yourls-ldap-auth/plugin.php

155 lines
4.5 KiB
PHP
Raw Normal View History

2013-08-25 16:18:57 +02:00
<?php
/*
Plugin Name: Simple LDAP Auth
Plugin URI:
Description: This plugin enables use of LDAP provider for authentication
Version: 1.0
Author: k3a
Author URI: http://k3a.me
*/
// Thanks to nicwaller (https://github.com/nicwaller) for cas plugin I used as a reference!
// No direct call
if( !defined( 'YOURLS_ABSPATH' ) ) die();
// returns true if the environment is set up right
2013-08-25 20:00:04 +02:00
function ldapauth_environment_check() {
2013-08-25 16:18:57 +02:00
$required_params = array(
2013-08-25 20:00:04 +02:00
'LDAPAUTH_HOST', // ldap host
//'LDAAUTHP_PORT', // ldap port
'LDAPAUTH_BASE', // base ldap path
//'LDAPAUTH_USERNAME_FIELD', // field to check the username against
2013-08-25 16:18:57 +02:00
);
foreach ($required_params as $pname) {
if ( !defined( $pname ) ) {
$message = 'Missing defined parameter '.$pname.' in plugin '. $thisplugname;
error_log($message);
return false;
}
}
2013-08-25 20:00:04 +02:00
if ( !defined( 'LDAPAUTH_PORT' ) )
define( 'LDAPAUTH_PORT', 389 );
2013-08-25 16:18:57 +02:00
2013-08-25 20:00:04 +02:00
if ( !defined( 'LDAPAUTH_USERNAME_FIELD' ) )
define( 'LDAPAUTH_USERNAME_FIELD', 'uid' );
2013-08-25 16:18:57 +02:00
2013-08-25 20:00:04 +02:00
if ( !defined( 'LDAPAUTH_ALL_USERS_ADMIN' ) )
define( 'LDAPAUTH_ALL_USERS_ADMIN', true );
2013-08-25 16:18:57 +02:00
2013-08-25 20:00:04 +02:00
global $ldapauth_authorized_admins;
if ( !isset( $ldapauth_authorized_admins ) ) {
if ( !LDAPAUTH_ALL_USERS_ADMIN ) {
error_log('Undefined $ldapauth_authorized_admins');
2013-08-25 16:18:57 +02:00
}
2013-08-25 20:00:04 +02:00
$ldapauth_authorized_admins = array();
2013-08-25 16:18:57 +02:00
}
return true;
}
2013-08-25 20:00:04 +02:00
yourls_add_filter( 'is_valid_user', 'ldapauth_is_valid_user' );
2013-08-25 16:18:57 +02:00
// returns true/false
2013-08-25 20:00:04 +02:00
function ldapauth_is_valid_user( $value ) {
2013-08-25 16:18:57 +02:00
// doesn't work for API...
if (yourls_is_API())
return $value;
@session_start();
2013-08-25 20:00:04 +02:00
if ( isset( $_SESSION['LDAPAUTH_AUTH_USER'] ) ) {
2013-08-25 16:18:57 +02:00
// already authenticated...
2013-08-25 20:00:04 +02:00
$username = $_SESSION['LDAPAUTH_AUTH_USER'];
if ( ldapauth_is_authorized_user( $username ) ) {
yourls_set_user( $_SESSION['LDAPAUTH_AUTH_USER'] );
2013-08-25 16:18:57 +02:00
return true;
} else {
return $username.' is not admin user.';
}
} else if ( isset( $_REQUEST['username'] ) && isset( $_REQUEST['password'] )
&& !empty( $_REQUEST['username'] ) && !empty( $_REQUEST['password'] ) ) {
2013-08-25 20:00:04 +02:00
if ( !ldapauth_environment_check() ) {
2013-08-25 16:18:57 +02:00
die( 'Invalid configuration for YOURLS LDAP plugin. Check PHP error log.' );
}
// try to authenticate
2013-08-25 20:00:04 +02:00
$ldapConnection = ldap_connect(LDAPAUTH_HOST, LDAPAUTH_PORT);
if (!$ldapConnection) Die("Cannot connect to LDAP " . LDAPAUTH_HOST);
ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
// Check if using a privileged user account to search
if (defined('LDAPAUTH_SEARCH_USER') && defined('LDAPAUTH_SEARCH_PASS')) {
if (!@ldap_bind($ldapConnection, LDAPAUTH_SEARCH_USER, LDAPAUTH_SEARCH_PASS)) {
die('Couldn\'t bind search user ' . LDAPAUTH_SEARCH_USER);
}
}
// Limit the attrs to the ones we need
$attrs = array('dn', LDAPAUTH_USERNAME_FIELD);
if (defined('LDAPAUTH_GROUP_ATTR'))
array_push($attrs, LDAPAUTH_GROUP_ATTR);
$searchDn = ldap_search($ldapConnection, LDAPAUTH_BASE, LDAPAUTH_USERNAME_FIELD . "=" . $_REQUEST['username'], $attrs );
2013-08-25 16:18:57 +02:00
if (!$searchDn) return $value;
$searchResult = ldap_get_entries($ldapConnection, $searchDn);
if (!$searchResult) return $value;
$userDn = $searchResult[0]['dn'];
if (!$userDn) return $value;
2013-08-25 20:00:04 +02:00
$ldapSuccess = @ldap_bind($ldapConnection, $userDn, $_REQUEST['password']);
2013-08-25 16:18:57 +02:00
@ldap_close($ldapConnection);
// success?
2013-08-25 20:00:04 +02:00
if ($ldapSuccess)
2013-08-25 16:18:57 +02:00
{
// are we checking group auth?
if (defined('LDAPAUTH_GROUP_ATTR') && defined('LDAPAUTH_GROUP_REQ')) {
if (!array_key_exists(LDAPAUTH_GROUP_ATTR, $searchResult[0])) die('Not in any LDAP groups');
$in_group = false;
foreach($searchResult[0][LDAPAUTH_GROUP_ATTR] as $grps) {
if (strtolower($grps) == strtolower(LDAPAUTH_GROUP_REQ)) { $in_group = true; error_log("YESSS"); break; }
}
if (!$in_group) die('Not in admin group');
}
2013-08-25 20:00:04 +02:00
$username = $searchResult[0][LDAPAUTH_USERNAME_FIELD][0];
2013-08-25 16:18:57 +02:00
yourls_set_user($username);
global $yourls_user_passwords;
$yourls_user_passwords[$username] = uniqid("",true);
2013-08-25 20:00:04 +02:00
$_SESSION['LDAPAUTH_AUTH_USER'] = $username;
2013-08-25 16:18:57 +02:00
return true;
}
}
return $value;
}
2013-08-25 20:00:04 +02:00
function ldapauth_is_authorized_user( $username ) {
2013-08-25 16:18:57 +02:00
// by default, anybody who can authenticate is also
// authorized as an administrator.
2013-08-25 20:00:04 +02:00
if ( LDAPAUTH_ALL_USERS_ADMIN ) {
2013-08-25 16:18:57 +02:00
return true;
}
// users listed in config.php are admin users. let them in.
2013-08-25 20:00:04 +02:00
global $ldapauth_authorized_admins;
if ( in_array( $username, $ldapauth_authorized_admins ) ) {
2013-08-25 16:18:57 +02:00
return true;
}
// not an admin user
return false;
}
2013-08-25 20:00:04 +02:00
yourls_add_action( 'logout', 'ldapauth_logout_hook' );
2013-08-25 16:18:57 +02:00
2013-08-25 20:00:04 +02:00
function ldapauth_logout_hook( $args ) {
unset($_SESSION['LDAPAUTH_AUTH_USER']);
2013-08-25 16:18:57 +02:00
setcookie('PHPSESSID', '', 0, '/');
}