authorFrancois Ferrand <thetypz@gmail.com>2014-06-30 17:49:32 +0200
committerFrancois Ferrand <thetypz@gmail.com>2014-06-30 18:15:51 +0200
commit98bd694e2bd47b0c4ed8247546b1903c762ffdde (patch)
tree9427c2b2347a353e35234ee43d9526bdbf278e67
parente5e355d06890b324df2ded707ca491f9539dd171 (diff)
Implement LDAP user lookup.
This is required to improve compatibility when the DN cannot be easily computed from the user name. Additionally, this allows automatically getting the full name and email address from LDAP.
-rw-r--r--app/Model/Ldap.php22
-rw-r--r--app/common.php3
-rw-r--r--config.default.php24
3 files changed, 41 insertions, 8 deletions
diff --git a/app/Model/Ldap.php b/app/Model/Ldap.php
index 3359318c..9e7d0445 100644
--- a/app/Model/Ldap.php
+++ b/app/Model/Ldap.php
@@ -33,8 +33,20 @@ class Ldap extends Base
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
- if (@ldap_bind($ldap, sprintf(LDAP_USER_DN, $username), $password)) {
- return $this->create($username);
+ if (!@ldap_bind($ldap, LDAP_USERNAME, LDAP_PASSWORD)) {
+ die('Unable to bind to the LDAP server: "'.LDAP_SERVER.'"');
+ }
+
+ $sr = ldap_search($ldap, LDAP_ACCOUNT_BASE, sprintf(LDAP_USER_PATTERN, $username), array(LDAP_ACCOUNT_FULLNAME, LDAP_ACCOUNT_EMAIL));
+ $info = ldap_get_entries($ldap, $sr);
+ if (count($info) == 0 || $info['count'] == 0) {
+ //User not found
+ return false;
+ }
+
+ if (@ldap_bind($ldap, $info[0]['dn'], $password)) {
+ error_log("Bind to user OK");
+ return $this->create($username, $info[0][LDAP_ACCOUNT_FULLNAME][0], $info[0][LDAP_ACCOUNT_EMAIL][0]);
}
return false;
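Review bot: `sprintf(LDAP_USER_PATTERN, $username)` on the new ldap_search line interpolates the login form's username straight into the LDAP filter, so a value such as `*)(objectClass=*` rewrites the query (LDAP filter injection); it needs `ldap_escape($username, '', LDAP_ESCAPE_FILTER)` (PHP >= 5.6 — on older PHP, escape `\`, `*`, `(`, `)` and NUL by hand). The second `ldap_bind` with `$info[0]['dn']` and `$password` is an unauthenticated bind (RFC 4513 §5.1.2) when `$password` is the empty string, which many directories accept for any existing DN, so unless the caller already rejects empty passwords (the start of this method lies above the hunk) it logs in as any user, and it also accepts the first of several matches instead of requiring exactly one. `die()` on the service-account bind failure aborts the page with the server name in the response and `error_log("Bind to user OK")` looks like leftover debugging; both should become `return false`. `ldap_get_entries()` lower-cases attribute names and omits attributes the entry lacks, so `$info[0][LDAP_ACCOUNT_FULLNAME][0]` raises notices for a configured `displayName` or a user without the attribute and should go through a lower-cased key with a fallback. The rewritten lookup below applies these checks.
```php
        // Empty password => RFC 4513 unauthenticated bind, which many servers accept for any DN.
        if ($password === '') {
            return false;
        }

        if (!@ldap_bind($ldap, LDAP_USERNAME, LDAP_PASSWORD)) {
            return false;
        }

        // Escape filter metacharacters before interpolating user input (ldap_escape: PHP >= 5.6).
        $filter = sprintf(LDAP_USER_PATTERN, ldap_escape($username, '', LDAP_ESCAPE_FILTER));
        $sr = @ldap_search($ldap, LDAP_ACCOUNT_BASE, $filter, array(LDAP_ACCOUNT_FULLNAME, LDAP_ACCOUNT_EMAIL));
        if ($sr === false) {
            return false;
        }

        $info = ldap_get_entries($ldap, $sr);
        // Require exactly one match; never log in "the first of several".
        if ($info === false || $info['count'] !== 1) {
            return false;
        }

        // ldap_get_entries() lower-cases attribute names and omits absent attributes.
        $entry = $info[0];
        $nameKey = strtolower(LDAP_ACCOUNT_FULLNAME);
        $emailKey = strtolower(LDAP_ACCOUNT_EMAIL);
        $name = isset($entry[$nameKey][0]) ? $entry[$nameKey][0] : '';
        $email = isset($entry[$emailKey][0]) ? $entry[$emailKey][0] : '';

        if (@ldap_bind($ldap, $entry['dn'], $password)) {
            return $this->create($username, $name, $email);
        }
        // … unchanged: return false …
```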
@@ -45,9 +57,11 @@ class Ldap extends Base
*
* @access public
* @param string $username Username
+ * @param string $name Name of the user
+ * @param string $email Email address
* @return bool
*/
- public function create($username)
+ public function create($username, $name, $email)
{
$userModel = new User($this->db, $this->event);
$user = $userModel->getByUsername($username);
@@ -70,6 +84,8 @@ class Ldap extends Base
// Create a LDAP user
$values = array(
'username' => $username,
+ 'name' => $name,
+ 'email' => $email,
'is_admin' => 0,
'is_ldap_user' => 1,
);
diff --git a/app/common.php b/app/common.php
index 5a26860f..023494d8 100644
--- a/app/common.php
+++ b/app/common.php
@@ -44,7 +44,8 @@ defined('DB_NAME') or define('DB_NAME', 'kanboard');
defined('LDAP_AUTH') or define('LDAP_AUTH', false);
defined('LDAP_SERVER') or define('LDAP_SERVER', '');
defined('LDAP_PORT') or define('LDAP_PORT', 389);
-defined('LDAP_USER_DN') or define('LDAP_USER_DN', '%s');
+defined('LDAP_ACCOUNT_FULLNAME') or define('LDAP_ACCOUNT_FULLNAME', 'displayname');
+defined('LDAP_ACCOUNT_EMAIL') or define('LDAP_ACCOUNT_EMAIL', 'mail');
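Review bot: The new fallbacks cover only LDAP_ACCOUNT_FULLNAME and LDAP_ACCOUNT_EMAIL, while the lookup code in app/Model/Ldap.php also reads LDAP_USERNAME, LDAP_PASSWORD, LDAP_ACCOUNT_BASE and LDAP_USER_PATTERN, and a config.php written against the removed LDAP_USER_DN setting defines none of them. An undefined constant in PHP evaluates to its own name as a string (with a notice), so the search would then run against base `LDAP_ACCOUNT_BASE` with filter `LDAP_USER_PATTERN` rather than failing clearly. Defining the four missing constants here with anonymous-bind and empty defaults makes the old-config case degrade to a failed login instead of a malformed query.
```php
defined('LDAP_USERNAME') or define('LDAP_USERNAME', null);
defined('LDAP_PASSWORD') or define('LDAP_PASSWORD', null);
defined('LDAP_ACCOUNT_BASE') or define('LDAP_ACCOUNT_BASE', '');
defined('LDAP_USER_PATTERN') or define('LDAP_USER_PATTERN', '');
// … unchanged: LDAP_ACCOUNT_FULLNAME / LDAP_ACCOUNT_EMAIL defaults …
```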
// Google authentication
defined('GOOGLE_AUTH') or define('GOOGLE_AUTH', false);
diff --git a/config.default.php b/config.default.php
index 6810ce9d..db3b7221 100644
--- a/config.default.php
+++ b/config.default.php
@@ -30,10 +30,26 @@ define('LDAP_SERVER', '');
// LDAP server port (389 by default)
define('LDAP_PORT', 389);
-// User LDAP DN
-// Example for ActiveDirectory: 'MYDOMAIN\\%s' or '%s@mydomain.local'
-// Example for OpenLDAP: 'uid=%s,ou=People,dc=example,dc=com'
-define('LDAP_USER_DN', '%s');
+// LDAP username to connect with. NULL for anonymous bind (by default).
+define('LDAP_USERNAME', null);
+
+// LDAP password to connect with. NULL for anonymous bind (by default).
+define('LDAP_PASSWORD', null);
+
+// LDAP account base, i.e. root of all user account
+// Example: ou=people,dc=example,dc=com
+define('LDAP_ACCOUNT_BASE', '');
+
+// LDAP query pattern to use when searching for a user account
+// Example for ActiveDirectory: '(&(objectClass=user)(sAMAccountName=%s))'
+// Example for OpenLDAP: 'uid=%s'
+define('LDAP_USER_PATTERN', '');
+
+// Name of an attribute of the user account object which should be used as the full name of the user.
+define('LDAP_ACCOUNT_FULLNAME', 'displayname');
+
+// Name of an attribute of the user account object which should be used as the email of the user.
+define('LDAP_ACCOUNT_EMAIL', 'mail');
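Review bot: The comments on the new LDAP_USERNAME/LDAP_PASSWORD entries say nothing about what that credential is used for, yet it sits in clear text in config.php and is only ever used for the user lookup, so the deployer should be told to use a dedicated read-only directory account; suggested wording: `// LDAP service account used only to look up user entries; read access to LDAP_ACCOUNT_BASE is enough — do not use an admin account, the password is stored in clear text here. NULL for anonymous bind (by default).` The LDAP_USER_PATTERN comment should state that `%s` receives the name typed at the login form and that the whole string is handed to ldap_search(), so it must be a complete filter with exactly one `%s`: `// Filter used to locate the user entry; %s is replaced by the login name. Must be a complete LDAP filter.` The OpenLDAP example `uid=%s` also lacks the surrounding parentheses the ActiveDirectory example has; `(uid=%s)` is the standard form and avoids relying on the server to tolerate an unparenthesised filter.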
// Enable/disable Google authentication
define('GOOGLE_AUTH', false);