Some syntax adjustments to make ldap_bind work
This commit is contained in:
parent
5d85267e0f
commit
fd049a8928
61
plugin.php
61
plugin.php
@ -4,20 +4,18 @@ Plugin Name: Simple LDAP Auth
|
|||||||
Plugin URI:
|
Plugin URI:
|
||||||
Description: This plugin enables use of LDAP provider for authentication
|
Description: This plugin enables use of LDAP provider for authentication
|
||||||
Version: 1.1
|
Version: 1.1
|
||||||
Author: k3a
|
Author: vmario
|
||||||
Author URI: http://k3a.me
|
Author URI: https://gitea.fablabchemnitz.de/vmario/yourls-ldap-auth
|
||||||
*/
|
*/
|
||||||
// Thanks to nicwaller (https://github.com/nicwaller) for cas plugin I used as a reference!
|
// Thanks to nicwaller (https://github.com/nicwaller) for cas plugin I used as a reference!
|
||||||
|
|
||||||
// No direct call
|
// No direct call
|
||||||
if( !defined( 'YOURLS_ABSPATH' ) ) die();
|
if( !defined( 'YOURLS_ABSPATH' ) ) die();
|
||||||
|
|
||||||
|
|
||||||
// returns true if the environment is set up right
|
// returns true if the environment is set up right
|
||||||
function ldapauth_environment_check() {
|
function ldapauth_environment_check() {
|
||||||
$required_params = array(
|
$required_params = array(
|
||||||
'LDAPAUTH_HOST', // ldap host
|
'LDAPAUTH_HOST', // ldap host
|
||||||
//'LDAPAUTH_PORT', // ldap port
|
|
||||||
'LDAPAUTH_BASE', // base ldap path
|
'LDAPAUTH_BASE', // base ldap path
|
||||||
//'LDAPAUTH_USERNAME_FIELD', // field to check the username against
|
//'LDAPAUTH_USERNAME_FIELD', // field to check the username against
|
||||||
);
|
);
|
||||||
@ -30,9 +28,6 @@ function ldapauth_environment_check() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( !defined( 'LDAPAUTH_PORT' ) )
|
|
||||||
define( 'LDAPAUTH_PORT', 389 );
|
|
||||||
|
|
||||||
if ( !defined( 'LDAPAUTH_USERNAME_FIELD' ) )
|
if ( !defined( 'LDAPAUTH_USERNAME_FIELD' ) )
|
||||||
define( 'LDAPAUTH_USERNAME_FIELD', 'uid' );
|
define( 'LDAPAUTH_USERNAME_FIELD', 'uid' );
|
||||||
|
|
||||||
@ -73,53 +68,9 @@ function ldapauth_shuffle_assoc($list) {
|
|||||||
return $random;
|
return $random;
|
||||||
}
|
}
|
||||||
|
|
||||||
// return list of Active Directory Ldap servers that are associated with a site and service
|
|
||||||
// example for $site = = '_ldap._tcp.corporate._sites.company.com'
|
|
||||||
function ldapauth_get_ad_servers_for_site() {
|
|
||||||
$results = [];
|
|
||||||
$ad_servers = dns_get_record(LDAPAUTH_DNS_SITES_AND_SERVICES, DNS_SRV, $authns, $addtl);
|
|
||||||
foreach ($ad_servers as $ad_server) {
|
|
||||||
array_push($results, $ad_server['target']);
|
|
||||||
}
|
|
||||||
$results = ldapauth_shuffle_assoc($results); #randomize the order
|
|
||||||
return $results;
|
|
||||||
}
|
|
||||||
|
|
||||||
// returns ldap connection
|
|
||||||
function ldapauth_get_ldap_connection() {
|
|
||||||
if (defined('LDAPAUTH_DNS_SITES_AND_SERVICES')) {
|
|
||||||
$connection = NULL;
|
|
||||||
$ldap_servers = ldapauth_get_ad_servers_for_site();
|
|
||||||
foreach ($ldap_servers as $ldap_server) {
|
|
||||||
$ldap_address = LDAPAUTH_HOST . $ldap_server;
|
|
||||||
try {
|
|
||||||
$temp_conn = ldap_connect($ldap_address, LDAPAUTH_PORT); # ldap_connect doesn't actually connect it just checks for plausiable parameters. Only ldap_bind connects
|
|
||||||
if ($temp_conn) {
|
|
||||||
$connection = $temp_conn;
|
|
||||||
break;
|
|
||||||
} else {
|
|
||||||
error_log('Warning, unable to connect to: ' . $ldap_address . ' on port ' . LDAPAUTH_PORT . '. ' . ldap_error($temp_conn));
|
|
||||||
}
|
|
||||||
} catch (Exception $e) {
|
|
||||||
error_log('Warning, unable to connect to: ' . $ldap_address . ' on port ' . LDAPAUTH_PORT . '. ' . __FILE__, __FUNCTION__,$e->getMessage());
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($connection) {
|
|
||||||
return $connection;
|
|
||||||
} else {
|
|
||||||
die("Cannot connect to LDAP for site and service " . LDAPAUTH_DNS_SITES_AND_SERVICES);
|
|
||||||
}
|
|
||||||
|
|
||||||
} else {
|
|
||||||
return ldap_connect(LDAPAUTH_HOST, LDAPAUTH_PORT);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// returns true/false
|
// returns true/false
|
||||||
function ldapauth_is_valid_user( $value ) {
|
function ldapauth_is_valid_user( $value ) {
|
||||||
global $yourls_user_passwords;
|
global $yourls_user_passwords;
|
||||||
|
|
||||||
// Always check & set early
|
// Always check & set early
|
||||||
if ( !ldapauth_environment_check() ) {
|
if ( !ldapauth_environment_check() ) {
|
||||||
die( 'Invalid configuration for YOURLS LDAP plugin. Check PHP error log.' );
|
die( 'Invalid configuration for YOURLS LDAP plugin. Check PHP error log.' );
|
||||||
@ -139,7 +90,6 @@ function ldapauth_is_valid_user( $value ) {
|
|||||||
if (!defined(LDAPAUTH_USERCACHE_TYPE)) {
|
if (!defined(LDAPAUTH_USERCACHE_TYPE)) {
|
||||||
@session_start();
|
@session_start();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!defined(LDAPAUTH_USERCACHE_TYPE) && isset( $_SESSION['LDAPAUTH_AUTH_USER'] ) ) {
|
if (!defined(LDAPAUTH_USERCACHE_TYPE) && isset( $_SESSION['LDAPAUTH_AUTH_USER'] ) ) {
|
||||||
// already authenticated...
|
// already authenticated...
|
||||||
$username = $_SESSION['LDAPAUTH_AUTH_USER'];
|
$username = $_SESSION['LDAPAUTH_AUTH_USER'];
|
||||||
@ -163,7 +113,7 @@ function ldapauth_is_valid_user( $value ) {
|
|||||||
&& !empty( $_REQUEST['username'] ) && !empty( $_REQUEST['password'] ) ) {
|
&& !empty( $_REQUEST['username'] ) && !empty( $_REQUEST['password'] ) ) {
|
||||||
|
|
||||||
// try to authenticate
|
// try to authenticate
|
||||||
$ldapConnection = ldapauth_get_ldap_connection();
|
$ldapConnection = ldap_connect(LDAPAUTH_HOST);
|
||||||
if (!$ldapConnection) die("Cannot connect to LDAP " . LDAPAUTH_HOST);
|
if (!$ldapConnection) die("Cannot connect to LDAP " . LDAPAUTH_HOST);
|
||||||
ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
|
ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
|
||||||
//ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0);
|
//ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0);
|
||||||
@ -176,7 +126,6 @@ function ldapauth_is_valid_user( $value ) {
|
|||||||
return $value;
|
return $value;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check if using a privileged user account to search - only if not already bound with current user
|
// Check if using a privileged user account to search - only if not already bound with current user
|
||||||
if (defined('LDAPAUTH_SEARCH_USER') && defined('LDAPAUTH_SEARCH_PASS') && empty($ldapSuccess)) {
|
if (defined('LDAPAUTH_SEARCH_USER') && defined('LDAPAUTH_SEARCH_PASS') && empty($ldapSuccess)) {
|
||||||
if (!@ldap_bind($ldapConnection, LDAPAUTH_SEARCH_USER, LDAPAUTH_SEARCH_PASS)) {
|
if (!@ldap_bind($ldapConnection, LDAPAUTH_SEARCH_USER, LDAPAUTH_SEARCH_PASS)) {
|
||||||
@ -230,7 +179,6 @@ function ldapauth_is_valid_user( $value ) {
|
|||||||
if (LDAPAUTH_ADD_NEW && !array_key_exists($username, $yourls_user_passwords)) {
|
if (LDAPAUTH_ADD_NEW && !array_key_exists($username, $yourls_user_passwords)) {
|
||||||
ldapauth_create_user( $username, $_REQUEST['password'] );
|
ldapauth_create_user( $username, $_REQUEST['password'] );
|
||||||
}
|
}
|
||||||
|
|
||||||
if (LDAPAUTH_USERCACHE_TYPE == 1) {
|
if (LDAPAUTH_USERCACHE_TYPE == 1) {
|
||||||
// store the current user credentials in our cache. This cuts down calls to the LDAP
|
// store the current user credentials in our cache. This cuts down calls to the LDAP
|
||||||
// server, and allows API keys to work with LDAP users
|
// server, and allows API keys to work with LDAP users
|
||||||
@ -353,6 +301,3 @@ function ldapauth_debug ($msg) {
|
|||||||
error_log("yourls_ldap_auth: " . $msg);
|
error_log("yourls_ldap_auth: " . $msg);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
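Review bot: With `$ldapConnection = ldap_connect(LDAPAUTH_HOST);` in the @ -163,7 hunk, a configured LDAPAUTH_PORT is no longer passed anywhere visible in this diff, and the @ -30,9 hunk also drops its 389 default, so an installation with a non-default port silently ends up on 389; a bare hostname without an `ldap://`/`ldaps://` scheme likewise yields a cleartext session for the user-credential ldap_bind that follows. Unless every deployment's LDAPAUTH_HOST is already a full URI, build the URI once before connecting, folding a defined LDAPAUTH_PORT into it, as sketched below; ldapauth_is_valid_user starts and ends outside this hunk, and the `ldap_set_option(... LDAP_OPT_PROTOCOL_VERSION, 3)` line that follows is the natural place to add an `ldap_start_tls()` call for non-ldaps URIs if that is wanted. If LDAPAUTH_HOST is now expected to be a URI, the plugin header should say so, e.g. `// LDAPAUTH_HOST should be a URI such as ldaps://ldap.example.com:636; a bare hostname connects in cleartext on port 389`.
```php
// try to authenticate
// Single-argument ldap_connect() takes a URI; keep a configured port working
// for deployments that still set LDAPAUTH_HOST to a bare hostname.
$ldapUri = LDAPAUTH_HOST;
if (!str_contains($ldapUri, '://')) {
    $ldapUri = 'ldap://' . $ldapUri . (defined('LDAPAUTH_PORT') ? ':' . LDAPAUTH_PORT : '');
}
$ldapConnection = ldap_connect($ldapUri);
if (!$ldapConnection) die("Cannot connect to LDAP " . LDAPAUTH_HOST);
// … unchanged: ldap_set_option and the bind that follows …
```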