changed ldap_insider_attribute_name to ldap_insider_attribute_names
fixed some permissions issues in file and code
This commit is contained in:
parent
330cdb4996
commit
a9d04235ac
@ -65,6 +65,9 @@ database_store_gmt = "yes"
|
||||
; after having bound with ldap_admin_binddn and ldap_admin_password.
|
||||
; The binddn found is used for subsequent binding for authentication.
|
||||
; ldap_userid_format is unused in this mode.
|
||||
;
|
||||
; if you want to specify multiple attributes in ldap_insider_attribute_names
|
||||
; separate them with a space.
|
||||
;------------------------------------------------------------------------------
|
||||
ldap_server_uri = "ldap://127.0.0.1:389"
|
||||
ldap_server_protocol_version = "3"
|
||||
@ -76,7 +79,7 @@ ldap_admin_password = "admin-password"
|
||||
ldap_userid_search_filter = "(uid=${userid})"
|
||||
ldap_userid_search_base = "ou=users,dc=codepot,dc=org"
|
||||
ldap_mail_attribute_name = ""
|
||||
ldap_insider_attribute_name = ""
|
||||
ldap_insider_attribute_names = "mssfu30posixmemberof memberof"
|
||||
ldap_insider_attribute_value = ""
|
||||
|
||||
;------------------------------------------------------------------------------
|
||||
|
@ -65,7 +65,7 @@ sub get_config
|
||||
ldap_admin_password => $cfg->param ('ldap_admin_password'),
|
||||
ldap_userid_search_base => $cfg->param ('ldap_userid_search_base'),
|
||||
ldap_userid_search_filter => $cfg->param ('ldap_userid_search_filter'),
|
||||
ldap_insider_attribute_name => $cfg->param ('ldap_insider_attribute_name'),
|
||||
ldap_insider_attribute_names => $cfg->param ('ldap_insider_attribute_names'),
|
||||
ldap_insider_attribute_value => $cfg->param ('ldap_insider_attribute_value'),
|
||||
|
||||
database_hostname => $cfg->param ('database_hostname'),
|
||||
@ -159,23 +159,38 @@ sub authenticate_ldap
|
||||
}
|
||||
|
||||
my $authenticated = 1;
|
||||
if ($cfg->{ldap_insider_attribute_name} ne '' && $cfg->{ldap_insider_attribute_value} ne '')
|
||||
if ($cfg->{ldap_insider_attribute_names} ne '' && $cfg->{ldap_insider_attribute_value} ne '')
|
||||
{
|
||||
my $f_filter = '(' . $cfg->{ldap_insider_attribute_name} . '=*)';
|
||||
$res = $ldap->search (base => $binddn, scope => 'base', filter => $f_filter, [ $cfg->{ldap_insider_attribute_name} ]);
|
||||
my $attr_str = $cfg->{ldap_insider_attribute_names};
|
||||
$attr_str =~ s/^\s+|\s+$//g;
|
||||
my @attrs = split (/\s+/, $attr_str);
|
||||
|
||||
if (scalar(@attrs) > 0)
|
||||
{
|
||||
#my $f_filter = '(' . $cfg->{ldap_insider_attribute_name} . '=*)';
|
||||
my $f_filter = '(objectClass=*)';
|
||||
|
||||
$res = $ldap->search (base => $binddn, scope => 'base', filter => $f_filter, @attrs);
|
||||
if ($res->code == LDAP_SUCCESS)
|
||||
{
|
||||
search_loop:
|
||||
foreach my $entry ($res->entries)
|
||||
{
|
||||
my @va = $entry->get_value($cfg->{ldap_insider_attribute_name});
|
||||
foreach my $a (@attrs)
|
||||
{
|
||||
my @va = $entry->get_value($a);
|
||||
foreach my $v (@va)
|
||||
{
|
||||
if (lc($v) eq lc($cfg->{ldap_insider_attribute_value}))
|
||||
{
|
||||
$authenticated = 2;
|
||||
last;
|
||||
last search_loop;
|
||||
}
|
||||
}
|
||||
if ($authenticated >= 2) last;
|
||||
}
|
||||
}
|
||||
$res->abandon();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -30,11 +30,18 @@ class Code extends Controller
|
||||
{
|
||||
$userid = $login['id'];
|
||||
|
||||
if ($userid != '' && $login['sysadmin?']) return TRUE;
|
||||
if ($userid != '')
|
||||
{
|
||||
if ($login['sysadmin?']) return TRUE;
|
||||
if ($pm->projectHasMember($projectid, $userid)) return TRUE;
|
||||
}
|
||||
|
||||
if ($pm->projectIsPublic($projectid))
|
||||
{
|
||||
if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'anonymous') == 0) return TRUE;
|
||||
if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'anonymous') == 0)
|
||||
{
|
||||
return TRUE;
|
||||
}
|
||||
else if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'authenticated') == 0)
|
||||
{
|
||||
if ($userid != '') return TRUE;
|
||||
@ -43,15 +50,10 @@ class Code extends Controller
|
||||
{
|
||||
if ($userid != '' && $login['insider?']) return TRUE;
|
||||
}
|
||||
else if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'member') == 0)
|
||||
{
|
||||
if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
// non-public project.
|
||||
if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
|
||||
//else if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'member') == 0)
|
||||
//{
|
||||
// if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
|
||||
//}
|
||||
}
|
||||
|
||||
return FALSE;
|
||||
@ -59,10 +61,13 @@ class Code extends Controller
|
||||
|
||||
private function _can_write ($pm, $projectid, $login)
|
||||
{
|
||||
if ($login['sysadmin?']) return TRUE;
|
||||
|
||||
$userid = $login['id'];
|
||||
if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
|
||||
if ($userid != '')
|
||||
{
|
||||
if ($login['sysadmin?']) return TRUE;
|
||||
if ($pm->projectHasMember($projectid, $userid)) return TRUE;
|
||||
}
|
||||
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
|
@ -22,12 +22,18 @@ class File extends Controller
|
||||
private function _can_read ($pm, $projectid, $login)
|
||||
{
|
||||
$userid = $login['id'];
|
||||
|
||||
if ($userid != '' && $login['sysadmin?']) return TRUE;
|
||||
if ($userid != '')
|
||||
{
|
||||
if ($login['sysadmin?']) return TRUE;
|
||||
if ($pm->projectHasMember($projectid, $userid)) return TRUE;
|
||||
}
|
||||
|
||||
if ($pm->projectIsPublic($projectid))
|
||||
{
|
||||
if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'anonymous') == 0) return TRUE;
|
||||
if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'anonymous') == 0)
|
||||
{
|
||||
return TRUE;
|
||||
}
|
||||
else if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'authenticated') == 0)
|
||||
{
|
||||
if ($userid != '') return TRUE;
|
||||
@ -36,15 +42,10 @@ class File extends Controller
|
||||
{
|
||||
if ($userid != '' && $login['insider?']) return TRUE;
|
||||
}
|
||||
else if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'member') == 0)
|
||||
{
|
||||
if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
// non-public project.
|
||||
if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
|
||||
//else if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'member') == 0)
|
||||
//{
|
||||
// if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
|
||||
//}
|
||||
}
|
||||
|
||||
return FALSE;
|
||||
@ -52,10 +53,13 @@ class File extends Controller
|
||||
|
||||
private function _can_write ($pm, $projectid, $login)
|
||||
{
|
||||
if ($login['sysadmin?']) return TRUE;
|
||||
|
||||
$userid = $login['id'];
|
||||
if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
|
||||
if ($userid != '')
|
||||
{
|
||||
if ($login['sysadmin?']) return TRUE;
|
||||
if ($pm->projectHasMember($projectid, $userid)) return TRUE;
|
||||
}
|
||||
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
|
@ -88,8 +88,9 @@ class LdapLoginModel extends LoginModel
|
||||
$email = '';
|
||||
if (CODEPOT_LDAP_MAIL_ATTRIBUTE_NAME != '')
|
||||
{
|
||||
$filter = '(' . CODEPOT_LDAP_MAIL_ATTRIBUTE_NAME . '=*)';
|
||||
$r = @ldap_search ($ldap, $f_userid, $filter, array(CODEPOT_LDAP_MAIL_ATTRIBUTE_NAME));
|
||||
//$filter = '(' . CODEPOT_LDAP_MAIL_ATTRIBUTE_NAME . '=*)';
|
||||
$filter = '(objectClass=*)';
|
||||
$r = @ldap_read ($ldap, $f_userid, $filter, array(CODEPOT_LDAP_MAIL_ATTRIBUTE_NAME));
|
||||
if ($r !== FALSE)
|
||||
{
|
||||
$e = @ldap_get_entries($ldap, $r);
|
||||
@ -103,13 +104,17 @@ class LdapLoginModel extends LoginModel
|
||||
}
|
||||
|
||||
$insider = FALSE;
|
||||
if (CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME != '' && CODEPOT_LDAP_INSIDER_ATTRIBUTE_VALUE != '')
|
||||
if (CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAMES != '' && CODEPOT_LDAP_INSIDER_ATTRIBUTE_VALUE != '')
|
||||
{
|
||||
$filter = '(' . CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME . '=*)';
|
||||
$r = @ldap_search ($ldap, $f_userid, $filter, array(CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME));
|
||||
$attr_str = trim(CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAMES);
|
||||
$attrs = preg_split ("/[[:space:]]+/", $attr_str);
|
||||
|
||||
if (count($attrs) > 0)
|
||||
{
|
||||
$filter = '(objectClass=*)';
|
||||
$r = @ldap_read ($ldap, $f_userid, $filter, $attrs);
|
||||
if ($r !== FALSE)
|
||||
{
|
||||
|
||||
/* SAMPLE LDAP RESULT
|
||||
array(2) {
|
||||
["count"]=> int(1)
|
||||
@ -140,11 +145,11 @@ class LdapLoginModel extends LoginModel
|
||||
{
|
||||
for ($i = 0; $i < $ec; $i++)
|
||||
{
|
||||
if (array_key_exists($i, $e) &&
|
||||
array_key_exists(CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME, $e[$i]))
|
||||
foreach ($attrs as $a)
|
||||
{
|
||||
$va = $e[$i][CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME];
|
||||
|
||||
if (array_key_exists($i, $e) && array_key_exists($a, $e[$i]))
|
||||
{
|
||||
$va = $e[$i][$a];
|
||||
if (array_key_exists('count', $va) && ($vac = $va['count']) > 0)
|
||||
{
|
||||
for ($j = 0; $j < $vac; $j++)
|
||||
@ -152,12 +157,13 @@ class LdapLoginModel extends LoginModel
|
||||
if (strcasecmp($va[$j], CODEPOT_LDAP_INSIDER_ATTRIBUTE_VALUE) == 0)
|
||||
{
|
||||
$insider = TRUE;
|
||||
break;
|
||||
break 3;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if ($insider) break;
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -165,9 +171,6 @@ class LdapLoginModel extends LoginModel
|
||||
|
||||
//@ldap_unbind ($ldap);
|
||||
@ldap_close ($ldap);
|
||||
if ($insider) error_log ("$userid is insider");
|
||||
else error_log ("$userid is NOT insider");
|
||||
|
||||
return parent::authenticate ($userid, $password, $email, $insider);
|
||||
}
|
||||
|
||||
|
@ -80,7 +80,7 @@ function load_ini ($file)
|
||||
array ('ldap_userid_search_filter', 'string', '(uid=${userid})'),
|
||||
array ('ldap_userid_search_base', 'string', ''),
|
||||
array ('ldap_mail_attribute_name', 'string', ''),
|
||||
array ('ldap_insider_attribute_name', 'string', ''),
|
||||
array ('ldap_insider_attribute_names', 'string', ''),
|
||||
array ('ldap_insider_attribute_value', 'string', ''),
|
||||
|
||||
array ('svnrepo_dir', 'string', CODEPOT_DEPOT_DIR.'/svnrepo'),
|
||||
|
Loading…
Reference in New Issue
Block a user