From ba3503ebe0d711b3c5867590c232b873f38f7524 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire <ysainthilaire@hotmail.com>
Date: Thu, 11 Apr 2019 14:52:23 -0700
Subject: [PATCH] LDAP fixes.

---
 meshcentral.js |  1 +
 package.json   |  2 +-
 webserver.js   | 84 +++++++++++++++++++++++++++++++++-----------------
 3 files changed, 58 insertions(+), 29 deletions(-)

diff --git a/meshcentral.js b/meshcentral.js
index dbe2bc60..6cead309 100644
--- a/meshcentral.js
+++ b/meshcentral.js
@@ -558,6 +558,7 @@ function CreateMeshCentralServer(config, args) {
                 process.exit();
                 return;
             }
+            if ((obj.config.domains[i].auth == 'ldap') || (obj.config.domains[i].auth == 'sspi')) { obj.config.domains[i].newaccounts = 0; } // No new accounts allowed in SSPI/LDAP authentication modes.
         }
 
         // Log passed arguments into Windows Service Log
diff --git a/package.json b/package.json
index 83a01954..88b79aa6 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "meshcentral",
-  "version": "0.3.2-i",
+  "version": "0.3.2-k",
   "keywords": [
     "Remote Management",
     "Intel AMT",
diff --git a/webserver.js b/webserver.js
index c733515d..923e858e 100644
--- a/webserver.js
+++ b/webserver.js
@@ -219,36 +219,64 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
         if (!module.parent) console.log('authenticating %s:%s:%s', domain.id, name, pass);
 
         if (domain.auth == 'ldap') {
-            // LDAP login
-            var LdapAuth = require('ldapauth-fork');
-            var ldap = new LdapAuth(domain.ldapoptions);
-            ldap.authenticate(name, pass, function (err, xxuser) {
-                try { ldap.close(); } catch (ex) { console.log(ex); } // Close the LDAP object
-                if (err) { fn(new Error('invalid password')); return; }
-                if (xxuser.objectSid == null) { fn(new Error('no objectSid')); return; }
-                var userid = 'user/' + domain.id + '/' + Buffer.from(xxuser.objectSid, 'binary').toString('hex').toLowerCase();
-                var user = obj.users[userid];
-                if (user == null) {
-                    // This user does not exist, create a new account.
-                    var name = null;
-                    if (xxuser.displayName) { name = xxuser.displayName; }
-                    else if (xxuser.name) { name = xxuser.name; }
-                    else if (xxuser.cn) { name = xxuser.cn; }
-                    if (name == null) { fn(new Error('no user name')); return; }
-                    var user = { type: 'user', _id: userid, name: name, creation: Math.floor(Date.now() / 1000), login: Math.floor(Date.now() / 1000), domain: domain.id };
-                    var usercount = 0;
-                    for (var i in obj.users) { if (obj.users[i].domain == domain.id) { usercount++; } }
-                    if (usercount == 0) { user.siteadmin = 0xFFFFFFFF; if (domain.newaccounts === 2) { domain.newaccounts = 0; } } // If this is the first user, give the account site admin.
-                    obj.users[user._id] = user;
-                    obj.db.SetUser(user);
-                    obj.parent.DispatchEvent(['*', 'server-users'], obj, { etype: 'user', username: user.name, account: obj.CloneSafeUser(user), action: 'accountcreate', msg: 'Account created, name is ' + name, domain: domain.id });
-                    return fn(null, user._id);
+            if (domain.ldapoptions.url == 'test') {
+                // Fake LDAP login
+                var xxuser = domain.ldapoptions[name.toLowerCase()];
+                if (xxuser == null) {
+                    fn(new Error('invalid password'));
+                    return;
                 } else {
-                    // This is an existing user
-                    if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { fn('locked'); return; }
-                    return fn(null, user._id);
+                    var shortname = null;
+                    if (xxuser.name) { shortname = xxuser.name; }
+                    else if (xxuser.cn) { shortname = xxuser.cn; }
+                    if (shortname == null) { fn(new Error('no short name')); return; }
+                    var userid = 'user/' + domain.id + '/' + shortname;
+                    var user = obj.users[userid];
+                    if (user == null) {
+                        var user = { type: 'user', _id: userid, name: shortname, creation: Math.floor(Date.now() / 1000), login: Math.floor(Date.now() / 1000), domain: domain.id };
+                        var usercount = 0;
+                        for (var i in obj.users) { if (obj.users[i].domain == domain.id) { usercount++; } }
+                        if (usercount == 0) { user.siteadmin = 0xFFFFFFFF; if (domain.newaccounts === 2) { domain.newaccounts = 0; } } // If this is the first user, give the account site admin.
+                        obj.users[user._id] = user;
+                        obj.db.SetUser(user);
+                        obj.parent.DispatchEvent(['*', 'server-users'], obj, { etype: 'user', username: user.name, account: obj.CloneSafeUser(user), action: 'accountcreate', msg: 'Account created, name is ' + name, domain: domain.id });
+                        return fn(null, user._id);
+                    } else {
+                        // This is an existing user
+                        if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { fn('locked'); return; }
+                        return fn(null, user._id);
+                    }
                 }
-            });
+            } else {
+                // LDAP login
+                var LdapAuth = require('ldapauth-fork');
+                var ldap = new LdapAuth(domain.ldapoptions);
+                ldap.authenticate(name, pass, function (err, xxuser) {
+                    try { ldap.close(); } catch (ex) { console.log(ex); } // Close the LDAP object
+                    if (err) { fn(new Error('invalid password')); return; }
+                    var shortname = null;
+                    if (xxuser.name) { shortname = xxuser.name; }
+                    else if (xxuser.cn) { shortname = xxuser.cn; }
+                    if (shortname == null) { fn(new Error('no short name')); return; }
+                    var userid = 'user/' + domain.id + '/' + shortname;
+                    var user = obj.users[userid];
+                    if (user == null) {
+                        // This user does not exist, create a new account.
+                        var user = { type: 'user', _id: userid, name: shortname, creation: Math.floor(Date.now() / 1000), login: Math.floor(Date.now() / 1000), domain: domain.id };
+                        var usercount = 0;
+                        for (var i in obj.users) { if (obj.users[i].domain == domain.id) { usercount++; } }
+                        if (usercount == 0) { user.siteadmin = 0xFFFFFFFF; if (domain.newaccounts === 2) { domain.newaccounts = 0; } } // If this is the first user, give the account site admin.
+                        obj.users[user._id] = user;
+                        obj.db.SetUser(user);
+                        obj.parent.DispatchEvent(['*', 'server-users'], obj, { etype: 'user', username: user.name, account: obj.CloneSafeUser(user), action: 'accountcreate', msg: 'Account created, name is ' + name, domain: domain.id });
+                        return fn(null, user._id);
+                    } else {
+                        // This is an existing user
+                        if ((user.siteadmin) && (user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & 32) != 0) { fn('locked'); return; }
+                        return fn(null, user._id);
+                    }
+                });
+            }
         } else {
             // Regular login
             var user = obj.users['user/' + domain.id + '/' + name.toLowerCase()];