Use root UID to authenticate to LDAP

2024-09-03 20:06:10 +02:00 · 2018-11-28 08:20:55 +01:00 · 2018-11-28 08:20:55 +01:00 · ad628b7620
commit ad628b7620
parent 05ba65b8d3
3 changed files with 43 additions and 7 deletions
--- a/data/actionsmap/yunohost.yml
+++ b/data/actionsmap/yunohost.yml
@ -43,12 +43,19 @@ _global:
                parameters:
                    uri: ldap://localhost:389
                    base_dn: dc=yunohost,dc=org
-                    user_rdn: cn=admin
+                    user_rdn: cn=admin,dc=yunohost,dc=org
            ldap-anonymous:
                vendor: ldap
                parameters:
                    uri: ldap://localhost:389
                    base_dn: dc=yunohost,dc=org
            as-root:
                vendor: ldap
                parameters:
                    # We can get this uri by (urllib.quote_plus('/var/run/slapd/ldapi')
                    uri: ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi
                    base_dn: dc=yunohost,dc=org
                    user_rdn: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
        argument_auth: true
    arguments:
        -v:
@ -84,6 +91,7 @@ user:
            api: POST /users
            configuration:
                authenticate: all
                authenticator: as-root
            arguments:
                username:
                    help: The unique username to create
@ -142,6 +150,7 @@ user:
            api: DELETE /users/<username>
            configuration:
                authenticate: all
                authenticator: as-root
            arguments:
                username:
                    help: Username to delete
@ -157,6 +166,7 @@ user:
            api: PUT /users/<username>
            configuration:
                authenticate: all
                authenticator: as-root
            arguments:
                username:
                    help: Username to update
@ -238,6 +248,7 @@ user:
                    api: POST /users/groups
                    configuration:
                        authenticate: all
                        authenticator: as-root
                    arguments:
                        groupname:
                            help: The unique group name to add
@ -252,6 +263,7 @@ user:
                    api: DELETE /users/groups/<groupname>
                    configuration:
                        authenticate: all
                        authenticator: as-root
                    arguments:
                        groupname:
                            help: Username to delete
@ -264,6 +276,7 @@ user:
                    api: PUT /users/groups/<groupname>
                    configuration:
                        authenticate: all
                        authenticator: as-root
                    arguments:
                        groupname:
                            help: Username to update
@ -335,6 +348,7 @@ user:
                    api: POST /users/permission/<app>
                    configuration:
                        authenticate: all
                        authenticator: as-root
                    arguments:
                        app:
                            help: Application to manage the permission
@ -365,6 +379,7 @@ user:
                    api: PUT /users/permission/<app>
                    configuration:
                        authenticate: all
                        authenticator: as-root
                    arguments:
                        app:
                            help: Application to manage the permission
@ -395,6 +410,7 @@ user:
                    api: DELETE /users/permission/<app>
                    configuration:
                        authenticate: all
                        authenticator: as-root
                    arguments:
                        app:
                            help: Application to manage the permission
@ -414,6 +430,7 @@ user:
                    api: POST /users/ssh/enable
                    configuration:
                        authenticate: all
                        authenticator: as-root
                    arguments:
                        username:
                            help: Username of the user
@ -426,6 +443,7 @@ user:
                    api: POST /users/ssh/disable
                    configuration:
                        authenticate: all
                        authenticator: as-root
                    arguments:
                        username:
                            help: Username of the user
@ -438,6 +456,7 @@ user:
                    api: GET /users/ssh/keys
                    configuration:
                        authenticate: all
                        authenticator: as-root
                    arguments:
                        username:
                            help: Username of the user
@ -450,6 +469,7 @@ user:
                    api: POST /users/ssh/key
                    configuration:
                        authenticate: all
                        authenticator: as-root
                    arguments:
                        username:
                            help: Username of the user
@ -467,6 +487,7 @@ user:
                    api: DELETE /users/ssh/key
                    configuration:
                        authenticate: all
                        authenticator: as-root
                    arguments:
                        username:
                            help: Username of the user
@ -497,6 +518,7 @@ domain:
            api: POST /domains
            configuration:
                authenticate: all
                authenticator: as-root
            arguments:
                domain:
                    help: Domain name to add
@ -515,6 +537,7 @@ domain:
            api: DELETE /domains/<domain>
            configuration:
                authenticate: all
                authenticator: as-root
            arguments:
                domain:
                    help: Domain to delete
@ -734,6 +757,7 @@ app:
            api: POST /apps
            configuration:
                authenticate: all
                authenticator: as-root
            arguments:
                app:
                    help: Name, local path or git URL of the app to install
@ -758,6 +782,7 @@ app:
            api: DELETE /apps/<app>
            configuration:
                authenticate: all
                authenticator: as-root
            arguments:
                app:
                    help: App(s) to delete
@ -768,7 +793,7 @@ app:
            api: PUT /upgrade/apps
            configuration:
                authenticate: all
-                authenticator: ldap-anonymous
+                authenticator: as-root
            arguments:
                app:
                    help: App(s) to upgrade (default all)
@ -786,6 +811,7 @@ app:
            api: PUT /apps/<app>/changeurl
            configuration:
                authenticate: all
                authenticator: as-root
            arguments:
                app:
                    help: Target app instance name
@ -931,6 +957,7 @@ app:
            api: PUT /access
            configuration:
                authenticate: all
                authenticator: as-root
            arguments:
                apps:
                    nargs: "+"
@ -944,6 +971,7 @@ app:
            api: DELETE /access
            configuration:
                authenticate: all
                authenticator: as-root
            arguments:
                apps:
                    nargs: "+"
@ -957,6 +985,7 @@ app:
            api: POST /access
            configuration:
                authenticate: all
                authenticator: as-root
            arguments:
                apps:
                    nargs: "+"
@ -1659,6 +1688,7 @@ tools:
            api: POST /ldap
            configuration:
                authenticate: all
                authenticator: as-root
        ### tools_adminpw()
        adminpw:
@ -1666,6 +1696,7 @@ tools:
            api: PUT /adminpw
            configuration:
                authenticate: all
                authenticator: as-root
            arguments:
                -n:
                    full: --new-password
@ -1683,6 +1714,7 @@ tools:
                - PUT /domains/main
            configuration:
                authenticate: all
                authenticator: as-root
            arguments:
                -n:
                    full: --new-domain
@ -1773,6 +1805,7 @@ tools:
        shell:
            configuration:
                authenticate: all
                authenticator: as-root
            action_help: Launch a development shell
            arguments:
                -c:
--- a/data/templates/slapd/slapd.conf
+++ b/data/templates/slapd/slapd.conf
@ -82,6 +82,7 @@ checkpoint      512 30
 # These access lines apply to database #1 only
 access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=yunohost,dc=org" write
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
        by anonymous auth
        by self write
        by * none
@ -91,6 +92,7 @@ access to attrs=userPassword,shadowLastChange
 # Others should be able to see it.
 access to attrs=cn,gecos,givenName,mail,maildrop,displayName,sn
        by dn="cn=admin,dc=yunohost,dc=org" write
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
        by self write
        by * read
@ -109,6 +111,7 @@ access to dn.base="" by * read
 # can read everything.
 access to *
        by dn="cn=admin,dc=yunohost,dc=org" write
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
        by group/groupOfNames/Member="cn=admin,ou=groups,dc=yunohost,dc=org" write
        by * read
--- a/src/yunohost/tools.py
+++ b/src/yunohost/tools.py
@ -68,11 +68,11 @@ def tools_ldapinit():
    """
    # Instantiate LDAP Authenticator
-    auth = init_authenticator(('ldap', 'default'),
+    AUTH_IDENTIFIER = ('ldap', 'as-root')
-                              {'uri': "ldap://localhost:389",
+    AUTH_PARAMETERS = {'uri': 'ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi',
-                               'base_dn': "dc=yunohost,dc=org",
+                       'base_dn': 'dc=yunohost,dc=org',
-                               'user_rdn': "cn=admin"})
+                       'user_rdn': 'gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'}
-    auth.authenticate('yunohost')
+    auth = init_authenticator(AUTH_IDENTIFIER, AUTH_PARAMETERS)
    with open('/usr/share/yunohost/yunohost-config/moulinette/ldap_scheme.yml') as f:
        ldap_map = yaml.load(f)