Add check for undefined UUID

This check is needed at there are tons of LDAP implementations out there
and none has at least one guaranteed unique field. As we currently check
three fields and added an option to select one yourself, it's still not
said that any of these fields is set. This will now create an error
and fail the authentication instead of letting people may get access to
other people's notes which are stored under a this way deterministic
wrong userid named `LDAP-undefined`.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This commit is contained in:
Sheogorath 2018-03-17 21:56:52 +01:00
parent 9cbe03d8a8
commit 638eae0dfb
No known key found for this signature in database
GPG key ID: 1F05CC3635CDDFFD

View file

@ -23,11 +23,18 @@ passport.use(new LDAPStrategy({
tlsOptions: config.ldap.tlsOptions || null tlsOptions: config.ldap.tlsOptions || null
} }
}, function (user, done) { }, function (user, done) {
var uuid = user.uidNumber || user.uid || user.sAMAccountName var uuid = user.uidNumber || user.uid || user.sAMAccountName || undefined
if (config.ldap.useridField && user[config.ldap.useridField]) { if (config.ldap.useridField && user[config.ldap.useridField]) {
uuid = user[config.ldap.useridField] uuid = user[config.ldap.useridField]
} }
if (typeof uuid === 'undefined') {
throw new Error('Could not determine UUID for LDAP user. Check that ' +
'either uidNumber, uid or sAMAccountName is set in your LDAP directory ' +
'or use another unique attribute and configure it using the ' +
'"useridField" option in ldap settings.')
}
var username = uuid var username = uuid
if (config.ldap.usernameField && user[config.ldap.usernameField]) { if (config.ldap.usernameField && user[config.ldap.usernameField]) {
username = user[config.ldap.usernameField] username = user[config.ldap.usernameField]