Added SASL EXTERNAL authentication support

New auth_type 'sasl_external'.  Login is hard coded as 'external'
This commit is contained in:
Scott Shambarger 2019-11-03 20:14:12 +00:00 committed by Deon George
parent a8fe6f3274
commit da69ebf06a
4 changed files with 23 additions and 2 deletions


@ -314,6 +314,7 @@ $servers->setValue('server','name','My LDAP Server');
login will be required to use phpLDAPadmin for this server. login will be required to use phpLDAPadmin for this server.
5. 'sasl': login will be taken from the webserver's kerberos authentication. 5. 'sasl': login will be taken from the webserver's kerberos authentication.
Currently only GSSAPI has been tested (using mod_auth_kerb). Currently only GSSAPI has been tested (using mod_auth_kerb).
6. 'sasl_external': login will be taken from SASL external mechanism.
Choose wisely to protect your authentication information appropriately for Choose wisely to protect your authentication information appropriately for
your situation. If you choose 'cookie', your cookie contents will be your situation. If you choose 'cookie', your cookie contents will be
@ -355,6 +356,9 @@ $servers->setValue('server','name','My LDAP Server');
NOTE: auth_type must be simple auth compatible (ie not sasl) */ NOTE: auth_type must be simple auth compatible (ie not sasl) */
# $servers->setValue('sasl','mech','PLAIN'); # $servers->setValue('sasl','mech','PLAIN');
/* SASL EXTERNAL support... really a different auth_type */
# $servers->setValue('login','auth_type','sasl_external');
/* SASL authentication realm name */ /* SASL authentication realm name */
// $servers->setValue('sasl','realm',''); // $servers->setValue('sasl','realm','');
# $servers->setValue('sasl','realm','EXAMPLE.COM'); # $servers->setValue('sasl','realm','EXAMPLE.COM');


@ -136,6 +136,7 @@ class HTMLTree extends Tree {
case 'config': case 'config':
case 'proxy': case 'proxy':
case 'sasl': case 'sasl':
case 'sasl_external':
break; break;
default: default:
@ -334,7 +335,7 @@ class HTMLTree extends Tree {
$server = $this->getServer(); $server = $this->getServer();
$href = sprintf('cmd.php?cmd=logout&server_id=%s',$server->getIndex()); $href = sprintf('cmd.php?cmd=logout&server_id=%s',$server->getIndex());
if (! $_SESSION[APPCONFIG]->isCommandAvailable('script','logout') || in_array($server->getAuthType(),array('config','http','proxy','sasl'))) if (! $_SESSION[APPCONFIG]->isCommandAvailable('script','logout') || in_array($server->getAuthType(),array('config','http','proxy','sasl','sasl_external')))
return ''; return '';
else else
return sprintf('<a href="%s" title="%s"><img src="%s/%s" alt="%s" /><br />%s</a>', return sprintf('<a href="%s" title="%s"><img src="%s/%s" alt="%s" /><br />%s</a>',
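Review bot: The list of auth_types that suppress the logout link is now maintained by hand in this condition and again in the `isLoggedIn`/`logout` switches of DS touched by the same commit, so the next externally-managed auth_type has to be added in three places. A single predicate on DS, e.g. `public function isExternallyAuthenticated() { return in_array($this->getAuthType(),array('config','http','proxy','sasl','sasl_external'),true); }`, called from this `if` would keep the two files in step. While touching the call, passing `true` as the third argument to `in_array` avoids loose comparison on the auth_type string. The method this condition belongs to starts outside the hunk.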


@ -139,6 +139,7 @@ abstract class DS {
case 'proxy': case 'proxy':
case 'session': case 'session':
case 'sasl': case 'sasl':
case 'sasl_external':
return $this->getValue('login','auth_type'); return $this->getValue('login','auth_type');
default: default:
@ -194,6 +195,8 @@ abstract class DS {
else else
return blowfish_decrypt($_SESSION['USER'][$this->index][$method]['name']); return blowfish_decrypt($_SESSION['USER'][$this->index][$method]['name']);
case 'sasl_external':
return 'external';
default: default:
die(sprintf('Error: %s hasnt been configured for auth_type %s',__METHOD__,$this->getAuthType())); die(sprintf('Error: %s hasnt been configured for auth_type %s',__METHOD__,$this->getAuthType()));
} }
@ -215,6 +218,7 @@ abstract class DS {
return true; return true;
case 'config': case 'config':
case 'sasl_external':
return true; return true;
case 'proxy': case 'proxy':
@ -274,6 +278,8 @@ abstract class DS {
else else
return blowfish_decrypt($_SESSION['USER'][$this->index][$method]['pass']); return blowfish_decrypt($_SESSION['USER'][$this->index][$method]['pass']);
case 'sasl_external':
return '';
default: default:
die(sprintf('Error: %s hasnt been configured for auth_type %s',__METHOD__,$this->getAuthType())); die(sprintf('Error: %s hasnt been configured for auth_type %s',__METHOD__,$this->getAuthType()));
} }
@ -400,6 +406,7 @@ abstract class DS {
set_cookie($method.'-PASS','',time()-3600,'/'); set_cookie($method.'-PASS','',time()-3600,'/');
case 'config': case 'config':
case 'sasl_external':
return true; return true;
case 'http': case 'http':
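Review bot: For `sasl_external` the login is the literal string `'external'` and `isLoggedIn` returns true unconditionally, so every client identity is recorded and displayed under the same name, and the "logged in" state is asserted before any bind has been attempted; the real authentication check is the EXTERNAL bind in class ldap. That trade-off should be written down next to the new cases, e.g. `# EXTERNAL: identity is supplied by the transport (TLS client certificate or ldapi peer), not by the session; the SASL bind is the authentication check and this login string is only a placeholder.` If a per-user name is wanted for the tree header or logs, the bound identity would have to be resolved after the bind rather than hard coded here. Each of the switch statements these cases extend begins and ends outside its hunk.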


@ -590,6 +590,8 @@ class ldap extends DS {
* $servers->setValue('login','auth_type','sasl'); * $servers->setValue('login','auth_type','sasl');
* OR * OR
* $servers->setValue('sasl','mech','PLAIN'); * $servers->setValue('sasl','mech','PLAIN');
* OR
* $servers->setValue('login','auth_type','sasl_external');
* </code> * </code>
* *
* @return boolean * @return boolean
@ -598,7 +600,7 @@ class ldap extends DS {
if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS')) if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
debug_log('Entered (%%)',17,0,__FILE__,__LINE__,__METHOD__,$fargs); debug_log('Entered (%%)',17,0,__FILE__,__LINE__,__METHOD__,$fargs);
if (! in_array($this->getValue('login','auth_type'), array('sasl'))) { if (! in_array($this->getValue('login','auth_type'), array('sasl','sasl_external'))) {
// check if SASL mech uses login from other auth_types // check if SASL mech uses login from other auth_types
if (! in_array(strtolower($this->getValue('sasl', 'mech')), array('plain'))) if (! in_array(strtolower($this->getValue('sasl', 'mech')), array('plain')))
return false; return false;
@ -630,6 +632,13 @@ class ldap extends DS {
if ($method == 'anon') if ($method == 'anon')
return false; return false;
# EXTERNAL mech is really a different authType
if ($this->getAuthType() == 'sasl_external') {
return @ldap_sasl_bind($resource,NULL,NULL,
'EXTERNAL',NULL,NULL,
$this->getValue('sasl','props'));
}
# At the moment, we have only implemented GSSAPI and PLAIN # At the moment, we have only implemented GSSAPI and PLAIN
if (! in_array(strtolower($this->getValue('sasl','mech')),array('gssapi','plain'))) { if (! in_array(strtolower($this->getValue('sasl','mech')),array('gssapi','plain'))) {
system_message(array( system_message(array(
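Review bot: The new EXTERNAL branch returns the value of `@ldap_sasl_bind(...)` directly, so when the server cannot map an external identity for this connection (no TLS client certificate presented, or not an ldapi socket) the bind fails and the suppressed diagnostic is lost, leaving the caller with a bare false. Capture the result and record the server's reason before returning, e.g. `$result = @ldap_sasl_bind($resource,NULL,NULL,'EXTERNAL',NULL,NULL,$this->getValue('sasl','props'));` / `if (! $result) debug_log('EXTERNAL bind failed: %s',17,0,__FILE__,__LINE__,__METHOD__,ldap_error($resource));` / `return $result;`. The doc block extended earlier in this file should also state that `sasl_external` presumes a transport that carries the client identity, since `getPassword()` returns an empty string for this type and nothing else in the branch authenticates the user. The enclosing method begins and ends outside the hunk.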