diff --git a/README.md b/README.md index 281f468..07c52ad 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ Installation ------------ 1. Download the latest yourls-ldap-plugin. 1. Copy the plugin folder into your user/plugins folder for YOURLS. -1. Set up the parameters for yourls-ldap-plugin in YOURLS configuration (see below). +1. Set up the parameters for yourls-ldap-plugin in YOURLS configuration user/config.php (see below). 1. Activate the plugin with the plugin manager in the admin interface. Usage @@ -16,10 +16,11 @@ When yourls-cas-plugin is enabled and user was not successfuly authenticated usi Configuration ------------- - * `LDAP_HOST` LDAP host name, IP or URL. You can use ldaps://host for LDAP with TLS - * `LDAP_PORT` LDAP server port - often 389 or 636 for TLS (LDAPS) - * `LDAP_BASE` Base DN (location of users) - * `LDAP_USERNAME_FIELD` (optional) LDAP field name in which username is store + + * define( 'LDAPAUTH_HOST', 'ldaps://ldap.domain.com' ) LDAP host name, IP or URL. You can use ldaps://host for LDAP with TLS + * define( 'LDAPAUTH_PORT', '636' ) LDAP server port - often 389 or 636 for TLS (LDAPS) + * define( 'LDAPAUTH_BASE', 'dc=domain,dc=com' ) Base DN (location of users) + * define( 'LDAPAUTH_USERNAME_FIELD', 'uid') (optional) LDAP field name in which username is store Troubleshooting --------------- diff --git a/plugin.php b/plugin.php index bcf06ed..f3ba401 100644 --- a/plugin.php +++ b/plugin.php 
@@ -13,12 +13,12 @@ Author URI: http://k3a.me
 if( !defined( 'YOURLS_ABSPATH' ) ) die();
 // returns true if the environment is set up right
-function ldap_environment_check() {
+function ldapauth_environment_check() {
 $required_params = array(
- 'LDAP_HOST', // ldap host
- //'LDAP_PORT', // ldap port
- 'LDAP_BASE', // base ldap path
- //'LDAP_USERNAME_FIELD', // field to check the username against
+ 'LDAPAUTH_HOST', // ldap host
+ //'LDAAUTHP_PORT', // ldap port
+ 'LDAPAUTH_BASE', // base ldap path
+ //'LDAPAUTH_USERNAME_FIELD', // field to check the username against
 );
 foreach ($required_params as $pname) {
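Review bot: The commented-out optional entry in the new `$required_params` list misspells the constant as `'LDAAUTHP_PORT'`, so the hint no longer matches the name the function actually defaults in the next hunk; a maintainer who uncomments it to make the port mandatory would add a requirement that no config can satisfy. Suggest `//'LDAPAUTH_PORT', // ldap port`. The two commented entries would also read better with a reason, e.g. `// optional: defaulted below`. The body of ldapauth_environment_check continues past this hunk.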
@@ -29,42 +29,42 @@ function ldap_environment_check() {
 }
 }
- if ( !defined( 'LDAP_PORT' ) )
- define( 'LDAP_PORT', 389 );
+ if ( !defined( 'LDAPAUTH_PORT' ) )
+ define( 'LDAPAUTH_PORT', 389 );
- if ( !defined( 'LDAP_USERNAME_FIELD' ) )
- define( 'LDAP_USERNAME_FIELD', 'uid' );
+ if ( !defined( 'LDAPAUTH_USERNAME_FIELD' ) )
+ define( 'LDAPAUTH_USERNAME_FIELD', 'uid' );
- if ( !defined( 'LDAP_ALL_USERS_ADMIN' ) )
- define( 'LDAP_ALL_USERS_ADMIN', true );
+ if ( !defined( 'LDAPAUTH_ALL_USERS_ADMIN' ) )
+ define( 'LDAPAUTH_ALL_USERS_ADMIN', true );
- global $ldap_authorized_admins;
- if ( !isset( $ldap_authorized_admins ) ) {
- if ( !LDAP_ALL_USERS_ADMIN ) {
- error_log('Undefined $ldap_authorized_admins');
+ global $ldapauth_authorized_admins;
+ if ( !isset( $ldapauth_authorized_admins ) ) {
+ if ( !LDAPAUTH_ALL_USERS_ADMIN ) {
+ error_log('Undefined $ldapauth_authorized_admins');
 }
- $ldap_authorized_admins = array();
+ $ldapauth_authorized_admins = array();
 }
 return true;
 }
-yourls_add_filter( 'is_valid_user', 'ldap_is_valid_user' );
+yourls_add_filter( 'is_valid_user', 'ldapauth_is_valid_user' );
 // returns true/false
-function ldap_is_valid_user( $value ) {
+function ldapauth_is_valid_user( $value ) {
 // doesn't work for API...
 if (yourls_is_API()) return $value;
 @session_start();
- if ( isset( $_SESSION['LDAP_AUTH_USER'] ) ) {
+ if ( isset( $_SESSION['LDAPAUTH_AUTH_USER'] ) ) {
 // already authenticated...
- $username = $_SESSION['LDAP_AUTH_USER'];
- if ( ldap_is_authorized_user( $username ) ) {
- yourls_set_user( $_SESSION['LDAP_AUTH_USER'] );
+ $username = $_SESSION['LDAPAUTH_AUTH_USER'];
+ if ( ldapauth_is_authorized_user( $username ) ) {
+ yourls_set_user( $_SESSION['LDAPAUTH_AUTH_USER'] );
 return true;
 } else {
 return $username.' is not admin user.';
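Review bot: Renaming `LDAP_ALL_USERS_ADMIN` and `$ldap_authorized_admins` to the `LDAPAUTH_*` names silently changes the authorization policy for any install whose user/config.php still uses the old names: the new code reads only `LDAPAUTH_ALL_USERS_ADMIN`, defaults it to `true` when undefined, and skips the `error_log` branch in that case, so a deployment that had restricted admin access to a listed set of users would, after this upgrade, grant admin to every user who can bind without any log line. ldapauth_environment_check could refuse to run on a legacy config, e.g. `if ( defined( 'LDAP_ALL_USERS_ADMIN' ) || isset( $GLOBALS['ldap_authorized_admins'] ) ) {` / `error_log('Legacy LDAP_* settings found; rename them to LDAPAUTH_*'); return false;` / `}`. The permissive default also deserves a comment above its define, such as `// default: anyone who can bind is an admin; set LDAPAUTH_ALL_USERS_ADMIN false and list admins in $ldapauth_authorized_admins to restrict`. ldapauth_environment_check starts before this hunk and ldapauth_is_valid_user continues past it.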
@@ -72,28 +72,28 @@ function ldap_is_valid_user( $value ) {
 }
 else if ( isset( $_REQUEST['username'] ) && isset( $_REQUEST['password'] ) && !empty( $_REQUEST['username'] ) && !empty( $_REQUEST['password'] ) ) {
- if ( !ldap_environment_check() ) {
+ if ( !ldapauth_environment_check() ) {
 die( 'Invalid configuration for YOURLS LDAP plugin. Check PHP error log.' );
 }
 // try to authenticate
- $ldapConnection = ldap_connect(LDAP_HOST, LDAP_PORT);
- if (!$ldapConnection) Die("Cannot connect to LDAP " . LDAP_HOST);
- $searchDn = ldap_search($ldapConnection, LDAP_BASE, LDAP_USERNAME_FIELD . "=" . $_REQUEST['username'] );
+ $ldapConnection = ldap_connect(LDAPAUTH_HOST, LDAPAUTH_PORT);
+ if (!$ldapConnection) Die("Cannot connect to LDAP " . LDAPAUTH_HOST);
+ $searchDn = ldap_search($ldapConnection, LDAPAUTH_BASE, LDAPAUTH_USERNAME_FIELD . "=" . $_REQUEST['username'] );
 if (!$searchDn) return $value;
 $searchResult = ldap_get_entries($ldapConnection, $searchDn);
 if (!$searchResult) return $value;
 $userDn = $searchResult[0]['dn'];
 if (!$userDn) return $value;
- $ldap_login = @ldap_bind($ldapConnection, $userDn, $_REQUEST['password']);
+ $ldapSuccess = @ldap_bind($ldapConnection, $userDn, $_REQUEST['password']);
 @ldap_close($ldapConnection);
 // success?
- if ($ldap_login)
+ if ($ldapSuccess)
 {
- $username = $searchResult[0][LDAP_USERNAME_FIELD][0];
+ $username = $searchResult[0][LDAPAUTH_USERNAME_FIELD][0];
 yourls_set_user($username);
- $_SESSION['LDAP_AUTH_USER'] = $username;
+ $_SESSION['LDAPAUTH_AUTH_USER'] = $username;
 return true;
 }
 }
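Review bot: The renamed `ldap_search` call still concatenates `$_REQUEST['username']` unescaped into the search filter, so filter metacharacters in the submitted username are interpreted as filter syntax rather than as part of the value, and the DN of whichever entry the altered filter returns first is what gets bound against; the value should be escaped for filter context: `$filter = LDAPAUTH_USERNAME_FIELD . '=' . ldap_escape( $_REQUEST['username'], '', LDAP_ESCAPE_FILTER );` and `$searchDn = ldap_search($ldapConnection, LDAPAUTH_BASE, $filter );`. Since only `$searchResult[0]` is used, an ambiguous match should also be rejected before the bind with `if ( $searchResult['count'] !== 1 ) return $value;`, which additionally avoids reading an undefined index when nothing matched. `Die` on the connection failure is the only capitalised call here; `die` would match the call a few lines above. ldapauth_is_valid_user starts before this hunk and its final return is in the next one.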
@@ -101,16 +101,16 @@ function ldap_is_valid_user( $value ) {
 return $value;
 }
-function ldap_is_authorized_user( $username ) {
+function ldapauth_is_authorized_user( $username ) {
 // by default, anybody who can authenticate is also
 // authorized as an administrator.
- if ( LDAP_ALL_USERS_ADMIN ) {
+ if ( LDAPAUTH_ALL_USERS_ADMIN ) {
 return true;
 }
 // users listed in config.php are admin users. let them in.
- global $ldap_authorized_admins;
- if ( in_array( $username, $ldap_authorized_admins ) ) {
+ global $ldapauth_authorized_admins;
+ if ( in_array( $username, $ldapauth_authorized_admins ) ) {
 return true;
 }
@@ -118,9 +118,9 @@ function ldap_is_authorized_user( $username ) {
 return false;
 }
-yourls_add_action( 'logout', 'ldap_logout_hook' );
+yourls_add_action( 'logout', 'ldapauth_logout_hook' );
-function ldap_logout_hook( $args ) {
- unset($_SESSION['LDAP_AUTH_USER']);
+function ldapauth_logout_hook( $args ) {
+ unset($_SESSION['LDAPAUTH_AUTH_USER']);
 setcookie('PHPSESSID', '', 0, '/');
 }
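Review bot: The admin check `in_array( $username, $ldapauth_authorized_admins )` in ldapauth_is_authorized_user uses loose comparison, so the username read from the LDAP attribute is matched against the configured list with PHP's `==` rules, under which numeric-looking strings compare as numbers rather than byte for byte; an authorization decision should be exact: `if ( in_array( $username, $ldapauth_authorized_admins, true ) ) {`. The function's closing `return false` is in the next hunk.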
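Review bot: ldapauth_logout_hook removes the `LDAPAUTH_AUTH_USER` key and expires a cookie hard-coded as `PHPSESSID`, which only matches when the default session name is in use, and it leaves the server-side session itself alive; the cookie should be named via `session_name()` and the session destroyed so the LDAP-derived identity cannot be resumed: `if ( session_status() === PHP_SESSION_ACTIVE ) { session_destroy(); }` and `setcookie(session_name(), '', 0, '/');`. The `$args` parameter is unused and is presumably only there to satisfy the action callback shape; a one-line comment saying so would stop readers looking for a use.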