diff --git a/doc/conf/srv-ldap.docbook b/doc/conf/srv-ldap.docbook
index 558edb93..8890317d 100644
--- a/doc/conf/srv-ldap.docbook
+++ b/doc/conf/srv-ldap.docbook
@@ -16,6 +16,7 @@ serveur LDAP.
'ldap_config'=> array(
// Définition des paramètres de connexion à l'annuaire
),
+ 'useUserCredentials' => [boolean],
'LSauth' => array (
'method' => [LSauth method]
),
@@ -71,6 +72,20 @@ serveur LDAP.
+
+ useUserCredentials
+
+ Booléen définissant si il faut utiliser les identifiants de l'utilisateur pour
+ se connecter à l'annuaire (false par défaut). Si cette option est
+ activée, la connexion à l'annuaire LDAP sera établie avec la configuration fournie dans
+ le paramètre ldap_config en écrasant les informations de connexion
+ (binddn et bindpwd) par ceux de l'utilisateur.
+ Si l'utilisateur n'est pas encore connecté, la connexion sera étalie sans modifier la
+ configuration fournie.
+
+
+
+
LSprofiles
diff --git a/public_html/includes/class/class.LSauth.php b/public_html/includes/class/class.LSauth.php
index dd16be5b..4bfd735f 100644
--- a/public_html/includes/class/class.LSauth.php
+++ b/public_html/includes/class/class.LSauth.php
@@ -85,6 +85,19 @@ class LSauth {
return;
}
+ /**
+ * Get LDAP credentials
+ *
+ * Return LDAP credentials or false
+ *
+ * @params[in] $user The LSldapObject of the user authificated
+ *
+ * @retval Array|false Array of LDAP credentials array('dn','pwd') or False
+ **/
+ public function getLDAPcredentials($user) {
+ return self :: $provider -> getLDAPcredentials($user);
+ }
+
/**
* Logout
*
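Review bot: `getLDAPcredentials()` is declared as an instance method but its body touches only the static `self :: $provider`, and the LSsession hunk in this same commit calls it statically as `LSauth :: getLDAPcredentials($LSuserObject)`; that is a deprecation notice on PHP 7 and a fatal `Error` on PHP 8 unless the class is always used statically by convention elsewhere (not visible here). Declare it `public static function getLDAPcredentials($user) {` so the call site and the definition agree. The docblock also has "authificated" for "authenticated", and since the returned array carries the clear-text password it is worth a line such as `* Note: the 'pwd' entry is the clear-text password; never log or dump the result.`.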
diff --git a/public_html/includes/class/class.LSauthMethod.php b/public_html/includes/class/class.LSauthMethod.php
index 8c0ac211..745be780 100644
--- a/public_html/includes/class/class.LSauthMethod.php
+++ b/public_html/includes/class/class.LSauthMethod.php
@@ -93,7 +93,25 @@ class LSauthMethod {
// Do nothing in the standard LSauthMethod class
return true;
}
-
+
+ /**
+ * Get LDAP credentials
+ *
+ * Return LDAP credentials or false
+ *
+ * @params[in] $user The LSldapObject of the user authificated
+ *
+ * @retval Array|false Array of LDAP credentials array('dn','pwd') or False
+ **/
+ public function getLDAPcredentials($user) {
+ if (isset($this -> authData['password'])) {
+ return array(
+ 'dn' => $user -> getDn(),
+ 'pwd' => $this -> authData['password']
+ );
+ }
+ return false;
+ }
}
?>
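Review bot: The `isset()` test on `$this -> authData['password']` accepts an empty string, and an LDAP bind with a non-empty DN and an empty password is an "unauthenticated" bind that many directories treat as anonymous, so a session whose auth method recorded an empty password would later rebind as anonymous while the application believes it is acting as the user. Unless the auth method is already guaranteed to reject empty passwords at login (not visible in this diff), tighten the check to `if (isset($this -> authData['password']) && strlen($this -> authData['password']) > 0) {` so the method returns `false` and the caller's `LSsession_14` error path fires instead. The docblock typo "authificated" should read "authenticated".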
diff --git a/public_html/includes/class/class.LSldap.php b/public_html/includes/class/class.LSldap.php
index 45247a85..8b3de809 100644
--- a/public_html/includes/class/class.LSldap.php
+++ b/public_html/includes/class/class.LSldap.php
@@ -39,7 +39,7 @@ class LSldap {
*
* @author Benjamin Renard
*
- * @param[in] $config array Tableau de configuration au formar Net_LDAP2
+ * @param[in] $config array Tableau de configuration au format Net_LDAP2
*
* @retval void
*/
@@ -48,15 +48,15 @@ class LSldap {
}
/**
- * Connection
+ * Connect to LDAP server
*
- * Cette methode établie la connexion à l'annuaire Ldap
+ * This method establish connection to LDAP server
*
* @author Benjamin Renard
*
- * @param[in] $config array Tableau de configuration au formar Net_LDAP2
+ * @param[in] $config array LDAP configuration array in format of Net_LDAP2
*
- * @retval boolean true si la connection est établie, false sinon
+ * @retval boolean true if connected, false instead
*/
public static function connect($config = null) {
if ($config) {
@@ -71,6 +71,36 @@ class LSldap {
return true;
}
+ /**
+ * Reconnect (or connect) with other credentials
+ *
+ * @author Benjamin Renard
+ *
+ * @param[in] $dn string Bind DN
+ * @param[in] $pwd array Bind password
+ * @param[in] $config array LDAP configuration array in format of Net_LDAP2
+ *
+ * @retval boolean true if connected, false instead
+ */
+ public static function reconnectAs($dn,$pwd,$config) {
+ if ($config) {
+ self :: setConfig($config);
+ }
+ if (self :: $cnx) {
+ self :: $cnx -> done();
+ }
+ $config=self :: $config;
+ $config['binddn']=$dn;
+ $config['bindpw']=$pwd;
+ self :: $cnx = Net_LDAP2::connect($config);
+ if (Net_LDAP2::isError(self :: $cnx)) {
+ LSerror :: addErrorCode('LSldap_01',self :: $cnx -> getMessage());
+ self :: $cnx = NULL;
+ return;
+ }
+ return true;
+ }
+
/**
* Déconnection
*
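Review bot: `reconnectAs($dn,$pwd,$config)` gives `$config` no default, yet the LSsession hunk of this commit calls it with only two arguments (`LSldap :: reconnectAs(self :: $userLDAPcreds['dn'],self :: $userLDAPcreds['pwd'])`), which is an `ArgumentCountError` on PHP 7.1+ and a warning plus an undefined `$config` on older versions. Mirror `connect()` and declare it `public static function reconnectAs($dn,$pwd,$config=null) {`. The docblock also types the password as `array`; it is a string, so `* @param[in] $pwd string Bind password`. Note that a failed bind leaves `self :: $cnx` as `NULL` after the previous connection has been closed, which is the right fail-closed behaviour but means callers must not assume the service-account connection survives a failure.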
diff --git a/public_html/includes/class/class.LSsession.php b/public_html/includes/class/class.LSsession.php
index d581f572..2e0fe94f 100644
--- a/public_html/includes/class/class.LSsession.php
+++ b/public_html/includes/class/class.LSsession.php
@@ -84,6 +84,9 @@ class LSsession {
// The LSauht object of the session
private static $LSauthObject = false;
+ // User LDAP credentials
+ private static $userLDAPcreds = false;
+
/**
* Include un fichier PHP
*
@@ -475,11 +478,12 @@ class LSsession {
if(isset($_SESSION['LSsession']['dn']) && !isset($_GET['LSsession_recoverPassword'])) {
LSdebug('LSsession : Session existente');
// --------------------- Session existante --------------------- //
- self :: $topDn = $_SESSION['LSsession']['topDn'];
- self :: $dn = $_SESSION['LSsession']['dn'];
- self :: $rdn = $_SESSION['LSsession']['rdn'];
- self :: $ldapServerId = $_SESSION['LSsession']['ldapServerId'];
- self :: $tmp_file = $_SESSION['LSsession']['tmp_file'];
+ self :: $topDn = $_SESSION['LSsession']['topDn'];
+ self :: $dn = $_SESSION['LSsession']['dn'];
+ self :: $rdn = $_SESSION['LSsession']['rdn'];
+ self :: $ldapServerId = $_SESSION['LSsession']['ldapServerId'];
+ self :: $tmp_file = $_SESSION['LSsession']['tmp_file'];
+ self :: $userLDAPcreds = $_SESSION['LSsession']['userLDAPcreds'];
if ( self :: cacheLSprofiles() && !isset($_REQUEST['LSsession_refresh']) ) {
self :: setLdapServer(self :: $ldapServerId);
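Review bot: `$_SESSION['LSsession']['userLDAPcreds']` is read unconditionally, but sessions created before this change (or by a server not yet running this code) have no such key, so the first request after deployment raises an undefined-index notice and leaves `self :: $userLDAPcreds` as `null` rather than the documented `false`. Restore it defensively: `self :: $userLDAPcreds = isset($_SESSION['LSsession']['userLDAPcreds']) ? $_SESSION['LSsession']['userLDAPcreds'] : false;`. The enclosing method starts and ends outside this hunk.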
@@ -584,6 +588,18 @@ class LSsession {
self :: $LSuserObject = $LSuserObject;
self :: $dn = $LSuserObject->getValue('dn');
self :: $rdn = $LSuserObject->getValue('rdn');
+ if (isset(self :: $ldapServer['useUserCredentials']) && self :: $ldapServer['useUserCredentials']) {
+ self :: $userLDAPcreds = LSauth :: getLDAPcredentials($LSuserObject);
+ if (!is_array(self :: $userLDAPcreds)) {
+ LSerror :: addErrorCode('LSsession_14');
+ self :: $userLDAPcreds = false;
+ return;
+ }
+ if (!LSldap :: reconnectAs(self :: $userLDAPcreds['dn'],self :: $userLDAPcreds['pwd'])) {
+ LSerror :: addErrorCode('LSsession_15');
+ return;
+ }
+ }
self :: loadLSprofiles();
self :: loadLSaccess();
LStemplate :: assign('LSsession_username',self :: getLSuserObject() -> getDisplayName());
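Review bot: Both new failure paths `return` after `self :: $LSuserObject`, `self :: $dn` and `self :: $rdn` have already been populated on the preceding lines, and on the `LSsession_15` path `reconnectAs()` has also closed the service-account connection, so the object is left half-initialised with a user identity but no usable LDAP handle; whether the enclosing method's caller treats a bare `return` as a failed login is not visible here since the method starts outside the hunk. Moving the credential retrieval and `reconnectAs()` call above the three assignments (or resetting them to their initial values before each `return`) would keep a failed rebind from leaving a partially logged-in state. A short comment on the block would also help, e.g. `// With useUserCredentials, all further LDAP access must happen under the user's own bind; fail closed if that is impossible.`.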
@@ -851,6 +867,7 @@ class LSsession {
'topDn' => self :: $topDn,
'dn' => self :: $dn,
'rdn' => self :: $rdn,
+ 'userLDAPcreds' => self :: $userLDAPcreds,
'ldapServerId' => self :: $ldapServerId,
'ldapServer' => self :: $ldapServer,
'LSprofiles' => self :: $LSprofiles,
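Review bot: Serialising `self :: $userLDAPcreds` into `$_SESSION` stores the user's clear-text LDAP password in the PHP session store (files under `session.save_path`, or whatever handler is configured) for the whole lifetime of the session, which widens its exposure well beyond the login request. This is inherent to the feature, but it should be stated in the `useUserCredentials` documentation so deployers protect the session store accordingly, and the logout path (not in this diff) should be checked to ensure it destroys the session rather than leaving the entry behind. A comment on this line such as `// clear-text user password: persisted for the session so later requests can rebind as the user` would make the trade-off explicit to the next maintainer.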
@@ -955,7 +972,12 @@ class LSsession {
if (!self :: loadLSclass('LSldap')) {
return;
}
- LSldap :: connect(self :: $ldapServer['ldap_config']);
+ if (self :: $dn && isset(self :: $ldapServer['useUserCredentials']) && self :: $ldapServer['useUserCredentials']) {
+ LSldap :: reconnectAs(self :: $userLDAPcreds['dn'], self :: $userLDAPcreds['pwd'],self :: $ldapServer['ldap_config']);
+ }
+ else {
+ LSldap :: connect(self :: $ldapServer['ldap_config']);
+ }
if (LSldap :: isConnected()) {
return true;
}
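Review bot: When `useUserCredentials` is enabled but `self :: $userLDAPcreds` is `false` (credential retrieval failed, or the value was restored from a pre-upgrade session), the new branch evaluates `false['dn']` and `false['pwd']` to `null` and hands them to `reconnectAs()`, which then binds with an empty DN and password, i.e. anonymously, while the rest of the code proceeds as if the connection were the user's. Guard the branch so it fails closed instead of silently downgrading the bind. The enclosing method starts outside this hunk; the `isConnected()` check that follows is unchanged.
```php
if (self :: $dn && isset(self :: $ldapServer['useUserCredentials']) && self :: $ldapServer['useUserCredentials']) {
  // Never fall back to an anonymous or service bind when user credentials are required.
  if (!is_array(self :: $userLDAPcreds)) {
    LSerror :: addErrorCode('LSsession_14');
    return;
  }
  LSldap :: reconnectAs(self :: $userLDAPcreds['dn'], self :: $userLDAPcreds['pwd'],self :: $ldapServer['ldap_config']);
}
// … unchanged: else branch calling LSldap :: connect() and the isConnected() check …
```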
@@ -2223,7 +2245,13 @@ class LSsession {
LSerror :: defineError('LSsession_13',
_("LSsession : The function of the custom action %{name} does not exists or is not configured.")
);
- // 14 -> 16 : not yet used
+ LSerror :: defineError('LSsession_14',
+ _("LSsession : Fail to retreive user's LDAP credentials from LSauth.")
+ );
+ LSerror :: defineError('LSsession_15',
+ _("LSsession : Fail to reconnect to LDAP server with user's LDAP credentials.")
+ );
+ // 16 : not yet used
LSerror :: defineError('LSsession_17',
_("LSsession : Error during creation of list of levels. Contact administrators. (Code : %{code})")
);
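Review bot: The two new message strings have spelling and grammar slips that will end up in translation catalogues once this ships: "retreive" should be "retrieve", and "Fail to" reads more naturally as "Failed to", e.g. `_("LSsession : Failed to retrieve user's LDAP credentials from LSauth.")` and `_("LSsession : Failed to reconnect to LDAP server with user's LDAP credentials.")`. Fixing them now avoids churning the msgids later.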