Merge pull request #12 from henriquecrang/master
Group authentication improved
This commit is contained in:
commit
de00e141c2
@ -39,6 +39,9 @@ To check group membership before authenticating:
|
|||||||
* define( 'LDAPAUTH_GROUP_ATTR', 'memberof' ); // (optional) LDAP groups attr
|
* define( 'LDAPAUTH_GROUP_ATTR', 'memberof' ); // (optional) LDAP groups attr
|
||||||
* define( 'LDAPAUTH_GROUP_REQ', 'the-group;another-admin-group'); // (only if LDAPAUTH_GROUP_REQ set) Group/s user must be in. Allows multiple, semicolon delimited
|
* define( 'LDAPAUTH_GROUP_REQ', 'the-group;another-admin-group'); // (only if LDAPAUTH_GROUP_REQ set) Group/s user must be in. Allows multiple, semicolon delimited
|
||||||
|
|
||||||
|
To define the scope of group req search:
|
||||||
|
* define( 'LDAPAUTH_GROUP_SCOP', 'sub' ); // if not defined the default is 'sub', and will check for the user in all the subtree. The other option is 'base', that will search only members of the exactly req
|
||||||
|
|
||||||
To define the type of user cache used:
|
To define the type of user cache used:
|
||||||
* define( 'LDAPAUTH_USERCACHE_TYPE', 0); // (optional) Defaults to 1, which caches users in the options table. 0 turns off cacheing. Other values are currently undefined, but may be one day
|
* define( 'LDAPAUTH_USERCACHE_TYPE', 0); // (optional) Defaults to 1, which caches users in the options table. 0 turns off cacheing. Other values are currently undefined, but may be one day
|
||||||
|
|
||||||
|
21
plugin.php
21
plugin.php
@ -12,6 +12,7 @@ Author URI: http://k3a.me
|
|||||||
// No direct call
|
// No direct call
|
||||||
if( !defined( 'YOURLS_ABSPATH' ) ) die();
|
if( !defined( 'YOURLS_ABSPATH' ) ) die();
|
||||||
|
|
||||||
|
|
||||||
// returns true if the environment is set up right
|
// returns true if the environment is set up right
|
||||||
function ldapauth_environment_check() {
|
function ldapauth_environment_check() {
|
||||||
$required_params = array(
|
$required_params = array(
|
||||||
@ -140,20 +141,26 @@ function ldapauth_is_valid_user( $value ) {
|
|||||||
if (empty($ldapSuccess)) { // we don't need to do this if we already bound using username and LDAPAUTH_BIND_WITH_USER_TEMPLATE
|
if (empty($ldapSuccess)) { // we don't need to do this if we already bound using username and LDAPAUTH_BIND_WITH_USER_TEMPLATE
|
||||||
$ldapSuccess = @ldap_bind($ldapConnection, $userDn, $_REQUEST['password']);
|
$ldapSuccess = @ldap_bind($ldapConnection, $userDn, $_REQUEST['password']);
|
||||||
}
|
}
|
||||||
@ldap_close($ldapConnection);
|
|
||||||
|
|
||||||
// success?
|
// success?
|
||||||
if ($ldapSuccess)
|
if ($ldapSuccess)
|
||||||
{
|
{
|
||||||
// are we checking group auth?
|
// are we checking group auth?
|
||||||
if (defined('LDAPAUTH_GROUP_ATTR') && defined('LDAPAUTH_GROUP_REQ')) {
|
if (defined('LDAPAUTH_GROUP_ATTR') && defined('LDAPAUTH_GROUP_REQ')) {
|
||||||
if (!array_key_exists(LDAPAUTH_GROUP_ATTR, $searchResult[0])) die('Not in any LDAP groups');
|
|
||||||
|
|
||||||
$in_group = false;
|
$in_group = false;
|
||||||
$groups_to_check = explode(";", strtolower(LDAPAUTH_GROUP_REQ)); // This is now an array
|
$bind = ldap_bind($ldapConnection, LDAPAUTH_SEARCH_USER, LDAPAUTH_SEARCH_PASS);
|
||||||
|
|
||||||
foreach($searchResult[0][LDAPAUTH_GROUP_ATTR] as $grps) {
|
$groups_to_check = explode(";", strtolower(LDAPAUTH_GROUP_REQ)); // This is now an array
|
||||||
if (in_array(strtolower($grps), $groups_to_check)) { $in_group = true; break; }
|
foreach($groups_to_check as $group){
|
||||||
|
$searchGroup = ldap_search($ldapConnection, $group, LDAPAUTH_GROUP_ATTR . "=" . $_REQUEST['username']);
|
||||||
|
$searchG = ldap_get_entries($ldapConnection,$searchGroup);
|
||||||
|
if ( LDAPAUTH_GROUP_SCOP == 'base'){
|
||||||
|
if ($searchG[0]['dn'] == $group) $in_group = true;
|
||||||
|
}
|
||||||
|
else{
|
||||||
|
if ($searchG[0]['dn']) $in_group = true;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if (!$in_group) die('Not in admin group');
|
if (!$in_group) die('Not in admin group');
|
||||||
}
|
}
|
||||||
@ -218,6 +225,7 @@ function ldapauth_logout_hook( $args ) {
|
|||||||
* will work. Users that exist in both users/config.php and LDAP will need to use
|
* will work. Users that exist in both users/config.php and LDAP will need to use
|
||||||
* their LDAP passwords
|
* their LDAP passwords
|
||||||
*/
|
*/
|
||||||
|
|
||||||
yourls_add_action ('plugins_loaded', 'ldapauth_merge_users');
|
yourls_add_action ('plugins_loaded', 'ldapauth_merge_users');
|
||||||
function ldapauth_merge_users() {
|
function ldapauth_merge_users() {
|
||||||
global $ydb;
|
global $ydb;
|
||||||
@ -230,7 +238,6 @@ function ldapauth_merge_users() {
|
|||||||
$yourls_user_passwords = array_merge($yourls_user_passwords, $ydb->option['ldapauth_usercache']);
|
$yourls_user_passwords = array_merge($yourls_user_passwords, $ydb->option['ldapauth_usercache']);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Create user in config file
|
* Create user in config file
|
||||||
* Code reused from yourls_hash_passwords_now()
|
* Code reused from yourls_hash_passwords_now()
|
||||||
@ -263,7 +270,6 @@ function ldapauth_create_user( $user, $new_password ) {
|
|||||||
|
|
||||||
return $pass_hash;
|
return $pass_hash;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Hashes password the same way as yourls_hash_passwords_now()
|
* Hashes password the same way as yourls_hash_passwords_now()
|
||||||
**/
|
**/
|
||||||
@ -274,7 +280,6 @@ function ldapauth_hash_password ($password) {
|
|||||||
|
|
||||||
return $pass_hash;
|
return $pass_hash;
|
||||||
}
|
}
|
||||||
|
|
||||||
function ldapauth_debug ($msg) {
|
function ldapauth_debug ($msg) {
|
||||||
if (defined('LDAPAUTH_DEBUG') && LDAPAUTH_DEBUG) {
|
if (defined('LDAPAUTH_DEBUG') && LDAPAUTH_DEBUG) {
|
||||||
error_log("yourls_ldap_auth: " . $msg);
|
error_log("yourls_ldap_auth: " . $msg);
|
||||||
|
Loading…
Reference in New Issue
Block a user