LSsession : Add useUserCredentials parameter

This commit is contained in:
Benjamin Renard 2014-11-18 13:16:38 +01:00
parent a956658923
commit a73103a576
5 changed files with 117 additions and 13 deletions

View file

@ -16,6 +16,7 @@ serveur LDAP.</para>
'ldap_config'=> array( 'ldap_config'=> array(
// Définition des paramètres de connexion à l'annuaire // Définition des paramètres de connexion à l'annuaire
), ),
'useUserCredentials' => [boolean],
'LSauth' => array ( 'LSauth' => array (
'method' => [LSauth method] 'method' => [LSauth method]
), ),
@ -71,6 +72,20 @@ serveur LDAP.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>useUserCredentials</term>
<listitem>
<simpara>Booléen définissant si il faut utiliser les identifiants de l'utilisateur pour
se connecter à l'annuaire (<emphasis>false</emphasis> par défaut). Si cette option est
activée, la connexion à l'annuaire LDAP sera établie avec la configuration fournie dans
le paramètre <emphasis>ldap_config</emphasis> en écrasant les informations de connexion
(<emphasis>binddn</emphasis> et <emphasis>bindpwd</emphasis>) par ceux de l'utilisateur.
Si l'utilisateur n'est pas encore connecté, la connexion sera étalie sans modifier la
configuration fournie.
</simpara>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>LSprofiles</term> <term>LSprofiles</term>

View file

@ -85,6 +85,19 @@ class LSauth {
return; return;
} }
/**
* Get LDAP credentials
*
* Return LDAP credentials or false
*
* @params[in] $user The LSldapObject of the user authificated
*
* @retval Array|false Array of LDAP credentials array('dn','pwd') or False
**/
public function getLDAPcredentials($user) {
return self :: $provider -> getLDAPcredentials($user);
}
/** /**
* Logout * Logout
* *

View file

@ -94,6 +94,24 @@ class LSauthMethod {
return true; return true;
} }
/**
* Get LDAP credentials
*
* Return LDAP credentials or false
*
* @params[in] $user The LSldapObject of the user authificated
*
* @retval Array|false Array of LDAP credentials array('dn','pwd') or False
**/
public function getLDAPcredentials($user) {
if (isset($this -> authData['password'])) {
return array(
'dn' => $user -> getDn(),
'pwd' => $this -> authData['password']
);
}
return false;
}
} }
?> ?>

View file

@ -39,7 +39,7 @@ class LSldap {
* *
* @author Benjamin Renard <brenard@easter-eggs.com> * @author Benjamin Renard <brenard@easter-eggs.com>
* *
* @param[in] $config array Tableau de configuration au formar Net_LDAP2 * @param[in] $config array Tableau de configuration au format Net_LDAP2
* *
* @retval void * @retval void
*/ */
@ -48,15 +48,15 @@ class LSldap {
} }
/** /**
* Connection * Connect to LDAP server
* *
* Cette methode établie la connexion à l'annuaire Ldap * This method establish connection to LDAP server
* *
* @author Benjamin Renard <brenard@easter-eggs.com> * @author Benjamin Renard <brenard@easter-eggs.com>
* *
* @param[in] $config array Tableau de configuration au formar Net_LDAP2 * @param[in] $config array LDAP configuration array in format of Net_LDAP2
* *
* @retval boolean true si la connection est établie, false sinon * @retval boolean true if connected, false instead
*/ */
public static function connect($config = null) { public static function connect($config = null) {
if ($config) { if ($config) {
@ -71,6 +71,36 @@ class LSldap {
return true; return true;
} }
/**
* Reconnect (or connect) with other credentials
*
* @author Benjamin Renard <brenard@easter-eggs.com>
*
* @param[in] $dn string Bind DN
* @param[in] $pwd array Bind password
* @param[in] $config array LDAP configuration array in format of Net_LDAP2
*
* @retval boolean true if connected, false instead
*/
public static function reconnectAs($dn,$pwd,$config) {
if ($config) {
self :: setConfig($config);
}
if (self :: $cnx) {
self :: $cnx -> done();
}
$config=self :: $config;
$config['binddn']=$dn;
$config['bindpw']=$pwd;
self :: $cnx = Net_LDAP2::connect($config);
if (Net_LDAP2::isError(self :: $cnx)) {
LSerror :: addErrorCode('LSldap_01',self :: $cnx -> getMessage());
self :: $cnx = NULL;
return;
}
return true;
}
/** /**
* Déconnection * Déconnection
* *

View file

@ -84,6 +84,9 @@ class LSsession {
// The LSauht object of the session // The LSauht object of the session
private static $LSauthObject = false; private static $LSauthObject = false;
// User LDAP credentials
private static $userLDAPcreds = false;
/** /**
* Include un fichier PHP * Include un fichier PHP
* *
@ -480,6 +483,7 @@ class LSsession {
self :: $rdn = $_SESSION['LSsession']['rdn']; self :: $rdn = $_SESSION['LSsession']['rdn'];
self :: $ldapServerId = $_SESSION['LSsession']['ldapServerId']; self :: $ldapServerId = $_SESSION['LSsession']['ldapServerId'];
self :: $tmp_file = $_SESSION['LSsession']['tmp_file']; self :: $tmp_file = $_SESSION['LSsession']['tmp_file'];
self :: $userLDAPcreds = $_SESSION['LSsession']['userLDAPcreds'];
if ( self :: cacheLSprofiles() && !isset($_REQUEST['LSsession_refresh']) ) { if ( self :: cacheLSprofiles() && !isset($_REQUEST['LSsession_refresh']) ) {
self :: setLdapServer(self :: $ldapServerId); self :: setLdapServer(self :: $ldapServerId);
@ -584,6 +588,18 @@ class LSsession {
self :: $LSuserObject = $LSuserObject; self :: $LSuserObject = $LSuserObject;
self :: $dn = $LSuserObject->getValue('dn'); self :: $dn = $LSuserObject->getValue('dn');
self :: $rdn = $LSuserObject->getValue('rdn'); self :: $rdn = $LSuserObject->getValue('rdn');
if (isset(self :: $ldapServer['useUserCredentials']) && self :: $ldapServer['useUserCredentials']) {
self :: $userLDAPcreds = LSauth :: getLDAPcredentials($LSuserObject);
if (!is_array(self :: $userLDAPcreds)) {
LSerror :: addErrorCode('LSsession_14');
self :: $userLDAPcreds = false;
return;
}
if (!LSldap :: reconnectAs(self :: $userLDAPcreds['dn'],self :: $userLDAPcreds['pwd'])) {
LSerror :: addErrorCode('LSsession_15');
return;
}
}
self :: loadLSprofiles(); self :: loadLSprofiles();
self :: loadLSaccess(); self :: loadLSaccess();
LStemplate :: assign('LSsession_username',self :: getLSuserObject() -> getDisplayName()); LStemplate :: assign('LSsession_username',self :: getLSuserObject() -> getDisplayName());
@ -851,6 +867,7 @@ class LSsession {
'topDn' => self :: $topDn, 'topDn' => self :: $topDn,
'dn' => self :: $dn, 'dn' => self :: $dn,
'rdn' => self :: $rdn, 'rdn' => self :: $rdn,
'userLDAPcreds' => self :: $userLDAPcreds,
'ldapServerId' => self :: $ldapServerId, 'ldapServerId' => self :: $ldapServerId,
'ldapServer' => self :: $ldapServer, 'ldapServer' => self :: $ldapServer,
'LSprofiles' => self :: $LSprofiles, 'LSprofiles' => self :: $LSprofiles,
@ -955,7 +972,12 @@ class LSsession {
if (!self :: loadLSclass('LSldap')) { if (!self :: loadLSclass('LSldap')) {
return; return;
} }
if (self :: $dn && isset(self :: $ldapServer['useUserCredentials']) && self :: $ldapServer['useUserCredentials']) {
LSldap :: reconnectAs(self :: $userLDAPcreds['dn'], self :: $userLDAPcreds['pwd'],self :: $ldapServer['ldap_config']);
}
else {
LSldap :: connect(self :: $ldapServer['ldap_config']); LSldap :: connect(self :: $ldapServer['ldap_config']);
}
if (LSldap :: isConnected()) { if (LSldap :: isConnected()) {
return true; return true;
} }
@ -2223,7 +2245,13 @@ class LSsession {
LSerror :: defineError('LSsession_13', LSerror :: defineError('LSsession_13',
_("LSsession : The function of the custom action %{name} does not exists or is not configured.") _("LSsession : The function of the custom action %{name} does not exists or is not configured.")
); );
// 14 -> 16 : not yet used LSerror :: defineError('LSsession_14',
_("LSsession : Fail to retreive user's LDAP credentials from LSauth.")
);
LSerror :: defineError('LSsession_15',
_("LSsession : Fail to reconnect to LDAP server with user's LDAP credentials.")
);
// 16 : not yet used
LSerror :: defineError('LSsession_17', LSerror :: defineError('LSsession_17',
_("LSsession : Error during creation of list of levels. Contact administrators. (Code : %{code})") _("LSsession : Error during creation of list of levels. Contact administrators. (Code : %{code})")
); );