Made groups work on OpenDirectory (Apple's OpenLDAP shipped with OS X Server),

which is like standard POSIX. Existing AD group support should also still work (but has not been tested as I don't have a working AD setup). Added support for the group check to the login code (which was still missing) Improved the user experience by only dumping a newly created user on the profile page when the e-mail address was missing.

Made groups work on OpenDirectory (Apple's OpenLDAP shipped with OS X Server),
which is like standard POSIX. Existing AD group support should also still work (but has not been tested as I don't have a working AD setup). Added support for the group check to the login code (which was still missing) Improved the user experience by only dumping a newly created user on the profile page when the e-mail address was missing.
Frederik Lindenaar
1 parent b6323e66
Showing 3 changed files with 36 additions and 45 deletions
admin/configuration.php
class.ldap.php
main.inc.php
@@ -53,7 +53,7 @@ if (isset($_POST[&#39;check_ldap&#39;])){
 	$error=$me->check_ldap();
 	if($error==1 && $username) {
 		if ($me->ldap_bind_as($username,$_POST['PASSWORD'])){
-			if($me->check_ldap_group_membership($username,$me->config['ld_group'])){
+			if($me->check_ldap_group_membership($username,$_POST['USERNAME'])){
 	                        $template->assign('LD_CHECK_LDAP','<p style="color:green;">Configuration LDAP OK : '.$username.'</p>');
 			} else {
 				$template->assign('LD_CHECK_LDAP','<p style="color:orange;">Credentials OK, Check GroupMembership for: '.$username.'</p>');
@@ -125,11 +125,6 @@ class Ldap {
                 return ldap_err2str(ldap_errno($this->cnx));
         }
-	// return the name ldap understand
-	public function ldap_name($name){
-		return $this->config['ld_attr'].'='.$name.','.$this->config['basedn'];
-	}
-	
 	// authentication public
 	public function ldap_bind_as($user,$user_passwd){
 		$this->write_log("[function]> ldap_bind_as");
@@ -152,18 +147,20 @@ class Ldap {
 		return false;
 	}
-	public function ldap_mail($name){
-		//echo $this->cnx;
-		//echo $this->ldap_name($name);
-		$sr=@ldap_read($this->cnx, $this->ldap_name($name), "(objectclass=*)", array('mail'));
+	public function ldap_get_email($user_dn){
+		$sr=@ldap_read($this->cnx, $user_dn, "(objectclass=*)", array('mail'));
 		$entry = @ldap_get_entries($this->cnx, $sr);
 		if (!empty($entry[0]['mail'])) {
 			return $entry[0]['mail'][0];
-			}
-		return False;
+		}
+		return null;
 	}
+	public function ldap_get_user_email($username) {
+		return $this->ldap_email($this->ldap_get_dn($username));
+	}
+
 	// return userdn (and username) for authentication
 	public function ldap_search_dn($value_to_search){
 		$this->write_log("[function]> ldap_search_dn(".$value_to_search.")");
@@ -205,8 +202,9 @@ class Ldap {
 	}
 	// look for LDAP group membership
-	public function check_ldap_group_membership($user_dn,$group_dn){
-		$this->write_log("[function]> check_ldap_group_membership(".$user_dn."   ,   ".$group_dn.")");
+	public function check_ldap_group_membership($user_dn, $user_login){
+		$group_dn = $this->config['ld_group'];
+		$this->write_log("[function]> check_ldap_group_membership('$user_dn', '$group_dn', '$user_login')");
 		//if no group specified return true
 		if(!$group_dn){
 			return true;	
@@ -219,22 +217,17 @@ class Ldap {
                         $this->write_log("[check_ldap_group_membership]> Cannot bind to server!");
                         return false;
                 }
-		// search for all memberOf-attributes for a given user_dn
-		$this->write_log("[check_ldap_group_membership]> @ldap_search(\$this->cnx,\"".$user_dn."\",\"(objectClass=*)\", array(\"memberOf\"),0,1)");
-		if($search = @ldap_search($this->cnx, $user_dn, "(objectClass=*)", array("memberOf"),0,1)){
+		// search for all member and memberUid attributes for a group_dn
+		$search_filter = "(|(&(objectClass=posixGroup)(memberUid=$user_login))(&(objectClass=group)(member=$user_dn)))";
+		$this->write_log("[check_ldap_group_membership]> @ldap_search(\$this->cnx,'$group_dn', '$search_filter', array('memberOf'),0,1)");
+		if($search = @ldap_search($this->cnx, $group_dn, $search_filter, array("dn"),0,1)){
 			$entry = @ldap_get_entries($this->cnx, $search);
-			//check if there are memberof-attributes
-			if(isset($entry[0]["memberof"])){
-				$this->write_log("[check_ldap_group_membership]> Found ". $entry[0]["memberof"]["count"] ." memberOf-attributes");
-       		        	for($i=0; $i < $entry["0"]["memberof"]["count"]; $i++){
-        	        	        $this->write_log("[check_ldap_group_membership]> checking: ". $entry["0"]["memberof"][$i]);
-					if(strcmp($group_dn,$entry["0"]["memberof"][$i]) == 0){
-						$this->write_log("[check_ldap_group_membership]> Match found for \"". $group_dn ."\" AND \"".$entry["0"]["memberof"][$i]."\"");
-						return true;
-					}
-				}
+			//check if there are dn-attributes
+			if (!empty($entry[0]["dn"])) {
+				$this->write_log("[check_ldap_group_membership]> match found: ".$entry[0]["dn"]);
+				return true;
 			} else {
-				$this->write_log("[check_ldap_group_membership]> No groups found for given user, check on ldap side");
+				$this->write_log("[check_ldap_group_membership]> no group membership for user found for given group and user, check on ldap side");
 			}
 		} else {
 			$this->write_log("[check_ldap_group_membership]> ldap_search NOT successfull: " .$this->getErrorString());
@@ -61,10 +61,13 @@ function login($success, $username, $password, $remember_me){
 	$obj->load_config();
 	$obj->ldap_conn() or die("Unable to connect LDAP server : ".$ldap->getErrorString());
-	//if (!$obj->ldap_bind_as($username,$password)){ // bind with userdn
-	if (!$obj->ldap_search_dn($username) || !$obj->ldap_bind_as($obj->ldap_search_dn($username),$password)){ // bind with userdn
+	$user_dn = $obj->ldap_search_dn($username);	// retrieve the userdn
+
+	// If we have userdn, attempt to login an check user's group access
+	if (!($user_dn && !$obj->ldap_bind_as($user_dn,$password) &&
+		check_ldap_group_membership($user_dn, $username))) {
 		trigger_notify('login_failure', stripslashes($username));
-		return false; // wrong password
+		return false; // wrong user/password or no group access
 	}
 	// search user in piwigo database
@@ -84,24 +87,19 @@ function login($success, $username, $password, $remember_me){
 		// this is where we check we are allowed to create new users upon that.
 		if ($obj->config['allow_newusers']) {
-			// we got the email address
-			if ($obj->ldap_mail($username)) {
-				$mail = $obj->ldap_mail($username);
-			}
-			else {
-				$mail = NULL;
-			}
-			
-			// we actually register the new user
+			// retrieve LDAP e-mail address and create a new user
+			$mail = $obj->ldap_get_email($user_dn);
 			$new_id = register_user($username,random_password(8),$mail);
-                        
-			// now we fetch again his id in the piwigo db, and we get them, as we just created him !
-			//$query = 'SELECT '.$conf['user_fields']['id'].' AS id FROM '.USERS_TABLE.' WHERE '.$conf['user_fields']['username'].' = \''.pwg_db_real_escape_string($username).'\' ;';
-			//$row = pwg_db_fetch_assoc(pwg_query($query));
+			// Login user
 			log_user($new_id, False);
 			trigger_notify('login_success', stripslashes($username));
-			redirect('profile.php');
+
+			// in case the e-mail address is empty, redirect to profile page
+			if($mail==NULL) {
+				redirect('profile.php');
+			}
+
 			return true;
 		}
 		// else : this is the normal behavior ! user is not created.