Commit e24482e05f9564e5534f4dceb4f80b6762be3f98
1 parent
c062ad0c
Exists in
master
and in
2 other branches
ldap refactorisation (2)
Showing
3 changed files
with
215 additions
and
37 deletions
Show diff stats
README.md
... | ... | @@ -53,10 +53,12 @@ Logiciel testé et validé sur les configurations suivantes : |
53 | 53 | |
54 | 54 | VERSION ACTUELLE |
55 | 55 | |
56 | -Date: 14/02/2019 | |
57 | -Version: 2.10.14 | |
56 | +Date: 19/02/2019 | |
57 | +Version: 2.10.15 | |
58 | 58 | Author: EP |
59 | - (IRAP ONLY) LDAP refactorisation && optimisation (1) | |
59 | + (IRAP ONLY) LDAP refactorisation && optimisation (2) | |
60 | + - LDAP refactor pour ajouter mode LDAP authentifié | |
61 | + - Nouveau lien "What's New ?" en bas de page web (historique du projet) | |
60 | 62 | |
61 | 63 | IMPORTANT: |
62 | 64 | - Pour connaitre la version actuelle, taper "./VERSION" |
... | ... | @@ -86,7 +88,9 @@ Messages à copier/coller en cas de besoin : |
86 | 88 | |
87 | 89 | CHANGEMENTS IMPORTANTS (MILESTONES) |
88 | 90 | |
89 | -Liste complète des évolutions: https://gitlab.irap.omp.eu/epallier/labinvent/commits/master | |
91 | +(Liste complète des évolutions: https://gitlab.irap.omp.eu/epallier/labinvent/commits/master) | |
92 | + | |
93 | +La liste ci-dessous n'est plus à jour, elle est désormais en ligne ici : https://tinyurl.com/labinvent#heading=h.2r55bflctpt5 | |
90 | 94 | |
91 | 95 | ----------------------------------------------------------------------------------------------------------- |
92 | 96 | 23/01/2019 Version: 2.10.1, 2, 3, 4, et 6 (EP) | ... | ... |
src/Model/Table/LdapConnectionsTable.php
1 | 1 | <?php |
2 | 2 | namespace App\Model\Table; |
3 | 3 | |
4 | +/* TODO LIST | |
5 | + * | |
6 | +- 1) remplacer ldapAuthentication() par ldapAuthenticationNEW() | |
7 | +- 2) virer getUserAttributes() à virer, remplacé par getLdap1UserOrAllUsersAttributes() | |
8 | +- 3) getAllLdapUsersNEW() pour remplacer getAllLdapUsers() | |
9 | +- TableRegistry::get() à remplacer par TableRegistry::getTableLocator()->get() | |
10 | + * | |
11 | + */ | |
12 | + | |
13 | + | |
14 | + | |
15 | + | |
4 | 16 | use Cake\ORM\Table; |
5 | 17 | use Cake\ORM\TableRegistry; |
6 | 18 | use Cake\Auth\DefaultPasswordHasher; |
... | ... | @@ -57,7 +69,7 @@ class LdapConnectionsTable extends AppTable |
57 | 69 | |
58 | 70 | private function buildFakeLdapUsersFromDB() |
59 | 71 | { |
60 | - $users = TableRegistry::get('Users')->find(); | |
72 | + $users = TableRegistry::getTableLocator()->get('Users')->find(); | |
61 | 73 | |
62 | 74 | $ldapUsers = []; |
63 | 75 | |
... | ... | @@ -233,22 +245,75 @@ class LdapConnectionsTable extends AppTable |
233 | 245 | } |
234 | 246 | return $res; |
235 | 247 | } |
236 | - } catch (Exception $e) {} | |
248 | + } | |
249 | + catch (Exception $e) {} | |
250 | + | |
237 | 251 | return false; |
238 | 252 | } |
253 | + | |
254 | + /** | |
255 | + * @return $users_fetched or FALSE | |
256 | + */ | |
257 | + // REAL or FAKE LDAP | |
258 | + public function getAllLdapUsersNEW() | |
259 | + { | |
260 | + try { | |
261 | + if ($this->checkConfiguration()) { | |
262 | + | |
263 | + // REAL LDAP | |
264 | + if ($this->LDAP_USED) { | |
265 | + | |
266 | + // 1) Search users in CACHE (DB) | |
267 | + $users_fetched = $this->fetchAllUsersFromDB(); | |
268 | + | |
269 | + // 2) Not found in CACHE, so search users in LDAP | |
270 | + if ($users_fetched === FALSE) { | |
271 | + $users_fetched = $this->searchLdap($this->filter, []); | |
272 | + // CACHE the new user in DB for next time | |
273 | + if ($users_fetched != FALSE) $this->saveAllUsersInDB($users_fetched); | |
274 | + } | |
275 | + /* | |
276 | + $ldapConnection = ldap_connect($this->host, $this->port); | |
277 | + ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3); | |
278 | + | |
279 | + // Binding optionnel | |
280 | + if ($this->ldap_authentified) $ldapbind = ldap_bind($ldapConnection, $this->bindDn, $this->bindPass) | |
281 | + or die("Could not bind to LDAP server.". ldap_error($ldapConnection) ); | |
282 | + | |
283 | + $results = ldap_search($ldapConnection, $this->baseDn, $this->filter); | |
284 | + | |
285 | + $res = ldap_get_entries($ldapConnection, $results); | |
286 | + */ | |
287 | + } | |
288 | + | |
289 | + // FAKE LDAP | |
290 | + else { | |
291 | + $users_fetched = $this->fakeLDAPUsers; | |
292 | + } | |
293 | + | |
294 | + // Noter que $user_fetched peut etre egal a FALSE (si rien trouvé) | |
295 | + return $users_fetched; | |
296 | + } | |
297 | + } | |
298 | + catch (Exception $e) {} | |
299 | + | |
300 | + // Pb, rien trouvé | |
301 | + return FALSE; | |
302 | + } | |
303 | + | |
239 | 304 | |
240 | 305 | |
241 | 306 | |
242 | 307 | // TODO: avirer, VIEUX CODE, à remplacer par getLdap1UserOrAllUsersAttributes() |
243 | 308 | // $userName = login |
244 | - public function getUserAttributes($userName) | |
309 | + public function getUserAttributes($ldapConnection, $userName) | |
245 | 310 | { |
246 | 311 | try { |
247 | 312 | |
248 | 313 | if ($this->checkConfiguration()) { |
249 | 314 | if ($this->LDAP_USED) { |
250 | - $ldapConnection = ldap_connect($this->host, $this->port); | |
251 | - ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3); | |
315 | + //$ldapConnection = ldap_connect($this->host, $this->port); | |
316 | + //ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3); | |
252 | 317 | $results = ldap_search($ldapConnection, $this->baseDn, '(' . $this->authenticationType . '=' . $userName . ')'); |
253 | 318 | return ldap_get_entries($ldapConnection, $results); |
254 | 319 | } else |
... | ... | @@ -441,7 +506,6 @@ class LdapConnectionsTable extends AppTable |
441 | 506 | |
442 | 507 | /** |
443 | 508 | * Return size of list users |
444 | - */ | |
445 | 509 | public function getNbUsers() |
446 | 510 | { |
447 | 511 | $u = $this->getAllLdapUsers(); |
... | ... | @@ -453,6 +517,7 @@ class LdapConnectionsTable extends AppTable |
453 | 517 | } |
454 | 518 | return $nbUsers; |
455 | 519 | } |
520 | + */ | |
456 | 521 | |
457 | 522 | // Utilisateur du ldap qui n'est pas dans la table utilisateurs |
458 | 523 | // => il a donc le role "Utilisateur" PAR DEFAUT |
... | ... | @@ -476,9 +541,29 @@ class LdapConnectionsTable extends AppTable |
476 | 541 | } |
477 | 542 | |
478 | 543 | |
544 | + | |
545 | + /* | |
546 | + CALL | |
547 | + | |
548 | + $filter = "(&".$this->filter."(".$this->authenticationType . '=' . $user_login."))"; | |
549 | + //TODO: optimisation, refactoriser si comportement général | |
550 | + //$binddn .= ','.$this->baseDn; | |
551 | + $user_fetched = $this->searchLdap($filter, $just_these, $user_login, $user_password); | |
552 | + */ | |
553 | + | |
554 | + | |
555 | + | |
479 | 556 | // REAL LDAP only |
480 | 557 | private function searchLdap($filter, $just_these, $user_login=NULL, $user_password=NULL) { |
481 | 558 | |
559 | + /* | |
560 | + * OLD CODE QUI MARCHE | |
561 | + $ldapConnection = ldap_connect($this->host, $this->port); | |
562 | + ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3); | |
563 | + if (@ldap_bind($ldapConnection, $this->authenticationType . '=' . $user_login . ',' . $this->baseDn, $user_password)) | |
564 | + return $this->getUserAttributes($user_login)[0]; | |
565 | + */ | |
566 | + | |
482 | 567 | // CONNEXION |
483 | 568 | $ldapConnection = ldap_connect($this->host, $this->port) |
484 | 569 | or die("Could not connect to $this->host (port $this->port)"); |
... | ... | @@ -491,31 +576,33 @@ class LdapConnectionsTable extends AppTable |
491 | 576 | // BINDING |
492 | 577 | |
493 | 578 | // - Authentified |
494 | - if ($this->ldap_authentified) | |
495 | - $ldapbind = ldap_bind($ldapConnection, $this->bindDn, $this->bindPass); | |
579 | + if ($this->ldap_authentified) $ldapbind = ldap_bind($ldapConnection, $this->bindDn, $this->bindPass); | |
496 | 580 | // or die("Could not bind to LDAP server.". ldap_error($ldapConnection) ); |
497 | 581 | |
498 | - // - Anonymous | |
499 | - // En cas de LDAP anonyme, binding quand même pour vérifier le mot de passe de l'utilisateur. | |
500 | - // Sans cette ligne, on passe avec n'importe quel password !!! | |
501 | - else { | |
582 | + // - Anonymous | |
583 | + // En cas de LDAP anonyme, binding quand même pour vérifier le mot de passe de l'utilisateur. | |
584 | + // Sans cette ligne, on passe avec n'importe quel password !!! | |
585 | + else { | |
502 | 586 | $ldapbind = TRUE; |
503 | 587 | // function ldap_bind ($link_identifier, $bind_rdn = null, $bind_password = null) |
504 | 588 | //debug("log, pass= " . $user_login . ' ' . $user_password); |
505 | 589 | //if ($user_login && $user_password) $ldapbind = ldap_bind($ldapConnection, $this->authenticationType.'='.$user_login, $user_password); |
506 | - if ($user_login && $user_password) | |
507 | - $ldapbind = ldap_bind($ldapConnection, $this->authenticationType . '=' . $user_login . ',' . $this->baseDn, $user_password); | |
590 | + if ($user_login && $user_password) $ldapbind = ldap_bind($ldapConnection, $this->authenticationType . '=' . $user_login . ',' . $this->baseDn, $user_password); | |
508 | 591 | //debug("ldapbind " . $ldapbind); |
509 | - } | |
592 | + } | |
510 | 593 | |
511 | - // SEARCH | |
512 | - if ($ldapbind) { | |
513 | - //$search = $this->getLdapUserAttributes($ldapConnection, $filter, $just_these, $user_login); | |
514 | - $search = $this->getLdap1UserOrAllUsersAttributes($ldapConnection, $filter, $just_these); | |
515 | - if ($search === FALSE) die("Could not get user attributes from LDAP server, response was: " . ldap_error($ldapConnection) ); | |
516 | - //return $search[0]; | |
517 | - return $search; | |
518 | - } | |
594 | + // SEARCH | |
595 | + if ($ldapbind) { | |
596 | + | |
597 | + // OLD | |
598 | + $search = $this->getUserAttributes($ldapConnection, $user_login); | |
599 | + // NEW | |
600 | + //$search = $this->getLdap1UserOrAllUsersAttributes($ldapConnection, $filter, $just_these); | |
601 | + | |
602 | + if ($search === FALSE) die("Could not get user attributes from LDAP server, response was: " . ldap_error($ldapConnection) ); | |
603 | + //return $search[0]; | |
604 | + return $search; | |
605 | + } | |
519 | 606 | |
520 | 607 | } |
521 | 608 | |
... | ... | @@ -526,14 +613,14 @@ class LdapConnectionsTable extends AppTable |
526 | 613 | |
527 | 614 | |
528 | 615 | |
529 | - | |
530 | 616 | // REAL LDAP only |
617 | + /* | |
531 | 618 | private function checkAndFetchUserFromLdap($user_login, $user_password) { |
532 | 619 | // Set LDAP parameters |
533 | 620 | // - Liste des attributs à récupérer dans le ldap (vide = TOUS les attributs) |
534 | 621 | $just_these = []; |
535 | 622 | // TODO: vérifier si cette ligne est bien utile ou pas... (avant on faisait ça) |
536 | - if (! $this->ldap_authentified) $just_these = array("cn"); | |
623 | + //if (! $this->ldap_authentified) $just_these = array("cn"); | |
537 | 624 | |
538 | 625 | /* Examples : |
539 | 626 | * |
... | ... | @@ -547,7 +634,7 @@ class LdapConnectionsTable extends AppTable |
547 | 634 | * $binddn="CN=svc_ldap_cral,OU=users,OU=27,OU=sim,OU=univ-lyon1,DC=univ-lyon1,DC=fr"; |
548 | 635 | * ($binddn = "CN=svc_ldap_cral,OU=users,OU=27,OU=sim,OU=univ-lyon1,".$this->baseDn;) |
549 | 636 | * $filter = "(&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=cn=ucbl.osu.cral,ou=groups,ou=27,ou=sim,ou=univ-lyon1,dc=univ-lyon1,dc=fr))"; |
550 | - */ | |
637 | + STAR/ | |
551 | 638 | // Construction du filtre avec le filtre de la base de données avec un & sur le login de l'utilisateur |
552 | 639 | // Si aucun filtre n'est défini dans la base de données on aura juste (& ($this->authenticationType=$user_login)) |
553 | 640 | // ex: "(&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=cn=ucbl.osu.cral,ou=groups,ou=27,ou=sim,ou=univ-lyon1,dc=univ-lyon1,dc=fr)(sAMAccountName=$user_login))"; |
... | ... | @@ -585,11 +672,12 @@ class LdapConnectionsTable extends AppTable |
585 | 672 | } |
586 | 673 | |
587 | 674 | } |
588 | - */ | |
675 | + STAR/ | |
589 | 676 | |
590 | 677 | // Il y a eu un pb, utilisateur non reconnu |
591 | 678 | return FALSE; |
592 | 679 | } |
680 | + */ | |
593 | 681 | |
594 | 682 | |
595 | 683 | // TODO: implement |
... | ... | @@ -606,10 +694,10 @@ class LdapConnectionsTable extends AppTable |
606 | 694 | * @param string $user_password |
607 | 695 | * @return logged user LDAP attributes or FALSE if user not found in LDAP |
608 | 696 | */ |
609 | - public function ldapAuthentication($user_login, $user_password) { | |
697 | + /* | |
698 | + public function ldapAuthenticationOLD($user_login, $user_password) { | |
610 | 699 | try { |
611 | 700 | if ($this->checkConfiguration()) { |
612 | - | |
613 | 701 | if ($this->LDAP_USED) { |
614 | 702 | if (strlen(trim($user_password)) == 0) |
615 | 703 | return FALSE; |
... | ... | @@ -617,10 +705,10 @@ class LdapConnectionsTable extends AppTable |
617 | 705 | ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3); |
618 | 706 | if (@ldap_bind($ldapConnection, $this->authenticationType . '=' . $user_login . ',' . $this->baseDn, $user_password)) { |
619 | 707 | return $this->getUserAttributes($user_login)[0]; |
620 | - /* | |
708 | + /STAR | |
621 | 709 | * } else { |
622 | 710 | * return false; |
623 | - */ | |
711 | + STAR/ | |
624 | 712 | } |
625 | 713 | } else { |
626 | 714 | $user = $this->getFakeLdapUser($user_login); |
... | ... | @@ -640,11 +728,97 @@ class LdapConnectionsTable extends AppTable |
640 | 728 | } catch (Exception $e) { |
641 | 729 | //echo 'Exception LDAP : ', $e->getMessage(), "\n"; |
642 | 730 | } |
643 | - | |
644 | 731 | // Il y a eu un problème, l'utilisateur n'est pas reconnu |
645 | 732 | return FALSE; |
646 | 733 | } // end ldapAuthentication() |
734 | + */ | |
647 | 735 | |
736 | + /* | |
737 | + * @param string $user_login | |
738 | + * @param string $user_password | |
739 | + * @return logged user LDAP attributes or FALSE if user not found in LDAP | |
740 | + */ | |
741 | + public function ldapAuthentication($user_login, $user_password) { | |
742 | + | |
743 | + try { | |
744 | + if ($this->checkConfiguration()) { | |
745 | + | |
746 | + // REAL LDAP | |
747 | + if ($this->LDAP_USED) { | |
748 | + | |
749 | + // No connexion allowed without password | |
750 | + if (strlen(trim($user_password)) == 0) return FALSE; | |
751 | + | |
752 | + /* | |
753 | + // VIEUX CODE QUI MARCHE !!! | |
754 | + $ldapConnection = ldap_connect($this->host, $this->port); | |
755 | + ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3); | |
756 | + if (@ldap_bind($ldapConnection, $this->authenticationType . '=' . $user_login . ',' . $this->baseDn, $user_password)) { | |
757 | + return $this->getUserAttributes($user_login)[0]; | |
758 | + /STAR | |
759 | + * } else { | |
760 | + * return false; | |
761 | + STAR/ | |
762 | + } | |
763 | + */ | |
764 | + | |
765 | + // TODO: optimisation possible | |
766 | + // 1) Search user in CACHE (DB) | |
767 | + $user_fetched = $this->checkAndFetchUserFromDB($user_login, $user_password); | |
768 | + // 2) If not CACHED, search user in LDAP | |
769 | + if ($user_fetched === FALSE) { | |
770 | + | |
771 | + //$user_fetched = $this->checkAndFetchUserFromLdap($user_login, $user_password); | |
772 | + | |
773 | + $just_these = []; | |
774 | + // TODO: vérifier si cette ligne est bien utile ou pas... (avant on faisait ça) | |
775 | + //if (! $this->ldap_authentified) $just_these = array("cn"); | |
776 | + // Construction du filtre avec le filtre de la base de données avec un & sur le login de l'utilisateur | |
777 | + // Si aucun filtre n'est défini dans la base de données on aura juste (& ($this->authenticationType=$user_login)) | |
778 | + // ex: "(&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=cn=ucbl.osu.cral,ou=groups,ou=27,ou=sim,ou=univ-lyon1,dc=univ-lyon1,dc=fr)(sAMAccountName=$user_login))"; | |
779 | + $filter = "(&".$this->filter."(".$this->authenticationType . '=' . $user_login."))"; | |
780 | + //TODO: optimisation, refactoriser si comportement général | |
781 | + //$binddn .= ','.$this->baseDn; | |
782 | + $user_fetched = $this->searchLdap($filter, $just_these, $user_login, $user_password); | |
783 | + // CACHE the new user in DB for next time | |
784 | + if ($user_fetched != FALSE) { | |
785 | + $this->saveNewUserInDB($user_fetched[0]); | |
786 | + return $user_fetched[0]; | |
787 | + } | |
788 | + } | |
789 | + //return $user_fetched; // Noter que $user_fetched peut etre egal a FALSE (si pas trouvé) | |
790 | + } | |
791 | + | |
792 | + // FAKE LDAP | |
793 | + else { | |
794 | + //debug($this->USE_LDAP); | |
795 | + //debug($this->baseDn); | |
796 | + $user = $this->getFakeLdapUser($user_login); | |
797 | + // debug($user); | |
798 | + if ($user === false) | |
799 | + return FALSE; | |
800 | + // $this->authenticationType peut valoir "uid" ou "cn"... (par défaut "uid" pour le fake ldap, à confirmer...) | |
801 | + // if ($user['uid'][0] == "_NouvelUtilisateur_username" && $user['userpassword'][0] == "_NouvelUtilisateur_password") return $user; | |
802 | + // if ($user[$this->authenticationType][0] == "_NouvelUtilisateur_username" && $user['userpassword'][0] == "_NouvelUtilisateur_password") return $user; | |
803 | + if ($user[$this->authenticationType][0] == $this->getTheFakeLdapUser()['login'] && $user['userpassword'][0] == $this->getTheFakeLdapUser()['pass']) | |
804 | + return $user; | |
805 | + if ( (new DefaultPasswordHasher())->check($user_password,$user['userpassword'][0]) ) | |
806 | + return $user; | |
807 | + // if ($user != false && $user['userpassword'][0] == $password) { | |
808 | + } | |
809 | + | |
810 | + } | |
811 | + | |
812 | + } catch (Exception $e) { | |
813 | + //echo 'Exception LDAP : ', $e->getMessage(), "\n"; | |
814 | + } | |
815 | + // Il y a eu un problème, l'utilisateur n'est pas reconnu | |
816 | + return FALSE; | |
817 | + | |
818 | + } // end ldapAuthentication() | |
819 | + | |
820 | + | |
821 | + | |
648 | 822 | |
649 | 823 | |
650 | 824 | } | ... | ... |
src/Template/Layout/default.ctp
... | ... | @@ -110,7 +110,7 @@ $cakeDescription = 'Labinvent 2'; |
110 | 110 | <?php |
111 | 111 | echo ' |
112 | 112 | <p> |
113 | - (<a href="https://projects.irap.omp.eu/projects/inventirap/activity">Activité récente sur le projet</a>) | |
113 | + <a href="https://tinyurl.com/labinvent#heading=h.2r55bflctpt5">WHAT\'s NEW ?</a> | |
114 | 114 |   |
115 | 115 | (<a href="https://projects.irap.omp.eu/projects/inventirap/roadmap?tracker_ids[]=1&tracker_ids[]=2&tracker_ids[]=4&tracker_ids[]=5&tracker_ids[]=6&tracker_ids[]=7&tracker_ids[]=8&tracker_ids[]=9#version_2.04_-_Impl%C3%A9mentation_des_ACL_%28droits%29">ROADMAP : Activité restant à réaliser</a>) |
116 | 116 | </p> | ... | ... |