Login against ActiveDirectory, Boss Filter for authentification/authorization.
earlier this year, i had to connect and authenticate an user against Active Directory from erlang,
erlang/OTP have ldap client include since R15,
i tryed to connect to an Active Directory but without success :(, MS, MS, again MS ...
back to my favorite search engine, after googling some time,
i find out that ejabberd from preocess-one,
can connect and authenticate user against ActiveDirectory, WOW :), and it is open-source,
i decided to extract the code and package it here.
in this tutorial, you will find out how to use ChicagoBoss with an external dep,
boss filter for authentification and authorization.
Get started.
i assume you have an Active Directory Server ready somewhere in your network,
and installed ChicagoBoss, mostly you can copy paste to your shell when you see shell code,
this tuto was made against last version of CB, 17 september 2015
cd ChicagoBoss
make
make app PROJECT=ad
cd ../ad
edit your rebar.config file and add eldap repo in the deps section.
{deps, [
{boss, ".*", {git, "git://github.com/ChicagoBoss/ChicagoBoss.git", {tag, "v0.8.15"}}},
{eldap, ".*", {git, "git://github.com/mihawk/ldap.git", {tag, "master"}}}
]}.
{deps_dir, ["./deps"]}.
{plugin_dir, ["priv/rebar"]}.
{plugins, [boss_plugin]}.
{eunit_compile_opts, [{src_dirs, ["src/test"]}]}.
{lib_dirs, ["../ChicagoBoss/deps/elixir/lib"]}.
- fetch and compile our new deps.
cd ad
make all
i had this error during compilation process.
==> lager (compile)
ERROR: /home/mihawk/workspace/ad/deps/lager/.rebar/erlcinfo file version is incompatible. expected: 1 got: 2
ERROR: compile failed while processing /home/mihawk/workspace/ad/deps/lager: rebar_abort
i do this:
find . -name .rebar -type d | xargs rm -fr
make compile
Let's try to connect to ActiveDirectory
./init-dev.sh
oups forget to configure our eldap.
edit boss.config and add the config for eldap.
just like follow, update your config according to your env.
[
{eldap, [
{default, [
{ldap_servers, ["ldap.MyDomain.com"]},
{ldap_encrypt, none},
{ldap_port, 389},
{ldap_uids, [{"sAMAccountName", "%u"}]},
{ldap_base, "CN=Users,DC=MyDomain,DC=com"},
{ldap_rootdn, "CN=Administrator,CN=Users,DC=MyDomain,DC=com"},
{ldap_password, "MyPassword"},
{ldap_filter, "(memberOf=*)"}
]
}
]
},
{boss, [
{path, "./deps/boss"},
{applications, [ad]},
{assume_locale, "en"},
...
let's try again
./init-dev.sh
(ad@xyz)1>
(ad@xyz)1>application:start(eldap).
ok
(ad@xyz)2>eldap_api:start().
00:55:36.645 [info] LDAP connection on xxx.xx.xx.xx:389
00:55:36.646 [info] LDAP connection on xxx.xx.xx.xx:389
{ok,<0.86.0>}
test user credential:
(ad@xyz)4> eldap_api:check_password(default, <<"administrator">>, <<"mypass1">>).
true
(ad@xyz)5> eldap_api:check_password(default, <<"administrator">>, <<"mypass2">>).
false
Start eldap at boot.
in CB, we have init folder where you can perform some task at the boot time of your CB app.
let's write what we did previously in the shell into a module.
cat < priv/init/ad_02_eldap.erl
-module(ad_02_eldap).
-compile(export_all).
init() ->
{ok, Pid} = case application:start(eldap) of
ok ->
lager:info("starting eldap interface..."),
eldap_api:start();
Err ->
lager:error("starting eldap interface fail ~p", [Err])
end,
{ok, []}.
stop(_) ->
application:stop(eldap),
ok.
EOF
./init-dev.sh
if you lunch your app, you application crash miserably, what happen here,
the culprit is lager :(, it's a parse transform,
a parse transform is a hook into the compilation chaine
where the code is transformed before compilation.
the easiest way to fix this, is to add this magic line:
-compile({parse_transform, lager_transform}).
-compile({parse_transform, lager_transform}).
-module(ad_02_eldap).
-compile(export_all).
...
now your app should start properly.
./init-dev.sh
...
13:14:19.947 [info] starting eldap interface...
13:14:19.978 [info] LDAP connection on xxx.xx.xxx.xx:389
13:14:19.978 [info] LDAP connection on xxx.xx.xxx.xx:389
(ad@xyz)1> eldap_api:check_password(default, <<"administrator">>, <<"mypass1">>).
true
(ad@xyz)2>
cool we can call eldap_api:check_password/3 from our controller :)
Boss filter for authentification/authorization.
i assume you have read the README_FILTERS.md from the boss repo.
from the doc we have:
-module(my_before_filter).
-export([before_filter/2]).
before_filter(_Config, RequestContext) ->
IsAdmin = is_admin(RequestContext),
{ok, [{is_admin, IsAdmin}|RequestContext]}.
let's write our own module, which does nothing but just log some information.
cat < src/lib/ad_filter.erl
-compile({parse_transform, lager_transform}).
-module(ad_filter).
-export([before_filter/2]).
before_filter(Cfg, ReqCtx) ->
lager:info("Cfg:~p",[Cfg]),
lager:info("ReqCtx:~p",[ReqCtx]),
{ok, ReqCtx}.
EOF
we need a basic page
basic controller:
cat < src/controller/ad_index_controller.erl
-module(ad_index_controller,[Req,Sid]).
-export([index/3]).
-default_action(index).
index('GET', [], _ReqCtx) ->
{ok, [{msg, "Hello World!!"}]}.
EOF
basic view:
mkdir -p src/view/index
cat < src/view/index/index.html
{{msg}}
EOF
activate your filter, edit your boss.config like below:
%% controller_filter_config - Specify defaults for controller filters
%% Sub-key 'lang' can be set to the atom 'auto' to autodetermine language
%% universally, or can be set to a specific language by setting a string (e.g.
%% "en" or "de")
{controller_filter_modules, [ad_filter]},
% {controller_filter_config, [
% {lang, auto}
% ]},
open an other shell an fetch the page with curl:
curl -XGET http://localhost:8001/index
...
here the corresponding log from the REPL.
13:45:16.444 [info] Cfg:undefined
13:45:16.444 [info] ReqCtx:[{controller_module,ad_index_controller},{request,....},{session_id,"219ec9e933d968b595c2c85e6721a6dab98699ec"},{method,'GET'},{action,"index"},{tokens,[]}]
13:45:16.462 [warning] GET /index [ad] 404 49ms
we see that ReqCtx contain:
- controller_module
- request
- session_id
- method
- action
- token
let's add a login page, and redirect all user who want to access /index/index to the login page.
auth controller:
cat < src/controller/ad_auth_controller.erl
-module(ad_auth_controller,[Req,Sid]).
-export([login/3]).
-default_action(login).
login('GET', [], _ReqCtx) ->
{ok, []};
login('POST', [], _ReqCtx) ->
{ok, []}.
EOF
login view:
mkdir -p src/view/auth
cat < src/view/auth/login.html
EOF
let s try our new login page.
open your webrowser an go to the url http://localhost:8001/auth/login,
you should see our login form
or you can get the page using curl like below:
curl -X GET http://localhost:8001/auth/login
we got the page. nice
now let's authenticate our user against Active Directory,
edit the auth controller like follow:
login('POST', [], _ReqCtx) ->
%% extract value returned by the login form
Params = Req:post_params(),
%% extract login and password convert them into binary
Login = list_to_binary(proplists:get_value("login", Params)),
Password = list_to_binary(proplists:get_value("login", Params)),
%% check against active directory
case eldap_api:check_password(default, Login, Password) of
true ->
%%if user is authentified, link is current session
boss_session:set_session_data(Sid, user, Login);
{ok, [{success_msg, "You are authentified"}]};
false ->
{ok, [{error_msg, "Not Authorized"}]}
end.
edit your view and add the error message.
{% if success_msg %}{{success_msg}}
{% endif %}
{% if error_msg %}{{error_msg}}
{% endif %}