From fd049a8928ca4bf155f59e3ea4b9ed7761992155 Mon Sep 17 00:00:00 2001 From: Mario Voigt Date: Thu, 16 Mar 2023 18:25:13 +0100 Subject: [PATCH] Some syntax adjustments to make ldap_bind work --- plugin.php | 61 +++--------------------------------------------------- 1 file changed, 3 insertions(+), 58 deletions(-) diff --git a/plugin.php b/plugin.php index ca7cb1e..5a239a4 100644 --- a/plugin.php +++ b/plugin.php @@ -4,20 +4,18 @@ Plugin Name: Simple LDAP Auth Plugin URI: Description: This plugin enables use of LDAP provider for authentication Version: 1.1 -Author: k3a -Author URI: http://k3a.me +Author: vmario +Author URI: https://gitea.fablabchemnitz.de/vmario/yourls-ldap-auth */ // Thanks to nicwaller (https://github.com/nicwaller) for cas plugin I used as a reference! // No direct call if( !defined( 'YOURLS_ABSPATH' ) ) die(); - // returns true if the environment is set up right function ldapauth_environment_check() { $required_params = array( 'LDAPAUTH_HOST', // ldap host - //'LDAPAUTH_PORT', // ldap port 'LDAPAUTH_BASE', // base ldap path //'LDAPAUTH_USERNAME_FIELD', // field to check the username against ); @@ -30,9 +28,6 @@ function ldapauth_environment_check() { } } - if ( !defined( 'LDAPAUTH_PORT' ) ) - define( 'LDAPAUTH_PORT', 389 ); - if ( !defined( 'LDAPAUTH_USERNAME_FIELD' ) ) define( 'LDAPAUTH_USERNAME_FIELD', 'uid' ); 
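Review bot: Dropping the `LDAPAUTH_PORT` default from `ldapauth_environment_check()` means an existing configuration that defines `LDAPAUTH_PORT` is now silently ignored, because the connect call in the later `ldapauth_is_valid_user` hunk passes `LDAPAUTH_HOST` alone. A deployment that relied on a non-default port would presumably fall back to the library default for whatever `LDAPAUTH_HOST` contains, with nothing in the log to explain the failed logins. The same applies to `LDAPAUTH_DNS_SITES_AND_SERVICES`, whose handling is removed in the next hunk. I would report this at check time, e.g. `if ( defined( 'LDAPAUTH_PORT' ) ) error_log( 'yourls_ldap_auth: LDAPAUTH_PORT is no longer used; put scheme and port in LDAPAUTH_HOST' );`, and add a comment beside `'LDAPAUTH_HOST'` in `$required_params` saying it is now expected to be a full LDAP URI. The body of `ldapauth_environment_check()` continues outside this hunk.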
@@ -73,53 +68,9 @@ function ldapauth_shuffle_assoc($list) { return $random; } -// return list of Active Directory Ldap servers that are associated with a site and service -// example for $site = = '_ldap._tcp.corporate._sites.company.com' -function ldapauth_get_ad_servers_for_site() { - $results = []; - $ad_servers = dns_get_record(LDAPAUTH_DNS_SITES_AND_SERVICES, DNS_SRV, $authns, $addtl); - foreach ($ad_servers as $ad_server) { - array_push($results, $ad_server['target']); - } - $results = ldapauth_shuffle_assoc($results); #randomize the order - return $results; -} - -// returns ldap connection -function ldapauth_get_ldap_connection() { - if (defined('LDAPAUTH_DNS_SITES_AND_SERVICES')) { - $connection = NULL; - $ldap_servers = ldapauth_get_ad_servers_for_site(); - foreach ($ldap_servers as $ldap_server) { - $ldap_address = LDAPAUTH_HOST . $ldap_server; - try { - $temp_conn = ldap_connect($ldap_address, LDAPAUTH_PORT); # ldap_connect doesn't actually connect it just checks for plausiable parameters. Only ldap_bind connects - if ($temp_conn) { - $connection = $temp_conn; - break; - } else { - error_log('Warning, unable to connect to: ' . $ldap_address . ' on port ' . LDAPAUTH_PORT . '. ' . ldap_error($temp_conn)); - } - } catch (Exception $e) { - error_log('Warning, unable to connect to: ' . $ldap_address . ' on port ' . LDAPAUTH_PORT . '. ' . __FILE__, __FUNCTION__,$e->getMessage()); - } - } - - if ($connection) { - return $connection; - } else { - die("Cannot connect to LDAP for site and service " . LDAPAUTH_DNS_SITES_AND_SERVICES); - } - - } else { - return ldap_connect(LDAPAUTH_HOST, LDAPAUTH_PORT); - } -} - // returns true/false function ldapauth_is_valid_user( $value ) { global $yourls_user_passwords; - // Always check & set early if ( !ldapauth_environment_check() ) { die( 'Invalid configuration for YOURLS LDAP plugin. Check PHP error log.' ); 
@@ -139,7 +90,6 @@ function ldapauth_is_valid_user( $value ) { if (!defined(LDAPAUTH_USERCACHE_TYPE)) { @session_start(); } - if (!defined(LDAPAUTH_USERCACHE_TYPE) && isset( $_SESSION['LDAPAUTH_AUTH_USER'] ) ) { // already authenticated... $username = $_SESSION['LDAPAUTH_AUTH_USER']; @@ -163,7 +113,7 @@ function ldapauth_is_valid_user( $value ) { && !empty( $_REQUEST['username'] ) && !empty( $_REQUEST['password'] ) ) { // try to authenticate - $ldapConnection = ldapauth_get_ldap_connection(); + $ldapConnection = ldap_connect(LDAPAUTH_HOST); if (!$ldapConnection) die("Cannot connect to LDAP " . LDAPAUTH_HOST); ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3); //ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0); @@ -176,7 +126,6 @@ function ldapauth_is_valid_user( $value ) { return $value; } } - // Check if using a privileged user account to search - only if not already bound with current user if (defined('LDAPAUTH_SEARCH_USER') && defined('LDAPAUTH_SEARCH_PASS') && empty($ldapSuccess)) { if (!@ldap_bind($ldapConnection, LDAPAUTH_SEARCH_USER, LDAPAUTH_SEARCH_PASS)) { @@ -230,7 +179,6 @@ function ldapauth_is_valid_user( $value ) { if (LDAPAUTH_ADD_NEW && !array_key_exists($username, $yourls_user_passwords)) { ldapauth_create_user( $username, $_REQUEST['password'] ); } - if (LDAPAUTH_USERCACHE_TYPE == 1) { // store the current user credentials in our cache. This cuts down calls to the LDAP // server, and allows API keys to work with LDAP users @@ -353,6 +301,3 @@ function ldapauth_debug ($msg) { error_log("yourls_ldap_auth: " . $msg); } } - - -
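Review bot: The new `ldap_connect(LDAPAUTH_HOST)` call in `ldapauth_is_valid_user` leaves transport security entirely to the value of `LDAPAUTH_HOST`, and nothing in the visible lines calls `ldap_start_tls()` before the binds that follow, so with a bare hostname or an `ldap://` URI the submitted password and `LDAPAUTH_SEARCH_PASS` would presumably cross the network unencrypted. After the `LDAP_OPT_PROTOCOL_VERSION` line I would add `if ( stripos( LDAPAUTH_HOST, 'ldaps://' ) !== 0 && !ldap_start_tls( $ldapConnection ) ) die( 'Cannot secure LDAP connection' );`, or put that requirement behind a configuration constant. The `if (!$ldapConnection)` guard only catches a malformed host string, because `ldap_connect()` does not contact the server (the comment on the removed helper said as much), and its `die()` prints `LDAPAUTH_HOST` to an unauthenticated visitor; pass the host to `error_log()` and show a generic message instead. The function starts and ends outside this hunk.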