Make cache optional. Update README
This commit is contained in:
parent
7c1f6be501
commit
25747fc14a
43
README.md
43
README.md
@ -12,31 +12,39 @@ Installation
|
|||||||
|
|
||||||
Usage
|
Usage
|
||||||
-----
|
-----
|
||||||
When yourls-cas-plugin is enabled and user was not successfuly authenticated using data specified in yourls_user_passwords, an LDAP authentication attempt will be made. If LDAP authentication is successful, then you will immediately go to the admin interface.
|
When yourls-ldap-plugin is enabled and user was not successfuly authenticated using data specified in yourls_user_passwords, an LDAP authentication attempt will be made. If LDAP authentication is successful, then you will immediately go to the admin interface.
|
||||||
|
|
||||||
You can also set a privileged account to search the LDAP directory with. This is useful for directories that don't allow anonymous binding.
|
You can also set a privileged account to search the LDAP directory with. This is useful for directories that don't allow anonymous binding. If you define a suitable template, the current user will be used binding. This is useful for Active Directory / Samba.
|
||||||
|
|
||||||
Setting the groups settings will check the user is a member of that group before logging them in and storing their credentials. This check is only performed the first time they auth or when their password changes.
|
Setting the groups settings will check the user is a member of that group before logging them in and storing their credentials. This check is only performed the first time they auth or when their password changes.
|
||||||
|
|
||||||
|
yourls-ldap-plugin by default will now implement a simple cache of LDAP users. As well as reducing requests to the LDAP server this has the effect of allowing YOURLS API to work with LDAP users.
|
||||||
|
|
||||||
Configuration
|
Configuration
|
||||||
-------------
|
-------------
|
||||||
|
|
||||||
* define( 'LDAPAUTH_HOST', 'ldaps://ldap.domain.com' ) // LDAP host name, IP or URL. You can use ldaps://host for LDAP with TLS
|
* define( 'LDAPAUTH_HOST', 'ldaps://ldap.domain.com' ); // LDAP host name, IP or URL. You can use ldaps://host for LDAP with TLS
|
||||||
* define( 'LDAPAUTH_PORT', '636' ) // LDAP server port - often 389 or 636 for TLS (LDAPS)
|
* define( 'LDAPAUTH_PORT', '636' ); // LDAP server port - often 389 or 636 for TLS (LDAPS)
|
||||||
* define( 'LDAPAUTH_BASE', 'dc=domain,dc=com' ) // Base DN (location of users)
|
* define( 'LDAPAUTH_BASE', 'dc=domain,dc=com' ); // Base DN (location of users)
|
||||||
* define( 'LDAPAUTH_USERNAME_FIELD', 'uid') // (optional) LDAP field name in which username is store
|
* define( 'LDAPAUTH_USERNAME_FIELD', 'uid'); // (optional) LDAP field name in which username is store
|
||||||
|
|
||||||
To use a privileged account for the user search:
|
To use a privileged account for the user search:
|
||||||
* define( 'LDAPAUTH_SEARCH_USER', 'cn=your-user,dc=domain,dc=com' ) // (optional) Privileged user to search with
|
* define( 'LDAPAUTH_SEARCH_USER', 'cn=your-user,dc=domain,dc=com' ); // (optional) Privileged user to search with
|
||||||
* define( 'LDAPAUTH_SEARCH_PASS', 'the-pass') // (optional) (only if LDAPAUTH_SEARCH_USER set) Privileged user pass
|
* define( 'LDAPAUTH_SEARCH_PASS', 'the-pass'); // (optional) (only if LDAPAUTH_SEARCH_USER set) Privileged user pass
|
||||||
|
|
||||||
|
To define a template to bind using the current user for the search: Use %s as the place holder for the current user name
|
||||||
|
* define( 'LDAPAUTH_BIND_WITH_USER_TEMPLATE', '%s@myad.domain' ); // (optional) Use %s as the place holder for the current user name
|
||||||
|
|
||||||
To check group membership before authenticating:
|
To check group membership before authenticating:
|
||||||
* define( 'LDAPAUTH_GROUP_ATTR', 'memberof' ) // (optional) LDAP groups attr
|
* define( 'LDAPAUTH_GROUP_ATTR', 'memberof' ); // (optional) LDAP groups attr
|
||||||
* define( 'LDAPAUTH_GROUP_REQ', 'the-group;another-admin-group') // (only if LDAPAUTH_GROUP_REQ set) Group/s user must be in. Allows multiple, semicolon delimited
|
* define( 'LDAPAUTH_GROUP_REQ', 'the-group;another-admin-group'); // (only if LDAPAUTH_GROUP_REQ set) Group/s user must be in. Allows multiple, semicolon delimited
|
||||||
|
|
||||||
|
To define the type of user cache used:
|
||||||
|
* define( 'LDAPAUTH_USERCACHE_TYPE', 0); // (optional) Defaults to 1, which caches users in the options table. 0 turns off cacheing. Other values are currently undefined, but may be one day
|
||||||
|
|
||||||
To automatically add LDAP users to config.php:
|
To automatically add LDAP users to config.php:
|
||||||
* define( 'LDAPAUTH_ADD_NEW', true ) // (optional) Add LDAP users to config.php
|
* define( 'LDAPAUTH_ADD_NEW', true ); // (optional) Add LDAP users to config.php
|
||||||
NOTE: This will require config.php to be writable by your webserver user
|
NOTE: This will require config.php to be writable by your webserver user. This function is now largely unneeded because the database based cache offers similar benefits without the need to make config.php writeable. It is retained for backwards compatability
|
||||||
|
|
||||||
Troubleshooting
|
Troubleshooting
|
||||||
---------------
|
---------------
|
||||||
@ -44,6 +52,17 @@ Troubleshooting
|
|||||||
* Check your webserver logs
|
* Check your webserver logs
|
||||||
* You can try modifying plugin code to print some more debug info
|
* You can try modifying plugin code to print some more debug info
|
||||||
|
|
||||||
|
About the user cache
|
||||||
|
--------------------
|
||||||
|
When a successful login is made against an LDAP server the plugin will cache the username and encrypted password. Currently this is done by saving them in an array in YOURLS options table. This has some advantages:
|
||||||
|
|
||||||
|
* It reduces requests to the LDAP server
|
||||||
|
* It means that users can still log in even if the LDAP server is unreachable
|
||||||
|
* It means that the YOURLS API can be used by LDAP users
|
||||||
|
|
||||||
|
Unfortunately, the cache will not scale well. This is because it integrates tightly with YOURLS's internal auth mechanism, and that does not scale. If you have a few tens of LDAP users likely to use your YOURLS installation it should be fine. Much more than that and you may see performance issues. If so, you should probably disable the cache. This will mean
|
||||||
|
that your LDAP users will not be able to use the API. At least not unless they are listed in users/config.php, which suffers from the same scaling problems.
|
||||||
|
|
||||||
License
|
License
|
||||||
-------
|
-------
|
||||||
Copyright 2013 K3A, #1davoaust <BR>
|
Copyright 2013 K3A, #1davoaust <BR>
|
||||||
|
63
plugin.php
63
plugin.php
@ -41,6 +41,10 @@ function ldapauth_environment_check() {
|
|||||||
if ( !defined( 'LDAPAUTH_ADD_NEW' ) )
|
if ( !defined( 'LDAPAUTH_ADD_NEW' ) )
|
||||||
define( 'LDAPAUTH_ADD_NEW', false );
|
define( 'LDAPAUTH_ADD_NEW', false );
|
||||||
|
|
||||||
|
if ( !defined( 'LDAPAUTH_USERCACHE_TYPE' ) )
|
||||||
|
define( 'LDAPAUTH_USERCACHE_TYPE', 1 );
|
||||||
|
|
||||||
|
|
||||||
global $ldapauth_authorized_admins;
|
global $ldapauth_authorized_admins;
|
||||||
if ( !isset( $ldapauth_authorized_admins ) ) {
|
if ( !isset( $ldapauth_authorized_admins ) ) {
|
||||||
if ( !LDAPAUTH_ALL_USERS_ADMIN ) {
|
if ( !LDAPAUTH_ALL_USERS_ADMIN ) {
|
||||||
@ -60,7 +64,14 @@ function ldapauth_is_valid_user( $value ) {
|
|||||||
global $yourls_user_passwords;
|
global $yourls_user_passwords;
|
||||||
global $ydb;
|
global $ydb;
|
||||||
|
|
||||||
$ldapauth_usercache = $ydb->option['ldapauth_usercache'];
|
// Always check & set early
|
||||||
|
if ( !ldapauth_environment_check() ) {
|
||||||
|
die( 'Invalid configuration for YOURLS LDAP plugin. Check PHP error log.' );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( LDAPAUTH_USERCACHE_TYPE == 1) {
|
||||||
|
$ldapauth_usercache = $ydb->option['ldapauth_usercache'];
|
||||||
|
}
|
||||||
|
|
||||||
// no point in continuing if the user has already been validated by core
|
// no point in continuing if the user has already been validated by core
|
||||||
if ($value) {
|
if ($value) {
|
||||||
@ -68,24 +79,23 @@ function ldapauth_is_valid_user( $value ) {
|
|||||||
return $value;
|
return $value;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// session is only needed if we don't use usercache
|
||||||
@session_start();
|
if (empty(LDAPAUTH_USERCACHE_TYPE)) {
|
||||||
|
@session_start();
|
||||||
|
|
||||||
// Always check & set early
|
|
||||||
if ( !ldapauth_environment_check() ) {
|
|
||||||
die( 'Invalid configuration for YOURLS LDAP plugin. Check PHP error log.' );
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* is the cookie needed anymore? Since the user cache is merged with $yourls_user_passwords
|
if ( empty(LDAPAUTH_USERCACHE_TYPE) && isset( $_SESSION['LDAPAUTH_AUTH_USER'] ) ) {
|
||||||
* core's yourls_check_auth_cookie should work. If so, a logged in user will arrive in this
|
|
||||||
* function with $value true, the function returns early and we never get here
|
|
||||||
*/
|
|
||||||
if ( isset( $_SESSION['LDAPAUTH_AUTH_USER'] ) ) {
|
|
||||||
// already authenticated...
|
// already authenticated...
|
||||||
$username = $_SESSION['LDAPAUTH_AUTH_USER'];
|
$username = $_SESSION['LDAPAUTH_AUTH_USER'];
|
||||||
// why is this checked here, but not before the cookie is set?
|
// why is this checked here, but not before the cookie is set?
|
||||||
if ( ldapauth_is_authorized_user( $username ) ) {
|
if ( ldapauth_is_authorized_user( $username ) ) {
|
||||||
|
if( !isset($yourls_user_passwords[$username]) ) {
|
||||||
|
// set a dummy password to work around the "Stealing cookies" problem
|
||||||
|
// we prepend with 'phpass:' to avoid YOURLS trying to auto-encrypt it and
|
||||||
|
// write it to user/config.php
|
||||||
|
ldapauth_debug('Setting dummy entry in $yourls_user_passwords for user ' . $username);
|
||||||
|
$yourls_user_passwords[$username]='phpass:ThereIsNoPasswordButHey,WhoCares?';
|
||||||
|
}
|
||||||
yourls_set_user( $_SESSION['LDAPAUTH_AUTH_USER'] );
|
yourls_set_user( $_SESSION['LDAPAUTH_AUTH_USER'] );
|
||||||
return true;
|
return true;
|
||||||
} else {
|
} else {
|
||||||
@ -156,13 +166,17 @@ function ldapauth_is_valid_user( $value ) {
|
|||||||
ldapauth_create_user( $username, $_REQUEST['password'] );
|
ldapauth_create_user( $username, $_REQUEST['password'] );
|
||||||
}
|
}
|
||||||
|
|
||||||
// store the current user credentials in our cache. This cuts down calls to the LDAP
|
if (LDAPAUTH_USERCACHE_TYPE == 1) {
|
||||||
// server, and allows API keys to work with LDAP users
|
// store the current user credentials in our cache. This cuts down calls to the LDAP
|
||||||
$ldapauth_usercache[$username] = 'phpass:' . ldapauth_hash_password($_REQUEST['password']);
|
// server, and allows API keys to work with LDAP users
|
||||||
yourls_update_option('ldapauth_usercache', $ldapauth_usercache);
|
$ldapauth_usercache[$username] = 'phpass:' . ldapauth_hash_password($_REQUEST['password']);
|
||||||
|
yourls_update_option('ldapauth_usercache', $ldapauth_usercache);
|
||||||
|
}
|
||||||
|
|
||||||
$yourls_user_passwords[$username] = ldapauth_hash_password($_REQUEST['password']);
|
$yourls_user_passwords[$username] = ldapauth_hash_password($_REQUEST['password']);
|
||||||
$_SESSION['LDAPAUTH_AUTH_USER'] = $username;
|
if (empty(LDAPAUTH_USERCACHE_TYPE)) {
|
||||||
|
$_SESSION['LDAPAUTH_AUTH_USER'] = $username;
|
||||||
|
}
|
||||||
return true;
|
return true;
|
||||||
} else {
|
} else {
|
||||||
error_log("No LDAP success");
|
error_log("No LDAP success");
|
||||||
@ -192,8 +206,10 @@ function ldapauth_is_authorized_user( $username ) {
|
|||||||
yourls_add_action( 'logout', 'ldapauth_logout_hook' );
|
yourls_add_action( 'logout', 'ldapauth_logout_hook' );
|
||||||
|
|
||||||
function ldapauth_logout_hook( $args ) {
|
function ldapauth_logout_hook( $args ) {
|
||||||
unset($_SESSION['LDAPAUTH_AUTH_USER']);
|
if (empty(LDAPAUTH_USERCACHE_TYPE)) {
|
||||||
setcookie('PHPSESSID', '', 0, '/');
|
unset($_SESSION['LDAPAUTH_AUTH_USER']);
|
||||||
|
setcookie('PHPSESSID', '', 0, '/');
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/* This action, called as early as possible, retrieves our cache of LDAP users and
|
/* This action, called as early as possible, retrieves our cache of LDAP users and
|
||||||
@ -206,9 +222,12 @@ yourls_add_action ('plugins_loaded', 'ldapauth_merge_users');
|
|||||||
function ldapauth_merge_users() {
|
function ldapauth_merge_users() {
|
||||||
global $ydb;
|
global $ydb;
|
||||||
global $yourls_user_passwords;
|
global $yourls_user_passwords;
|
||||||
if(isset($ydb->option['ldapauth_usercache'])) {
|
if ( !ldapauth_environment_check() ) {
|
||||||
|
die( 'Invalid configuration for YOURLS LDAP plugin. Check PHP error log.' );
|
||||||
|
}
|
||||||
|
if(LDAPAUTH_USERCACHE_TYPE==1 && isset($ydb->option['ldapauth_usercache'])) {
|
||||||
ldapauth_debug("Merging text file users and cached LDAP users");
|
ldapauth_debug("Merging text file users and cached LDAP users");
|
||||||
$yourls_user_passwords = array_merge($yourls_user_passwords, $ydb->option['ldapauth_usercache']);
|
$yourls_user_passwords = array_merge($yourls_user_passwords, $ydb->option['ldapauth_usercache']);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user