Diffstat (limited to 'plugins/Ldap')
-rw-r--r-- | plugins/Ldap/LdapPlugin.php | 53 | ||||
-rw-r--r-- | plugins/Ldap/README | 7 | ||||
-rw-r--r-- | plugins/Ldap/ldap.php | 34 |
3 files changed, 78 insertions, 16 deletions
diff --git a/plugins/Ldap/LdapPlugin.php b/plugins/Ldap/LdapPlugin.php
index ec2b7977d..755562f54 100644
--- a/plugins/Ldap/LdapPlugin.php
+++ b/plugins/Ldap/LdapPlugin.php
@@ -46,7 +46,60 @@ class LdapPlugin extends Plugin { if(ldap_check_password($nickname, $password)){ $authenticated = true; + //stop handling of other events, because we have an answer return false; } + if(common_config('ldap','authoritative')){ + //a false return stops handler processing + return false; + } + } + + function onAutoRegister($nickname) + { + $user = User::staticGet('nickname', $nickname); + if (! is_null($user) && $user !== false) { + common_log(LOG_WARNING, "An attempt was made to autoregister an existing user with nickname: $nickname"); + return; + } + + $attributes=array(); + $config_attributes = array('nickname','email','fullname','homepage','location'); + foreach($config_attributes as $config_attribute){ + $value = common_config('ldap', $config_attribute.'_attribute'); + if($value!==false){ + array_push($attributes,$value); + } + } + $entry = ldap_get_user($nickname,$attributes); + if($entry){ + $registration_data = array(); + foreach($config_attributes as $config_attribute){ + $value = common_config('ldap', $config_attribute.'_attribute'); + if($value!==false){ + if($config_attribute=='email'){ + $registration_data[$config_attribute]=common_canonical_email($entry->getValue($value,'single')); + }else if($config_attribute=='nickname'){ + $registration_data[$config_attribute]=common_canonical_nickname($entry->getValue($value,'single')); + }else{ + $registration_data[$config_attribute]=$entry->getValue($value,'single'); + } + } + } + //set the database saved password to a random string. + $registration_data['password']=common_good_rand(16); + $user = User::register($registration_data); + //prevent other handlers from running, as we have registered the user + return false; + } + } + + function onChangePassword($nickname,$oldpassword,$newpassword,&$errormsg) + { + //TODO implement this + $errormsg = _('Sorry, changing LDAP passwords is not supported at this time'); + + //return false, indicating that the event has been handled + return false; } } 
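Review bot: `$user = User::register($registration_data);` in onAutoRegister discards the result and then returns false unconditionally, so a registration that fails (for instance a nickname or e-mail already taken locally) still stops the other handlers and the caller carries on as if the account now exists. Check the result before claiming the event handled, e.g. `if ($user) { return false; }`, and log the failure branch with `common_log(LOG_WARNING, ...)` so a stuck auto-registration is visible in the logs. Related: the existing-user check at the top compares the `$nickname` argument, while the account is created under `common_canonical_nickname($entry->getValue($value,'single'))`; when those differ the duplicate check can pass and the collision only surfaces inside User::register, which is another reason to look at its return value. In the authoritative branch of onCheckPassword, `$authenticated` is left untouched on a failed check; that is fine only if the caller initialises it to false, which is worth stating in a comment. The signature of onCheckPassword lies outside the hunk.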
diff --git a/plugins/Ldap/README b/plugins/Ldap/README index 8a5095a5d..617738e0b 100644 --- a/plugins/Ldap/README +++ b/plugins/Ldap/README @@ -11,6 +11,13 @@ $config['ldap']['basedn'] $config['ldap']['host'] $config['ldap']['nickname_attribute'] Set this to the name of the ldap attribute that holds the username. For example, on Microsoft's Active Directory, this should be set to 'sAMAccountName' +$config['ldap']['nickname_email'] Set this to the name of the ldap attribute that holds the user's email address. For example, on Microsoft's Active Directory, this should be set to 'mail' +$config['ldap']['nickname_fullname'] Set this to the name of the ldap attribute that holds the user's full name. For example, on Microsoft's Active Directory, this should be set to 'displayName' +$config['ldap']['nickname_homepage'] Set this to the name of the ldap attribute that holds the the url of the user's home page. +$config['ldap']['nickname_location'] Set this to the name of the ldap attribute that holds the user's location. + +$config['ldap']['authoritative'] Set to true if LDAP's responses are authoritative (meaning if LDAP fails, do check the any other plugins or the internal password database) +$config['ldap']['autoregister'] Set to true if users should be automatically created when they attempt to login Finally, add "addPlugin('ldap');" to the bottom of your config.php diff --git a/plugins/Ldap/ldap.php b/plugins/Ldap/ldap.php index fcb84610a..d92a058fb 100644 --- a/plugins/Ldap/ldap.php +++ b/plugins/Ldap/ldap.php 
@@ -38,19 +38,20 @@ function ldap_get_config(){ function ldap_get_connection($config = null){ if($config == null){ - static $ldap = null; - if($ldap!=null){ - return $ldap; - } $config = ldap_get_config(); } - $ldap = Net_LDAP2::connect($config); - if (PEAR::isError($ldap)) { - common_log(LOG_WARNING, 'Could not connect to LDAP server: '.$ldap->getMessage()); + + //cannot use Net_LDAP2::connect() as StatusNet uses + //PEAR::setErrorHandling(PEAR_ERROR_CALLBACK, 'handleError'); + //PEAR handling can be overridden on instance objects, so we do that. + $ldap = new Net_LDAP2($config); + $ldap->setErrorHandling(PEAR_ERROR_RETURN); + $err=$ldap->bind(); + if (Net_LDAP2::isError($err)) { + common_log(LOG_WARNING, 'Could not connect to LDAP server: '.$err->getMessage()); return false; - }else{ - return $ldap; } + return $ldap; } function ldap_check_password($username, $password){ @@ -58,12 +59,12 @@ function ldap_check_password($username, $password){ if(!$ldap){ return false; } - $dn = ldap_get_user_dn($username); - if(!$dn){ + $entry = ldap_get_user($username); + if(!$entry){ return false; }else{ $config = ldap_get_config(); - $config['binddn']=$dn; + $config['binddn']=$entry->dn(); $config['bindpw']=$password; if(ldap_get_connection($config)){ return true; @@ -74,17 +75,18 @@ function ldap_check_password($username, $password){ } /** - * get an LDAP user's DN given the user's username + * get an LDAP entry for a user with a given username * * @param string $username + * $param array $attributes LDAP attributes to retrieve * @return string DN */ -function ldap_get_user_dn($username){ +function ldap_get_user($username,$attributes=array()){ $ldap = ldap_get_connection(); $filter = Net_LDAP2_Filter::create(common_config('ldap','nickname_attribute'), 'equals', $username); $options = array( 'scope' => 'sub', - 'attributes' => array() + 'attributes' => $attributes ); $search = $ldap->search(null,$filter,$options); 
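Review bot: `if($config == null)` in ldap_get_connection is a loose comparison, so an empty array passed as `$config` counts as "no config" and is silently replaced by ldap_get_config(); `if ($config === null)` expresses the intent exactly. Removing the `static $ldap` cache also means every call now opens a fresh Net_LDAP2 connection and binds with the configured credentials; from the other hunks it looks like a single ldap_check_password call does this for its own connection, again inside ldap_get_user, and a third time for the user-credential bind. If that is intended, say so on the function, e.g. `// No connection cache: each call connects and binds anew.`, otherwise the cache could be kept for the no-argument case only. The body of ldap_get_config() is outside the hunk.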
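Review bot: ldap_check_password sets `$config['bindpw']=$password` and treats a successful bind as proof of the password, but it never rejects an empty password; a bind with a DN and empty credentials is an unauthenticated bind that several directory servers accept, so the check would pass without the user knowing the password. Add a guard ahead of the lookup, `if ($password === '' || $password === null) { return false; }`, unless the caller is known to enforce a non-empty password. Because the user bind now goes through ldap_get_connection(), every wrong password is also logged as `Could not connect to LDAP server`, which makes failed logins look like an outage; logging the authentication failure separately at this function's `return false` branch would keep the two apart. The function's first statement, between the two hunks, is outside this hunk.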
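Review bot: The docblock of ldap_get_user is wrong in two places after the rename: `$param array $attributes LDAP attributes to retrieve` should start with `@param` (the `$` typo hides it from doc tools), and `@return string DN` is stale now that the function returns the entry object, so it should read `@return Net_LDAP2_Entry|false the matching entry, or false when none or several match`. The summary line could also say that `$attributes` is passed straight to the search options. The search-result handling of ldap_get_user continues in the next hunk.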
@@ -97,7 +99,7 @@ function ldap_get_user_dn($username){ return false; }else if($search->count()==1){ $entry = $search->shiftEntry(); - return $entry->dn(); + return $entry; }else{ common_log(LOG_WARNING, 'Found ' . $search->count() . ' ldap user with the username: ' . $username); return false; |