Add Json API to create LDAP user.

This allows setting up permissions before the LDAP users actually connect to Kanboard, and even importing the permissions from other tools.
2015-01-16 17:08:48 +01:00
parent fd22b95575
commit 969d60ab41
5 changed files with 111 additions and 0 deletions
--- a/app/Auth/Ldap.php
+++ b/app/Auth/Ldap.php
@@ -206,4 +206,52 @@ class Ldap extends Base

        return false;
    }
+
+    /**
+     * Retrieve info on LDAP user.
+     *
+     * @param resource $ldap      LDAP connection
+     * @param string   $username  Username
+     * @param string   $email     Email address
+     */
+    public function lookup($username = null, $email = null)
+    {
+        if ($username && $email)
+            $query = '(&('.sprintf(LDAP_USER_PATTERN, $username).')('.sprintf(LDAP_ACCOUNT_EMAIL, $email).')';
+        else if ($username)
+            $query = sprintf(LDAP_USER_PATTERN, $username);
+        else if ($email)
+            $query = '('.LDAP_ACCOUNT_EMAIL.'='.$email.')';
+        else
+            return false;
+
+        // Connect and attempt anonymous bind
+        $ldap = $this->connect();
+        if (!is_resource($ldap) || !$this->bind($ldap, null, null))
+            return false;
+
+        // Try to find user
+        $sr = @ldap_search($ldap, LDAP_ACCOUNT_BASE, $query, array(LDAP_ACCOUNT_FULLNAME, LDAP_ACCOUNT_EMAIL, LDAP_ACCOUNT_ID));
+        if ($sr === false) {
+            return false;
+        }
+
+        $info = ldap_get_entries($ldap, $sr);
+
+        // User not found
+        if (count($info) == 0 || $info['count'] == 0) {
+            return false;
+        }
+
+        // User id not retrieved: LDAP_ACCOUNT_ID not properly configured
+        if (!$username && !isset($info[0][LDAP_ACCOUNT_ID][0])) {
+            return false;
+        }
+
+        return array(
+            'username' => isset($info[0][LDAP_ACCOUNT_ID][0]) ? $info[0][LDAP_ACCOUNT_ID][0] : $username,
+            'name' => isset($info[0][LDAP_ACCOUNT_FULLNAME][0]) ? $info[0][LDAP_ACCOUNT_FULLNAME][0] : '',
+            'email' => isset($info[0][LDAP_ACCOUNT_EMAIL][0]) ? $info[0][LDAP_ACCOUNT_EMAIL][0] : $email,
+        );
+    }
 }
--- a/app/constants.php
+++ b/app/constants.php
@@ -34,6 +34,7 @@ defined('LDAP_ACCOUNT_BASE') or define('LDAP_ACCOUNT_BASE', '');
 defined('LDAP_USER_PATTERN') or define('LDAP_USER_PATTERN', '');
 defined('LDAP_ACCOUNT_FULLNAME') or define('LDAP_ACCOUNT_FULLNAME', 'displayname');
 defined('LDAP_ACCOUNT_EMAIL') or define('LDAP_ACCOUNT_EMAIL', 'mail');
+defined('LDAP_ACCOUNT_ID') or define('LDAP_ACCOUNT_ID', '');

 // Google authentication
 defined('GOOGLE_AUTH') or define('GOOGLE_AUTH', false);
--- a/config.default.php
+++ b/config.default.php
@@ -74,6 +74,11 @@ define('LDAP_ACCOUNT_FULLNAME', 'displayname');
 // Name of an attribute of the user account object which should be used as the email of the user.
 define('LDAP_ACCOUNT_EMAIL', 'mail');

+// Name of an attribute of the user account object which should be used as the id of the user.
+// Example for ActiveDirectory: 'samaccountname'
+// Example for OpenLDAP: 'uid'
+define('LDAP_ACCOUNT_ID', 'samaccountname');
+
 // Enable/disable Google authentication
 define('GOOGLE_AUTH', false);

--- a/docs/api-json-rpc.markdown
+++ b/docs/api-json-rpc.markdown
@@ -1330,6 +1330,43 @@ Response example:
 }
 ```

+### createLdapUser
+
+- Purpose: **Create a new user authentified by LDAP**
+- Parameters:
+    - **username** (string, optional if email is set)
+    - **email** (string, optional if username is set)
+    - **is_admin** Set the value 1 for admins or 0 for regular users (integer, optional)
+    - **default_project_id** (integer, optional)
+- Result on success: **user_id**
+- Result on failure: **false**
+
+The user will only be created if a matching is found on the LDAP server.
+Username or email (or both) must be provided.
+
+Request example:
+
+```json
+{
+    "jsonrpc": "2.0",
+    "method": "createLdapUser",
+    "id": 1518863034,
+    "params": {
+        "username": "biloute",
+    }
+}
+```
+
+Response example:
+
+```json
+{
+    "jsonrpc": "2.0",
+    "id": 1518863034,
+    "result": 22
+}
+```
+
 ### getUser

 - Purpose: **Get user information**
--- a/jsonrpc.php
+++ b/jsonrpc.php
@@ -157,6 +157,26 @@ $server->register('createUser', function($username, $password, $name = '', $emai
    return $container['user']->create($values);
 });

+$server->register('createLdapUser', function($username = '', $email = '', $is_admin = 0, $default_project_id = 0) use ($container) {
+
+    $ldap = new Auth\Ldap($container);
+    $res = $ldap->lookup($username, $email);
+
+    if (!$res)
+        return false;
+
+    $values = array(
+        'username' => $res['username'],
+        'name' => $res['name'],
+        'email' => $res['email'],
+        'is_ldap_user' => 1,
+        'is_admin' => $is_admin,
+        'default_project_id' => $default_project_id,
+    );
+
+    return $container['user']->create($values);
+});
+
 $server->register('updateUser', function($id, $username = null, $name = null, $email = null, $is_admin = null, $default_project_id = null) use ($container) {

    $values = array(