From c615665837a9b4beb71757f2e4cda3737fec1404 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Mon, 17 Aug 2009 09:05:48 +0000
Subject: [PATCH] ldap: Privilege separation for LDAP attribute retrieval
Allow simpleSAMLphp to use a different LDAP user for retrieving the users attributes. Patch by Victoriano Giralt <victoriano@uma.es>.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1679 44740490-163a-0410-bde0-09ae8108e29a
---
 config-templates/authsources.php | 17 ++++++++++++++++
 modules/ldap/lib/ConfigHelper.php | 32 +++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)
diff --git a/config-templates/authsources.php b/config-templates/authsources.php
index e0b7ff473..fd16d4cf4 100644
--- a/config-templates/authsources.php
+++ b/config-templates/authsources.php
@@ -137,6 +137,23 @@ $config = array(
 */
 'search.username' => NULL,
 'search.password' => NULL,
+
+ /*
+ * If the directory uses privilege separation,
+ * the authenticated user may not be able to retrieve
+ * all required attribures, a privileged entity is required
+ * to get them. This is enabled with this option.
+ */
+ 'priv.read' => FALSE,
+
+ /*
+ * The DN & password the simpleSAMLphp should bind to before
+ * retrieving attributes. These options are required if
+ * 'priv.read' is set to TRUE.
+ */
+ 'priv.username' => NULL,
+ 'priv.password' => NULL,
+
 ),
 /* Example of an LDAPMulti authentication source. */
diff --git a/modules/ldap/lib/ConfigHelper.php b/modules/ldap/lib/ConfigHelper.php
index daf6b3de2..b7b514e86 100644
--- a/modules/ldap/lib/ConfigHelper.php
+++ b/modules/ldap/lib/ConfigHelper.php
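Review bot: The added comment on `priv.read` misspells "attributes" as `attribures` and runs two sentences together; `* all required attributes. A privileged entity is then required` followed by `* to get them, which is enabled with this option.` reads cleanly. The `priv.username`/`priv.password` comment would help operators more if it stated how narrow this account can be: in ConfigHelper these credentials are used only to rebind immediately before `getAttributes()`, after the user's own bind has already succeeded, so the DN needs read access to the entries and the attributes listed under `'attributes'` and nothing else — I would add `* This DN is only used to read attributes once the user has authenticated; grant it read access to those attributes only.` Since `priv.password` ends up stored in plaintext in this file, the same comment is a good place to note that the bound account should not be one with write or administrative rights in the directory.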
@@ -73,6 +73,23 @@ class sspmod_ldap_ConfigHelper {
 private $attributes;
+ /**
+ * The user cannot get all attributes, privileged reader required
+ */
+ private $privRead;
+
+ /**
+ * The DN we should bind with before we can get the attributes.
+ */
+ private $privUsername;
+
+ /**
+ * The password we should bind with before we can get the attributes.
+ */
+ private $privPassword;
+
 /**
 * Constructor for this configuration parser.
@@ -92,6 +109,7 @@ class sspmod_ldap_ConfigHelper {
 $this->hostname = $config->getString('hostname');
 $this->enableTLS = $config->getBoolean('enable_tls', FALSE);
 $this->searchEnable = $config->getBoolean('search.enable', FALSE);
+ $this->privRead = $config->getBoolean('priv.read', FALSE);
 if ($this->searchEnable) {
 $this->searchUsername = $config->getString('search.username', NULL);
@@ -106,6 +124,12 @@ class sspmod_ldap_ConfigHelper {
 $this->dnPattern = $config->getString('dnpattern');
 }
+ /* Are privs needed to get to the attributes? */
+ if ($this->privRead) {
+ $this->privUsername = $config->getString('priv.username');
+ $this->privPassword = $config->getString('priv.password');
+ }
+
 $this->attributes = $config->getArray('attributes', NULL);
 }
@@ -149,6 +173,14 @@ class sspmod_ldap_ConfigHelper {
 throw new SimpleSAML_Error_Error('WRONGUSERPASS');
 }
+ /* Are privs needed to get the attributes? */
+ if ($this->privRead) {
+ /* Yes, rebind with privs */
+ if(!$ldap->bind($this->privUsername, $this->privPassword)) {
+ throw new Exception('Error authenticating using privileged DN & password.');
+ }
+ }
+
 return $ldap->getAttributes($dn, $this->attributes);
 }
--
GitLab
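Review bot: A failed privileged rebind in the `@@ -149,6 +173,14` hunk surfaces as a bare `Exception` that names neither the bind DN nor the host, which makes a wrong `priv.username`/`priv.password` hard to tell apart from an unreachable directory in the log; `throw new Exception('Error binding with privileged DN ' . $this->privUsername . ' for attribute retrieval.');` names the account while keeping the password out of the message. Not mapping this case to `SimpleSAML_Error_Error('WRONGUSERPASS')` is the right call, because the user's credentials have already been verified by the bind checked just above and a failure here is a deployment problem rather than the user's fault. The check assumes `bind()` returns FALSE on bad credentials, in line with the user-bind check above it; if the helper throws instead, the branch is unreachable, which is worth confirming against SimpleSAML_Auth_LDAP. In the constructor hunk `priv.username`/`priv.password` are read with `getString()` and no default, so leaving them at the template's `NULL` with `priv.read` TRUE presumably fails at configuration parse time rather than at the first login, which is the safer failure mode and could be stated in the property docblocks. The enclosing method of the last hunk starts outside the hunk.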