[icinga-checkins] icinga.org: icinga-web/mfrosch/ldapchanges: Removing authid requirement from LDAP Auth

git at icinga.org git at icinga.org
Fri Nov 30 12:02:14 CET 2012


Module: icinga-web
Branch: mfrosch/ldapchanges
Commit: 9864421abaa048f293e9bba8c1f9edc364033e4f
URL:    https://git.icinga.org/?p=icinga-web.git;a=commit;h=9864421abaa048f293e9bba8c1f9edc364033e4f

Author: Markus Frosch <markus.frosch at netways.de>
Date:   Fri Nov 30 12:01:37 2012 +0100

Removing authid requirement from LDAP Auth

The LDAP Module relied in many parts on the correct content of "authid", which held the full DN of a user inside LDAP.

This will be changed to work with the default filters and settings specified in the XML configuration.

An admin should make sure that if multiple LDAP trees are used no overlapping in terms of the usernames exists.
(refs #3473)

---

 .../models/Auth/Provider/LDAPModel.class.php       |   27 ++++++++++---------
 1 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/app/modules/AppKit/models/Auth/Provider/LDAPModel.class.php b/app/modules/AppKit/models/Auth/Provider/LDAPModel.class.php
index e8f2d73..40fb1c8 100644
--- a/app/modules/AppKit/models/Auth/Provider/LDAPModel.class.php
+++ b/app/modules/AppKit/models/Auth/Provider/LDAPModel.class.php
@@ -43,15 +43,16 @@ class AppKit_Auth_Provider_LDAPModel extends AppKitAuthProviderBaseModel impleme
 
         try {
             // Check if user always is available
-            $search_record = $this->getLdaprecord($this->getSearchFilter($user->user_name), $authid);
+            $search_record = $this->getLdaprecord($this->getSearchFilter($user->user_name));
 
-            if (isset($search_record['dn']) && $search_record['dn'] === $authid) {
+            if (isset($search_record['dn']) && $search_record[$this->getParameter('ldap_userattr', 'uid')] === $username) {
                 // Check bind
+                $this->log('Auth.Provider.LDAP Trying bind with dn=%s', $search_record['dn'], AgaviLogger::DEBUG);
                 $conn = $this->getLdapConnection(false);
-                $re = @ldap_bind($conn, $authid, $password);
+                $re = @ldap_bind($conn, $search_record['dn'], $password);
 
                 if ($this->isLdapError($conn)==false && $re === true && ldap_errno($conn) === 0) {
-                    $this->log('Auth.Provider.LDAP Successfull bind (authkey=%s,user=%s)', $authid, $username, AgaviLogger::DEBUG);
+                    $this->log('Auth.Provider.LDAP Successfull bind (dn=%s,user=%s)', $search_record['dn'], $username, AgaviLogger::DEBUG);
                     return true;
                 }
             }
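Review bot: The bind on line 46 now uses the DN from the search result, but nothing in this hunk rejects an empty `$password`; `ldap_bind` with an empty password performs an unauthenticated bind that many directories accept, so `$re === true` would pass for any known username with no password. If the enclosing function (its start is outside this hunk) does not already check this, add `if ($password === '') { return false; }` before the bind. The new comparison on line 41 also mixes `$user->user_name` (line 38) with `$username`; if these can differ the check should use one consistently, and it presumably assumes `getLdaprecord` returns the attribute as a scalar rather than the `ldap_get_entries` array form, where the strict `===` would never match — confirm against the helper.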
@@ -69,10 +70,16 @@ class AppKit_Auth_Provider_LDAPModel extends AppKitAuthProviderBaseModel impleme
      * @see app/modules/AppKit/lib/auth/AppKitIAuthProvider#isAvailable()
      */
     public function isAvailable($uid, $authid=null) {
-        $record = $this->getLdaprecord('(objectClass=*)', $authid);
+        // checking if this user is inside LDAP
+        $this->log('Availability lookup in LDAP for username=%s', $uid, AgaviLogger::DEBUG);
+
+        // searching via user filter
+        $record = $this->getLdaprecord($this->getSearchFilter($uid));
 
         if (is_array($record)) {
-            if ($record['dn'] === $authid) {
+            $userattr = $this->getParameter('ldap_userattr', 'uid');
+            if ($record[$userattr] === $uid) {
+                $this->log("Availability lookup in LDAP for username=%s found dn: %s", $uid, $record['dn'], AgaviLogger::DEBUG);
                 return true;
             }
         }
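Review bot: `$authid` is now unused in `isAvailable` (lines 57–63) but remains in the signature; document it as ignored, e.g. `@param string|null $authid Ignored: the DN is resolved via the search filter; kept for interface compatibility.`, and the same applies to the import path in the third hunk, whose log line (line 75) still prints it. Line 68 reads `$record[$userattr]` without checking that the key exists, so a record missing the configured attribute raises a notice; prefer `if (isset($record[$userattr]) && $record[$userattr] === $uid)`. The debug message on line 69 uses double quotes without interpolation; single quotes match the surrounding lines.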
@@ -92,13 +99,7 @@ class AppKit_Auth_Provider_LDAPModel extends AppKitAuthProviderBaseModel impleme
 
         $this->log('Auth.Provider.LDAP Try import (user=%s, authid=%s)', $uid, $authid, AgaviLogger::DEBUG);
 
-        if ($authid == $uid || $authid==false) {
-            $data = $this->getLdaprecord($this->getSearchFilter($uid));
-        }
-
-        elseif(strlen($authid) > strlen($uid)) {
-            $data = $this->getLdaprecord('(objectClass=*)', $authid);
-        }
+        $data = $this->getLdaprecord($this->getSearchFilter($uid));
 
         if (is_array($data)) {
             $re = (array)$this->mapUserdata($data);




