Menu
▾
▴
[Wpmu-ldap-commits] SF.net SVN: wpmu-ldap:[105] trunk/ldap/lib
|
From: <axe...@us...> - 2010-02-19 14:35:48
|
Revision: 105
http://wpmu-ldap.svn.sourceforge.net/wpmu-ldap/?rev=105&view=rev
Author: axelseaa
Date: 2010-02-19 14:35:41 +0000 (Fri, 19 Feb 2010)
Log Message:
-----------
global allow and deny groups implemented - nested group support
Modified Paths:
--------------
trunk/ldap/lib/defines.php
trunk/ldap/lib/ldap_core.php
trunk/ldap/lib/ldap_ro.php
trunk/ldap/lib/wpmu_ldap.functions.php
trunk/ldap/lib/wpmu_ldap_admin.functions.php
Modified: trunk/ldap/lib/defines.php
===================================================================
--- trunk/ldap/lib/defines.php 2010-01-31 18:35:00 UTC (rev 104)
+++ trunk/ldap/lib/defines.php 2010-02-19 14:35:41 UTC (rev 105)
@@ -1,12 +1,17 @@
<?php
-define ('LDAP_OK', '0');
-define ('LDAP_ERROR_NO_PASSWORD', '-1');
-define ('LDAP_ERROR_NO_NOVELL_ID', '-2');
-define ('LDAP_ERROR_USER_NOT_FOUND', '-3');
-define ('LDAP_ERROR_NO_EMAIL_IN_NDS', '-4');
-define ('LDAP_ERROR_CONNECTION', '-5');
-define ('LDAP_ERROR_WRONG_PASSWORD', '-6');
-define ('LDAP_ERROR_EMPTY_PARAM', '-7');
+define ('LDAP_OK', '0');
+define ('LDAP_IN_GROUP', '1');
+define ('LDAP_GROUP_NOT_SET', '2');
+define ('LDAP_ERROR_NO_PASSWORD', '-1');
+define ('LDAP_ERROR_NO_NOVELL_ID', '-2');
+define ('LDAP_ERROR_USER_NOT_FOUND', '-3');
+define ('LDAP_ERROR_NO_EMAIL_IN_NDS', '-4');
+define ('LDAP_ERROR_CONNECTION', '-5');
+define ('LDAP_ERROR_WRONG_PASSWORD', '-6');
+define ('LDAP_ERROR_EMPTY_PARAM', '-7');
+define ('LDAP_ERROR_ACCESS_GROUP', '-8');
+define ('LDAP_ERROR_DENIED_GROUP', '-9');
+define ('LDAP_ERROR_NOT_IN_GROUP', '-10');
define ('LDAP_INDEX_EMAIL', '0');
define ('LDAP_INDEX_NAME', '1');
@@ -36,6 +41,7 @@
define ('LDAP_DEFAULT_ATTRIBUTE_DN', 'dn');
define ('LDAP_DEFAULT_ATTRIBUTE_NIXSEARCH', 'uid');
define ('LDAP_DEFAULT_ATTRIBUTE_WINSEARCH', 'samaccountname');
+define ('LDAP_DEFAULT_ATTRIBUTE_GROUP_OBJECTCLASS','group');
define ('LDAP_DELIM', ",");
define ('LDAP_USER_SEARCH_FULLNAME', '0');
Modified: trunk/ldap/lib/ldap_core.php
===================================================================
--- trunk/ldap/lib/ldap_core.php 2010-01-31 18:35:00 UTC (rev 104)
+++ trunk/ldap/lib/ldap_core.php 2010-02-19 14:35:41 UTC (rev 105)
@@ -196,5 +196,69 @@
if ($type == LDAP_INDEX_DN) return $this->info[0][$dn];
if ($type == LDAP_INDEX_NICKNAME) return empty($nickname) ? false : $this->info[0][$nickname][0];
}
+
+ function checkGroup($userDN,$groups){
+ //Make sure we're connected - we're not when this is called from the admin side
+ if (!$this->connection_handle) {
+ $this->connect();
+ }
+
+ if (empty($groups)) return LDAP_GROUP_NOT_SET;
+
+ // Get Groups
+ $this->SetSearchCriteria("(&(".get_site_option('ldapAttributeMember',LDAP_DEFAULT_ATTRIBUTE_MEMBER)."=$userDN)(objectclass=".get_site_option('ldapAttributeGroupObjectclass',LDAP_DEFAULT_ATTRIBUTE_GROUP_OBJECTCLASS)."))", array(get_site_option('ldapAttributeDN',LDAP_DEFAULT_ATTRIBUTE_DN)));
+ $this->Search();
+ $results = ldap_get_entries($this->connection_handle, $this->search_result);
+ // Check Groups
+ $userGroups = array();
+ for ($i = 0; $i < $results['count']; $i++) {
+ $userGroups[$i] = strtolower($results[$i][get_site_option('ldapAttributeDN',LDAP_DEFAULT_ATTRIBUTE_DN)]);
+ if (in_array($userGroups[$i],$groups)) return LDAP_IN_GROUP;
+ }
+
+ if ($this->checkGroupNested($groups,$userGroups)) {
+ return LDAP_IN_GROUP;
+ }
+
+ // Check for nested groups
+ return LDAP_ERROR_NOT_IN_GROUP;
+ }
+
+ /* Recursive function used to check nested groups */
+ function checkGroupNested($reqgroups,$groups,$checkedgroups = array()) {
+ if (!$groups) return false; //no more groups left to check
+
+ #print "Checking Groups ".implode(",",$groups)." <br/>";
+
+ $groupstocheck = array();
+ foreach ($groups as $group) {
+ // Get User Groups
+ $attributes_to_get = array(get_site_option('ldapAttributeDN',LDAP_DEFAULT_ATTRIBUTE_DN));
+ $this->SetSearchCriteria("(&(".get_site_option('ldapAttributeMember',LDAP_DEFAULT_ATTRIBUTE_MEMBER)."=$group)(objectclass=".get_site_option('ldapAttributeGroupObjectclass',LDAP_DEFAULT_ATTRIBUTE_GROUP_OBJECTCLASS)."))", $attributes_to_get);
+ $this->Search();
+ $results = ldap_get_entries($this->connection_handle, $this->search_result);
+ $returnedgroups = array();
+ for ($i = 0; $i < $results['count']; $i++) {
+ array_push($returnedgroups,strtolower($results[$i][get_site_option('ldapAttributeDN',LDAP_DEFAULT_ATTRIBUTE_DN)]));
+ }
+
+ #print "Group $group is a member of: ".implode(",",$returnedgroups)."<br/>";
+
+ foreach ($returnedgroups as $checkgroup) {
+ if (in_array($checkgroup, $checkedgroups)) {
+ continue;
+ }
+
+ #print "Checking membership for $checkgroup<br/>";
+
+ if (in_array($checkgroup, $reqgroups)) {
+ return true;
+ } else {
+ array_push($groupstocheck,$checkgroup);
+ }
+ }
+ }
+ $checkedgroups = array_unique(array_merge($groups,$checkedgroups));
+ return $this->checkGroupNested($reqgroups,$groupstocheck,$checkedgroups);
+ }
}
-?>
Modified: trunk/ldap/lib/ldap_ro.php
===================================================================
--- trunk/ldap/lib/ldap_ro.php 2010-01-31 18:35:00 UTC (rev 104)
+++ trunk/ldap/lib/ldap_ro.php 2010-02-19 14:35:41 UTC (rev 105)
@@ -33,6 +33,7 @@
get_site_option('ldapAttributeGivenname',LDAP_DEFAULT_ATTRIBUTE_GIVENNAME),
get_site_option('ldapAttributeSn',LDAP_DEFAULT_ATTRIBUTE_SN),
get_site_option('ldapAttributePhone',LDAP_DEFAULT_ATTRIBUTE_PHONE));
+
if (get_site_option('ldapLinuxWindows'))
$uid = get_site_option('ldapAttributeNixSearch',LDAP_DEFAULT_ATTRIBUTE_NIXSEARCH); //Linux
else
@@ -62,8 +63,18 @@
$user_data[LDAP_INDEX_GIVEN_NAME] = $this->GetLDAPInfo (LDAP_INDEX_GIVEN_NAME);
$user_data[LDAP_INDEX_SURNAME] = $this->GetLDAPInfo (LDAP_INDEX_SURNAME);
$user_data[LDAP_INDEX_PHONE] = $this->GetLDAPInfo (LDAP_INDEX_PHONE);
-
- // Success!
+ $user_data[LDAP_INDEX_MEMBER] = $this->GetLDAPInfo (LDAP_INDEX_MEMBER);
+
+ // If deny group set and user found, return
+ $deny = $this->checkGroup($user_data[LDAP_INDEX_DN],wpmuLdapGroupsGet(array('siteoption' => 'ldapGroupDenyLogin')));
+ if ($deny == LDAP_IN_GROUP) return LDAP_ERROR_DENIED_GROUP;
+
+ // If allow group set and user found,
+ $allow = $this->checkGroup($user_data[LDAP_INDEX_DN],wpmuLdapGroupsGet(array('siteoption' => 'ldapGroupAllowLogin')));
+ if ($allow == LDAP_IN_GROUP) return LDAP_OK; // found in group
+ if ($allow == LDAP_ERROR_NOT_IN_GROUP) return LDAP_ERROR_ACCESS_GROUP; // not in group
+
+ // Default Catch
$return = LDAP_OK;
}
else {
Modified: trunk/ldap/lib/wpmu_ldap.functions.php
===================================================================
--- trunk/ldap/lib/wpmu_ldap.functions.php 2010-01-31 18:35:00 UTC (rev 104)
+++ trunk/ldap/lib/wpmu_ldap.functions.php 2010-02-19 14:35:41 UTC (rev 105)
@@ -87,13 +87,20 @@
if ($result == LDAP_OK) {
return array('result' => true,'userdata' => $userDataArray);
}
-
// handle both at once, for security
else if ( ($result == LDAP_ERROR_USER_NOT_FOUND || $result == LDAP_ERROR_WRONG_PASSWORD) ) {
$errors->add('invalid_userpass',__('<strong>ERROR</strong>: Wrong username / password combination.'));
return array('result' => false,'errors' => $errors);
}
-
+ // check security group
+ else if ( $result == LDAP_ERROR_ACCESS_GROUP ){
+ $errors->add('wrong_group',__('<strong>ERROR</strong>: Access denied - user not found in security access group(s).'));
+ return array('result' => false,'errors' => $errors);
+ }
+ elseif ($result == LDAP_ERROR_DENIED_GROUP) {
+ $errors->add('deny_group',__('<strong>ERROR</strong>: Access denied - user found in security deny group(s).'));
+ return array('result' => false,'errors' => $errors);
+ }
// the trickle-through catch-all
else {
$errors->add('unknown_error',__('<strong>ERROR</strong>: Unknown error in LDAP Authentication.'));
@@ -182,12 +189,16 @@
get_site_option('ldapAttributeGivenname',LDAP_DEFAULT_ATTRIBUTE_GIVENNAME),
get_site_option('ldapAttributeSn',LDAP_DEFAULT_ATTRIBUTE_SN),
get_site_option('ldapAttributePhone',LDAP_DEFAULT_ATTRIBUTE_PHONE));
-
$userDataArray = null;
if ($server->DoSearchUsername($in_username, $attributes_to_get, $userDataArray) == LDAP_OK) {
- if (!empty($userDataArray))
- return true;
+ if (!empty($userDataArray)) {
+ if ($server->checkGroup($userDataArray[LDAP_INDEX_DN]) == 0) {
+ return true;
+ } else {
+ return false;
+ }
+ }
}
return false;
}
@@ -366,3 +377,13 @@
return $username;
}
+
+/**/
+function wpmuLdapGroupsGet($opts = array()) {
+ if (empty($opts['siteoption'])) return;
+ if (empty($opts['display'])) $opts['display'] = 'array';
+ $groups = unserialize(get_site_option($opts['siteoption']));
+ if (empty($groups)) return;
+ if ($opts['display'] == 'array') return array_filter(array_map('strtolower', $groups));
+ elseif ($opts['display'] == 'web') return implode("\n",$groups);
+}
Modified: trunk/ldap/lib/wpmu_ldap_admin.functions.php
===================================================================
--- trunk/ldap/lib/wpmu_ldap_admin.functions.php 2010-01-31 18:35:00 UTC (rev 104)
+++ trunk/ldap/lib/wpmu_ldap_admin.functions.php 2010-02-19 14:35:41 UTC (rev 105)
@@ -42,6 +42,8 @@
ldapOptionsPanelUpdates();
} elseif ($tab == 'general') {
ldapOptionsPanelGeneral();
+ } elseif ($tab == 'group') {
+ ldapOptionsPanelGroup();
} else {
ldapOptionsPanelConnection();
}
@@ -56,6 +58,7 @@
echo '<a href="?page=wpmu_ldap_admin.functions.php"'.((empty($tab) || $tab == 'connection') ? ' class="wpmuLdapOptionMenuSelected"' : '').'>Connection Settings</a> | ';
echo '<a href="?page=wpmu_ldap_admin.functions.php&ldaptab=general"'.($tab == 'general' ? ' class="wpmuLdapOptionMenuSelected"' : '').'>General Settings</a> | ';
echo '<a href="?page=wpmu_ldap_admin.functions.php&ldaptab=attributes"'.($tab == 'attributes' ? ' class="wpmuLdapOptionMenuSelected"' : '').'>Attribute Mapping</a> | ';
+ echo '<a href="?page=wpmu_ldap_admin.functions.php&ldaptab=group"'.($tab == 'group' ? ' class="wpmuLdapOptionMenuSelected"' : '').'>Group Settings</a> | ';
echo '<a href="?page=wpmu_ldap_admin.functions.php&ldaptab=upgrade"'.($tab == 'upgrade' ? ' class="wpmuLdapOptionMenuSelected"' : '').'>Upgrade</a>';
echo '</p><hr/>';
}
@@ -76,6 +79,20 @@
}
echo "<div id='message' class='updated fade'><p>Saved Options!</p></div>";
+ } else if ($_POST['ldapGroupsSave']) {
+ $allow = explode("\n", $_POST['ldapGroupAllowLogin']);
+ $allow = array_filter(array_map('trim', $allow));
+ update_site_option('ldapGroupAllowLogin',serialize($allow));
+
+ #$allowCreate = explode("\n", $_POST['ldapGroupAllowLoginCreate']);
+ #$allowCreate = array_filter(array_map('trim', $allowCreate));
+ #update_site_option('ldapGroupAllowLoginCreate',serialize($allowCreate));
+
+ $deny = explode("\n", $_POST['ldapGroupDenyLogin']);
+ $deny = array_filter(array_map('trim', $deny));
+ update_site_option('ldapGroupDenyLogin',serialize($deny));
+
+ echo "<div id='message' class='updated fade'><p>Saved Options!</p></div>";
} else if ($_POST['ldapFixMeta']) {
wpmuLdapFixMeta();
update_site_option('ldapfixmetafor15','true');
@@ -162,6 +179,12 @@
$ret['ldapAttributeDn'] = get_site_option('ldapAttributeDN',LDAP_DEFAULT_ATTRIBUTE_DN);
$ret['ldapAttributeNixSearch'] = get_site_option('ldapAttributeNixSearch',LDAP_DEFAULT_ATTRIBUTE_NIXSEARCH);
$ret['ldapAttributeWinSearch'] = get_site_option('ldapAttributeWinSearch',LDAP_DEFAULT_ATTRIBUTE_WINSEARCH);
+ $ret['ldapAttributeGroupObjectclass'] = get_site_option('ldapAttributeGroupObjectclass',LDAP_DEFAULT_ATTRIBUTE_GROUP_OBJECTCLASS);
+
+ $ret['ldapGroupAllowLogin'] = wpmuLdapGroupsGet(array('siteoption' => 'ldapGroupAllowLogin','display' => 'web'));
+ $ret['ldapGroupAllowLoginCreate'] = wpmuLdapGroupsGet(array('siteoption' => 'ldapGroupAllowLoginCreate','display' => 'web'));
+ $ret['ldapGroupDenyLogin'] = wpmuLdapGroupsGet(array('siteoption' => 'ldapGroupDenyLogin','display' => 'web'));
+
return $ret;
}
@@ -537,13 +560,20 @@
</td>
</tr>
<tr valign="top">
- <th scope="row"><label for="ldapAttributeMember">Member:</label></th>
+ <th scope="row"><label for="ldapAttributeMember">Group Attribute:</label></th>
<td>
<input type="text" name="ldapAttributeMember" id="ldapAttributeMember" value="<?php echo $ldapAttributeMember ?>" />
<br/>
</td>
</tr>
<tr valign="top">
+ <th scope="row"><label for="ldapAttributeGroupObjectclass">Group Objectclass:</label></th>
+ <td>
+ <input type="text" name="ldapAttributeGroupObjectclass" id="ldapAttributeGroupObjectclass" value="<?php echo $ldapAttributeGroupObjectclass ?>" />
+ <br/>
+ </td>
+ </tr>
+ <tr valign="top">
<th scope="row"><label for="ldapAttributeMacaddress">Mac Address:</label></th>
<td>
<input type="text" name="ldapAttributeMacaddress" id="ldapAttributeMacaddress" value="<?php echo $ldapAttributeMacaddress ?>" />
@@ -575,7 +605,41 @@
<p class="submit"><input type="submit" name="ldapOptionsSave" value="Save Attributes" /></p>
</form>
<?php
+}
+function ldapOptionsPanelGroup() {
+ extract(getWpmuLdapSiteOptions());
+?>
+ <form method="post" id="ldap_auth_groups">
+ <h3>LDAP Group Settings</h3>
+ <p>This page allows you to specify allow and deny groups for site wide blog access. In the boxes below, enter the
+ full dn to each group. For multiple groups, enter each group on a new line. Nested groups are supported.</p>
+ <table class="form-table">
+ <tr valign="top">
+ <th scope="row"><label for="ldap">Allow Login:</label></th>
+ <td>
+ <textarea rows="2" cols="70" name="ldapGroupAllowLogin" id="ldapGroupAllowLogin"><?php echo $ldapGroupAllowLogin ?></textarea>
+ <br/>
+ </td>
+ </tr>
+<!-- <tr valign="top">
+ <th scope="row"><label for="ldap">Allow Login w/automatic blog creation:</label></th>
+ <td>
+ <textarea rows="2" cols="70" name="ldapGroupAllowLoginCreate" id="ldapGroupAllowLoginCreate""><?php echo $ldapGroupAllowLoginCreate ?></textarea>
+ <br/>
+ </td>
+ </tr>-->
+ <tr valign="top">
+ <th scope="row"><label for="ldap">Deny Login:</label></th>
+ <td>
+ <textarea rows="2" cols="70" name="ldapGroupDenyLogin" id="ldapGroupDenyLogin"><?php echo $ldapGroupDenyLogin ?></textarea>
+ <br/>
+ </td>
+ </tr>
+ </table>
+ <p class="submit"><input type="submit" name="ldapGroupsSave" value="Save Groups" /></p>
+ </form>
+<?php
}
/**
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|