Merge pull request #56 from Monogramm/feat/starttls

 LDAP StartTLS
Denis CLAVIER 2020-06-30 12:22:51 +02:00 committed by GitHub
commit 4f9b5e9f32
10 changed files with 22 additions and 4 deletions


@ -21,6 +21,7 @@ services:
ldap_host: ldap://ldap.company.com:389/ ldap_host: ldap://ldap.company.com:389/
ldap_port: 389 ldap_port: 389
ldap_version: 3 ldap_version: 3
ldap_start_tls: false
ldap_search_attribute: uid ldap_search_attribute: uid
ldap_base_dn: "ou=People,o=Company" ldap_base_dn: "ou=People,o=Company"
ldap_filter: "(objectClass=*)" ldap_filter: "(objectClass=*)"


@ -58,6 +58,7 @@ Some image parameters can be changed, by specifying the desired parameters in co
| ldap_host | URL or IP to connect LDAP server | `ldap://ldap.company.com/` | | ldap_host | URL or IP to connect LDAP server | `ldap://ldap.company.com/` |
| ldap_port | Port used to connect LDAP server | `389` | | ldap_port | Port used to connect LDAP server | `389` |
| ldap_version | LDAP version or protocol version used by LDAP server | `3` | | ldap_version | LDAP version or protocol version used by LDAP server | `3` |
| ldap_start_tls | LDAP over STARTTLS | `false` |
| ldap_search_attribute | Attribute used to identify a user on the LDAP | `uid` | | ldap_search_attribute | Attribute used to identify a user on the LDAP | `uid` |
| ldap_filter | Additional filter for LDAP search | `objectClass=*` | | ldap_filter | Additional filter for LDAP search | `objectClass=*` |
| ldap_base_dn | The base directory name of your LDAP server | ` ou=People,o=Company` | | ldap_base_dn | The base directory name of your LDAP server | ` ou=People,o=Company` |


@ -249,6 +249,7 @@ Edit `oauth/LDAP/config_ldap.php` and adapt prameters with your LDAP configurati
| ldap_host | URL or IP to connect LDAP server | `ldap://ldap.company.com/` | | ldap_host | URL or IP to connect LDAP server | `ldap://ldap.company.com/` |
| ldap_port | Port used to connect LDAP server | `389` | | ldap_port | Port used to connect LDAP server | `389` |
| ldap_version | LDAP version or protocol version used by LDAP server | `3` | | ldap_version | LDAP version or protocol version used by LDAP server | `3` |
| ldap_start_tls | LDAP over STARTTLS | `false` |
| ldap_search_attribute | Attribute used to identify a user on the LDAP | `uid` | | ldap_search_attribute | Attribute used to identify a user on the LDAP | `uid` |
| ldap_filter | Additional filter for LDAP search | `(objectClass=*)` | | ldap_filter | Additional filter for LDAP search | `(objectClass=*)` |
| ldap_base_dn | The base directory name of your LDAP server | `ou=People,o=Company` | | ldap_base_dn | The base directory name of your LDAP server | `ou=People,o=Company` |
@ -259,7 +260,7 @@ For openLDAP server, the 'ldap_search_attribute' should be `uid`, and for AD ser
Parameters 'ldap_bind_dn' and 'ldap_bind_pass' are required if your LDAP is restrictive, else put an empty string (""). Parameters 'ldap_bind_dn' and 'ldap_bind_pass' are required if your LDAP is restrictive, else put an empty string ("").
**Wraning** : Mattermost-LDAP V2 has changed 'ldap_filter' syntax. Now, the ldap filter must respect the LDAP syntax and need to be included into parenthesis. **Warning** : Mattermost-LDAP V2 has changed 'ldap_filter' syntax. Now, the ldap filter must respect the LDAP syntax and need to be included into parenthesis.
*Note* : 'ldap_version' avoid LDAP blind error with LDAP 3 (issue #14) *Note* : 'ldap_version' avoid LDAP blind error with LDAP 3 (issue #14)


@ -11,6 +11,7 @@ services:
- ldap_host - ldap_host
- ldap_port - ldap_port
- ldap_version - ldap_version
- ldap_start_tls
- ldap_search_attribute - ldap_search_attribute
- ldap_base_dn - ldap_base_dn
- ldap_filter - ldap_filter


@ -69,6 +69,9 @@ ldap_port = "389"
# LDAP protocol version # LDAP protocol version
ldap_version = "3" ldap_version = "3"
# LDAP STARTTLS
ldap_start_tls = "1"
# Unique identifier for entry in LDAP # Unique identifier for entry in LDAP
ldap_search_attribute = "uid" ldap_search_attribute = "uid"


@ -10,6 +10,9 @@ $hostname = "ldap://company.com:389";
//LDAP version //LDAP version
$ldap_version = 3; $ldap_version = 3;
//LDAP STARTTLS
$ldap_start_tls = false;
//Unique identifier of user on LDAP //Unique identifier of user on LDAP
$uid = "username"; $uid = "username";
$email = "username@company.com"; $email = "username@company.com";


@ -22,10 +22,12 @@ class LDAP implements LDAPInterface
* An optional int to specify ldap server port, by default : 389 * An optional int to specify ldap server port, by default : 389
* @param int @ldap_version * @param int @ldap_version
* An optional int to specify ldap version, by default LDAP V3 protocol is used * An optional int to specify ldap version, by default LDAP V3 protocol is used
* @param boolean @ldap_start_tls
* An optional boolean to use ldap over STARTTLS, by default LDAP STARTTLS is not used
* *
* Initiate LDAP connection by creating an associated resource * Initiate LDAP connection by creating an associated resource
*/ */
public function __construct($ldap_host, $ldap_port = 389, $ldap_version = 3) public function __construct($ldap_host, $ldap_port = 389, $ldap_version = 3, $ldap_start_tls = false)
{ {
if (!is_string($ldap_host)) { if (!is_string($ldap_host)) {
throw new InvalidArgumentException('First argument to LDAP must be the hostname of a ldap server (string). Ex: ldap//example.com/ '); throw new InvalidArgumentException('First argument to LDAP must be the hostname of a ldap server (string). Ex: ldap//example.com/ ');
@ -45,6 +47,11 @@ class LDAP implements LDAPInterface
throw new InvalidArgumentException('Third argument to LDAP must be the ldap version (int). Ex : 3'); throw new InvalidArgumentException('Third argument to LDAP must be the ldap version (int). Ex : 3');
} }
// Support LDAP over STARTTLS
if ($ldap_start_tls === true) {
ldap_start_tls($ldap);
}
$this->ldap_server = $ldap; $this->ldap_server = $ldap;
} }
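Review bot: The return value of `ldap_start_tls($ldap)` in the second hunk is discarded, so when the server refuses or fails the TLS negotiation the constructor carries on with the plaintext connection and the bind that follows sends the user's credentials in the clear, which is exactly what the new option is meant to prevent. Make a failed upgrade fatal instead of a silent downgrade: `if (!ldap_start_tls($ldap)) {` / `    throw new RuntimeException('Failed to start TLS on the LDAP connection: ' . ldap_error($ldap));` / `}` (the two call sites in the later file sections construct `LDAP` outside their `try` blocks, so this surfaces the same way the existing `InvalidArgumentException` does). StartTLS also needs LDAPv3, so if the protocol version is applied via `LDAP_OPT_PROTOCOL_VERSION` in the lines between the two hunks, the StartTLS call must stay after it. The constructor starts in the first hunk and the `$ldap` handle it upgrades is created in lines not shown here.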


@ -3,6 +3,7 @@
$ldap_host = getenv('ldap_host') ?: "ldap://ldap.company.com/"; $ldap_host = getenv('ldap_host') ?: "ldap://ldap.company.com/";
$ldap_port = intval(getenv('ldap_port')) ?: 389; $ldap_port = intval(getenv('ldap_port')) ?: 389;
$ldap_version = intval(getenv('ldap_version')) ?: 3; $ldap_version = intval(getenv('ldap_version')) ?: 3;
$ldap_start_tls = boolval(getenv('ldap_start_tls')) ?: false;
// Attribute use to identify user on LDAP - ex : uid, mail, sAMAccountName // Attribute use to identify user on LDAP - ex : uid, mail, sAMAccountName
$ldap_search_attribute = getenv('ldap_search_attribute') ?: "uid"; $ldap_search_attribute = getenv('ldap_search_attribute') ?: "uid";
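Review bot: `boolval(getenv('ldap_start_tls'))` on the added line treats every non-empty string other than `"0"` as true, so an operator who sets the variable to `false`, `no` or `off` — the compose example in the first file section shows `ldap_start_tls: false` — actually enables StartTLS, and the trailing `?: false` is redundant because `boolval` already returns a bool. Use the boolean filter instead: `$ldap_start_tls = filter_var(getenv('ldap_start_tls'), FILTER_VALIDATE_BOOLEAN);`, which maps `1`/`true`/`on`/`yes` to true and anything else, including an unset variable where `getenv` returns false, to false, so the `"1"` in the `.env` example keeps working. Whether a YAML `false` reaches the container as the string `false` depends on the compose version in use; quoting the value in that example removes the ambiguity either way.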


@ -52,7 +52,7 @@ else
$password=$_POST['password']; $password=$_POST['password'];
// Open a LDAP connection // Open a LDAP connection
$ldap = new LDAP($ldap_host,$ldap_port,$ldap_version); $ldap = new LDAP($ldap_host,$ldap_port,$ldap_version,$ldap_start_tls);
// Check user credential on LDAP // Check user credential on LDAP
try{ try{


@ -27,7 +27,7 @@ $user = $info_oauth["user_id"];
$assoc_id = intval($info_oauth["assoc_id"]); $assoc_id = intval($info_oauth["assoc_id"]);
// Open a LDAP connection // Open a LDAP connection
$ldap = new LDAP($ldap_host, $ldap_port, $ldap_version); $ldap = new LDAP($ldap_host, $ldap_port, $ldap_version, $ldap_start_tls);
// Try to get user data on the LDAP // Try to get user data on the LDAP
try { try {