-rw-r--r-- | app/Model/Ldap.php | 27 | ||||
-rw-r--r-- | app/common.php | 4 | ||||
-rw-r--r-- | config.default.php | 27 |
3 files changed, 50 insertions, 8 deletions
diff --git a/app/Model/Ldap.php b/app/Model/Ldap.php
index 3359318c..4e605eb2 100644
--- a/app/Model/Ldap.php
+++ b/app/Model/Ldap.php
@@ -24,6 +24,11 @@ class Ldap extends Base
 die('The PHP LDAP extension is required');
 }
+ if (!LDAP_SSL_VERIFY) {
+ //Skip SSL certificate verification
+ putenv('LDAPTLS_REQCERT=never');
+ }
+
 $ldap = ldap_connect(LDAP_SERVER, LDAP_PORT);
 if (! is_resource($ldap)) {
@@ -33,8 +38,20 @@ class Ldap extends Base
 ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
 ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
- if (@ldap_bind($ldap, sprintf(LDAP_USER_DN, $username), $password)) {
- return $this->create($username);
+ if (!@ldap_bind($ldap, LDAP_USERNAME, LDAP_PASSWORD)) {
+ die('Unable to bind to the LDAP server: "'.LDAP_SERVER.'"');
+ }
+
+ $sr = ldap_search($ldap, LDAP_ACCOUNT_BASE, sprintf(LDAP_USER_PATTERN, $username), array(LDAP_ACCOUNT_FULLNAME, LDAP_ACCOUNT_EMAIL));
+ $info = ldap_get_entries($ldap, $sr);
+ if (count($info) == 0 || $info['count'] == 0) {
+ //User not found
+ return false;
+ }
+
+ if (@ldap_bind($ldap, $info[0]['dn'], $password)) {
+ error_log("Bind to user OK");
+ return $this->create($username, $info[0][LDAP_ACCOUNT_FULLNAME][0], $info[0][LDAP_ACCOUNT_EMAIL][0]);
 }
 return false;
@@ -45,9 +62,11 @@ class Ldap extends Base
 *
 * @access public
 * @param string $username Username
+ * @param string $name Name of the user
+ * @param string $email Email address
 * @return bool
 */
-public function create($username)
+public function create($username, $name, $email)
 {
 $userModel = new User($this->db, $this->event);
 $user = $userModel->getByUsername($username);
@@ -70,6 +89,8 @@ class Ldap extends Base
 // Create a LDAP user
 $values = array(
 'username' => $username,
+ 'name' => $name,
+ 'email' => $email,
 'is_admin' => 0,
 'is_ldap_user' => 1,
 );
diff --git a/app/common.php b/app/common.php
index 350e70b7..d607cf92 100644
--- a/app/common.php
+++ b/app/common.php
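Review bot: `putenv('LDAPTLS_REQCERT=never')` turns off certificate verification for every LDAP connection the PHP process makes from that point on, not just this one, and neither the code comment nor the name LDAP_SSL_VERIFY conveys that blast radius; a comment such as `// LDAPTLS_REQCERT is read by libldap process-wide: this disables certificate validation for all LDAP connections made by this PHP process, so a network attacker can impersonate the directory` would make the trade-off explicit to whoever flips the flag. Presumably libldap only consults the variable when it first initialises TLS, so if an earlier LDAP call in the same process already did that the setting silently has no effect — worth confirming before documenting it as reliable. The enclosing method starts before this hunk.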
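Review bot: `sprintf(LDAP_USER_PATTERN, $username)` places the user-supplied login name into the search filter unescaped, so characters such as `*`, `(`, `)` and `\` alter the filter and can make the search return a different account than the one named — the value must be escaped with `ldap_escape($username, '', LDAP_ESCAPE_FILTER)` (PHP 5.6+; on older PHP the same characters can be escaped by hand) before the pattern is expanded. The result of `ldap_search()` is passed straight to `ldap_get_entries()` without checking for `false`, `$info['count']` should be required to equal 1 rather than merely be non-zero so an over-broad pattern cannot silently pick the first of several matches, and `ldap_get_entries()` lowercases attribute names, so `$info[0][LDAP_ACCOUNT_FULLNAME][0]` fails as soon as an admin configures `displayName` instead of `displayname` or the attribute is absent. Separately, if `$password` is empty the second `ldap_bind()` is treated by most directories as an unauthenticated bind and succeeds, so the empty case must be rejected here unless the caller is known to do it. Replacing the service-bind `die()` with `return false` (the old code's behaviour on bind failure) keeps the LDAP server name out of the response, and `error_log("Bind to user OK")` looks like leftover debugging. The enclosing method starts and ends outside this hunk.
```php
// Reject empty passwords up front: an empty password makes ldap_bind() an unauthenticated bind
if ($password === '') {
    return false;
}

if (!@ldap_bind($ldap, LDAP_USERNAME, LDAP_PASSWORD)) {
    return false;
}

// Escape the login name before it is expanded into the search filter
$filter = sprintf(LDAP_USER_PATTERN, ldap_escape($username, '', LDAP_ESCAPE_FILTER));
$sr = ldap_search($ldap, LDAP_ACCOUNT_BASE, $filter, array(LDAP_ACCOUNT_FULLNAME, LDAP_ACCOUNT_EMAIL));
if ($sr === false) {
    return false;
}

$info = ldap_get_entries($ldap, $sr);
if ($info === false || $info['count'] !== 1) {
    // No match, or an ambiguous pattern matched several accounts
    return false;
}

// … unchanged: bind as $info[0]['dn'] with the user's password …

// ldap_get_entries() returns attribute names in lowercase
$fullnameAttr = strtolower(LDAP_ACCOUNT_FULLNAME);
$emailAttr = strtolower(LDAP_ACCOUNT_EMAIL);
$name = isset($info[0][$fullnameAttr][0]) ? $info[0][$fullnameAttr][0] : '';
$email = isset($info[0][$emailAttr][0]) ? $info[0][$emailAttr][0] : '';
return $this->create($username, $name, $email);
```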
@@ -44,7 +44,9 @@ defined('DB_NAME') or define('DB_NAME', 'kanboard');
 defined('LDAP_AUTH') or define('LDAP_AUTH', false);
 defined('LDAP_SERVER') or define('LDAP_SERVER', '');
 defined('LDAP_PORT') or define('LDAP_PORT', 389);
-defined('LDAP_USER_DN') or define('LDAP_USER_DN', '%s');
+defined('LDAP_SSL_VERIFY') or define('LDAP_SSL_VERIFY', true);
+defined('LDAP_ACCOUNT_FULLNAME') or define('LDAP_ACCOUNT_FULLNAME', 'displayname');
+defined('LDAP_ACCOUNT_EMAIL') or define('LDAP_ACCOUNT_EMAIL', 'mail');
 // Google authentication
 defined('GOOGLE_AUTH') or define('GOOGLE_AUTH', false);
diff --git a/config.default.php b/config.default.php
index 9c12e5d2..027d8417 100644
--- a/config.default.php
+++ b/config.default.php
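Review bot: Only three of the six new constants get a fallback here; LDAP_USERNAME, LDAP_PASSWORD, LDAP_ACCOUNT_BASE and LDAP_USER_PATTERN are referenced by Ldap.php but have no `defined(...) or define(...)` line, so an installation whose existing config.php predates this change will hit undefined constants on the first LDAP login (an undefined constant is treated as a string on this PHP generation, which would also make the bind user literally `'LDAP_USERNAME'`). Adding the same fallbacks as config.default.php uses keeps old configs working and matches the pattern of the surrounding lines.
```php
defined('LDAP_SSL_VERIFY') or define('LDAP_SSL_VERIFY', true);
defined('LDAP_USERNAME') or define('LDAP_USERNAME', null);
defined('LDAP_PASSWORD') or define('LDAP_PASSWORD', null);
defined('LDAP_ACCOUNT_BASE') or define('LDAP_ACCOUNT_BASE', '');
defined('LDAP_USER_PATTERN') or define('LDAP_USER_PATTERN', '');
// … unchanged: LDAP_ACCOUNT_FULLNAME and LDAP_ACCOUNT_EMAIL defaults …
```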
@@ -30,10 +30,29 @@ define('LDAP_SERVER', '');
 // LDAP server port (389 by default)
 define('LDAP_PORT', 389);
-// User LDAP DN
-// Example for ActiveDirectory: 'MYDOMAIN\\%s' or '%s@mydomain.local'
-// Example for OpenLDAP: 'uid=%s,ou=People,dc=example,dc=com'
-define('LDAP_USER_DN', '%s');
+// By default, require certificate to be verified for ldaps:// style URL. Set to false to skip the verification.
+define('LDAP_SSL_VERIFY', true);
+
+// LDAP username to connect with. NULL for anonymous bind (by default).
+define('LDAP_USERNAME', null);
+
+// LDAP password to connect with. NULL for anonymous bind (by default).
+define('LDAP_PASSWORD', null);
+
+// LDAP account base, i.e. root of all user account
+// Example: ou=people,dc=example,dc=com
+define('LDAP_ACCOUNT_BASE', '');
+
+// LDAP query pattern to use when searching for a user account
+// Example for ActiveDirectory: '(&(objectClass=user)(sAMAccountName=%s))'
+// Example for OpenLDAP: 'uid=%s'
+define('LDAP_USER_PATTERN', '');
+
+// Name of an attribute of the user account object which should be used as the full name of the user.
+define('LDAP_ACCOUNT_FULLNAME', 'displayname');
+
+// Name of an attribute of the user account object which should be used as the email of the user.
+define('LDAP_ACCOUNT_EMAIL', 'mail');
 // Enable/disable Google authentication
 define('GOOGLE_AUTH', false);
|
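Review bot: The LDAP_SSL_VERIFY comment describes the flag as skipping "the verification" without saying that, as implemented in Ldap.php, it sets LDAPTLS_REQCERT=never and therefore disables certificate validation for every LDAP connection the PHP process makes; an administrator reading only this file cannot weigh that. A comment along the lines of `// Set to false only for testing: this disables TLS certificate validation for ALL LDAP connections made by this process, allowing the directory to be impersonated.` states the consequence. The LDAP_USERNAME comment would also benefit from noting that this account only needs read access to LDAP_ACCOUNT_BASE and should be a dedicated, least-privilege service account, since its password sits in plaintext in this file.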