03-26-2015, 11:21 AM
Hi All,
I posted to the devs mailing list, but then looking through the archives it looks like it's been dead a while.
Anyway, I wrote "users from LDAP" support. It works fine here, but obviously I'd like to get someone else to test it.
Here's what I posted to the devs list:
Hi Devs,
I just wrote in support for getting user accounts from LDAP. Basically, if this option is enabled, it will check LDAP for the user who is being logged in. If the username and password match, it'll then check the opendocman database to see if the user already exists there. If it does, it synchronizes the password field with the LDAP password. If not, it adds a new user with defaults. All of this is against version 1.3.2.
To test this out, you need the following in config.php:
-----8<-----
$GLOBALS['CONFIG']['ldap_enable'] = TRUE;
$GLOBALS['CONFIG']['ldap_host'] = 'my.ldaphost.com';
$GLOBALS['CONFIG']['ldap_port'] = '389';
$GLOBALS['CONFIG']['base_dn'] = "ou=People,dc=mydomain,dc=com";
$GLOBALS['CONFIG']['searchfilter'] = "(&(uid=%uid))";
$GLOBALS['CONFIG']['bind_dn'] = "cn=Manager,dc=mydomain,dc=com";
$GLOBALS['CONFIG']['bind_pw'] = "managers_password";
-----8<-----
...and then patch index.php with this patch:
-----8<-----
--- index.php 2015-03-26 13:42:01.781054000 -0400
+++ index.php-orig 2015-03-26 13:49:07.721054000 -0400
@@ -78,15 +78,6 @@
$frmuser = $_POST['frmuser'];
$frmpass = $_POST['frmpass'];
- // JEPH - Check for LDAP users enabled
- if($GLOBALS['CONFIG']['ldap_enable']) {
- require 'ldap-users.inc';
- $ldap_success = ldap_login($frmuser, $frmpass);
- if(!empty($ldap_success)) {
- add_or_modify($frmuser, $frmpass);
- }
- }
-
// check login and md5()
// connect and execute query
$query = "
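Review bot: the file headers are swapped (`--- index.php` is the modified copy and `+++ index.php-orig` the original), so the LDAP block shows up as `-` lines and a plain `patch` against a stock index.php would try to remove code that is not there; regenerate it with the original as the first argument, or tell testers to apply it with `patch -R`. In the block itself, `$frmuser` goes straight from `$_POST` into `ldap_login()`, which substitutes it into the search filter, so the include needs to escape it (`ldap_escape()` with `LDAP_ESCAPE_FILTER`) before searching, and when `ldap_login()` returns FALSE nothing is logged before execution falls through to the local md5 check that follows.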
@@ -134,11 +125,11 @@
// if row exists - login/pass is correct
if (count($result) == 1)
- {
+ {
// register the user's ID
$id = $result[0]['id'];
- $username = $result[0]['username'];
- $password = $result[0]['password'];
+ $username = $result['username'];
+ $password = $result['password'];
// initiate a session
$_SESSION['uid'] = $id;
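Review bot: read in the swapped direction, the `$result[0]['username']` / `$result[0]['password']` lines are the new code, and that is an indexing fix to the existing login path (note the unchanged `$id = $result[0]['id'];` two lines above it) that has nothing to do with LDAP; split it into its own patch with a sentence on why `$result['username']` was wrong, so it is not lost on anyone cherry-picking only the LDAP support. The `- {` / `+ {` pair is a whitespace-only change and should be dropped from the hunk.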
-----8<-----
...and add my routines to ldap-users.inc (all of this attached) but in case this list strips attachments, test follows:
-----8<-----
<?php
// ldap-users.inc
//
// Authenticate users against LDAP
// John E.P. Hynes/HyTronix [03/25/2015]
//
// Takes username/password and tries to bind.
// Return user name on success, FALSE on failure.
// Needs PHP 5.6+ for ldap_escape().
function ldap_login($user, $pass) {
    $ldap_host    = $GLOBALS['CONFIG']['ldap_host'];
    $ldap_port    = $GLOBALS['CONFIG']['ldap_port'];
    $base_dn      = $GLOBALS['CONFIG']['base_dn'];
    $searchfilter = $GLOBALS['CONFIG']['searchfilter'];
    $bind_dn      = $GLOBALS['CONFIG']['bind_dn'];
    $bind_pw      = $GLOBALS['CONFIG']['bind_pw'];

    // An empty password turns ldap_bind() into an unauthenticated bind,
    // which many directories accept, so it must never count as a login.
    if ($user === '' || $pass === '') {
        return FALSE;
    }

    $ldap_conn = ldap_connect($ldap_host, $ldap_port);
    if (!$ldap_conn) {
        error_log("ldap_connect() failed.");
        return FALSE;
    }
    ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap_conn, LDAP_OPT_REFERRALS, 0);

    // Bind with the service account so the user's DN can be looked up.
    if (!ldap_bind($ldap_conn, $bind_dn, $bind_pw)) {
        error_log("ldap_bind() failed: " . ldap_error($ldap_conn));
        ldap_close($ldap_conn);
        return FALSE;
    }

    // Escape the submitted username before substituting it into the filter
    // so that filter metacharacters in it cannot change what is searched.
    $this_filter = str_replace("%uid", ldap_escape($user, "", LDAP_ESCAPE_FILTER), $searchfilter);
    if (empty($this_filter)) {
        error_log("Error in searchfilter with str_replace(), got $this_filter");
        ldap_close($ldap_conn);
        return FALSE;
    }

    // sizelimit 2: exactly one entry is expected; a second means the uid is ambiguous.
    $attribute = array("uid");
    $search_results = @ldap_search($ldap_conn, $base_dn, $this_filter, $attribute, 0, 2);
    if (!$search_results) {
        error_log("ldap_search() failed: " . ldap_error($ldap_conn));
        ldap_close($ldap_conn);
        return FALSE;
    }
    $entries = ldap_count_entries($ldap_conn, $search_results);
    if ($entries != 1) {
        error_log("ldap_search() returned $entries entries for the user, expected 1.");
        ldap_close($ldap_conn);
        return FALSE;
    }

    // Re-bind as the user's own DN with the supplied password.
    $user_entry = ldap_first_entry($ldap_conn, $search_results);
    $this_dn = ldap_get_dn($ldap_conn, $user_entry);
    $user_bind = @ldap_bind($ldap_conn, $this_dn, $pass);
    ldap_close($ldap_conn);
    if (!$user_bind) {
        return FALSE;
    }
    return $user;
}

function add_or_modify($username, $password) {
    // Check to make sure user does not already exist
    $pdo = $GLOBALS['pdo'];
    $query = "SELECT COUNT(*) FROM {$GLOBALS['CONFIG']['db_prefix']}user WHERE username = :username";
    $stmt = $pdo->prepare($query);
    if (!$stmt->execute(array(':username' => $username))) {
        error_log("Database error - could not look up user $username.");
        return;
    }
    // Read the count once: fetchColumn() advances the cursor, so calling it
    // again in a second branch would compare against FALSE instead.
    $count = (int) $stmt->fetchColumn();
    if ($count == 1) {
        update_password($username, $password);
    } elseif ($count == 0) {
        create_user($username, $password);
    } else {
        error_log("Database error - username not unique.");
    }
    return;
}

function update_password($username, $password) {
    $pdo = $GLOBALS['pdo'];
    // OpenDocMan 1.3.2 stores md5() of the password, so the local copy is kept in that form.
    $query = "UPDATE {$GLOBALS['CONFIG']['db_prefix']}user
              SET password=md5(:password) WHERE username=:username";
    $stmt = $pdo->prepare($query);
    $stmt->execute(array(':username' => $username, ':password' => $password));
    return;
}

function create_user($username, $password) {
    $pdo = $GLOBALS['pdo'];
    // Defaults for a user that exists only in LDAP so far.
    $department  = 1;
    $phonenumber = "000-000-0000";
    $email       = "";
    $lastname    = "";
    $firstname   = "";
    $can_add     = 0;
    $can_checkin = 0;
    $query = "INSERT INTO {$GLOBALS['CONFIG']['db_prefix']}user
              (username, password, department, phone, Email, last_name, first_name, can_add, can_checkin)
              VALUES(
                  :username,
                  md5(:password),
                  :department,
                  :phonenumber,
                  :email,
                  :lastname,
                  :firstname,
                  :can_add,
                  :can_checkin
              )";
    $stmt = $pdo->prepare($query);
    $stmt->execute(array(
        ':username'    => $username,
        ':password'    => $password,
        ':department'  => $department,
        ':phonenumber' => $phonenumber,
        ':email'       => $email,
        ':lastname'    => $lastname,
        ':firstname'   => $firstname,
        ':can_add'     => $can_add,
        ':can_checkin' => $can_checkin
    ));
    $user_id = $pdo->lastInsertId();
    // New LDAP users are never administrators.
    $admin = 0;
    $query = "INSERT INTO {$GLOBALS['CONFIG']['db_prefix']}admin (id, admin) VALUES(:user_id, :admin)";
    $stmt = $pdo->prepare($query);
    $stmt->execute(array(':user_id' => $user_id, ':admin' => $admin));
    return;
}
// No closing ?> tag: an include file must not emit trailing whitespace before headers are sent.
-----8<-----
Attachments: opendocman-1.3.2-ldap-options.config.php (435 bytes), opendocman-1.3.2-ldap.patch.txt (962 bytes), ldap-users.inc.txt (3.5 KB)
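The two checks a reviewer would want around the `%uid` substitution above, as an added stand-alone example that is not part of the post or of OpenDocMan: it builds the search filter from the post's `(&(uid=%uid))` template with RFC 4515 escaping of the substituted value (what PHP's `ldap_escape()` with `LDAP_ESCAPE_FILTER` does) and refuses credentials that would make the user bind an unauthenticated bind. Function names and the sample inputs are constructed for the example.

```python
# Added example, not from the OpenDocMan post. Mirrors the filter-building
# step of ldap_login() in Python so the escaping and pre-bind checks can be
# exercised without a directory server.

SEARCHFILTER = "(&(uid=%uid))"  # template value from the post's config.php

# RFC 4515 section 3: characters that must be hex-escaped in a filter value.
# Backslash is in the table too, so it is escaped rather than doubled.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter(template: str, uid: str) -> str:
    """Substitute %uid into the template the way the PHP str_replace() does,
    but with the value escaped first so metacharacters in it stay inert."""
    if "%uid" not in template:
        raise ValueError("searchfilter template lacks the %uid placeholder")
    return template.replace("%uid", escape_filter_value(uid))


def credentials_usable_for_bind(user: str, password: str) -> bool:
    """Pre-bind check. RFC 4513 makes a bind with a DN and an empty password an
    unauthenticated bind, which many directories accept, so an empty or
    whitespace-only password must be rejected before ldap_bind() is reached."""
    if not user or "\x00" in user:
        return False
    return password != "" and not password.isspace()


if __name__ == "__main__":
    # Constructed sample inputs: a plain uid and one containing filter metacharacters.
    print(build_uid_filter(SEARCHFILTER, "jdoe"))
    print(build_uid_filter(SEARCHFILTER, "a*b(c)\\d"))
    print(credentials_usable_for_bind("jdoe", ""))
```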