Implement LdapRule to limit user logins by objectclass.
Now logins are allowed by any objectclass unless LDAP_LOGIN_OBJECTCLASS is defined, which should be an array of allowed objectClasses (any match). Improvement for #245
parent
18f9f1a9b3
commit
ef355e8193
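--- /dev/null
+++ b/app/Ldap/Rules/LoginObjectclassRule.php
@@ -0,0 +1,27 @@
+<?php
+
+namespace App\Ldap\Rules;
+
+use Illuminate\Database\Eloquent\Model as Eloquent;
+use LdapRecord\Laravel\Auth\Rule;
+use LdapRecord\Models\Model as LdapRecord;
+
+/**
+* User must have this objectClass to login
+*
+* This is overridden by LDAP_LOGIN_OBJECTCLASS
+* @see User::$objectClasses
+*/
+class LoginObjectclassRule implements Rule
+{
+public function passes(LdapRecord $user, Eloquent $model = null): bool
+{
+if ($x=config('ldap.login.objectclass')) {
+return count(array_intersect($user->objectclass,$x));
+
+// Otherwise allow the user to login
+} else {
+return TRUE;
+}
+}
+}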
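Review bot: `passes()` can never take the allow-all `else` branch, because the value it reads is built with `explode()` in the config hunk at the end of this page and `explode()` always returns at least one element — with `LDAP_LOGIN_OBJECTCLASS` set to an empty string the array is `['']`, which intersects nothing and denies every login instead of allowing any objectclass as the commit message says. Dropping empty entries before the test restores the documented behaviour: `$x = array_filter((array) config('ldap.login.objectclass', []));` ahead of the `if`. The comparison is also byte-exact, while objectClass values are compared case-insensitively by the directory, so a server returning `posixaccount` would not match a configured `posixAccount`; lowercasing both sides with `array_map('strtolower', ...)` avoids that. `return count(...)` from a method declared `: bool` relies on implicit int-to-bool coercion; `return count(array_intersect($user->objectclass, $x)) > 0;` states the intent and keeps working if `declare(strict_types=1)` is ever added to the file.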
@ -5,15 +5,19 @@ namespace App\Ldap;
|
|||||||
use Laravel\Passport\HasApiTokens;
|
use Laravel\Passport\HasApiTokens;
|
||||||
use LdapRecord\Models\OpenLDAP\User as Model;
|
use LdapRecord\Models\OpenLDAP\User as Model;
|
||||||
|
|
||||||
|
use App\Ldap\Rules\LoginObjectclassRule;
|
||||||
|
|
||||||
class User extends Model
|
class User extends Model
|
||||||
{
|
{
|
||||||
use HasApiTokens;
|
use HasApiTokens;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The object classes of the LDAP model.
|
* The object classes of the LDAP model.
|
||||||
|
*
|
||||||
|
* @note We set this to an empty array so that any objectclass can login
|
||||||
|
* @see LoginObjectclassRule::class
|
||||||
*/
|
*/
|
||||||
public static array $objectClasses = [
|
public static array $objectClasses = [
|
||||||
'posixAccount',
|
|
||||||
];
|
];
|
||||||
|
|
||||||
/* METHODS */
|
/* METHODS */
|
||||||
|
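Review bot: Emptying `User::$objectClasses` removes the objectClass filter LdapRecord derives from that property, so as far as this hunk shows every entry under the configured base DN is now a candidate during the login lookup, and — if this model is also used to create entries — new entries would presumably be written without any objectClass; worth confirming against the model's other callers, since the enclosing class continues outside the hunk. The new `@note` says any objectclass can login, but the accompanying config default of `posixAccount` means that is only true once `LDAP_LOGIN_OBJECTCLASS` is deliberately cleared, so the note would be more accurate as `Left empty so the lookup is not filtered by objectClass; the login restriction is enforced by LoginObjectclassRule from LDAP_LOGIN_OBJECTCLASS`.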
211
config/auth.php
211
config/auth.php
@ -2,121 +2,124 @@
|
|||||||
|
|
||||||
return [
|
return [
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|--------------------------------------------------------------------------
|
|--------------------------------------------------------------------------
|
||||||
| Authentication Defaults
|
| Authentication Defaults
|
||||||
|--------------------------------------------------------------------------
|
|--------------------------------------------------------------------------
|
||||||
|
|
|
|
||||||
| This option controls the default authentication "guard" and password
|
| This option controls the default authentication "guard" and password
|
||||||
| reset options for your application. You may change these defaults
|
| reset options for your application. You may change these defaults
|
||||||
| as required, but they're a perfect start for most applications.
|
| as required, but they're a perfect start for most applications.
|
||||||
|
|
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
'defaults' => [
|
'defaults' => [
|
||||||
'guard' => 'web',
|
'guard' => 'web',
|
||||||
'passwords' => 'users',
|
'passwords' => 'users',
|
||||||
],
|
],
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|--------------------------------------------------------------------------
|
|--------------------------------------------------------------------------
|
||||||
| Authentication Guards
|
| Authentication Guards
|
||||||
|--------------------------------------------------------------------------
|
|--------------------------------------------------------------------------
|
||||||
|
|
|
|
||||||
| Next, you may define every authentication guard for your application.
|
| Next, you may define every authentication guard for your application.
|
||||||
| Of course, a great default configuration has been defined for you
|
| Of course, a great default configuration has been defined for you
|
||||||
| here which uses session storage and the Eloquent user provider.
|
| here which uses session storage and the Eloquent user provider.
|
||||||
|
|
|
|
||||||
| All authentication drivers have a user provider. This defines how the
|
| All authentication drivers have a user provider. This defines how the
|
||||||
| users are actually retrieved out of your database or other storage
|
| users are actually retrieved out of your database or other storage
|
||||||
| mechanisms used by this application to persist your user's data.
|
| mechanisms used by this application to persist your user's data.
|
||||||
|
|
|
|
||||||
| Supported: "session", "token"
|
| Supported: "session", "token"
|
||||||
|
|
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
'guards' => [
|
'guards' => [
|
||||||
'web' => [
|
'web' => [
|
||||||
'driver' => 'session',
|
'driver' => 'session',
|
||||||
'provider' => 'ldap',
|
'provider' => 'ldap',
|
||||||
],
|
],
|
||||||
|
|
||||||
'api' => [
|
'api' => [
|
||||||
'driver' => 'passport',
|
'driver' => 'passport',
|
||||||
'provider' => 'users',
|
'provider' => 'users',
|
||||||
'hash' => false,
|
'hash' => false,
|
||||||
],
|
],
|
||||||
],
|
],
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|--------------------------------------------------------------------------
|
|--------------------------------------------------------------------------
|
||||||
| User Providers
|
| User Providers
|
||||||
|--------------------------------------------------------------------------
|
|--------------------------------------------------------------------------
|
||||||
|
|
|
|
||||||
| All authentication drivers have a user provider. This defines how the
|
| All authentication drivers have a user provider. This defines how the
|
||||||
| users are actually retrieved out of your database or other storage
|
| users are actually retrieved out of your database or other storage
|
||||||
| mechanisms used by this application to persist your user's data.
|
| mechanisms used by this application to persist your user's data.
|
||||||
|
|
|
|
||||||
| If you have multiple user tables or models you may configure multiple
|
| If you have multiple user tables or models you may configure multiple
|
||||||
| sources which represent each model / table. These sources may then
|
| sources which represent each model / table. These sources may then
|
||||||
| be assigned to any extra authentication guards you have defined.
|
| be assigned to any extra authentication guards you have defined.
|
||||||
|
|
|
|
||||||
| Supported: "database", "eloquent"
|
| Supported: "database", "eloquent"
|
||||||
|
|
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
'providers' => [
|
'providers' => [
|
||||||
'users' => [
|
'users' => [
|
||||||
'driver' => 'ldap',
|
'driver' => 'ldap',
|
||||||
'model' => App\Ldap\User::class,
|
'model' => App\Ldap\User::class,
|
||||||
],
|
],
|
||||||
|
|
||||||
// 'users' => [
|
// 'users' => [
|
||||||
// 'driver' => 'database',
|
// 'driver' => 'database',
|
||||||
// 'table' => 'users',
|
// 'table' => 'users',
|
||||||
// ],
|
// ],
|
||||||
|
|
||||||
'ldap' => [
|
'ldap' => [
|
||||||
'driver' => 'ldap',
|
'driver' => 'ldap',
|
||||||
'model' => App\Ldap\User::class,
|
'model' => App\Ldap\User::class,
|
||||||
],
|
'rules' => [
|
||||||
],
|
App\Ldap\Rules\LoginObjectclassRule::class,
|
||||||
|
],
|
||||||
|
],
|
||||||
|
],
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|--------------------------------------------------------------------------
|
|--------------------------------------------------------------------------
|
||||||
| Resetting Passwords
|
| Resetting Passwords
|
||||||
|--------------------------------------------------------------------------
|
|--------------------------------------------------------------------------
|
||||||
|
|
|
|
||||||
| You may specify multiple password reset configurations if you have more
|
| You may specify multiple password reset configurations if you have more
|
||||||
| than one user table or model in the application and you want to have
|
| than one user table or model in the application and you want to have
|
||||||
| separate password reset settings based on the specific user types.
|
| separate password reset settings based on the specific user types.
|
||||||
|
|
|
|
||||||
| The expire time is the number of minutes that the reset token should be
|
| The expire time is the number of minutes that the reset token should be
|
||||||
| considered valid. This security feature keeps tokens short-lived so
|
| considered valid. This security feature keeps tokens short-lived so
|
||||||
| they have less time to be guessed. You may change this as needed.
|
| they have less time to be guessed. You may change this as needed.
|
||||||
|
|
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
'passwords' => [
|
'passwords' => [
|
||||||
'users' => [
|
'users' => [
|
||||||
'provider' => 'users',
|
'provider' => 'users',
|
||||||
'table' => 'password_resets',
|
'table' => 'password_resets',
|
||||||
'expire' => 60,
|
'expire' => 60,
|
||||||
'throttle' => 60,
|
'throttle' => 60,
|
||||||
],
|
],
|
||||||
],
|
],
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|--------------------------------------------------------------------------
|
|--------------------------------------------------------------------------
|
||||||
| Password Confirmation Timeout
|
| Password Confirmation Timeout
|
||||||
|--------------------------------------------------------------------------
|
|--------------------------------------------------------------------------
|
||||||
|
|
|
|
||||||
| Here you may define the amount of seconds before a password confirmation
|
| Here you may define the amount of seconds before a password confirmation
|
||||||
| times out and the user is prompted to re-enter their password via the
|
| times out and the user is prompted to re-enter their password via the
|
||||||
| confirmation screen. By default, the timeout lasts for three hours.
|
| confirmation screen. By default, the timeout lasts for three hours.
|
||||||
|
|
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
'password_timeout' => 10800,
|
'password_timeout' => 10800,
|
||||||
|
|
||||||
];
|
];
|
||||||
|
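Review bot: The new `rules` entry is attached only to the `ldap` provider, while the `users` provider a few lines above uses the same `ldap` driver and `App\Ldap\User` model and is what the passport-backed `api` guard resolves, so as far as this file shows the objectClass restriction does not apply to any login that goes through that provider. Whether a Passport flow actually evaluates LdapRecord rules is not visible here, but if both providers are meant to authenticate the same directory users, either add the same `'rules' => [App\Ldap\Rules\LoginObjectclassRule::class],` under `users` or collapse the two providers into one so the restriction cannot drift between them.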
@ -377,12 +377,6 @@ $servers->setValue('server','name','My LDAP Server');
|
|||||||
Base DNs are used. */
|
Base DNs are used. */
|
||||||
// $servers->setValue('login','base',array());
|
// $servers->setValue('login','base',array());
|
||||||
|
|
||||||
/* If 'login,attr' is used above such that phpLDAPadmin will search for your DN
|
|
||||||
at login, you may restrict the search to a specific objectClasses. EG, set this
|
|
||||||
to array('posixAccount') or array('inetOrgPerson',..), depending upon your
|
|
||||||
setup. */
|
|
||||||
// $servers->setValue('login','class',array());
|
|
||||||
|
|
||||||
/* If login_attr was set to 'dn', it is possible to specify a template string to
|
/* If login_attr was set to 'dn', it is possible to specify a template string to
|
||||||
build the DN from. Use '%s' where user input should be inserted. A user may
|
build the DN from. Use '%s' where user input should be inserted. A user may
|
||||||
still enter the complete DN. In this case the template will not be used. */
|
still enter the complete DN. In this case the template will not be used. */
|
||||||
|
@ -102,6 +102,16 @@ return [
|
|||||||
],
|
],
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If 'login,attr' is used above such that phpLDAPadmin will search for your DN
|
||||||
|
* at login, you may restrict the search to a specific objectClasses. EG, set this
|
||||||
|
* to array('posixAccount') or array('inetOrgPerson',..), depending upon your
|
||||||
|
* setup.
|
||||||
|
*/
|
||||||
|
'login' => [
|
||||||
|
'objectclass' => explode(',',env('LDAP_LOGIN_OBJECTCLASS', 'posixAccount')), // Objectclass that users must contain to login
|
||||||
|
],
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|--------------------------------------------------------------------------
|
|--------------------------------------------------------------------------
|
||||||
| Custom Date Format
|
| Custom Date Format
|
||||||
|
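Review bot: The `'objectclass'` value is not trimmed, so a comma list written with spaces (`posixAccount, inetOrgPerson`) keeps the leading space on the second entry and it never matches; since `explode()` also never yields an empty array, the rule reading this value has no way to express "no restriction" (raised in the note on LoginObjectclassRule.php). `'objectclass' => array_values(array_filter(array_map('trim', explode(',', env('LDAP_LOGIN_OBJECTCLASS', ''))))),` handles both, with an unset or empty variable meaning any objectclass may login as the commit message states; if the `posixAccount` default is intended instead, keep it but say so. The comment block above is carried over from the old phpLDAPadmin config and still tells the reader to set `array('posixAccount')`, which no longer applies; it should describe the env variable, e.g. `Comma-separated list of objectClasses a user must have to login (LDAP_LOGIN_OBJECTCLASS); any one match is enough.` The file is presumably config/ldap.php, inferred from the `config('ldap.login.objectclass')` lookup in the rule.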