From 98bd694e2bd47b0c4ed8247546b1903c762ffdde Mon Sep 17 00:00:00 2001 From: Francois Ferrand Date: Mon, 30 Jun 2014 17:49:32 +0200 Subject: [PATCH] Implement LDAP user lookup. This is required to improve compatibility when the DN cannot be easily computed from the user name. Additionally, this allows automatically getting the full name and email address from LDAP. --- app/Model/Ldap.php | 22 +++++++++++++++++++--- app/common.php | 3 ++- config.default.php | 24 ++++++++++++++++++++---- 3 files changed, 41 insertions(+), 8 deletions(-) diff --git a/app/Model/Ldap.php b/app/Model/Ldap.php index 3359318c3..9e7d0445e 100644 --- a/app/Model/Ldap.php +++ b/app/Model/Ldap.php @@ -33,8 +33,20 @@ class Ldap extends Base ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); - if (@ldap_bind($ldap, sprintf(LDAP_USER_DN, $username), $password)) { - return $this->create($username); + if (!@ldap_bind($ldap, LDAP_USERNAME, LDAP_PASSWORD)) { + die('Unable to bind to the LDAP server: "'.LDAP_SERVER.'"'); + } + + $sr = ldap_search($ldap, LDAP_ACCOUNT_BASE, sprintf(LDAP_USER_PATTERN, $username), array(LDAP_ACCOUNT_FULLNAME, LDAP_ACCOUNT_EMAIL)); + $info = ldap_get_entries($ldap, $sr); + if (count($info) == 0 || $info['count'] == 0) { + //User not found + return false; + } + + if (@ldap_bind($ldap, $info[0]['dn'], $password)) { + error_log("Bind to user OK"); + return $this->create($username, $info[0][LDAP_ACCOUNT_FULLNAME][0], $info[0][LDAP_ACCOUNT_EMAIL][0]); } return false; @@ -45,9 +57,11 @@ class Ldap extends Base * * @access public * @param string $username Username + * @param string $name Name of the user + * @param string $email Email address * @return bool */ - public function create($username) + public function create($username, $name, $email) { $userModel = new User($this->db, $this->event); $user = $userModel->getByUsername($username); @@ -70,6 +84,8 @@ class Ldap extends Base // Create a LDAP user $values = array( 'username' => $username, + 'name' => $name, + 'email' => $email, 'is_admin' => 0, 'is_ldap_user' => 1, ); diff --git a/app/common.php b/app/common.php index 5a26860fa..023494d8a 100644 --- a/app/common.php +++ b/app/common.php @@ -44,7 +44,8 @@ defined('DB_NAME') or define('DB_NAME', 'kanboard'); defined('LDAP_AUTH') or define('LDAP_AUTH', false); defined('LDAP_SERVER') or define('LDAP_SERVER', ''); defined('LDAP_PORT') or define('LDAP_PORT', 389); -defined('LDAP_USER_DN') or define('LDAP_USER_DN', '%s'); +defined('LDAP_ACCOUNT_FULLNAME') or define('LDAP_ACCOUNT_FULLNAME', 'displayname'); +defined('LDAP_ACCOUNT_EMAIL') or define('LDAP_ACCOUNT_EMAIL', 'mail'); // Google authentication defined('GOOGLE_AUTH') or define('GOOGLE_AUTH', false); diff --git a/config.default.php b/config.default.php index 6810ce9d3..db3b7221b 100644 --- a/config.default.php +++ b/config.default.php @@ -30,10 +30,26 @@ define('LDAP_SERVER', ''); // LDAP server port (389 by default) define('LDAP_PORT', 389); -// User LDAP DN -// Example for ActiveDirectory: 'MYDOMAIN\\%s' or '%s@mydomain.local' -// Example for OpenLDAP: 'uid=%s,ou=People,dc=example,dc=com' -define('LDAP_USER_DN', '%s'); +// LDAP username to connect with. NULL for anonymous bind (by default). +define('LDAP_USERNAME', null); + +// LDAP password to connect with. NULL for anonymous bind (by default). +define('LDAP_PASSWORD', null); + +// LDAP account base, i.e. root of all user account +// Example: ou=people,dc=example,dc=com +define('LDAP_ACCOUNT_BASE', ''); + +// LDAP query pattern to use when searching for a user account +// Example for ActiveDirectory: '(&(objectClass=user)(sAMAccountName=%s))' +// Example for OpenLDAP: 'uid=%s' +define('LDAP_USER_PATTERN', ''); + +// Name of an attribute of the user account object which should be used as the full name of the user. +define('LDAP_ACCOUNT_FULLNAME', 'displayname'); + +// Name of an attribute of the user account object which should be used as the email of the user. +define('LDAP_ACCOUNT_EMAIL', 'mail'); // Enable/disable Google authentication define('GOOGLE_AUTH', false);