Made groups work on OpenDirectory (Apple's OpenLDAP shipped with OS X Server),
which is like standard POSIX. Existing AD group support should also still work (but has not been tested as I don't have a working AD setup). Added support for the group check to the login code (which was still missing) Improved the user experience by only dumping a newly created user on the profile page when the e-mail address was missing.
This commit is contained in:
@@ -53,7 +53,7 @@ if (isset($_POST['check_ldap'])){
|
|||||||
$error=$me->check_ldap();
|
$error=$me->check_ldap();
|
||||||
if($error==1 && $username) {
|
if($error==1 && $username) {
|
||||||
if ($me->ldap_bind_as($username,$_POST['PASSWORD'])){
|
if ($me->ldap_bind_as($username,$_POST['PASSWORD'])){
|
||||||
if($me->check_ldap_group_membership($username,$me->config['ld_group'])){
|
if($me->check_ldap_group_membership($username,$_POST['USERNAME'])){
|
||||||
$template->assign('LD_CHECK_LDAP','<p style="color:green;">Configuration LDAP OK : '.$username.'</p>');
|
$template->assign('LD_CHECK_LDAP','<p style="color:green;">Configuration LDAP OK : '.$username.'</p>');
|
||||||
} else {
|
} else {
|
||||||
$template->assign('LD_CHECK_LDAP','<p style="color:orange;">Credentials OK, Check GroupMembership for: '.$username.'</p>');
|
$template->assign('LD_CHECK_LDAP','<p style="color:orange;">Credentials OK, Check GroupMembership for: '.$username.'</p>');
|
||||||
|
|||||||
@@ -125,11 +125,6 @@ class Ldap {
|
|||||||
return ldap_err2str(ldap_errno($this->cnx));
|
return ldap_err2str(ldap_errno($this->cnx));
|
||||||
}
|
}
|
||||||
|
|
||||||
// return the name ldap understand
|
|
||||||
public function ldap_name($name){
|
|
||||||
return $this->config['ld_attr'].'='.$name.','.$this->config['basedn'];
|
|
||||||
}
|
|
||||||
|
|
||||||
// authentication public
|
// authentication public
|
||||||
public function ldap_bind_as($user,$user_passwd){
|
public function ldap_bind_as($user,$user_passwd){
|
||||||
$this->write_log("[function]> ldap_bind_as");
|
$this->write_log("[function]> ldap_bind_as");
|
||||||
@@ -152,16 +147,18 @@ class Ldap {
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function ldap_mail($name){
|
public function ldap_get_email($user_dn){
|
||||||
//echo $this->cnx;
|
$sr=@ldap_read($this->cnx, $user_dn, "(objectclass=*)", array('mail'));
|
||||||
//echo $this->ldap_name($name);
|
|
||||||
$sr=@ldap_read($this->cnx, $this->ldap_name($name), "(objectclass=*)", array('mail'));
|
|
||||||
$entry = @ldap_get_entries($this->cnx, $sr);
|
$entry = @ldap_get_entries($this->cnx, $sr);
|
||||||
|
|
||||||
if (!empty($entry[0]['mail'])) {
|
if (!empty($entry[0]['mail'])) {
|
||||||
return $entry[0]['mail'][0];
|
return $entry[0]['mail'][0];
|
||||||
}
|
}
|
||||||
return False;
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
public function ldap_get_user_email($username) {
|
||||||
|
return $this->ldap_email($this->ldap_get_dn($username));
|
||||||
}
|
}
|
||||||
|
|
||||||
// return userdn (and username) for authentication
|
// return userdn (and username) for authentication
|
||||||
@@ -205,8 +202,9 @@ class Ldap {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// look for LDAP group membership
|
// look for LDAP group membership
|
||||||
public function check_ldap_group_membership($user_dn,$group_dn){
|
public function check_ldap_group_membership($user_dn, $user_login){
|
||||||
$this->write_log("[function]> check_ldap_group_membership(".$user_dn." , ".$group_dn.")");
|
$group_dn = $this->config['ld_group'];
|
||||||
|
$this->write_log("[function]> check_ldap_group_membership('$user_dn', '$group_dn', '$user_login')");
|
||||||
//if no group specified return true
|
//if no group specified return true
|
||||||
if(!$group_dn){
|
if(!$group_dn){
|
||||||
return true;
|
return true;
|
||||||
@@ -219,22 +217,17 @@ class Ldap {
|
|||||||
$this->write_log("[check_ldap_group_membership]> Cannot bind to server!");
|
$this->write_log("[check_ldap_group_membership]> Cannot bind to server!");
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
// search for all memberOf-attributes for a given user_dn
|
// search for all member and memberUid attributes for a group_dn
|
||||||
$this->write_log("[check_ldap_group_membership]> @ldap_search(\$this->cnx,\"".$user_dn."\",\"(objectClass=*)\", array(\"memberOf\"),0,1)");
|
$search_filter = "(|(&(objectClass=posixGroup)(memberUid=$user_login))(&(objectClass=group)(member=$user_dn)))";
|
||||||
if($search = @ldap_search($this->cnx, $user_dn, "(objectClass=*)", array("memberOf"),0,1)){
|
$this->write_log("[check_ldap_group_membership]> @ldap_search(\$this->cnx,'$group_dn', '$search_filter', array('memberOf'),0,1)");
|
||||||
|
if($search = @ldap_search($this->cnx, $group_dn, $search_filter, array("dn"),0,1)){
|
||||||
$entry = @ldap_get_entries($this->cnx, $search);
|
$entry = @ldap_get_entries($this->cnx, $search);
|
||||||
//check if there are memberof-attributes
|
//check if there are dn-attributes
|
||||||
if(isset($entry[0]["memberof"])){
|
if (!empty($entry[0]["dn"])) {
|
||||||
$this->write_log("[check_ldap_group_membership]> Found ". $entry[0]["memberof"]["count"] ." memberOf-attributes");
|
$this->write_log("[check_ldap_group_membership]> match found: ".$entry[0]["dn"]);
|
||||||
for($i=0; $i < $entry["0"]["memberof"]["count"]; $i++){
|
return true;
|
||||||
$this->write_log("[check_ldap_group_membership]> checking: ". $entry["0"]["memberof"][$i]);
|
|
||||||
if(strcmp($group_dn,$entry["0"]["memberof"][$i]) == 0){
|
|
||||||
$this->write_log("[check_ldap_group_membership]> Match found for \"". $group_dn ."\" AND \"".$entry["0"]["memberof"][$i]."\"");
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else {
|
} else {
|
||||||
$this->write_log("[check_ldap_group_membership]> No groups found for given user, check on ldap side");
|
$this->write_log("[check_ldap_group_membership]> no group membership for user found for given group and user, check on ldap side");
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
$this->write_log("[check_ldap_group_membership]> ldap_search NOT successfull: " .$this->getErrorString());
|
$this->write_log("[check_ldap_group_membership]> ldap_search NOT successfull: " .$this->getErrorString());
|
||||||
|
|||||||
32
main.inc.php
32
main.inc.php
@@ -61,10 +61,13 @@ function login($success, $username, $password, $remember_me){
|
|||||||
$obj->load_config();
|
$obj->load_config();
|
||||||
$obj->ldap_conn() or die("Unable to connect LDAP server : ".$ldap->getErrorString());
|
$obj->ldap_conn() or die("Unable to connect LDAP server : ".$ldap->getErrorString());
|
||||||
|
|
||||||
//if (!$obj->ldap_bind_as($username,$password)){ // bind with userdn
|
$user_dn = $obj->ldap_search_dn($username); // retrieve the userdn
|
||||||
if (!$obj->ldap_search_dn($username) || !$obj->ldap_bind_as($obj->ldap_search_dn($username),$password)){ // bind with userdn
|
|
||||||
|
// If we have userdn, attempt to login an check user's group access
|
||||||
|
if (!($user_dn && !$obj->ldap_bind_as($user_dn,$password) &&
|
||||||
|
check_ldap_group_membership($user_dn, $username))) {
|
||||||
trigger_notify('login_failure', stripslashes($username));
|
trigger_notify('login_failure', stripslashes($username));
|
||||||
return false; // wrong password
|
return false; // wrong user/password or no group access
|
||||||
}
|
}
|
||||||
|
|
||||||
// search user in piwigo database
|
// search user in piwigo database
|
||||||
@@ -84,24 +87,19 @@ function login($success, $username, $password, $remember_me){
|
|||||||
// this is where we check we are allowed to create new users upon that.
|
// this is where we check we are allowed to create new users upon that.
|
||||||
if ($obj->config['allow_newusers']) {
|
if ($obj->config['allow_newusers']) {
|
||||||
|
|
||||||
// we got the email address
|
// retrieve LDAP e-mail address and create a new user
|
||||||
if ($obj->ldap_mail($username)) {
|
$mail = $obj->ldap_get_email($user_dn);
|
||||||
$mail = $obj->ldap_mail($username);
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
$mail = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
// we actually register the new user
|
|
||||||
$new_id = register_user($username,random_password(8),$mail);
|
$new_id = register_user($username,random_password(8),$mail);
|
||||||
|
|
||||||
// now we fetch again his id in the piwigo db, and we get them, as we just created him !
|
// Login user
|
||||||
//$query = 'SELECT '.$conf['user_fields']['id'].' AS id FROM '.USERS_TABLE.' WHERE '.$conf['user_fields']['username'].' = \''.pwg_db_real_escape_string($username).'\' ;';
|
|
||||||
//$row = pwg_db_fetch_assoc(pwg_query($query));
|
|
||||||
|
|
||||||
log_user($new_id, False);
|
log_user($new_id, False);
|
||||||
trigger_notify('login_success', stripslashes($username));
|
trigger_notify('login_success', stripslashes($username));
|
||||||
redirect('profile.php');
|
|
||||||
|
// in case the e-mail address is empty, redirect to profile page
|
||||||
|
if($mail==NULL) {
|
||||||
|
redirect('profile.php');
|
||||||
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
// else : this is the normal behavior ! user is not created.
|
// else : this is the normal behavior ! user is not created.
|
||||||
|
|||||||
Reference in New Issue
Block a user