new-password
@@ -1683,6 +1714,7 @@ tools:
                 - PUT /domains/main
             configuration:
                 authenticate: all
+                authenticator: as-root
             arguments:
                 -n:
                     full: --new-domain
@@ -1773,6 +1805,7 @@ tools:
         shell:
             configuration:
                 authenticate: all
+                authenticator: as-root
             action_help: Launch a development shell
             arguments:
                 -c:

data/templates/slapd/slapd.conf

@@ -82,6 +82,7 @@ checkpoint      512 30
 # These access lines apply to database #1 only
 access to attrs=userPassword,shadowLastChange
         by dn="cn=admin,dc=yunohost,dc=org" write
+        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
         by anonymous auth
         by self write
         by * none
@@ -91,6 +92,7 @@ access to attrs=userPassword,shadowLastChange
 # Others should be able to see it.
 access to attrs=cn,gecos,givenName,mail,maildrop,displayName,sn
         by dn="cn=admin,dc=yunohost,dc=org" write
+        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
         by self write
         by * read
 
@@ -109,6 +111,7 @@ access to dn.base="" by * read
 # can read everything.
 access to *
         by dn="cn=admin,dc=yunohost,dc=org" write
+        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
         by group/groupOfNames/Member="cn=admin,ou=groups,dc=yunohost,dc=org" write
         by * read
 

src/yunohost/tools.py

@@ -68,11 +68,11 @@ def tools_ldapinit():
     """
 
     # Instantiate LDAP Authenticator
-    auth = init_authenticator(('ldap', 'default'),
-                              {'uri': "ldap://localhost:389",
-                               'base_dn': "dc=yunohost,dc=org",
-                               'user_rdn': "cn=admin"})
-    auth.authenticate('yunohost')
+    AUTH_IDENTIFIER = ('ldap', 'as-root')
+    AUTH_PARAMETERS = {'uri': 'ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi',
+                       'base_dn': 'dc=yunohost,dc=org',
+                       'user_rdn': 'gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'}
+    auth = init_authenticator(AUTH_IDENTIFIER, AUTH_PARAMETERS)
 
     with open('/usr/share/yunohost/yunohost-config/moulinette/ldap_scheme.yml') as f:
         ldap_map = yaml.load(f)