Merge pull request #12 from henriquecrang/master

Group authentication improved
2016-11-18 23:22:43 +01:00 · 2016-11-18 23:22:43 +01:00 · de00e141c2
commit de00e141c2
parent 04d1464d6d 0950958232
2 changed files with 22 additions and 14 deletions
--- a/README.md
+++ b/README.md
@ -39,6 +39,9 @@ To check group membership before authenticating:
  * define( 'LDAPAUTH_GROUP_ATTR', 'memberof' ); // (optional) LDAP groups attr
  * define( 'LDAPAUTH_GROUP_REQ', 'the-group;another-admin-group'); // (only if LDAPAUTH_GROUP_REQ set) Group/s user must be in. Allows multiple, semicolon delimited
 To define the scope of group req search:
  * define( 'LDAPAUTH_GROUP_SCOP', 'sub' ); // if not defined the default is 'sub', and will check for the user in all the subtree. The other option is 'base', that will search only members of the exactly req
 To define the type of user cache used:
  * define( 'LDAPAUTH_USERCACHE_TYPE', 0); // (optional) Defaults to 1, which caches users in the options table. 0 turns off cacheing. Other values are currently undefined, but may be one day
--- a/plugin.php
+++ b/plugin.php
@ -12,6 +12,7 @@ Author URI: http://k3a.me
 // No direct call
 if( !defined( 'YOURLS_ABSPATH' ) ) die();
 // returns true if the environment is set up right
 function ldapauth_environment_check() {
 	$required_params = array(
@ -140,22 +141,28 @@ function ldapauth_is_valid_user( $value ) {
 		if (empty($ldapSuccess)) { // we don't need to do this if we already bound using username and LDAPAUTH_BIND_WITH_USER_TEMPLATE
 		  $ldapSuccess = @ldap_bind($ldapConnection, $userDn, $_REQUEST['password']);
 		}
-		@ldap_close($ldapConnection);
+	
 		// success?
 		if ($ldapSuccess)
 		{
 			// are we checking group auth?
 			if (defined('LDAPAUTH_GROUP_ATTR') && defined('LDAPAUTH_GROUP_REQ')) {
-				if (!array_key_exists(LDAPAUTH_GROUP_ATTR, $searchResult[0])) die('Not in any LDAP groups');
+	
-				
+                           $in_group = false;
-				$in_group = false;
+			   $bind = ldap_bind($ldapConnection, LDAPAUTH_SEARCH_USER, LDAPAUTH_SEARCH_PASS);
-				$groups_to_check = explode(";", strtolower(LDAPAUTH_GROUP_REQ)); // This is now an array
+
-				
+			   $groups_to_check = explode(";", strtolower(LDAPAUTH_GROUP_REQ)); // This is now an array
-				foreach($searchResult[0][LDAPAUTH_GROUP_ATTR] as $grps) {
+			   foreach($groups_to_check as $group){
-					if (in_array(strtolower($grps), $groups_to_check)) { $in_group = true; break;  }
+		                   $searchGroup = ldap_search($ldapConnection, $group, LDAPAUTH_GROUP_ATTR . "=" . $_REQUEST['username']);
-				}
+	                           $searchG = ldap_get_entries($ldapConnection,$searchGroup);
-				if (!$in_group) die('Not in admin group');
+				   if ( LDAPAUTH_GROUP_SCOP == 'base'){
 					if ($searchG[0]['dn'] == $group) $in_group = true;
 					}
 				   else{
 					if ($searchG[0]['dn']) $in_group = true;
 				   }
 			   }
 			   if (!$in_group) die('Not in admin group');
 			}
 			// attribute index returned by ldap_get_entries is lowercased (http://php.net/manual/en/function.ldap-get-entries.php)
@ -218,6 +225,7 @@ function ldapauth_logout_hook( $args ) {
 * will work. Users that exist in both users/config.php and LDAP will need to use 
 * their LDAP passwords
 */
 yourls_add_action ('plugins_loaded', 'ldapauth_merge_users');
 function ldapauth_merge_users() {
 	global $ydb;
@ -230,7 +238,6 @@ function ldapauth_merge_users() {
 		$yourls_user_passwords = array_merge($yourls_user_passwords, $ydb->option['ldapauth_usercache']);
 	}
 }
 /**
 * Create user in config file
 * Code reused from yourls_hash_passwords_now()
@ -263,7 +270,6 @@ function ldapauth_create_user( $user, $new_password ) {
 	return $pass_hash;
 }
 /**
 * Hashes password the same way as yourls_hash_passwords_now()
 **/
@ -274,7 +280,6 @@ function ldapauth_hash_password ($password) {
 	return $pass_hash;
 }
 function ldapauth_debug ($msg) {
 	if (defined('LDAPAUTH_DEBUG') && LDAPAUTH_DEBUG) { 
 		error_log("yourls_ldap_auth: " . $msg);