From 2050f6d1a3a86c22f4fd5fe583dae432ad62c054 Mon Sep 17 00:00:00 2001
From: Etienne Pallier
Date: Thu, 13 Dec 2018 23:49:15 +0100
Subject: [PATCH] mis à jour LDAP connexion
---
 doc/Labinvent Documentation.pdf | Bin 0 -> 484534 bytes
 src/Controller/Component/LdapAuthComponent.php | 1 +
 src/Model/Table/LdapConnectionsTable.php | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++--------------
 3 files changed, 57 insertions(+), 14 deletions(-)
 create mode 100644 doc/Labinvent Documentation.pdf
diff --git a/doc/Labinvent Documentation.pdf b/doc/Labinvent Documentation.pdf
new file mode 100644
index 0000000..9ace925
Binary files /dev/null and b/doc/Labinvent Documentation.pdf differ
diff --git a/src/Controller/Component/LdapAuthComponent.php b/src/Controller/Component/LdapAuthComponent.php
index 105e912..5c4000a 100755
--- a/src/Controller/Component/LdapAuthComponent.php
+++ b/src/Controller/Component/LdapAuthComponent.php
@@ -11,6 +11,7 @@ class LdapAuthComponent extends AuthComponent
 public function connection()
 {
 try {
+ // Get login and password entered by the current user (who is trying to connect)
 $login = $this->request->getData('ldap');
 $password = $this->request->getData('password');
 $resp = TableRegistry::get('LdapConnections')->ldapAuthentication($login, $password);
diff --git a/src/Model/Table/LdapConnectionsTable.php b/src/Model/Table/LdapConnectionsTable.php
index f83ed42..9853cd1 100755
--- a/src/Model/Table/LdapConnectionsTable.php
+++ b/src/Model/Table/LdapConnectionsTable.php
@@ -187,16 +187,23 @@ class LdapConnectionsTable extends AppTable
 }
 // $userName = login
- public function getUserAttributes($userName)
+ public function getUserAttributes($userName, $LDAP_ANONYMOUS=true, $filter='', $just_these=[])
 {
 try {
 if ($this->checkConfiguration()) {
 if ($this->USE_LDAP) {
+ /*
 $ldapConnection = ldap_connect($this->host, $this->port);
 ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
- $results = ldap_search($ldapConnection, $this->baseDn, '(' . $this->authenticationType . '=' . $userName . ')');
- return ldap_get_entries($ldapConnection, $results);
+ */
+ /* CRAL
+ */
+ //$results = ldap_search($ldapConnection, $this->baseDn, $filter);
+ $results = ldap_search($ldapConnection, $this->baseDn, $filter, $just_these) or die("Could not search to LDAP server response was: " . ldap_error($ldapconn) );
+ $info = ldap_get_entries($ldapConnection, $results);
+ //echo $info["count"]." entries returned\n";
+ return $info;
 } else
 return array(
 $this->getFakeLdapUser($userName)
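Review bot: `$ldapConnection` is undefined at the new `ldap_search($ldapConnection, $this->baseDn, $filter, $just_these)` call, because the `ldap_connect`/`ldap_set_option` lines just above it are now inside a `/* */` block, and `ldap_error($ldapconn)` in the `or die(...)` refers to a second variable that does not exist either, so the LDAP branch cannot succeed as committed. `or die()` is also the wrong failure mode for a Table method: it terminates the whole request and prints the raw LDAP error to the browser, where the previous code simply returned whatever `ldap_get_entries` produced. The new `$filter` default of `''` is not a valid LDAP filter, so any existing caller that still passes only `$userName` (which the old signature allowed) now breaks; keeping the old login-based filter as the default, built with `ldap_escape($userName, '', LDAP_ESCAPE_FILTER)` so the login cannot alter it, avoids that. I would accept the connection handle from the caller (ldapAuthentication already opens and binds one) and fall back to opening one here, as below; the method's `catch` lies outside the hunk so I cannot tell whether it would handle the thrown exception.
```php
public function getUserAttributes($userName, $LDAP_ANONYMOUS=true, $filter='', $just_these=[], $ldapConnection=null)
{
    // … unchanged: try / checkConfiguration() / USE_LDAP guards …
                if ($filter === '') {
                    // Pre-patch behaviour: look the entry up by login; escaped so $userName cannot change the filter
                    $filter = '(' . $this->authenticationType . '=' . ldap_escape($userName, '', LDAP_ESCAPE_FILTER) . ')';
                }
                if ($ldapConnection === null) {
                    // No handle supplied by the caller: open our own, as the old code did
                    $ldapConnection = ldap_connect($this->host, $this->port);
                    ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
                }
                $results = ldap_search($ldapConnection, $this->baseDn, $filter, $just_these);
                if ($results === false) {
                    // Do not die(): that kills the request and echoes the raw LDAP error to the client
                    throw new \RuntimeException('LDAP search failed: ' . ldap_error($ldapConnection));
                }
                return ldap_get_entries($ldapConnection, $results);
    // … unchanged: fake-LDAP fallback …
```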
@@ -314,23 +321,58 @@ class LdapConnectionsTable extends AppTable
 ];
 }
- public function ldapAuthentication($login, $password)
+ public function ldapAuthentication($login, $user_password)
 {
 try {
 if ($this->checkConfiguration()) {
+ // We are using LDAP
 if ($this->USE_LDAP) {
- if (strlen(trim($password)) == 0)
- return FALSE;
+ $LDAP_ANONYMOUS = true;
+
+ // No connexion allowed without password
+ if (strlen(trim($user_password)) == 0) return FALSE;
+
+ // Set LDAP parameters
+ // - Anonymous connection (IRAP, IAS, LATMOS)
+ if ($LDAP_ANONYMOUS) {
+ //$dn = "ou=users,dc=irap,dc=omp,dc=eu";
+ //$dn = $this->baseDn;
+ $binddn = $this->authenticationType . '=' . $login;
+ $ldappass = $user_password;
+ $filter = '('.$binddn.')';
+ $just_these = array("cn");
+ }
+ // - Authentified connection (CRAL)
+ else {
+ //$dn = "dc=univ-lyon1,dc=fr";
+ //$binddn="CN=svc_ldap_cral,OU=users,OU=27,OU=sim,OU=univ-lyon1,DC=univ-lyon1,DC=fr";
+ //$binddn = "CN=svc_ldap_cral,OU=users,OU=27,OU=sim,OU=univ-lyon1,".$dn;
+ $binddn = "CN=svc_ldap_cral,OU=users,OU=27,OU=sim,OU=univ-lyon1";
+ $ldappass = "lemotdepasse";
+ $filter = "(&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=cn=ucbl.osu.cral,ou=groups,ou=27,ou=sim,ou=univ-lyon1,dc=univ-lyon1,dc=fr))";
+ //$just_these = array();
+ $just_these = [];
+ }
+ $binddn .= ','.$this->baseDn;
+
+ // Connection
 $ldapConnection = ldap_connect($this->host, $this->port);
- ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
- if (@ldap_bind($ldapConnection, $this->authenticationType . '=' . $login . ',' . $this->baseDn, $password)) {
- return $this->getUserAttributes($login)[0];
- /*
- * } else {
- * return false;
- */
+ if ($ldapConnection) {
+ ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
+ // Binding
+ //if (@ldap_bind($ldapConnection, $this->authenticationType . '=' . $login . ',' . $this->baseDn, $password)) {
+ $ldapbind = ldap_bind($ldapConnection, $binddn, $ldappass);
+ if ($ldapbind) {
+ return $this->getUserAttributes($login, $LDAP_ANONYMOUS, $filter, $just_these)[0];
+ /*
+ * } else {
+ * return false;
+ */
+ }
 }
+
+ // We are not using LDAP (use FAKE LDAP instead)
 } else {
 $user = $this->getFakeLdapUser($login);
 // debug($user);
@@ -341,7 +383,7 @@ class LdapConnectionsTable extends AppTable
 // if ($user[$this->authenticationType][0] == "_NouvelUtilisateur_username" && $user['userpassword'][0] == "_NouvelUtilisateur_password") return $user;
 if ($user[$this->authenticationType][0] == $this->getTheFakeLdapUser()['login'] && $user['userpassword'][0] == $this->getTheFakeLdapUser()['pass']) return $user;
- if ((new DefaultPasswordHasher())->check($password, $user['userpassword'][0]))
+ if ((new DefaultPasswordHasher())->check($user_password, $user['userpassword'][0]))
 return $user;
 // if ($user != false && $user['userpassword'][0] == $password) {
 }
-- 
libgit2 0.21.2
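Review bot: In the `else` (CRAL) branch the user's password is never checked: the only bind is `ldap_bind($ldapConnection, $binddn, $ldappass)` with the service account, and the filter that follows selects group members without referencing `$login`, so `getUserAttributes(...)[0]` would return the first matching person for any login and any non-empty `$user_password`. That branch is dead while `$LDAP_ANONYMOUS = true;` is hard-coded, but it also commits a service-account DN and password (`$ldappass = "lemotdepasse";`) to source history, which belongs in the configuration that `checkConfiguration()` already supplies for host/port/baseDn — if that string is only a placeholder, a comment saying so would help the next reader. In both branches `$login` is concatenated unescaped into the bind DN and the search filter; `ldap_escape($login, '', LDAP_ESCAPE_DN)` and `ldap_escape($login, '', LDAP_ESCAPE_FILTER)` close that off. Dropping the `@` on `ldap_bind` also means every wrong password now emits a PHP warning, so either restore it or check `ldap_errno($ldapConnection)` explicitly. I would restructure the branch so the service account only locates the user's DN and a second bind as that DN is what proves the password, as sketched below; the method's `catch` and the rest of the fake-LDAP path lie outside the hunk.
```php
// … unchanged: USE_LDAP guard, empty-password check, $LDAP_ANONYMOUS flag …
$filter = '(' . $this->authenticationType . '=' . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . ')';
$userDn = $this->authenticationType . '=' . ldap_escape($login, '', LDAP_ESCAPE_DN) . ',' . $this->baseDn;
$just_these = $LDAP_ANONYMOUS ? array("cn") : [];
// … unchanged: ldap_connect / LDAP_OPT_PROTOCOL_VERSION …
if (!$LDAP_ANONYMOUS) {
    // The service account only locates the user; its DN and password must come from configuration,
    // never from source. TODO: load them in checkConfiguration() next to host/port/baseDn.
    if (!@ldap_bind($ldapConnection, $this->serviceBindDn, $this->serviceBindPassword)) return FALSE;
    $filter = '(&' . $filter . '(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=' . $this->requiredGroupDn . '))';
    $found = $this->getUserAttributes($login, $LDAP_ANONYMOUS, $filter, array("cn"));
    if (empty($found['count'])) return FALSE;
    $userDn = $found[0]['dn'];
}
// Binding as the user is what proves the password, in both modes
if (!@ldap_bind($ldapConnection, $userDn, $user_password)) return FALSE;
return $this->getUserAttributes($login, $LDAP_ANONYMOUS, $filter, $just_these)[0];
```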