From 58479c3055cd5c46f698b6acfe4212c9ba4cab52 Mon Sep 17 00:00:00 2001
From: Henrique de Andrade
Date: Fri, 18 Nov 2016 10:52:22 -0200
Subject: [PATCH 1/3] Update README.md adding scope search docs
---
 README.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/README.md b/README.md
index f150ab7..16459fc 100644
--- a/README.md
+++ b/README.md
@@ -39,6 +39,9 @@ To check group membership before authenticating:
 * define( 'LDAPAUTH_GROUP_ATTR', 'memberof' ); // (optional) LDAP groups attr
 * define( 'LDAPAUTH_GROUP_REQ', 'the-group;another-admin-group'); // (only if LDAPAUTH_GROUP_REQ set) Group/s user must be in. Allows multiple, semicolon delimited
+To define the scope of group req search:
+ * define( 'LDAPAUTH_GROUP_SCOP', 'sub' ); // if not defined the default is 'sub', and will check for the user in all the subtree. The other option is 'base', that will search only members of the exactly req
+
 To define the type of user cache used:
 * define( 'LDAPAUTH_USERCACHE_TYPE', 0); // (optional) Defaults to 1, which caches users in the options table. 0 turns off cacheing. Other values are currently undefined, but may be one day
From 1c92562cb892a511e699e1df4ac6dd7980629f9d Mon Sep 17 00:00:00 2001
From: Henrique de Andrade
Date: Fri, 18 Nov 2016 10:54:11 -0200
Subject: [PATCH 2/3] Update plugin.php Fixing the group authentication and adding scope option.
---
 plugin.php | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/plugin.php b/plugin.php
index 360b66a..1763b65 100644
--- a/plugin.php
+++ b/plugin.php
@@ -12,6 +12,7 @@ Author URI: http://k3a.me
 // No direct call
 if( !defined( 'YOURLS_ABSPATH' ) ) die();
+
 // returns true if the environment is set up right
 function ldapauth_environment_check() {
 $required_params = array( 
@@ -140,22 +141,27 @@ function ldapauth_is_valid_user( $value ) {
 if (empty($ldapSuccess)) {
 // we don't need to do this if we already bound using username and LDAPAUTH_BIND_WITH_USER_TEMPLATE
 $ldapSuccess = @ldap_bind($ldapConnection, $userDn, $_REQUEST['password']);
 }
- @ldap_close($ldapConnection);
-
 // success?
 if ($ldapSuccess) {
 // are we checking group auth?
 if (defined('LDAPAUTH_GROUP_ATTR') && defined('LDAPAUTH_GROUP_REQ')) {
- if (!array_key_exists(LDAPAUTH_GROUP_ATTR, $searchResult[0])) die('Not in any LDAP groups');
-
- $in_group = false;
- $groups_to_check = explode(";", strtolower(LDAPAUTH_GROUP_REQ)); // This is now an array
-
- foreach($searchResult[0][LDAPAUTH_GROUP_ATTR] as $grps) {
- if (in_array(strtolower($grps), $groups_to_check)) { $in_group = true; break; }
- }
- if (!$in_group) die('Not in admin group');
+
+ $in_group = false;
+$bind = ldap_bind($ldapConnection, LDAPAUTH_SEARCH_USER, LDAPAUTH_SEARCH_PASS);
+
+ $searchGroup = ldap_search($ldapConnection, LDAPAUTH_GROUP_REQ, LDAPAUTH_GROUP_ATTR . "=" . $_REQUEST['username']);
+ $searchG = ldap_get_entries($ldapConnection,$searchGroup);
+
+if ( LDAPAUTH_GROUP_SCOP == 'base'){
+ if ($searchG[0]['dn'] == LDAPAUTH_GROUP_REQ) $in_group = true;
+ }
+else{
+ if ($searchG[0]['dn']) $in_group = true;
+ }
+
+if (!$in_group) die('Not in admin group');
 }
 // attribute index returned by ldap_get_entries is lowercased (http://php.net/manual/en/function.ldap-get-entries.php)
@@ -218,6 +224,7 @@ function ldapauth_logout_hook( $args ) {
 * will work. Users that exist in both users/config.php and LDAP will need to use
 * their LDAP passwords
 */
+
 yourls_add_action ('plugins_loaded', 'ldapauth_merge_users');
 function ldapauth_merge_users() {
 global $ydb;
@@ -230,7 +237,6 @@ function ldapauth_merge_users() {
 $yourls_user_passwords = array_merge($yourls_user_passwords, $ydb->option['ldapauth_usercache']);
 }
 }
-
 /**
 * Create user in config file
 * Code reused from yourls_hash_passwords_now() 
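Review bot: `$_REQUEST['username']` goes into the LDAP filter unescaped on the `$searchGroup = ldap_search(...)` line, so a request value can alter the filter's structure instead of being matched as a literal; build the assertion as `LDAPAUTH_GROUP_ATTR . "=" . ldap_escape($_REQUEST['username'], '', LDAP_ESCAPE_FILTER)`, and note that the same line and the same unchecked results are carried into the `@@ -149,19 +149,20 @@` hunk of patch 3. `$bind` and `$searchGroup` are never tested, so a failed service-account bind or search hands `false` to `ldap_get_entries` and is refused only because the later `$searchG[0]['dn']` read yields nothing (with PHP warnings, or a TypeError on PHP 8); add `if ($bind === false || $searchGroup === false) die('LDAP group lookup failed');` before reading entries. If `LDAPAUTH_SEARCH_USER`/`LDAPAUTH_SEARCH_PASS` are optional in the bind-with-user-template mode the context comment mentions, that rebind also needs a `defined()` guard. `LDAPAUTH_GROUP_SCOP` is used bare although patch 1's README hunk documents it as optional; an undefined constant is a warning plus the literal string `'LDAPAUTH_GROUP_SCOP'` on PHP 5/7 and a thrown Error on PHP 8, so test `defined('LDAPAUTH_GROUP_SCOP') && LDAPAUTH_GROUP_SCOP == 'base'`. Dropping `@ldap_close($ldapConnection)` at the top of the hunk is needed because the handle is rebound below, but no replacement close is visible here, so the handle presumably still has to be closed after the group check, which ends past the hunk.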
@@ -263,7 +269,6 @@ function ldapauth_create_user( $user, $new_password ) {
 return $pass_hash;
 }
-
 /**
 * Hashes password the same way as yourls_hash_passwords_now()
 **/
@@ -274,7 +279,6 @@ function ldapauth_hash_password ($password) {
 return $pass_hash;
 }
-
 function ldapauth_debug ($msg) {
 if (defined('LDAPAUTH_DEBUG') && LDAPAUTH_DEBUG) {
 error_log("yourls_ldap_auth: " . $msg);
From 0950958232ddf116f1cd075d066096bc86eb4c4a Mon Sep 17 00:00:00 2001
From: Henrique de Andrade
Date: Fri, 18 Nov 2016 15:55:56 -0200
Subject: [PATCH 3/3] Update plugin.php Adding again the validation that allow more than one admin group
---
 plugin.php | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/plugin.php b/plugin.php
index 1763b65..cee8e19 100644
--- a/plugin.php
+++ b/plugin.php 
@@ -149,19 +149,20 @@ function ldapauth_is_valid_user( $value ) {
 if (defined('LDAPAUTH_GROUP_ATTR') && defined('LDAPAUTH_GROUP_REQ')) {
 $in_group = false;
-$bind = ldap_bind($ldapConnection, LDAPAUTH_SEARCH_USER, LDAPAUTH_SEARCH_PASS);
+ $bind = ldap_bind($ldapConnection, LDAPAUTH_SEARCH_USER, LDAPAUTH_SEARCH_PASS);
- $searchGroup = ldap_search($ldapConnection, LDAPAUTH_GROUP_REQ, LDAPAUTH_GROUP_ATTR . "=" . $_REQUEST['username']);
- $searchG = ldap_get_entries($ldapConnection,$searchGroup);
-
-if ( LDAPAUTH_GROUP_SCOP == 'base'){
- if ($searchG[0]['dn'] == LDAPAUTH_GROUP_REQ) $in_group = true;
- }
-else{
- if ($searchG[0]['dn']) $in_group = true;
- }
-
-if (!$in_group) die('Not in admin group');
+ $groups_to_check = explode(";", strtolower(LDAPAUTH_GROUP_REQ)); // This is now an array
+ foreach($groups_to_check as $group){
+ $searchGroup = ldap_search($ldapConnection, $group, LDAPAUTH_GROUP_ATTR . "=" . $_REQUEST['username']);
+ $searchG = ldap_get_entries($ldapConnection,$searchGroup);
+ if ( LDAPAUTH_GROUP_SCOP == 'base'){
+ if ($searchG[0]['dn'] == $group) $in_group = true;
+ }
+ else{
+ if ($searchG[0]['dn']) $in_group = true;
+ }
+ }
+ if (!$in_group) die('Not in admin group');
 }
 // attribute index returned by ldap_get_entries is lowercased (http://php.net/manual/en/function.ldap-get-entries.php)
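Review bot: In the 'base' branch, `if ($searchG[0]['dn'] == $group)` compares the DN the server returned against the `strtolower`'d configured value with a case-sensitive `==`, so it fails whenever the directory returns the DN with different letter case (LDAP itself compares DNs case-insensitively), and because `ldap_search()` always searches the subtree the 'base' setting never actually narrows the scope. Use `ldap_read()` (base scope) for 'base' and `ldap_search()` for 'sub', and decide membership from `$searchG['count'] > 0` rather than from the first entry's DN, which also removes the undefined-offset read of `$searchG[0]` when nothing matched. The loop can `break` on the first hit instead of querying the remaining groups. The rewritten loop below additionally guards `LDAPAUTH_GROUP_SCOP` with `defined()` and escapes the request-supplied username before it enters the filter. The enclosing `ldapauth_is_valid_user` starts and ends outside the hunk.
```php
$groups_to_check = explode(";", strtolower(LDAPAUTH_GROUP_REQ)); // This is now an array
// the username comes from the request: escape it so it is matched literally inside the filter
$filter = LDAPAUTH_GROUP_ATTR . "=" . ldap_escape($_REQUEST['username'], '', LDAP_ESCAPE_FILTER);
$base_only = defined('LDAPAUTH_GROUP_SCOP') && LDAPAUTH_GROUP_SCOP == 'base';
foreach($groups_to_check as $group){
    // 'base' reads only the group entry itself; 'sub' (the documented default) searches its whole subtree
    $searchGroup = $base_only
        ? ldap_read($ldapConnection, $group, $filter)
        : ldap_search($ldapConnection, $group, $filter);
    if ($searchGroup === false) continue; // unknown group DN or failed search counts as "not a member"
    $searchG = ldap_get_entries($ldapConnection, $searchGroup);
    if ($searchG !== false && $searchG['count'] > 0) { $in_group = true; break; }
}
if (!$in_group) die('Not in admin group');
```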