Merge pull request bigbluebutton#177 from joshua-arts/master

LDAP Authentication Support
minhnhut0602 · Jul 7, 2017 · a45f4d4 · a45f4d4
2 parents 9bbb669 + 0b1ae24
commit a45f4d4
Show file tree

Hide file tree

Showing 11 changed files with 78 additions and 3 deletions.
diff --git a/Gemfile b/Gemfile
@@ -65,6 +65,7 @@ gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]
 gem 'omniauth', '1.3.1'
 gem 'omniauth-twitter', '1.2.1'
 gem 'omniauth-google-oauth2', '0.4.1'
+gem 'omniauth-ldap'
 
 gem 'bigbluebutton-api-ruby'
 

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -116,6 +116,7 @@ GEM
     multi_json (1.12.1)
     multi_xml (0.5.5)
     multipart-post (2.0.0)
+    net-ldap (0.16.0)
     nio4r (1.2.1)
     nokogiri (1.6.8.1)
       mini_portile2 (~> 2.1.0)
@@ -134,6 +135,11 @@ GEM
       multi_json (~> 1.3)
       omniauth (>= 1.1.1)
       omniauth-oauth2 (>= 1.3.1)
+    omniauth-ldap (1.0.5)
+      net-ldap (~> 0.12)
+      omniauth (~> 1.0)
+      pyu-ruby-sasl (~> 0.0.3.2)
+      rubyntlm (~> 0.3.4)
     omniauth-oauth (1.1.0)
       oauth
       omniauth (~> 1.0)
@@ -151,6 +157,7 @@ GEM
       mimemagic (= 0.3.0)
     pg (0.19.0)
     puma (3.6.0)
+    pyu-ruby-sasl (0.0.3.3)
     rack (2.0.1)
     rack-test (0.6.3)
       rack (>= 1.0)
@@ -184,6 +191,7 @@ GEM
     rb-fsevent (0.9.7)
     rb-inotify (0.9.7)
       ffi (>= 0.5.0)
+    rubyntlm (0.3.4)
     sass (3.4.22)
     sass-rails (5.0.6)
       railties (>= 4.0.0, < 6)
@@ -254,6 +262,7 @@ DEPENDENCIES
   mocha
   omniauth (= 1.3.1)
   omniauth-google-oauth2 (= 0.4.1)
+  omniauth-ldap
   omniauth-twitter (= 1.2.1)
   paperclip (~> 4.2)
   pg

diff --git a/app/assets/images/ldap_icon.png b/app/assets/images/ldap_icon.png
diff --git a/app/assets/stylesheets/main/landing.scss b/app/assets/stylesheets/main/landing.scss
@@ -114,3 +114,9 @@
 .tooltip-wrapper {
   display: inline-block;
 }
+
+ #youtube-footer{
+   font-size: 10px;
+   text-align: center;
+   margin-top: 10px; 
+ }
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
@@ -16,7 +16,13 @@
 
 class SessionsController < ApplicationController
 
+  skip_before_action :verify_authenticity_token
+
   def new
+    # If LDAP is enabled, just route to it instead.
+    if Rails.application.config.omniauth_ldap
+      redirect_to "#{relative_root}/auth/ldap"
+    end
   end
 
   def create
@@ -36,6 +42,12 @@ def destroy
   end
 
   def auth_failure
-    redirect_to '/'
+    if params[:message] == 'invalid_credentials'
+      redirect_to '/', flash: {danger: t('invalid_login') }
+    elsif params[:message] == 'ldap_error'
+      redirect_to '/', flash: {danger: t('ldap_error') }
+    else
+      redirect_to '/'
+    end
   end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -47,6 +47,14 @@ def self.google_email(auth_hash)
     auth_hash['info']['email']
   end
 
+  def self.ldap_username(auth_hash)
+    auth_hash['info']['nickname']
+  end
+
+  def self.ldap_email(auth_hash)
+    auth_hash['info']['email']
+  end
+
   def set_encrypted_id
     self.encrypted_id = "#{username[0..1]}-#{Digest::SHA1.hexdigest(uid+provider)[0..7]}"
   end

diff --git a/app/views/landing/rooms.html.erb b/app/views/landing/rooms.html.erb
@@ -76,6 +76,7 @@
             <%= t('upload') %>
           </button>
         </div>
+        <p id = 'youtube-footer'><%= t('youtube_footer') %></p>
     </form>
   </div>
   <div class='mail_youtube_popover'>

diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
@@ -1,11 +1,27 @@
-Rails.application.config.providers = [:google, :twitter]
+Rails.application.config.providers = [:google, :twitter, :ldap]
 
 Rails.application.config.omniauth_google = ENV['GOOGLE_OAUTH2_ID'].present?
 
 Rails.application.config.omniauth_twitter = ENV['TWITTER_ID'].present?
 
+Rails.application.config.omniauth_ldap = ENV['LDAP_SERVER'].present?
+
 Rails.application.config.middleware.use OmniAuth::Builder do
   provider :twitter, ENV['TWITTER_ID'], ENV['TWITTER_SECRET']
   provider :google_oauth2, ENV['GOOGLE_OAUTH2_ID'], ENV['GOOGLE_OAUTH2_SECRET'],
     scope: ['profile', 'email', 'youtube', 'youtube.upload'], access_type: 'online', name: 'google'
+  provider :ldap,
+    host: ENV['LDAP_SERVER'],
+    port: ENV['LDAP_PORT'],
+    method: ENV['LDAP_METHOD'].present? ? ENV['LDAP_METHOD'].to_sym : :plain,
+    allow_username_or_email_login: true,
+    uid: ENV['LDAP_UID'],
+    base: ENV['LDAP_BASE'],
+    bind_dn: ENV['LDAP_BIND_DN'],
+    password: ENV['LDAP_PASSWORD']
 end
+
+# Redirect back to login in development mode.
+OmniAuth.config.on_failure = Proc.new { |env|
+  OmniAuth::FailureEndpoint.new(env).redirect_to_failure
+}
diff --git a/config/locales/en-us.yml b/config/locales/en-us.yml
@@ -92,6 +92,7 @@ en-US:
   home_page: Home page
   home_title: Welcome to BigBlueButton
   invalid_file: You may only upload an image file (jpg, gif, png).
+  invalid_login: Invalid log in credentials.
   invite: Invite
   invite_description: (share this link below to invite others to this meeting)
   join: Join
@@ -101,6 +102,7 @@ en-US:
     connect: Connect in real-time with others
     collaborate: Collaborate with friends
     teach: Teach students online
+  ldap_error: Unable to connect to the LDAP server. Please check your LDAP configuration in the env file and ensure your server is running.
   logged_in_description_html: You are logged in as %{link}
   login: login
   login_description: Want to record a meeting?
@@ -182,6 +184,7 @@ en-US:
   watch: Watch
   'yes': 'Yes'
   youtube_description: This recording was recorded with BigBlueButton. For more information check out %{url}.
+  youtube_footer: this will upload all webcam and audio data
   youtube_privacy_options:
     public: Public
     private: Private

diff --git a/env b/env
@@ -36,6 +36,20 @@ TWITTER_SECRET=
 GOOGLE_OAUTH2_ID=
 GOOGLE_OAUTH2_SECRET=
 
+# LDAP Login Provider (optional)
+#
+#   You can enable LDAP authentication by providing values for the variables below.
+#   For information about setting up LDAP, see: 
+#     http://docs.bigbluebutton.org/install/green-light.html#ldap-oauth
+#
+LDAP_SERVER=
+LDAP_PORT=
+LDAP_METHOD=
+LDAP_UID=
+LDAP_BASE=
+LDAP_BIND_DN=
+LDAP_PASSWORD=
+
 # If "true", GreenLight will register a webhook callback for each meeting
 # created. This callback is called for all events that happen in the meeting,
 # including the processing of its recording. These events are used to update

diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb
@@ -8,7 +8,12 @@ class SessionsControllerTest < ActionController::TestCase
 
   test "should get new" do
     get :new
-    assert_response :success
+    # We redirect directly to LDAP if configured.
+    if ENV['LDAP_SERVER'].present?
+      assert_response :redirect
+    else
+      assert_response :success
+    end
   end
 
   test "should redirect to home on auth failture" do