diff --git a/codepot/etc/codepot.ini.in b/codepot/etc/codepot.ini.in index f27997f7..72bb8d30 100644 --- a/codepot/etc/codepot.ini.in +++ b/codepot/etc/codepot.ini.in @@ -24,14 +24,27 @@ database_prefix = "" ; The userid format and the password format can contain ; ${userid} and ${password} to represent the actual user ID ; and the password respectively. +; +; If ldap_auth_mode is 1, authentication is performed by binding to +; a LDAP server specified using ldap_userid_format as a binddn and +; ldap_password_format as a password. +; +; If ldap_auth_mode is 2, it finds a binddn by searching a subtree +; under ldap_userid_search_base using ldap_userid_search_filter +; after having bound with ldap_admin_binddn and ldap_admin_password. +; The binddn found is used for subsequent binding for authentication. +; ldap_userid_format is unused in this mode. ;------------------------------------------------------------------------------ ldap_server_uri = "ldap://127.0.0.1:389" ldap_server_protocol_version = "3" -ldap_userid_format = "${userid}" +ldap_auth_mode 1 +ldap_userid_format = "cn=${userid},ou=users,dc=codepot,dc=org" ldap_password_format = "${password}" +ldap_admin_binddn = "cn=admin,dc=codepot,dc=org" +ldap_admin_password = "admin-password" +ldap_userid_search_filter = "(uid=${userid})" +ldap_userid_search_base = "ou=users,dc=codepot,dc=org" ldap_mail_attribute_name = "" -ldap_admin_binddn = "" -ldap_admin_password = "" ;------------------------------------------------------------------------------ ; default langage to use. set it to 'auto' to detect it automatically. @@ -40,7 +53,6 @@ ldap_admin_password = "" ;------------------------------------------------------------------------------ language = "auto" - ;------------------------------------------------------------------------------ ; Name of the index page. If you want to hide the index page name from ; the URL by rewriting it (e.g. mod_rewrite), you have to change this 
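Review bot: `ldap_auth_mode 1` has no `=` between key and value, unlike every other entry in this section, so depending on how load_ini treats a line without `=` the template either fails to parse or silently falls back to the compiled-in default; the line should read `ldap_auth_mode = 1`. The template also now ships a literal credential, `ldap_admin_password = "admin-password"`, next to a concrete binddn, and since codepot.ini.in is copied into the live codepot.ini the comment block should say that both are placeholders to be replaced and that the resulting file must not be readable by other local users, e.g. `; ldap_admin_password is a placeholder: set the real value and keep this file unreadable to other users.` It would also help to state in the same comment that ldap_admin_binddn, ldap_admin_password and the two ldap_userid_search_* keys are only consulted when ldap_auth_mode is 2, so mode-1 deployments can leave them empty.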
diff --git a/codepot/src/codepot/models/ldaploginmodel.php b/codepot/src/codepot/models/ldaploginmodel.php index 47a07d3c..402e9ed7 100644 --- a/codepot/src/codepot/models/ldaploginmodel.php +++ b/codepot/src/codepot/models/ldaploginmodel.php @@ -24,7 +24,57 @@ class LdapLoginModel extends LoginModel ldap_set_option ($ldap, LDAP_OPT_PROTOCOL_VERSION, CODEPOT_LDAP_SERVER_PROTOCOL_VERSION); } - $f_userid = $this->formatString (CODEPOT_LDAP_USERID_FORMAT, $userid, $password); + if (CODEPOT_LDAP_AUTH_MODE == 2) + { + $f_rootdn = $this->formatString (CODEPOT_LDAP_ADMIN_BINDDN, $userid, $password); + $f_rootpw = $this->formatString (CODEPOT_LDAP_ADMIN_PASSWORD, $userid, $password); + $f_basedn = $this->formatString (CODEPOT_LDAP_USERID_SEARCH_BASE, $userid, $password); + $f_filter = $this->formatString (CODEPOT_LDAP_USERID_SEARCH_FILTER, $userid, $password); + + $bind = @ldap_bind ($ldap, $f_userid, $f_password); + if ($bind === FALSE) + { + $this->setErrorMessage (ldap_error ($ldap)); + ldap_close ($ldap); + return FALSE; + } + + $sr = @ldap_search ($ldap, $f_basedn, $f_filter, array("dn")); + if ($sr === FALSE) + { + $this->setErrorMessage (ldap_error ($ldap)); + ldap_close ($ldap); + return FALSE; + } + + $ec = @ldap_count_entries ($ldap, $sr); + if ($ec === FALSE) + { + $this->setErrorMessage (ldap_error ($ldap)); + ldap_close ($ldap); + return FALSE; + } + + if ($ec <= 0) + { + $this->setErrorMessage ('No such user'); + ldap_close ($ldap); + return FALSE; + } + + if (($fe = @ldap_first_entry ($ldap, $sr)) === FALSE || + ($f_userid = ldap_get_dn ($ldap, $fe)) === FALSE) + { + $this->setErrorMessage (ldap_error ($ldap)); + ldap_close ($ldap); + return FALSE; + } + } + else + { + $f_userid = $this->formatString (CODEPOT_LDAP_USERID_FORMAT, $userid, $password); + } + $f_password = $this->formatString (CODEPOT_LDAP_PASSWORD_FORMAT, $userid, $password); $bind = @ldap_bind ($ldap, $f_userid, $f_password); 
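Review bot: The administrative bind in the new mode-2 branch passes `$f_userid` and `$f_password`, neither of which has been assigned at that point, while the freshly computed `$f_rootdn` and `$f_rootpw` are never used; ldap_bind treats a null DN and password as an anonymous bind, so the search either fails on directories that forbid anonymous access or silently runs with no credentials at all. The line should be `$bind = @ldap_bind ($ldap, $f_rootdn, $f_rootpw);`. Unless formatString escapes its substitutions (it is defined outside the hunk), `$userid` is interpolated verbatim into the search filter, so applying `ldap_escape ($userid, '', LDAP_ESCAPE_FILTER)` before substitution would keep a crafted user ID from changing what the filter matches. Rejecting `$ec != 1` rather than `$ec <= 0` avoids binding as an arbitrary first match when several entries match, and the later user bind (unchanged context here) should refuse an empty `$password`, since a simple bind with an empty password is an unauthenticated bind that many servers accept. The enclosing method starts and ends outside the hunk.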
diff --git a/codepot/src/config.php.in b/codepot/src/config.php.in index 8e88da94..c8547571 100644 --- a/codepot/src/config.php.in +++ b/codepot/src/config.php.in @@ -58,11 +58,14 @@ function load_ini ($file) array ('ldap_server_uri', 'string', 'ldap://127.0.0.1:389'), array ('ldap_server_protocol_version', 'integer', 3), + array ('ldap_auth_mode', 'integer', 1), array ('ldap_userid_format', 'string', '${userid}'), array ('ldap_password_format', 'string', '${password}'), - array ('ldap_mail_attribute_name', 'string', ''), array ('ldap_admin_binddn', 'string', ''), array ('ldap_admin_password', 'string', ''), + array ('ldap_userid_search_filter', 'string', '(uid=${userid})'), + array ('ldap_userid_search_base', 'string', ''), + array ('ldap_mail_attribute_name', 'string', ''), array ('svnrepo_dir', 'string', CODEPOT_DEPOT_DIR.'/svnrepo'), array ('file_dir', 'string', CODEPOT_DEPOT_DIR.'/files'),
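Review bot: Nothing checks that `ldap_auth_mode` is 1 or 2; any other integer reaches the `else` branch in ldaploginmodel.php and is treated as mode 1, and the empty default for `ldap_userid_search_base` means a mode-2 deployment that forgets to set it searches with an empty base DN. If load_ini (its body continues outside the hunk) has a place for post-load validation, it should fail loudly when the mode is neither 1 nor 2, or when mode 2 is selected with an empty `ldap_admin_binddn` or `ldap_userid_search_base`, rather than letting authentication degrade quietly at login time.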