o Clean-up docs and ready for pkging.

stefanocoding · Aug 18, 2013 · ee93330 · ee93330
1 parent d6d72b7
commit ee93330
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 27 deletions.
diff --git a/docs/plugins/auth/auth_ldap.md b/docs/plugins/auth/auth_ldap.md
@@ -1,27 +1,44 @@
 auth/auth_ldap
 ==============
 
-The `auth/auth_ldap` plugin...
+The `auth/auth_ldap` plugin uses an LDAP bind to authenticate a user. Currently
+only one server and multiple DNs can be configured. If any of the DN binds succeed, 
+the user is authenticated. 
 
 Configuration
 -------------
 
 Configuration is stored in `config/auth_ldap.ini` and uses the INI
 style formatting. 
 
-are only two methods supported : `CRAM-MD5` and `LOGIN`. Be aware, the LOGIN
-method is highly unsecure and can be used normaly only for local communication.
-We stronly recommend only `CRAM-MD5` to be used.
+Only the `LOGIN` authentication method is supported assuming that passwords in the
+LDAP database are not stored in cleartext (which would allow for CRAM-MD5). Note
+that this means passwords will be sent in the clear to the LDAP server unless
+an ldaps:// conection is used. 
+
+Current configuration options in [core] are:
+
+    server - the url of the LDAP server (ldap:// or ldaps://)
+
+    timeout - time in miliseconds to wait for the server resonse before giving up
+
+    rejectUnauthorized - boolean (true or false) as to whether to reject connections
+        not verified against a CA. Meaning, a "false" allows non-verified.  
 
 Example:
     [core]
-    methods=LOGIN,CRAM-MD5
-
+    server=ldaps://ldap.opoet.com
+    timeout=5000
+    rejectUnauthorized=false  
 
-Users are stored in the `[users]` section.
+The [dns] section (that is plural DN and not domain name system), is a list of DNs to use
+to bind. The "%u" in the strings is substituted with the user name used in the SMTP 
+authentication. Note that the keys have no meaning and the DNs are tried in series until
+the first successful bind. The LDAP RFC does not allow for parallel binds on a connection,
+so it is suggested that the most commonly used DN be placed earlier in the list. 
 
 Example:
+    [dns]
+    dn1=uid=%u,ou=Users,dc=opoet,dc=com
+    dn2=uid=%u,ou=people,dc=opoet,dc=com 
 
-    [users]
-    user1=password1
-    user@domain.com=password2
diff --git a/package.json b/package.json
@@ -21,7 +21,8 @@
     "semver"        : ">= 1.0.14",
     "async"         : ">= 0.1.22",
     "daemon"        : ">= 1.1.0",
-    "npid"          : ">= 0.3.1"
+    "npid"          : ">= 0.3.1",
+    "ldapjs"        : ">= 0.6.3"
   },
   "optionalDependencies": {
     "node-syslog"   : ">= 1.1.2"

diff --git a/plugins/auth/auth_ldap.js b/plugins/auth/auth_ldap.js
@@ -1,9 +1,5 @@
 // auth/auth_ldap
 
-// documentation via: haraka -c /root/haraka -h plugins/auth/auth_ldap
-
-// Put your plugin code here
-// type: `haraka -h Plugins` for documentation on how to create a plugin
 var ldap = require('ldapjs');
 var crypto = require('crypto');
 var async = require('async');
@@ -23,31 +19,39 @@ exports.register = function () {
 }
 
 exports.check_plain_passwd = function (connection, user, passwd, cb) {
-    // Get LDAP servers and dns from the config 
+    // Get LDAP config 
     var config = this.config.get('auth_ldap.ini');
     var ldap_url = 'ldap://127.0.0.1';
     if (config.core.server) {
         ldap_url = config.core.server;
     }
     var rejectUnauthorized = (config.core.rejectUnauthorized != undefined) ?
         config.core.rejectUnauthorized : true;
-
-    var client = ldap.createClient( { url: ldap_url,
-        timeout: (config.core.timeout != undefined) ? config.core.timeout : 5000,
-        tlsOptions: { rejectUnauthorized: rejectUnauthorized } } );
 
-    config.dns = Object.keys(config.dns).map(function(v) { return config.dns[v]; })
+    var client = ldap.createClient({
+        url: ldap_url,
+        timeout: (config.core.timeout != undefined) ? config.core.timeout : 5000,
+        tlsOptions: {
+            rejectUnauthorized: rejectUnauthorized
+        }
+    });
+
+    config.dns = Object.keys(config.dns).map(function (v) {
+        return config.dns[v];
+    })
     async.detectSeries(config.dns, function (dn, callback) {
-        dn = dn.replace(/%u/g,user);  
-        client.bind(dn, passwd, function(err) {
+        dn = dn.replace(/%u/g, user);
+        client.bind(dn, passwd, function (err) {
             if (err) {
-                connection.loginfo("auth_ldap: ("+dn+") "+err.message); 
+                connection.loginfo("auth_ldap: (" + dn + ") " + err.message);
                 return callback(false);
             } else {
-                client.unbind(); 
+                client.unbind();
                 return callback(true);
             }
-            }) }, function (result) { cb(result); } );
+        })
+    }, function (result) {
+        cb(result);
+    });
 }
 
-