authorMathieu Brunot <mathieu.brunot@monogramm.io>2019-12-01 18:52:21 +0100
committerEugen Rochko <eugen@zeonfederated.com>2019-12-01 18:52:21 +0100
commitbd8dc9bd0c9857470f14189c15572cab18bf8ab1 (patch)
tree74084369418bccb2e79e6a8c0d5043565f83969d
parent911cc144815babf83ddf99f2daa3682021d401b8 (diff)
:sparkles: Add an LDAP Mail attribute config (#12053)
Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>
-rw-r--r--.env.nanobox2
-rw-r--r--.env.production.sample3
-rw-r--r--app/models/concerns/ldap_authenticable.rb4
-rw-r--r--config/initializers/devise.rb5
4 files changed, 10 insertions, 4 deletions
diff --git a/.env.nanobox b/.env.nanobox
index fc6c3c42f..03aa01a34 100644
--- a/.env.nanobox
+++ b/.env.nanobox
@@ -183,6 +183,8 @@ SMTP_FROM_ADDRESS=notifications@${APP_NAME}.nanoapp.io
 # LDAP_BIND_DN=
 # LDAP_PASSWORD=
 # LDAP_UID=cn
+# LDAP_MAIL=mail
+# LDAP_SEARCH_FILTER=(|(%{uid}=%{email})(%{mail}=%{email}))
 # LDAP_UID_CONVERSION_ENABLED=true
 # LDAP_UID_CONVERSION_SEARCH=., -
 # LDAP_UID_CONVERSION_REPLACE=_
diff --git a/.env.production.sample b/.env.production.sample
index 6b078c7b2..9cab992e3 100644
--- a/.env.production.sample
+++ b/.env.production.sample
@@ -178,7 +178,8 @@ STREAMING_CLUSTER_NUM=1
 # LDAP_BIND_DN=
 # LDAP_PASSWORD=
 # LDAP_UID=cn
-# LDAP_SEARCH_FILTER=%{uid}=%{email}
+# LDAP_MAIL=mail
+# LDAP_SEARCH_FILTER=(|(%{uid}=%{email})(%{mail}=%{email}))
 # LDAP_UID_CONVERSION_ENABLED=true
 # LDAP_UID_CONVERSION_SEARCH=., -
 # LDAP_UID_CONVERSION_REPLACE=_
diff --git a/app/models/concerns/ldap_authenticable.rb b/app/models/concerns/ldap_authenticable.rb
index 2d2e1edbb..e3f94bb6c 100644
--- a/app/models/concerns/ldap_authenticable.rb
+++ b/app/models/concerns/ldap_authenticable.rb
@@ -6,7 +6,7 @@ module LdapAuthenticable
   class_methods do
     def authenticate_with_ldap(params = {})
       ldap   = Net::LDAP.new(ldap_options)
-      filter = format(Devise.ldap_search_filter, uid: Devise.ldap_uid, email: params[:email])
+      filter = format(Devise.ldap_search_filter, uid: Devise.ldap_uid, mail: Devise.ldap_mail, email: params[:email])
 
       if (user_info = ldap.bind_as(base: Devise.ldap_base, filter: filter, password: params[:password]))
         ldap_get_user(user_info.first)
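Review bot: The rewritten `filter = format(...)` line still substitutes the caller-supplied `params[:email]` into the search filter template without LDAP filter escaping, so characters with filter meaning in the submitted value (`*`, `(`, `)`, `\`) are interpreted as filter syntax rather than as part of the value; with the new default template being a compound `(|(...)(...))` expression this matters more than with the old single equality. The net-ldap gem provides an escape helper for exactly this: `filter = format(Devise.ldap_search_filter, uid: Devise.ldap_uid, mail: Devise.ldap_mail, email: Net::LDAP::Filter.escape(params[:email].to_s))`. `Devise.ldap_uid` and `Devise.ldap_mail` come from the operator's environment and can stay as they are. Note also that the broadened default filter can match more than one directory entry (an entry whose `uid` equals another entry's `mail`), and `bind_as` appears to bind against the first result it gets — worth a comment here if that is the intended semantics. The body of `authenticate_with_ldap` continues outside the hunk.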
@@ -25,7 +25,7 @@ module LdapAuthenticable
       resource = joins(:account).find_by(accounts: { username: safe_username })
 
       if resource.blank?
-        resource = new(email: attributes[:mail].first, agreement: true, account_attributes: { username: safe_username }, admin: false, external: true, confirmed_at: Time.now.utc)
+        resource = new(email: attributes[Devise.ldap_mail.to_sym].first, agreement: true, account_attributes: { username: safe_username }, admin: false, external: true, confirmed_at: Time.now.utc)
         resource.save!
       end
 
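Review bot: `attributes[Devise.ldap_mail.to_sym].first` has no fallback when the directory entry lacks the configured mail attribute; if the lookup yields no values, `.first` is `nil` and the subsequent `resource.save!` raises on the missing email instead of returning a meaningful failure, which an operator who mistypes `LDAP_MAIL` will only see as a stack trace. Consider guarding the value before building the record, e.g. `email = attributes[Devise.ldap_mail.to_sym].first` followed by `raise ArgumentError, "LDAP entry has no #{Devise.ldap_mail} attribute" if email.blank?` (or whatever error the caller handles). The `.to_sym` also presumes the entry's attribute keys are exact lower-case symbols of the configured name; if the gem normalises attribute names itself, a short comment saying so would save the next reader from checking. `ldap_get_user` starts before this hunk.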
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index fa9fd8cc4..59e69ad37 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -53,6 +53,8 @@ module Devise
   @@ldap_base = nil
   mattr_accessor :ldap_uid
   @@ldap_uid = nil
+  mattr_accessor :ldap_mail
+  @@ldap_mail = nil
   mattr_accessor :ldap_bind_dn
   @@ldap_bind_dn = nil
   mattr_accessor :ldap_password
@@ -369,8 +371,9 @@ Devise.setup do |config|
     config.ldap_bind_dn        = ENV.fetch('LDAP_BIND_DN')
     config.ldap_password       = ENV.fetch('LDAP_PASSWORD')
     config.ldap_uid            = ENV.fetch('LDAP_UID', 'cn')
+    config.ldap_mail           = ENV.fetch('LDAP_MAIL', 'mail')
     config.ldap_tls_no_verify  = ENV['LDAP_TLS_NO_VERIFY'] == 'true'
-    config.ldap_search_filter  = ENV.fetch('LDAP_SEARCH_FILTER', '%{uid}=%{email}')
+    config.ldap_search_filter  = ENV.fetch('LDAP_SEARCH_FILTER', '(|(%{uid}=%{email})(%{mail}=%{email}))')
     config.ldap_uid_conversion_enabled  = ENV['LDAP_UID_CONVERSION_ENABLED'] == 'true'
     config.ldap_uid_conversion_search   = ENV.fetch('LDAP_UID_CONVERSION_SEARCH', '.,- ')
     config.ldap_uid_conversion_replace  = ENV.fetch('LDAP_UID_CONVERSION_REPLACE', '_')
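Review bot: The changed default for `config.ldap_search_filter` alters lookup behaviour for every existing deployment that relied on the previous default `%{uid}=%{email}` and did not set `LDAP_SEARCH_FILTER` explicitly — accounts are now also matched on the mail attribute — and nothing in the initializer says so. A comment above the line naming the template's placeholders and the behaviour change would help, e.g. `# LDAP filter template; %{uid} and %{mail} are the attribute names from LDAP_UID / LDAP_MAIL, %{email} is the login value. Default now matches either attribute (previously uid only).` A note in the changelog or sample env file would reach operators who never open this file.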