when run natively, you need a blank forms file and certificates.

Author: vcmirko

ldap.model.js

@@ -0,0 +1,152 @@
+'use strict';
+const logger=require("../lib/logger");
+const mysql=require("./db.model")
+const helpers=require("../lib/common")
+const YAML=require("yaml")
+const {encrypt,decrypt} = require("../lib/crypto")
+
+//ldap object create
+var Ldap=function(ldap){
+    this.server = ldap.server;
+    this.port = ldap.port;
+    this.ignore_certs = (ldap.ignore_certs)?1:0;
+    this.enable_tls = (ldap.enable_tls)?1:0;
+    this.cert = ldap.cert;
+    this.ca_bundle = ldap.ca_bundle;
+    this.bind_user_dn = ldap.bind_user_dn;
+    this.bind_user_pw = encrypt(ldap.bind_user_pw);
+    this.search_base = ldap.search_base;
+    this.username_attribute = ldap.username_attribute;
+    this.groups_attribute = ldap.groups_attribute;
+    this.enable = (ldap.enable)?1:0;
+    this.is_advanced = (ldap.is_advanced)?1:0;
+    this.groups_search_base = (ldap.is_advanced)?ldap.groups_search_base:""
+    this.group_class = (ldap.is_advanced)?ldap.group_class:""
+    this.group_member_attribute = (ldap.is_advanced)?ldap.group_member_attribute:""
+    this.group_member_user_attribute = (ldap.is_advanced)?ldap.group_member_user_attribute:""
+    this.mail_attribute = ldap.mail_attribute
+};
+Ldap.update = function (record) {
+  logger.info(`Updating ldap ${record.server}`)
+  return mysql.do("UPDATE AnsibleForms.`ldap` set ?", record)
+};
+Ldap.find = function(){
+  return mysql.do("SELECT * FROM AnsibleForms.`ldap` limit 1;")
+    .then((res)=>{
+      if(res.length>0){
+        try{
+          res[0].bind_user_pw=decrypt(res[0].bind_user_pw)
+        }catch(e){
+          logger.error("Couldn't decrypt ldap binding password, did the secretkey change ?")
+          res[0].bind_user_pw=""
+        }
+        return res[0]
+      }else{
+        logger.error("No ldap record in the database, something is wrong")
+        throw "No ldap record in the database, something is wrong"
+      }
+    })
+}
+Ldap.check = function(ldapConfig){
+  return new Promise(async (resolve,reject)=>{
+
+    const { authenticate } = require('../lib/ldap-authentication')
+    // auth with admin
+    var badCertificates=false
+    let options = {
+      ldapOpts: {
+        url: ((ldapConfig.enable_tls==1)?"ldaps":"ldap") + "://" + ldapConfig.server + ":" + ldapConfig.port,
+        tlsOptions: {
+          // cert: cert,
+          // requestCert: tls,
+          // rejectUnauthorized: rejectUnauthorized,
+          // ca: ca
+        }
+      },
+      adminDn: ldapConfig.bind_user_dn,
+      adminPassword: decrypt(ldapConfig.bind_user_pw),
+      userPassword: "dummypassword_for_check",
+      userSearchBase: ldapConfig.search_base,
+      usernameAttribute: ldapConfig.username_attribute,
+      username: "dummyuser_for_check",
+      // starttls: false
+    }
+    // new in v4.0.20, add advanced ldap properties
+    if(ldapConfig.is_advanced){
+      if(ldapConfig.groups_search_base){ options.groupsSearchBase = ldapConfig.groups_search_base }
+      if(ldapConfig.group_class){ options.groupClass = ldapConfig.group_class }
+      if(ldapConfig.group_member_attribute){ options.groupMemberAttribute = ldapConfig.group_member_attribute }
+      if(ldapConfig.group_member_user_attribute){ options.groupMemberUserAttribute = ldapConfig.group_member_user_attribute }
+    }
+    // console.log(options)
+    // ldap-authentication has bad cert check, so we check first !!
+    if(ldapConfig.enable_tls && !(ldapConfig.ignore_certs==1)){
+      if(!helpers.checkCertificate(ldapConfig.cert)){
+        badCertificates=true
+      }
+      if(!helpers.checkCertificate(ldapConfig.ca_bundle)){
+        badCertificates=true
+      }
+    }else{
+      ldapConfig.cert=""
+      ldapConfig.ca_bundle=""
+    }
+    // enable tls/ldaps
+    if(ldapConfig.enable_tls==1){
+      options.ldapOpts.tlsOptions.requestCert = (ldapConfig.enable_tls==1)
+      if(ldapConfig.cert!=""){
+        options.ldapOpts.tlsOptions.cert = ldapConfig.cert
+      }
+      if(ldapConfig.ca_bundle!=""){
+        options.ldapOpts.tlsOptions.ca = ldapConfig.ldapTlsCa
+      }
+      options.ldapOpts.tlsOptions.rejectUnauthorized = !(ldapConfig.ignore_certs==1)
+      logger.info("use tls : " + (ldapConfig.enable_tls==1))
+      logger.info("reject invalid certificates : " + !(ldapConfig.ignore_certs==1))
+    }
+
+    if(badCertificates){
+      reject("Certificate is not valid")
+    }else{
+      logger.notice("Certificates are valid")
+      try{
+        // logger.debug(JSON.stringify(options))
+        logger.notice("Authenticating")
+        var user = await authenticate(options)
+        resolve(user)
+      }catch(err){
+        var em =""
+        if(err.message){
+          em = err.message
+        }else{
+          try{ em = YAML.stringify(err)}catch(e){em = err}
+        }
+        if(err.admin){
+          if(err.admin.lde_message){
+            try{ em = YAML.stringify(err.admin.lde_message)}catch(e){em = err}
+          }
+          else if(err.admin.code){
+            try{ em = YAML.stringify(err.admin)}catch(e){em = err}
+            if(err.admin.code=="UNABLE_TO_VERIFY_LEAF_SIGNATURE"){
+              em = "Unable to verify the certificate"
+            }else if(err.admin.code==49){
+              em = "Wrong binding credentials"
+            }else if(err.admin.code=="ENOTFOUND"){
+              em = "Bad server or port (connection failed)"
+            }
+          }
+        }
+        
+        if(em.includes("user not found")){
+          logger.notice("Checking ldap connection ok")
+          resolve()
+        }else{
+          logger.notice("Checking ldap connection result : " + em)
+          reject(em)
+        }
+      }
+    }
+  })
+}
+
+module.exports= Ldap;

server/templates/cert.pem.template

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDujCCAqKgAwIBAgIJAMMW5u/nBgdrMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV
+BAYTAkJFMREwDwYDVQQIDAhCcnVzc2VsczERMA8GA1UEBwwIQnJ1c3NlbHMxEzAR
+BgNVBAoMCkFuc2libGVHdXkxFTATBgNVBAsMDEFuc2libGVGb3JtczEVMBMGA1UE
+AwwMYW5zaWJsZWZvcm1zMB4XDTIxMTEwMjE1MjIzMVoXDTMxMTAzMTE1MjIzMVow
+djELMAkGA1UEBhMCQkUxETAPBgNVBAgMCEJydXNzZWxzMREwDwYDVQQHDAhCcnVz
+c2VsczETMBEGA1UECgwKQW5zaWJsZUd1eTEVMBMGA1UECwwMQW5zaWJsZUZvcm1z
+MRUwEwYDVQQDDAxhbnNpYmxlZm9ybXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCy4Gb5xWWG7w1CQ09m+PhG3kZaytv0nNs44q4rIBJNmphJ2tem8AIb
+Ggg81SeuOW7e+Ze04IXzNGqEMJ+2I/Hq357a/SlSCL6HnW2c/hZ3CRdrHu1SyFk9
+YrbpWIOBPaJB0KEY5tn4SAds0WR7HUhDsd9/EgkV95mFm16EPfNIzGAdEAZgQkfi
+GGUdfwPAUJoZlZzmSz2soxZJBFA0/x+cq21f0xrxesqM7Il4bWCZAVmYiIkAY1HA
+YOy4C7DKDrPpvifPJdMiOHQ6fwP/JAOZ4HoyDYoUQDCBbAadK3ws4x6i8YlKfltm
+Vq2t3zWZHSVwRF9abDbEGzmUSeYx91k3AgMBAAGjSzBJMA4GA1UdDwEB/wQEAwID
+iDATBgNVHSUEDDAKBggrBgEFBQcDATAiBgNVHREEGzAZggxhbnNpYmxlZm9ybXOC
+CWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAHiY3mFawVyqeAN01jjGvF2+E
+QjtHOL5Q4dtVdoZLvVFdXlRZkqtCZaQna3nYdzLlwWYQy8SC23QkU+P1wNAakf0N
+na4M11Yi71h1hkHTo5Ub88DMWbz/VMaCo/Iefr4Sv1QoEmEeFEUtPbEAO6v9trqp
+GOZv+6H3tuhuQkR+wWllBw7hqnWTvXTGRZXBlQH1wH04Vw6uUXg91ZMUE8DSddEz
+nygVGVTEGWs3eld2j7rICRvGrtKOYrg6m+MfQN/skE1aa+auqu6OySAy0HBvS0u9
+G2+Ka6a54la0RR13lKmUR4y8B0izh5ThI0/FXtmVPI5XmG27Fellw7JG9bt1PQ==
+-----END CERTIFICATE-----

server/templates/forms.yaml.template

@@ -0,0 +1,27 @@
+categories: # a list of categories to group forms
+  - name: Default
+    icon: bars
+roles: # a list of roles
+  - name: admin
+    groups:
+      - local/admins
+  - name: public
+    groups: []
+constants: {} # free objects to re-use over all forms
+forms: # a list of forms
+  - name: Demo Form
+    showHelp: true
+    help: >
+      This is a demo form
+    roles:
+      - public
+    description: A simple form
+    categories:
+      - Demo
+    icon: heart
+    playbook: dummy.yaml
+    type: ansible
+    fields:
+      - type: text
+        name: username
+        label: Username

server/templates/key.pem.template

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCy4Gb5xWWG7w1C
+Q09m+PhG3kZaytv0nNs44q4rIBJNmphJ2tem8AIbGgg81SeuOW7e+Ze04IXzNGqE
+MJ+2I/Hq357a/SlSCL6HnW2c/hZ3CRdrHu1SyFk9YrbpWIOBPaJB0KEY5tn4SAds
+0WR7HUhDsd9/EgkV95mFm16EPfNIzGAdEAZgQkfiGGUdfwPAUJoZlZzmSz2soxZJ
+BFA0/x+cq21f0xrxesqM7Il4bWCZAVmYiIkAY1HAYOy4C7DKDrPpvifPJdMiOHQ6
+fwP/JAOZ4HoyDYoUQDCBbAadK3ws4x6i8YlKfltmVq2t3zWZHSVwRF9abDbEGzmU
+SeYx91k3AgMBAAECggEAYX0X4m0JBl9m9IRG1DJA7i7aXUVOV6TdfcVdczeJgi4N
+bcMN4XfRTgAEGVN6yuOWX4PcgMIVfxVEMENn6BbzFDVIGMX9LS6C2NqeEQASMlIM
+J1+1rHZw3JneYpLRKTD0K7aO9klq5nwrP81nXAn7hpl8235y4TwOudiRzLUO0M9Z
+Da6DT5R7bgGfXpkwZKKzlZwLYZq/gw+TBtEXRN//k8cRDqGCNvetgYczinJrg3HQ
++PDayHAhMqm5ufr59cpGKGWScdNdnLAnporbSHd+6UHHm0Lpza3z2nI3z1R0B7xs
+kgvKh8g4N3lcAkjzMYSYr6Sf+aL16GP7imM8I/O2kQKBgQDaNZVYxs0pbnKocNaU
+YYqNkxT4eNxgU7h3Zqxq9dd++bVq4tOOpO7ocugBc1lrmbQ9kQKRtv3/nUgU9iCI
+ohPjJZRBlvlIaQfPo6zDD3K4xtVe083nlyeKiEN7yslTRl3N9zQDN+Cmb0h6U0Id
+g+q2hX8Ke1ofopQEKqZxpbxvswKBgQDR2vuNdfd77G/Qp7kOU6u+V7752W2nDLEu
+f7FBlwB9tHkfGiS2G/8HZ90Ei9ZC9rDjlsib7HG8tV/EZMhAtKgta3MHJm3h8tEA
+KtX3sRo9W+ArOp+jvu+6Bj7Jn+GOHXYwpOodP1zt47xPrnayFuPV7/5XtS2zrsuo
+CwZyEuAObQKBgE2nwhWM8lhrSPyu43581A0cKdtfT7YsNTqw3G1YPi+e+DQosvdR
+tQAeXHifr1P+qEk8wPhQckY0mAF1shBN9dvhdMh+zQo67p+zdPkaF06w3CBaKi3f
++h9v7OwyN8GeCiYRcn4utZEli1qVJLNSTgZUrehyC5m0hw6QixlozQ3HAoGBAItq
+cuIo8/C1RBeXxb554chDnRF53Ho1WWSt2oHboqzgf/MkuCzv7n7qBpBlokO8hgm8
++6ty6qDW0je0SMGMA4qhLrsaUbfhS+5ThvDWDLuk1QmDGdl8GOE6Eu56NCvo8MMi
+XJJvrPox6MH7AsoPoO9ZUFzOdf1Aa/ZI1NBmL8oFAoGBALduRfv4J1kFvauCWueM
+QKn7y8DIuFuPZiBmLIKPSPZlzayPLJjS99jRjX/f1l27wOVAbW2Jl6HcRgcZiyoo
+BNT1HmUcnP/G9OljB76j/URVjcfAUY12R8bnfuGlb1gzXaUccg0NdXMhOELXgnvx
+eO0iTAwAMg0zebMbkmfBe/Zw
+-----END PRIVATE KEY-----