Fix LDAP plugin error and add option disabling anonymous login before bind

Web5 2013-03-24 11:50:11 -04:00
parent 7be3fcd5e1
commit 02be0aef29
1 changed files with 17 additions and 9 deletions
plugins/auth_ldap


@ -10,12 +10,13 @@
* Configuration * Configuration
* Put the following options in config.php and customize them for your environment * Put the following options in config.php and customize them for your environment
* *
* define('LDAP_AUTH_SERVER_URI, 'ldaps://LDAPServerHostname:port/'); * define('LDAP_AUTH_SERVER_URI', 'ldaps://LDAPServerHostname:port/');
* define('LDAP_AUTH_USETLS, FALSE); // Enable TLS Support for ldaps:// * define('LDAP_AUTH_USETLS', FALSE); // Enable TLS Support for ldaps://
* define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE); // Allows untrusted certificate * define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE); // Allows untrusted certificate
* define('LDAP_AUTH_BINDDN', 'cn=serviceaccount,dc=example,dc=com'); * define('LDAP_AUTH_BINDDN', 'cn=serviceaccount,dc=example,dc=com');
* define('LDAP_AUTH_BINDPW', 'ServiceAccountsPassword'); * define('LDAP_AUTH_BINDPW', 'ServiceAccountsPassword');
* define('LDAP_AUTH_BASEDN', 'dc=example,dc=com'); * define('LDAP_AUTH_BASEDN', 'dc=example,dc=com');
* define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
* // ??? will be replaced with the entered username(escaped) at login * // ??? will be replaced with the entered username(escaped) at login
* define('LDAP_AUTH_SEARCHFILTER', '(&(objectClass=person)(uid=???))'); * define('LDAP_AUTH_SEARCHFILTER', '(&(objectClass=person)(uid=???))');
*/ */
@ -54,7 +55,7 @@ class Auth_Ldap extends Plugin implements IAuthModule {
} }
private function _log($msg) { private function _log($msg) {
trigger_error($msg, E_USER_WARN); trigger_error($msg, E_USER_WARNING);
} }
function authenticate($login, $password) { function authenticate($login, $password) {
@ -73,10 +74,15 @@ class Auth_Ldap extends Plugin implements IAuthModule {
return FALSE; return FALSE;
} }
$ldapConnParams=array( $ldapConnParams=array(
'host'=>$parsedURI['scheme'].'://'.$parsedURI['host'], 'host'=>$parsedURI['host'],
'basedn'=>LDAP_AUTH_BASEDN, 'basedn'=>LDAP_AUTH_BASEDN,
'options' => array('LDAP_OPT_REFERRALS' => 0) 'options' => array('LDAP_OPT_REFERRALS' => 0)
); );
if (!LDAP_AUTH_ANONYMOUSBEFOREBIND) {
$ldapConnParams['binddn']= LDAP_AUTH_BINDDN;
$ldapConnParams['bindpw']= LDAP_AUTH_BINDPW;
}
$ldapConnParams['starttls']= defined('LDAP_AUTH_USETLS') ? $ldapConnParams['starttls']= defined('LDAP_AUTH_USETLS') ?
LDAP_AUTH_USETLS : FALSE; LDAP_AUTH_USETLS : FALSE;
@ -92,12 +98,14 @@ class Auth_Ldap extends Plugin implements IAuthModule {
$this->_log('Could not connect to LDAP Server: '.$ldapConn->getMessage()); $this->_log('Could not connect to LDAP Server: '.$ldapConn->getMessage());
return FALSE; return FALSE;
} }
// Bind with service account // Bind with service account if orignal connexion was anonymous
if (LDAP_AUTH_ANONYMOUSBEFOREBIND) {
$binding=$ldapConn->bind(LDAP_AUTH_BINDDN, LDAP_AUTH_BINDPW); $binding=$ldapConn->bind(LDAP_AUTH_BINDDN, LDAP_AUTH_BINDPW);
if (Net_LDAP2::isError($binding)) { if (Net_LDAP2::isError($binding)) {
$this->_log('Cound not bind service account: '.$binding->getMessage()); $this->_log('Cound not bind service account: '.$binding->getMessage());
return FALSE; return FALSE;
} }
}
//Searching for user //Searching for user
$completedSearchFiler=str_replace('???',$login,LDAP_AUTH_SEARCHFILTER); $completedSearchFiler=str_replace('???',$login,LDAP_AUTH_SEARCHFILTER);
$filterObj=Net_LDAP2_Filter::parse($completedSearchFiler); $filterObj=Net_LDAP2_Filter::parse($completedSearchFiler);
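Review bot: `LDAP_AUTH_ANONYMOUSBEFOREBIND` is read bare in the new `if (!LDAP_AUTH_ANONYMOUSBEFOREBIND)` line of the second code hunk and again in `if (LDAP_AUTH_ANONYMOUSBEFOREBIND)` in the last one, while the neighbouring `starttls` line guards its constant with `defined('LDAP_AUTH_USETLS')`; a config.php written before this option existed therefore hits an undefined constant, which older PHP resolves to the (truthy) constant name, so the service credentials are silently left out of the connect params and the anonymous path is taken. Guard it once near the top of authenticate, `$anonFirst = defined('LDAP_AUTH_ANONYMOUSBEFOREBIND') && LDAP_AUTH_ANONYMOUSBEFOREBIND;`, use `$anonFirst` in both conditions, and state the default in the configuration block, e.g. `* define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE); // optional, defaults to FALSE`. The `'host'=>$parsedURI['host']` change in the same hunk drops the scheme and never passes `$parsedURI['port']`, so a `ldaps://host:port/` URI as documented above presumably falls back to the library's default port and plain LDAP unless starttls is set; worth confirming against Net_LDAP2 and adding `'port'` when the URI carries one. authenticate() starts and ends outside these hunks.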