e115934061
Publish `@librechat/data-schemas` to NPM / pack (push) Failing after 8s
Publish `@librechat/client` to NPM / pack (push) Failing after 0s
GitNexus Index / index (push) Failing after 1s
Sync Locize Translations & Create Translation PR / Create Translation PR on Version Published (push) Has been skipped
Sync Helm Chart Tags / Sync chart tags (push) Failing after 2s
Publish `librechat-data-provider` to NPM / pack (push) Failing after 1s
Docker Dev Images Build / build (Dockerfile, librechat-dev, node) (push) Failing after 1s
Docker Dev Images Build / build (Dockerfile.multi, librechat-dev-api, api-build) (push) Failing after 0s
Sync Helm Chart Tags / Ignore non-main push (push) Has been skipped
Sync Locize Translations & Create Translation PR / Sync Translation Keys with Locize (push) Failing after 1s
Publish `@librechat/client` to NPM / publish-npm (push) Has been cancelled
Publish `librechat-data-provider` to NPM / publish-npm (push) Has been cancelled
GitNexus Index / post-index (push) Has been cancelled
Publish `@librechat/data-schemas` to NPM / publish-npm (push) Has been cancelled
187 lines
5.6 KiB
JavaScript
187 lines
5.6 KiB
JavaScript
const fs = require('fs');
|
|
const LdapStrategy = require('passport-ldapauth');
|
|
const { logger } = require('@librechat/data-schemas');
|
|
const { SystemRoles, ErrorTypes } = require('librechat-data-provider');
|
|
const {
|
|
isEnabled,
|
|
getBalanceConfig,
|
|
isEmailDomainAllowed,
|
|
resolveAppConfigForUser,
|
|
} = require('@librechat/api');
|
|
const { createUser, findUser, updateUser, countUsers } = require('~/models');
|
|
const { getAppConfig } = require('~/server/services/Config');
|
|
|
|
const {
|
|
LDAP_URL,
|
|
LDAP_BIND_DN,
|
|
LDAP_BIND_CREDENTIALS,
|
|
LDAP_USER_SEARCH_BASE,
|
|
LDAP_SEARCH_FILTER,
|
|
LDAP_CA_CERT_PATH,
|
|
LDAP_FULL_NAME,
|
|
LDAP_ID,
|
|
LDAP_USERNAME,
|
|
LDAP_EMAIL,
|
|
LDAP_TLS_REJECT_UNAUTHORIZED,
|
|
LDAP_STARTTLS,
|
|
} = process.env;
|
|
|
|
// Check required environment variables
|
|
if (!LDAP_URL || !LDAP_USER_SEARCH_BASE) {
|
|
module.exports = null;
|
|
}
|
|
|
|
const searchAttributes = [
|
|
'displayName',
|
|
'mail',
|
|
'uid',
|
|
'cn',
|
|
'name',
|
|
'commonname',
|
|
'givenName',
|
|
'sn',
|
|
'sAMAccountName',
|
|
];
|
|
|
|
if (LDAP_FULL_NAME) {
|
|
searchAttributes.push(...LDAP_FULL_NAME.split(','));
|
|
}
|
|
if (LDAP_ID) {
|
|
searchAttributes.push(LDAP_ID);
|
|
}
|
|
if (LDAP_USERNAME) {
|
|
searchAttributes.push(LDAP_USERNAME);
|
|
}
|
|
if (LDAP_EMAIL) {
|
|
searchAttributes.push(LDAP_EMAIL);
|
|
}
|
|
const rejectUnauthorized = isEnabled(LDAP_TLS_REJECT_UNAUTHORIZED);
|
|
const startTLS = isEnabled(LDAP_STARTTLS);
|
|
|
|
const ldapOptions = {
|
|
server: {
|
|
url: LDAP_URL,
|
|
bindDN: LDAP_BIND_DN,
|
|
bindCredentials: LDAP_BIND_CREDENTIALS,
|
|
searchBase: LDAP_USER_SEARCH_BASE,
|
|
searchFilter: LDAP_SEARCH_FILTER || 'mail={{username}}',
|
|
searchAttributes: [...new Set(searchAttributes)],
|
|
...(LDAP_CA_CERT_PATH && {
|
|
tlsOptions: {
|
|
rejectUnauthorized,
|
|
ca: (() => {
|
|
try {
|
|
return [fs.readFileSync(LDAP_CA_CERT_PATH)];
|
|
} catch (err) {
|
|
logger.error('[ldapStrategy]', 'Failed to read CA certificate', err);
|
|
throw err;
|
|
}
|
|
})(),
|
|
},
|
|
}),
|
|
...(startTLS && { starttls: true }),
|
|
},
|
|
usernameField: 'email',
|
|
passwordField: 'password',
|
|
};
|
|
|
|
const ldapLogin = new LdapStrategy(ldapOptions, async (userinfo, done) => {
|
|
if (!userinfo) {
|
|
return done(null, false, { message: 'Invalid credentials' });
|
|
}
|
|
|
|
try {
|
|
const ldapId =
|
|
(LDAP_ID && userinfo[LDAP_ID]) || userinfo.uid || userinfo.sAMAccountName || userinfo.mail;
|
|
|
|
const fullNameAttributes = LDAP_FULL_NAME && LDAP_FULL_NAME.split(',');
|
|
const fullName =
|
|
fullNameAttributes && fullNameAttributes.length > 0
|
|
? fullNameAttributes.map((attr) => userinfo[attr]).join(' ')
|
|
: userinfo.cn || userinfo.name || userinfo.commonname || userinfo.displayName;
|
|
|
|
const username =
|
|
(LDAP_USERNAME && userinfo[LDAP_USERNAME]) || userinfo.givenName || userinfo.mail;
|
|
|
|
let mail = (LDAP_EMAIL && userinfo[LDAP_EMAIL]) || userinfo.mail || username + '@ldap.local';
|
|
mail = Array.isArray(mail) ? mail[0] : mail;
|
|
|
|
if (!userinfo.mail && !(LDAP_EMAIL && userinfo[LDAP_EMAIL])) {
|
|
logger.warn(
|
|
'[ldapStrategy]',
|
|
`No valid email attribute found in LDAP userinfo. Using fallback email: ${username}@ldap.local`,
|
|
`LDAP_EMAIL env var: ${LDAP_EMAIL || 'not set'}`,
|
|
`Available userinfo attributes: ${Object.keys(userinfo).join(', ')}`,
|
|
'Full userinfo:',
|
|
JSON.stringify(userinfo, null, 2),
|
|
);
|
|
}
|
|
|
|
// Domain check before findUser for two-phase fast-fail (consistent with SAML/OpenID/social).
|
|
// This means cross-provider users from blocked domains get 'Email domain not allowed'
|
|
// instead of AUTH_FAILED — both deny access.
|
|
const baseConfig = await getAppConfig({ baseOnly: true });
|
|
if (!isEmailDomainAllowed(mail, baseConfig?.registration?.allowedDomains)) {
|
|
logger.error(
|
|
`[LDAP Strategy] Authentication blocked - email domain not allowed [Email: ${mail}]`,
|
|
);
|
|
return done(null, false, { message: 'Email domain not allowed' });
|
|
}
|
|
|
|
let user = await findUser({ ldapId });
|
|
if (user && user.provider !== 'ldap') {
|
|
logger.info(
|
|
`[ldapStrategy] User ${user.email} already exists with provider ${user.provider}`,
|
|
);
|
|
return done(null, false, {
|
|
message: ErrorTypes.AUTH_FAILED,
|
|
});
|
|
}
|
|
|
|
const appConfig = user?.tenantId
|
|
? await resolveAppConfigForUser(getAppConfig, user)
|
|
: baseConfig;
|
|
|
|
if (!isEmailDomainAllowed(mail, appConfig?.registration?.allowedDomains)) {
|
|
logger.error(
|
|
`[LDAP Strategy] Authentication blocked - email domain not allowed [Email: ${mail}]`,
|
|
);
|
|
return done(null, false, { message: 'Email domain not allowed' });
|
|
}
|
|
|
|
if (!user) {
|
|
const isFirstRegisteredUser = (await countUsers()) === 0;
|
|
const role = isFirstRegisteredUser ? SystemRoles.ADMIN : SystemRoles.USER;
|
|
|
|
user = {
|
|
provider: 'ldap',
|
|
ldapId,
|
|
username,
|
|
email: mail,
|
|
emailVerified: true, // The ldap server administrator should verify the email
|
|
name: fullName,
|
|
role,
|
|
};
|
|
const balanceConfig = getBalanceConfig(appConfig);
|
|
const userId = await createUser(user, balanceConfig);
|
|
user._id = userId;
|
|
} else {
|
|
// Users registered in LDAP are assumed to have their user information managed in LDAP,
|
|
// so update the user information with the values registered in LDAP
|
|
user.provider = 'ldap';
|
|
user.ldapId = ldapId;
|
|
user.email = mail;
|
|
user.username = username;
|
|
user.name = fullName;
|
|
}
|
|
|
|
user = await updateUser(user._id, user);
|
|
done(null, user);
|
|
} catch (err) {
|
|
logger.error('[ldapStrategy]', err);
|
|
done(err);
|
|
}
|
|
});
|
|
|
|
module.exports = ldapLogin;
|