Merge pull request #12 from henriquecrang/master

Group authentication improved
K3A 2016-11-18 23:22:43 +01:00 committed by GitHub
commit de00e141c2
2 changed files with 22 additions and 14 deletions


@ -39,6 +39,9 @@ To check group membership before authenticating:
* define( 'LDAPAUTH_GROUP_ATTR', 'memberof' ); // (optional) LDAP groups attr * define( 'LDAPAUTH_GROUP_ATTR', 'memberof' ); // (optional) LDAP groups attr
* define( 'LDAPAUTH_GROUP_REQ', 'the-group;another-admin-group'); // (only if LDAPAUTH_GROUP_REQ set) Group/s user must be in. Allows multiple, semicolon delimited * define( 'LDAPAUTH_GROUP_REQ', 'the-group;another-admin-group'); // (only if LDAPAUTH_GROUP_REQ set) Group/s user must be in. Allows multiple, semicolon delimited
To define the scope of group req search:
* define( 'LDAPAUTH_GROUP_SCOP', 'sub' ); // if not defined the default is 'sub', and will check for the user in all the subtree. The other option is 'base', that will search only members of the exactly req
To define the type of user cache used: To define the type of user cache used:
* define( 'LDAPAUTH_USERCACHE_TYPE', 0); // (optional) Defaults to 1, which caches users in the options table. 0 turns off cacheing. Other values are currently undefined, but may be one day * define( 'LDAPAUTH_USERCACHE_TYPE', 0); // (optional) Defaults to 1, which caches users in the options table. 0 turns off cacheing. Other values are currently undefined, but may be one day


@ -12,6 +12,7 @@ Author URI: http://k3a.me
// No direct call // No direct call
if( !defined( 'YOURLS_ABSPATH' ) ) die(); if( !defined( 'YOURLS_ABSPATH' ) ) die();
// returns true if the environment is set up right // returns true if the environment is set up right
function ldapauth_environment_check() { function ldapauth_environment_check() {
$required_params = array( $required_params = array(
@ -140,20 +141,26 @@ function ldapauth_is_valid_user( $value ) {
if (empty($ldapSuccess)) { // we don't need to do this if we already bound using username and LDAPAUTH_BIND_WITH_USER_TEMPLATE if (empty($ldapSuccess)) { // we don't need to do this if we already bound using username and LDAPAUTH_BIND_WITH_USER_TEMPLATE
$ldapSuccess = @ldap_bind($ldapConnection, $userDn, $_REQUEST['password']); $ldapSuccess = @ldap_bind($ldapConnection, $userDn, $_REQUEST['password']);
} }
@ldap_close($ldapConnection);
// success? // success?
if ($ldapSuccess) if ($ldapSuccess)
{ {
// are we checking group auth? // are we checking group auth?
if (defined('LDAPAUTH_GROUP_ATTR') && defined('LDAPAUTH_GROUP_REQ')) { if (defined('LDAPAUTH_GROUP_ATTR') && defined('LDAPAUTH_GROUP_REQ')) {
if (!array_key_exists(LDAPAUTH_GROUP_ATTR, $searchResult[0])) die('Not in any LDAP groups');
$in_group = false; $in_group = false;
$groups_to_check = explode(";", strtolower(LDAPAUTH_GROUP_REQ)); // This is now an array $bind = ldap_bind($ldapConnection, LDAPAUTH_SEARCH_USER, LDAPAUTH_SEARCH_PASS);
foreach($searchResult[0][LDAPAUTH_GROUP_ATTR] as $grps) { $groups_to_check = explode(";", strtolower(LDAPAUTH_GROUP_REQ)); // This is now an array
if (in_array(strtolower($grps), $groups_to_check)) { $in_group = true; break; } foreach($groups_to_check as $group){
$searchGroup = ldap_search($ldapConnection, $group, LDAPAUTH_GROUP_ATTR . "=" . $_REQUEST['username']);
$searchG = ldap_get_entries($ldapConnection,$searchGroup);
if ( LDAPAUTH_GROUP_SCOP == 'base'){
if ($searchG[0]['dn'] == $group) $in_group = true;
}
else{
if ($searchG[0]['dn']) $in_group = true;
}
} }
if (!$in_group) die('Not in admin group'); if (!$in_group) die('Not in admin group');
} }
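Review bot: The filter on the `ldap_search` line splices `$_REQUEST['username']` into the LDAP query unescaped, so a username containing filter metacharacters changes what the search matches; build the filter once with `ldap_escape($_REQUEST['username'], '', LDAP_ESCAPE_FILTER)` before the loop. The `$bind` result is never checked and `$searchG[0]['dn']` is read without consulting `$searchG['count']`, so a failed service bind or an empty result produces undefined-index notices instead of a clear deny. `LDAPAUTH_GROUP_SCOP` is read without a `defined()` guard even though the README hunk documents it as optional with default `'sub'`, and the `'base'` branch compares the server's DN against the already-lowercased `$group`, so a mixed-case DN never matches. It also looks like the `@ldap_close($ldapConnection)` call was dropped from this spot; confirm the connection is still closed after the group check, which lies outside this hunk, as does the start of ldapauth_is_valid_user.
```php
            if (defined('LDAPAUTH_GROUP_ATTR') && defined('LDAPAUTH_GROUP_REQ')) {
                $in_group = false;
                $bind = @ldap_bind($ldapConnection, LDAPAUTH_SEARCH_USER, LDAPAUTH_SEARCH_PASS);
                if (!$bind) die('Not in admin group');
                $scope = defined('LDAPAUTH_GROUP_SCOP') ? LDAPAUTH_GROUP_SCOP : 'sub';
                // user-supplied value is escaped before it is spliced into the filter
                $filter = LDAPAUTH_GROUP_ATTR . "=" . ldap_escape($_REQUEST['username'], '', LDAP_ESCAPE_FILTER);
                $groups_to_check = explode(";", strtolower(LDAPAUTH_GROUP_REQ)); // This is now an array
                foreach($groups_to_check as $group){
                    $searchGroup = @ldap_search($ldapConnection, $group, $filter);
                    $searchG = $searchGroup ? ldap_get_entries($ldapConnection, $searchGroup) : false;
                    if (!$searchG || $searchG['count'] < 1) continue;
                    if ($scope == 'base') {
                        if (strtolower($searchG[0]['dn']) == $group) $in_group = true;
                    } else {
                        $in_group = true;
                    }
                }
                if (!$in_group) die('Not in admin group');
            }
```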
@ -218,6 +225,7 @@ function ldapauth_logout_hook( $args ) {
* will work. Users that exist in both users/config.php and LDAP will need to use * will work. Users that exist in both users/config.php and LDAP will need to use
* their LDAP passwords * their LDAP passwords
*/ */
yourls_add_action ('plugins_loaded', 'ldapauth_merge_users'); yourls_add_action ('plugins_loaded', 'ldapauth_merge_users');
function ldapauth_merge_users() { function ldapauth_merge_users() {
global $ydb; global $ydb;
@ -230,7 +238,6 @@ function ldapauth_merge_users() {
$yourls_user_passwords = array_merge($yourls_user_passwords, $ydb->option['ldapauth_usercache']); $yourls_user_passwords = array_merge($yourls_user_passwords, $ydb->option['ldapauth_usercache']);
} }
} }
/** /**
* Create user in config file * Create user in config file
* Code reused from yourls_hash_passwords_now() * Code reused from yourls_hash_passwords_now()
@ -263,7 +270,6 @@ function ldapauth_create_user( $user, $new_password ) {
return $pass_hash; return $pass_hash;
} }
/** /**
* Hashes password the same way as yourls_hash_passwords_now() * Hashes password the same way as yourls_hash_passwords_now()
**/ **/
@ -274,7 +280,6 @@ function ldapauth_hash_password ($password) {
return $pass_hash; return $pass_hash;
} }
function ldapauth_debug ($msg) { function ldapauth_debug ($msg) {
if (defined('LDAPAUTH_DEBUG') && LDAPAUTH_DEBUG) { if (defined('LDAPAUTH_DEBUG') && LDAPAUTH_DEBUG) {
error_log("yourls_ldap_auth: " . $msg); error_log("yourls_ldap_auth: " . $msg);