support ldap auth

[zhangweiqaz]

Tick the checkbox if you understand [x]:

• I have read and understand the pull request rules.

Description

add ldap auth support. It will works if below enviroment variables exist

• AUTH_METHOD: LDAP
• LDAP_ADDRESS: 'ldap://ip:port'
• LDAP_BASE_DN: 'cn=users,dc=xxxx,dc=com'
• LDAP_UID=uid
  The auth DN will be 'uid=username,cn=users,dc=xxxx,dc=com'.
  If AUTH_METHOD not equal 'LDAP', it auth with local database user
  Fixes #(issue)

Type of change

Please delete any options that are not relevant.

• New feature (non-breaking change which adds functionality)

Checklist

• My code follows the style guidelines of this project
• I ran ESLint and other linters for modified files
• I have performed a self-review of my own code and tested it
• I have commented my code, particularly in hard-to-understand areas (including JSDoc for methods)
• My changes generates no new warnings
• My code needed automated testing. I have added them (this is optional task)

Screenshots (if any)

Please do not use any external image service. Instead, just paste in or drag and drop the image here, and it will be uploaded automatically.

[CommanderStorm]

Tip

Please see the part of the contribution guide where we talk about discussing plans beforehand for future PRs.
"Duping work" is not maintainable both for contributors or maintainers ^^

To the PR:

• Please rebase this PR on top of Add basic multiple admin users support #3571.
• How can this be tested?
  => Please include a short paragraph how to set up a docker/.. environment to test that LDAP is working.
• Could you write a first draft how this can be documented? (I have only a basic clue what half of the variables do)

Be aware that our current focus is on getting v2.0 out of the door (see #4500 for further details)
=> reviewing #3571 (as a prerequisite for this PR) might take longer.

[CommanderStorm]

please extract the ldap parts of this implementation into a function.
This method is too long already and adding more will not aid in readability ^^

[CommanderStorm]

please include debug logging what query is being executed

[CommanderStorm]

please refactor this to reject/resolve with the value of ldapAuthSuccess.
This way, future PRs can't mess with the logic and introduce potential security flaws. (this logic is fine, but lets not leave a footgun lying around ^^)

[CommanderStorm]

include the error message if it contains context aiding in debugging

[CommanderStorm]

Please extract the below parts into functions.
This is hard to comprehend => easy to make mistakes. Lets not risk this in security critical code ^^

[CommanderStorm]

lets use a template for better readability

Suggested change

	log.warn("auth", "ldap authentication failed for user: " + username);
	} else {
	log.info("auth", "ldap authentication succeeded for user: " + username);
	log.info("auth", `ldap failed for ${username} because ${err}`);
	} else {
	log.info("auth", `${username} successfully logged in via ldap`);

[CommanderStorm]

On the parameters to this function (ldapjs' docs):

• url does allow multiple LDAP servers.
  Should we support this as well?
• there are a few options regarding timouts. I think having timeouts for LDAP operations might be a good call.
• Should we add the reconnection parameter?

[zhangweiqaz]

Thanks for your advises, that help me a lot. Due to #3571 is big change, this PR can be delayed or restructured.
Ldap auth can be test below step:
1、create a temp ldap server
docker run --detach --rm --name openldap
-p 1389:1389
--env LDAP_ADMIN_USERNAME=admin
--env LDAP_ADMIN_PASSWORD=adminpassword
--env LDAP_USERS=customuser
--env LDAP_PASSWORDS=custompassword
--env LDAP_ROOT=dc=example,dc=org
--env LDAP_ADMIN_DN=cn=admin,dc=example,dc=org
bitnami/openldap:latest
2、set the enviroment variables
export AUTH_METHOD="LDAP"
export LDAP_ADDRESS="ldap://ldap_server_ip:1389"
export LDAP_UID="cn"
export LDAP_BASE_DN="ou=users,dc=example,dc=org"
3、run uptime-kuma and use "customuser" and "custompassword" to login

[Zaid-maker]

Thanks for your advises, that help me a lot. Due to #3571 is big change, this PR can be delayed or restructured. Ldap auth can be test below step: 1、create a temp ldap server docker run --detach --rm --name openldap -p 1389:1389 --env LDAP_ADMIN_USERNAME=admin --env LDAP_ADMIN_PASSWORD=adminpassword --env LDAP_USERS=customuser --env LDAP_PASSWORDS=custompassword --env LDAP_ROOT=dc=example,dc=org --env LDAP_ADMIN_DN=cn=admin,dc=example,dc=org bitnami/openldap:latest 2、set the enviroment variables export AUTH_METHOD="LDAP" export LDAP_ADDRESS="ldap://ldap_server_ip:1389" export LDAP_UID="cn" export LDAP_BASE_DN="ou=users,dc=example,dc=org" 3、run uptime-kuma and use "customuser" and "custompassword" to login

You can use handy tool to quickly test docker containers (sort of) Dockge