Added LDAP auth

1 year ago · b144555e46
parent 7d6450706f
commit b144555e46
11 changed files with 89 additions and 16 deletions
--- a/lang/de.php
+++ b/lang/de.php
@ -144,6 +144,7 @@ $lang = array(
    'lang_user_name' => 'Benutzername',
    'lang_user_password' => 'Kennwort',
    'lang_user_language' => 'Sprache',
+    'lang_user_realm' => 'Realm',

    'lang_zone_add' => 'Zone hinzufügen',
    'lang_zone_del' => 'Zone löschen',
--- a/lang/en.php
+++ b/lang/en.php
@ -143,6 +143,7 @@ $lang = array(
    'lang_user_edit' => 'Mofidy user',
    'lang_user_name' => 'Username',
    'lang_user_password' => 'Password',
+    'lang_user_realm' => 'Realm',

    'lang_zone_add' => 'Add zone',
    'lang_zone_del' => 'Delete zone',
--- a/lib/db.class.php
+++ b/lib/db.class.php
@ -35,7 +35,6 @@

        function db_insert($query) {
            // run query
-            echo "<pre>$query</pre>";
            $sql = mysqli_query($this->dblink, $query) or die(mysqli_error($this->dblink));

            // return result
--- a/lib/user.class.php
+++ b/lib/user.class.php
@ -30,6 +30,36 @@
            }
        }

+        function check_ldap_bind($user_name, $user_pass) {
+            global $config_ldap_host;
+            global $config_ldap_port;
+            global $config_ldap_base_dn;
+            global $config_ldap_bind_dn;
+            global $config_ldap_bind_pass;
+            global $config_ldap_login_attr;
+            $ldap_conn = NULL;
+            foreach ($config_ldap_host as $server) {
+                if ($ldap_conn = ldap_connect($server, $config_ldap_port)) {
+                    if ($res = ldap_bind($ldap_conn, $config_ldap_bind_dn, $config_ldap_bind_pass)) {
+                        ldap_set_option($ldap_conn, LDAP_OPT_REFERRALS, 0);
+                        ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, 3);
+                        $filter = "(&(objectClass=user)($config_ldap_login_attr=$user_name))";
+                        $res = ldap_search($ldap_conn, $config_ldap_base_dn, $filter, ['dn']);
+                        if ($res) {
+                            $info = ldap_get_entries($ldap_conn, $res);
+                            $user_dn = $info[0]['dn'];
+                            $res = ldap_bind($ldap_conn, $user_dn, $user_pass);
+                            if ($res) {
+                                return TRUE;
+                            }
+                        }
+                    }
+                    return FALSE;
+                }
+            }
+            return FALSE;
+        }
+
        function user_login($user_name, $user_pass) {
            global $dblink;
            // check user_name length
@ -50,6 +80,7 @@
                $query = "SELECT
                    user.user_id,
                    user.user_pass,
+                    user.user_realm,
                    user.user_displayname,
                    user.user_language,
                    user.user_imagesize,
@ -81,19 +112,27 @@

                // any users?
                if ($user_counter>0) {
-                    // compare passwords
-                    if(!strcmp(md5($user_pass), rtrim($users[0]['user_pass']))) {
-                        // all ok: user is logged in
-
-                        // md5 match but outdated. rewrite with new algo
-                        $newhash = password_hash($user_pass, PASSWORD_BCRYPT);
-                        $query = "UPDATE user SET user_pass='" . $newhash. "' WHERE user_id=" . $users[0]['user_id'];
-                        $db->db_update($query);
-
-                    } else {
-                        if (! password_verify($user_pass, $users[0]['user_pass'])) {
+                    if ($users[0]['user_realm'] == 'ldap') {
+                        // check LDAP auth
+                        if (! $this->check_ldap_bind($user_name, $user_pass)) {
                            return FALSE;
                        }
+                        // TODO sync LDAP data to local
+                    } else {
+                        // compare local passwords
+                        if(!strcmp(md5($user_pass), rtrim($users[0]['user_pass']))) {
+                            // all ok: user is logged in
+
+                            // md5 match but outdated. rewrite with new algo
+                            $newhash = password_hash($user_pass, PASSWORD_BCRYPT);
+                            $query = "UPDATE user SET user_pass='" . $newhash. "' WHERE user_id=" . $users[0]['user_id'];
+                            $db->db_update($query);
+
+                        } else {
+                            if (! password_verify($user_pass, $users[0]['user_pass'])) {
+                                return FALSE;
+                            }
+                        }
                    }
                } else {
                    return FALSE;
--- a/submit.php
+++ b/submit.php
@ -1000,12 +1000,14 @@ if (isset($_POST['edit'])) {
            $user_id = sanitize($_POST['user_id']);
            $user_name = sanitize($_POST['user_name']);
            $user_displayname = sanitize($_POST['user_displayname']);
+            $user_realm = sanitize($_POST['user_realm']);

            $query = "UPDATE
                    user
                SET
                    user_name='" . $user_name . "',
-                    user_displayname='" . $user_displayname . "'
+                    user_displayname='" . $user_displayname . "',
+                    user_realm='" . $user_realm . "'
                WHERE
                    user_id=" . $user_id;

--- a/tpl/user.tpl
+++ b/tpl/user.tpl
@ -15,6 +15,9 @@
    <td class="header">
        {$lang_user_name}
    </td>
+    <td class="header">
+        {$lang_user_realm}
+    </td>
    <td class="header">
        {$lang_user_displayname}
    </td>
@ -24,6 +27,9 @@
    <td class="label">
        <a href="userview.php?user_id={$user.user_id}">{$user.user_name}</a>
    </td>
+    <td class="value">
+        {$user.user_realm}
+    </td>
    <td class="value">
        {$user.user_displayname}
    </td>
--- a/tpl/useredit.tpl
+++ b/tpl/useredit.tpl
@ -40,6 +40,14 @@
        <input type="text" name="user_displayname" value="{$user_displayname}">
    </td>
 </tr>
+<tr>
+    <td class="label">
+        {$lang_user_realm}
+    </td>
+    <td class="value">
+{html_radios name=user_realm values=$realm_ids output=$realm_names selected=$realm_selected}
+    </td>
+</tr>
 </table>

 </form>
--- a/tpl/userview.tpl
+++ b/tpl/userview.tpl
@ -36,4 +36,12 @@
        {$user_displayname}
    </td>
 </tr>
+<tr>
+    <td class="label">
+        {$lang_user_realm}
+    </td>
+    <td class="value">
+        {$user_realm}
+    </td>
+</tr>
 </table>
--- a/user.php
+++ b/user.php
@ -13,7 +13,8 @@ include("header.php");
 $query = "SELECT
 		user_id,
 		user_name,
-		user_displayname
+		user_displayname,
+		user_realm
 	FROM
 		user
 	ORDER BY
--- a/useredit.php
+++ b/useredit.php
@ -15,7 +15,8 @@ include("header.php");

 $query = "SELECT
 	user_name,
-	user_displayname
+	user_displayname,
+	user_realm
 FROM
 	user
 WHERE
@ -26,6 +27,11 @@ $user = $db->db_select($query);
 $smarty->assign("user_id", $user_id);
 $smarty->assign("user_name", $user[0]['user_name']);
 $smarty->assign("user_displayname", $user[0]['user_displayname']);
+
+// auth realms
+$smarty->assign("realm_ids", ['local', 'ldap']);
+$smarty->assign("realm_names", ['Local', 'LDAP']);
+$smarty->assign("realm_selected", $user[0]['user_realm']);
 	
 $smarty->display("useredit.tpl");
 		
--- a/userview.php
+++ b/userview.php
@ -15,7 +15,8 @@ include("header.php");

 $query = "SELECT
 		user_name,
-		user_displayname
+		user_displayname,
+		user_realm
 	FROM
 		user
 	WHERE
@ -28,6 +29,7 @@ $user = $db->db_select($query);
 $smarty->assign("user_id", $user_id);
 $smarty->assign("user_name", $user[0]['user_name']);
 $smarty->assign("user_displayname", $user[0]['user_displayname']);
+$smarty->assign("user_realm", $user[0]['user_realm']);

 $smarty->display("userview.tpl");