Merge pull request #6 from davoaust/master
Added adding of LDAP users to config.php
This commit is contained in:
K3A
commit
72aa29d405
12
README.md
12
README.md
@ -21,10 +21,10 @@ Setting the groups settings will check the user is a member of that group before
|
||||
Configuration
|
||||
-------------
|
||||
|
||||
* define( 'LDAPAUTH_HOST', 'ldaps://ldap.domain.com' ) LDAP host name, IP or URL. You can use ldaps://host for LDAP with TLS
|
||||
* define( 'LDAPAUTH_PORT', '636' ) LDAP server port - often 389 or 636 for TLS (LDAPS)
|
||||
* define( 'LDAPAUTH_BASE', 'dc=domain,dc=com' ) Base DN (location of users)
|
||||
* define( 'LDAPAUTH_USERNAME_FIELD', 'uid') (optional) LDAP field name in which username is store
|
||||
* define( 'LDAPAUTH_HOST', 'ldaps://ldap.domain.com' ) // LDAP host name, IP or URL. You can use ldaps://host for LDAP with TLS
|
||||
* define( 'LDAPAUTH_PORT', '636' ) // LDAP server port - often 389 or 636 for TLS (LDAPS)
|
||||
* define( 'LDAPAUTH_BASE', 'dc=domain,dc=com' ) // Base DN (location of users)
|
||||
* define( 'LDAPAUTH_USERNAME_FIELD', 'uid') // (optional) LDAP field name in which username is store
|
||||
|
||||
To use a privileged account for the user search:
|
||||
* define( 'LDAPAUTH_SEARCH_USER', 'cn=your-user,dc=domain,dc=com' ) // (optional) Privileged user to search with
|
||||
@ -33,6 +33,10 @@ To use a privileged account for the user search:
|
||||
To check group membership before authenticating:
|
||||
* define( 'LDAPAUTH_GROUP_ATTR', 'memberof' ) // (optional) LDAP groups attr
|
||||
* define( 'LDAPAUTH_GROUP_REQ', 'the-group') // (only if LDAPAUTH_GROUP_REQ set) Group user must be in
|
||||
|
||||
To automatically add LDAP users to config.php:
|
||||
* define( 'LDAPAUTH_ADD_NEW', true ) // (optional) Add LDAP users to config.php
|
||||
NOTE: This will require config.php to be writable by your webserver user
|
||||
|
||||
Troubleshooting
|
||||
---------------
|
||||
|
||||
75
plugin.php
75
plugin.php
@ -38,6 +38,9 @@ function ldapauth_environment_check() {
|
||||
if ( !defined( 'LDAPAUTH_ALL_USERS_ADMIN' ) )
|
||||
define( 'LDAPAUTH_ALL_USERS_ADMIN', true );
|
||||
|
||||
if ( !defined( 'LDAPAUTH_ADD_NEW' ) )
|
||||
define( 'LDAPAUTH_ADD_NEW', false );
|
||||
|
||||
global $ldapauth_authorized_admins;
|
||||
if ( !isset( $ldapauth_authorized_admins ) ) {
|
||||
if ( !LDAPAUTH_ALL_USERS_ADMIN ) {
|
||||
@ -59,6 +62,11 @@ function ldapauth_is_valid_user( $value ) {
|
||||
return $value;
|
||||
|
||||
@session_start();
|
||||
|
||||
// Always check & set early
|
||||
if ( !ldapauth_environment_check() ) {
|
||||
die( 'Invalid configuration for YOURLS LDAP plugin. Check PHP error log.' );
|
||||
}
|
||||
|
||||
if ( isset( $_SESSION['LDAPAUTH_AUTH_USER'] ) ) {
|
||||
// already authenticated...
|
||||
@ -72,13 +80,13 @@ function ldapauth_is_valid_user( $value ) {
|
||||
} else if ( isset( $_REQUEST['username'] ) && isset( $_REQUEST['password'] )
|
||||
&& !empty( $_REQUEST['username'] ) && !empty( $_REQUEST['password'] ) ) {
|
||||
|
||||
if ( !ldapauth_environment_check() ) {
|
||||
die( 'Invalid configuration for YOURLS LDAP plugin. Check PHP error log.' );
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
// try to authenticate
|
||||
$ldapConnection = ldap_connect(LDAPAUTH_HOST, LDAPAUTH_PORT);
|
||||
if (!$ldapConnection) Die("Cannot connect to LDAP " . LDAPAUTH_HOST);
|
||||
if (!$ldapConnection) die("Cannot connect to LDAP " . LDAPAUTH_HOST);
|
||||
ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
|
||||
|
||||
// Check if using a privileged user account to search
|
||||
@ -92,7 +100,7 @@ function ldapauth_is_valid_user( $value ) {
|
||||
$attrs = array('dn', LDAPAUTH_USERNAME_FIELD);
|
||||
if (defined('LDAPAUTH_GROUP_ATTR'))
|
||||
array_push($attrs, LDAPAUTH_GROUP_ATTR);
|
||||
|
||||
|
||||
$searchDn = ldap_search($ldapConnection, LDAPAUTH_BASE, LDAPAUTH_USERNAME_FIELD . "=" . $_REQUEST['username'], $attrs );
|
||||
if (!$searchDn) return $value;
|
||||
$searchResult = ldap_get_entries($ldapConnection, $searchDn);
|
||||
@ -101,7 +109,7 @@ function ldapauth_is_valid_user( $value ) {
|
||||
if (!$userDn) return $value;
|
||||
$ldapSuccess = @ldap_bind($ldapConnection, $userDn, $_REQUEST['password']);
|
||||
@ldap_close($ldapConnection);
|
||||
|
||||
|
||||
// success?
|
||||
if ($ldapSuccess)
|
||||
{
|
||||
@ -111,7 +119,7 @@ function ldapauth_is_valid_user( $value ) {
|
||||
|
||||
$in_group = false;
|
||||
foreach($searchResult[0][LDAPAUTH_GROUP_ATTR] as $grps) {
|
||||
if (strtolower($grps) == strtolower(LDAPAUTH_GROUP_REQ)) { $in_group = true; error_log("YESSS"); break; }
|
||||
if (strtolower($grps) == strtolower(LDAPAUTH_GROUP_REQ)) { $in_group = true; break; }
|
||||
}
|
||||
|
||||
if (!$in_group) die('Not in admin group');
|
||||
@ -120,9 +128,16 @@ function ldapauth_is_valid_user( $value ) {
|
||||
$username = $searchResult[0][LDAPAUTH_USERNAME_FIELD][0];
|
||||
yourls_set_user($username);
|
||||
global $yourls_user_passwords;
|
||||
$yourls_user_passwords[$username] = uniqid("",true);
|
||||
|
||||
if (LDAPAUTH_ADD_NEW && !array_key_exists($username, $yourls_user_passwords)) {
|
||||
ldapauth_create_user( $username, $_REQUEST['password'] );
|
||||
}
|
||||
|
||||
$yourls_user_passwords[$username] = ldapauth_hash_password($_REQUEST['password']);
|
||||
$_SESSION['LDAPAUTH_AUTH_USER'] = $username;
|
||||
return true;
|
||||
} else {
|
||||
error_log("No LDAP success");
|
||||
}
|
||||
}
|
||||
|
||||
@ -152,3 +167,47 @@ function ldapauth_logout_hook( $args ) {
|
||||
unset($_SESSION['LDAPAUTH_AUTH_USER']);
|
||||
setcookie('PHPSESSID', '', 0, '/');
|
||||
}
|
||||
|
||||
/**
|
||||
* Create user in config file
|
||||
* Code reused from yourls_hash_passwords_now()
|
||||
*/
|
||||
function ldapauth_create_user( $user, $new_password ) {
|
||||
$configdata = file_get_contents( YOURLS_CONFIGFILE );
|
||||
if ( $configdata == FALSE ) {
|
||||
die('Couldn\'t read the config file');
|
||||
}
|
||||
|
||||
if (!is_writable(YOURLS_CONFIGFILE))
|
||||
die('Can\'t write to config file');
|
||||
|
||||
$pass_hash = ldapauth_hash_password($new_password);
|
||||
$user_line = "\t'$user' => 'phpass:$pass_hash' /* Password encrypted by YOURLS */,";
|
||||
|
||||
// Add the user on a new line after the start of the passwords array
|
||||
$new_contents = preg_replace('/(yourls_user_passwords\s=\sarray\()/', '$0 ' . PHP_EOL . $user_line, $configdata, -1, $count);
|
||||
|
||||
if ($count === 0) {
|
||||
die('Couldn\'t add user, plugin may not be compatible with YourLS version');
|
||||
} else if ($count > 1) {
|
||||
die('Added user more than once. Check config file.');
|
||||
}
|
||||
|
||||
$success = file_put_contents( YOURLS_CONFIGFILE, $new_contents );
|
||||
if ( $success === false ) {
|
||||
die('Unable to save config file');
|
||||
}
|
||||
|
||||
return $pass_hash;
|
||||
}
|
||||
|
||||
/**
|
||||
* Hashes password the same way as yourls_hash_passwords_now()
|
||||
**/
|
||||
function ldapauth_hash_password ($password) {
|
||||
$pass_hash = yourls_phpass_hash( $password );
|
||||
// PHP would interpret $ as a variable, so replace it in storage.
|
||||
$pass_hash = str_replace( '$', '!', $pass_hash );
|
||||
|
||||
return $pass_hash;
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user