summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRaphael Michel <mail@raphaelmichel.de>2018-07-22 12:23:49 +0200
committerRaphael Michel <mail@raphaelmichel.de>2018-07-23 09:11:55 +0200
commitfef3ac527c398d179de57361bf27476c504cc061 (patch)
tree9076229158b18a7e5a05610abd2701bbc268c2ff
parentf494eee4a3f9b0eb09f6f9d46fb2e6be40a116e6 (diff)
LDAP: Allow optional filtering of allowed users
-rw-r--r--application/config/config.php3
-rw-r--r--application/libraries/Duser/drivers/Duser_ldap.php13
2 files changed, 13 insertions, 3 deletions
diff --git a/application/config/config.php b/application/config/config.php
index 03f3cb74b..e120beaf6 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -600,6 +600,9 @@ if (extension_loaded("ldap")) {
// Optional parameters
// "bind_rdn" => "uid=search-user,cn=users,dc=example,dc=com", // This is the user used to authenticate for searches
// "bind_password" => "***", // This is the password for the search user
+ // You can optionally filter the LDAP users who are allowed to log in using any valid LDAP filter. %s will be replaced
+ // by the user name.
+ // "filter" => "(&(uid=%s)(memberOf=cn=FileBinUsers,cn=groups,dc=example,dc=com))",
);
}
diff --git a/application/libraries/Duser/drivers/Duser_ldap.php b/application/libraries/Duser/drivers/Duser_ldap.php
index f30257364..9481397d0 100644
--- a/application/libraries/Duser/drivers/Duser_ldap.php
+++ b/application/libraries/Duser/drivers/Duser_ldap.php
@@ -30,15 +30,22 @@ class Duser_ldap extends Duser_Driver {
ldap_bind($ds, $config['bind_rdn'], $config['bind_password']);
}
+ if (isset($config['filter'])) {
+ $filter = sprintf($config['filter'], $username);
+ } else {
+ $filter = $config["username_field"].'='.$username;
+ }
+
+
switch ($config["scope"]) {
case "base":
- $r = ldap_read($ds, $config['basedn'], $config["username_field"].'='.$username);
+ $r = ldap_read($ds, $config['basedn'], $filter);
break;
case "one":
- $r = ldap_list($ds, $config['basedn'], $config["username_field"].'='.$username);
+ $r = ldap_list($ds, $config['basedn'], $filter);
break;
case "subtree":
- $r = ldap_search($ds, $config['basedn'], $config["username_field"].'='.$username);
+ $r = ldap_search($ds, $config['basedn'], $filter);
break;
default:
throw new \exceptions\ApiException("libraries/duser/ldap/invalid-ldap-scope", "Invalid LDAP scope");