Support for Active Directory multidomain forest. (#93)

In AD forest samAccountName (or uid) may not be unique in the
entire forest and userPrincipalName contains "@" symbol
disallowed in Matrix User Identifiers.
This commit adds mxid generation logic to work around above
restrictions.

Signed-off-by: Yuri Konotopov <[email protected]>

Author: nE0sIghT

README.rst

@@ -80,6 +80,51 @@ in search mode is provided below:
         bind_password: "ch33kym0nk3y"
         #filter: "(objectClass=posixAccount)"
 
+Active Directory forest support
+-------------------------------
+
+If the ``active_directory`` flag is set to ``true``, an Active Directory forest will be
+searched for the login details.
+In this mode, the user enters their login details in one of the forms:
+
+- ``<login>/<domain>``
+- ``<domain>\<login>``
+
+In either case, this will be mapped to the Matrix UID ``<login>/<domain>`` (The 
+normal AD domain separators, ``@`` and ``\``, cannot be used in Matrix User Identifiers, so 
+``/`` is used instead.)
+
+Let's say you have several domains in the ``example.com`` forest:
+
+.. code:: yaml
+
+   password_providers:
+    - module: "ldap_auth_provider.LdapAuthProvider"
+      config:
+        enabled: true
+        mode: "search"
+        uri: "ldap://main.example.com:389"
+        base: "dc=example,dc=com"
+        # Must be true for this feature to work
+        active_directory: true
+        # Optional. Users from this domain may log in without specifying the domain part
+        default_domain: main.example.com
+        attributes:
+           uid: "userPrincipalName"
+           mail: "mail"
+           name: "givenName"
+        bind_dn: "cn=hacker,ou=svcaccts,dc=example,dc=com"
+        bind_password: "ch33kym0nk3y"
+
+With this configuration the user can log in with either ``main.example.com\someuser``,
+``someuser/main.example.com`` or ``someuser``.
+
+Users of other domains in the ``example.com`` forest can log in with ``domain\login``
+or ``login/domain``.
+
+Please note that ``userPrincipalName`` or a similar-looking LDAP attribute in the format
+``login@domain`` must be used when the ``active_directory`` option is enabled.
+
 Troubleshooting and Debugging
 -----------------------------
 

ldap_auth_provider.py

@@ -47,6 +47,11 @@
 logger = logging.getLogger(__name__)
 
 
+class ActiveDirectoryUPNException(Exception):
+    """Raised in case the user's login credentials cannot be mapped to a UPN"""
+    pass
+
+
 class LDAPMode(object):
     SIMPLE = "simple",
     SEARCH = "search",
@@ -76,18 +81,48 @@ def __init__(self, config, account_handler):
             self.ldap_bind_password = config.bind_password
             self.ldap_filter = config.filter
 
+        self.ldap_active_directory = config.active_directory
+        if self.ldap_active_directory:
+            self.ldap_default_domain = config.default_domain
+
+    def get_supported_login_types(self):
+        return {'m.login.password': ('password',)}
+
     @defer.inlineCallbacks
-    def check_password(self, user_id, password):
+    def check_auth(self, username, login_type, login_dict):
         """ Attempt to authenticate a user against an LDAP Server
             and register an account if none exists.
 
             Returns:
-                True if authentication against LDAP was successful
+                Canonical user ID if authentication against LDAP was successful
         """
+        password = login_dict['password']
+        # According to section 5.1.2. of RFC 4513 an attempt to log in with
+        # non-empty DN and empty password is called Unauthenticated
+        # Authentication Mechanism of Simple Bind which is used to establish
+        # an anonymous authorization state and not suitable for user
+        # authentication.
         if not password:
             defer.returnValue(False)
-        # user_id is of the form @foo:bar.com
-        localpart = user_id.split(":", 1)[0][1:]
+
+        if username.startswith("@") and ":" in username:
+            # username is of the form @foo:bar.com
+            username = username.split(":", 1)[0][1:]
+
+        # Used in LDAP queries as value of ldap_attributes['uid'] attribute.
+        uid_value = username
+        # Default display name for the user, if a new account is registered.
+        default_display_name = username
+        # Local part of Matrix ID which will be used in registration process
+        localpart = username
+
+        if self.ldap_active_directory:
+            try:
+                (login, domain, localpart) = self._map_login_to_upn(username)
+                uid_value = login + "@" + domain
+                default_display_name = login
+            except ActiveDirectoryUPNException:
+                defer.returnValue(False)
 
         try:
             tls = ldap3.Tls(validate=ssl.CERT_REQUIRED)
@@ -102,7 +137,7 @@ def check_password(self, user_id, password):
             if self.ldap_mode == LDAPMode.SIMPLE:
                 bind_dn = "{prop}={value},{base}".format(
                     prop=self.ldap_attributes['uid'],
-                    value=localpart,
+                    value=uid_value,
                     base=self.ldap_base
                 )
                 result, conn = yield self._ldap_simple_bind(
@@ -117,7 +152,7 @@ def check_password(self, user_id, password):
                 if not result:
                     defer.returnValue(False)
             elif self.ldap_mode == LDAPMode.SEARCH:
-                filters = [(self.ldap_attributes["uid"], localpart)]
+                filters = [(self.ldap_attributes["uid"], uid_value)]
                 result, conn, _ = yield self._ldap_authenticated_search(
                     server=server, password=password, filters=filters
                 )
@@ -148,41 +183,46 @@ def check_password(self, user_id, password):
                 )
                 defer.returnValue(False)
 
+            # Get full user id from localpart
+            user_id = self.account_handler.get_qualified_user_id(localpart)
+
             # check if user with user_id exists
             if (yield self.account_handler.check_user_exists(user_id)):
                 # exists, authentication complete
                 if hasattr(conn, "unbind"):
                     yield threads.deferToThread(conn.unbind)
-                defer.returnValue(True)
+                defer.returnValue(user_id)
 
             else:
                 # does not exist, register
                 if self.ldap_mode == LDAPMode.SEARCH:
                     # search enabled, fetch metadata for account creation from
                     # existing ldap connection
-                    filters = [(self.ldap_attributes['uid'], localpart)]
+                    filters = [(self.ldap_attributes['uid'], uid_value)]
 
                     result, conn, response = yield self._ldap_authenticated_search(
                         server=server, password=password, filters=filters,
                     )
 
                     # These results will always return an array
-                    givenName = response["attributes"].get(
+                    display_name = response["attributes"].get(
                         self.ldap_attributes["name"], [localpart]
                     )
-                    givenName = (
-                        givenName[0] if len(givenName) == 1 else localpart
+                    display_name = (
+                        display_name[0]
+                        if len(display_name) == 1
+                        else default_display_name
                     )
 
                     mail = response["attributes"].get("mail", [None])
                     mail = mail[0] if len(mail) == 1 else None
                 else:
                     # search disabled, register account with basic information
-                    givenName = localpart
+                    display_name = default_display_name
                     mail = None
 
                 # Register the user
-                user_id = yield self.register_user(localpart, givenName, mail)
+                user_id = yield self.register_user(localpart, display_name, mail)
 
                 defer.returnValue(user_id)
 
@@ -237,6 +277,10 @@ def check_3pid_auth(self, medium, address, password):
                 response
             )
 
+            # Close connection
+            if hasattr(conn, "unbind"):
+                yield threads.deferToThread(conn.unbind)
+
             if not result:
                 defer.returnValue(None)
 
@@ -245,6 +289,16 @@ def check_3pid_auth(self, medium, address, password):
                 self.ldap_attributes["uid"], [None]
             )
             localpart = localpart[0] if len(localpart) == 1 else None
+            if self.ldap_active_directory and localpart and "@" in localpart:
+                (login, domain) = localpart.lower().rsplit("@", 1)
+                localpart = login + "/" + domain
+
+                if (
+                    self.ldap_default_domain
+                    and domain.lower() == self.ldap_default_domain.lower()
+                ):
+                    # Users in default AD domain don't have `/domain` suffix
+                    localpart = login
 
             givenName = response["attributes"].get(
                 self.ldap_attributes["name"], [localpart]
@@ -347,6 +401,10 @@ class _LdapConfig(object):
             "mail",
         ])
 
+        ldap_config.active_directory = config.get("active_directory", False)
+        if ldap_config.active_directory:
+            ldap_config.default_domain = config.get("default_domain", None)
+
         return ldap_config
 
     @defer.inlineCallbacks
@@ -523,6 +581,45 @@ def _ldap_authenticated_search(self, server, password, filters):
             logger.warning("Error during LDAP authentication: %s", e)
             raise
 
+    def _map_login_to_upn(self, username):
+        """Maps user provided login to Active Directory UPN and
+        local part of Matrix ID.
+
+        Args:
+            username (str): The user's login
+
+        Raises:
+            ActiveDirectoryUPNException: if username can not be
+                mapped to userPrincipalName
+
+        Returns:
+            Tuple[str, str, str]: a tuple of Active Directory login,
+            Active Directory domain and local part of Matrix ID.
+        """
+        login = username.lower()
+        domain = self.ldap_default_domain
+        localpart = username
+
+        if '\\' in username:
+            (domain, login) = username.lower().rsplit('\\', 1)
+        elif "/" in username:
+            (login, domain) = username.lower().rsplit("/", 1)
+        else:
+            if not self.ldap_default_domain:
+                logger.info(
+                    'No LDAP separator "/" was found in uid "%s" '
+                    'and LDAP default domain was not configured.',
+                    username
+                )
+                raise ActiveDirectoryUPNException()
+
+        if self.ldap_default_domain and domain == self.ldap_default_domain.lower():
+            localpart = login
+        else:
+            localpart = login + "/" + domain
+
+        return (login, domain, localpart)
+
 
 def _require_keys(config, required):
     missing = [key for key in required if key not in config]

tests/__init__.py

@@ -23,10 +23,28 @@
 objectClass: dcObject
 objectClass: organization
 
+dn: dc=main,dc=example,dc=org
+dc: main
+objectClass: dcObject
+objectClass: organization
+
+dn: dc=subsidiary,dc=example,dc=org
+dc: subsidiary
+objectClass: dcObject
+objectClass: organization
+
 dn: ou=people,dc=example,dc=org
 objectClass: organizationalUnit
 ou: people
 
+dn: ou=users,dc=main,dc=example,dc=org
+objectClass: organizationalUnit
+ou: users
+
+dn: ou=users,dc=subsidiary,dc=example,dc=org
+objectClass: organizationalUnit
+ou: users
+
 dn: cn=bob,ou=people,dc=example,dc=org
 cn: bob
 objectclass: person
@@ -49,6 +67,42 @@
 # password is: eekretsay
 userPassword: {SSHA}mtIQXzjeID+j1LdjduYB1kjaHPgup8UnK4ofgw==
 
+dn: cn=mainuser,ou=users,dc=main,dc=example,dc=org
+userPrincipalName: [email protected]
+cn: mainuser
+gn: One Of
+mail: [email protected]
+objectClass: user
+# password is: abracadabra
+userPassword: {SSHA}qLzlip9HesTLxT6qpWIawKXeKsy4L2h6
+
+dn: cn=uniqueuser,ou=users,dc=main,dc=example,dc=org
+userPrincipalName: [email protected]
+cn: uniqueuser
+gn: One Of
+mail: [email protected]
+objectClass: user
+# password is: nothing
+userPassword: {SSHA}jK5IJ/ozmZnEE5g6UU9WBsBBPe6LKFZz
+
+dn: cn=nonmainuser,ou=users,dc=subsidiary,dc=example,dc=org
+userPrincipalName: [email protected]
+cn: nonmainuser
+gn: Someone Else
+mail: [email protected]
+objectClass: user
+# password is: simsalabim
+userPassword: {SSHA}sHNj89kojBZ5DBHWDwwvzqmL0iuXn0mM
+
+dn: cn=mainuser,ou=users,dc=subsidiary,dc=example,dc=org
+userPrincipalName: [email protected]
+cn: mainuser
+gn: One Of
+mail: [email protected]
+objectClass: user
+# password is: changeit
+userPassword: {SSHA}AmOdJt9kOXZ2X4L89w00eKaPQN69W6yb
+
 """
 
 
@@ -136,3 +190,10 @@ def create_auth_provider(server, account_handler, config=None):
         })
 
     return LdapAuthProvider(config, account_handler=account_handler)
+
+
+def get_qualified_user_id(username):
+    if not username.startswith('@'):
+        return "@%s:test" % username
+
+    return username