
Add support referral binding

c12simple committed Dec 8, 2017
1 parent 9dbbd11 commit 3b409827984a73c54597d1b0ef19fe367cf76e40
Showing with 24 additions and 7 deletions.
  1. +23 −7 core/src/plugins/auth.ldap/LdapAuthDriver.php
  2. +1 −0 core/src/plugins/auth.ldap/manifest.xml
@@ -55,6 +55,7 @@ class LdapAuthDriver extends AbstractAuthDriver
public $mappedRolePrefix;
public $pageSize;
public $userRecursiveMemberOf = false;
public $referralBind = false;
public $ldapconn = null;
public $separateGroup = "";
@@ -98,6 +99,7 @@ public function init(ContextInterface $ctx, $options = [])
}
if ($options["LDAP_PAGE_SIZE"]) $this->pageSize = $options["LDAP_PAGE_SIZE"];
if ($options["LDAP_REFERRAL_BIND"]) $this->referralBind = $options["LDAP_REFERRAL_BIND"];
if ($options["LDAP_GROUP_PREFIX"]) $this->mappedRolePrefix = $options["LDAP_GROUP_PREFIX"];
if ($options["LDAP_DN"]) $this->ldapDN = $this->parseReplicatedParams($options, array("LDAP_DN"));
if ($options["LDAP_GDN"]) $this->ldapGDN = $this->parseReplicatedParams($options, array("LDAP_GDN"));
@@ -236,7 +238,11 @@ public function LDAP_Connect()
if ($ldapconn) {
$this->logDebug(__FUNCTION__, 'ldap_connect(' . $this->ldapUrl . ',' . $this->ldapPort . ') OK');
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option( $ldapconn, LDAP_OPT_REFERRALS, 0 );
if($this->referralBind){
ldap_set_option( $ldapconn, LDAP_OPT_REFERRALS, 1);
}else{
ldap_set_option( $ldapconn, LDAP_OPT_REFERRALS, 0);
}
if (empty($this->pageSize) || !is_numeric($this->pageSize)) {
$this->pageSize = 500;
}
@@ -596,6 +602,15 @@ public function checkPassword($login, $pass)
$entries = $this->getUserEntries($login);
if ($entries['count'] > 0) {
$this->logDebug(__FUNCTION__, 'Ldap Password Check: Got user ' . $login);
if($this->referralBind){
$this->rebind_pass = $pass;
$this->rebind_dn = $entries[0]["dn"];
@ldap_set_rebind_proc($this->ldapconn, 'rebind');
// bind
if(@ldap_bind($this->ldapconn, $this->rebind_dn, $pass)){
return true;
}
}
if (@ldap_bind($this->ldapconn, $entries[0]["dn"], $pass)) {
$this->logDebug(__FUNCTION__, 'Ldap Password Check: Got user ' . $entries[0]["cn"][0]);
return true;
@@ -1179,22 +1194,23 @@ public function sanitize($s, $level = InputFilter::SANITIZE_HTML)
return $newS;
}
/*
public $rebind_dn;
public $rebind_pass;
function rebind($ldap, $referral) {
public function rebind($ldap, $referral) {
$server= preg_replace('!^(ldap://[^/]+)/.*$!', '\\1', $referral);
if (!($ldap = ldap_connect($server))){
return true;
// return error
return 1;
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 1);
ldap_set_rebind_proc($ldap, "rebind");
if (!ldap_bind($ldap,$this->rebind_dn,$this->rebind_pass)){
return true;
// return error
return 1;
}
// return success
return 0;
}
*/
}
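Review bot: `@ldap_set_rebind_proc($this->ldapconn, 'rebind')` in checkPassword registers a global function named rebind, but rebind is a method on this class, so the registration fails (and the `@` hides that) unless some global rebind() exists; with LDAP_OPT_REFERRALS turned on in LDAP_Connect and no rebind callback, libldap follows the referral without credentials, so the bind being evaluated on the referred server is not the user's. Pass the method as a callable, `ldap_set_rebind_proc($this->ldapconn, [$this, 'rebind'])`, and check its return value before binding; the same string-callback form appears inside rebind() (`ldap_set_rebind_proc($ldap, "rebind")`). The plaintext password also remains in the public `$rebind_pass` property after the bind, and a failed referral bind falls through to a second `@ldap_bind` with the same DN and password, which doubles failed-attempt counts against the directory's lockout policy. The `rebind()` regex `'!^(ldap://[^/]+)/.*$!'` only recognises ldap:// referrals, so an ldaps:// referral would be handed to ldap_connect unparsed — worth a comment or an explicit scheme check. checkPassword continues past the hunk, so the non-referral return path is not visible here.
```php
if ($this->referralBind) {
    $this->rebind_pass = $pass;
    $this->rebind_dn = $entries[0]["dn"];
    // Method callback, not a global function name; failure to register must not go unnoticed.
    $registered = ldap_set_rebind_proc($this->ldapconn, [$this, 'rebind']);
    $bound = $registered && @ldap_bind($this->ldapconn, $this->rebind_dn, $pass);
    // Do not keep the credential on the driver object longer than the bind needs it.
    $this->rebind_pass = null;
    if ($bound) {
        return true;
    }
    $this->logDebug(__FUNCTION__, 'Ldap Password Check: referral bind failed for ' . $login);
    return false;
}
// … unchanged: direct bind path …
```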
@@ -46,6 +46,7 @@
<param name="LDAP_VALUE_MEMBERATTR_IN_GROUP" group="CONF_MESSAGE[Advanced Parameters]" type="boolean" label="CONF_MESSAGE[Fake MemberOf. value of member/memberUid attribute of group]" description="CONF_MESSAGE[value of member/memberUid attribute of group: can be user DN or user CN. Use with Fake memberOf enabled. YES use DN, otherwise CN]" default="true" mandatory="false"/>
<param name="LDAP_SEARCHUSER_ATTR" group="CONF_MESSAGE[Advanced Parameters]" type="string" label="CONF_MESSAGE[Search Users by Attribute]" description="CONF_MESSAGE[When looking for a user through autocomplete, search on a specific parameter instead of user ID]" mandatory="false" default=""/>
<param name="LDAP_PAGE_SIZE" group="CONF_MESSAGE[Advanced Parameters]" type="string" label="CONF_MESSAGE[LDAP Server page size]" description="CONF_MESSAGE[Page size of LDAP Server]" mandatory="false" default="500"/>
<param name="LDAP_REFERRAL_BIND" group="CONF_MESSAGE[Advanced Parameters]" type="boolean" label="CONF_MESSAGE[Use referral bind]" description="CONF_MESSAGE[Use referral bind]" mandatory="false" default="false"/>
<param name="LDAP_COUNT_CACHE_TTL" group="CONF_MESSAGE[Advanced Parameters]" type="integer" label="CONF_MESSAGE[Cache User Count (hours)]" description="CONF_MESSAGE[Locally cache the total number of users during X hours. Can be handy for huge directories.]" mandatory="false" default="1"/>

</server_settings>
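Review bot: The description for LDAP_REFERRAL_BIND only repeats its label, so an administrator cannot tell from the settings screen what enabling it changes; in the driver it switches LDAP_OPT_REFERRALS on and re-binds with the user's own DN and password on whatever server the referral points to. Suggested: `description="CONF_MESSAGE[Follow LDAP referrals during password checks and re-bind on the referred server with the user's credentials. The referral target must be reachable from this server.]"`.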
