Merge pull request #6 from davoaust/master

Added adding of LDAP users to config.php
2015-05-19 18:22:05 +02:00 · 2015-05-19 18:22:05 +02:00 · 72aa29d405
commit 72aa29d405
parent 24995f3e42 35e8164917
2 changed files with 75 additions and 12 deletions
--- a/README.md
+++ b/README.md
@ -21,10 +21,10 @@ Setting the groups settings will check the user is a member of that group before
 Configuration
 -------------
-  * define( 'LDAPAUTH_HOST', 'ldaps://ldap.domain.com' ) LDAP host name, IP or URL. You can use ldaps://host for LDAP with TLS
+  * define( 'LDAPAUTH_HOST', 'ldaps://ldap.domain.com' ) // LDAP host name, IP or URL. You can use ldaps://host for LDAP with TLS
-  * define( 'LDAPAUTH_PORT', '636' ) LDAP server port - often 389 or 636 for TLS (LDAPS)
+  * define( 'LDAPAUTH_PORT', '636' ) // LDAP server port - often 389 or 636 for TLS (LDAPS)
-  * define( 'LDAPAUTH_BASE', 'dc=domain,dc=com' ) Base DN (location of users)
+  * define( 'LDAPAUTH_BASE', 'dc=domain,dc=com' ) // Base DN (location of users)
-  * define( 'LDAPAUTH_USERNAME_FIELD', 'uid') (optional) LDAP field name in which username is store
+  * define( 'LDAPAUTH_USERNAME_FIELD', 'uid') // (optional) LDAP field name in which username is store
 To use a privileged account for the user search:
  * define( 'LDAPAUTH_SEARCH_USER', 'cn=your-user,dc=domain,dc=com' ) // (optional) Privileged user to search with
@ -34,6 +34,10 @@ To check group membership before authenticating:
  * define( 'LDAPAUTH_GROUP_ATTR', 'memberof' ) // (optional) LDAP groups attr
  * define( 'LDAPAUTH_GROUP_REQ', 'the-group') // (only if LDAPAUTH_GROUP_REQ set) Group user must be in
 To automatically add LDAP users to config.php:
  * define( 'LDAPAUTH_ADD_NEW', true ) // (optional) Add LDAP users to config.php
 NOTE: This will require config.php to be writable by your webserver user
 Troubleshooting
 ---------------
  * Check PHP error log usually at `/var/log/php.log`
--- a/plugin.php
+++ b/plugin.php
@ -38,6 +38,9 @@ function ldapauth_environment_check() {
 	if ( !defined( 'LDAPAUTH_ALL_USERS_ADMIN' ) )
 		define( 'LDAPAUTH_ALL_USERS_ADMIN', true );
 	if ( !defined( 'LDAPAUTH_ADD_NEW' ) )
 		define( 'LDAPAUTH_ADD_NEW', false );
 	global $ldapauth_authorized_admins;
 	if ( !isset( $ldapauth_authorized_admins ) ) {
 		if ( !LDAPAUTH_ALL_USERS_ADMIN ) {
@ -60,6 +63,11 @@ function ldapauth_is_valid_user( $value ) {
 	@session_start();
 	// Always check & set early
 	if ( !ldapauth_environment_check() ) {
 		die( 'Invalid configuration for YOURLS LDAP plugin. Check PHP error log.' );
 	}
 	if ( isset( $_SESSION['LDAPAUTH_AUTH_USER'] ) ) {
 		// already authenticated...
 		$username = $_SESSION['LDAPAUTH_AUTH_USER'];
@ -72,13 +80,13 @@ function ldapauth_is_valid_user( $value ) {
 	} else if ( isset( $_REQUEST['username'] ) && isset( $_REQUEST['password'] )
 			&& !empty( $_REQUEST['username'] ) && !empty( $_REQUEST['password']  ) ) {
-		if ( !ldapauth_environment_check() ) {
+
-        	die( 'Invalid configuration for YOURLS LDAP plugin. Check PHP error log.' );
+
-    	}	
+
 		// try to authenticate
 		$ldapConnection = ldap_connect(LDAPAUTH_HOST, LDAPAUTH_PORT);
-		if (!$ldapConnection) Die("Cannot connect to LDAP " . LDAPAUTH_HOST);
+		if (!$ldapConnection) die("Cannot connect to LDAP " . LDAPAUTH_HOST);
 		ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
 		// Check if using a privileged user account to search
@ -111,7 +119,7 @@ function ldapauth_is_valid_user( $value ) {
 				$in_group = false;
 				foreach($searchResult[0][LDAPAUTH_GROUP_ATTR] as $grps) {
-					if (strtolower($grps) == strtolower(LDAPAUTH_GROUP_REQ)) { $in_group = true; error_log("YESSS"); break;  }
+					if (strtolower($grps) == strtolower(LDAPAUTH_GROUP_REQ)) { $in_group = true; break;  }
 				}
 				if (!$in_group) die('Not in admin group');
@ -120,9 +128,16 @@ function ldapauth_is_valid_user( $value ) {
 			$username = $searchResult[0][LDAPAUTH_USERNAME_FIELD][0];
 			yourls_set_user($username);
 			global $yourls_user_passwords;
-			$yourls_user_passwords[$username] = uniqid("",true);
+			
 			if (LDAPAUTH_ADD_NEW && !array_key_exists($username, $yourls_user_passwords)) {
 				ldapauth_create_user( $username, $_REQUEST['password'] );
 			}
 			$yourls_user_passwords[$username] = ldapauth_hash_password($_REQUEST['password']);
 			$_SESSION['LDAPAUTH_AUTH_USER'] = $username;
 			return true;
 		} else {
 			error_log("No LDAP success");
 		}
 	}
@ -152,3 +167,47 @@ function ldapauth_logout_hook( $args ) {
 	unset($_SESSION['LDAPAUTH_AUTH_USER']);
 	setcookie('PHPSESSID', '', 0, '/');
 }
 /**
 * Create user in config file
 * Code reused from yourls_hash_passwords_now()
 */
 function ldapauth_create_user( $user, $new_password ) {
 	$configdata = file_get_contents( YOURLS_CONFIGFILE );
 	if ( $configdata == FALSE )	{
 		die('Couldn\'t read the config file');
 	}
 	if (!is_writable(YOURLS_CONFIGFILE))
 		die('Can\'t write to config file');
 	$pass_hash = ldapauth_hash_password($new_password);
 	$user_line = "\t'$user' => 'phpass:$pass_hash' /* Password encrypted by YOURLS */,";
 	// Add the user on a new line after the start of the passwords array
 	$new_contents = preg_replace('/(yourls_user_passwords\s=\sarray\()/',  '$0 ' . PHP_EOL . $user_line, $configdata, -1, $count);
 	if ($count === 0) {
 		die('Couldn\'t add user, plugin may not be compatible with YourLS version');
 	} else if ($count > 1) {
 		die('Added user more than once. Check config file.');
 	}
 	$success = file_put_contents( YOURLS_CONFIGFILE, $new_contents );
 	if ( $success === false ) {
 		die('Unable to save config file');
 	}
 	return $pass_hash;
 }
 /**
 * Hashes password the same way as yourls_hash_passwords_now()
 **/
 function ldapauth_hash_password ($password) {
 	$pass_hash = yourls_phpass_hash( $password );
 	// PHP would interpret $ as a variable, so replace it in storage.
 	$pass_hash = str_replace( '$', '!', $pass_hash );
 	return $pass_hash;
 }