Some syntax adjustments to make ldap_bind work

This commit is contained in:
Mario Voigt 2023-03-16 18:25:13 +01:00
parent 5d85267e0f
commit fd049a8928


@ -4,20 +4,18 @@ Plugin Name: Simple LDAP Auth
Plugin URI: Plugin URI:
Description: This plugin enables use of LDAP provider for authentication Description: This plugin enables use of LDAP provider for authentication
Version: 1.1 Version: 1.1
Author: k3a Author: vmario
Author URI: http://k3a.me Author URI: https://gitea.fablabchemnitz.de/vmario/yourls-ldap-auth
*/ */
// Thanks to nicwaller (https://github.com/nicwaller) for cas plugin I used as a reference! // Thanks to nicwaller (https://github.com/nicwaller) for cas plugin I used as a reference!
// No direct call // No direct call
if( !defined( 'YOURLS_ABSPATH' ) ) die(); if( !defined( 'YOURLS_ABSPATH' ) ) die();
// returns true if the environment is set up right // returns true if the environment is set up right
function ldapauth_environment_check() { function ldapauth_environment_check() {
$required_params = array( $required_params = array(
'LDAPAUTH_HOST', // ldap host 'LDAPAUTH_HOST', // ldap host
//'LDAPAUTH_PORT', // ldap port
'LDAPAUTH_BASE', // base ldap path 'LDAPAUTH_BASE', // base ldap path
//'LDAPAUTH_USERNAME_FIELD', // field to check the username against //'LDAPAUTH_USERNAME_FIELD', // field to check the username against
); );
@ -30,9 +28,6 @@ function ldapauth_environment_check() {
} }
} }
if ( !defined( 'LDAPAUTH_PORT' ) )
define( 'LDAPAUTH_PORT', 389 );
if ( !defined( 'LDAPAUTH_USERNAME_FIELD' ) ) if ( !defined( 'LDAPAUTH_USERNAME_FIELD' ) )
define( 'LDAPAUTH_USERNAME_FIELD', 'uid' ); define( 'LDAPAUTH_USERNAME_FIELD', 'uid' );
@ -73,53 +68,9 @@ function ldapauth_shuffle_assoc($list) {
return $random; return $random;
} }
// return list of Active Directory Ldap servers that are associated with a site and service
// example for $site = = '_ldap._tcp.corporate._sites.company.com'
function ldapauth_get_ad_servers_for_site() {
$results = [];
$ad_servers = dns_get_record(LDAPAUTH_DNS_SITES_AND_SERVICES, DNS_SRV, $authns, $addtl);
foreach ($ad_servers as $ad_server) {
array_push($results, $ad_server['target']);
}
$results = ldapauth_shuffle_assoc($results); #randomize the order
return $results;
}
// returns ldap connection
function ldapauth_get_ldap_connection() {
if (defined('LDAPAUTH_DNS_SITES_AND_SERVICES')) {
$connection = NULL;
$ldap_servers = ldapauth_get_ad_servers_for_site();
foreach ($ldap_servers as $ldap_server) {
$ldap_address = LDAPAUTH_HOST . $ldap_server;
try {
$temp_conn = ldap_connect($ldap_address, LDAPAUTH_PORT); # ldap_connect doesn't actually connect it just checks for plausiable parameters. Only ldap_bind connects
if ($temp_conn) {
$connection = $temp_conn;
break;
} else {
error_log('Warning, unable to connect to: ' . $ldap_address . ' on port ' . LDAPAUTH_PORT . '. ' . ldap_error($temp_conn));
}
} catch (Exception $e) {
error_log('Warning, unable to connect to: ' . $ldap_address . ' on port ' . LDAPAUTH_PORT . '. ' . __FILE__, __FUNCTION__,$e->getMessage());
}
}
if ($connection) {
return $connection;
} else {
die("Cannot connect to LDAP for site and service " . LDAPAUTH_DNS_SITES_AND_SERVICES);
}
} else {
return ldap_connect(LDAPAUTH_HOST, LDAPAUTH_PORT);
}
}
// returns true/false // returns true/false
function ldapauth_is_valid_user( $value ) { function ldapauth_is_valid_user( $value ) {
global $yourls_user_passwords; global $yourls_user_passwords;
// Always check & set early // Always check & set early
if ( !ldapauth_environment_check() ) { if ( !ldapauth_environment_check() ) {
die( 'Invalid configuration for YOURLS LDAP plugin. Check PHP error log.' ); die( 'Invalid configuration for YOURLS LDAP plugin. Check PHP error log.' );
@ -139,7 +90,6 @@ function ldapauth_is_valid_user( $value ) {
if (!defined(LDAPAUTH_USERCACHE_TYPE)) { if (!defined(LDAPAUTH_USERCACHE_TYPE)) {
@session_start(); @session_start();
} }
if (!defined(LDAPAUTH_USERCACHE_TYPE) && isset( $_SESSION['LDAPAUTH_AUTH_USER'] ) ) { if (!defined(LDAPAUTH_USERCACHE_TYPE) && isset( $_SESSION['LDAPAUTH_AUTH_USER'] ) ) {
// already authenticated... // already authenticated...
$username = $_SESSION['LDAPAUTH_AUTH_USER']; $username = $_SESSION['LDAPAUTH_AUTH_USER'];
@ -163,7 +113,7 @@ function ldapauth_is_valid_user( $value ) {
&& !empty( $_REQUEST['username'] ) && !empty( $_REQUEST['password'] ) ) { && !empty( $_REQUEST['username'] ) && !empty( $_REQUEST['password'] ) ) {
// try to authenticate // try to authenticate
$ldapConnection = ldapauth_get_ldap_connection(); $ldapConnection = ldap_connect(LDAPAUTH_HOST);
if (!$ldapConnection) die("Cannot connect to LDAP " . LDAPAUTH_HOST); if (!$ldapConnection) die("Cannot connect to LDAP " . LDAPAUTH_HOST);
ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3); ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
//ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0); //ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0);
@ -176,7 +126,6 @@ function ldapauth_is_valid_user( $value ) {
return $value; return $value;
} }
} }
// Check if using a privileged user account to search - only if not already bound with current user // Check if using a privileged user account to search - only if not already bound with current user
if (defined('LDAPAUTH_SEARCH_USER') && defined('LDAPAUTH_SEARCH_PASS') && empty($ldapSuccess)) { if (defined('LDAPAUTH_SEARCH_USER') && defined('LDAPAUTH_SEARCH_PASS') && empty($ldapSuccess)) {
if (!@ldap_bind($ldapConnection, LDAPAUTH_SEARCH_USER, LDAPAUTH_SEARCH_PASS)) { if (!@ldap_bind($ldapConnection, LDAPAUTH_SEARCH_USER, LDAPAUTH_SEARCH_PASS)) {
@ -230,7 +179,6 @@ function ldapauth_is_valid_user( $value ) {
if (LDAPAUTH_ADD_NEW && !array_key_exists($username, $yourls_user_passwords)) { if (LDAPAUTH_ADD_NEW && !array_key_exists($username, $yourls_user_passwords)) {
ldapauth_create_user( $username, $_REQUEST['password'] ); ldapauth_create_user( $username, $_REQUEST['password'] );
} }
if (LDAPAUTH_USERCACHE_TYPE == 1) { if (LDAPAUTH_USERCACHE_TYPE == 1) {
// store the current user credentials in our cache. This cuts down calls to the LDAP // store the current user credentials in our cache. This cuts down calls to the LDAP
// server, and allows API keys to work with LDAP users // server, and allows API keys to work with LDAP users
@ -353,6 +301,3 @@ function ldapauth_debug ($msg) {
error_log("yourls_ldap_auth: " . $msg); error_log("yourls_ldap_auth: " . $msg);
} }
} }
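Review bot: The new `$ldapConnection = ldap_connect(LDAPAUTH_HOST);` under `// try to authenticate` drops the port argument at the same time the LDAPAUTH_PORT default is removed, so the host constant is now the only place the transport and port can be set, and nothing on the page tells the operator that; the `if (!$ldapConnection)` on the next line still only checks parameter plausibility (the removed helper's own comment noted that ldap_connect does not open the socket), so a bad host is first noticed at `ldap_bind`. Since the user's password is sent to the server in that bind, the value should be a full URI such as `define('LDAPAUTH_HOST', 'ldaps://ldap.example.test:636');` (constructed example), or `ldap_start_tls($ldapConnection);` should follow the `LDAP_OPT_PROTOCOL_VERSION` call, because a plain `ldap://` value carries the credentials in cleartext. The two-argument `ldap_connect($host, $port)` form being replaced is the one PHP 8.3 deprecates, which may be what the commit title means by "syntax adjustments". A comment above the call such as `// LDAPAUTH_HOST must be an LDAP URI (ldap://host:port or ldaps://host:port); the port is no longer configured separately` would keep the next reader from re-adding the old constant. ldapauth_is_valid_user starts and ends outside this hunk.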