LDAP Add option to authenticate user independtly of OU (#10873)

* Add option to authenticate user independently of OU
* Set config option in webui
* Compatibility with bind username option
* ran ./lnms translation:generate
* update doc
This commit is contained in:
louis-oui
2019-11-22 19:29:47 +01:00
committed by PipoCanaja
parent 09088f4885
commit ef562f607e
5 changed files with 52 additions and 7 deletions


@@ -18,6 +18,10 @@ class LdapAuthorizer extends AuthorizerBase
if (!empty($credentials['username'])) {
$username = $credentials['username'];
$this->userloginname = $username;
if (Config::get('auth_ldap_wildcard_ou', false)) {
$this->setAuthLdapSuffixOu($username);
}
if (!empty($credentials['password']) && ldap_bind($connection, $this->getFullDn($username), $credentials['password'])) {
// ldap_bind has done a bind with the user credentials. If binduser is configured, rebind with the auth_ldap_binduser
// normal user has restricted right to search in ldap. auth_ldap_binduser has full search rights
@@ -276,6 +280,32 @@ class LdapAuthorizer extends AuthorizerBase
return Config::get('auth_ldap_prefix', '') . $username . Config::get('auth_ldap_suffix', '');
}
/**
* Set auth_ldap_suffix ou according to $username dn
* useful if Config::get('auth_ldap_wildcard_ou) is set
* @internal
*
* @return false|true
*/
protected function setAuthLdapSuffixOu($username)
{
$connection = $this->getLdapConnection();
$filter = '(' . Config::get('auth_ldap_attr.uid') . '=' . $username . ')';
$base_dn = preg_replace("/,ou=[^,]+,/", ",", Config::get('auth_ldap_suffix'));
$base_dn = trim($base_dn, ',');
$search = ldap_search($connection, $base_dn, $filter);
foreach (ldap_get_entries($connection, $search) as $entry) {
if ($entry['uid'][0] == $username) {
preg_match('~,ou=([^,]+),~', $entry['dn'], $matches);
$user_ou = $matches[1];
$new_auth_ldap_suffix = preg_replace("/,ou=[^,]+,/", ",ou=" . $user_ou . ",", Config::get('auth_ldap_suffix'));
Config::set('auth_ldap_suffix', $new_auth_ldap_suffix);
return true;
}
}
return false;
}
/**
* Get the ldap connection. If it hasn't been established yet, connect and try to bind.
* @internal
@@ -356,7 +386,10 @@ class LdapAuthorizer extends AuthorizerBase
$password = $credentials['password'] ?? null;
if ((Config::has('auth_ldap_binduser') || Config::has('auth_ldap_binddn')) && Config::has('auth_ldap_bindpassword')) {
$username = Config::get('auth_ldap_binddn', $this->getFullDn(Config::get('auth_ldap_binduser')));
if (Config::get('auth_ldap_binddn') == null) {
Config::set('auth_ldap_binddn', $this->getFullDn(Config::get('auth_ldap_binduser')));
}
$username = Config::get('auth_ldap_binddn');
$password = Config::get('auth_ldap_bindpassword');
} elseif (!empty($credentials['username'])) {
$username = $this->getFullDn($credentials['username']);
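Review bot: In setAuthLdapSuffixOu (second hunk) the supplied username is concatenated straight into the LDAP search filter, and this runs before the user has authenticated, so filter metacharacters in the name alter the query; build it as `$filter = '(' . Config::get('auth_ldap_attr.uid') . '=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';`. The match check then reads the literal key `$entry['uid'][0]` while the filter uses the configured `auth_ldap_attr.uid`, so with any other uid attribute the entry is never matched; compare against `strtolower(Config::get('auth_ldap_attr.uid'))` since ldap_get_entries lowercases attribute names. The return of `ldap_search` is not checked for false, `ldap_get_entries` also yields a `count` element that is not an array, and `$matches[1]` is read without checking that `preg_match` found an OU in the DN, so each of those should be guarded before use. The first and third hunks sit inside authenticate() and getLdapConnection(), whose bodies start and end outside the hunks.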


@@ -195,6 +195,7 @@ $config['auth_ldap_uid_attribute'] = 'uidnumber'; // attribute for unique id
$config['auth_ldap_debug'] = false; // enable for verbose debug messages
$config['auth_ldap_userdn'] = true; // Uses a users full DN as the value of the member attribute in a group instead of member: username. (its member: uid=username,ou=groups,dc=domain,dc=com)
$config['auth_ldap_userlist_filter'] = 'service=informatique'; // Replace 'service=informatique' by your ldap filter to limit the number of responses if you have an ldap directory with thousand of users
$config['auth_ldap_wildcard_ou'] = false; // Search for user matching user name independently of OU set in auth_ldap_suffix. Useful if your users are in different OU. Bind username, if set, still user auth_ldap_suffix
```
## LDAP bind user (optional)


@@ -3,10 +3,10 @@
"/css/app.css": "/css/app.css?id=17e56994706c74ee9663",
"/js/manifest.js": "/js/manifest.js?id=3c768977c2574a34506e",
"/js/vendor.js": "/js/vendor.js?id=00c1d21ecfea78860e09",
"/js/lang/de.js": "/js/lang/de.js?id=e0623715e8df0895188b",
"/js/lang/en.js": "/js/lang/en.js?id=dce9919ef5fa35e3073a",
"/js/lang/fr.js": "/js/lang/fr.js?id=2d1159debd99a1909f12",
"/js/lang/ru.js": "/js/lang/ru.js?id=b007ddce75134acbe635",
"/js/lang/uk.js": "/js/lang/uk.js?id=146819d3cf1dfb16672d",
"/js/lang/zh-TW.js": "/js/lang/zh-TW.js?id=f57574a3892e5990ecbc"
"/js/lang/de.js": "/js/lang/de.js?id=02ee8c9e8d8bc19b0d22",
"/js/lang/en.js": "/js/lang/en.js?id=82df0ce96032b77cc049",
"/js/lang/fr.js": "/js/lang/fr.js?id=51f0ee3b59a7dace8913",
"/js/lang/ru.js": "/js/lang/ru.js?id=dc6cb9314c4903b00501",
"/js/lang/uk.js": "/js/lang/uk.js?id=669c4652f87dfd31ce7a",
"/js/lang/zh-TW.js": "/js/lang/zh-TW.js?id=b1e12788f52d49174cbc"
}


@@ -455,6 +455,13 @@
"order": 5,
"type": "boolean"
},
"auth_ldap_wildcard_ou": {
"default": false,
"group": "auth",
"section": "ldap",
"order": 5,
"type": "boolean"
},
"auth_ldap_version": {
"default": 3,
"group": "auth",
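Review bot: The new `auth_ldap_wildcard_ou` entry uses `"order": 5`, the same value shown for the preceding entry in the hunk, so its position in the settings page depends on whatever tie-break the sort applies rather than on the definition. Giving it a distinct value, e.g. `"order": 6`, after checking that the following entries in this section do not already use it, would make the placement deterministic.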


@@ -282,6 +282,10 @@ return [
'description' => 'Use full user DN',
'help' => "Uses a user's full DN as the value of the member attribute in a group instead of member: username using the prefix and suffix. (its member: uid=username,ou=groups,dc=domain,dc=com)"
],
'auth_ldap_wildcard_ou' => [
'description' => 'Wildcard user OU',
'help' => "Search for user matching user name independently of OU set in user suffix. Useful if your users are in different OU. Bind username, if set, still user suffix"
],
'auth_ldap_version' => [
'description' => 'LDAP version',
'help' => 'LDAP version to use to talk to the server. Usually this should be v3',