From f554c10762a807aa118cc1956dbdcef63a374aed Mon Sep 17 00:00:00 2001 From: davoaust Date: Mon, 18 May 2015 15:15:33 +1000 Subject: [PATCH 1/2] Support group auth, privileged account & attribute filter Added support for group auth, 2 new settings: - LDAPAUTH_GROUP_ATTR - LDAPAUTH_GROUP_REQ If they're not set don't check group membership. Added support for using a privileged account to do the user search. 2 new settings: - LDAPAUTH_SEARCH_USER - LDAPAUTH_SEARCH_PASS Limited returned attributes to only the ones we need. --- plugin.php | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/plugin.php b/plugin.php index 444cd52..afb06f8 100644 --- a/plugin.php +++ b/plugin.php @@ -80,7 +80,20 @@ function ldapauth_is_valid_user( $value ) { $ldapConnection = ldap_connect(LDAPAUTH_HOST, LDAPAUTH_PORT); if (!$ldapConnection) Die("Cannot connect to LDAP " . LDAPAUTH_HOST); ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3); - $searchDn = ldap_search($ldapConnection, LDAPAUTH_BASE, LDAPAUTH_USERNAME_FIELD . "=" . $_REQUEST['username'] ); + + // Check if using a privileged user account to search + if (defined('LDAPAUTH_SEARCH_USER') && defined('LDAPAUTH_SEARCH_PASS')) { + if (!@ldap_bind($ldapConnection, LDAPAUTH_SEARCH_USER, LDAPAUTH_SEARCH_PASS)) { + die('Couldn\'t bind search user ' . LDAPAUTH_SEARCH_USER); + } + } + + // Limit the attrs to the ones we need + $attrs = array('dn', LDAPAUTH_USERNAME_FIELD); + if (defined('LDAPAUTH_GROUP_ATTR')) + array_push($attrs, LDAPAUTH_GROUP_ATTR); + + $searchDn = ldap_search($ldapConnection, LDAPAUTH_BASE, LDAPAUTH_USERNAME_FIELD . "=" . $_REQUEST['username'], $attrs ); if (!$searchDn) return $value; $searchResult = ldap_get_entries($ldapConnection, $searchDn); if (!$searchResult) return $value; @@ -92,6 +105,18 @@ function ldapauth_is_valid_user( $value ) { // success? if ($ldapSuccess) { + // are we checking group auth? + if (defined('LDAPAUTH_GROUP_ATTR') && defined('LDAPAUTH_GROUP_REQ')) { + if (!array_key_exists(LDAPAUTH_GROUP_ATTR, $searchResult[0])) die('Not in any LDAP groups'); + + $in_group = false; + foreach($searchResult[0][LDAPAUTH_GROUP_ATTR] as $grps) { + if (strtolower($grps) == strtolower(LDAPAUTH_GROUP_REQ)) { $in_group = true; error_log("YESSS"); break; } + } + + if (!$in_group) die('Not in admin group'); + } + $username = $searchResult[0][LDAPAUTH_USERNAME_FIELD][0]; yourls_set_user($username); global $yourls_user_passwords; From 898f1d2463fef80053d13c2dba66f71a1decf45d Mon Sep 17 00:00:00 2001 From: davoaust Date: Mon, 18 May 2015 15:20:41 +1000 Subject: [PATCH 2/2] Updating with privileged account and group settings Added information for connection to LDAP with a privileged account. Added information for authenticating users against a group. --- README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/README.md b/README.md index 07c52ad..db41c1b 100644 --- a/README.md +++ b/README.md @@ -14,6 +14,10 @@ Usage ----- When yourls-cas-plugin is enabled and user was not successfuly authenticated using data specified in yourls_user_passwords, an LDAP authentication attempt will be made. If LDAP authentication is successful, then you will immediately go to the admin interface. +You can also set a privileged account to search the LDAP directory with. This is useful for directories that don't allow anonymous binding. + +Setting the groups settings will check the user is a member of that group before logging them in and storing their credentials. This check is only performed the first time they auth or when their password changes. + Configuration ------------- @@ -22,6 +26,14 @@ Configuration * define( 'LDAPAUTH_BASE', 'dc=domain,dc=com' ) Base DN (location of users) * define( 'LDAPAUTH_USERNAME_FIELD', 'uid') (optional) LDAP field name in which username is store +To use a privileged account for the user search: + * define( 'LDAPAUTH_SEARCH_USER', 'cn=your-user,dc=domain,dc=com' ) // (optional) Privileged user to search with + * define( 'LDAPAUTH_SEARCH_PASS', 'the-pass') // (optional) (only if LDAPAUTH_SEARCH_USER set) Privileged user pass + +To check group membership before authenticating: + * define( 'LDAPAUTH_GROUP_ATTR', 'memberof' ) // (optional) LDAP groups attr + * define( 'LDAPAUTH_GROUP_REQ', 'the-group') // (only if LDAPAUTH_GROUP_REQ set) Group user must be in + Troubleshooting --------------- * Check PHP error log usually at `/var/log/php.log`