deon/phpldapadmin
1
0
Fork 0
Code Issues 36 Pull Requests Packages Projects Releases Wiki Activity

Implement LdapRule to limit user logins by objectclass.

Browse Source 
Now logins are allowed by any objectclass unless LDAP_LOGIN_OBJECTCLASS is defined, we should be an array of allowed objectClass (any match).
Improvement for #245
This commit is contained in:
Deon George 2024-01-08 12:54:58 +11:00
parent 18f9f1a9b3
commit ef355e8193
5 changed files with 149 additions and 111 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
app/Ldap/Rules/LoginObjectclassRule.php Normal file
View File

@ -0,0 +1,27 @@
<?php
namespace App\Ldap\Rules;
use Illuminate\Database\Eloquent\Model as Eloquent;
use LdapRecord\Laravel\Auth\Rule;
use LdapRecord\Models\Model as LdapRecord;
/**
* User must have this objectClass to login
*
* This is overridden by LDAP_LOGIN_OBJECTCLASS
* @see User::$objectClasses
*/
class LoginObjectclassRule implements Rule
{
public function passes(LdapRecord $user, Eloquent $model = null): bool
{
if ($x=config('ldap.login.objectclass')) {
return count(array_intersect($user->objectclass,$x));
// Otherwise allow the user to login
} else {
return TRUE;
}
}
}

6
app/Ldap/User.php
View File

@ -5,15 +5,19 @@ namespace App\Ldap;
use Laravel\Passport\HasApiTokens; use Laravel\Passport\HasApiTokens;
use LdapRecord\Models\OpenLDAP\User as Model; use LdapRecord\Models\OpenLDAP\User as Model;
use App\Ldap\Rules\LoginObjectclassRule;
class User extends Model class User extends Model
{ {
use HasApiTokens; use HasApiTokens;
/** /**
* The object classes of the LDAP model. * The object classes of the LDAP model.
*
* @note We set this to an empty array so that any objectclass can login
* @see LoginObjectclassRule::class
*/ */
public static array $objectClasses = [ public static array $objectClasses = [
'posixAccount',
]; ];
/* METHODS */ /* METHODS */

3
config/auth.php
View File

@ -79,6 +79,9 @@ return [
'ldap' => [ 'ldap' => [
'driver' => 'ldap', 'driver' => 'ldap',
'model' => App\Ldap\User::class, 'model' => App\Ldap\User::class,
'rules' => [
App\Ldap\Rules\LoginObjectclassRule::class,
],
], ],
], ],

6
config/config.php.example
View File

@ -377,12 +377,6 @@ $servers->setValue('server','name','My LDAP Server');
Base DNs are used. */ Base DNs are used. */
// $servers->setValue('login','base',array()); // $servers->setValue('login','base',array());
/* If 'login,attr' is used above such that phpLDAPadmin will search for your DN
at login, you may restrict the search to a specific objectClasses. EG, set this
to array('posixAccount') or array('inetOrgPerson',..), depending upon your
setup. */
// $servers->setValue('login','class',array());
/* If login_attr was set to 'dn', it is possible to specify a template string to /* If login_attr was set to 'dn', it is possible to specify a template string to
build the DN from. Use '%s' where user input should be inserted. A user may build the DN from. Use '%s' where user input should be inserted. A user may
still enter the complete DN. In this case the template will not be used. */ still enter the complete DN. In this case the template will not be used. */

10
config/ldap.php
View File

@ -102,6 +102,16 @@ return [
], ],
*/ */
/*
* If 'login,attr' is used above such that phpLDAPadmin will search for your DN
* at login, you may restrict the search to a specific objectClasses. EG, set this
* to array('posixAccount') or array('inetOrgPerson',..), depending upon your
* setup.
*/
'login' => [
'objectclass' => explode(',',env('LDAP_LOGIN_OBJECTCLASS', 'posixAccount')), // Objectclass that users must contain to login
],
/* /*
|-------------------------------------------------------------------------- |--------------------------------------------------------------------------
| Custom Date Format | Custom Date Format