Menu
▾
▴
#1939 UserLDAP auto create User
not-a-bug
None
Data model
Critical
2.7.0
defect
2021-02-23
2021-01-22
No
OK, I have more than 30.000 ldap users and it's a non sense to import all of them because probably only 5% will ever open a ticket for support. So I manged to implement auto creation of ldap users. The first attempt was to make a new external authentication extension. But I'm not familiar with PHP and I've not an IDE installed. So I managed on modifying some files. Probably not the best solution but it's functional, so.....
Here are the files modified. I've tested on env-production but they must be in the datamodel, of course.
It requires some new config:
'authent-ldap' => array ( 'host' => 'ldap server', 'port' => 389, 'default_user' => 'ldap search user', 'default_pwd' => 'password', 'base_dn' => 'base dn', 'user_query' => '(&(objectCategory=person)(objectClass=user)(sAMAccountName=%1$s))', 'options' => array ( 17 => 3, 8 => 0, ), 'start_tls' => true, 'create_user' => true, 'default_organization' => 'default organization name', 'default_profile' => array ( 0 => 'Portal user', ), 'debug' => false, ),
and here the snip of modification made:
/var/www/html/application# vi loginform.class.inc.php protected function OnCheckCredentials(&$iErrorCode) { if ($_SESSION['login_mode'] == 'form') { $sAuthUser = utils::ReadPostedParam('auth_user', '', 'raw_data'); $sAuthPwd = utils::ReadPostedParam('auth_pwd', null, 'raw_data'); if (!UserRights::CheckCredentials($sAuthUser, $sAuthPwd, $_SESSION['login_mode'], 'internal')) { IssueLog::Error("QUAT '$sAuthUser'"); if (!UserLDAP::CheckCredentialsAndCreateUser($sAuthUser, $sAuthPwd, $_SESSION['login_mode'], 'internal')) { $iErrorCode = LoginWebPage::EXIT_CODE_WRONGCREDENTIALS; return LoginWebPage::LOGIN_FSM_ERROR; } } } return LoginWebPage::LOGIN_FSM_CONTINUE; } ------------------------------------------------------------------------------------- /var/www/html/env-production/authent-ldap# vi model.authent-ldap.php class UserLDAP extends UserInternal implements iSelfRegister { .... public function CheckCredentials($sPassword) { $sLDAPHost = MetaModel::GetModuleSetting('authent-ldap', 'host', 'localhost'); $iLDAPPort = MetaModel::GetModuleSetting('authent-ldap', 'port', 389); $sDefaultLDAPUser = MetaModel::GetModuleSetting('authent-ldap', 'default_user', ''); $sDefaultLDAPPwd = MetaModel::GetModuleSetting('authent-ldap', 'default_pwd', ''); $bLDAPStartTLS = MetaModel::GetModuleSetting('authent-ldap', 'start_tls', false); $bCreateUser = MetaModel::GetModuleSetting('authent-ldap', 'create_user', false); $sDefaultOrganization = MetaModel::GetModuleSetting('authent-ldap', 'default_organization', ''); $aRequestedProfiles = MetaModel::GetModuleSetting('authent-ldap', 'default_profile', ''); $aOptions = MetaModel::GetModuleSetting('authent-ldap', 'options', array()); if (array_key_exists(LDAP_OPT_DEBUG_LEVEL, $aOptions)) { // Set debug level before trying to connect, so that debug info appear in the PHP error log if ldap_connect goes wrong $bRet = ldap_set_option($hDS, LDAP_OPT_DEBUG_LEVEL, $aOptions[LDAP_OPT_DEBUG_LEVEL]); $this->LogMessage("ldap_set_option('$name', '$value') returned ".($bRet ? 'true' : 'false')); } $hDS = @ldap_connect($sLDAPHost, $iLDAPPort); if ($hDS === false) { $this->LogMessage("ldap_authentication: can not connect to the LDAP server '$sLDAPHost' (port: $iLDAPPort). Check the configuration file config-itop.php."); return false; } foreach($aOptions as $name => $value) { $bRet = ldap_set_option($hDS, $name, $value); $this->LogMessage("ldap_set_option('$name', '$value') returned ".($bRet ? 'true' : 'false')); } if ($bLDAPStartTLS) { $this->LogMessage("ldap_authentication: start tls required."); $hStartTLS = ldap_start_tls($hDS); //$this->LogMessage("ldap_authentication: hStartTLS = '$hStartTLS'"); if (!$hStartTLS) { $this->LogMessage("ldap_authentication: start tls failed."); return false; } } if ($bind = @ldap_bind($hDS, $sDefaultLDAPUser, $sDefaultLDAPPwd)) { // Search for the person, using the specified query expression $sLDAPUserQuery = MetaModel::GetModuleSetting('authent-ldap', 'user_query', ''); $sBaseDN = MetaModel::GetModuleSetting('authent-ldap', 'base_dn', ''); $sLogin = $this->Get('login'); $iContactId = $this->Get('contactid'); $sFirstName = ''; $sLastName = ''; $sEMail = ''; if ($iContactId > 0) { $oPerson = MetaModel::GetObject('Person', $iContactId); if (is_object($oPerson)) { $sFirstName = $oPerson->Get('first_name'); $sLastName = $oPerson->Get('name'); $sEMail = $oPerson->Get('email'); } } // %1$s => login // %2$s => first name // %3$s => last name // %4$s => email $sQuery = sprintf($sLDAPUserQuery, $sLogin, $sFirstName, $sLastName, $sEMail); $hSearchResult = @ldap_search($hDS, $sBaseDN, $sQuery); $iCountEntries = ($hSearchResult !== false) ? @ldap_count_entries($hDS, $hSearchResult) : 0; switch($iCountEntries) { case 1: // Exactly one entry found, let's check the password by trying to bind with this user $aEntry = ldap_get_entries($hDS, $hSearchResult); $sUserDN = $aEntry[0]['dn']; $bUserBind = @ldap_bind($hDS, $sUserDN, $sPassword); if (($bUserBind !== false) && !empty($sPassword)) { $sFirstName = $aEntry[0]['sn'][0]; $sLastName = $aEntry[0]['givenname'][0]; $sEMail = $aEntry[0]['mail'][0]; ldap_unbind($hDS); $sAuthentication = 'internal'; $oUser = LoginWebPage::FindUser($sLogin, true, ucfirst(strtolower($sAuthentication))); if($bCreateUser && is_null($oUser)) { $oPerson=LoginWebPage::ProvisionPerson($sFirstName, $sLastName, $sEMail, $sDefaultOrganization); LoginWebPage::ProvisionUser($sLogin, $oPerson, $aRequestedProfiles, 'UserLDAP'); } return true; // Password Ok } $this->LogMessage("ldap_authentication: wrong password for user: '$sUserDN'."); return false; // Wrong password break; case 0: // User not found... $this->LogMessage("ldap_authentication: no entry found with the query '$sQuery', base_dn = '$sBaseDN'. User not found in LDAP."); break; default: // More than one entry... maybe the query is not specific enough... $this->LogMessage("ldap_authentication: several (".ldap_count_entries($hDS, $hSearchResult).") entries match the query '$sQuery', base_dn = '$sBaseDN', check that the query defined in config-itop.php is specific enough."); } return false; } else { // Trace: invalid default user for LDAP initial binding $this->LogMessage("ldap_authentication: can not bind to the LDAP server '$sLDAPHost' (port: $iLDAPPort), user='$sDefaultLDAPUser', pwd='$sDefaultLDAPPwd'. Error: '".ldap_error($hDS)."'. Check the configuration file config-itop.php."); return false; } } /** * Called when no user is found in iTop for the corresponding 'name'. This method * can create/synchronize the User in iTop with an external source (such as AD/LDAP) on the fly * @param string $sName The typed-in user name * @param string $sPassword The typed-in password * @param string $sLoginMode The login method used (cas|form|basic|url) * @param string $sAuthentication The authentication method used (any|internal|external) * @return bool true if the user is a valid one, false otherwise */ public static function CheckCredentialsAndCreateUser($sName, $sPassword, $sLoginMode, $sAuthentication) { IssueLog::Error("TRE '$sName'"); $oUser = MetaModel::NewObject('UserLDAP'); $oUser->Set('login', $sName); $oUser->Set('language', MetaModel::GetConfig()->GetDefaultLanguage()); return $oUser->CheckCredentials($sPassword); } /** * Called after the user has been authenticated and found in iTop. This method can * Update the user's definition on the fly (profiles...) to keep it in sync with an external source * @param User $oUser The user to update/synchronize * @param string $sLoginMode The login mode used (cas|form|basic|url) * @param string $sAuthentication The authentication method used * @return void */ public static function UpdateUser(User $oUser, $sLoginMode, $sAuthentication) { return false; } ------------------------------------------------------------------------------------------------------------------------------- /var/www/html/application# vi loginwebpage.class.inc.php /** * Provisioning API: Create or update a User * * @api * * @param string $sAuthUser * @param Person $oPerson * @param array $aRequestedProfiles profiles to add to the new user * * @return \UserExternal|\UserLdap|null */ public static function ProvisionUser($sAuthUser, $oPerson, $aRequestedProfiles, $sUserType = 'UserExternal') { if (!MetaModel::IsValidClass('URP_Profiles')) { IssueLog::Error("URP_Profiles is not a valid class. Automatic creation of Users is not supported in this context, sorry."); return null; } /** @var UserExternal $oUser */ $oUser = null; try { CMDBObject::SetTrackOrigin('custom-extension'); $sInfo = 'External User provisioning'; if (isset($_SESSION['login_mode'])) { $sInfo .= " ({$_SESSION['login_mode']})"; } CMDBObject::SetTrackInfo($sInfo); $oUser = MetaModel::GetObjectByName($sUserType, $sAuthUser, false); if (is_null($oUser)) { $oUser = MetaModel::NewObject($sUserType); $oUser->Set('login', $sAuthUser); $oUser->Set('contactid', $oPerson->GetKey()); $oUser->Set('language', MetaModel::GetConfig()->GetDefaultLanguage()); } // read all the existing profiles $oProfilesSearch = new DBObjectSearch('URP_Profiles'); $oProfilesSet = new DBObjectSet($oProfilesSearch); $aAllProfiles = array(); while ($oProfile = $oProfilesSet->Fetch()) { $aAllProfiles[strtolower($oProfile->GetName())] = $oProfile->GetKey(); } $aProfiles = array(); foreach ($aRequestedProfiles as $sRequestedProfile) { $sRequestedProfile = strtolower($sRequestedProfile); if (isset($aAllProfiles[$sRequestedProfile])) { $aProfiles[] = $aAllProfiles[$sRequestedProfile]; } } if (empty($aProfiles)) { throw new Exception(Dict::S('UI:Login:Error:NoValidProfiles')); } // Now synchronize the profiles $oProfilesSet = DBObjectSet::FromScratch('URP_UserProfile'); $sOrigin = 'External User provisioning'; if (isset($_SESSION['login_mode'])) { $sOrigin .= " ({$_SESSION['login_mode']})"; } foreach ($aProfiles as $iProfileId) { $oLink = new URP_UserProfile(); $oLink->Set('profileid', $iProfileId); $oLink->Set('reason', $sOrigin); $oProfilesSet->AddObject($oLink); } $oUser->Set('profile_list', $oProfilesSet); if ($oUser->IsModified()) { $oUser->DBWrite(); } } catch (Exception $e) { IssueLog::Error($e->getMessage()); } return $oUser; } ----------------------------------------------------------------------------------------------------------
Hello Romano,
Thanks for sharing !
But... Are you asking something ?
Next time please use the forums ("discussion" tab, then "new topic" button on the top left) : we prefer tickets to be used only for qualified bug reports and enhancements requests.
In consequence I'm closing this.
Also, we strongly advise against modifying iTop core code : that will complicate a lot iTop upgrades, cause you'll have to report all of those modifications each times !
iTop provides a complete customization system that should be used instead !
About user provisionning, all is explained here : Login and User Provisioning API
This custom code can be added to iTop using modules, see Customizing iTop [iTop Documentation]
Last edit: Romano Trampus 2021-01-25
Hello Romano, I've received an email with your answer but when opening this ticket your message is blank ?!??
In the email I received you were asking if it's ok to contribute and yes of course it is ! See the CONTRIBUTING.md files in our public repos.
Last edit: Pierre Goiffon 2021-02-24
Hi Pierre, I moved to a discussion, and probably it's still there :-) Thank
you,
romano
Last edit: Pierre Goiffon 2021-02-24