ldap: Privilege separation for LDAP attribute retrieval

Allow simpleSAMLphp to use a different LDAP user for retrieving the users attributes. Patch by Victoriano Giralt <victoriano@uma.es>. git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1679 44740490-163a-0410-bde0-09ae8108e29a

ldap: Privilege separation for LDAP attribute retrieval
Allow simpleSAMLphp to use a different LDAP user for retrieving the users attributes. Patch by Victoriano Giralt <victoriano@uma.es>. git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1679 44740490-163a-0410-bde0-09ae8108e29a
c6156658 · Olav Morken · c089030f · c6156658 · c6156658
Commit c6156658 authored 15 years ago by Olav Morken
--- a/config-templates/authsources.php
+++ b/config-templates/authsources.php
@@ -137,6 +137,23 @@ $config = array(
 		 */
 		'search.username' => NULL,
 		'search.password' => NULL,
+		/*
+		 * If the directory uses privilege separation,
+		 * the authenticated user may not be able to retrieve
+		 * all required attribures, a privileged entity is required
+		 * to get them. This is enabled with this option.
+		 */
+		'priv.read' => FALSE,
+		/*
+		 * The DN & password the simpleSAMLphp should bind to before
+		 * retrieving attributes. These options are required if
+		 * 'priv.read' is set to TRUE.
+		 */
+		'priv.username' => NULL,
+		'priv.password' => NULL,
 	),
 	/* Example of an LDAPMulti authentication source. */

--- a/modules/ldap/lib/ConfigHelper.php
+++ b/modules/ldap/lib/ConfigHelper.php
@@ -73,6 +73,23 @@ class sspmod_ldap_ConfigHelper {
 	private $attributes;
+	/**
+	 * The user cannot get all attributes, privileged reader required
+	 */
+	private $privRead;
+	/**
+	 * The DN we should bind with before we can get the attributes.
+	 */
+	private $privUsername;
+	/**
+	 * The password we should bind with before we can get the attributes.
+	 */
+	private $privPassword;
 	/**
 	 * Constructor for this configuration parser.
@@ -92,6 +109,7 @@ class sspmod_ldap_ConfigHelper {
 		$this->hostname = $config->getString('hostname');
 		$this->enableTLS = $config->getBoolean('enable_tls', FALSE);
 		$this->searchEnable = $config->getBoolean('search.enable', FALSE);
+		$this->privRead = $config->getBoolean('priv.read', FALSE);
 		if ($this->searchEnable) {
 			$this->searchUsername = $config->getString('search.username', NULL);
@@ -106,6 +124,12 @@ class sspmod_ldap_ConfigHelper {
 			$this->dnPattern = $config->getString('dnpattern');
 		}
+		/* Are privs needed to get to the attributes? */
+		if ($this->privRead) {
+			$this->privUsername = $config->getString('priv.username');
+			$this->privPassword = $config->getString('priv.password');
+		}
 		$this->attributes = $config->getArray('attributes', NULL);
 	}
@@ -149,6 +173,14 @@ class sspmod_ldap_ConfigHelper {
 			throw new SimpleSAML_Error_Error('WRONGUSERPASS');
 		}
+		/* Are privs needed to get the attributes? */
+		if ($this->privRead) {
+			/* Yes, rebind with privs */
+			if(!$ldap->bind($this->privUsername, $this->privPassword)) {
+				throw new Exception('Error authenticating using privileged DN & password.');
+			}
+		}
 		return $ldap->getAttributes($dn, $this->attributes);
 	}