diff --git a/config-templates/ldap.php b/config-templates/ldap.php
index 81bb93f8b824c968bbb6d230eacab355a3bab74f..192278eaf25a405a7ab4d3c5a0ce26d21891066b 100644
--- a/config-templates/ldap.php
+++ b/config-templates/ldap.php
@@ -18,6 +18,29 @@ $config = array (
 'auth.ldap.attributes' => null,
 'auth.ldap.enable_tls' => false,
+ /*
+ * Searching the DN of the user.
+ */
+
+ /* Set this to TRUE to enable searching. */
+ 'auth.ldap.search.enable' => FALSE,
+
+ /* The base DN for the search. */
+ 'auth.ldap.search.base' => NULL,
+
+ /* The attribute(s) to search for.
+ *
+ * This may be a single string, or an array of string. If this is an array, then any of the attributes
+ * in the array may match the value the user supplied as the username.
+ */
+ 'auth.ldap.search.attributes' => NULL,
+
+ /* The username & password the simpleSAMLphp should bind as before searching. If this is left
+ * as NULL, no bind will be performed before searching.
+ */
+ 'auth.ldap.search.username' => NULL,
+ 'auth.ldap.search.password' => NULL,
+
 );
 ?>
diff --git a/www/auth/login.php b/www/auth/login.php
index dcefc91304751b7d3e6407c11fe22ee8ae0bb8fe..a4e1235f389eaf4410e7e662276031a64d6c3884 100644
--- a/www/auth/login.php
+++ b/www/auth/login.php
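Review bot: The comment on `auth.ldap.search.username` does not say what kind of value it takes; in www/auth/login.php the value is handed straight to `$ldap->bind()` in the position otherwise used for a DN, so an administrator who enters a plain account name here would be likely to hit the "Error authenticating using search username & password" exception. Suggested wording for that block: `/* The DN and password simpleSAMLphp should bind as before searching. Use a dedicated,` / ` * read-only account: the password is stored in clear text in this file. If left as NULL,` / ` * no bind is performed before searching. */`. Two smaller documentation nits in the same hunk: "an array of string" should read "an array of strings", and the new entries use `FALSE`/`NULL` where the existing lines directly above use lowercase `null`/`false`.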
@@ -64,18 +64,44 @@ if (isset($_POST['username'])) {
 */
 $ldap = new SimpleSAML_Auth_LDAP($ldapconfig->getValue('auth.ldap.hostname'), $ldapconfig->getValue('auth.ldap.enable_tls'));
-
-
-
-
- /**
- * Insert the LDAP username into the pattern configured in the 'auth.ldap.dnpattern' option.
- */
- $dn = str_replace('%username%', $ldapusername, $ldapconfig->getValue('auth.ldap.dnpattern'));
-
+
+ if($ldapconfig->getValue('auth.ldap.search.enable', FALSE)) {
+ /* We are configured to search for the users dn. */
+
+ $searchUsername = $ldapconfig->getValue('auth.ldap.search.username', NULL);
+
+ if($searchUsername !== NULL) {
+ /* Log in with username & password for searching. */
+
+ $searchPassword = $ldapconfig->getValue('auth.ldap.search.password', NULL);
+ if($searchPassword === NULL) {
+ throw new Exception('"auth.ldap.search.username" is configured, but not' .
+ ' "auth.ldap.search.password".');
+ }
+
+ if(!$ldap->bind($searchUsername, $searchPassword)) {
+ throw new Exception('Error authenticating using search username & password.');
+ }
+ }
+
+ $searchBase = $ldapconfig->getValue('auth.ldap.search.base', NULL);
+ $searchAttributes = $ldapconfig->getValue('auth.ldap.search.attributes', NULL);
+ if($searchBase === NULL || $searchAttributes === NULL) {
+ throw new Exception('"auth.ldap.search.base" and "auth.ldap.search.attributes"' .
+ ' must be configured before LDAP search can be enabled.');
+ }
+
+ /* Search for the dn. */
+ $dn = $ldap->searchfordn($searchBase, $searchAttributes, $username);
+ } else {
+ /* We aren't configured to search for the dn. Insert the LDAP username into the pattern
+ * configured in the 'auth.ldap.dnpattern' option.
+ */
+ $dn = str_replace('%username%', $ldapusername, $ldapconfig->getValue('auth.ldap.dnpattern'));
+ }
 /*
- * Do LDAP bind using DN found from the the dnpattern
+ * Do LDAP bind using DN.
 */
 if (!$ldap->bind($dn, $password)) {
 SimpleSAML_Logger::info('AUTH - ldap: '. $username . ' failed to authenticate. DN=' . $dn);
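Review bot: The DN returned by `searchfordn` is passed to `$ldap->bind($dn, $password)` with no check that exactly one entry was found; if the helper returns NULL or FALSE when nothing matches (its contract is not visible in this hunk), the bind runs with an empty DN, which, depending on the server and the `bind()` wrapper, may be accepted as an anonymous bind and let a user through without a valid account. Unless `searchfordn` itself throws on zero or multiple matches, add a guard directly after the search that takes the same failure path as a rejected bind, e.g. `if ($dn === NULL || $dn === FALSE) { throw new Exception('No unique DN found for the supplied username.'); }`. Related: the search branch is fed the raw `$username` while the dnpattern branch uses `$ldapusername`; if that difference is intended it deserves a one-line comment, and whichever value is used needs LDAP filter escaping inside `searchfordn` before it is interpolated into the filter, which this hunk cannot confirm. The enclosing `if (isset($_POST['username']))` block starts before this hunk, so where `$ldapusername` and `$password` are derived and validated is not visible here.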