Future = Npm.require('fibers/future'); var slug = function (text) { text = slugify(text, '.'); return text.replace(/[^0-9a-z-_.]/g, ''); } // At a minimum, set up LDAP_DEFAULTS.url and .dn according to // your needs. url should appear as "ldap://your.url.here" // dn should appear in normal ldap format of comma separated attribute=value // e.g. "uid=someuser,cn=users,dc=somevalue" LDAP_DEFAULTS = { url: false, port: '389', dn: false, createNewUser: true, defaultDomain: false, searchResultsProfileMap: false, bindSearch: undefined }; /** @class LDAP @constructor */ var LDAP = function(options) { // Set options this.options = _.defaults(options, LDAP_DEFAULTS); // Make sure options have been set try { check(this.options.url, String); check(this.options.dn, String); } catch (e) { throw new Meteor.Error("Bad Defaults", "Options not set. Make sure to set LDAP_DEFAULTS.url and LDAP_DEFAULTS.dn!"); } // Because NPM ldapjs module has some binary builds, // We had to create a wraper package for it and build for // certain architectures. The package typ:ldap-js exports // "MeteorWrapperLdapjs" which is a wrapper for the npm module this.ldapjs = MeteorWrapperLdapjs; }; /** * Attempt to bind (authenticate) ldap * and perform a dn search if specified * * @method ldapCheck * * @param {Object} options Object with username, ldapPass and overrides for LDAP_DEFAULTS object */ LDAP.prototype.ldapCheck = function(options) { var self = this; options = options || {}; if (options.hasOwnProperty('username') && options.hasOwnProperty('ldapPass')) { var ldapAsyncFut = new Future(); // Create ldap client var fullUrl = self.options.url + ':' + self.options.port; var client = self.ldapjs.createClient({ url: fullUrl }); // Slide @xyz.whatever from username if it was passed in // and replace it with the domain specified in defaults var emailSliceIndex = options.username.indexOf('@'); var username; var domain = self.options.defaultDomain; // If user appended email domain, strip it out // And use the defaults.defaultDomain if set if (emailSliceIndex !== -1) { username = options.username.substring(0, emailSliceIndex); domain = domain || options.username.substring((emailSliceIndex + 1), options.username.length); } else { username = options.username; } var bind = function(dn) { console.log('Attempt to bind', dn) //Attempt to bind to ldap server with provided info client.bind(dn, options.ldapPass, function(err) { try { if (err) { // Bind failure, return error console.log(err); throw new Meteor.Error(err.code, err.message); } else { // Bind auth successful // Create return object var retObject = { username: username, searchResults: null }; // Set email on return object retObject.email = domain ? username + '@' + domain : false; // Return search results if specified if (self.options.searchResultsProfileMap) { client.search(dn, {}, function(err, res) { res.on('searchEntry', function(entry) { // Add entry results to return object retObject.searchResults = entry.object; ldapAsyncFut.return(retObject); }); }); } // No search results specified, return username and email object else { ldapAsyncFut.return(retObject); } } } catch (e) { console.log(e); ldapAsyncFut.return({ error: e }); } }); } if (LDAP_DEFAULTS.bindSearch && LDAP_DEFAULTS.bindSearch.trim() != '') { try { var bindSearch = LDAP_DEFAULTS.bindSearch.replace(/#{username}/g, options.username); var opts = JSON.parse(bindSearch); client.search(options.ldapOptions.dn, opts, function(err, res) { if (err) { console.log('LDAP: Error', err); return bind(self.options.dn); } var dn = self.options.dn; res.on('searchEntry', function(entry) { dn = entry.object.dn; }); res.on('error', function(err) { console.log('LDAP: Error', err); }); res.on('end', function(result) { bind(dn); }); }); } catch (e) { console.log('LDAP: Error', e); } } else { bind(self.options.dn); } return ldapAsyncFut.wait(); } else { throw new Meteor.Error(403, "Missing LDAP Auth Parameter"); } }; // Register login handler with Meteor // Here we create a new LDAP instance with options passed from // Meteor.loginWithLDAP on client side // @param {Object} loginRequest will consist of username, ldapPass, ldap, and ldapOptions Accounts.registerLoginHandler("ldap", function(loginRequest) { // If "ldap" isn't set in loginRequest object, // then this isn't the proper handler (return undefined) if (!loginRequest.ldap) { return undefined; } // Instantiate LDAP with options var userOptions = loginRequest.ldapOptions || {}; // Don't allow overwriting url and port delete userOptions.url; delete userOptions.port; var ldapObj = new LDAP(userOptions); // Call ldapCheck and get response var ldapResponse = ldapObj.ldapCheck(loginRequest); if (ldapResponse.error) { return { userId: null, error: ldapResponse.error } } else { // Set initial userId and token vals var userId = null; var stampedToken = { token: null }; // Look to see if user already exists var user = Meteor.users.findOne({ username: slug(ldapResponse.username) }); // Login user if they exist if (user) { if (user.ldap !== true) { return { userId: null, error: "LDAP Authentication succeded, but there's already an existing user with provided username in Mongo." }; } userId = user._id; // Create hashed token so user stays logged in stampedToken = Accounts._generateStampedLoginToken(); var hashStampedToken = Accounts._hashStampedToken(stampedToken); // Update the user's token in mongo Meteor.users.update(userId, { $push: { 'services.resume.loginTokens': hashStampedToken } }); } // Otherwise create user if option is set else if (ldapObj.options.createNewUser) { var userObject = { username: slug(ldapResponse.username) }; // Set email if (ldapResponse.email) userObject.email = ldapResponse.email; // Set profile values if specified in searchResultsProfileMap if (ldapResponse.searchResults && ldapObj.options.searchResultsProfileMap.length > 0) { var profileMap = ldapObj.options.searchResultsProfileMap; var profileObject = {}; // Loop through profileMap and set values on profile object for (var i = 0; i < profileMap.length; i++) { var resultKey = profileMap[i].resultKey; // If our search results have the specified property, set the profile property to its value if (ldapResponse.searchResults.hasOwnProperty(resultKey)) { profileObject[profileMap[i].profileProperty] = ldapResponse.searchResults[resultKey]; } } // Set userObject profile userObject.profile = profileObject; } userId = Accounts.createUser(userObject); Meteor.users.update(userId, {$set: { ldap: true }}); } else { // Ldap success, but no user created return { userId: null, error: "LDAP Authentication succeded, but no user exists in Mongo. Either create a user for this email or set LDAP_DEFAULTS.createNewUser to true" }; } return { userId: userId, token: stampedToken.token }; } return undefined; });