diff options
Diffstat (limited to 'app')
-rw-r--r-- | app/Auth/Ldap.php | 76 | ||||
-rw-r--r-- | app/Auth/ReverseProxy.php | 1 |
2 files changed, 42 insertions, 35 deletions
diff --git a/app/Auth/Ldap.php b/app/Auth/Ldap.php index 262c5cd7..cc1b3f95 100644 --- a/app/Auth/Ldap.php +++ b/app/Auth/Ldap.php @@ -109,9 +109,11 @@ class Ldap extends Base * LDAP connection * * @access public + * @param string $ldap_hostname + * @param integer $ldap_port * @return resource|boolean */ - public function connect() + public function connect($ldap_hostname = LDAP_SERVER, $ldap_port = LDAP_PORT) { if (! function_exists('ldap_connect')) { $this->logger->error('The PHP LDAP extension is required'); @@ -123,12 +125,13 @@ class Ldap extends Base putenv('LDAPTLS_REQCERT=never'); } - $ldap = ldap_connect(LDAP_SERVER, LDAP_PORT); + $ldap = ldap_connect($ldap_hostname, $ldap_port); if ($ldap === false) { $this->logger->error('Unable to connect to the LDAP server: "'.LDAP_SERVER.'"'); return false; } + ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 1); @@ -143,7 +146,7 @@ class Ldap extends Base } /** - * LDAP bind + * LDAP authentication * * @access public * @param resource $ldap @@ -179,33 +182,34 @@ class Ldap extends Base /** * LDAP user lookup * - * @access private - * @param resource $ldap LDAP connection - * @param string $username Username - * @param string $password Password + * @access public + * @param resource $ldap + * @param string $username + * @param string $password + * @param string $base_dn + * @param string $user_pattern + * @param array $attributes * @return boolean|array */ - private function search($ldap, $username, $password) + public function search($ldap, $username, $password, $base_dn = LDAP_ACCOUNT_BASE, $user_pattern = LDAP_USER_PATTERN, array $attributes = array(LDAP_ACCOUNT_FULLNAME, LDAP_ACCOUNT_EMAIL)) { - $sr = @ldap_search($ldap, LDAP_ACCOUNT_BASE, sprintf(LDAP_USER_PATTERN, $username), array(LDAP_ACCOUNT_FULLNAME, LDAP_ACCOUNT_EMAIL)); + $sr = ldap_search($ldap, $base_dn, sprintf($user_pattern, $username), $attributes); if ($sr === false) { return false; } - $info = ldap_get_entries($ldap, $sr); + $entries = ldap_get_entries($ldap, $sr); - // User not found - if (count($info) === 0 || $info['count'] == 0) { + if ($entries === false || count($entries) === 0 || $entries['count'] == 0) { return false; } - // We got our user - if (@ldap_bind($ldap, $info[0]['dn'], $password)) { + if (@ldap_bind($ldap, $entries[0]['dn'], $password)) { return array( 'username' => $username, - 'name' => $this->getFromInfo($info, LDAP_ACCOUNT_FULLNAME), - 'email' => $this->getFromInfo($info, LDAP_ACCOUNT_EMAIL), + 'name' => $this->getEntry($entries, LDAP_ACCOUNT_FULLNAME), + 'email' => $this->getEntry($entries, LDAP_ACCOUNT_EMAIL), ); } @@ -215,24 +219,26 @@ class Ldap extends Base /** * Retrieve info on LDAP user * - * @param string $username Username - * @param string $email Email address + * @access public + * @param string $username Username + * @param string $email Email address + * @return boolean|array */ public function lookup($username = null, $email = null) { $query = $this->getQuery($username, $email); - if ($query === false) { + if ($query === '') { return false; } // Connect and attempt anonymous bind $ldap = $this->connect(); - if (! is_resource($ldap) || ! $this->bind($ldap, null, null)) { + if ($ldap === false || ! $this->bind($ldap, null, null, 'anonymous')) { return false; } // Try to find user - $sr = @ldap_search($ldap, LDAP_ACCOUNT_BASE, $query, array(LDAP_ACCOUNT_FULLNAME, LDAP_ACCOUNT_EMAIL, LDAP_ACCOUNT_ID)); + $sr = ldap_search($ldap, LDAP_ACCOUNT_BASE, $query, array(LDAP_ACCOUNT_FULLNAME, LDAP_ACCOUNT_EMAIL, LDAP_ACCOUNT_ID)); if ($sr === false) { return false; } @@ -250,17 +256,19 @@ class Ldap extends Base } return array( - 'username' => $this->getFromInfo($info, LDAP_ACCOUNT_ID, $username), - 'name' => $this->getFromInfo($info, LDAP_ACCOUNT_FULLNAME), - 'email' => $this->getFromInfo($info, LDAP_ACCOUNT_EMAIL, $email), + 'username' => $this->getEntry($info, LDAP_ACCOUNT_ID, $username), + 'name' => $this->getEntry($info, LDAP_ACCOUNT_FULLNAME), + 'email' => $this->getEntry($info, LDAP_ACCOUNT_EMAIL, $email), ); } /** * Get the LDAP query to find a user * - * @param string $username Username - * @param string $email Email address + * @access private + * @param string $username Username + * @param string $email Email address + * @return string */ private function getQuery($username, $email) { @@ -273,21 +281,21 @@ class Ldap extends Base else if ($email) { return '('.LDAP_ACCOUNT_EMAIL.'='.$email.')'; } - else { - return false; - } + + return ''; } /** * Return a value from the LDAP info * - * @param array $info LDAP info - * @param string $key Key - * @param string $default Default value if key not set in entry + * @access private + * @param array $entries LDAP entries + * @param string $key Key + * @param string $default Default value if key not set in entry * @return string */ - private function getFromInfo($info, $key, $default = '') + private function getEntry(array $entries, $key, $default = '') { - return isset($info[0][$key][0]) ? $info[0][$key][0] : $default; + return isset($entries[0][$key][0]) ? $entries[0][$key][0] : $default; } } diff --git a/app/Auth/ReverseProxy.php b/app/Auth/ReverseProxy.php index c8fd5eec..7818254c 100644 --- a/app/Auth/ReverseProxy.php +++ b/app/Auth/ReverseProxy.php @@ -28,7 +28,6 @@ class ReverseProxy extends Base public function authenticate() { if (isset($_SERVER[REVERSE_PROXY_USER_HEADER])) { - $login = $_SERVER[REVERSE_PROXY_USER_HEADER]; $user = $this->user->getByUsername($login); |