From bb6f3b4cfde1f3bf7608384d8987371c39bcb9ee Mon Sep 17 00:00:00 2001
From: Juan Ferrer Toribio
Date: Fri, 17 Nov 2023 08:56:25 +0100
Subject: [PATCH] fix: refs #6432 account sync fixes
---
 Dockerfile | 2 +-
 modules/account/back/models/samba-config.js | 20 ++++++++++++--------
 modules/account/front/samba/index.html | 19 ++++++++++++-------
 modules/account/front/samba/locale/es.yml | 1 +
 4 files changed, 26 insertions(+), 16 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index ce63da8ab..61dd758b8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -31,7 +31,7 @@ RUN apt-get update \
 RUN apt-get update \
 && apt-get install -y --no-install-recommends \
- samba-common-bin \
+ samba-common-bin samba-dsdb-modules\
 && rm -rf /var/lib/apt/lists/* \
 && npm -g install pm2
diff --git a/modules/account/back/models/samba-config.js b/modules/account/back/models/samba-config.js
index b6692be02..7714fb01c 100644
--- a/modules/account/back/models/samba-config.js
+++ b/modules/account/back/models/samba-config.js
@@ -33,16 +33,17 @@ module.exports = Self => {
 .split('.')
 .map(part => `dc=${part}`)
 .join(',');
- const ldapUser = `cn=${this.adUser},cn=Users,${baseDn}`;
+ const bindDn = `cn=${this.adUser},cn=Users,${baseDn}`;
 const adClient = ldap.createClient({
 url: `ldaps://${this.adController}:636`,
 tlsOptions: {rejectUnauthorized: this.verifyCert}
 });
- await adClient.bind(ldapUser, this.adPassword);
+ await adClient.bind(bindDn, this.adPassword);
 Object.assign(this, {
 adClient,
- fullUsersDn: `${this.userDn},${baseDn}`
+ fullUsersDn: `${this.userDn},${baseDn}`,
+ bindDn
 });
 },
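Review bot: Nothing in the Dockerfile hunk records why `samba-dsdb-modules` is now installed, so a later image-slimming pass has no way to tell what depends on it. A one-line comment above this `RUN`, such as `# samba-dsdb-modules: needed by samba-tool as invoked from modules/account (confirm)`, would tie the package to its consumer. The added line also ends in `samba-dsdb-modules\` with no space before the continuation backslash, unlike its neighbours; putting `samba-dsdb-modules \` on its own line after `samba-common-bin \` keeps the list one package per line.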
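Review bot: In the samba-config.js hunk at -33,16, `bindDn` is built by interpolating `this.adUser` unescaped into `cn=${this.adUser},cn=Users,${baseDn}`, and the commit now keeps it on the instance so that `sambaTool()` (next hunk) can pass it as `--simple-bind-dn`. A configured user name containing DN metacharacters such as `,`, `+` or `=` would produce a malformed DN or one naming a different entry, and the fixed `cn=Users` container is an assumption the code does not state. Either validate `adUser` where it is saved or escape the RDN value per RFC 4514 before interpolating, and document the assumption with a comment such as `// bind account must live directly under cn=Users of the AD domain`. The enclosing method starts above this hunk, so any validation done earlier is not visible here.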
@@ -51,11 +52,14 @@ module.exports = Self => {
 },
 async sambaTool(command, args = []) {
- const authArgs = [
- '--URL', `ldap://${this.adController}`,
- '--username', this.adUser,
+ let authArgs = [
+ '--URL', `ldaps://${this.adController}`,
+ '--simple-bind-dn', this.bindDn,
 '--password', this.adPassword
 ];
+ if (!this.verifyCert)
+ authArgs.push('--option', 'tls verify peer = no_check');
+
 const allArgs = [command].concat(
 args, authArgs
 );
@@ -151,8 +155,8 @@ module.exports = Self => {
 */
 async getUsers(usersToSync) {
 const LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803';
- // eslint-disable-next-line max-len
- const filter = `!(userAccountControl:${LDAP_MATCHING_RULE_BIT_AND}:=${UserAccountControlFlags.ACCOUNTDISABLE})`;
+ const filter = `!(userAccountControl:${LDAP_MATCHING_RULE_BIT_AND}` + `:=${UserAccountControlFlags.ACCOUNTDISABLE})`;
 const opts = {
 scope: 'sub',
diff --git a/modules/account/front/samba/index.html b/modules/account/front/samba/index.html
index 4379f10a2..0186cac7c 100644
--- a/modules/account/front/samba/index.html
+++ b/modules/account/front/samba/index.html
@@ -12,7 +12,7 @@
@@ -20,28 +20,33 @@ ng-if="watcher.hasData" class="vn-mt-md"> + +
@@ -63,4 +68,4 @@ ng-click="watcher.loadOriginalData()"> - \ No newline at end of file +
diff --git a/modules/account/front/samba/locale/es.yml b/modules/account/front/samba/locale/es.yml
index d098a4fbe..efa3b1597 100644
--- a/modules/account/front/samba/locale/es.yml
+++ b/modules/account/front/samba/locale/es.yml
@@ -3,6 +3,7 @@ Domain controller: Controlador de dominio
 AD domain: Dominio AD
 AD user: Usuario AD
 AD password: Contraseña AD
+User DN (without domain part): DN usuarios (sin la parte del dominio)
 Verify certificate: Verificar certificado
 Test connection: Probar conexión
 Samba connection established!: ¡Conexión con Samba establecida!
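Review bot: In `sambaTool()`, `if (!this.verifyCert)` switches certificate checking off for any falsy value, so an unset (`null`/`undefined`) `verifyCert` silently adds `tls verify peer = no_check`; the ldapjs client in the previous hunk passes the same field as `rejectUnauthorized`, which Node's TLS options document as disabling verification only when the value is exactly `false`. Because this hunk also moves to `--simple-bind-dn`, the AD password travels inside that TLS session, so skipping peer verification hands it to whichever host terminates the connection. Making the opt-out explicit with `if (this.verifyCert === false)` keeps both paths fail-closed, and `authArgs` can stay `const` since `push` does not reassign it. Separately, the unchanged `'--password', this.adPassword` line still places the secret in the process argument list, where other local users can read it while the tool runs; a channel that keeps it off argv would be safer. The method body continues past the end of this hunk.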