Compare commits
10 Commits
27cdeac6ae
...
00ad524b6b
| Author | SHA1 | Date | |
|---|---|---|---|
| 00ad524b6b | |||
| 247cc5a6b7 | |||
| 21fe3aadbc | |||
| 1ccfe95390 | |||
| b6323e66bf | |||
|
44c83c64ff | ||
|
|
976d223960 | ||
|
|
3379b1bfd1 | ||
|
|
fcb2cad1f3 | ||
|
|
64404a050b |
17
README.md
17
README.md
@@ -1,3 +1,20 @@
|
||||
# Ldap_Login
|
||||
LDAP authentication plugin for piwigo with user-group support
|
||||
|
||||
## Exmaple-Config for an M$-AD:
|
||||
|
||||
#### LDAP-Serververbindung
|
||||
**LDAP-Server**: srv.emxample.com</br>
|
||||
(x) **Secure connection** _(--> remember that the LDAPS-Server certificate must be imported on your piwigo server)_</br>
|
||||
**LDAP-Port**: 636</br>
|
||||
|
||||
#### LDAP Attribute
|
||||
**Base DN wo LDAP-Benutzer gefunden werden sollen (zB.: ou=users,dc=example,dc=com):**: cn=Users,dc=example,dc=com</br>
|
||||
**Attribute entsprechend des Benutzernamens**: sAMACcountName</br>
|
||||
**DN of group for membership-check (memberOf)**: dn=piwigo_users,cn=Users,dc=example,dc=com</br>
|
||||
|
||||
#### LDAP-Verbindungsreferenzen
|
||||
**Bind DN im LDAP-Style (zB.: cn=admin,dc=example,dc=com).**: cn=binduser,cn=Users,dc=exmaple,dc=com</br>
|
||||
**Bind passwort**: mysecret123</br>
|
||||
</br>
|
||||
_--> SAVE and enjoy :)_
|
||||
|
||||
@@ -13,15 +13,7 @@ $me = new Ldap();
|
||||
$me->load_config();
|
||||
//$me = get_plugin_data($plugin_id);
|
||||
|
||||
$template->assign('HOST', $me->config['host']);
|
||||
$template->assign('BASEDN', $me->config['basedn']); // racine !
|
||||
$template->assign('PORT', $me->config['port']);
|
||||
$template->assign('LD_ATTR', $me->config['ld_attr']);
|
||||
$template->assign('LD_GROUP', $me->config['ld_group']);
|
||||
$template->assign('LD_USE_SSL', $me->config['ld_use_ssl']);
|
||||
$template->assign('LD_BINDPW', $me->config['ld_bindpw']);
|
||||
$template->assign('LD_BINDDN', $me->config['ld_binddn']);
|
||||
|
||||
// Save LDAP configuration when submitted
|
||||
if (isset($_POST['save'])){
|
||||
$me->config['host'] = $_POST['HOST'];
|
||||
$me->config['basedn'] = $_POST['BASEDN'];
|
||||
@@ -36,10 +28,7 @@ if (isset($_POST['save'])){
|
||||
} else {
|
||||
$me->config['ld_use_ssl'] = False;
|
||||
}
|
||||
}
|
||||
|
||||
// Save LDAP configuration
|
||||
if (isset($_POST['save'])){
|
||||
$me->save_config();
|
||||
}
|
||||
|
||||
@@ -53,7 +42,7 @@ if (isset($_POST['check_ldap'])){
|
||||
$error=$me->check_ldap();
|
||||
if($error==1 && $username) {
|
||||
if ($me->ldap_bind_as($username,$_POST['PASSWORD'])){
|
||||
if($me->check_ldap_group_membership($username,$me->config['ld_group'])){
|
||||
if($me->check_ldap_group_membership($username,$_POST['USERNAME'])){
|
||||
$template->assign('LD_CHECK_LDAP','<p style="color:green;">Configuration LDAP OK : '.$username.'</p>');
|
||||
} else {
|
||||
$template->assign('LD_CHECK_LDAP','<p style="color:orange;">Credentials OK, Check GroupMembership for: '.$username.'</p>');
|
||||
@@ -71,5 +60,15 @@ if (isset($_POST['check_ldap'])){
|
||||
}
|
||||
}
|
||||
|
||||
// And build up the form with the new values
|
||||
$template->assign('HOST', $me->config['host']);
|
||||
$template->assign('BASEDN', $me->config['basedn']); // racine !
|
||||
$template->assign('PORT', $me->config['port']);
|
||||
$template->assign('LD_ATTR', $me->config['ld_attr']);
|
||||
$template->assign('LD_GROUP', $me->config['ld_group']);
|
||||
$template->assign('LD_USE_SSL', $me->config['ld_use_ssl']);
|
||||
$template->assign('LD_BINDPW', $me->config['ld_bindpw']);
|
||||
$template->assign('LD_BINDDN', $me->config['ld_binddn']);
|
||||
|
||||
$template->assign_var_from_handle( 'ADMIN_CONTENT', 'plugin_admin_content');
|
||||
?>
|
||||
|
||||
@@ -12,10 +12,7 @@ $me = new Ldap();
|
||||
$me->load_config();
|
||||
//$me = get_plugin_data($plugin_id);
|
||||
|
||||
$template->assign('ALLOW_NEWUSERS', $me->config['allow_newusers']);
|
||||
$template->assign('ADVERTISE_ADMINS', $me->config['advertise_admin_new_ldapuser']);
|
||||
$template->assign('SEND_CASUAL_MAIL', $me->config['send_password_by_mail_ldap']);
|
||||
|
||||
// Save LDAP configuration when submitted
|
||||
if (isset($_POST['save'])){
|
||||
|
||||
if (isset($_POST['ALLOW_NEWUSERS'])){
|
||||
@@ -34,11 +31,7 @@ if (isset($_POST['save'])){
|
||||
$me->config['send_password_by_mail_ldap'] = True;
|
||||
} else {
|
||||
$me->config['send_password_by_mail_ldap'] = False;
|
||||
}
|
||||
}
|
||||
|
||||
// Save LDAP configuration
|
||||
if (isset($_POST['save'])){
|
||||
$me->save_config();
|
||||
}
|
||||
|
||||
@@ -48,5 +41,10 @@ if (isset($_POST['save'])){
|
||||
// what do we do when there's no mail in the ldap ?
|
||||
// do we send mail to admins ?
|
||||
|
||||
// And build up the form with the new values
|
||||
$template->assign('ALLOW_NEWUSERS', $me->config['allow_newusers']);
|
||||
$template->assign('ADVERTISE_ADMINS', $me->config['advertise_admin_new_ldapuser']);
|
||||
$template->assign('SEND_CASUAL_MAIL', $me->config['send_password_by_mail_ldap']);
|
||||
|
||||
$template->assign_var_from_handle( 'ADMIN_CONTENT', 'plugin_admin_content');
|
||||
?>
|
||||
?>
|
||||
|
||||
@@ -125,11 +125,6 @@ class Ldap {
|
||||
return ldap_err2str(ldap_errno($this->cnx));
|
||||
}
|
||||
|
||||
// return the name ldap understand
|
||||
public function ldap_name($name){
|
||||
return $this->config['ld_attr'].'='.$name.','.$this->config['basedn'];
|
||||
}
|
||||
|
||||
// authentication public
|
||||
public function ldap_bind_as($user,$user_passwd){
|
||||
$this->write_log("[function]> ldap_bind_as");
|
||||
@@ -152,22 +147,24 @@ class Ldap {
|
||||
return false;
|
||||
}
|
||||
|
||||
public function ldap_mail($name){
|
||||
//echo $this->cnx;
|
||||
//echo $this->ldap_name($name);
|
||||
$sr=@ldap_read($this->cnx, $this->ldap_name($name), "(objectclass=*)", array('mail'));
|
||||
public function ldap_get_email($user_dn){
|
||||
$sr=@ldap_read($this->cnx, $user_dn, "(objectclass=*)", array('mail'));
|
||||
$entry = @ldap_get_entries($this->cnx, $sr);
|
||||
|
||||
if (!empty($entry[0]['mail'])) {
|
||||
return $entry[0]['mail'][0];
|
||||
}
|
||||
return False;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
public function ldap_get_user_email($username) {
|
||||
return $this->ldap_email($this->ldap_get_dn($username));
|
||||
}
|
||||
|
||||
// return userdn (and username) for authentication
|
||||
public function ldap_search_dn($value_to_search){
|
||||
$this->write_log("[function]> ldap_search_dn(".$value_to_search.")");
|
||||
$filter = '(&(objectCategory=person)('.$this->config['ld_attr'].'='.$value_to_search.'))';
|
||||
$filter = '(&(objectClass=person)('.$this->config['ld_attr'].'='.$value_to_search.'))';
|
||||
|
||||
// connection handling
|
||||
$this->write_log("[ldap_search_dn]> Connecting to server");
|
||||
@@ -205,8 +202,9 @@ class Ldap {
|
||||
}
|
||||
|
||||
// look for LDAP group membership
|
||||
public function check_ldap_group_membership($user_dn,$group_dn){
|
||||
$this->write_log("[function]> check_ldap_group_membership(".$user_dn." , ".$group_dn.")");
|
||||
public function check_ldap_group_membership($user_dn, $user_login){
|
||||
$group_dn = $this->config['ld_group'];
|
||||
$this->write_log("[function]> check_ldap_group_membership('$user_dn', '$group_dn', '$user_login')");
|
||||
//if no group specified return true
|
||||
if(!$group_dn){
|
||||
return true;
|
||||
@@ -219,22 +217,17 @@ class Ldap {
|
||||
$this->write_log("[check_ldap_group_membership]> Cannot bind to server!");
|
||||
return false;
|
||||
}
|
||||
// search for all memberOf-attributes for a given user_dn
|
||||
$this->write_log("[check_ldap_group_membership]> @ldap_search(\$this->cnx,\"".$user_dn."\",\"(objectClass=*)\", array(\"memberOf\"),0,1)");
|
||||
if($search = @ldap_search($this->cnx, $user_dn, "(objectClass=*)", array("memberOf"),0,1)){
|
||||
// search for all member and memberUid attributes for a group_dn
|
||||
$search_filter = "(|(&(objectClass=posixGroup)(memberUid=$user_login))(&(objectClass=group)(member=$user_dn)))";
|
||||
$this->write_log("[check_ldap_group_membership]> @ldap_search(\$this->cnx,'$group_dn', '$search_filter', array('memberOf'),0,1)");
|
||||
if($search = @ldap_search($this->cnx, $group_dn, $search_filter, array("dn"),0,1)){
|
||||
$entry = @ldap_get_entries($this->cnx, $search);
|
||||
//check if there are memberof-attributes
|
||||
if(isset($entry[0]["memberof"])){
|
||||
$this->write_log("[check_ldap_group_membership]> Found ". $entry[0]["memberof"]["count"] ." memberOf-attributes");
|
||||
for($i=0; $i < $entry["0"]["memberof"]["count"]; $i++){
|
||||
$this->write_log("[check_ldap_group_membership]> checking: ". $entry["0"]["memberof"][$i]);
|
||||
if(strcmp($group_dn,$entry["0"]["memberof"][$i]) == 0){
|
||||
$this->write_log("[check_ldap_group_membership]> Match found for \"". $group_dn ."\" AND \"".$entry["0"]["memberof"][$i]."\"");
|
||||
return true;
|
||||
}
|
||||
}
|
||||
//check if there are dn-attributes
|
||||
if (!empty($entry[0]["dn"])) {
|
||||
$this->write_log("[check_ldap_group_membership]> match found: ".$entry[0]["dn"]);
|
||||
return true;
|
||||
} else {
|
||||
$this->write_log("[check_ldap_group_membership]> No groups found for given user, check on ldap side");
|
||||
$this->write_log("[check_ldap_group_membership]> no group membership for user found for given group and user, check on ldap side");
|
||||
}
|
||||
} else {
|
||||
$this->write_log("[check_ldap_group_membership]> ldap_search NOT successfull: " .$this->getErrorString());
|
||||
|
||||
34
main.inc.php
34
main.inc.php
@@ -1,7 +1,7 @@
|
||||
<?php
|
||||
/*
|
||||
Plugin Name: Ldap_Login
|
||||
Version: 1.2
|
||||
Version: auto
|
||||
Description: Allow piwigo authentication along an ldap
|
||||
Plugin URI: http://piwigo.org/ext/extension_view.php?eid=650
|
||||
Author: 22decembre
|
||||
@@ -61,10 +61,13 @@ function login($success, $username, $password, $remember_me){
|
||||
$obj->load_config();
|
||||
$obj->ldap_conn() or die("Unable to connect LDAP server : ".$ldap->getErrorString());
|
||||
|
||||
//if (!$obj->ldap_bind_as($username,$password)){ // bind with userdn
|
||||
if (!$obj->ldap_search_dn($username) || !$obj->ldap_bind_as($obj->ldap_search_dn($username),$password)){ // bind with userdn
|
||||
$user_dn = $obj->ldap_search_dn($username); // retrieve the userdn
|
||||
|
||||
// If we have userdn, attempt to login an check user's group access
|
||||
if (!($user_dn && $obj->ldap_bind_as($user_dn,$password) &&
|
||||
$obj->check_ldap_group_membership($user_dn, $username))) {
|
||||
trigger_notify('login_failure', stripslashes($username));
|
||||
return false; // wrong password
|
||||
return false; // wrong user/password or no group access
|
||||
}
|
||||
|
||||
// search user in piwigo database
|
||||
@@ -84,24 +87,19 @@ function login($success, $username, $password, $remember_me){
|
||||
// this is where we check we are allowed to create new users upon that.
|
||||
if ($obj->config['allow_newusers']) {
|
||||
|
||||
// we got the email address
|
||||
if ($obj->ldap_mail($username)) {
|
||||
$mail = $obj->ldap_mail($username);
|
||||
}
|
||||
else {
|
||||
$mail = NULL;
|
||||
}
|
||||
|
||||
// we actually register the new user
|
||||
// retrieve LDAP e-mail address and create a new user
|
||||
$mail = $obj->ldap_get_email($user_dn);
|
||||
$new_id = register_user($username,random_password(8),$mail);
|
||||
|
||||
// now we fetch again his id in the piwigo db, and we get them, as we just created him !
|
||||
//$query = 'SELECT '.$conf['user_fields']['id'].' AS id FROM '.USERS_TABLE.' WHERE '.$conf['user_fields']['username'].' = \''.pwg_db_real_escape_string($username).'\' ;';
|
||||
//$row = pwg_db_fetch_assoc(pwg_query($query));
|
||||
|
||||
// Login user
|
||||
log_user($new_id, False);
|
||||
trigger_notify('login_success', stripslashes($username));
|
||||
redirect('profile.php');
|
||||
|
||||
// in case the e-mail address is empty, redirect to profile page
|
||||
if($mail==NULL) {
|
||||
redirect('profile.php');
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
// else : this is the normal behavior ! user is not created.
|
||||
|
||||
Reference in New Issue
Block a user