Commit 1f28d43a70a927a9cd2877bda606d1e89437587a
1 parent
2cbf16a2
Bugfix LDAP anonyme et refactorisation
+ UPDATE chmod +x
Showing
3 changed files
with
125 additions
and
19 deletions
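--- a/README.md
+++ b/README.md
@@ -53,11 +53,12 @@ Logiciel testé et validé sur les configurations suivantes :
 
 VERSION ACTUELLE
 
-Date: 12/02/2019
-Version: 2.10.8
+Date: 13/02/2019
+Version: 2.10.9
 Author: EP
- Bugfix LDAP anonyme se faisait sans vérifier le mot de passe utilisateur !!!
+ Bugfix LDAP anonyme et refactorisation
 
+ LDAP anonyme se faisait sans vérifier le mot de passe utilisateur !!!
 IMPORTANT:
 - Pour connaitre la version actuelle, taper "./VERSION"
 - Pour mettre à jour le code, utiliser ./UPDATE depuis la racine du projet (ne plus se contenter de faire "git pull")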
UPDATE
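--- a/src/Model/Table/LdapConnectionsTable.php
+++ b/src/Model/Table/LdapConnectionsTable.php
@@ -173,12 +173,16 @@ class LdapConnectionsTable extends AppTable
 </ul>');
 }
 
+// REAL or FAKE LDAP
 public function getAllLdapUsers()
 {
 try {
 if ($this->checkConfiguration()) {
+
 // REAL LDAP
 if ($this->LDAP_USED) {
+$res = $this->searchLdap($this->filter, []);
+/*
 $ldapConnection = ldap_connect($this->host, $this->port);
 ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
 
@@ -189,7 +193,9 @@ class LdapConnectionsTable extends AppTable
 $results = ldap_search($ldapConnection, $this->baseDn, $this->filter);
 
 $res = ldap_get_entries($ldapConnection, $results);
-}
+*/
+}
+
 // FAKE LDAP
 else {
 $res = $this->fakeLDAPUsers;
@@ -199,19 +205,25 @@ class LdapConnectionsTable extends AppTable
 } catch (Exception $e) {}
 return false;
 }
+
 
+// REAL LDAP only
 /*
-* @param unknown $userName (= login)
 * @param string $ldapConnection
 * @param string $filter
 * @param array $just_these
-* @return $info = ldap search result (user attributes) or FALSE
+* @param string $userName (= login) => for FAKE LDAP only
+* @return $res = ldap search result (1 user or all users attributes) or FALSE
 */
-public function getUserAttributes($userName, $ldapConnection='', $filter='', $just_these=[])
+//public function getUserAttributes($userName, $ldapConnection='', $filter='', $just_these=[])
+//public function getUserAttributes($ldapConnection='', $filter='', $just_these=[], $userName=NULL)
+public function getLdapUsersAttributes($ldapConnection, $filter='', $just_these=[])
 {
 try {
 if ($this->checkConfiguration()) {
-if ($this->LDAP_USED) {
+
+// LDAP mode
+//if ($this->LDAP_USED) {
 /* (EP)
 Fonction ldap_search ($link_identifier, $base_dn, $filter, array $attributes = null, $attrsonly = null, $sizelimit = null, $timelimit = null, $deref = null)
 Concernant le paramètre $attributes (ici, $just_these) :
@@ -230,13 +242,21 @@ class LdapConnectionsTable extends AppTable
 Quand on n'utilise pas $just_these, la fonction ldap_search() retourne TOUS les attributs disponibles,
 donc c'est le comportement qu'on veut ici.
 */
+
+//$search = $this->getUserAttributes($ldapConnection, $filter, $just_these, $user_login);
+//$results = ldap_search($ldapConnection, $this->baseDn, $this->filter);
+
 $results = ldap_search($ldapConnection, $this->baseDn, $filter, $just_these)
 or die("Could not search to LDAP server response was: " . ldap_error($ldapConnection) );
-$info = ldap_get_entries($ldapConnection, $results);
+$res = ldap_get_entries($ldapConnection, $results);
 //echo $info["count"]." entries returned\n";
-return $info;
-}
-else return array( $this->getFakeLdapUser($userName) );
+return $res;
+//}
+
+// FAKE LDAP mode
+//else return array( $this->getFakeLdapUser($userName) );
+//else return $this->fakeLDAPUsers;
+
 }
 } catch (Exception $e) {
 echo 'Exception LDAP : ', $e->getMessage(), "\n";
@@ -244,7 +264,8 @@ class LdapConnectionsTable extends AppTable
 
 return false;
 }
-
+
+
 public function getAuthenticationType()
 {
 return $this->authenticationType;
@@ -266,20 +287,29 @@ class LdapConnectionsTable extends AppTable
 public function getListUsers()
 {
 $u = $this->getAllLdapUsers();
+//debug($u);
 $utilisateurs = [];
 
+// (EP) Refactorisation pour éviter code redondant ci-dessous, c'était pourtant pas compliqué, poil dans la main...
+$nb_users = $this->LDAP_USED ? $u['count'] : sizeof($u)-1;
+for ($i = 0; $i < $nb_users; $i ++)
+// $utilisateurs["Pallier Etienne"] = "Pallier Etienne"
+$utilisateurs[ $u[$i]['sn'][0].' '.$u[$i]['givenname'][0] ] = $u[$i]['sn'][0].' '.$u[$i]['givenname'][0];
+/*
 if ($this->LDAP_USED) {
 for ($i = 0; $i < $u['count']; $i ++) {
-$utilisateurs[$u[$i]['sn'][0] . ' ' . $u[$i]['givenname'][0]] = $u[$i]['sn'][0] . ' ' . $u[$i]['givenname'][0];
+$utilisateurs[ $u[$i]['sn'][0].' '.$u[$i]['givenname'][0] ] = $u[$i]['sn'][0].' '.$u[$i]['givenname'][0];
 }
 } else {
 for ($i = 0; $i < sizeof($u) - 1; $i ++) {
-$utilisateurs[$u[$i]['sn'][0] . ' ' . $u[$i]['givenname'][0]] = $u[$i]['sn'][0] . ' ' . $u[$i]['givenname'][0];
+$utilisateurs[ $u[$i]['sn'][0].' '.$u[$i]['givenname'][0] ] = $u[$i]['sn'][0].' '.$u[$i]['givenname'][0];
 }
 }
-
+*/
+//debug($utilisateurs);
 return $utilisateurs;
 }
+
 
 /**
 * Return a list of login ofUsers with key = username & value = login
@@ -352,13 +382,67 @@ class LdapConnectionsTable extends AppTable
 ];
 }
 
+
+// TODO: implement
+// REAL LDAP only
+private function checkAndFetchUserFromDB($user_login, $user_password) {
+// By default, user is not in DB
+return FALSE;
+}
+
+
+// REAL LDAP only
+private function searchLdap($filter, $just_these, $user_login=NULL, $user_password=NULL) {
+
+// CONNEXION
+$ldapConnection = ldap_connect($this->host, $this->port)
+or die("Could not connect to $this->host (port $this->port)");
+
+if ($ldapConnection) {
+
+// OPTIONS
+ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
+
+// BINDING
+
+// - Authentified
+if ($this->ldap_authentified)
+$ldapbind = ldap_bind($ldapConnection, $this->bindDn, $this->bindPass); // or die("Could not bind to LDAP server.". ldap_error($ldapConnection) );
+
+// - Anonymous
+// En cas de LDAP anonyme, binding quand même pour vérifier le mot de passe de l'utilisateur.
+// Sans cette ligne, on passe avec n'importe quel password !!!
+else {
+$ldapbind = TRUE;
+debug("log, pass= " . $user_login . ' ' . $user_password);
+if ($user_login && $user_password) $ldapbind = ldap_bind($ldapConnection, $this->authenticationType.'='.$user_login, $user_password);
+debug("ldapbind " . $ldapbind);
+}
+
+// SEARCH
+if ($ldapbind) {
+//$search = $this->getLdapUserAttributes($ldapConnection, $filter, $just_these, $user_login);
+$search = $this->getLdapUsersAttributes($ldapConnection, $filter, $just_these);
+if ($search === false) die("Could not get user attributes from LDAP server, response was: " . ldap_error($ldapConnection) );
+//return $search[0];
+return $search;
+}
+
+}
+
+// Il y a eu un pb, utilisateur non reconnu
+return FALSE;
+
+}
+
 
-private function checkAndGetLdapUser($user_login, $user_password) {
+// REAL LDAP only
+private function checkAndFetchUserFromLdap($user_login, $user_password) {
 // Set LDAP parameters
 // - Liste des attributs à récupérer dans le ldap (vide = TOUS les attributs)
 $just_these = [];
 // TODO: vérifier si cette ligne est bien utile ou pas... (avant on faisait ça)
-//if ($this->ldap_authentified) $just_these = array("cn");
+if (! $this->ldap_authentified) $just_these = array("cn");
 
 /* Examples :
 *
@@ -381,6 +465,10 @@ class LdapConnectionsTable extends AppTable
 //TODO: optimisation, refactoriser si comportement général
 //$binddn .= ','.$this->baseDn;
 
+$res = $this->searchLdap($filter, $just_these, $user_login, $user_password);
+if ($res != FALSE) return $res[0];
+
+/*
 // CONNEXION
 $ldapConnection = ldap_connect($this->host, $this->port)
 or die("Could not connect to $this->host (port $this->port)");
@@ -406,12 +494,19 @@ class LdapConnectionsTable extends AppTable
 }
 
 }
+*/
 
 // Il y a eu un pb, utilisateur non reconnu
 return FALSE;
 }
 
 
+// TODO: implement
+private function saveNewUserInDB($user_fetched) {
+// SAVE new user in DB
+return TRUE;
+}
+
 
 /*
 * @param string $user_login
@@ -427,7 +522,16 @@ class LdapConnectionsTable extends AppTable
 if ($this->LDAP_USED) {
 // No connexion allowed without password
 if (strlen(trim($user_password)) == 0) return FALSE;
-return $this->checkAndGetLdapUser($user_login, $user_password);
+
+// 1) Search user in CACHE (DB)
+$user_fetched = $this->checkAndFetchUserFromDB($user_login, $user_password);
+if ($user_fetched === FALSE) {
+// 2) If not CACHED, search user in LDAP
+$user_fetched = $this->checkAndFetchUserFromLdap($user_login, $user_password);
+// CACHE the new user in DB for next time
+if ($user_fetched != FALSE) $this->saveNewUserInDB($user_fetched);
+}
+return $user_fetched; // Noter que $user_fetched peut etre egal a FALSE (si pas trouvé)
 }
 
 // We are not using LDAP (so, use FAKE LDAP instead)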
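Review bot: `debug("log, pass= " . $user_login . ' ' . $user_password);` in the anonymous-bind branch of searchLdap writes the caller's cleartext password to debug output, and `debug("ldapbind " . $ldapbind);` just after it reports the bind result; both lines should be removed, not left for production. In that same branch `$ldapbind = TRUE;` is only overridden when `$user_login && $user_password` are both non-empty, so a call with an empty login (or the credential-less call from getAllLdapUsers) still proceeds to an unauthenticated search; whether an unauthenticated search is allowed should be an explicit parameter of searchLdap rather than inferred from a missing credential, with `return FALSE;` when a login is supplied without a password. The bind DN `$this->authenticationType.'='.$user_login` concatenates the raw login, so it should be built from `ldap_escape($user_login, '', LDAP_ESCAPE_DN)`. In checkAndFetchUserFromLdap, whose body spans several hunks, `if ($res != FALSE) return $res[0];` returns null with an undefined-index notice when the search matched nobody, because ldap_get_entries then yields an array whose only key is `count`; guard with `if ($res !== FALSE && $res['count'] > 0) return $res[0];`.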