From 57a27990b5f895f4e1ada8d965c1c1aae6f7bc0b Mon Sep 17 00:00:00 2001 From: Martin Kofahl Date: Fri, 25 Feb 2022 10:36:47 +0100 Subject: [PATCH] New feature #17520: Auto-create LDAP users without bind DN Dev Let LimeSurvey automatically create new users authenticated by AuthLDAP using their own credentials. --- .../core/plugins/AuthLDAP/AuthLDAP.php | 27 +++++++------------ 1 file changed, 10 insertions(+), 17 deletions(-) diff --git a/application/core/plugins/AuthLDAP/AuthLDAP.php b/application/core/plugins/AuthLDAP/AuthLDAP.php index 173775af4a7..37cc22a7fa9 100644 --- a/application/core/plugins/AuthLDAP/AuthLDAP.php +++ b/application/core/plugins/AuthLDAP/AuthLDAP.php @@ -206,9 +206,10 @@ public function createNewUser() * Create a LDAP user * * @param string $new_user + * @param string $password * @return null|integer New user ID */ - private function _createNewUser($new_user) + private function _createNewUser($new_user, $password = null) { $oEvent = $this->getEvent(); @@ -221,6 +222,8 @@ private function _createNewUser($new_user) $bindpwd = $this->get('bindpwd'); $mailattribute = $this->get('mailattribute'); $fullnameattribute = $this->get('fullnameattribute'); + $suffix = $this->get('domainsuffix'); + $prefix = $this->get('userprefix'); // Try to connect $ldapconn = $this->createConnection(); 
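Review bot: The docblock added for `_createNewUser` says `@param string $password`, but the parameter defaults to `null` and carries no native type, so the documentation and the signature disagree from the first call. Change the docblock to `@param string|null $password Password of the user being created; required in simple-bind mode` and, if the file already uses scalar type declarations elsewhere, declare it as `?string $password = null`. The `@@` context names a public `createNewUser()` above this method; if that path still calls `_createNewUser($new_user)` without a password, it will rely on the null default, which matters for the simple-bind branch in the hunk at line 231.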
@@ -231,15 +234,12 @@ private function _createNewUser($new_user) return null; } + // Search email address and full name if (empty($ldapmode) || $ldapmode == 'simplebind') { - $oEvent->set('errorCode', self::ERROR_LDAP_MODE); - $oEvent->set('errorMessageTitle', gT("Failed to add user")); - $oEvent->set('errorMessageBody', gT("Simple bind LDAP configuration doesn't allow LDAP user creation")); - return null; + // Use the user's account for LDAP search + $ldapbindsearch = @ldap_bind($ldapconn, $prefix . $new_user . $suffix, $password); } - - // Search email address and full name - if (empty($binddn)) { + else if (empty($binddn)) { // There is no account defined to do the LDAP search, // let's use anonymous bind instead $ldapbindsearch = @ldap_bind($ldapconn); @@ -413,16 +413,9 @@ public function getPluginSettings($getValues = true) unset($aPluginSettings['domainsuffix']); } else { // Hide searchandbind settings - unset($aPluginSettings['searchuserattribute']); - unset($aPluginSettings['usersearchbase']); - unset($aPluginSettings['extrauserfilter']); unset($aPluginSettings['binddn']); unset($aPluginSettings['bindpwd']); unset($aPluginSettings['ldapoptreferrals']); - unset($aPluginSettings['mailattribute']); - unset($aPluginSettings['fullnameattribute']); - unset($aPluginSettings['autocreate']); - unset($aPluginSettings['automaticsurveycreation']); } } @@ -448,7 +441,7 @@ public function newUserSession() // No user found! if ($user === null) { // If ldap mode is searchandbind and autocreation is enabled we can continue - if ($ldapmode == 'searchandbind' && $this->get('autocreate', null, null, false) == true) { + if ($this->get('autocreate', null, null, false) == true) { $autoCreateFlag = true; } else { // If the user doesnt exist in the LS database, he can not login 
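Review bot: The new simple-bind branch binds with `$password` without ever checking it, yet the parameter defaults to `null` (hunk at line 206); a caller that omits it, or an empty password, turns the intended bind-as-the-user into an anonymous or unauthenticated bind against `$prefix . $new_user . $suffix` (which of the two depends on the directory server), where the removed lines used to fail explicitly with `ERROR_LDAP_MODE`. Reject a missing or empty password before calling `ldap_bind`, reusing the existing error-event pattern, as sketched below. The `} - ... + else if (` rewrite also leaves PSR-12 form; `} elseif (empty($binddn)) {` on one line is the conventional shape. Whether `$ldapbindsearch` is checked afterwards is outside this hunk, so I have assumed the existing check still follows.
```php
if (empty($ldapmode) || $ldapmode == 'simplebind') {
    // Binding as the user needs the user's password; never fall through to an
    // anonymous/unauthenticated bind that merely carries the user's DN.
    if ($password === null || $password === '') {
        $oEvent->set('errorCode', self::ERROR_LDAP_MODE);
        $oEvent->set('errorMessageTitle', gT("Failed to add user"));
        $oEvent->set('errorMessageBody', gT("Simple bind LDAP user creation requires the user's password"));
        return null;
    }
    // Use the user's account for LDAP search
    $ldapbindsearch = @ldap_bind($ldapconn, $prefix . $new_user . $suffix, $password);
} elseif (empty($binddn)) {
    // … unchanged: anonymous bind branch …
```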
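Review bot: The comment directly above the changed condition still reads "If ldap mode is searchandbind and autocreation is enabled we can continue", which no longer describes the new `if ($this->get('autocreate', null, null, false) == true)`; change it to `// If autocreation is enabled we can continue, regardless of LDAP mode`. With the mode test gone, the `$ldapmode` local assigned earlier in `newUserSession` (outside this hunk) may now be unused on this path; verify and drop it if so. Since auto-creation now also applies in simple-bind mode, where it is not evident that the search base or extra user filter narrows who qualifies, the `autocreate` setting's help text should state that any directory account able to bind gets a LimeSurvey user created on first login.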
@@ -567,7 +560,7 @@ public function newUserSession()
 // Finally, if user didn't exist and auto creation (i.e. autoCreateFlag == true) is enabled, we create it
 if ($autoCreateFlag) {
- if (($iNewUID = $this->_createNewUser($username)) && $this->get('automaticsurveycreation', null, null, false)) {
+ if (($iNewUID = $this->_createNewUser($username, $password)) && $this->get('automaticsurveycreation', null, null, false)) {
 Permission::model()->setGlobalPermission($iNewUID, 'surveys', array('create_p'));
 }
 $user = $this->api->getUserByName($username);