From 98bd694e2bd47b0c4ed8247546b1903c762ffdde Mon Sep 17 00:00:00 2001
From: Francois Ferrand
Date: Mon, 30 Jun 2014 17:49:32 +0200
Subject: [PATCH 1/2] Implement LDAP user lookup.
This is required to improve compatibility when the DN cannot be easily computed from the user name. Additionally, this allows automatically getting the full name and email address from LDAP.
---
 app/Model/Ldap.php | 22 +++++++++++++++++++---
 app/common.php | 3 ++-
 config.default.php | 24 ++++++++++++++++++++----
 3 files changed, 41 insertions(+), 8 deletions(-)
diff --git a/app/Model/Ldap.php b/app/Model/Ldap.php
index 3359318c3..9e7d0445e 100644
--- a/app/Model/Ldap.php
+++ b/app/Model/Ldap.php
@@ -33,8 +33,20 @@ class Ldap extends Base
 ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
 ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
 
- if (@ldap_bind($ldap, sprintf(LDAP_USER_DN, $username), $password)) {
- return $this->create($username);
+ if (!@ldap_bind($ldap, LDAP_USERNAME, LDAP_PASSWORD)) {
+ die('Unable to bind to the LDAP server: "'.LDAP_SERVER.'"');
+ }
+
+ $sr = ldap_search($ldap, LDAP_ACCOUNT_BASE, sprintf(LDAP_USER_PATTERN, $username), array(LDAP_ACCOUNT_FULLNAME, LDAP_ACCOUNT_EMAIL));
+ $info = ldap_get_entries($ldap, $sr);
+ if (count($info) == 0 || $info['count'] == 0) {
+ //User not found
+ return false;
+ }
+
+ if (@ldap_bind($ldap, $info[0]['dn'], $password)) {
+ error_log("Bind to user OK");
+ return $this->create($username, $info[0][LDAP_ACCOUNT_FULLNAME][0], $info[0][LDAP_ACCOUNT_EMAIL][0]);
 }
 
 return false;
@@ -45,9 +57,11 @@ class Ldap extends Base
 *
 * @access public
 * @param string $username Username
+ * @param string $name Name of the user
+ * @param string $email Email address
 * @return bool
 */
- public function create($username)
+ public function create($username, $name, $email)
 {
 $userModel = new User($this->db, $this->event);
 $user = $userModel->getByUsername($username);
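Review bot: The search filter built by `sprintf(LDAP_USER_PATTERN, $username)` embeds the raw login name, so filter metacharacters typed by the user change the query; pass it through `ldap_escape($username, '', LDAP_ESCAPE_FILTER)` first. The user bind also needs an explicit empty-password check before `ldap_bind($ldap, $info[0]['dn'], $password)`, because LDAP servers commonly treat a bind with an empty credential as anonymous and report success, which would log in any known account without a password. The `$info['count'] == 0` test lets a pattern that matches several entries fall through to an arbitrary `$info[0]`, and `ldap_search()` returning `false` is passed straight into `ldap_get_entries()`; require exactly one hit and check both results. `$info[0][LDAP_ACCOUNT_FULLNAME][0]` and the email lookup raise notices and hand `null` to `create()` (and into the `$values` array of the `@@ -70,6 +84,8 @@` hunk) when the attribute is absent, and the `error_log("Bind to user OK")` debugging line should go; note that `ldap_get_entries()` returns attribute names in lower case, which the defaults `displayname`/`mail` already satisfy. The enclosing method starts before this hunk.
```php
        // … unchanged: service bind with LDAP_USERNAME / LDAP_PASSWORD …

        // An empty credential is an anonymous bind on most directories and
        // would "succeed" without proving anything about the user.
        if ($password === '') {
            return false;
        }

        $filter = sprintf(LDAP_USER_PATTERN, ldap_escape($username, '', LDAP_ESCAPE_FILTER));
        $sr = ldap_search($ldap, LDAP_ACCOUNT_BASE, $filter, array(LDAP_ACCOUNT_FULLNAME, LDAP_ACCOUNT_EMAIL));
        if ($sr === false) {
            return false;
        }

        $info = ldap_get_entries($ldap, $sr);
        // Exactly one entry: none means unknown user, several means the
        // pattern is ambiguous and must not pick an arbitrary account.
        if ($info === false || $info['count'] !== 1) {
            return false;
        }

        if (@ldap_bind($ldap, $info[0]['dn'], $password)) {
            $name = isset($info[0][LDAP_ACCOUNT_FULLNAME][0]) ? $info[0][LDAP_ACCOUNT_FULLNAME][0] : '';
            $email = isset($info[0][LDAP_ACCOUNT_EMAIL][0]) ? $info[0][LDAP_ACCOUNT_EMAIL][0] : '';
            return $this->create($username, $name, $email);
        }

        // … unchanged: return false …
```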
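Review bot: `create($username, $name, $email)` turns the two LDAP attributes into required parameters, so any caller elsewhere in the project that still calls `create($username)` now fails with an argument-count error; giving them defaults, `public function create($username, $name = '', $email = '')`, keeps the old call working. The docblock declares both as `string`, yet the caller in the `@@ -33,8 +33,20 @@` hunk passes whatever `ldap_get_entries()` returned, so either document that they may be empty or normalise them at the call site. The body of create() continues past the end of this hunk.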
@@ -70,6 +84,8 @@ class Ldap extends Base
 // Create a LDAP user
 $values = array(
 'username' => $username,
+ 'name' => $name,
+ 'email' => $email,
 'is_admin' => 0,
 'is_ldap_user' => 1,
 );
diff --git a/app/common.php b/app/common.php
index 5a26860fa..023494d8a 100644
--- a/app/common.php
+++ b/app/common.php
@@ -44,7 +44,8 @@ defined('DB_NAME') or define('DB_NAME', 'kanboard');
 defined('LDAP_AUTH') or define('LDAP_AUTH', false);
 defined('LDAP_SERVER') or define('LDAP_SERVER', '');
 defined('LDAP_PORT') or define('LDAP_PORT', 389);
-defined('LDAP_USER_DN') or define('LDAP_USER_DN', '%s');
+defined('LDAP_ACCOUNT_FULLNAME') or define('LDAP_ACCOUNT_FULLNAME', 'displayname');
+defined('LDAP_ACCOUNT_EMAIL') or define('LDAP_ACCOUNT_EMAIL', 'mail');
 
 // Google authentication
 defined('GOOGLE_AUTH') or define('GOOGLE_AUTH', false);
diff --git a/config.default.php b/config.default.php
index 6810ce9d3..db3b7221b 100644
--- a/config.default.php
+++ b/config.default.php
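Review bot: Only `LDAP_ACCOUNT_FULLNAME` and `LDAP_ACCOUNT_EMAIL` get fallbacks here, while the new lookup code in app/Model/Ldap.php also reads `LDAP_USERNAME`, `LDAP_PASSWORD`, `LDAP_ACCOUNT_BASE` and `LDAP_USER_PATTERN`, none of which an existing config.php written before this change defines. On PHP 5 an undefined constant evaluates to its own name as a string (with a notice), so the service bind would be attempted with the literal credentials `'LDAP_USERNAME'` / `'LDAP_PASSWORD'` and the search run under the base `'LDAP_ACCOUNT_BASE'`, which fails in a confusing way rather than cleanly. Add the same `defined() or define()` fallbacks for the four new constants, matching the values in config.default.php; the `@@ -44,6 +44,7 @@` hunk of the second patch does this correctly for `LDAP_SSL_VERIFY`.
```php
defined('LDAP_PORT') or define('LDAP_PORT', 389);
defined('LDAP_USERNAME') or define('LDAP_USERNAME', null);
defined('LDAP_PASSWORD') or define('LDAP_PASSWORD', null);
defined('LDAP_ACCOUNT_BASE') or define('LDAP_ACCOUNT_BASE', '');
defined('LDAP_USER_PATTERN') or define('LDAP_USER_PATTERN', '');
defined('LDAP_ACCOUNT_FULLNAME') or define('LDAP_ACCOUNT_FULLNAME', 'displayname');
defined('LDAP_ACCOUNT_EMAIL') or define('LDAP_ACCOUNT_EMAIL', 'mail');
```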
@@ -30,10 +30,26 @@ define('LDAP_SERVER', '');
 // LDAP server port (389 by default)
 define('LDAP_PORT', 389);
 
-// User LDAP DN
-// Example for ActiveDirectory: 'MYDOMAIN\\%s' or '%s@mydomain.local'
-// Example for OpenLDAP: 'uid=%s,ou=People,dc=example,dc=com'
-define('LDAP_USER_DN', '%s');
+// LDAP username to connect with. NULL for anonymous bind (by default).
+define('LDAP_USERNAME', null);
+
+// LDAP password to connect with. NULL for anonymous bind (by default).
+define('LDAP_PASSWORD', null);
+
+// LDAP account base, i.e. root of all user account
+// Example: ou=people,dc=example,dc=com
+define('LDAP_ACCOUNT_BASE', '');
+
+// LDAP query pattern to use when searching for a user account
+// Example for ActiveDirectory: '(&(objectClass=user)(sAMAccountName=%s))'
+// Example for OpenLDAP: 'uid=%s'
+define('LDAP_USER_PATTERN', '');
+
+// Name of an attribute of the user account object which should be used as the full name of the user.
+define('LDAP_ACCOUNT_FULLNAME', 'displayname');
+
+// Name of an attribute of the user account object which should be used as the email of the user.
+define('LDAP_ACCOUNT_EMAIL', 'mail');
 
 // Enable/disable Google authentication
 define('GOOGLE_AUTH', false);
From 0a3049c17293e6b7b416b4264ace1f373bda6728 Mon Sep 17 00:00:00 2001
From: Francois Ferrand
Date: Thu, 3 Jul 2014 10:25:25 +0200
Subject: [PATCH 2/2] Add option to disable SSL certificate verification for LDAP.
---
 app/Model/Ldap.php | 5 +++++
 app/common.php | 1 +
 config.default.php | 3 +++
 3 files changed, 9 insertions(+)
diff --git a/app/Model/Ldap.php b/app/Model/Ldap.php
index 9e7d0445e..4e605eb27 100644
--- a/app/Model/Ldap.php
+++ b/app/Model/Ldap.php
@@ -24,6 +24,11 @@ class Ldap extends Base
 die('The PHP LDAP extension is required');
 }
 
+ if (!LDAP_SSL_VERIFY) {
+ //Skip SSL certificate verification
+ putenv('LDAPTLS_REQCERT=never');
+ }
+
 $ldap = ldap_connect(LDAP_SERVER, LDAP_PORT);
 
 if (! is_resource($ldap)) {
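Review bot: `putenv('LDAPTLS_REQCERT=never')` is a process-wide switch rather than a per-connection one: it stays set for every later libldap connection made by this PHP worker, and because libldap reads the variable when it initialises its TLS context it may not take effect if an LDAP connection was already opened earlier in the same process — behaviour to confirm against the libldap version in use. Disabling verification also means the ldaps:// session that carries the `LDAP_USERNAME`/`LDAP_PASSWORD` service credentials and every user's password is no longer protected against an interposed server, so the `LDAP_SSL_VERIFY` comment in the `@@ -30,6 +30,9 @@` config hunk should say so plainly instead of just "skip the verification". Where the PHP build exposes them, `ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER)` is the explicit equivalent and avoids touching the environment; in either case extend `//Skip SSL certificate verification` to `// Disables certificate verification for ALL libldap connections of this process (LDAPTLS_REQCERT is global); intended for test setups only`. The enclosing method starts before this hunk.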
diff --git a/app/common.php b/app/common.php
index 023494d8a..c5fb34e29 100644
--- a/app/common.php
+++ b/app/common.php
@@ -44,6 +44,7 @@ defined('DB_NAME') or define('DB_NAME', 'kanboard');
 defined('LDAP_AUTH') or define('LDAP_AUTH', false);
 defined('LDAP_SERVER') or define('LDAP_SERVER', '');
 defined('LDAP_PORT') or define('LDAP_PORT', 389);
+defined('LDAP_SSL_VERIFY') or define('LDAP_SSL_VERIFY', true);
 defined('LDAP_ACCOUNT_FULLNAME') or define('LDAP_ACCOUNT_FULLNAME', 'displayname');
 defined('LDAP_ACCOUNT_EMAIL') or define('LDAP_ACCOUNT_EMAIL', 'mail');
 
diff --git a/config.default.php b/config.default.php
index db3b7221b..e35519940 100644
--- a/config.default.php
+++ b/config.default.php
@@ -30,6 +30,9 @@ define('LDAP_SERVER', '');
 // LDAP server port (389 by default)
 define('LDAP_PORT', 389);
 
+// By default, require certificate to be verified for ldaps:// style URL. Set to false to skip the verification.
+define('LDAP_SSL_VERIFY', true);
+
 // LDAP username to connect with. NULL for anonymous bind (by default).
 define('LDAP_USERNAME', null);
 