piwigo/Ldap_Login
Archived
1
0
Fork 0
Code Activity

Compare commits

base: piwigo:27cdeac6aec691d603927423b809aea7619f90af
Branches Tags
piwigo:master
...
compare: piwigo:00ad524b6b83216098e5f1e8ba44ca869cc898a2
Branches Tags
piwigo:master

10 Commits
27cdeac6ae ... 00ad524b6b

Author SHA1 Message Date
Frederik Lindenaar
00ad524b6b Resolved issue with the login check, this could never have worked - need to test this better next time :-( 
Closes #8
 2015-07-20 10:25:58 +02:00
Frederik Lindenaar
247cc5a6b7 Fixed issue for not showing new values after submitting the configuration screen 
Closes #1
 2015-07-19 23:32:38 +02:00
Frederik Lindenaar
21fe3aadbc Fixed order of processing form data, after submit the new data is now shown 
Closes: #1
 2015-07-19 23:18:01 +02:00
Frederik Lindenaar
1ccfe95390 Made groups work on OpenDirectory (Apple's OpenLDAP shipped with OS X Server), 
which is like standard POSIX. Existing AD group support should also still work
(but has not been tested as I don't have a working AD setup).

Added support for the group check to the login code (which was still missing)

Improved the user experience by only dumping a newly created user on the profile
page when the e-mail address was missing.
 2015-07-19 17:03:59 +02:00
Frederik Lindenaar
b6323e66bf fixed ldap_search_dn for OpenLDAP/OpenDirectory (use objectClass instead of non-POSIX objectCategory) 2015-07-19 16:03:45 +02:00
spelth
44c83c64ff get rid of the "not compatible" error on extensions page 2015-06-04 20:56:46 +02:00
spelth
976d223960 Update README.md 2015-06-04 12:44:29 +02:00
spelth
3379b1bfd1 Update README.md 2015-06-04 12:44:09 +02:00
spelth
fcb2cad1f3 Update README.md 2015-06-04 12:42:55 +02:00
spelth
64404a050b Update README.md 2015-06-04 12:41:42 +02:00
5 changed files with 73 additions and 68 deletions
Expand all files Collapse all files

17
README.md
View File

@@ -1,3 +1,20 @@
# Ldap_Login
LDAP authentication plugin for piwigo with user-group support
## Exmaple-Config for an M$-AD:
#### LDAP-Serververbindung
**LDAP-Server**: srv.emxample.com</br>
(x) **Secure connection** _(--> remember that the LDAPS-Server certificate must be imported on your piwigo server)_</br>
**LDAP-Port**: 636</br>
#### LDAP Attribute
**Base DN wo LDAP-Benutzer gefunden werden sollen (zB.: ou=users,dc=example,dc=com):**: cn=Users,dc=example,dc=com</br>
**Attribute entsprechend des Benutzernamens**: sAMACcountName</br>
**DN of group for membership-check (memberOf)**: dn=piwigo_users,cn=Users,dc=example,dc=com</br>
#### LDAP-Verbindungsreferenzen
**Bind DN im LDAP-Style (zB.: cn=admin,dc=example,dc=com).**: cn=binduser,cn=Users,dc=exmaple,dc=com</br>
**Bind passwort**: mysecret123</br>
</br>
_--> SAVE and enjoy :)_

25
admin/configuration.php
View File

@@ -13,15 +13,7 @@ $me = new Ldap();
$me->load_config();
//$me = get_plugin_data($plugin_id);
$template->assign('HOST', $me->config['host']);
$template->assign('BASEDN', $me->config['basedn']); // racine !
$template->assign('PORT', $me->config['port']);
$template->assign('LD_ATTR', $me->config['ld_attr']);
$template->assign('LD_GROUP', $me->config['ld_group']);
$template->assign('LD_USE_SSL', $me->config['ld_use_ssl']);
$template->assign('LD_BINDPW', $me->config['ld_bindpw']);
$template->assign('LD_BINDDN', $me->config['ld_binddn']);
// Save LDAP configuration when submitted
if (isset($_POST['save'])){
$me->config['host'] = $_POST['HOST'];
$me->config['basedn'] = $_POST['BASEDN'];
@@ -36,10 +28,7 @@ if (isset($_POST['save'])){
} else {
$me->config['ld_use_ssl'] = False;
}
}
// Save LDAP configuration
if (isset($_POST['save'])){
$me->save_config();
}
@@ -53,7 +42,7 @@ if (isset($_POST['check_ldap'])){
$error=$me->check_ldap();
if($error==1 && $username) {
if ($me->ldap_bind_as($username,$_POST['PASSWORD'])){
if($me->check_ldap_group_membership($username,$me->config['ld_group'])){
if($me->check_ldap_group_membership($username,$_POST['USERNAME'])){
$template->assign('LD_CHECK_LDAP','<p style="color:green;">Configuration LDAP OK : '.$username.'</p>');
} else {
$template->assign('LD_CHECK_LDAP','<p style="color:orange;">Credentials OK, Check GroupMembership for: '.$username.'</p>');
@@ -71,5 +60,15 @@ if (isset($_POST['check_ldap'])){
}
}
// And build up the form with the new values
$template->assign('HOST', $me->config['host']);
$template->assign('BASEDN', $me->config['basedn']); // racine !
$template->assign('PORT', $me->config['port']);
$template->assign('LD_ATTR', $me->config['ld_attr']);
$template->assign('LD_GROUP', $me->config['ld_group']);
$template->assign('LD_USE_SSL', $me->config['ld_use_ssl']);
$template->assign('LD_BINDPW', $me->config['ld_bindpw']);
$template->assign('LD_BINDDN', $me->config['ld_binddn']);
$template->assign_var_from_handle( 'ADMIN_CONTENT', 'plugin_admin_content');
?>

14
admin/newusers.php
View File

@@ -12,10 +12,7 @@ $me = new Ldap();
$me->load_config();
//$me = get_plugin_data($plugin_id);
$template->assign('ALLOW_NEWUSERS', $me->config['allow_newusers']);
$template->assign('ADVERTISE_ADMINS', $me->config['advertise_admin_new_ldapuser']);
$template->assign('SEND_CASUAL_MAIL', $me->config['send_password_by_mail_ldap']);
// Save LDAP configuration when submitted
if (isset($_POST['save'])){
if (isset($_POST['ALLOW_NEWUSERS'])){
@@ -34,11 +31,7 @@ if (isset($_POST['save'])){
$me->config['send_password_by_mail_ldap'] = True;
} else {
$me->config['send_password_by_mail_ldap'] = False;
}
}
// Save LDAP configuration
if (isset($_POST['save'])){
$me->save_config();
}
@@ -48,5 +41,10 @@ if (isset($_POST['save'])){
// what do we do when there's no mail in the ldap ?
// do we send mail to admins ?
// And build up the form with the new values
$template->assign('ALLOW_NEWUSERS', $me->config['allow_newusers']);
$template->assign('ADVERTISE_ADMINS', $me->config['advertise_admin_new_ldapuser']);
$template->assign('SEND_CASUAL_MAIL', $me->config['send_password_by_mail_ldap']);
$template->assign_var_from_handle( 'ADMIN_CONTENT', 'plugin_admin_content');
?>

49
class.ldap.php
View File

@@ -125,11 +125,6 @@ class Ldap {
return ldap_err2str(ldap_errno($this->cnx));
}
// return the name ldap understand
public function ldap_name($name){
return $this->config['ld_attr'].'='.$name.','.$this->config['basedn'];
}
// authentication public
public function ldap_bind_as($user,$user_passwd){
$this->write_log("[function]> ldap_bind_as");
@@ -152,22 +147,24 @@ class Ldap {
return false;
}
public function ldap_mail($name){
//echo $this->cnx;
//echo $this->ldap_name($name);
$sr=@ldap_read($this->cnx, $this->ldap_name($name), "(objectclass=*)", array('mail'));
public function ldap_get_email($user_dn){
$sr=@ldap_read($this->cnx, $user_dn, "(objectclass=*)", array('mail'));
$entry = @ldap_get_entries($this->cnx, $sr);
if (!empty($entry[0]['mail'])) {
return $entry[0]['mail'][0];
}
return False;
}
return null;
}
public function ldap_get_user_email($username) {
return $this->ldap_email($this->ldap_get_dn($username));
}
// return userdn (and username) for authentication
public function ldap_search_dn($value_to_search){
$this->write_log("[function]> ldap_search_dn(".$value_to_search.")");
$filter = '(&(objectCategory=person)('.$this->config['ld_attr'].'='.$value_to_search.'))';
$filter = '(&(objectClass=person)('.$this->config['ld_attr'].'='.$value_to_search.'))';
// connection handling
$this->write_log("[ldap_search_dn]> Connecting to server");
@@ -205,8 +202,9 @@ class Ldap {
}
// look for LDAP group membership
public function check_ldap_group_membership($user_dn,$group_dn){
$this->write_log("[function]> check_ldap_group_membership(".$user_dn." , ".$group_dn.")");
public function check_ldap_group_membership($user_dn, $user_login){
$group_dn = $this->config['ld_group'];
$this->write_log("[function]> check_ldap_group_membership('$user_dn', '$group_dn', '$user_login')");
//if no group specified return true
if(!$group_dn){
return true;
@@ -219,22 +217,17 @@ class Ldap {
$this->write_log("[check_ldap_group_membership]> Cannot bind to server!");
return false;
}
// search for all memberOf-attributes for a given user_dn
$this->write_log("[check_ldap_group_membership]> @ldap_search(\$this->cnx,\"".$user_dn."\",\"(objectClass=*)\", array(\"memberOf\"),0,1)");
if($search = @ldap_search($this->cnx, $user_dn, "(objectClass=*)", array("memberOf"),0,1)){
// search for all member and memberUid attributes for a group_dn
$search_filter = "(|(&(objectClass=posixGroup)(memberUid=$user_login))(&(objectClass=group)(member=$user_dn)))";
$this->write_log("[check_ldap_group_membership]> @ldap_search(\$this->cnx,'$group_dn', '$search_filter', array('memberOf'),0,1)");
if($search = @ldap_search($this->cnx, $group_dn, $search_filter, array("dn"),0,1)){
$entry = @ldap_get_entries($this->cnx, $search);
//check if there are memberof-attributes
if(isset($entry[0]["memberof"])){
$this->write_log("[check_ldap_group_membership]> Found ". $entry[0]["memberof"]["count"] ." memberOf-attributes");
for($i=0; $i < $entry["0"]["memberof"]["count"]; $i++){
$this->write_log("[check_ldap_group_membership]> checking: ". $entry["0"]["memberof"][$i]);
if(strcmp($group_dn,$entry["0"]["memberof"][$i]) == 0){
$this->write_log("[check_ldap_group_membership]> Match found for \"". $group_dn ."\" AND \"".$entry["0"]["memberof"][$i]."\"");
return true;
}
}
//check if there are dn-attributes
if (!empty($entry[0]["dn"])) {
$this->write_log("[check_ldap_group_membership]> match found: ".$entry[0]["dn"]);
return true;
} else {
$this->write_log("[check_ldap_group_membership]> No groups found for given user, check on ldap side");
$this->write_log("[check_ldap_group_membership]> no group membership for user found for given group and user, check on ldap side");
}
} else {
$this->write_log("[check_ldap_group_membership]> ldap_search NOT successfull: " .$this->getErrorString());

34
main.inc.php
View File

@@ -1,7 +1,7 @@
<?php
/*
Plugin Name: Ldap_Login
Version: 1.2
Version: auto
Description: Allow piwigo authentication along an ldap
Plugin URI: http://piwigo.org/ext/extension_view.php?eid=650
Author: 22decembre
@@ -61,10 +61,13 @@ function login($success, $username, $password, $remember_me){
$obj->load_config();
$obj->ldap_conn() or die("Unable to connect LDAP server : ".$ldap->getErrorString());
//if (!$obj->ldap_bind_as($username,$password)){ // bind with userdn
if (!$obj->ldap_search_dn($username) || !$obj->ldap_bind_as($obj->ldap_search_dn($username),$password)){ // bind with userdn
$user_dn = $obj->ldap_search_dn($username); // retrieve the userdn
// If we have userdn, attempt to login an check user's group access
if (!($user_dn && $obj->ldap_bind_as($user_dn,$password) &&
$obj->check_ldap_group_membership($user_dn, $username))) {
trigger_notify('login_failure', stripslashes($username));
return false; // wrong password
return false; // wrong user/password or no group access
}
// search user in piwigo database
@@ -84,24 +87,19 @@ function login($success, $username, $password, $remember_me){
// this is where we check we are allowed to create new users upon that.
if ($obj->config['allow_newusers']) {
// we got the email address
if ($obj->ldap_mail($username)) {
$mail = $obj->ldap_mail($username);
}
else {
$mail = NULL;
}
// we actually register the new user
// retrieve LDAP e-mail address and create a new user
$mail = $obj->ldap_get_email($user_dn);
$new_id = register_user($username,random_password(8),$mail);
// now we fetch again his id in the piwigo db, and we get them, as we just created him !
//$query = 'SELECT '.$conf['user_fields']['id'].' AS id FROM '.USERS_TABLE.' WHERE '.$conf['user_fields']['username'].' = \''.pwg_db_real_escape_string($username).'\' ;';
//$row = pwg_db_fetch_assoc(pwg_query($query));
// Login user
log_user($new_id, False);
trigger_notify('login_success', stripslashes($username));
redirect('profile.php');
// in case the e-mail address is empty, redirect to profile page
if($mail==NULL) {
redirect('profile.php');
}
return true;
}
// else : this is the normal behavior ! user is not created.