diff --git a/CHANGELOG.md b/CHANGELOG.md index 8ee9fd6..8b72c2b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,8 @@ ## Upcoming... +* New LDAP auth adapter (Thanks @ahaenggli) + ## 7.4.5 - 2020-10-12 * New config: 'download_inline' #141 (download configured extensions inline in the browser) diff --git a/backend/Services/Auth/Adapters/LDAP.php b/backend/Services/Auth/Adapters/LDAP.php index 40d0ff3..5aa9f24 100644 --- a/backend/Services/Auth/Adapters/LDAP.php +++ b/backend/Services/Auth/Adapters/LDAP.php @@ -1,7 +1,7 @@ * @@ -26,9 +26,9 @@ class LDAP implements Service, AuthInterface protected $ldap_bindDN; protected $ldap_bindPass; protected $ldap_baseDN; - protected $ldap_filter; + protected $ldap_filter; protected $ldap_userFieldMapping; - + public function __construct(Session $session) { $this->session = $session; 
@@ -39,23 +39,23 @@ class LDAP implements Service, AuthInterface
 if(!isset($config['ldap_server']) || empty($config['ldap_server'])) throw new \Exception('config ldap_server missing');
- if (!extension_loaded('ldap')) throw new \Exception('ldap extension missing');
-
+ if (!extension_loaded('ldap')) throw new \Exception('ldap extension missing');
+
 if($connect=ldap_connect($config['ldap_server'])){
 ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
- $this->private_repos = $config['private_repos'];
- $this->ldap_server = $config['ldap_server'];
- $this->ldap_bindDN = $config['ldap_bindDN'];
- $this->ldap_bindPass = $config['ldap_bindPass'];
- $this->ldap_baseDN = $config['ldap_baseDN'];
- $this->ldap_filter = $config['ldap_filter'];
- $this->ldap_userFieldMapping = $config['ldap_userFieldMapping'];
-}else {
+ $this->private_repos = $config['private_repos'];
+ $this->ldap_server = $config['ldap_server'];
+ $this->ldap_bindDN = $config['ldap_bindDN'];
+ $this->ldap_bindPass = $config['ldap_bindPass'];
+ $this->ldap_baseDN = $config['ldap_baseDN'];
+ $this->ldap_filter = $config['ldap_filter'];
+ $this->ldap_userFieldMapping = $config['ldap_userFieldMapping'];
+}else {
 @ldap_close($connect);
 throw new \Exception('could not connect to domain');
 }
-
- @ldap_close($connect);
+
+ @ldap_close($connect);
 }
 public function user(): ?User
@@ -118,13 +118,13 @@ class LDAP implements Service, AuthInterface
 {
 $guest = $this->find(self::GUEST_USERNAME);
- if (!$guest || !$guest->isGuest()) {
+ if (!$guest || !$guest->isGuest()) {
 $guest = new User();
 $guest->setUsername('guest');
 $guest->setName('Guest');
 $guest->setRole('guest');
 $guest->setHomedir('/');
- $guest->setPermissions([]);
+ $guest->setPermissions([]);
 return $guest;
 }
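Review bot: Only `ldap_server` is validated here; `ldap_bindDN`, `ldap_bindPass`, `ldap_baseDN`, `ldap_filter` and `ldap_userFieldMapping` are read with bare `$config[...]` and silently become null when absent, which later surfaces as a confusing bind or search failure instead of a configuration error — guard them the same way, e.g. `foreach (['ldap_bindDN','ldap_bindPass','ldap_baseDN','ldap_filter','ldap_userFieldMapping'] as $k) { if (!isset($config[$k])) throw new \Exception("config $k missing"); }`. Note also that PHP's `ldap_connect()` does not open a network connection (per the PHP manual it only initialises the handle and fails on a malformed URI), so the `could not connect to domain` branch cannot detect an unreachable server; reachability is first known at bind time and the message should say so. Because no `ldap_start_tls($connect)` is issued after the protocol-version option, a plain `ldap://` URI sends the bind credentials and every user password in cleartext; either call it here (and in the other connect paths) or document that `ldaps://` is required. The constructor's head lies before this hunk.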
@@ -156,34 +156,34 @@ class LDAP implements Service, AuthInterface
 protected function getUsers(): array
 {
 $ldapConn = @ldap_connect($this->ldap_server);
- if (!$ldapConn) throw new \Exception('Cannot Connect to LDAP server');
+ if (!$ldapConn) throw new \Exception('Cannot Connect to LDAP server');
 @ldap_set_option($ldapConn, LDAP_OPT_PROTOCOL_VERSION, 3);
-
+
 $ldapBind = @ldap_bind($ldapConn, $this->ldap_bindDN,$this->ldap_bindPass);
 if (!$ldapBind) throw new \Exception('Cannot Bind to LDAP server: Wrong credentials?');
-
+
 // search the LDAP server for users
 $ldapSearch = @ldap_search($ldapConn, $this->ldap_baseDN, $this->ldap_filter, ['*']);
 $ldapResults = @ldap_get_entries($ldapConn, $ldapSearch);
 @ldap_close($ldapConn);
 $users = [];
-
+
 for ($item = 0; $item < $ldapResults['count']; $item++)
- {
- $user = [];
+ {
+ $user = [];
 $user['username'] = $ldapResults[$item][$this->ldap_userFieldMapping['username']][0];
- $user['name'] = $ldapResults[$item][$this->ldap_userFieldMapping['name']][0];
+ $user['name'] = $ldapResults[$item][$this->ldap_userFieldMapping['name']][0];
 $user['role'] = 'user';
 $user['homedir'] = '/';
 $user['permissions']=$this->ldap_userFieldMapping['default_permissions'];
- $user['userDN'] = $ldapResults[$item][$this->ldap_userFieldMapping['userDN']];
-
+ $user['userDN'] = $ldapResults[$item][$this->ldap_userFieldMapping['userDN']];
+
 if(is_array($this->ldap_userFieldMapping['admin_usernames'])) {
 if(in_array($user['username'], $this->ldap_userFieldMapping['admin_usernames'])) $user['role'] = 'admin';
 }
-
+
 // private repositories for each user?
 if ($this->private_repos) {
 $user->setHomedir('/'.$user['username']);
@@ -193,7 +193,7 @@ class LDAP implements Service, AuthInterface
 if ($user['role'] == 'admin'){
 $user['homedir'] = '/';
 $user['permissions'] = 'read|write|upload|download|batchdownload|zip';
- }
+ }
 if(is_array($user) && !empty($user)) $users[] = $user;
 }
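Review bot: `$user->setHomedir('/'.$user['username'])` in the `private_repos` branch calls a method on `$user`, which this loop builds as a plain array (`$user = []` a few lines up), so enabling private repos will fatal with "Call to a member function setHomedir() on array"; the admin branch in the following hunk uses array assignment, so this line should read `$user['homedir'] = '/'.$user['username'];`. That username is taken verbatim from a directory attribute (`uid` in the documented mapping) and becomes a filesystem path component, so unless the storage layer normalises home directories a value containing `/`, `\`, `..` or an empty string could place the user outside its own folder — skip such entries, e.g. `if ($user['username'] === '' || preg_match('~[/\\\\]|\.\.~', $user['username'])) continue;` right after the username is read. The `@ldap_search` result is also passed to `ldap_get_entries` without a `false` check, which would turn a bad base DN or filter into a warning and an empty user list instead of an exception. getUsers continues past the end of this hunk.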
@@ -201,14 +201,14 @@ class LDAP implements Service, AuthInterface
 }
 private function verifyPassword($auth_user, $password)
- {
+ {
 if(!isset($this->ldap_server) || empty($this->ldap_server)) return false;
 if(!extension_loaded('ldap')) return false;
-
+
 if($connect=ldap_connect($this->ldap_server))
- {
+ {
 ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
- if($bind=ldap_bind($connect, $auth_user, $password)){
+ if($bind=ldap_bind($connect, $auth_user, $password)){
 @ldap_close($connect);
 return true;
 } else {
@@ -216,8 +216,8 @@ class LDAP implements Service, AuthInterface
 return false;
 }
 }
-
+
 @ldap_close($connect);
 return false;
- }
+ }
 }
diff --git a/docs/configuration/auth.md b/docs/configuration/auth.md
index 63a1122..f06843a 100644
--- a/docs/configuration/auth.md
+++ b/docs/configuration/auth.md
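Review bot: An empty `$password` reaches `ldap_bind($connect, $auth_user, $password)` unchecked, and a bind with a DN plus an empty credential is treated by many directories (Active Directory in particular) as an anonymous or unauthenticated bind that succeeds, so this function can return true for any known user whose password field was left blank — a classic LDAP login bypass. Reject blank input before touching the server, e.g. `if (!is_string($password) || $password === '') return false;` immediately after the extension check, and consider the same guard for `$auth_user`. The `$bind` variable is assigned but never read, so `if (ldap_bind($connect, $auth_user, $password)) {` is enough. verifyPassword's body continues past the end of this hunk.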
@@ -86,6 +86,44 @@ Note: With more recent versions of FileGator you can set `guest_redirection` in ] ``` +## Configuring Auth service to use LDAP + +Replace your current Auth handler in `configuration.php` file like this: + +``` + 'Filegator\Services\Auth\AuthInterface' => [ + 'handler' => '\Filegator\Services\Auth\Adapters\LDAP', + 'config' => [ + 'private_repos' => false, + 'ldap_server'=>'ldap://192.168.1.1', + 'ldap_bindDN'=>'uid=ldapbinduser,cn=users,dc=ldap,dc=example,dc=com', + 'ldap_bindPass'=>'ldapbinduser-password', + 'ldap_baseDN'=>'cn=users,dc=ldap,dc=example,dc=com', + 'ldap_filter'=>'(uid=*)', //ex: 'ldap_filter'=>'(&(uid=*)(memberOf=cn=administrators,cn=groups,dc=ldap,dc=example,dc=com))', + 'ldap_userFieldMapping'=> [ + 'username' =>'uid', + 'name' =>'cn', + 'userDN' =>'dn', + 'default_permissions' => 'read|write|upload|download|batchdownload|zip', + 'admin_usernames' =>['user1', 'user2'], + ], + ], + ], +``` +Adjust in the config above: +- `wp_dir` should be the directory path of your wordpress installation +- `permissions` is the array of permissions given to each user +- `private_repos` each user will have its own sub folder, admin will see everything (false/true) + +Note: With more recent versions of FileGator you can set `guest_redirection` in your `configuration.php` to redirect logged-out users back to your WP site: +``` +'frontend_config' => [ + ... + 'guest_redirection' => 'http://example.com/wp-admin/', + ... +] +``` + ## Custom Authentication using 3rd party If you want to use FileGator as a part of another application, you probably already have users stored somewhere else. What you need in this case is to build a new custom Auth adapter that matches the [AuthInterface](https://github.com/filegator/filegator/blob/master/backend/Services/Auth/AuthInterface.php) to connect those two. 
This new adapter will try to authenticate users in your application and translate each user into filegator [User](https://github.com/filegator/filegator/blob/master/backend/Services/Auth/User.php) object.