Support searching for users to find their LDAP entry
Summary: - the current LDAP auth flow expects a DN to look like cn=ossareh,ou=Users,dc=example,dc=com - however many LDAP setups have their dn look something like cn=Mike Ossareh,ou=Users,dc=example,dc=com Test Plan: Test if logins work with a LDAP setup which has cn=Full Name instead of cn=username. To test you should ensure you set the properties needed to trigger the search before login as detailed in conf/default.conf.php Reviewers: epriestley CC: mbeck, aran, Korvin Differential Revision: https://secure.phabricator.com/D3072
This commit is contained in:
Michael Ossareh
@@ -46,6 +46,10 @@ final class PhabricatorLDAPProvider {
|
||||
return PhabricatorEnv::getEnvConfig('ldap.search_attribute');
|
||||
}
|
||||
|
||||
public function getUsernameAttribute() {
|
||||
return PhabricatorEnv::getEnvConfig('ldap.username_attribute');
|
||||
}
|
||||
|
||||
public function getLDAPVersion() {
|
||||
return PhabricatorEnv::getEnvConfig('ldap.version');
|
||||
}
|
||||
@@ -117,6 +121,13 @@ final class PhabricatorLDAPProvider {
|
||||
throw new Exception('Username can not be empty');
|
||||
}
|
||||
|
||||
if (PhabricatorEnv::getEnvConfig('ldap.search-first')) {
|
||||
$user = $this->getUser($this->getUsernameAttribute(), $username);
|
||||
$username = $user[($this->getSearchAttribute())][0];
|
||||
}
|
||||
|
||||
$conn = $this->getConnection();
|
||||
|
||||
$activeDirectoryDomain =
|
||||
PhabricatorEnv::getEnvConfig('ldap.activedirectory_domain');
|
||||
|
||||
@@ -130,8 +141,6 @@ final class PhabricatorLDAPProvider {
|
||||
$this->getBaseDN());
|
||||
}
|
||||
|
||||
$conn = $this->getConnection();
|
||||
|
||||
// NOTE: It is very important we suppress any messages that occur here,
|
||||
// because it logs passwords if it reaches an error log of any sort.
|
||||
DarkConsoleErrorLogPluginAPI::enableDiscardMode();
|
||||
@@ -143,16 +152,16 @@ final class PhabricatorLDAPProvider {
|
||||
"LDAP Error #".ldap_errno($conn).": ".ldap_error($conn));
|
||||
}
|
||||
|
||||
$this->userData = $this->getUser($username);
|
||||
$this->userData = $this->getUser($this->getSearchAttribute(), $username);
|
||||
return $this->userData;
|
||||
}
|
||||
|
||||
private function getUser($username) {
|
||||
private function getUser($attribute, $username) {
|
||||
$conn = $this->getConnection();
|
||||
|
||||
$query = ldap_sprintf(
|
||||
'%Q=%S',
|
||||
$this->getSearchAttribute(),
|
||||
$attribute,
|
||||
$username);
|
||||
|
||||
$result = ldap_search($conn, $this->getBaseDN(), $query);
|
||||
@@ -170,7 +179,7 @@ final class PhabricatorLDAPProvider {
|
||||
|
||||
if ($entries['count'] > 1) {
|
||||
throw new Exception('Found more then one user with this ' .
|
||||
$this->getSearchAttribute());
|
||||
$attribute);
|
||||
}
|
||||
|
||||
if ($entries['count'] == 0) {
|
||||
|
||||
Reference in New Issue
Block a user