// 'base_dn' => 'DC=example,DC=com', // Base distinguished name in LDAP catalog.
// 'default_domain' => 'example.com', // Default domain.
// 'member_of' => array()); // List of groups, membership in which is required for user to be authenticated.
+ // Leave it empty if membership is not necessary. Otherwise list CN parts only.
+ // For example:
+ // array('Ldap Testers') means that the user must be a member Ldap Testers group.
+ // array('Ldap Testers', 'Ldap Users') means the user must be a member of both Ldap Testers and Ldap Users groups.
// define('AUTH_DEBUG', false); // Note: enabling AUTH_DEBUG breaks redirects as debug output is printed before setting redirect header. Do not enable on production systems.
foreach ($illegal as $id => $char) {
$legal[$id] = "\\".$char;
}
- $str = str_replace($illegal, $legal,$str); //replace them
+ $str = str_replace($illegal, $legal, $str); //replace them
return $str;
}
}
// We need to handle Windows AD and OpenLDAP differently.
- if ($this->params['type'] != 'openldap') {
+ if ($this->params['type'] == 'ad') {
- // check if the user specified full login
+ // Check if user specified full login.
if (strpos($login, '@') === false) {
- // append default domain
+ // Append default domain.
$login .= '@' . $this->params['default_domain'];
}
-
if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
echo '$login='; var_dump($login); echo '<br />';
}
}
if ($member_of) {
- // get groups
+ // Get groups the user is a member of from AD LDAP server.
- $filter = 'samaccountname='.Auth_ldap::ldap_escape($login);
+ $filter = 'userPrincipalName='.Auth_ldap::ldap_escape($login);
$fields = array('samaccountname', 'mail', 'memberof', 'department', 'displayname', 'telephonenumber', 'primarygroupid');
$sr = @ldap_search($lc, $this->params['base_dn'], $filter, $fields);
echo 'ldap_error()='; echo ldap_error($lc); echo '<br />';
}
- // if search failed it's likely that account is disabled
if (!$sr) {
ldap_unbind($lc);
return false;
$groups = array();
- // extract group names from
- // assuming the groups are in format: CN=<group_name>,...
+ // Extract group names. Assume the groups are in format: CN=<group_name>,...
for ($i = 0; $i < @$entries[0]['memberof']['count']; $i++) {
$grp = $entries[0]['memberof'][$i];
$grp_fields = explode(',', $grp);
echo '$member_of'; var_dump($member_of); echo '<br />';
};
- // check for group membership
- foreach ($member_of as $check_grp) {
+ // Check for group membership.
+ foreach ($member_of as $check_grp) {
if (!in_array($check_grp, $groups)) {
ldap_unbind($lc);
return false;
}
ldap_unbind($lc);
-
return array('login' => $login, 'data' => $entries, 'member_of' => $groups);
- } else {
+ }
+
+ if ($this->params['type'] == 'openldap') {
// Assuming OpenLDAP server.
$login_oldap = 'uid='.$login.','.$this->params['base_dn'];
}
if ($member_of) {
+ // TODO: Fix this for OpenLDAP, as samaccountname has nothing to do with it.
// get groups
$filter = 'samaccountname='.Auth_ldap::ldap_escape($login_oldap);
return array('login' => $login, 'data' => $entries, 'member_of' => $groups);
}
+
+ // Server type is neither 'ad' or 'openldap'.
+ return false;
}
function isPasswordExternal() {
projects / timetracker.git / commitdiff