From 0a0607d2f7065c76bae3ea3f5e10480f7633097f Mon Sep 17 00:00:00 2001
From: Michael Ossareh
Date: Wed, 25 Jul 2012 18:55:48 -0700
Subject: [PATCH] Support searching for users to find their LDAP entry

Summary:
- the current LDAP auth flow expects a DN to look like cn=ossareh,ou=Users,dc=example,dc=com
- however many LDAP setups have their dn look something like cn=Mike Ossareh,ou=Users,dc=example,dc=com

Test Plan: Test if logins work with a LDAP setup which has cn=Full Name instead of cn=username. To test you should ensure you set the properties needed to trigger the search before login as detailed in conf/default.conf.php

Reviewers: epriestley

CC: mbeck, aran, Korvin

Differential Revision: https://secure.phabricator.com/D3072
---
 conf/default.conf.php | 8 +++++++
 .../auth/ldap/PhabricatorLDAPProvider.php | 21 +++++++++++++------
 2 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/conf/default.conf.php b/conf/default.conf.php
index 45b6eaa42e..3f6c4078d7 100644
--- a/conf/default.conf.php
+++ b/conf/default.conf.php
@@ -642,6 +642,14 @@ return array(
   // The attribute to be regarded as 'username'. Has to be unique
   'ldap.search_attribute' => '',
 
+  // Perform a search to find a user
+  // Many LDAP installations do not have the username in the dn, if this is
+  // true for you set this to true and configure the username_attribute below
+  'ldap.search-first' => false,
+
+  // The attribute to search for if you have to search for a user
+  'ldap.username_attribute' => '',
+
   // The attribute(s) to be regarded as 'real name'.
   // If more then one attribute is supplied the values of the attributes in
   // the array will be joined
diff --git a/src/applications/auth/ldap/PhabricatorLDAPProvider.php b/src/applications/auth/ldap/PhabricatorLDAPProvider.php
index b1e703016e..fa1fcda724 100644
--- a/src/applications/auth/ldap/PhabricatorLDAPProvider.php
+++ b/src/applications/auth/ldap/PhabricatorLDAPProvider.php
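Review bot: The new key `ldap.search-first` uses a hyphen while every neighbouring key in this block (`ldap.search_attribute`, `ldap.username_attribute`) uses an underscore, and the same string is read verbatim by `getEnvConfig` in PhabricatorLDAPProvider.php, so the inconsistency will be copied into every deployment's config once it ships. Renaming it to `'ldap.search_first' => false,` together with the matching `getEnvConfig('ldap.search_first')` call keeps the namespace uniform. The comment would also be clearer if it said what the flag actually changes, as far as the provider hunks show: `// When true, look the user up by ldap.username_attribute first and take the value of ldap.search_attribute from the matching entry before binding.`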
@@ -46,6 +46,10 @@ final class PhabricatorLDAPProvider {
     return PhabricatorEnv::getEnvConfig('ldap.search_attribute');
   }
 
+  public function getUsernameAttribute() {
+    return PhabricatorEnv::getEnvConfig('ldap.username_attribute');
+  }
+
   public function getLDAPVersion() {
     return PhabricatorEnv::getEnvConfig('ldap.version');
   }
@@ -117,6 +121,13 @@ final class PhabricatorLDAPProvider {
       throw new Exception('Username can not be empty');
     }
 
+    if (PhabricatorEnv::getEnvConfig('ldap.search-first')) {
+      $user = $this->getUser($this->getUsernameAttribute(), $username);
+      $username = $user[($this->getSearchAttribute())][0];
+    }
+
+    $conn = $this->getConnection();
+
     $activeDirectoryDomain =
       PhabricatorEnv::getEnvConfig('ldap.activedirectory_domain');
 
@@ -130,8 +141,6 @@ final class PhabricatorLDAPProvider {
         $this->getBaseDN());
     }
 
-    $conn = $this->getConnection();
-
     // NOTE: It is very important we suppress any messages that occur here,
     // because it logs passwords if it reaches an error log of any sort.
     DarkConsoleErrorLogPluginAPI::enableDiscardMode();
@@ -143,16 +152,16 @@ final class PhabricatorLDAPProvider {
         "LDAP Error #".ldap_errno($conn).": ".ldap_error($conn));
     }
 
-    $this->userData = $this->getUser($username);
+    $this->userData = $this->getUser($this->getSearchAttribute(), $username);
 
     return $this->userData;
   }
 
-  private function getUser($username) {
+  private function getUser($attribute, $username) {
     $conn = $this->getConnection();
     $query = ldap_sprintf(
       '%Q=%S',
-      $this->getSearchAttribute(),
+      $attribute,
       $username);
 
     $result = ldap_search($conn, $this->getBaseDN(), $query);
@@ -170,7 +179,7 @@ final class PhabricatorLDAPProvider {
 
     if ($entries['count'] > 1) {
       throw new Exception('Found more then one user with this ' .
-        $this->getSearchAttribute());
+        $attribute);
     }
 
     if ($entries['count'] == 0) {
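Review bot: The search-first branch in the second hunk reads `$user[($this->getSearchAttribute())][0]` without checking that the looked-up entry carries that attribute, so a missing attribute silently turns `$username` into null and the method continues on to build and bind a DN from it rather than rejecting the login; the `Username can not be empty` guard three lines above no longer covers this path. It also never checks that `ldap.username_attribute` is configured, although its default in conf/default.conf.php is `''`, which would send an `=<username>` filter to the directory. If getUser returns an `ldap_get_entries()` entry (the `$entries['count']` checks in the last hunk suggest it does), PHP lowercases the attribute keys, so a mixed-case `ldap.search_attribute` value such as `sAMAccountName` would never be found under its configured spelling. Because this lookup now happens before the user's password is bound, it only works where the connection returned by `getConnection()` (defined outside the hunk) is already allowed to search the directory, which is worth stating in the config comment. The enclosing method starts and ends outside this hunk.
```php
    if (PhabricatorEnv::getEnvConfig('ldap.search-first')) {
      $username_attribute = $this->getUsernameAttribute();
      if (!strlen($username_attribute)) {
        throw new Exception(
          'ldap.username_attribute must be configured when '.
          'ldap.search-first is enabled.');
      }
      $user = $this->getUser($username_attribute, $username);
      // ldap_get_entries() returns attribute names in lowercase.
      $search_attribute = strtolower($this->getSearchAttribute());
      if (empty($user[$search_attribute][0])) {
        throw new Exception(
          'LDAP entry for this user has no '.$search_attribute.' attribute.');
      }
      $username = $user[$search_attribute][0];
    }
    // … unchanged: $conn = $this->getConnection(); and the rest of the method …
```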