authorFrancois Ferrand <thetypz@gmail.com>2015-01-16 17:08:48 +0100
committerFrancois Ferrand <thetypz@gmail.com>2015-01-16 17:13:36 +0100
commit969d60ab416c075db27f7a0247f0c48ab519afa6 (patch)
tree5612bf783866291a24f7c5af913cbd584f7b7137
parentfd22b955751075e4a69df9c1d24995f15b991be7 (diff)
Add Json API to create LDAP user.
This allows setting up permissions before the LDAP users actually connect to Kanboard, and even importing the permissions from other tools.
-rw-r--r--app/Auth/Ldap.php48
-rw-r--r--app/constants.php1
-rw-r--r--config.default.php5
-rw-r--r--docs/api-json-rpc.markdown37
-rw-r--r--jsonrpc.php20
5 files changed, 111 insertions, 0 deletions
diff --git a/app/Auth/Ldap.php b/app/Auth/Ldap.php
index b3440614..22c9fb88 100644
--- a/app/Auth/Ldap.php
+++ b/app/Auth/Ldap.php
@@ -206,4 +206,52 @@ class Ldap extends Base
return false;
}
+
+ /**
+ * Retrieve info on LDAP user.
+ *
+ * @param resource $ldap LDAP connection
+ * @param string $username Username
+ * @param string $email Email address
+ */
+ public function lookup($username = null, $email = null)
+ {
+ if ($username && $email)
+ $query = '(&('.sprintf(LDAP_USER_PATTERN, $username).')('.sprintf(LDAP_ACCOUNT_EMAIL, $email).')';
+ else if ($username)
+ $query = sprintf(LDAP_USER_PATTERN, $username);
+ else if ($email)
+ $query = '('.LDAP_ACCOUNT_EMAIL.'='.$email.')';
+ else
+ return false;
+
+ // Connect and attempt anonymous bind
+ $ldap = $this->connect();
+ if (!is_resource($ldap) || !$this->bind($ldap, null, null))
+ return false;
+
+ // Try to find user
+ $sr = @ldap_search($ldap, LDAP_ACCOUNT_BASE, $query, array(LDAP_ACCOUNT_FULLNAME, LDAP_ACCOUNT_EMAIL, LDAP_ACCOUNT_ID));
+ if ($sr === false) {
+ return false;
+ }
+
+ $info = ldap_get_entries($ldap, $sr);
+
+ // User not found
+ if (count($info) == 0 || $info['count'] == 0) {
+ return false;
+ }
+
+ // User id not retrieved: LDAP_ACCOUNT_ID not properly configured
+ if (!$username && !isset($info[0][LDAP_ACCOUNT_ID][0])) {
+ return false;
+ }
+
+ return array(
+ 'username' => isset($info[0][LDAP_ACCOUNT_ID][0]) ? $info[0][LDAP_ACCOUNT_ID][0] : $username,
+ 'name' => isset($info[0][LDAP_ACCOUNT_FULLNAME][0]) ? $info[0][LDAP_ACCOUNT_FULLNAME][0] : '',
+ 'email' => isset($info[0][LDAP_ACCOUNT_EMAIL][0]) ? $info[0][LDAP_ACCOUNT_EMAIL][0] : $email,
+ );
+ }
}
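Review bot: The filter text built in `lookup()` embeds caller-supplied values without escaping — `sprintf(LDAP_USER_PATTERN, $username)` and `'('.LDAP_ACCOUNT_EMAIL.'='.$email.')'` — and both values arrive straight from JSON-RPC parameters in jsonrpc.php, so characters such as `*`, `(`, `)` and `\` alter the meaning of the search filter rather than being matched literally. Escape each value before it reaches the filter, e.g. `$username = ldap_escape($username, '', LDAP_ESCAPE_FILTER);` (PHP ≥ 5.6) or an equivalent local escaper if the project still targets older PHP. The combined branch is also malformed: `sprintf(LDAP_ACCOUNT_EMAIL, $email)` formats the bare attribute name ('mail') instead of an `attr=value` pair, the `(&` is never closed, and the extra `(`…`)` around the user pattern is redundant since the `else if ($username)` branch already uses the pattern as a complete filter; `$query = '(&'.sprintf(LDAP_USER_PATTERN, $username).'('.LDAP_ACCOUNT_EMAIL.'='.$email.'))';` matches the single-criterion branches. Separately, the docblock's `@param resource $ldap` describes a parameter the method does not take — replace it with `@return array|false  user attributes, or false when the entry is not found or the directory is unreachable`.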
diff --git a/app/constants.php b/app/constants.php
index a8d8f56e..f0384d30 100644
--- a/app/constants.php
+++ b/app/constants.php
@@ -34,6 +34,7 @@ defined('LDAP_ACCOUNT_BASE') or define('LDAP_ACCOUNT_BASE', '');
defined('LDAP_USER_PATTERN') or define('LDAP_USER_PATTERN', '');
defined('LDAP_ACCOUNT_FULLNAME') or define('LDAP_ACCOUNT_FULLNAME', 'displayname');
defined('LDAP_ACCOUNT_EMAIL') or define('LDAP_ACCOUNT_EMAIL', 'mail');
+defined('LDAP_ACCOUNT_ID') or define('LDAP_ACCOUNT_ID', '');
// Google authentication
defined('GOOGLE_AUTH') or define('GOOGLE_AUTH', false);
diff --git a/config.default.php b/config.default.php
index ed1d5fd8..c9a5d8a7 100644
--- a/config.default.php
+++ b/config.default.php
@@ -74,6 +74,11 @@ define('LDAP_ACCOUNT_FULLNAME', 'displayname');
// Name of an attribute of the user account object which should be used as the email of the user.
define('LDAP_ACCOUNT_EMAIL', 'mail');
+// Name of an attribute of the user account object which should be used as the id of the user.
+// Example for ActiveDirectory: 'samaccountname'
+// Example for OpenLDAP: 'uid'
+define('LDAP_ACCOUNT_ID', 'samaccountname');
+
// Enable/disable Google authentication
define('GOOGLE_AUTH', false);
diff --git a/docs/api-json-rpc.markdown b/docs/api-json-rpc.markdown
index ef013880..184739ad 100644
--- a/docs/api-json-rpc.markdown
+++ b/docs/api-json-rpc.markdown
@@ -1330,6 +1330,43 @@ Response example:
}
```
+### createLdapUser
+
+- Purpose: **Create a new user authentified by LDAP**
+- Parameters:
+ - **username** (string, optional if email is set)
+ - **email** (string, optional if username is set)
+ - **is_admin** Set the value 1 for admins or 0 for regular users (integer, optional)
+ - **default_project_id** (integer, optional)
+- Result on success: **user_id**
+- Result on failure: **false**
+
+The user will only be created if a matching is found on the LDAP server.
+Username or email (or both) must be provided.
+
+Request example:
+
+```json
+{
+ "jsonrpc": "2.0",
+ "method": "createLdapUser",
+ "id": 1518863034,
+ "params": {
+ "username": "biloute",
+ }
+}
+```
+
+Response example:
+
+```json
+{
+ "jsonrpc": "2.0",
+ "id": 1518863034,
+ "result": 22
+}
+```
+
### getUser
- Purpose: **Get user information**
diff --git a/jsonrpc.php b/jsonrpc.php
index d0951e73..3de9de1b 100644
--- a/jsonrpc.php
+++ b/jsonrpc.php
@@ -157,6 +157,26 @@ $server->register('createUser', function($username, $password, $name = '', $emai
return $container['user']->create($values);
});
+$server->register('createLdapUser', function($username = '', $email = '', $is_admin = 0, $default_project_id = 0) use ($container) {
+
+ $ldap = new Auth\Ldap($container);
+ $res = $ldap->lookup($username, $email);
+
+ if (!$res)
+ return false;
+
+ $values = array(
+ 'username' => $res['username'],
+ 'name' => $res['name'],
+ 'email' => $res['email'],
+ 'is_ldap_user' => 1,
+ 'is_admin' => $is_admin,
+ 'default_project_id' => $default_project_id,
+ );
+
+ return $container['user']->create($values);
+});
+
$server->register('updateUser', function($id, $username = null, $name = null, $email = null, $is_admin = null, $default_project_id = null) use ($container) {
$values = array(
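Review bot: The `if (!$res) return false;` after `$ldap->lookup($username, $email)` folds every failure — no matching directory entry, but also connection, bind and search errors — into the same `false` that the API documentation describes as "user not found on the LDAP server", so an API client cannot tell a misconfigured or unreachable directory from a genuinely missing account. Either log the failure reason at this layer before returning, or have the lookup raise on infrastructure errors so only the "no match" case yields `false`; a one-line comment such as `// false covers both "no LDAP match" and LDAP connection/bind failures` would at least make the ambiguity explicit to callers. The enclosing `updateUser` registration at the end of the hunk continues outside it.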