From ef355e8193dcf290aa19b2ccda4586757164a775 Mon Sep 17 00:00:00 2001
From: Deon George
Date: Mon, 8 Jan 2024 12:54:58 +1100
Subject: [PATCH] Implement LdapRule to limit user logins by objectclass. Now logins are allowed by any objectclass unless LDAP_LOGIN_OBJECTCLASS is defined, we should be an array of allowed objectClass (any match). Improvement for #245
---
app/Ldap/Rules/LoginObjectclassRule.php | 27 +++
app/Ldap/User.php | 6 +-
config/auth.php | 211 ++++++++++++------------
config/config.php.example | 6 -
config/ldap.php | 10 ++
5 files changed, 149 insertions(+), 111 deletions(-)
create mode 100644 app/Ldap/Rules/LoginObjectclassRule.php
diff --git a/app/Ldap/Rules/LoginObjectclassRule.php b/app/Ldap/Rules/LoginObjectclassRule.php
new file mode 100644
index 0000000..e7e1eec
--- /dev/null
+++ b/app/Ldap/Rules/LoginObjectclassRule.php
@@ -0,0 +1,27 @@
+objectclass,$x));
+
+ // Otherwise allow the user to login
+ } else {
+ return TRUE;
+ }
+ }
+}
diff --git a/app/Ldap/User.php b/app/Ldap/User.php
index cea7e28..f1e4e41 100644
--- a/app/Ldap/User.php
+++ b/app/Ldap/User.php
@@ -5,15 +5,19 @@ namespace App\Ldap;
 use Laravel\Passport\HasApiTokens;
 use LdapRecord\Models\OpenLDAP\User as Model;
+use App\Ldap\Rules\LoginObjectclassRule;
+
 class User extends Model
 {
 use HasApiTokens;
 /**
 * The object classes of the LDAP model.
+ *
+ * @note We set this to an empty array so that any objectclass can login
+ * @see LoginObjectclassRule::class
 */
 public static array $objectClasses = [
- 'posixAccount',
 ];
 /* METHODS */
diff --git a/config/auth.php b/config/auth.php
index 4cb9951..292371e 100644
--- a/config/auth.php
+++ b/config/auth.php
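Review bot: The objectclass comparison that survives in this rendering (`objectclass,$x));` — the opening lines of LoginObjectclassRule.php, including the condition that selects the unconditional `return TRUE;` branch, were lost in extraction) needs to be case-insensitive: objectClass values use a case-insensitive matching rule in the directory, so a server may hand back `posixaccount` or `inetorgperson` while LDAP_LOGIN_OBJECTCLASS says `posixAccount`, and a plain string match would then reject a legitimate user. Lower-casing both the entry's objectclass values and the configured list (or using `strcasecmp`) before the match avoids that. Because this commit also empties `User::$objectClasses`, this rule is the only gate on who may log in, so the `else` branch returning `TRUE` should be reachable only when no objectclass is configured at all; a comment on that branch, e.g. `// No objectclass restriction configured: every bound user passes this rule`, would make that contract explicit. Minor: `TRUE` should be lowercase `true`.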
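Review bot: The new `use App\Ldap\Rules\LoginObjectclassRule;` import in User.php is referenced only from the docblock `@see`, so it is an unused import to PHP and static analysers will flag it; write the reference fully qualified, `* @see \App\Ldap\Rules\LoginObjectclassRule`, and drop the import together with the stray blank line after it. Emptying `$objectClasses` presumably also removes the objectclass filter the LdapRecord base model derives from this property for its queries (inferred from the base class, which is not visible here), so the login lookup now matches any entry found by the login attribute and the rule becomes the sole restriction; the docblock should state that rather than the bare `@note`, e.g. `* Empty so the login lookup matches entries of any objectclass; LoginObjectclassRule is the only gate.`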
@@ -2,121 +2,124 @@ return [
- /*
- |--------------------------------------------------------------------------
- | Authentication Defaults
- |--------------------------------------------------------------------------
- |
- | This option controls the default authentication "guard" and password
- | reset options for your application. You may change these defaults
- | as required, but they're a perfect start for most applications.
- |
- */
+ /*
+ |--------------------------------------------------------------------------
+ | Authentication Defaults
+ |--------------------------------------------------------------------------
+ |
+ | This option controls the default authentication "guard" and password
+ | reset options for your application. You may change these defaults
+ | as required, but they're a perfect start for most applications.
+ |
+ */
- 'defaults' => [
- 'guard' => 'web',
- 'passwords' => 'users',
- ],
+ 'defaults' => [
+ 'guard' => 'web',
+ 'passwords' => 'users',
+ ],
- /*
- |--------------------------------------------------------------------------
- | Authentication Guards
- |--------------------------------------------------------------------------
- |
- | Next, you may define every authentication guard for your application.
- | Of course, a great default configuration has been defined for you
- | here which uses session storage and the Eloquent user provider.
- |
- | All authentication drivers have a user provider. This defines how the
- | users are actually retrieved out of your database or other storage
- | mechanisms used by this application to persist your user's data.
- |
- | Supported: "session", "token"
- |
- */
+ /*
+ |--------------------------------------------------------------------------
+ | Authentication Guards
+ |--------------------------------------------------------------------------
+ |
+ | Next, you may define every authentication guard for your application.
+ | Of course, a great default configuration has been defined for you
+ | here which uses session storage and the Eloquent user provider.
+ |
+ | All authentication drivers have a user provider. This defines how the
+ | users are actually retrieved out of your database or other storage
+ | mechanisms used by this application to persist your user's data.
+ |
+ | Supported: "session", "token"
+ |
+ */
- 'guards' => [
- 'web' => [
- 'driver' => 'session',
- 'provider' => 'ldap',
- ],
+ 'guards' => [
+ 'web' => [
+ 'driver' => 'session',
+ 'provider' => 'ldap',
+ ],
- 'api' => [
- 'driver' => 'passport',
- 'provider' => 'users',
- 'hash' => false,
- ],
- ],
+ 'api' => [
+ 'driver' => 'passport',
+ 'provider' => 'users',
+ 'hash' => false,
+ ],
+ ],
- /*
- |--------------------------------------------------------------------------
- | User Providers
- |--------------------------------------------------------------------------
- |
- | All authentication drivers have a user provider. This defines how the
- | users are actually retrieved out of your database or other storage
- | mechanisms used by this application to persist your user's data.
- |
- | If you have multiple user tables or models you may configure multiple
- | sources which represent each model / table. These sources may then
- | be assigned to any extra authentication guards you have defined.
- |
- | Supported: "database", "eloquent"
- |
- */
+ /*
+ |--------------------------------------------------------------------------
+ | User Providers
+ |--------------------------------------------------------------------------
+ |
+ | All authentication drivers have a user provider. This defines how the
+ | users are actually retrieved out of your database or other storage
+ | mechanisms used by this application to persist your user's data.
+ |
+ | If you have multiple user tables or models you may configure multiple
+ | sources which represent each model / table.
These sources may then
+ | be assigned to any extra authentication guards you have defined.
+ |
+ | Supported: "database", "eloquent"
+ |
+ */
- 'providers' => [
- 'users' => [
- 'driver' => 'ldap',
- 'model' => App\Ldap\User::class,
- ],
+ 'providers' => [
+ 'users' => [
+ 'driver' => 'ldap',
+ 'model' => App\Ldap\User::class,
+ ],
- // 'users' => [
- // 'driver' => 'database',
- // 'table' => 'users',
- // ],
+ // 'users' => [
+ // 'driver' => 'database',
+ // 'table' => 'users',
+ // ],
- 'ldap' => [
- 'driver' => 'ldap',
- 'model' => App\Ldap\User::class,
- ],
- ],
+ 'ldap' => [
+ 'driver' => 'ldap',
+ 'model' => App\Ldap\User::class,
+ 'rules' => [
+ App\Ldap\Rules\LoginObjectclassRule::class,
+ ],
+ ],
+ ],
- /*
- |--------------------------------------------------------------------------
- | Resetting Passwords
- |--------------------------------------------------------------------------
- |
- | You may specify multiple password reset configurations if you have more
- | than one user table or model in the application and you want to have
- | separate password reset settings based on the specific user types.
- |
- | The expire time is the number of minutes that the reset token should be
- | considered valid. This security feature keeps tokens short-lived so
- | they have less time to be guessed. You may change this as needed.
- |
- */
+ /*
+ |--------------------------------------------------------------------------
+ | Resetting Passwords
+ |--------------------------------------------------------------------------
+ |
+ | You may specify multiple password reset configurations if you have more
+ | than one user table or model in the application and you want to have
+ | separate password reset settings based on the specific user types.
+ |
+ | The expire time is the number of minutes that the reset token should be
+ | considered valid. This security feature keeps tokens short-lived so
+ | they have less time to be guessed. You may change this as needed.
+ |
+ */
- 'passwords' => [
- 'users' => [
- 'provider' => 'users',
- 'table' => 'password_resets',
- 'expire' => 60,
- 'throttle' => 60,
- ],
- ],
+ 'passwords' => [
+ 'users' => [
+ 'provider' => 'users',
+ 'table' => 'password_resets',
+ 'expire' => 60,
+ 'throttle' => 60,
+ ],
+ ],
- /*
- |--------------------------------------------------------------------------
- | Password Confirmation Timeout
- |--------------------------------------------------------------------------
- |
- | Here you may define the amount of seconds before a password confirmation
- | times out and the user is prompted to re-enter their password via the
- | confirmation screen. By default, the timeout lasts for three hours.
- |
- */
+ /*
+ |--------------------------------------------------------------------------
+ | Password Confirmation Timeout
+ |--------------------------------------------------------------------------
+ |
+ | Here you may define the amount of seconds before a password confirmation
+ | times out and the user is prompted to re-enter their password via the
+ | confirmation screen. By default, the timeout lasts for three hours.
+ |
+ */
- 'password_timeout' => 10800,
+ 'password_timeout' => 10800,
 ];
diff --git a/config/config.php.example b/config/config.php.example
index bb38466..f19408a 100644
--- a/config/config.php.example
+++ b/config/config.php.example
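Review bot: The `'rules' => [App\Ldap\Rules\LoginObjectclassRule::class]` entry is added only to the `ldap` provider, while the `users` provider — the one the `api` guard (passport) is configured with — keeps `'driver' => 'ldap'` and the same `App\Ldap\User::class` model with no rules, so the objectclass restriction does not apply to whatever authenticates through that provider. If both providers are meant to enforce it, add the same `'rules'` array under `users`; if `users` is deliberately unrestricted, a comment there saying so is warranted. Separately, the whole-file re-indentation buries the one functional change in 200+ changed lines; the whitespace change belongs in its own commit so the auth change can be reviewed on its own.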
@@ -377,12 +377,6 @@ $servers->setValue('server','name','My LDAP Server');
 Base DNs are used. */
 // $servers->setValue('login','base',array());
-/* If 'login,attr' is used above such that phpLDAPadmin will search for your DN
- at login, you may restrict the search to a specific objectClasses. EG, set this
- to array('posixAccount') or array('inetOrgPerson',..), depending upon your
- setup. */
-// $servers->setValue('login','class',array());
-
 /* If login_attr was set to 'dn', it is possible to specify a template string to build the DN from. Use '%s' where user input should be inserted. A user may still enter the complete DN. In this case the template will not be used. */
diff --git a/config/ldap.php b/config/ldap.php
index feaf538..c0d0e38 100644
--- a/config/ldap.php
+++ b/config/ldap.php
@@ -102,6 +102,16 @@ return [
 ],
 */
+ /*
+ * If 'login,attr' is used above such that phpLDAPadmin will search for your DN
+ * at login, you may restrict the search to a specific objectClasses. EG, set this
+ * to array('posixAccount') or array('inetOrgPerson',..), depending upon your
+ * setup.
+ */
+ 'login' => [
+ 'objectclass' => explode(',',env('LDAP_LOGIN_OBJECTCLASS', 'posixAccount')), // Objectclass that users must contain to login
+ ],
+
 /*
 |--------------------------------------------------------------------------
 | Custom Date Format
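Review bot: `explode(',', env('LDAP_LOGIN_OBJECTCLASS', 'posixAccount'))` keeps surrounding whitespace and empty pieces, so a value like `posixAccount, inetOrgPerson` yields ` inetOrgPerson` (never matches) and an explicitly empty variable yields `['']` rather than an empty list; trim and filter the pieces, `'objectclass' => array_values(array_filter(array_map('trim', explode(',', env('LDAP_LOGIN_OBJECTCLASS', 'posixAccount'))))),`. The `'posixAccount'` default also contradicts the commit message, which says logins are allowed by any objectclass unless LDAP_LOGIN_OBJECTCLASS is defined — with this default an unset variable still restricts logins to posixAccount, so either the default or the message should change. The comment carried over from config.php.example still describes `array('posixAccount')` for a different config mechanism; it should describe the env format instead, e.g. `* LDAP_LOGIN_OBJECTCLASS: comma-separated list of objectClasses; a user must carry at least one of them to log in.`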