Add SASL PLAIN authentication support (#92)
Adds a new sasl mech 'plain' which converts all simple authentication methods to SASL PLAIN. NOTE: doesn't use auth_type 'sasl' as credentials may come from login form, stored in cookies etc...
This commit is contained in:
parent
4eb3737d31
commit
0fe1758572
@ -341,11 +341,16 @@ $servers->setValue('server','name','My LDAP Server');
|
|||||||
/* Enable SASL authentication LDAP SASL authentication requires PHP 5.x
|
/* Enable SASL authentication LDAP SASL authentication requires PHP 5.x
|
||||||
configured with --with-ldap-sasl=DIR. If this option is disabled (ie, set to
|
configured with --with-ldap-sasl=DIR. If this option is disabled (ie, set to
|
||||||
false), then all other sasl options are ignored. */
|
false), then all other sasl options are ignored. */
|
||||||
// $servers->setValue('login','auth_type','sasl');
|
# $servers->setValue('login','auth_type','sasl');
|
||||||
|
|
||||||
/* SASL auth mechanism */
|
/* SASL GSSAPI auth mechanism (requires auth_type of sasl) */
|
||||||
// $servers->setValue('sasl','mech','GSSAPI');
|
// $servers->setValue('sasl','mech','GSSAPI');
|
||||||
|
|
||||||
|
/* SASL PLAIN support... this mech converts simple binds to SASL
|
||||||
|
PLAIN binds using any auth_type (or other bind_id/pass) as credentials.
|
||||||
|
NOTE: auth_type must be simple auth compatible (ie not sasl) */
|
||||||
|
# $servers->setValue('sasl','mech','PLAIN');
|
||||||
|
|
||||||
/* SASL authentication realm name */
|
/* SASL authentication realm name */
|
||||||
// $servers->setValue('sasl','realm','');
|
// $servers->setValue('sasl','realm','');
|
||||||
# $servers->setValue('sasl','realm','EXAMPLE.COM');
|
# $servers->setValue('sasl','realm','EXAMPLE.COM');
|
||||||
|
@ -195,7 +195,7 @@ class ldap extends DS {
|
|||||||
|
|
||||||
# If SASL has been configured for binding, then start it now.
|
# If SASL has been configured for binding, then start it now.
|
||||||
if ($this->isSASLEnabled())
|
if ($this->isSASLEnabled())
|
||||||
$bind['result'] = $this->startSASL($resource,$method);
|
$bind['result'] = $this->startSASL($resource,$method,$bind['id'],$bind['pass']);
|
||||||
|
|
||||||
# Normal bind...
|
# Normal bind...
|
||||||
else
|
else
|
||||||
@ -588,6 +588,8 @@ class ldap extends DS {
|
|||||||
* Users may configure phpLDAPadmin to use SASL in config,php thus:
|
* Users may configure phpLDAPadmin to use SASL in config,php thus:
|
||||||
* <code>
|
* <code>
|
||||||
* $servers->setValue('login','auth_type','sasl');
|
* $servers->setValue('login','auth_type','sasl');
|
||||||
|
* OR
|
||||||
|
* $servers->setValue('sasl','mech','PLAIN');
|
||||||
* </code>
|
* </code>
|
||||||
*
|
*
|
||||||
* @return boolean
|
* @return boolean
|
||||||
@ -596,8 +598,11 @@ class ldap extends DS {
|
|||||||
if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
|
if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
|
||||||
debug_log('Entered (%%)',17,0,__FILE__,__LINE__,__METHOD__,$fargs);
|
debug_log('Entered (%%)',17,0,__FILE__,__LINE__,__METHOD__,$fargs);
|
||||||
|
|
||||||
if ($this->getValue('login','auth_type') != 'sasl')
|
if (! in_array($this->getValue('login','auth_type'), array('sasl'))) {
|
||||||
return false;
|
// check if SASL mech uses login from other auth_types
|
||||||
|
if (! in_array(strtolower($this->getValue('sasl', 'mech')), array('plain')))
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
if (! function_exists('ldap_sasl_bind')) {
|
if (! function_exists('ldap_sasl_bind')) {
|
||||||
error(_('SASL has been enabled in your config, but your PHP install does not support SASL. SASL will be disabled.'),'warn');
|
error(_('SASL has been enabled in your config, but your PHP install does not support SASL. SASL will be disabled.'),'warn');
|
||||||
@ -615,7 +620,7 @@ class ldap extends DS {
|
|||||||
*
|
*
|
||||||
* @todo This has not been tested, please let the developers know if this function works as expected.
|
* @todo This has not been tested, please let the developers know if this function works as expected.
|
||||||
*/
|
*/
|
||||||
private function startSASL($resource,$method) {
|
private function startSASL($resource,$method,$login,$pass) {
|
||||||
if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
|
if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
|
||||||
debug_log('Entered (%%)',17,0,__FILE__,__LINE__,__METHOD__,$fargs);
|
debug_log('Entered (%%)',17,0,__FILE__,__LINE__,__METHOD__,$fargs);
|
||||||
|
|
||||||
@ -625,8 +630,8 @@ class ldap extends DS {
|
|||||||
if ($method == 'anon')
|
if ($method == 'anon')
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
# At the moment, we have only implemented GSSAPI
|
# At the moment, we have only implemented GSSAPI and PLAIN
|
||||||
if (! in_array(strtolower($this->getValue('sasl','mech')),array('gssapi'))) {
|
if (! in_array(strtolower($this->getValue('sasl','mech')),array('gssapi','plain'))) {
|
||||||
system_message(array(
|
system_message(array(
|
||||||
'title'=>_('SASL Method not implemented'),
|
'title'=>_('SASL Method not implemented'),
|
||||||
'body'=>sprintf('<b>%s</b>: %s %s',_('Error'),$this->getValue('sasl','mech'),_('has not been implemented yet')),
|
'body'=>sprintf('<b>%s</b>: %s %s',_('Error'),$this->getValue('sasl','mech'),_('has not been implemented yet')),
|
||||||
@ -635,8 +640,15 @@ class ldap extends DS {
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (strtolower($this->getValue('sasl','mech')) == 'plain') {
|
||||||
|
return @ldap_sasl_bind($resource,NULL,$pass,'PLAIN',
|
||||||
|
$this->getValue('sasl','realm'),
|
||||||
|
$login,
|
||||||
|
$this->getValue('sasl','props'));
|
||||||
|
}
|
||||||
|
|
||||||
if (! isset($CACHE['login_dn']))
|
if (! isset($CACHE['login_dn']))
|
||||||
$CACHE['login_dn'] = is_null($this->getLogin($method)) ? $this->getLogin('user') : $this->getLogin($method);
|
$CACHE['login_dn'] = $login;
|
||||||
|
|
||||||
$CACHE['authz_id'] = '';
|
$CACHE['authz_id'] = '';
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user