From 40c8b0474bb4204ee1c843398c86b8adecaedb14 Mon Sep 17 00:00:00 2001
From: anuko
Date: Wed, 12 Apr 2017 21:06:57 +0000
Subject: [PATCH] Fixed LDAP authentication against Active Directory when group membership is required.
---
 WEB-INF/config.php.dist | 4 ++++
 WEB-INF/lib/auth/Auth_ldap.class.php | 30 +++++++++++++++-------------
 WEB-INF/templates/footer.tpl | 2 +-
 3 files changed, 21 insertions(+), 15 deletions(-)
diff --git a/WEB-INF/config.php.dist b/WEB-INF/config.php.dist
index 9f53f9df..55f34749 100644
--- a/WEB-INF/config.php.dist
+++ b/WEB-INF/config.php.dist
@@ -212,6 +212,10 @@ define('AUTH_MODULE', 'db');
 // 'base_dn' => 'DC=example,DC=com', // Base distinguished name in LDAP catalog.
 // 'default_domain' => 'example.com', // Default domain.
 // 'member_of' => array()); // List of groups, membership in which is required for user to be authenticated.
+ // Leave it empty if membership is not necessary. Otherwise list CN parts only.
+ // For example:
+ // array('Ldap Testers') means that the user must be a member Ldap Testers group.
+ // array('Ldap Testers', 'Ldap Users') means the user must be a member of both Ldap Testers and Ldap Users groups.
 // define('AUTH_DEBUG', false); // Note: enabling AUTH_DEBUG breaks redirects as debug output is printed before setting redirect header. Do not enable on production systems.
diff --git a/WEB-INF/lib/auth/Auth_ldap.class.php b/WEB-INF/lib/auth/Auth_ldap.class.php
index 37101678..0001f296 100644
--- a/WEB-INF/lib/auth/Auth_ldap.class.php
+++ b/WEB-INF/lib/auth/Auth_ldap.class.php
@@ -65,7 +65,7 @@ class Auth_ldap extends Auth {
 foreach ($illegal as $id => $char) {
 $legal[$id] = "\\".$char;
 }
- $str = str_replace($illegal, $legal,$str); //replace them
+ $str = str_replace($illegal, $legal, $str); //replace them
 return $str;
 }
@@ -112,15 +112,14 @@ class Auth_ldap extends Auth {
 }
 // We need to handle Windows AD and OpenLDAP differently.
- if ($this->params['type'] != 'openldap') {
+ if ($this->params['type'] == 'ad') {
- // check if the user specified full login
+ // Check if user specified full login.
 if (strpos($login, '@') === false) {
- // append default domain
+ // Append default domain.
 $login .= '@' . $this->params['default_domain'];
 }
-
 if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) { echo '$login='; var_dump($login); echo '
'; }
@@ -138,9 +137,9 @@ class Auth_ldap extends Auth {
 }
 if ($member_of) {
- // get groups
+ // Get groups the user is a member of from AD LDAP server.
- $filter = 'samaccountname='.Auth_ldap::ldap_escape($login);
+ $filter = 'userPrincipalName='.Auth_ldap::ldap_escape($login);
 $fields = array('samaccountname', 'mail', 'memberof', 'department', 'displayname', 'telephonenumber', 'primarygroupid');
 $sr = @ldap_search($lc, $this->params['base_dn'], $filter, $fields);
@@ -149,7 +148,6 @@ class Auth_ldap extends Auth {
 echo 'ldap_error()='; echo ldap_error($lc); echo '
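Review bot: Changing the branch condition from `!= 'openldap'` to `== 'ad'` means a configuration whose 'type' is anything other than exactly 'ad' or 'openldap' (previously handled as AD) now skips both branches and lands on the `return false` added at the end of the method in the -277 hunk, with no AUTH_DEBUG output saying why. Every other failure in this method echoes its state under AUTH_DEBUG, so before that final return add `if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) { echo 'unsupported type='; var_dump($this->params['type']); }` and state the accepted values in the config.php.dist comment. `$this->params['type']` is also read without an isset() guard, so a configuration that omits it raises a notice before failing; whether the base class supplies a default is not visible here. The enclosing method starts before this hunk and ends after it.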
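Review bot: The new filter `'userPrincipalName='.Auth_ldap::ldap_escape($login)` only finds the account when its userPrincipalName attribute equals the login with default_domain appended, whereas AD also accepts a bind as sAMAccountName@dns-domain for accounts whose UPN carries an alternative suffix; if the bind above this hunk succeeds with such a login, the search returns no entries, `$groups` stays empty and the membership check fails closed, which is the safe direction but presents to the user as a wrong password. A comment on the filter line such as `// Search by UPN: must equal the account's userPrincipalName, not merely sAMAccountName@default_domain.` would save the next debugging session. The `$fields` list also requests primarygroupid while only memberof is turned into group names, and AD does not list the primary group in memberOf, so a required group that happens to be the user's primary group cannot be matched; worth stating in the 'member_of' comment in config.php.dist. The enclosing `if ($member_of)` block continues beyond this hunk.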
'; }
- // if search failed it's likely that account is disabled
 if (!$sr) {
 ldap_unbind($lc);
 return false;
@@ -169,8 +167,7 @@ class Auth_ldap extends Auth {
 $groups = array();
- // extract group names from
- // assuming the groups are in format: CN=,...
+ // Extract group names. Assume the groups are in format: CN=,...
 for ($i = 0; $i < @$entries[0]['memberof']['count']; $i++) {
 $grp = $entries[0]['memberof'][$i];
 $grp_fields = explode(',', $grp);
@@ -181,8 +178,8 @@ class Auth_ldap extends Auth {
 echo '$member_of'; var_dump($member_of); echo '
'; };
- // check for group membership
- foreach ($member_of as $check_grp) {
+ // Check for group membership.
+ foreach ($member_of as $check_grp) {
 if (!in_array($check_grp, $groups)) {
 ldap_unbind($lc);
 return false;
@@ -191,9 +188,10 @@ class Auth_ldap extends Auth {
 }
 ldap_unbind($lc);
- return array('login' => $login, 'data' => $entries, 'member_of' => $groups);
- } else {
+ }
+
+ if ($this->params['type'] == 'openldap') {
 // Assuming OpenLDAP server.
 $login_oldap = 'uid='.$login.','.$this->params['base_dn'];
@@ -221,6 +219,7 @@ class Auth_ldap extends Auth {
 }
 if ($member_of) {
+ // TODO: Fix this for OpenLDAP, as samaccountname has nothing to do with it.
 // get groups
 $filter = 'samaccountname='.Auth_ldap::ldap_escape($login_oldap);
@@ -277,6 +276,9 @@ class Auth_ldap extends Auth {
 return array('login' => $login, 'data' => $entries, 'member_of' => $groups);
 }
+
+ // Server type is neither 'ad' or 'openldap'.
+ return false;
 }
 function isPasswordExternal() {
diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index 0863ec42..2ed44e26 100644
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
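Review bot: With `return array(...)` removed and `} else {` replaced by a bare `}`, the AD branch now ends immediately after `ldap_unbind($lc);` without returning a value, so a user who authenticated and passed the group check falls into the `openldap` test, fails it, and reaches the `return false` added in the -277 hunk; unless a return exists in lines outside this hunk, that turns every AD login into a failure. Keep the success return on the new side, `ldap_unbind($lc); return array('login' => $login, 'data' => $entries, 'member_of' => $groups);`, and note that `$entries` and `$groups` are only assigned inside `if ($member_of)` (hunks -138 and -169), so when no groups are required they are undefined in that array. The enclosing method starts before this hunk and ends after it.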
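Review bot: The TODO added above the OpenLDAP group lookup understates the effect: standard OpenLDAP schemas have no samaccountname attribute, so the filter `'samaccountname='.Auth_ldap::ldap_escape($login_oldap)` on the next line cannot match an entry, and as far as this diff shows a non-empty 'member_of' against an OpenLDAP server presumably always ends in the same fail-closed membership check as the AD branch; group enforcement is non-functional for that server type, not merely untidy. Say so where an administrator will read it, e.g. `// TODO: group membership is not implemented for OpenLDAP; this samaccountname filter never matches, so a non-empty 'member_of' makes authentication fail.`, and mirror that in the 'member_of' comment in config.php.dist. The `if ($member_of)` block continues beyond this hunk.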
-
 Anuko Time Tracker 1.10.40.3624 | Copyright © Anuko | +  Anuko Time Tracker 1.10.41.3625 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve} -- 2.20.1