Implement LdapRule to limit user logins by objectclass.

Now logins are allowed by any objectclass unless LDAP_LOGIN_OBJECTCLASS is defined, we should be an array of allowed objectClass (any match). Improvement for #245
2024-01-08 12:54:58 +11:00 · 2024-01-08 12:54:58 +11:00 · ef355e8193
commit ef355e8193
parent 18f9f1a9b3
5 changed files with 149 additions and 111 deletions
--- a/app/Ldap/Rules/LoginObjectclassRule.php
+++ b/app/Ldap/Rules/LoginObjectclassRule.php
@ -0,0 +1,27 @@
+<?php
+
+namespace App\Ldap\Rules;
+
+use Illuminate\Database\Eloquent\Model as Eloquent;
+use LdapRecord\Laravel\Auth\Rule;
+use LdapRecord\Models\Model as LdapRecord;
+
+/**
+ * User must have this objectClass to login
+ *
+ * This is overridden by LDAP_LOGIN_OBJECTCLASS
+ * @see User::$objectClasses
+ */
+class LoginObjectclassRule implements Rule
+{
+    public function passes(LdapRecord $user, Eloquent $model = null): bool
+    {
+		if ($x=config('ldap.login.objectclass')) {
+			return count(array_intersect($user->objectclass,$x));
+
+		// Otherwise allow the user to login
+		} else {
+			return TRUE;
+		}
+    }
+}
--- a/app/Ldap/User.php
+++ b/app/Ldap/User.php
@ -5,15 +5,19 @@ namespace App\Ldap;
 use Laravel\Passport\HasApiTokens;
 use LdapRecord\Models\OpenLDAP\User as Model;

+use App\Ldap\Rules\LoginObjectclassRule;
+
 class User extends Model
 {
 	use HasApiTokens;

 	/**
 	 * The object classes of the LDAP model.
+	 *
+	 * @note We set this to an empty array so that any objectclass can login
+	 * @see LoginObjectclassRule::class
 	 */
 	public static array $objectClasses = [
-		'posixAccount',
 	];

 	/* METHODS */
--- a/config/auth.php
+++ b/config/auth.php
@ -79,6 +79,9 @@ return [
 		'ldap' => [
 			'driver' => 'ldap',
 			'model' => App\Ldap\User::class,
+			'rules' => [
+				App\Ldap\Rules\LoginObjectclassRule::class,
+			],
 		],
 	],

--- a/config/config.php.example
+++ b/config/config.php.example
@ -377,12 +377,6 @@ $servers->setValue('server','name','My LDAP Server');
   Base DNs are used. */
 // $servers->setValue('login','base',array());

-/* If 'login,attr' is used above such that phpLDAPadmin will search for your DN
-   at login, you may restrict the search to a specific objectClasses. EG, set this
-   to array('posixAccount') or array('inetOrgPerson',..), depending upon your
-   setup. */
-// $servers->setValue('login','class',array());
-
 /* If login_attr was set to 'dn', it is possible to specify a template string to
   build the DN from. Use '%s' where user input should be inserted. A user may
   still enter the complete DN. In this case the template will not be used. */
--- a/config/ldap.php
+++ b/config/ldap.php
@ -102,6 +102,16 @@ return [
 	],
 	*/

+	/*
+	 * If 'login,attr' is used above such that phpLDAPadmin will search for your DN
+	 * at login, you may restrict the search to a specific objectClasses. EG, set this
+	 * to array('posixAccount') or array('inetOrgPerson',..), depending upon your
+	 * setup.
+	 */
+	'login' => [
+		'objectclass' => explode(',',env('LDAP_LOGIN_OBJECTCLASS', 'posixAccount')),		// Objectclass that users must contain to login
+	],
+
 	/*
 	 |--------------------------------------------------------------------------
 	 | Custom Date Format