Implement LdapRule to limit user logins by objectclass.

Now logins are allowed by any objectclass unless LDAP_LOGIN_OBJECTCLASS is defined, we should be an array of allowed objectClass (any match).
Improvement for #245
This commit is contained in:
Deon George 2024-01-08 12:54:58 +11:00
parent 18f9f1a9b3
commit ef355e8193
5 changed files with 149 additions and 111 deletions

View File

@ -0,0 +1,27 @@
<?php
namespace App\Ldap\Rules;
use Illuminate\Database\Eloquent\Model as Eloquent;
use LdapRecord\Laravel\Auth\Rule;
use LdapRecord\Models\Model as LdapRecord;
/**
* User must have this objectClass to login
*
* This is overridden by LDAP_LOGIN_OBJECTCLASS
* @see User::$objectClasses
*/
class LoginObjectclassRule implements Rule
{
public function passes(LdapRecord $user, Eloquent $model = null): bool
{
if ($x=config('ldap.login.objectclass')) {
return count(array_intersect($user->objectclass,$x));
// Otherwise allow the user to login
} else {
return TRUE;
}
}
}

View File

@ -5,15 +5,19 @@ namespace App\Ldap;
use Laravel\Passport\HasApiTokens;
use LdapRecord\Models\OpenLDAP\User as Model;
use App\Ldap\Rules\LoginObjectclassRule;
class User extends Model
{
use HasApiTokens;
/**
* The object classes of the LDAP model.
*
* @note We set this to an empty array so that any objectclass can login
* @see LoginObjectclassRule::class
*/
public static array $objectClasses = [
'posixAccount',
];
/* METHODS */

View File

@ -79,6 +79,9 @@ return [
'ldap' => [
'driver' => 'ldap',
'model' => App\Ldap\User::class,
'rules' => [
App\Ldap\Rules\LoginObjectclassRule::class,
],
],
],

View File

@ -377,12 +377,6 @@ $servers->setValue('server','name','My LDAP Server');
Base DNs are used. */
// $servers->setValue('login','base',array());
/* If 'login,attr' is used above such that phpLDAPadmin will search for your DN
at login, you may restrict the search to a specific objectClasses. EG, set this
to array('posixAccount') or array('inetOrgPerson',..), depending upon your
setup. */
// $servers->setValue('login','class',array());
/* If login_attr was set to 'dn', it is possible to specify a template string to
build the DN from. Use '%s' where user input should be inserted. A user may
still enter the complete DN. In this case the template will not be used. */

View File

@ -102,6 +102,16 @@ return [
],
*/
/*
* If 'login,attr' is used above such that phpLDAPadmin will search for your DN
* at login, you may restrict the search to a specific objectClasses. EG, set this
* to array('posixAccount') or array('inetOrgPerson',..), depending upon your
* setup.
*/
'login' => [
'objectclass' => explode(',',env('LDAP_LOGIN_OBJECTCLASS', 'posixAccount')), // Objectclass that users must contain to login
],
/*
|--------------------------------------------------------------------------
| Custom Date Format