From: <axe...@us...> - 2010-02-19 14:35:48
Revision: 105 http://wpmu-ldap.svn.sourceforge.net/wpmu-ldap/?rev=105&view=rev Author: axelseaa Date: 2010-02-19 14:35:41 +0000 (Fri, 19 Feb 2010) Log Message: ----------- global allow and deny groups implemented - nested group support Modified Paths: -------------- trunk/ldap/lib/defines.php trunk/ldap/lib/ldap_core.php trunk/ldap/lib/ldap_ro.php trunk/ldap/lib/wpmu_ldap.functions.php trunk/ldap/lib/wpmu_ldap_admin.functions.php Modified: trunk/ldap/lib/defines.php =================================================================== --- trunk/ldap/lib/defines.php 2010-01-31 18:35:00 UTC (rev 104) +++ trunk/ldap/lib/defines.php 2010-02-19 14:35:41 UTC (rev 105) @@ -1,12 +1,17 @@ <?php -define ('LDAP_OK', '0'); -define ('LDAP_ERROR_NO_PASSWORD', '-1'); -define ('LDAP_ERROR_NO_NOVELL_ID', '-2'); -define ('LDAP_ERROR_USER_NOT_FOUND', '-3'); -define ('LDAP_ERROR_NO_EMAIL_IN_NDS', '-4'); -define ('LDAP_ERROR_CONNECTION', '-5'); -define ('LDAP_ERROR_WRONG_PASSWORD', '-6'); -define ('LDAP_ERROR_EMPTY_PARAM', '-7'); +define ('LDAP_OK', '0'); +define ('LDAP_IN_GROUP', '1'); +define ('LDAP_GROUP_NOT_SET', '2'); +define ('LDAP_ERROR_NO_PASSWORD', '-1'); +define ('LDAP_ERROR_NO_NOVELL_ID', '-2'); +define ('LDAP_ERROR_USER_NOT_FOUND', '-3'); +define ('LDAP_ERROR_NO_EMAIL_IN_NDS', '-4'); +define ('LDAP_ERROR_CONNECTION', '-5'); +define ('LDAP_ERROR_WRONG_PASSWORD', '-6'); +define ('LDAP_ERROR_EMPTY_PARAM', '-7'); +define ('LDAP_ERROR_ACCESS_GROUP', '-8'); +define ('LDAP_ERROR_DENIED_GROUP', '-9'); +define ('LDAP_ERROR_NOT_IN_GROUP', '-10'); define ('LDAP_INDEX_EMAIL', '0'); define ('LDAP_INDEX_NAME', '1'); 
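Review bot: The new `LDAP_IN_GROUP` and `LDAP_GROUP_NOT_SET` constants are outcomes of a group-membership check rather than authentication errors, yet they are added to the same code space as `LDAP_OK` and the negative error codes with no comment saying which routine returns them or what a caller should do with each. Because every value in this file is a string, a caller that tests against a numeric literal or truthiness instead of the named constant will misclassify a result; a short comment above the three additions, e.g. `// checkGroup() results: member of a listed group / no group list configured / not a member of any listed group`, and a matching one above `LDAP_ERROR_ACCESS_GROUP`/`LDAP_ERROR_DENIED_GROUP`/`LDAP_ERROR_NOT_IN_GROUP`, would make the intended use clear.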
@@ -36,6 +41,7 @@ define ('LDAP_DEFAULT_ATTRIBUTE_DN', 'dn'); define ('LDAP_DEFAULT_ATTRIBUTE_NIXSEARCH', 'uid'); define ('LDAP_DEFAULT_ATTRIBUTE_WINSEARCH', 'samaccountname'); +define ('LDAP_DEFAULT_ATTRIBUTE_GROUP_OBJECTCLASS','group'); define ('LDAP_DELIM', ","); define ('LDAP_USER_SEARCH_FULLNAME', '0'); Modified: trunk/ldap/lib/ldap_core.php =================================================================== --- trunk/ldap/lib/ldap_core.php 2010-01-31 18:35:00 UTC (rev 104) +++ trunk/ldap/lib/ldap_core.php 2010-02-19 14:35:41 UTC (rev 105) 
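Review bot: `LDAP_DEFAULT_ATTRIBUTE_GROUP_OBJECTCLASS` defaults to `'group'`, which is the Active Directory group class; OpenLDAP-style directories typically use `groupOfNames` (member attribute `member`) or `groupOfUniqueNames` (`uniqueMember`), so on those servers the `(objectclass=…)` clause built from this constant matches nothing and any configured allow group will reject every user. The default is fine if AD is the primary target, but it deserves a comment, e.g. `// Active Directory default; OpenLDAP deployments usually need groupOfNames or groupOfUniqueNames together with the matching member attribute`, and the same hint belongs in the Group Settings admin text.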
@@ -196,5 +196,69 @@ if ($type == LDAP_INDEX_DN) return $this->info[0][$dn]; if ($type == LDAP_INDEX_NICKNAME) return empty($nickname) ? false : $this->info[0][$nickname][0]; } + + function checkGroup($userDN,$groups){ + //Make sure we're connected - we're not when this is called from the admin side + if (!$this->connection_handle) { + $this->connect(); + } + + if (empty($groups)) return LDAP_GROUP_NOT_SET; + + // Get Groups + $this->SetSearchCriteria("(&(".get_site_option('ldapAttributeMember',LDAP_DEFAULT_ATTRIBUTE_MEMBER)."=$userDN)(objectclass=".get_site_option('ldapAttributeGroupObjectclass',LDAP_DEFAULT_ATTRIBUTE_GROUP_OBJECTCLASS)."))", array(get_site_option('ldapAttributeDN',LDAP_DEFAULT_ATTRIBUTE_DN))); + $this->Search(); + $results = ldap_get_entries($this->connection_handle, $this->search_result); + // Check Groups + $userGroups = array(); + for ($i = 0; $i < $results['count']; $i++) { + $userGroups[$i] = strtolower($results[$i][get_site_option('ldapAttributeDN',LDAP_DEFAULT_ATTRIBUTE_DN)]); + if (in_array($userGroups[$i],$groups)) return LDAP_IN_GROUP; + } + + if ($this->checkGroupNested($groups,$userGroups)) { + return LDAP_IN_GROUP; + } + + // Check for nested groups + return LDAP_ERROR_NOT_IN_GROUP; + } + + /* Recursive function used to check nested groups */ + function checkGroupNested($reqgroups,$groups,$checkedgroups = array()) { + if (!$groups) return false; //no more groups left to check + + #print "Checking Groups ".implode(",",$groups)." 
<br/>"; + + $groupstocheck = array(); + foreach ($groups as $group) { + // Get User Groups + $attributes_to_get = array(get_site_option('ldapAttributeDN',LDAP_DEFAULT_ATTRIBUTE_DN)); + $this->SetSearchCriteria("(&(".get_site_option('ldapAttributeMember',LDAP_DEFAULT_ATTRIBUTE_MEMBER)."=$group)(objectclass=".get_site_option('ldapAttributeGroupObjectclass',LDAP_DEFAULT_ATTRIBUTE_GROUP_OBJECTCLASS)."))", $attributes_to_get); + $this->Search(); + $results = ldap_get_entries($this->connection_handle, $this->search_result); + $returnedgroups = array(); + for ($i = 0; $i < $results['count']; $i++) { + array_push($returnedgroups,strtolower($results[$i][get_site_option('ldapAttributeDN',LDAP_DEFAULT_ATTRIBUTE_DN)])); + } + + #print "Group $group is a member of: ".implode(",",$returnedgroups)."<br/>"; + + foreach ($returnedgroups as $checkgroup) { + if (in_array($checkgroup, $checkedgroups)) { + continue; + } + + #print "Checking membership for $checkgroup<br/>"; + + if (in_array($checkgroup, $reqgroups)) { + return true; + } else { + array_push($groupstocheck,$checkgroup); + } + } + } + $checkedgroups = array_unique(array_merge($groups,$checkedgroups)); + return $this->checkGroupNested($reqgroups,$groupstocheck,$checkedgroups); + } } -?> Modified: trunk/ldap/lib/ldap_ro.php =================================================================== --- trunk/ldap/lib/ldap_ro.php 2010-01-31 18:35:00 UTC (rev 104) +++ trunk/ldap/lib/ldap_ro.php 2010-02-19 14:35:41 UTC (rev 105) @@ -33,6 +33,7 @@ get_site_option('ldapAttributeGivenname',LDAP_DEFAULT_ATTRIBUTE_GIVENNAME), get_site_option('ldapAttributeSn',LDAP_DEFAULT_ATTRIBUTE_SN), get_site_option('ldapAttributePhone',LDAP_DEFAULT_ATTRIBUTE_PHONE)); + if (get_site_option('ldapLinuxWindows')) $uid = get_site_option('ldapAttributeNixSearch',LDAP_DEFAULT_ATTRIBUTE_NIXSEARCH); //Linux else 
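Review bot: In `checkGroup` and `checkGroupNested` the DN (`$userDN`, `$group`) is interpolated straight into the search filter, so a DN containing filter metacharacters — `(`, `)`, `*` or `\`, all legal in a `cn` such as `CN=Doe\, John (Contractor)` — yields an invalid or differently-scoped filter, the lookup returns nothing, and the user is reported as not in any group (for the deny list that means the user is silently not denied). Escape the value per RFC 4515 before building the filter in both methods, e.g. `$dn = ldap_escape($userDN, '', LDAP_ESCAPE_FILTER);` (PHP 5.6+, or an equivalent helper on older builds). Membership is then decided by `strtolower` string equality between the directory's DN and the configured list, so a difference in spacing or escaping between the two spellings also produces a false "not a member"; either normalise both sides or state on the admin page that group DNs must be entered exactly as the directory returns them. The `#print` debug lines and the misplaced `// Check for nested groups` comment above the final `return` should be removed before this ships.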
@@ -62,8 +63,18 @@ $user_data[LDAP_INDEX_GIVEN_NAME] = $this->GetLDAPInfo (LDAP_INDEX_GIVEN_NAME); $user_data[LDAP_INDEX_SURNAME] = $this->GetLDAPInfo (LDAP_INDEX_SURNAME); $user_data[LDAP_INDEX_PHONE] = $this->GetLDAPInfo (LDAP_INDEX_PHONE); - - // Success! + $user_data[LDAP_INDEX_MEMBER] = $this->GetLDAPInfo (LDAP_INDEX_MEMBER); + + // If deny group set and user found, return + $deny = $this->checkGroup($user_data[LDAP_INDEX_DN],wpmuLdapGroupsGet(array('siteoption' => 'ldapGroupDenyLogin'))); + if ($deny == LDAP_IN_GROUP) return LDAP_ERROR_DENIED_GROUP; + + // If allow group set and user found, + $allow = $this->checkGroup($user_data[LDAP_INDEX_DN],wpmuLdapGroupsGet(array('siteoption' => 'ldapGroupAllowLogin'))); + if ($allow == LDAP_IN_GROUP) return LDAP_OK; // found in group + if ($allow == LDAP_ERROR_NOT_IN_GROUP) return LDAP_ERROR_ACCESS_GROUP; // not in group + + // Default Catch $return = LDAP_OK; } else { Modified: trunk/ldap/lib/wpmu_ldap.functions.php =================================================================== --- trunk/ldap/lib/wpmu_ldap.functions.php 2010-01-31 18:35:00 UTC (rev 104) +++ trunk/ldap/lib/wpmu_ldap.functions.php 2010-02-19 14:35:41 UTC (rev 105) 
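Review bot: The deny check treats every result other than `LDAP_IN_GROUP` as "not denied", but `checkGroup` returns `LDAP_ERROR_NOT_IN_GROUP` both when the user is genuinely not a member and when the group search produced no entries for any other reason (a failed `Search()` leaves `$results['count']` unset and the loop never runs), so a transient directory error against a configured deny list fails open while the same error against an allow list fails closed. Consider having `checkGroup` report a lookup failure with a distinct code and, when `ldapGroupDenyLogin` is configured, treating anything other than `LDAP_GROUP_NOT_SET` or `LDAP_ERROR_NOT_IN_GROUP` here as a denial. The comment `// If allow group set and user found,` is cut off; `// If an allow list is configured the user must be in it; no list configured means allow` states the rule the two lines below implement. The enclosing method starts and ends outside this hunk.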
@@ -87,13 +87,20 @@ if ($result == LDAP_OK) { return array('result' => true,'userdata' => $userDataArray); } - // handle both at once, for security else if ( ($result == LDAP_ERROR_USER_NOT_FOUND || $result == LDAP_ERROR_WRONG_PASSWORD) ) { $errors->add('invalid_userpass',__('<strong>ERROR</strong>: Wrong username / password combination.')); return array('result' => false,'errors' => $errors); } - + // check security group + else if ( $result == LDAP_ERROR_ACCESS_GROUP ){ + $errors->add('wrong_group',__('<strong>ERROR</strong>: Access denied - user not found in security access group(s).')); + return array('result' => false,'errors' => $errors); + } + elseif ($result == LDAP_ERROR_DENIED_GROUP) { + $errors->add('deny_group',__('<strong>ERROR</strong>: Access denied - user found in security deny group(s).')); + return array('result' => false,'errors' => $errors); + } // the trickle-through catch-all else { $errors->add('unknown_error',__('<strong>ERROR</strong>: Unknown error in LDAP Authentication.')); @@ -182,12 +189,16 @@ get_site_option('ldapAttributeGivenname',LDAP_DEFAULT_ATTRIBUTE_GIVENNAME), get_site_option('ldapAttributeSn',LDAP_DEFAULT_ATTRIBUTE_SN), get_site_option('ldapAttributePhone',LDAP_DEFAULT_ATTRIBUTE_PHONE)); - $userDataArray = null; if ($server->DoSearchUsername($in_username, $attributes_to_get, $userDataArray) == LDAP_OK) { - if (!empty($userDataArray)) - return true; + if (!empty($userDataArray)) { + if ($server->checkGroup($userDataArray[LDAP_INDEX_DN]) == 0) { + return true; + } else { + return false; + } + } } return false; } 
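Review bot: The two new messages (`wrong_group`, `deny_group`) are only reachable after the password check succeeded, so the login form now tells an unauthenticated client that the username/password pair was correct and the account is merely group-restricted — the branch directly above deliberately merges user-not-found and wrong-password "for security", and these additions undo that for restricted accounts. Return the same generic wording to the browser for both codes and record the specific reason server-side (`error_log()` or the plugin's own logging, if it has one), keeping the distinct error keys if the admin side relies on them. Minor: the first new branch is written `else if` and the second `elseif`; the rest of the visible chain uses `else if`, so pick one.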
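Review bot: In the second hunk (`@@ -182,12 +189,16 @@`) `$server->checkGroup($userDataArray[LDAP_INDEX_DN])` passes one argument to a two-parameter method, so `$groups` is undefined (a PHP warning), `empty($groups)` is true and the call returns `LDAP_GROUP_NOT_SET` (`'2'`); since `checkGroup` only ever returns `'1'`, `'2'` or `'-10'`, the `== 0` test can never hold and this function now returns false for every user. Mirror the authenticate path instead: `$allow = $server->checkGroup($userDataArray[LDAP_INDEX_DN], wpmuLdapGroupsGet(array('siteoption' => 'ldapGroupAllowLogin')));` followed by `return ($allow == LDAP_IN_GROUP || $allow == LDAP_GROUP_NOT_SET);`, and apply the deny list the same way if this path is meant to gate account creation. The enclosing function begins outside the hunk.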
@@ -366,3 +377,13 @@ return $username; } + +/**/ +function wpmuLdapGroupsGet($opts = array()) { + if (empty($opts['siteoption'])) return; + if (empty($opts['display'])) $opts['display'] = 'array'; + $groups = unserialize(get_site_option($opts['siteoption'])); + if (empty($groups)) return; + if ($opts['display'] == 'array') return array_filter(array_map('strtolower', $groups)); + elseif ($opts['display'] == 'web') return implode("\n",$groups); +} Modified: trunk/ldap/lib/wpmu_ldap_admin.functions.php =================================================================== --- trunk/ldap/lib/wpmu_ldap_admin.functions.php 2010-01-31 18:35:00 UTC (rev 104) +++ trunk/ldap/lib/wpmu_ldap_admin.functions.php 2010-02-19 14:35:41 UTC (rev 105) @@ -42,6 +42,8 @@ ldapOptionsPanelUpdates(); } elseif ($tab == 'general') { ldapOptionsPanelGeneral(); + } elseif ($tab == 'group') { + ldapOptionsPanelGroup(); } else { ldapOptionsPanelConnection(); } @@ -56,6 +58,7 @@ echo '<a href="?page=wpmu_ldap_admin.functions.php"'.((empty($tab) || $tab == 'connection') ? ' class="wpmuLdapOptionMenuSelected"' : '').'>Connection Settings</a> | '; echo '<a href="?page=wpmu_ldap_admin.functions.php&ldaptab=general"'.($tab == 'general' ? ' class="wpmuLdapOptionMenuSelected"' : '').'>General Settings</a> | '; echo '<a href="?page=wpmu_ldap_admin.functions.php&ldaptab=attributes"'.($tab == 'attributes' ? ' class="wpmuLdapOptionMenuSelected"' : '').'>Attribute Mapping</a> | '; + echo '<a href="?page=wpmu_ldap_admin.functions.php&ldaptab=group"'.($tab == 'group' ? ' class="wpmuLdapOptionMenuSelected"' : '').'>Group Settings</a> | '; echo '<a href="?page=wpmu_ldap_admin.functions.php&ldaptab=upgrade"'.($tab == 'upgrade' ? ' class="wpmuLdapOptionMenuSelected"' : '').'>Upgrade</a>'; echo '</p><hr/>'; } 
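Review bot: `wpmuLdapGroupsGet` returns `null` via a bare `return` in three unrelated situations (no `siteoption` given, option empty or unset, unknown `display`), which forces a null check onto every caller and hides a misspelt `display` value; returning `array()` for the `'array'` mode and `''` for `'web'` lets callers use the result directly, and an unknown mode should be reported rather than silently ignored. The empty `/**/` docblock should state the contract, roughly: `siteoption` names the site option holding the serialized list of group DNs, and `display` selects `'array'` (lower-cased, empties removed, for matching against directory DNs) or `'web'` (newline-joined original spelling for the admin textarea). The `unserialize()` here only sees a value the plugin's own admin save handler wrote, so it is not fed untrusted input; if this WPMU version's `update_site_option`/`get_site_option` already serialise arrays transparently (verify), storing the array directly would remove the hand-rolled round trip.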
@@ -76,6 +79,20 @@ } echo "<div id='message' class='updated fade'><p>Saved Options!</p></div>"; + } else if ($_POST['ldapGroupsSave']) { + $allow = explode("\n", $_POST['ldapGroupAllowLogin']); + $allow = array_filter(array_map('trim', $allow)); + update_site_option('ldapGroupAllowLogin',serialize($allow)); + + #$allowCreate = explode("\n", $_POST['ldapGroupAllowLoginCreate']); + #$allowCreate = array_filter(array_map('trim', $allowCreate)); + #update_site_option('ldapGroupAllowLoginCreate',serialize($allowCreate)); + + $deny = explode("\n", $_POST['ldapGroupDenyLogin']); + $deny = array_filter(array_map('trim', $deny)); + update_site_option('ldapGroupDenyLogin',serialize($deny)); + + echo "<div id='message' class='updated fade'><p>Saved Options!</p></div>"; } else if ($_POST['ldapFixMeta']) { wpmuLdapFixMeta(); update_site_option('ldapfixmetafor15','true'); @@ -162,6 +179,12 @@ $ret['ldapAttributeDn'] = get_site_option('ldapAttributeDN',LDAP_DEFAULT_ATTRIBUTE_DN); $ret['ldapAttributeNixSearch'] = get_site_option('ldapAttributeNixSearch',LDAP_DEFAULT_ATTRIBUTE_NIXSEARCH); $ret['ldapAttributeWinSearch'] = get_site_option('ldapAttributeWinSearch',LDAP_DEFAULT_ATTRIBUTE_WINSEARCH); + $ret['ldapAttributeGroupObjectclass'] = get_site_option('ldapAttributeGroupObjectclass',LDAP_DEFAULT_ATTRIBUTE_GROUP_OBJECTCLASS); + + $ret['ldapGroupAllowLogin'] = wpmuLdapGroupsGet(array('siteoption' => 'ldapGroupAllowLogin','display' => 'web')); + $ret['ldapGroupAllowLoginCreate'] = wpmuLdapGroupsGet(array('siteoption' => 'ldapGroupAllowLoginCreate','display' => 'web')); + $ret['ldapGroupDenyLogin'] = wpmuLdapGroupsGet(array('siteoption' => 'ldapGroupDenyLogin','display' => 'web')); + return $ret; } 
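Review bot: The `ldapGroupsSave` branch writes `$_POST['ldapGroupAllowLogin']` and `$_POST['ldapGroupDenyLogin']` straight into site-wide access policy with no nonce or capability check visible in the hunk; if the enclosing handler (its start is outside the hunk) does not already call `check_admin_referer()` and `current_user_can()` before dispatching on `$_POST`, a forged request carried by a logged-in admin's browser can rewrite the allow and deny lists. WordPress also adds slashes to `$_POST`, so a group DN with an escaped comma such as `CN=Doe\, John,...` is stored with a doubled backslash and will never equal the directory's spelling; apply `stripslashes()` first, i.e. `explode("\n", stripslashes($_POST['ldapGroupAllowLogin']))` and likewise for the deny list. `$_POST['ldapGroupsSave']` is read without `isset()`, and the three commented-out `$allowCreate` lines should be deleted rather than kept in the source.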
@@ -537,13 +560,20 @@ </td> </tr> <tr valign="top"> - <th scope="row"><label for="ldapAttributeMember">Member:</label></th> + <th scope="row"><label for="ldapAttributeMember">Group Attribute:</label></th> <td> <input type="text" name="ldapAttributeMember" id="ldapAttributeMember" value="<?php echo $ldapAttributeMember ?>" /> <br/> </td> </tr> <tr valign="top"> + <th scope="row"><label for="ldapAttributeGroupObjectclass">Group Objectclass:</label></th> + <td> + <input type="text" name="ldapAttributeGroupObjectclass" id="ldapAttributeGroupObjectclass" value="<?php echo $ldapAttributeGroupObjectclass ?>" /> + <br/> + </td> + </tr> + <tr valign="top"> <th scope="row"><label for="ldapAttributeMacaddress">Mac Address:</label></th> <td> <input type="text" name="ldapAttributeMacaddress" id="ldapAttributeMacaddress" value="<?php echo $ldapAttributeMacaddress ?>" /> 
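Review bot: The new `ldapAttributeGroupObjectclass` input echoes the stored option into an HTML attribute with a bare `<?php echo $ldapAttributeGroupObjectclass ?>`, so a `"` or `>` that reaches the option (from this form or anything else that can write site options) breaks out of the attribute. Escape it: `value="<?php echo esc_attr($ldapAttributeGroupObjectclass) ?>"`, or `htmlspecialchars(..., ENT_QUOTES)` where `esc_attr` is unavailable. The neighbouring inputs share the pattern, but the new line is the one under review. The relabelling of `ldapAttributeMember` from "Member:" to "Group Attribute:" reads ambiguously beside the new "Group Objectclass:" row; "Group member attribute:" says what the field actually holds.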
@@ -575,7 +605,41 @@ <p class="submit"><input type="submit" name="ldapOptionsSave" value="Save Attributes" /></p> </form> <?php +} +function ldapOptionsPanelGroup() { + extract(getWpmuLdapSiteOptions()); +?> + <form method="post" id="ldap_auth_groups"> + <h3>LDAP Group Settings</h3> + <p>This page allows you to specify allow and deny groups for site wide blog access. In the boxes below, enter the + full dn to each group. For multiple groups, enter each group on a new line. Nested groups are supported.</p> + <table class="form-table"> + <tr valign="top"> + <th scope="row"><label for="ldap">Allow Login:</label></th> + <td> + <textarea rows="2" cols="70" name="ldapGroupAllowLogin" id="ldapGroupAllowLogin"><?php echo $ldapGroupAllowLogin ?></textarea> + <br/> + </td> + </tr> +<!-- <tr valign="top"> + <th scope="row"><label for="ldap">Allow Login w/automatic blog creation:</label></th> + <td> + <textarea rows="2" cols="70" name="ldapGroupAllowLoginCreate" id="ldapGroupAllowLoginCreate""><?php echo $ldapGroupAllowLoginCreate ?></textarea> + <br/> + </td> + </tr>--> + <tr valign="top"> + <th scope="row"><label for="ldap">Deny Login:</label></th> + <td> + <textarea rows="2" cols="70" name="ldapGroupDenyLogin" id="ldapGroupDenyLogin"><?php echo $ldapGroupDenyLogin ?></textarea> + <br/> + </td> + </tr> + </table> + <p class="submit"><input type="submit" name="ldapGroupsSave" value="Save Groups" /></p> + </form> +<?php } /** This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
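Review bot: Both textareas in `ldapOptionsPanelGroup` echo the stored group lists unescaped (`<?php echo $ldapGroupAllowLogin ?>`, `<?php echo $ldapGroupDenyLogin ?>`); a `</textarea>` sequence in a saved value closes the element and the remainder is rendered as markup. Wrap each in `htmlspecialchars($ldapGroupAllowLogin, ENT_QUOTES, 'UTF-8')` (or `esc_textarea()` where the WordPress version provides it). Both `<label for="ldap">` elements point at an id that does not exist; they should be `for="ldapGroupAllowLogin"` and `for="ldapGroupDenyLogin"`. The commented-out "Allow Login w/automatic blog creation" row carries a broken attribute (`id="ldapGroupAllowLoginCreate""`) and is dead markup; drop it together with the matching commented code in the save handler, or finish the feature.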