ldap/LDAPMulti: Allow organization to be part of the username.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1408 44740490-163a-0410-bde0-09ae8108e29a

config-templates/authsources.php

@@ -121,8 +121,27 @@ $config = array(
 		'ldap:LDAPMulti',
 
 		/*
-		 * A list of available LDAP servers / user groups. The value of each element is
-		 * an array in the same format as an LDAP authentication source.
+		 * The way the organization as part of the username should be handled.
+		 * Three possible values:
+		 * - 'none':   No handling of the organization. Allows '@' to be part
+		 *             of the username.
+		 * - 'allow':  Will allow users to type 'username@organization'.
+		 * - 'force':  Force users to type 'username@organization'. The dropdown
+		 *             list will be hidden.
+		 *
+		 * The default is 'none'.
+		 */
+		'username_organization_method' => 'none',
+
+		/*
+		 * A list of available LDAP servers.
+		 *
+		 * The index is an identifier for the organization/group. When
+		 * 'username_organization_method' is set to something other than 'none',
+		 * the organization-part of the username is matched against the index.
+		 *
+		 * The value of each element is an array in the same format as an LDAP
+		 * authentication source.
 		 */
 		'employees' => array(
 			/*

modules/ldap/docs/ldap.txt

@@ -119,9 +119,27 @@ and add an entry which uses this module:
 		'ldap:LDAPMulti',
 
 		/*
-		 * A list of available LDAP servers. The index is only an identifier,
-		 * and can be any string. The value of each element is an array in the
-		 * same format as an LDAP authentication source.
+		 * The way the organization as part of the username should be handled.
+		 * Three possible values:
+		 * - 'none':   No handling of the organization. Allows '@' to be part
+		 *             of the username.
+		 * - 'allow':  Will allow users to type 'username@organization'.
+		 * - 'force':  Force users to type 'username@organization'. The dropdown
+		 *             list will be hidden.
+		 *
+		 * The default is 'none'.
+		 */
+		'username_organization_method' => 'none',
+
+		/*
+		 * A list of available LDAP servers.
+		 *
+		 * The index is an identifier for the organization/group. When
+		 * 'username_organization_method' is set to something other than 'none',
+		 * the organization-part of the username is matched against the index.
+		 *
+		 * The value of each element is an array in the same format as an LDAP
+		 * authentication source.
 		 */
 		'employees' => array(
 			/*
@@ -167,4 +185,3 @@ All options from the `ldap:LDAP` configuration can be used in each
 group, and you should refer to the documentation for that module for
 more information about available options.
 
-

modules/ldap/lib/Auth/Source/LDAPMulti.php

@@ -37,9 +37,25 @@ class sspmod_ldap_Auth_Source_LDAPMulti extends sspmod_core_Auth_UserPassOrgBase
 		/* Call the parent constructor first, as required by the interface. */
 		parent::__construct($info, $config);
 
+		$cfgHelper = SimpleSAML_Configuration::loadFromArray($config,
+			'Authentication source ' . var_export($this->authId, TRUE));
+
+
 		$this->orgs = array();
 		$this->ldapOrgs = array();
-		foreach ($config as $orgId => $orgCfg) {
+		foreach ($config as $name => $value) {
+
+			if ($name === 'username_organization_method') {
+				$usernameOrgMethod = $cfgHelper->getValueValidate(
+					'username_organization_method',
+					array('none', 'allow', 'force'));
+				$this->setUsernameOrgMethod($usernameOrgMethod);
+				continue;
+			}
+
+			$orgCfg = $cfgHelper->getArray($name);
+			$orgId = $name;
+
 			if (array_key_exists('description', $orgCfg)) {
 				$this->orgs[$orgId] = $orgCfg['description'];
 			} else {
@@ -65,6 +81,7 @@ class sspmod_ldap_Auth_Source_LDAPMulti extends sspmod_core_Auth_UserPassOrgBase
 	protected function login($username, $password, $org) {
 		assert('is_string($username)');
 		assert('is_string($password)');
+		assert('is_string($org)');
 
 		if (!array_key_exists($org, $this->ldapOrgs)) {
 			/* The user has selected an organization which doesn't exist anymore. */