CHANGELOG.md

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Unreleased (in 'dev')

2.0.3 - 2024-12-28

Changed

• set node version in docker container to 22 (fix #87) (build is kept at version 18 because of an issue)
• removed placeholder secrets from the dockerfile to prevent export error of SecretsUsedInArgOrEnv
• removed build for ppc64le arch due to build errors with the new node version
• updated dependencies, removed package fs:0.0.1-security as fs is npm default
• fetch customSecurityAttributes by default if entra app permissions are set correctly (probably also fixes #94)

Fixed

• handling missing .cache dir if startet directly in npm
• write group without special chars to disk (probably fix #90)

2.0.2 - 2024-06-01

Changed

• updated npm dependencies
• renamed Azure, AzureAD, ... to Microsoft Entra ID

Fixed

• Checked and fixed all links throughout the application.
• Resolved issue #68, ensuring that the container can start even if the original JSON is corrupt.

Added

• usage examples for Portainer, Authelia and Synology Radius with UniFi in the documentation
• Introducing new environment variable LDAP_USERS_SYNCONLYINGROUP:
  • When set, only users within the specified groups are fetched and made available in the wrapper.
  • Multiple group names can be specified using the pipe character (|).
  • This addresses also issue #65. The variable can be used in conjunction with LDAP_USERS_SETDEFAULTGROUP (the next new one).
• New environment variable LDAP_USERS_SETDEFAULTGROUP:
  • When set, the first specified group associated with the user will be used as the default group.
  • Multiple group names can be specified using the pipe character (|).
  • For example, admins|finance|hr. If a user is within both groups (finance and hr), the default group will be set to finance because it was defined first.
  • With DSM 7, there are some issues regarding group permissions (#47). ACL and UID/GID shifting can help. However, when losing the permissions, there seems to be some sort of fallback to the default group. With this setting, you can adjust the default group for your users.
• Experimental environment variable LDAP_DOMAIN_OU:
  • In a tenant with multiple domains, the same username can also be used multiple times (issue #74)
  • When the env var is set, the domain name for each user is appended in the username as ou=domain.tld So instead of cn=bob it will become cn=bob,ou=domain.tld. This way bob from domain1 and domain2 can be separated by bob,ou=domain1.tld and bob,ou=domain2.tld.
  • The feature is only experimental. There will be changes in handling the different domains.

2.0.1 - 2023-07-21

Changed

• Set ConsistencyLevel to eventual to enable the use of advanced queries and filters. (#55)
• Set $count parameter to to true for fetching users and groups, allowing the use of advanced queries and filters.
• Removed LDAP_BASEDN in dockerfile, because the value is generated by default from LDAP_DOMAIN.

Fixed

• Include specific error from the Graph API as graphErrorDetail instead of displaying only 'Request failed with status code 400' to failing fetching requests. (#55)
• Detection of external users (#61)
• Treat error code AADSTS50158 also as successful login if env var GRAPH_IGNORE_MFA_ERRORS is set. (#62)

2.0.0 - 2023-06-18

Changed

• Updated minimum required Node version to v17 (--openssl-legacy-provider for md4 in sambaNTPassword)

• Replaced use of smbhash with crypto.createHash

• Replaced usage of @azure/identity with @azure/msal-node

• Updated ldapjs to v3.0.1

• Refactored codebase to improve maintainability, including restructuring the project into multiple files for better organization and readability. As a result, existing customizers (mapped /app/customizer/ldap_customizer.js) must be modified to use the following paths:

  const config = require('../src/config');
  const helper = require('../src/helper');

Fixed

• Usernames are now case-insensitive (issue #40)
• Searches are generally case-insensitive, while results are returned in CamelCase.
• Searches for 'one' (singleLevel/singleLevel) no longer return the base entry itself.

Added

• Multi-arch build and Docker images
• Documentation now available with GitHub Pages: https://ahaenggli.github.io/AzureAD-LDAP-wrapper
• Environment variables now checked at startup
• TenantId, AppId, AppSecret, and AppPermissions in Graph API are now checked at startup
• Added ability to specify AZURE_ENDPOINT, GRAPH_ENDPOINT, and GRAPH_API_VERSION variables
• Nested groups are partially supported. They are added as members of other groups, but no filter query like :1.2.840.113556.1.4.1941: is implemented yet.

1.8.2 - 2022-09-25

Added

• Env var GRAPH_IGNORE_MFA_ERRORS to allow logins despite required MFA. When set to true, some MFA-related error codes are treated as successful logins. Attention, this is only a first attempt and may not work in all cases. Please open an issue if you encounter any problems with this.
• Deleted users and groups in Azure are now also removed from the LDAP entries. The number of days these entries should be kept in this wrapper before deletion can be specified with the env var LDAP_DAYSTOKEEPDELETEDUSERS. (see FAQ for more details)
• Env var LDAP_PORT to set a custom port for the listener (e.g. 389 for running the container directly on the host network)
• Print version at start-up, so you don't have to remember which version you are currently using.
• Check if the volume /app/.cache is mapped inside a docker container

Fixed

• if env var LDAP_SAMBANTPWD_MAXCACHETIME is set to 0 (= no cache), the hashed password will never be written to the cache file.
• update npm dependencies

1.8.1 - 2022-07-24

Changed

• env var LDAP_ANONYMOUSBIND default value is set to domain, so everything works normal on a Synology NAS. However, you may need to change this value to all or none depending on how you use it.
• env var DSM7 is set to true as default on new containers
• env var GRAPH_FILTER_GROUPS is set to securityEnabled eq true as default on new containers

Fixed

• Modify-Requests: Update custom attributes/values and keep the CamelCase for the attribute names

Added

• env var LDAP_ANONYMOUSBIND to restrict access for ldap queries without any authentication if needed.
• env var LDAP_SECURE_ATTRIBUTES to restrict access for the specified attributes only to superusers.
• env var LDAP_SENSITIVE_ATTRIBUTES to restrict access to the specified attributes to the respective user only and superusers.
• customizer options to change api endpoints from e.g. v1.0 to beta

1.8.0 - 2022-07-09

Changed

• Reset .cache folder owner every time the container is started
• Use the SIDs for users/groups from Azure instead of a "randomly" generated one. However, you can enable the old handling by setting the env var LDAP_SAMBA_USEAZURESID to false.

Added

• support for proxies (env var HTTPS_PROXY or HTTP_PROXY)

1.7.0 - 2022-03-19

Changed

• to support #ext#-users the following changes were necessary:
  • added ldap attribute AzureADuserPrincipalName with the original AAD-User (for login/password check in the AAD)
  • allowed domain mismatch for AD-Domain and LDAP-Domain
  • try binding via AzureADuserPrincipalName if no entry for uid/dn is found
  • env var GRAPH_FILTER_USERS to filter user entries in graph using the $filter query parameter
    (default is set to userType eq 'Member', so external users (guests) will not be synced automatically by default)
  • env var GRAPH_FILTER_GROUPS to filter group entries in graph using the $filter query parameter
    (e.g. set it to securityEnabled eq true so only security groups will be sync and not every teams-group)
• SID calculation for users is now sambaSID: fixedBase + "-" + (uidNumber * 2 + 1000)
• SID calculation for groups is now sambaSID: fixedBase + "-" + (gidNumber * 2 + 1001)

Added

• support #ext#-users (guest users from other ExternalAzureAD)
• add ldap attribute sambaPrimaryGroupSID for users
• optional env var LDAP_SAMBADOMAINNAME to manually set the sambaDomainName attribute in the LDAP
• optional env var SAMBA_BASESID to overwrite the fixed base SID

Fixed

• documentation for join a device with a non AAD user
• handle for @odata.nextLink in graph responses (should fix parts of #14)
• converted schema csv files from utf-16 to utf-8
• handle cn=subschema like any other ldap entries instead of fixed search attributes
• register an error handler for the server (EventEmitter)
• escape LDAP special chars ,=+<>#;\ with an additional backslash

1.6.0 - 2021-12-19

Changed

• Switched from @azure/ms-rest-nodeauth to @azure/Identity (ADAL to MSAL) Treat application as a public client may be set to true
  Set Allow public client flows to Yes and add the permission User.Read for Delegated in your Azure Portal or you can't login anymore. The settings are described with some images in the README.
  Those changes were necessary to use MSAL instead of ADAL.

Added

• handler to add new ldap entries
• handler to remove/delete new ldap entries
• handler to modify/edit ldap entires

1.5.0 - 2021-10-07

Added

• env var LDAP_SYNC_TIME to set the interval for fetching users/groups from azure database. Default is 30 minutes. (thx @oleksandr-mazur)
• env var DSM7 to activate the DSM 7 workaround. It handles gidNumber and uidNumber as integers instead of strings.
• Handler to use custom JavaScript to modify your ldap attributes
  This allows you e.g. to filter your azure user/groups or modify the ldap attributes. This method is also used in the DSM7 workaround. Look at this file for an example. Customize it as you need and map the file in your docker setup as /app/customizer/ldap_customizer.js.

1.4.0 - 2021-07-25

Added

• entry point for customizable schema modifications

Changed

• Changed the "sambaDomainName" attribute to be in upper case to respect the standard configuration of samba configs. (thx @DreydenGys)

1.3.1 - 2021-07-15

Fixed

• gidNumber and uidNumber are strings again

1.3.0 - 2021-07-13

Added/Fixed

• more schema data to avoid errors in DSM 7 (ldap schema data was extracted from syno directory server)
• sambaDomainName is now part of the ldap schema information

Changed

• merge ldap entries with matching entryUUIDs
• removed subschemaSubentry and hasSubordinates values from ldap entries

Security

• npm dependencies updated

1.2.0 - 2021-04-15

Added

• "rename" group if another with same entryUID exists

Changed

• groups entryDN:
  • replace accents with the latin alternatives (ç -> c, è -> e, ö -> o, ...)
  • replace non alpha-numeric chars with dashes

1.1.0 - 2021-04-06

Added

• limit the time a cached sambaNTPassword hash can be used with env var LDAP_SAMBANTPWD_MAXCACHETIME
• entryUID and osx-attributes for ldap entries
• "rename" user if another with same entryUID exists
• LDAPS (LDAP over SSL) support

Changed

• the docker image is now using tini (nodejs is not running as PID 1 anymore)
• always log 30 minutes refresh info (to be sure it's still running)

1.0.2 - 2021-04-02

Fixed

• format logs
• distinct user membership (user could be in same group multiple times due to wrong creation/edit)

Security

• no login from cache for inactive users

1.0.1 - 2021-04-02

Added

• more logs for debugging

Fixed

• users without groups

1.0.0 - 2021-03-31

Added

• new environment variable to allow login from cached sambaNTPassword LDAP_ALLOWCACHEDLOGINONFAILURE, default: true if set to true and the login is failed, the login is retried against the sambaNTPassword, except the error says "wrong credentials". (useful for unstable internet connection)
• this CHANGELOG file

Changed

• README file (more samples, map-folder)
• errors are always logged
• allow multiple bind-user (ex. ldapsearch1|mysecret||searchy2|othersecret)

Fixed

• load existing db on startup-error (ex. unstable internet connection)

Security

• sambaNTPassword can only be accessed from defined LDAP_BINDUSER and on accessing your own entries (userA can only access userA-sambaNTPassword, LDAP_BINDUSER-user can access all sambaNTPasswords)

[0.2.0-beta] - 2021-03-27

Added

• LDAP server
• AzureAD Connection
• Dockerfile
• Container on hub.docker.cm