Commit 2050f6d1a3a86c22f4fd5fe583dae432ad62c054

Authored by Etienne Pallier
1 parent 6e1638fb

mis à jour LDAP connexion

(pour autoriser une connexion authentifiée)
+ ajout d'une doc générale
doc/Labinvent Documentation.pdf 0 → 100644
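--- a/src/Controller/Component/LdapAuthComponent.php
+++ b/src/Controller/Component/LdapAuthComponent.php
@@ -11,6 +11,7 @@ class LdapAuthComponent extends AuthComponent
 public function connection()
 {
 try {
+// Get login and password entered by the current user (who is trying to connect)
 $login = $this->request->getData('ldap');
 $password = $this->request->getData('password');
 $resp = TableRegistry::get('LdapConnections')->ldapAuthentication($login, $password);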
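--- a/src/Model/Table/LdapConnectionsTable.php
+++ b/src/Model/Table/LdapConnectionsTable.php
@@ -187,16 +187,23 @@ class LdapConnectionsTable extends AppTable
 }
 
 // $userName = login
-public function getUserAttributes($userName)
+public function getUserAttributes($userName, $LDAP_ANONYMOUS=true, $filter='', $just_these=[])
 {
 try {
 
 if ($this->checkConfiguration()) {
 if ($this->USE_LDAP) {
+/*
 $ldapConnection = ldap_connect($this->host, $this->port);
 ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
-$results = ldap_search($ldapConnection, $this->baseDn, '(' . $this->authenticationType . '=' . $userName . ')');
-return ldap_get_entries($ldapConnection, $results);
+*/
+/* CRAL
+*/
+//$results = ldap_search($ldapConnection, $this->baseDn, $filter);
+$results = ldap_search($ldapConnection, $this->baseDn, $filter, $just_these) or die("Could not search to LDAP server response was: " . ldap_error($ldapconn) );
+$info = ldap_get_entries($ldapConnection, $results);
+//echo $info["count"]." entries returned\n";
+return $info;
 } else
 return array(
 $this->getFakeLdapUser($userName)
@@ -314,23 +321,58 @@ class LdapConnectionsTable extends AppTable
 ];
 }
 
-public function ldapAuthentication($login, $password)
+public function ldapAuthentication($login, $user_password)
 {
 try {
 if ($this->checkConfiguration()) {
 
+// We are using LDAP
 if ($this->USE_LDAP) {
-if (strlen(trim($password)) == 0)
-return FALSE;
+$LDAP_ANONYMOUS = true;
+
+// No connexion allowed without password
+if (strlen(trim($user_password)) == 0) return FALSE;
+
+// Set LDAP parameters
+// - Anonymous connection (IRAP, IAS, LATMOS)
+if ($LDAP_ANONYMOUS) {
+//$dn = "ou=users,dc=irap,dc=omp,dc=eu";
+//$dn = $this->baseDn;
+$binddn = $this->authenticationType . '=' . $login;
+$ldappass = $user_password;
+$filter = '('.$binddn.')';
+$just_these = array("cn");
+}
+// - Authentified connection (CRAL)
+else {
+//$dn = "dc=univ-lyon1,dc=fr";
+//$binddn="CN=svc_ldap_cral,OU=users,OU=27,OU=sim,OU=univ-lyon1,DC=univ-lyon1,DC=fr";
+//$binddn = "CN=svc_ldap_cral,OU=users,OU=27,OU=sim,OU=univ-lyon1,".$dn;
+$binddn = "CN=svc_ldap_cral,OU=users,OU=27,OU=sim,OU=univ-lyon1";
+$ldappass = "lemotdepasse";
+$filter = "(&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=cn=ucbl.osu.cral,ou=groups,ou=27,ou=sim,ou=univ-lyon1,dc=univ-lyon1,dc=fr))";
+//$just_these = array();
+$just_these = [];
+}
+$binddn .= ','.$this->baseDn;
+
+// Connection
 $ldapConnection = ldap_connect($this->host, $this->port);
-ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
-if (@ldap_bind($ldapConnection, $this->authenticationType . '=' . $login . ',' . $this->baseDn, $password)) {
-return $this->getUserAttributes($login)[0];
-/*
-* } else {
-* return false;
-*/
+if ($ldapConnection) {
+ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
+// Binding
+//if (@ldap_bind($ldapConnection, $this->authenticationType . '=' . $login . ',' . $this->baseDn, $password)) {
+$ldapbind = ldap_bind($ldapConnection, $binddn, $ldappass);
+if ($ldapbind) {
+return $this->getUserAttributes($login, $LDAP_ANONYMOUS, $filter, $just_these)[0];
+/*
+* } else {
+* return false;
+*/
+}
 }
+
+// We are not using LDAP (use FAKE LDAP instead)
 } else {
 $user = $this->getFakeLdapUser($login);
 // debug($user);
@@ -341,7 +383,7 @@ class LdapConnectionsTable extends AppTable
 // if ($user[$this->authenticationType][0] == "_NouvelUtilisateur_username" && $user['userpassword'][0] == "_NouvelUtilisateur_password") return $user;
 if ($user[$this->authenticationType][0] == $this->getTheFakeLdapUser()['login'] && $user['userpassword'][0] == $this->getTheFakeLdapUser()['pass'])
 return $user;
-if ((new DefaultPasswordHasher())->check($password, $user['userpassword'][0]))
+if ((new DefaultPasswordHasher())->check($user_password, $user['userpassword'][0]))
 return $user;
 // if ($user != false && $user['userpassword'][0] == $password) {
 }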
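Review bot: In getUserAttributes (first hunk, new lines 196-203) the ldap_connect/ldap_set_option lines are now inside a `/* */` comment, yet the live `ldap_search($ldapConnection, ...)` still uses `$ldapConnection`, which is therefore never assigned on this path, and the `die()` branch reads `$ldapconn`, which does not exist either, so the LDAP branch of this method cannot succeed after this commit. Since ldapAuthentication (second hunk) now binds as either the user or the CRAL service account before calling this method, the bound handle should presumably be reused rather than reopened: add a trailing parameter `public function getUserAttributes($userName, $LDAP_ANONYMOUS=true, $filter='', $just_these=[], $ldapConnection=null)`, pass it from the call site `return $this->getUserAttributes($login, $LDAP_ANONYMOUS, $filter, $just_these, $ldapConnection)[0];`, and use `ldap_error($ldapConnection)` in the die() message. In the ldapAuthentication hunk the CRAL branch embeds the service-account bind password as a string literal in source and the anonymous branch builds both the bind DN and the search filter from `$login` without escaping; the password belongs in the same configuration as host/port/baseDn, and `$login` should go through `ldap_escape($login, '', LDAP_ESCAPE_DN)` for the DN and `ldap_escape($login, '', LDAP_ESCAPE_FILTER)` for the filter so that a login containing `,`, `*` or `)` cannot alter the query. Both getUserAttributes and ldapAuthentication continue past the end of their hunks.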