prefix
This commit is contained in:
root
parent
e5d5e8e71b
commit
8a619851e7
11
README.md
11
README.md
@ -7,7 +7,7 @@ Installation
|
||||
------------
|
||||
1. Download the latest yourls-ldap-plugin.
|
||||
1. Copy the plugin folder into your user/plugins folder for YOURLS.
|
||||
1. Set up the parameters for yourls-ldap-plugin in YOURLS configuration (see below).
|
||||
1. Set up the parameters for yourls-ldap-plugin in YOURLS configuration user/config.php (see below).
|
||||
1. Activate the plugin with the plugin manager in the admin interface.
|
||||
|
||||
Usage
|
||||
@ -16,10 +16,11 @@ When yourls-cas-plugin is enabled and user was not successfuly authenticated usi
|
||||
|
||||
Configuration
|
||||
-------------
|
||||
* `LDAP_HOST` LDAP host name, IP or URL. You can use ldaps://host for LDAP with TLS
|
||||
* `LDAP_PORT` LDAP server port - often 389 or 636 for TLS (LDAPS)
|
||||
* `LDAP_BASE` Base DN (location of users)
|
||||
* `LDAP_USERNAME_FIELD` (optional) LDAP field name in which username is store
|
||||
|
||||
* define( 'LDAPAUTH_HOST', 'ldaps://ldap.domain.com' ) LDAP host name, IP or URL. You can use ldaps://host for LDAP with TLS
|
||||
* define( 'LDAPAUTH_PORT', '636' ) LDAP server port - often 389 or 636 for TLS (LDAPS)
|
||||
* define( 'LDAPAUTH_BASE', 'dc=domain,dc=com' ) Base DN (location of users)
|
||||
* define( 'LDAPAUTH_USERNAME_FIELD', 'uid') (optional) LDAP field name in which username is store
|
||||
|
||||
Troubleshooting
|
||||
---------------
|
||||
|
||||
74
plugin.php
74
plugin.php
@ -13,12 +13,12 @@ Author URI: http://k3a.me
|
||||
if( !defined( 'YOURLS_ABSPATH' ) ) die();
|
||||
|
||||
// returns true if the environment is set up right
|
||||
function ldap_environment_check() {
|
||||
function ldapauth_environment_check() {
|
||||
$required_params = array(
|
||||
'LDAP_HOST', // ldap host
|
||||
//'LDAP_PORT', // ldap port
|
||||
'LDAP_BASE', // base ldap path
|
||||
//'LDAP_USERNAME_FIELD', // field to check the username against
|
||||
'LDAPAUTH_HOST', // ldap host
|
||||
//'LDAAUTHP_PORT', // ldap port
|
||||
'LDAPAUTH_BASE', // base ldap path
|
||||
//'LDAPAUTH_USERNAME_FIELD', // field to check the username against
|
||||
);
|
||||
|
||||
foreach ($required_params as $pname) {
|
||||
@ -29,42 +29,42 @@ function ldap_environment_check() {
|
||||
}
|
||||
}
|
||||
|
||||
if ( !defined( 'LDAP_PORT' ) )
|
||||
define( 'LDAP_PORT', 389 );
|
||||
if ( !defined( 'LDAPAUTH_PORT' ) )
|
||||
define( 'LDAPAUTH_PORT', 389 );
|
||||
|
||||
if ( !defined( 'LDAP_USERNAME_FIELD' ) )
|
||||
define( 'LDAP_USERNAME_FIELD', 'uid' );
|
||||
if ( !defined( 'LDAPAUTH_USERNAME_FIELD' ) )
|
||||
define( 'LDAPAUTH_USERNAME_FIELD', 'uid' );
|
||||
|
||||
if ( !defined( 'LDAP_ALL_USERS_ADMIN' ) )
|
||||
define( 'LDAP_ALL_USERS_ADMIN', true );
|
||||
if ( !defined( 'LDAPAUTH_ALL_USERS_ADMIN' ) )
|
||||
define( 'LDAPAUTH_ALL_USERS_ADMIN', true );
|
||||
|
||||
global $ldap_authorized_admins;
|
||||
if ( !isset( $ldap_authorized_admins ) ) {
|
||||
if ( !LDAP_ALL_USERS_ADMIN ) {
|
||||
error_log('Undefined $ldap_authorized_admins');
|
||||
global $ldapauth_authorized_admins;
|
||||
if ( !isset( $ldapauth_authorized_admins ) ) {
|
||||
if ( !LDAPAUTH_ALL_USERS_ADMIN ) {
|
||||
error_log('Undefined $ldapauth_authorized_admins');
|
||||
}
|
||||
$ldap_authorized_admins = array();
|
||||
$ldapauth_authorized_admins = array();
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
yourls_add_filter( 'is_valid_user', 'ldap_is_valid_user' );
|
||||
yourls_add_filter( 'is_valid_user', 'ldapauth_is_valid_user' );
|
||||
|
||||
// returns true/false
|
||||
function ldap_is_valid_user( $value ) {
|
||||
function ldapauth_is_valid_user( $value ) {
|
||||
// doesn't work for API...
|
||||
if (yourls_is_API())
|
||||
return $value;
|
||||
|
||||
@session_start();
|
||||
|
||||
if ( isset( $_SESSION['LDAP_AUTH_USER'] ) ) {
|
||||
if ( isset( $_SESSION['LDAPAUTH_AUTH_USER'] ) ) {
|
||||
// already authenticated...
|
||||
$username = $_SESSION['LDAP_AUTH_USER'];
|
||||
if ( ldap_is_authorized_user( $username ) ) {
|
||||
yourls_set_user( $_SESSION['LDAP_AUTH_USER'] );
|
||||
$username = $_SESSION['LDAPAUTH_AUTH_USER'];
|
||||
if ( ldapauth_is_authorized_user( $username ) ) {
|
||||
yourls_set_user( $_SESSION['LDAPAUTH_AUTH_USER'] );
|
||||
return true;
|
||||
} else {
|
||||
return $username.' is not admin user.';
|
||||
@ -72,28 +72,28 @@ function ldap_is_valid_user( $value ) {
|
||||
} else if ( isset( $_REQUEST['username'] ) && isset( $_REQUEST['password'] )
|
||||
&& !empty( $_REQUEST['username'] ) && !empty( $_REQUEST['password'] ) ) {
|
||||
|
||||
if ( !ldap_environment_check() ) {
|
||||
if ( !ldapauth_environment_check() ) {
|
||||
die( 'Invalid configuration for YOURLS LDAP plugin. Check PHP error log.' );
|
||||
}
|
||||
|
||||
// try to authenticate
|
||||
$ldapConnection = ldap_connect(LDAP_HOST, LDAP_PORT);
|
||||
if (!$ldapConnection) Die("Cannot connect to LDAP " . LDAP_HOST);
|
||||
$searchDn = ldap_search($ldapConnection, LDAP_BASE, LDAP_USERNAME_FIELD . "=" . $_REQUEST['username'] );
|
||||
$ldapConnection = ldap_connect(LDAPAUTH_HOST, LDAPAUTH_PORT);
|
||||
if (!$ldapConnection) Die("Cannot connect to LDAP " . LDAPAUTH_HOST);
|
||||
$searchDn = ldap_search($ldapConnection, LDAPAUTH_BASE, LDAPAUTH_USERNAME_FIELD . "=" . $_REQUEST['username'] );
|
||||
if (!$searchDn) return $value;
|
||||
$searchResult = ldap_get_entries($ldapConnection, $searchDn);
|
||||
if (!$searchResult) return $value;
|
||||
$userDn = $searchResult[0]['dn'];
|
||||
if (!$userDn) return $value;
|
||||
$ldap_login = @ldap_bind($ldapConnection, $userDn, $_REQUEST['password']);
|
||||
$ldapSuccess = @ldap_bind($ldapConnection, $userDn, $_REQUEST['password']);
|
||||
@ldap_close($ldapConnection);
|
||||
|
||||
// success?
|
||||
if ($ldap_login)
|
||||
if ($ldapSuccess)
|
||||
{
|
||||
$username = $searchResult[0][LDAP_USERNAME_FIELD][0];
|
||||
$username = $searchResult[0][LDAPAUTH_USERNAME_FIELD][0];
|
||||
yourls_set_user($username);
|
||||
$_SESSION['LDAP_AUTH_USER'] = $username;
|
||||
$_SESSION['LDAPAUTH_AUTH_USER'] = $username;
|
||||
return true;
|
||||
}
|
||||
}
|
||||
@ -101,16 +101,16 @@ function ldap_is_valid_user( $value ) {
|
||||
return $value;
|
||||
}
|
||||
|
||||
function ldap_is_authorized_user( $username ) {
|
||||
function ldapauth_is_authorized_user( $username ) {
|
||||
// by default, anybody who can authenticate is also
|
||||
// authorized as an administrator.
|
||||
if ( LDAP_ALL_USERS_ADMIN ) {
|
||||
if ( LDAPAUTH_ALL_USERS_ADMIN ) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// users listed in config.php are admin users. let them in.
|
||||
global $ldap_authorized_admins;
|
||||
if ( in_array( $username, $ldap_authorized_admins ) ) {
|
||||
global $ldapauth_authorized_admins;
|
||||
if ( in_array( $username, $ldapauth_authorized_admins ) ) {
|
||||
return true;
|
||||
}
|
||||
|
||||
@ -118,9 +118,9 @@ function ldap_is_authorized_user( $username ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
yourls_add_action( 'logout', 'ldap_logout_hook' );
|
||||
yourls_add_action( 'logout', 'ldapauth_logout_hook' );
|
||||
|
||||
function ldap_logout_hook( $args ) {
|
||||
unset($_SESSION['LDAP_AUTH_USER']);
|
||||
function ldapauth_logout_hook( $args ) {
|
||||
unset($_SESSION['LDAPAUTH_AUTH_USER']);
|
||||
setcookie('PHPSESSID', '', 0, '/');
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user