Commit 1a729595 authored by Olav Morken's avatar Olav Morken

LDAP login: Make it possible to look up the DN of a user by searching for an attribute.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@603 44740490-163a-0410-bde0-09ae8108e29a
parent 4c5a372b
......@@ -18,6 +18,29 @@ $config = array (
'auth.ldap.attributes' => null,
'auth.ldap.enable_tls' => false,
/*
* Searching the DN of the user.
*/
/* Set this to TRUE to enable searching. */
'auth.ldap.search.enable' => FALSE,
/* The base DN for the search. */
'auth.ldap.search.base' => NULL,
/* The attribute(s) to search for.
*
* This may be a single string, or an array of string. If this is an array, then any of the attributes
* in the array may match the value the user supplied as the username.
*/
'auth.ldap.search.attributes' => NULL,
/* The username & password the simpleSAMLphp should bind as before searching. If this is left
* as NULL, no bind will be performed before searching.
*/
'auth.ldap.search.username' => NULL,
'auth.ldap.search.password' => NULL,
);
?>
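Review bot: The new `auth.ldap.search.username` / `auth.ldap.search.password` options introduce a stored service-account secret, but nothing in the new comment tells the operator what protects it on the wire; with `auth.ldap.enable_tls` left at `false` a few lines above, that bind password is sent to the directory in cleartext. I would extend the comment above the two options with: `/* NOTE: these credentials are sent to the LDAP server on every login; enable auth.ldap.enable_tls (or an ldaps:// hostname) so they are not transmitted in cleartext, and use a read-only account limited to the search base. */`. It would also help to state what the `NULL` case means for the directory: if no bind is performed, the server must allow anonymous search under `auth.ldap.search.base`, otherwise lookups will fail for every user. The enclosing `$config = array (` starts before this hunk.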
......@@ -64,18 +64,44 @@ if (isset($_POST['username'])) {
*/
$ldap = new SimpleSAML_Auth_LDAP($ldapconfig->getValue('auth.ldap.hostname'),
$ldapconfig->getValue('auth.ldap.enable_tls'));
/**
* Insert the LDAP username into the pattern configured in the 'auth.ldap.dnpattern' option.
*/
$dn = str_replace('%username%', $ldapusername, $ldapconfig->getValue('auth.ldap.dnpattern'));
if($ldapconfig->getValue('auth.ldap.search.enable', FALSE)) {
/* We are configured to search for the users dn. */
$searchUsername = $ldapconfig->getValue('auth.ldap.search.username', NULL);
if($searchUsername !== NULL) {
/* Log in with username & password for searching. */
$searchPassword = $ldapconfig->getValue('auth.ldap.search.password', NULL);
if($searchPassword === NULL) {
throw new Exception('"auth.ldap.search.username" is configured, but not' .
' "auth.ldap.search.password".');
}
if(!$ldap->bind($searchUsername, $searchPassword)) {
throw new Exception('Error authenticating using search username & password.');
}
}
$searchBase = $ldapconfig->getValue('auth.ldap.search.base', NULL);
$searchAttributes = $ldapconfig->getValue('auth.ldap.search.attributes', NULL);
if($searchBase === NULL || $searchAttributes === NULL) {
throw new Exception('"auth.ldap.search.base" and "auth.ldap.search.attributes"' .
' must be configured before LDAP search can be enabled.');
}
/* Search for the dn. */
$dn = $ldap->searchfordn($searchBase, $searchAttributes, $username);
} else {
/* We aren't configured to search for the dn. Insert the LDAP username into the pattern
* configured in the 'auth.ldap.dnpattern' option.
*/
$dn = str_replace('%username%', $ldapusername, $ldapconfig->getValue('auth.ldap.dnpattern'));
}
/*
* Do LDAP bind using DN found from the the dnpattern
* Do LDAP bind using DN.
*/
if (!$ldap->bind($dn, $password)) {
SimpleSAML_Logger::info('AUTH - ldap: '. $username . ' failed to authenticate. DN=' . $dn);
......
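Review bot: The search branch passes the raw `$username` to `$ldap->searchfordn(...)` while the dnpattern branch keeps using `$ldapusername`, so the two code paths now operate on different forms of the user-supplied name; if `$ldapusername` is the normalised or escaped variant (its assignment is outside the hunk), the search path should use it too, or the reason for the difference should be commented. Whether `searchfordn` escapes the value as an LDAP filter assertion value is not visible here, and since `$username` comes straight from `$_POST['username']` (see the context line opening this hunk), that is the point where filter injection would be decided — worth a comment at the call site or a check in `searchfordn` that it applies RFC 4515 escaping. If `searchfordn` reports "no match" by returning `NULL`/`FALSE` rather than throwing, the code falls through to `$ldap->bind($dn, $password)` with an empty DN; I would guard it with `if ($dn === NULL || $dn === FALSE) { SimpleSAML_Logger::info('AUTH - ldap: ' . $username . ' not found by search.'); throw new Exception('Error authenticating user.'); }` so the failure is handled like a bad bind and not reported differently to the client. Minor ordering point: the search bind on `$ldap->bind($searchUsername, $searchPassword)` runs before `auth.ldap.search.base`/`attributes` are validated, so a misconfiguration still spends a bind round-trip; move the configuration check ahead of the bind. The enclosing `if (isset($_POST['username']))` block begins before this hunk and the bind-failure handling continues after it.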