diff options
Diffstat (limited to 'app/Auth/Ldap.php')
-rw-r--r-- | app/Auth/Ldap.php | 110 |
1 files changed, 76 insertions, 34 deletions
diff --git a/app/Auth/Ldap.php b/app/Auth/Ldap.php index cc1b3f95..2f8f791e 100644 --- a/app/Auth/Ldap.php +++ b/app/Auth/Ldap.php @@ -46,7 +46,7 @@ class Ldap extends Base else { // We create automatically a new user - if (LDAP_ACCOUNT_CREATION && $this->createUser($username, $result['name'], $result['email'])) { + if (LDAP_ACCOUNT_CREATION && $this->user->create($result) !== false) { $user = $this->user->getByUsername($username); } else { @@ -65,28 +65,6 @@ class Ldap extends Base } /** - * Create a new local user after the LDAP authentication - * - * @access public - * @param string $username Username - * @param string $name Name of the user - * @param string $email Email address - * @return bool - */ - public function createUser($username, $name, $email) - { - $values = array( - 'username' => $username, - 'name' => $name, - 'email' => $email, - 'is_admin' => 0, - 'is_ldap_user' => 1, - ); - - return $this->user->create($values); - } - - /** * Find the user from the LDAP server * * @access public @@ -99,7 +77,7 @@ class Ldap extends Base $ldap = $this->connect(); if ($ldap !== false && $this->bind($ldap, $username, $password)) { - return $this->search($ldap, $username, $password); + return $this->getProfile($ldap, $username, $password); } return false; @@ -180,7 +158,7 @@ class Ldap extends Base } /** - * LDAP user lookup + * Get LDAP user profile * * @access public * @param resource $ldap @@ -188,12 +166,11 @@ class Ldap extends Base * @param string $password * @param string $base_dn * @param string $user_pattern - * @param array $attributes * @return boolean|array */ - public function search($ldap, $username, $password, $base_dn = LDAP_ACCOUNT_BASE, $user_pattern = LDAP_USER_PATTERN, array $attributes = array(LDAP_ACCOUNT_FULLNAME, LDAP_ACCOUNT_EMAIL)) + public function getProfile($ldap, $username, $password, $base_dn = LDAP_ACCOUNT_BASE, $user_pattern = LDAP_USER_PATTERN) { - $sr = ldap_search($ldap, $base_dn, sprintf($user_pattern, $username), $attributes); + $sr = ldap_search($ldap, $base_dn, sprintf($user_pattern, $username), $this->getProfileAttributes()); if ($sr === false) { return false; @@ -206,11 +183,62 @@ class Ldap extends Base } if (@ldap_bind($ldap, $entries[0]['dn'], $password)) { - return array( - 'username' => $username, - 'name' => $this->getEntry($entries, LDAP_ACCOUNT_FULLNAME), - 'email' => $this->getEntry($entries, LDAP_ACCOUNT_EMAIL), - ); + return $this->prepareProfile($ldap, $entries, $username); + } + + return false; + } + + /** + * Build user profile from LDAP information + * + * @access public + * @param resource $ldap + * @param array $entries + * @param string $username + * @return boolean|array + */ + public function prepareProfile($ldap, array $entries, $username) + { + return array( + 'username' => $username, + 'name' => $this->getEntry($entries, LDAP_ACCOUNT_FULLNAME), + 'email' => $this->getEntry($entries, LDAP_ACCOUNT_EMAIL), + 'is_admin' => (int) $this->isMemberOf($this->getEntries($entries, LDAP_ACCOUNT_MEMBEROF), LDAP_GROUP_ADMIN_DN), + 'is_project_admin' => (int) $this->isMemberOf($this->getEntries($entries, LDAP_ACCOUNT_MEMBEROF), LDAP_GROUP_PROJECT_ADMIN_DN), + 'is_ldap_user' => 1, + ); + } + + /** + * Ge the list of attributes to fetch when reading the LDAP user entry + * + * @access public + * @return array + */ + public function getProfileAttributes() + { + return array(LDAP_ACCOUNT_FULLNAME, LDAP_ACCOUNT_EMAIL, LDAP_ACCOUNT_MEMBEROF); + } + + /** + * Check group membership + * + * @access public + * @param array $group_entries + * @param string $group_dn + * @return boolean + */ + public function isMemberOf(array $group_entries, $group_dn) + { + if (! isset($group_entries['count']) || empty($group_dn)) { + return false; + } + + for ($i = 0; $i < $group_entries['count']; $i++) { + if ($group_entries[$i] === $group_dn) { + return true; + } } return false; @@ -286,7 +314,7 @@ class Ldap extends Base } /** - * Return a value from the LDAP info + * Return one entry from a list of entries * * @access private * @param array $entries LDAP entries @@ -298,4 +326,18 @@ class Ldap extends Base { return isset($entries[0][$key][0]) ? $entries[0][$key][0] : $default; } + + /** + * Return subset of entries + * + * @access private + * @param array $entries + * @param string $key + * @param array $default + * @return array + */ + private function getEntries(array $entries, $key, $default = array()) + { + return isset($entries[0][$key]) ? $entries[0][$key] : $default; + } } |