From 218955f830eb618f7366a0d3b0d8152895beab90 Mon Sep 17 00:00:00 2001
From: William Turner <william.turner@aero.bombardier.com>
Date: Wed, 22 Mar 2017 12:59:44 -0400
Subject: [PATCH] Changes TLS to StartTLS

---
 .../src/metabase/admin/settings/selectors.js  |  2 +-
 src/metabase/api/session.clj                  |  1 +
 src/metabase/integrations/ldap.clj            | 30 +++++++------------
 src/metabase/models/user.clj                  |  6 ++--
 4 files changed, 16 insertions(+), 23 deletions(-)

diff --git a/frontend/src/metabase/admin/settings/selectors.js b/frontend/src/metabase/admin/settings/selectors.js
index e0312348473..e17dc319262 100644
--- a/frontend/src/metabase/admin/settings/selectors.js
+++ b/frontend/src/metabase/admin/settings/selectors.js
@@ -180,7 +180,7 @@ const SECTIONS = [
                 display_name: "LDAP Security",
                 description: null,
                 type: "radio",
-                options: { none: "None", ssl: "SSL", tls: "TLS" },
+                options: { none: "None", ssl: "SSL", starttls: "StartTLS" },
                 defaultValue: 'none'
             },
             {
diff --git a/src/metabase/api/session.clj b/src/metabase/api/session.clj
index 3ae46fbe278..91cb2d72edd 100644
--- a/src/metabase/api/session.clj
+++ b/src/metabase/api/session.clj
@@ -55,6 +55,7 @@
     ;; First try LDAP if it's enabled
     (when (ldap/ldap-configured?)
       (when-let [{:keys [first-name last-name email], :as user-info} (ldap/find-user username)]
+        (println user-info)
         (if (ldap/verify-password user-info password)
           (ldap-fetch-or-create-user! first-name last-name email password)
           ;; Since LDAP knows about our user, fail fast here to prevent the local strategy to be tried with a potentially outdated password
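Review bot: The `(println user-info)` added ahead of the `verify-password` call writes the whole LDAP record — DN, first/last name, email and, with this patch, the `:groups` vector — to stdout on every login attempt, so account data ends up in process logs for anyone who can read them; it reads as a debug leftover rather than part of the TLS change the commit title describes. Drop the line, or if a trace is wanted use the namespace's logging macro at debug level with the username only (e.g. `(log/debug "LDAP user found for" username)`, assuming clojure.tools.logging is required here — the ns form is outside the hunk). The enclosing function starts and ends outside the hunk.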
diff --git a/src/metabase/integrations/ldap.clj b/src/metabase/integrations/ldap.clj
index 0d3aa9a65cb..1a1189308a8 100644
--- a/src/metabase/integrations/ldap.clj
+++ b/src/metabase/integrations/ldap.clj
@@ -15,7 +15,7 @@
   :default "none"
   :setter  (fn [new-value]
              (when-not (nil? new-value)
-               (assert (contains? #{"none" "ssl" "tls"} new-value)))
+               (assert (contains? #{"none" "ssl" "starttls"} new-value)))
              (setting/set-string! :ldap-security new-value)))
 
 (defsetting ldap-bind-dn
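Review bot: Installations that already saved `"tls"` under `:ldap-security` are not migrated: the setter's new allowed set rejects that value on the next save, and the connection map in the hunk at `@@ -57,7 +57,7 @@` now derives `:startTLS? (= (ldap-security) "starttls")`, so a stored `"tls"` produces `:ssl? false` and `:startTLS? false` — a silent downgrade of a link configured for StartTLS to a plaintext LDAP connection that carries the bind DN and password. Either accept the old spelling as an alias in both places, e.g. `:startTLS? (contains? #{"tls" "starttls"} (ldap-security))` and `(assert (contains? #{"none" "ssl" "tls" "starttls"} new-value))`, or ship a one-off setting migration; the option rename in selectors.js has the same effect on the radio's selected value. The `defsetting` form starts outside the hunk.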
@@ -57,7 +57,7 @@
                  :bind-dn   (ldap-bind-dn)
                  :password  (ldap-password)
                  :ssl?      (= (ldap-security) "ssl")
-                 :startTLS? (= (ldap-security) "tls")}))
+                 :startTLS? (= (ldap-security) "starttls")}))
 
 (defn- with-connection [f & args]
   "Applies `f` with a connection pool followed by `args`"
@@ -80,27 +80,19 @@
           email-attr (keyword (ldap-attribute-email))]
       (when-let [[result] (ldap/search conn (ldap-base) {:scope      :sub
                                                          :filter     (s/replace (ldap-user-filter) "{login}" (escape-value username))
-                                                         :attributes [:dn :distinguishedName fname-attr lname-attr email-attr]
+                                                         :attributes [:dn :distinguishedName :membderOf fname-attr lname-attr email-attr]
                                                          :size-limit 1})]
-        {:dn         (or (:dn result) (:distinguishedName result)) ; TODO - Check if AD also provides "dn"
+        {:dn         (or (:dn result) (:distinguishedName result))
          :first-name (get result fname-attr)
          :last-name  (get result lname-attr)
-         :email      (get result email-attr)}))))
-
-(defn auth-user
-  "Authenticates the user with an LDAP bind operation. Returns the user information when successful, nil otherwise."
-  ([username password]
-    (with-connection auth-user username password))
-  ([conn username password]
-    ;; first figure out the user even exists, we also need the DN to reliably bind with LDAP
-    (when-let [{:keys [dn], :as user} (find-user conn username)]
-      ;; then try a bind with the DN we got and the supplied password
-      (when (ldap/bind? conn dn password)
-        user))))
+         :email      (get result email-attr)
+         :groups     (or (:membderOf result) [])}))))
 
 (defn verify-password
-  "Verifies if the password supplied is correct. `user-info` is what `find-user` returns (alternarively only the :dn needs to be filled in)"
+  "Verifies if the password supplied is valid for the supplied `user-info` (from `find-user`) or DN."
   ([user-info password]
     (with-connection verify-password user-info password))
-  ([conn {:keys [dn]} password]
-    (ldap/bind? conn dn password)))
+  ([conn user-info password]
+    (if (string? user-info)
+      (ldap/bind? conn user-info password)
+      (ldap/bind? conn (:dn user-info) password))))
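Review bot: `:membderOf` in the `:attributes` vector and again in `(:membderOf result)` is a misspelling of `memberOf`, so the search requests an attribute no directory serves and `:groups` is always `[]`; the two lines should read `:attributes [:dn :distinguishedName :memberOf fname-attr lname-attr email-attr]` and `:groups (or (:memberOf result) [])`. Nothing in this patch consumes `:groups`, so the defect stays invisible until group-based authorization is built on it and silently grants nobody membership; a test asserting a non-empty `:groups` for a known fixture user would catch it. `memberOf` is also a directory-specific attribute (it is the usual AD name), so the docstring of `find-user` should say which servers `:groups` is populated for — `find-user` starts outside the hunk.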
diff --git a/src/metabase/models/user.clj b/src/metabase/models/user.clj
index f18bddaa74a..a1bf89f09b6 100644
--- a/src/metabase/models/user.clj
+++ b/src/metabase/models/user.clj
@@ -142,14 +142,14 @@
     (email/send-user-joined-admin-notification-email! <>, :google-auth? true)))
 
 (defn create-new-ldap-auth-user!
-  "Convenience for creating a new user via Google Auth. This account is considered active immediately; thus all active admins will recieve an email right away."
-  [first-name last-name email-address]
+  "Convenience for creating a new user via LDAP. This account is considered active immediately; thus all active admins will recieve an email right away."
+  [first-name last-name email-address password]
   {:pre [(string? first-name) (string? last-name) (u/is-email? email-address)]}
   (u/prog1 (db/insert! User
              :email      email-address
              :first_name first-name
              :last_name  last-name
-             :password   (str (UUID/randomUUID))
+             :password   password
              :ldap_auth  true)
     ;; send an email to everyone including the site admin if that's set
     (email/send-user-joined-admin-notification-email! <>, :ldap-auth? true)))
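Review bot: `create-new-ldap-auth-user!` now persists the caller-supplied `password` as the account's local credential where it previously stored a throwaway random UUID, and the caller in session.clj passes the plaintext LDAP login password, so the directory credential is copied into Metabase's user table (whether or not the model hashes it on insert, which the hunk does not show) and remains usable by the local strategy after it is changed or revoked in LDAP — exactly the "potentially outdated password" case the comment at that call site guards against. If letting LDAP users fall back to local login is intended, state it in the docstring and the commit message, which currently only mentions the TLS rename; otherwise keep the random value. Independently, the new parameter is unvalidated — extend the precondition to `{:pre [(string? first-name) (string? last-name) (u/is-email? email-address) (string? password)]}` — and `recieve` in the retouched docstring is misspelled.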
-- 
GitLab