LDAP login: Make it possible to look up the DN of a user by searching for an attribute.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@603 44740490-163a-0410-bde0-09ae8108e29a

LDAP login: Make it possible to look up the DN of a user by searching for an attribute.
1a729595 · Olav Morken · 4c5a372b · 1a729595 · 1a729595
Commit 1a729595 authored 16 years ago by Olav Morken
--- a/config-templates/ldap.php
+++ b/config-templates/ldap.php
@@ -18,6 +18,29 @@ $config = array (
 	'auth.ldap.attributes' => null,
 	'auth.ldap.enable_tls' => false,
 	
+	/*
+	 * Searching the DN of the user.
+	 */
+
+	/* Set this to TRUE to enable searching. */
+	'auth.ldap.search.enable' => FALSE,
+
+	/* The base DN for the search. */
+	'auth.ldap.search.base' => NULL,
+
+	/* The attribute(s) to search for.
+	 *
+	 * This may be a single string, or an array of string. If this is an array, then any of the attributes
+	 * in the array may match the value the user supplied as the username.
+	 */
+	'auth.ldap.search.attributes' => NULL,
+
+	/* The username & password the simpleSAMLphp should bind as before searching. If this is left
+	 * as NULL, no bind will be performed before searching.
+	 */
+	'auth.ldap.search.username' => NULL,
+	'auth.ldap.search.password' => NULL,
+
 );

 ?>
--- a/www/auth/login.php
+++ b/www/auth/login.php
@@ -64,18 +64,44 @@ if (isset($_POST['username'])) {
 		 */
 		$ldap = new SimpleSAML_Auth_LDAP($ldapconfig->getValue('auth.ldap.hostname'),
                                         $ldapconfig->getValue('auth.ldap.enable_tls'));
-	
-		
-		
-		
-		/** 
-		 * Insert the LDAP username into the pattern configured in the 'auth.ldap.dnpattern' option.
-		 */
-		$dn = str_replace('%username%', $ldapusername, $ldapconfig->getValue('auth.ldap.dnpattern'));
-	
+
+		if($ldapconfig->getValue('auth.ldap.search.enable', FALSE)) {
+			/* We are configured to search for the users dn. */
+
+			$searchUsername = $ldapconfig->getValue('auth.ldap.search.username', NULL);
+
+			if($searchUsername !== NULL) {
+				/* Log in with username & password for searching. */
+
+				$searchPassword = $ldapconfig->getValue('auth.ldap.search.password', NULL);
+				if($searchPassword === NULL) {
+					throw new Exception('"auth.ldap.search.username" is configured, but not' .
+						' "auth.ldap.search.password".');
+				}
+
+				if(!$ldap->bind($searchUsername, $searchPassword)) {
+					throw new Exception('Error authenticating using search username & password.');
+				}
+			}
+
+			$searchBase = $ldapconfig->getValue('auth.ldap.search.base', NULL);
+			$searchAttributes = $ldapconfig->getValue('auth.ldap.search.attributes', NULL);
+			if($searchBase === NULL || $searchAttributes === NULL) {
+				throw new Exception('"auth.ldap.search.base" and "auth.ldap.search.attributes"' .
+					' must be configured before LDAP search can be enabled.');
+			}
+
+			/* Search for the dn. */
+			$dn = $ldap->searchfordn($searchBase, $searchAttributes, $username);
+		} else {
+			/* We aren't configured to search for the dn. Insert the LDAP username into the pattern
+			 * configured in the 'auth.ldap.dnpattern' option.
+			 */
+			$dn = str_replace('%username%', $ldapusername, $ldapconfig->getValue('auth.ldap.dnpattern'));
+		}
 		
 		/*
-		 * Do LDAP bind using DN found from the the dnpattern
+		 * Do LDAP bind using DN.
 		 */
 		if (!$ldap->bind($dn, $password)) {
 			SimpleSAML_Logger::info('AUTH - ldap: '. $username . ' failed to authenticate. DN=' . $dn);