Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once set up, you can install agents and perform remote desktop sessions to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

LDAP Binding fields to users in MeshCentral #1776

Open LFM8787 opened 4 years ago

LFM8787 commented 4 years ago

I love MeshCentral. Since in my organization we use Active Directory as the authentication method, it would be great to be able to use the data currently uploaded to Active Directory to fill in the fields for each user automatically.

This is the case for GLPI, where each field is bound to an actual Active Directory (ldap) field: [image]

Since a lot of companies use ldap for their users, it could be populated automatically: [image]

Ylianst commented 4 years ago

This is a very good request. I don't have much knowledge of LDAP, but I think I can give this request a try.

Ylianst commented 4 years ago

Looking at the code, can you try this line in your config.json at the same level as "auth":"ldap":

      "auth": "ldap",
      "LDAPUserEmail": "mail"          <--------

This should indicate to MeshCentral to grab the email address from "mail". Let me know if this works. If it does, I will add values for "RealName" and "Phone" since I don't have these yet. "Phone" is just in case you are using an SMS provider and want to support SMS 2FA.

Thanks, Ylian

LFM8787 commented 4 years ago

> Looking at the code, can you try this line in your config.json at the same level as "auth":"ldap":
>
>       "auth": "ldap",
>       "LDAPUserEmail": "mail"          <--------
>
> This should indicate to MeshCentral to grab the email address from "mail". Let me know if this works. If it does, I will add values for "RealName" and "Phone" since I don't have these yet. "Phone" is just in case you are using an SMS provider and want to support SMS 2FA.
>
> Thanks, Ylian

Thanks for the fast response, I've tested some combinations but none of them seem to work.

Test 1:

         "Auth": "sspi",
         "Auth": "ldap",
         "LDAPUserEmail": "mail",

Since I use sspi as the auth method, I tried to keep it in the config file; the server service didn't start.

Test 2:

         "Auth": "sspi",
         "Auth": "_ldap",
         "LDAPUserEmail": "mail",

Server service started but didn't fill the email field; tested with existing and new accounts.

Test 3:

         "Auth": "_sspi",
         "Auth": "ldap",
         "LDAPUserEmail": "mail",

Server service didn't start, I guess I'm missing LDAPUserName or LDAPOptions.

Test 4:

         "_Auth": "sspi",
         "Auth": "ldap",
         "_LDAPUserEmail": "mail",
      "LDAPOptions": {
        "URL": "ldap://1.2.3.4:389",
        "BindDN": "CN=Admin,CN=Users,DC=contoso,DC=com",
        "BindCredentials": "Admin_password_plain_text",
        "SearchBase": "OU=Users,DC=contoso,DC=com",
        "SearchFilter": "(sAMAccountName={{username}})"
      },

Where 1.2.3.4 is my main Domain Controller; the BindDN, the BindCredentials and SearchBase have been obfuscated but were correct (GLPI uses them). I received the following error when trying to log in (lost sspi):

AssertionError [ERR_ASSERTION]: LDAP server URL not defined (opts.url)
    at new LdapAuth (C:\Program Files\Open Source\MeshCentral\node_modules\ldapauth-fork\lib\ldapauth.js:63:10)
    at Object.obj.authenticate (C:\Program Files\Open Source\MeshCentral\node_modules\meshcentral\webserver.js:461:28)
    at handleLoginRequest (C:\Program Files\Open Source\MeshCentral\node_modules\meshcentral\webserver.js:898:13)
    at handleRootPostRequest (C:\Program Files\Open Source\MeshCentral\node_modules\meshcentral\webserver.js:2473:29)
    at Layer.handle [as handle_request] (C:\Program Files\Open Source\MeshCentral\node_modules\express\lib\router\layer.js:95:5)
    at next (C:\Program Files\Open Source\MeshCentral\node_modules\express\lib\router\route.js:137:13)
    at Route.dispatch (C:\Program Files\Open Source\MeshCentral\node_modules\express\lib\router\route.js:112:3)
    at Layer.handle [as handle_request] (C:\Program Files\Open Source\MeshCentral\node_modules\express\lib\router\layer.js:95:5)
    at C:\Program Files\Open Source\MeshCentral\node_modules\express\lib\router\index.js:281:22
    at Function.process_params (C:\Program Files\Open Source\MeshCentral\node_modules\express\lib\router\index.js:335:12

I think I came to a dead end, I'll continue testing...

Thank you!

Ylianst commented 4 years ago

Oh. In your first post you make it sound like everything is working except you don't have the email and real name set in the server. It looks like you don't have LDAP setup at all.

MeshCentral uses "ldapauth-fork" and so, the "LDAPOptions" are passed as-is to that library.

At some point I need to setup a LDAP server myself for testing, but I can't seem to find any easy way to get started with that. If you have suggestions, that would be great.

LFM8787 commented 4 years ago

Sorry for the misunderstanding, I'll check that library to learn how to use it with Active Directory, thank you!

LFM8787 commented 4 years ago

> Oh. In your first post you make it sound like everything is working except you don't have the email and real name set in the server. It looks like you don't have LDAP setup at all.
>
> MeshCentral uses "ldapauth-fork" and so, the "LDAPOptions" are passed as-is to that library.
>
> At some point I need to setup a LDAP server myself for testing, but I can't seem to find any easy way to get started with that. If you have suggestions, that would be great.

After checking the library, the server now starts but there is no authentication login: it asks for username and password, but the "Incorrect username or password" message appears when trying to log in.

old setup:

         "_Auth": "sspi",
         "Auth": "ldap",
         "_LDAPUserEmail": "mail",
      "LDAPOptions": {
        "URL": "ldap://1.2.3.4:389",
        "BindDN": "CN=Admin,CN=Users,DC=contoso,DC=com",
        "BindCredentials": "Admin_password_plain_text",
        "SearchBase": "OU=Users,DC=contoso,DC=com",
        "SearchFilter": "(sAMAccountName={{username}})"
      },

new setup (options are case sensitive):

         "_Auth": "sspi",
         "Auth": "ldap",
         "_LDAPUserEmail": "mail",
      "LDAPOptions": {
        "url": "ldap://1.2.3.4:389",
        "BindDN": "CN=Admin,CN=Users,DC=contoso,DC=com",
        "BindCredentials": "Admin_password_plain_text",
        "searchBase": "CN=Users,DC=contoso,DC=com",
        "searchFilter": "(sAMAccountName={{Username}})"
      },

I'll continue testing but my skills are very limited. Maybe this could help: https://github.com/gheeres/node-activedirectory

treicadani commented 4 years ago

@LFM8787 at the moment, I had to manually edit node_modules/meshcentral/webserver.js and change the below code in 2 places

var userid = 'user/' + domain.id + '/' + shortname;

to

var userid = 'user/' + domain.id + '/' + xxuser.sAMAccountName;

to make it work. It was requested as a temporary solution that this change be added by default so we don't have to do it each time, but maybe it interferes with the default auth method, hence the reason it was not added.

You should be able to auth using LDAP if you do the change manually.

Ref: https://github.com/Ylianst/MeshCentral/issues/336

Ylianst commented 4 years ago

Instead of making the change to the code, you can revert the code change and add this line to the config.json file:

      "auth": "ldap",
      "ldapUserName": "sAMAccountName"           <-----------

It should do the same thing.
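An added example, not MeshCentral's or ldapauth-fork's own code, covering both the case-sensitive LDAPOptions keys LFM8787 ran into and the ldapUserName/ldapUserEmail/ldapUserRealName attribute mapping discussed here. It assumes ldapauth-fork reads the lower-camel-case option names listed in the block and replaces the literal "{{username}}" token in searchFilter, and that the userid format 'user/<domainId>/<name>' follows the webserver.js line quoted above; the sample domain config is constructed.

```javascript
// Added example, not MeshCentral's or ldapauth-fork's own code: it flags the LDAP
// config pitfalls seen in this thread and shows how the configured attribute names
// turn an LDAP entry into a MeshCentral-style user record. Assumptions: ldapauth-fork
// reads the lower-camel-case keys below and replaces the literal "{{username}}"
// token in searchFilter; 'user/<domainId>/<name>' follows the webserver.js line above.
const LDAPAUTH_KEYS = ['url', 'bindDN', 'bindCredentials', 'searchBase', 'searchFilter'];

// Return a list of problems with a domain's LDAP settings (empty list = looks fine).
function checkLdapConfig(domain) {
  const problems = [];
  if (String(domain.auth || domain.Auth || '').toLowerCase() !== 'ldap') problems.push('auth is not "ldap"');
  const opts = domain.LDAPOptions || domain.ldapOptions;
  if (!opts) return problems.concat('LDAPOptions missing');
  for (const key of Object.keys(opts)) { // option names are case sensitive
    const expected = LDAPAUTH_KEYS.find(k => k.toLowerCase() === key.toLowerCase());
    if (expected && expected !== key) problems.push(`"${key}" is ignored; use "${expected}"`);
  }
  if (!opts.url) problems.push('LDAP server URL not defined (opts.url)');
  if (opts.searchFilter && !opts.searchFilter.includes('{{username}}')) problems.push('searchFilter has no {{username}} token');
  if (!domain.ldapUserName) problems.push('ldapUserName not set (e.g. "sAMAccountName")');
  return problems;
}

// Escape a value before interpolating it into an LDAP filter (RFC 4515).
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g,
    c => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Expand the {{username}} token safely, so a typed name cannot alter the filter.
function buildSearchFilter(searchFilter, username) {
  return searchFilter.replace(/\{\{username\}\}/g, escapeFilterValue(username));
}

// Map an LDAP entry onto a user record via ldapUserName/ldapUserEmail/ldapUserRealName.
function mapLdapUser(domain, domainId, entry) {
  const pick = attr => (attr && entry[attr] != null) ? String(entry[attr]) : undefined;
  const shortname = pick(domain.ldapUserName);
  if (!shortname) return null; // no usable username attribute: cannot build a userid
  return { _id: 'user/' + domainId + '/' + shortname, name: shortname,
           email: pick(domain.ldapUserEmail), realname: pick(domain.ldapUserRealName) };
}

// Constructed sample with some capitalised option keys, as in the thread's early attempts.
const sampleDomain = { auth: 'ldap', ldapUserName: 'sAMAccountName', ldapUserEmail: 'mail',
  LDAPOptions: { URL: 'ldap://1.2.3.4:389', bindDN: 'CN=Admin,CN=Users,DC=contoso,DC=com',
    bindCredentials: 'PLACEHOLDER_PASSWORD', SearchBase: 'CN=Users,DC=contoso,DC=com',
    searchFilter: '(sAMAccountName={{username}})' } };
console.log(checkLdapConfig(sampleDomain));
```

Running it lists the three problems the thread hit ("URL" and "SearchBase" are ignored, so opts.url is undefined); fixing the casing yields an empty list.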

treicadani commented 4 years ago

[image: Capture]

My config has had the ldapUserName field for a long time, but without editing webserver.js, when a user logs in a long code is generated as the username rather than the actual sAMAccountName, and as I remember you can't assign users to groups since it expects a username in the field, which doesn't exist.

compgeniuses commented 2 years ago

> At some point I need to setup a LDAP server myself for testing, but I can't seem to find any easy way to get started with that. If you have suggestions, that would be great.

You should check out Nethserver for that.

ph4xo commented 2 years ago

> Looking at the code, can you try this line in your config.json at the same level as "auth":"ldap":
>
>       "auth": "ldap",
>       "LDAPUserEmail": "mail"          <--------
>
> This should indicate to MeshCentral to grab the email address from "mail". Let me know if this works. If it does, I will add values for "RealName" and "Phone" since I don't have these yet. "Phone" is just in case you are using an SMS provider and want to support SMS 2FA.
>
> Thanks, Ylian

Sorry for answering in this old thread, but I'm struggling with ldapUserRealName. Whatever I try, the real name is never populated with any information. I tried "ldapUserRealName": "displayName" and also "ldapUserRealName": "name", but it is still empty. ldapUserEmail and the rest are working like a charm.

And just to add, it would be very nice to pick the user image from LDAP, too. We are managing all our pictures there. The image is in the attribute thumbnailPhoto and is base64 encoded. Some setting like "ldapUserImage": true would be perfect.

What do you think about this?

Cheers, Timo