Patch for Mattermost 4.4 -> 4.9 + some bug fix

Crivaledaz · May 19, 2018 · 5afe073 · 5afe073
1 parent 502ae7e
commit 5afe073
Show file tree

Hide file tree

Showing 10 changed files with 71 additions and 30 deletions.
diff --git a/README.md b/README.md
@@ -50,8 +50,17 @@ sudo apt-get -y install httpd php postgresql-server postgresql php-ldap php-pdo
 #For MySQL
 sudo apt-get -y install httpd php mariadb-server mariadb php-ldap php-pdo php-mysql git
 ```
+Setup your SQL server with the following command :
+```
+#For PostgreSQL (create a new database cluster)
+sudo postgresql-setup initdb
+
+#For MySQL (optional configuration for a secure MySQL server)
+sudo mysql_secure_installation
+```
+By default, PostgreSQL does not allow client authentication on the server or a database. So we need to enable it by editing pg_hba.conf file (in /var/lib/pgsql). Open this file and replace 'ident' by 'md5' on the first three lines (local, host 127.0.0.1 and host ::1/128). It's recommended to backup the original file before editing it.
 
-Start and enable service for Apache and Database (for all distribution using systemd):
+Then, start and enable service for Apache and Database (for all distribution using systemd):
 ```
 #For PostgreSQL
 sudo systemctl start httpd
@@ -90,6 +99,8 @@ This script will automatically create and add a new client in the oauth server,
 
 ## Configuration
 
+Configuration files are provided with examples and default values. Each config file has an ".example" extension, so you need to copy and to rename them without this extension. You can find a detailed description of each parameters available below.
+
 * Init script configuration :
 #### oauth_user
 Oauth user in the database. This user must have right on the oauth database to store oauth tokens. By default : oauth	
@@ -121,7 +132,9 @@ User API Endpoint : http://HOSTNAME/oauth/resource.php
 Auth Endpoint: http://HOSTNAME/oauth/authorize.php
 Token Endpoint: http://HOSTNAME/oauth/token.php
 ```
-Change HOSTNAME by hostname or ip of the server where you have installed Mattermost-LDAP module. 
+Change HOSTNAME by hostname or ip of the server where you have installed Mattermost-LDAP module.
+
+In Mattermost 4.9, these fields are disable  in admin panel, so you need to edit directly the configuration file config.json. 
 
 * Database credentials
 Edit oauth/config_db.php and adapt, with your settings, to set up database in PHP.
@@ -141,7 +154,7 @@ Oauth user password in the database. If you use init script make sure to use the
 
 * LDAP config
 Edit oauth/LDAP/config_ldap.php : 
-1. Provide your ldap address and port.
+1. Provide your ldap address, port and version.
 2. Change the base directory name ($base) and the filter ($filter) to comply with your LDAP configuration.
 3. Change the user ID attribute ($ldap_attribute) to comply with your LDAP configuration (uid, sAMAccountName, email, cn ..).
 4. If necessary, you can provide a LDAP account to allow search in LDAP (only restrictive LDAP).  
@@ -150,6 +163,8 @@ Edit oauth/LDAP/config_ldap.php :
 Your LDAP hostname or LDAP IP, to connect to the LDAP server.
 #### $port
 Your LDAP port, to connect to the LDAP server. By default : 389.
+#### $ldap_version
+Your LDAP version, or protocol version used by your server. By default : 3. This parameter avoid LDAP blind error with LDAP 3 (issue )
 #### $search_attribute
 The attribute used to identify user on your LDAP. Should be uid, email, cn or sAMAccountName.
 #### $base
@@ -174,7 +189,7 @@ Keep in mind this will create a new account on your Mattermost server with infor
 
 
 ## Limitation
-This module has been tested on Centos 7, Fedora and Ubuntu with PostgreSQL.
+This module has been tested on Centos 7, Fedora and Ubuntu with PostgreSQL and Mattermost Community Edition version 4.1 and 4.9.
 
 Others operating systems has not been tested yet but should work fine. 
 

diff --git a/config_init.sh → config_init.sh.example b/config_init.sh → config_init.sh.example
diff --git a/ldap.php b/ldap.php
@@ -7,6 +7,9 @@
 //Ldap adress and port 
 $hostname = "ldap://company.com:389";
 
+//LDAP version
+$ldap_version = 3;
+
 //Unique identifier of user on LDAP
 $uid = "username";
 $email = "username@company.com";
@@ -25,6 +28,7 @@
 echo "<h3>LDAP : Test Center</h3>";
 echo "Attempting to connect LDAP server ... <br />";
 $ldap=ldap_connect($hostname);
+ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, $ldap_version);
 
 if ($ldap) {
 	echo "Successful connection ! <br />"; 

diff --git a/oauth/LDAP/LDAP.php b/oauth/LDAP/LDAP.php
@@ -19,11 +19,13 @@ class LDAP implements LDAPInterface
      * @param string @hostname
      * Either a hostname or, with OpenLDAP 2.x.x and later, a full LDAP URI
      * @param int @port
-     * An optional int to specify ldap server port
+     * An optional int to specify ldap server port, by default : 389
+     * @param int @ldap_version
+     * An optional int to specify ldap version, by default LDAP V3 protocol is used
      * 
      * Initiate LDAP connection by creating an associated resource  
      */
-    public function __construct($hostname, $port = 389)
+    public function __construct($hostname, $port = 389, $ldap_version = 3)
     {
         if (!is_string($hostname)) 
         {
@@ -38,6 +40,16 @@ public function __construct($hostname, $port = 389)
         $ldap = ldap_connect($hostname, $port) 
         	or die("Unable to connect to the ldap server : $ldaphost ! Please check your configuration.");
 
+        // Support LDAP V3 since many users have encountered difficulties with LDAP V3.
+        if (is_int($ldap_version) && $ldap_version <= 3 && $ldap_version > 0)
+        {
+            ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, $ldap_version);
+        }
+        else
+        {
+            throw new InvalidArgumentException('Third argument to LDAP must be the ldap version (int). Ex : 3');
+        }
+
         $this->ldap_server = $ldap;
     }
 
@@ -148,7 +160,7 @@ public function checkLogin($user, $password = null, $search_attribute, $filter =
      * A ldap username or email or sAMAccountName  
      * 
      * @return 
-     * An array with the user's mail and complete name.
+     * An array with the user's mail, complete name and directory name.
      */
     public function getDataForMattermost($base_dn, $filter, $bind_dn, $bind_pass, $search_attribute, $user) {
 

diff --git a/oauth/LDAP/LDAPInterface.php b/oauth/LDAP/LDAPInterface.php
@@ -44,7 +44,7 @@ public function checkLogin($user,$password = null,$search_attribute,$filter = nu
      * A ldap username or email or sAMAccountName  
      * 
      * @return 
-     * An array with the user's mail and complete name.
+     * An array with the user's mail, complete name and directory name.
      */
     public function getDataForMattermost($base_dn, $filter, $bind_dn, $bind_pass, $search_attribute, $user);
 }
diff --git a/oauth/LDAP/config_ldap.php → oauth/LDAP/config_ldap.php.example b/oauth/LDAP/config_ldap.php → oauth/LDAP/config_ldap.php.example
@@ -1,6 +1,8 @@
 <?php
+// LDAP parameters
 $hostname = "ldap://company.com/";
 $port = 389;
+$ldap_version = 3;
 
 // Attribute use to identify user on LDAP - ex : uid, mail, sAMAccountName	
 $search_attribute = "uid";

diff --git a/oauth/authorize.php b/oauth/authorize.php
@@ -54,7 +54,7 @@
 
           <tr>
             <td align="center">
-              <div class="LoginTitle">Mattermost souhaite accéder à vos données LDAP :</div>
+              <div class="LoginTitle">Mattermost desires access to your LDAP data:</div>
         
 
             <form method="post">
@@ -71,16 +71,16 @@
                     </tr>
                     <tr>
                       <td align="center" width="100%" class="LoginUsername">
-                        Connecté en tant que : <b>' . $_SESSION['uid'] . ' </b>
+                        Login as : <b>' . $_SESSION['uid'] . ' </b>
                       </td>
                     </tr>
                     <tr>
                       <td align="left" width="100%" class="LoginUsername">
                          
                         <br/>
-                        Données souhaitées : <br/>
-                        &nbsp; -> Identifiant,<br/>
-                        &nbsp; -> Nom complet,<br/> 
+                        Requested Data : <br/>
+                        &nbsp; -> Username,<br/>
+                        &nbsp; -> Full Name,<br/> 
                         &nbsp; -> Email
                       
                       </td>
@@ -115,18 +115,11 @@
 
 if ($is_authorized) 
 {
-  // this is only here so that you get to see your code in the cURL request. Otherwise, we'd redirect back to the client
+  // This is only here so that you get to see your code in the cURL request. Otherwise, we'd redirect back to the client
   $code = substr($response->getHttpHeader('Location'), strpos($response->getHttpHeader('Location'), 'code=')+5, 40);
   header('Location: ' . $response->getHttpHeader('Location'));
   exit();
 }
 
 // Send message in case of error
-$response->send();
-
-/*<form method="post">
-  <label>Mattermost souhaite accéder à vos données LDAP (Identifiant, nom complet, mail) </label><br />
-  <input type="submit" name="authorized" value="Authorize">
-  <input type="submit" name="authorized" value="Deny">
-</form>
-*/
+$response->send();
diff --git a/oauth/config_db.php → oauth/config_db.php.example b/oauth/config_db.php → oauth/config_db.php.example
diff --git a/oauth/connexion.php b/oauth/connexion.php
@@ -12,20 +12,20 @@
 // Verify all fields have been filled 
 if (empty($_POST['user']) || empty($_POST['password'])) 
 {
-	echo 'You must fill each field<br /><br />';
+	echo 'Please fill in your Username and Password<br /><br />';
 	echo 'Click <a href="./index.php">here</a> to come back to login page';
 }
 else
 {
 	// Check received data length (to prevent code injection) 
 	if (strlen($_POST['user']) > 15)
  	{
-  		echo 'Strange username ... Please try again<br /><br />';
+  		echo 'Username has incorrect format ... Please try again<br /><br />';
 		echo 'Click <a href="./index.php">here</a> to come back to login page';
     }
     elseif (strlen($_POST['password']) > 50 || strlen($_POST['password']) <= 7)
     {
-    	echo 'Strange password ... Please try again<br /><br />';
+    	echo 'Password has incorrect format ... Please try again<br /><br />';
 		echo 'Click <a href="./index.php">here</a> to come back to login page';
     } 
     else
@@ -37,10 +37,20 @@
     	$password=$_POST['password'];
 
     	// Open a LDAP connection
-    	$ldap = new LDAP($hostname,$port);
+    	$ldap = new LDAP($hostname,$port,$ldap_version);
 
 		// Check user credential on LDAP
-		if ($ldap->checkLogin($user,$password,$search_attribute,$filter,$base,$bind_dn,$bind_pass)) 
+		try{
+			$authenticated = $ldap->checkLogin($user,$password,$search_attribute,$filter,$base,$bind_dn,$bind_pass);
+		}
+		catch (Exception $e)
+		{
+			echo json_encode(array("error" => "Impossible to get data", "message" => $e->getMessage()));
+			$authenticated = false;
+		}
+
+		// If user is authenticated
+		if ($authenticated) 
 		{
 		    $_SESSION['uid']=$user;
 

diff --git a/oauth/resource.php b/oauth/resource.php
@@ -19,21 +19,26 @@
 }
 
 // set default error message
-$resp = array("error" => "Unknow error", "message" => "An unknown error has occured, please report this bug");
+$resp = array("error" => "Unknown error", "message" => "An unknown error has occured, please report this bug");
 
 // get information on user associated to the token
 $info_oauth = $server->getAccessTokenData(OAuth2\Request::createFromGlobals());
 $user = $info_oauth["user_id"];
 $assoc_id = $info_oauth["assoc_id"];
 
 // Open a LDAP connection
-$ldap = new LDAP($hostname,$port);
+$ldap = new LDAP($hostname,$port,$ldap_version);
 
 // Try to get user data on the LDAP
 try
 {
 	$data = $ldap->getDataForMattermost($base,$filter,$bind_dn,$bind_pass,$search_attribute,$user);
-	$resp = array("name" => $data['cn'],"username" => $user,"id" => $assoc_id,"state" => "active","email" => $data['mail']);
+
+	// Here is the patch for Mattermost 4.4 and older. Gitlab has changed the JSON output of oauth service. Many data are not used by Mattermost, but there is a stack error if we delete them. That's the reason why date and many parameters are null or empty.
+	$resp = array("id" => $assoc_id,"name" => $data['cn'],"username" => $user,"state" => "active","avatar_url" => "","web_url" => "","created_at" => "0000-00-00T00:00:00.000Z","bio" => null,"location" => null,"skype" => "","linkedin" => "","twitter" => "","website_url" => "","organization" => null,"last_sign_in_at" => "0000-00-00T00:00:00.000Z","confirmed_at" => "0000-00-00T00:00:00.000Z","last_activity_on" => null,"email" => $data['mail'],"theme_id" => 1,"color_scheme_id" => 1,"projects_limit" => 100000,"current_sign_in_at" => "0000-00-00T00:00:00.000Z","identities" => array(array("provider" => "ldapmain","extern_uid" => $data['dn'])),"can_create_group" => true,"can_create_project" => true,"two_factor_enabled" => false,"external" => false,"shared_runners_minutes_limit" => null);
+
+	// Below is the old version, still consistent with Mattermost before version 4.4
+	// $resp = array("name" => $data['cn'],"username" => $user,"id" => $assoc_id,"state" => "active","email" => $data['mail']);
 }
 catch (Exception $e)
 {