Merge pull request chriskacerguis#149 from johann8384/master

adding LDAP support
yenkuan · Jan 7, 2013 · 1ac3c05 · 1ac3c05
2 parents 07ac2e6 + 44f5959
commit 1ac3c05
Show file tree

Hide file tree

Showing 3 changed files with 138 additions and 2 deletions.
diff --git a/application/config/ldap.php b/application/config/ldap.php
@@ -0,0 +1,21 @@
+<?php
+
+$config['binduser'] = 'cn=Authentication,ou=Services,dc=example,dc=org';
+$config['basedn'] = 'dc=example,dc=org';
+$config['bindpw'] = 'E984asdy2';
+
+/*
+ * The host name parameter can be a space separated list of host names.
+ * This means that the LDAP code will talk to a backup server if the main server is not operational.
+ * There will be a delay while the code times out trying to talk to the main server but things will still work.
+*/
+
+$config['server'] = 'ldapserver1.example.org ldapserver2.example.org';
+$config['port'] = NULL;
+
+/*
+ * Controls the LDAP_OPT_NETWORK_TIMEOUT option, this is how long the code will attempt to talk to the primary server if it is unreachable.
+ */
+
+$config['timeout'] = 5;
+?>
diff --git a/application/config/rest.php b/application/config/rest.php
@@ -61,6 +61,18 @@
 */
 $config['rest_auth'] = false;
 
+/*
+|--------------------------------------------------------------------------
+| REST Login
+|--------------------------------------------------------------------------
+|
+| Is login required and if so, which user store do we use?
+|
+| '' = use config based users, 'ldap' = use LDAP authencation
+|
+*/
+$config['auth_source'] = 'ldap';
+
 /*
 |--------------------------------------------------------------------------
 | Override auth types for specific class/method
@@ -89,7 +101,7 @@
 | REST Login usernames
 |--------------------------------------------------------------------------
 |
-| Array of usernames and passwords for login
+| Array of usernames and passwords for login, if ldap is configured this is ignored
 |
 |	array('admin' => '1234')
 |
@@ -315,4 +327,4 @@
 $config['rest_ajax_only'] = FALSE;
 
 /* End of file config.php */
-/* Location: ./system/application/config/rest.php */
+/* Location: ./system/application/config/rest.php */
diff --git a/application/libraries/REST_Controller.php b/application/libraries/REST_Controller.php
@@ -109,6 +109,13 @@ abstract class REST_Controller extends CI_Controller
 	 */
 	protected $_zlib_oc = FALSE;
 
+	/**
+	 * The LDAP Distinguished Name of the User post authentication
+	 *
+	 * @var string
+	*/
+	protected $_user_ldap_dn = ''
+
 	/**
 	 * List all supported methods, the first will be the default format
 	 *
@@ -963,6 +970,94 @@ public function validation_errors()
 
 	// SECURITY FUNCTIONS ---------------------------------------------------------
 
+	/**
+	 * Perform LDAP Authentication
+	 *
+	 * @param string $username The username to validate
+	 * @param string $password The password to validate
+	 * @return boolean
+	 */
+	protected function _perform_ldap_auth($username = '', $password = NULL)
+	{
+		if (empty($username))
+		{
+			log_message('debug', 'LDAP Auth: failure, empty username');
+			return false;
+		}
+
+		log_message('debug', 'LDAP Auth: Loading Config');
+
+		$this->config->load('ldap.php', true);
+
+		$ldaptimeout = $this->config->item('timeout', 'ldap');
+		$ldaphost = $this->config->item('server', 'ldap');
+		$ldapport = $this->config->item('port', 'ldap');
+		$ldaprdn = $this->config->item('binduser', 'ldap');
+		$ldappass = $this->config->item('bindpw', 'ldap');
+		$ldapbasedn = $this->config->item('basedn', 'ldap');
+
+		log_message('debug', 'LDAP Auth: Connect to ' . $ldaphost);
+
+		$ldapconfig['authrealm'] = $this->config->item('domain', 'ldap');
+
+		// connect to ldap server
+		$ldapconn = ldap_connect($ldaphost, $ldapport);
+
+		if ($ldapconn) {
+
+			log_message('debug', 'Setting timeout to ' . $ldaptimeout . ' seconds');
+
+			ldap_set_option($ldapconn, LDAP_OPT_NETWORK_TIMEOUT, $ldaptimeout);
+
+			log_message('debug', 'LDAP Auth: Binding to ' . $ldaphost . ' with dn ' . $ldaprdn);
+
+			// binding to ldap server
+			$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
+
+			// verify binding
+			if ($ldapbind) {
+				log_message('debug', 'LDAP Auth: bind successful');
+			} else {
+				log_message('error', 'LDAP Auth: bind unsuccessful');
+				return false;
+			}
+
+		}
+
+		// search for user
+		if (($res_id = ldap_search( $ldapconn, $ldapbasedn, "uid=$username")) == false) {
+			log_message('error', 'LDAP Auth: User ' . $username . ' not found in search');
+			return false;
+		}
+
+		if (ldap_count_entries($ldapconn, $res_id) != 1) {
+			log_message('error', 'LDAP Auth: failure, username ' . $username . 'found more than once');
+			return false;
+		}
+
+		if (( $entry_id = ldap_first_entry($ldapconn, $res_id))== false) {
+			log_message('error', 'LDAP Auth: failure, entry of searchresult could not be fetched');
+			return false;
+		}
+
+		if (( $user_dn = ldap_get_dn($ldapconn, $entry_id)) == false) {
+			log_message('error', 'LDAP Auth: failure, user-dn could not be fetched');
+			return false;
+		}
+
+		// User found, could not authenticate as user
+		if (($link_id = ldap_bind($ldapconn, $user_dn, $password)) == false) {
+			log_message('error', 'LDAP Auth: failure, username/password did not match: ' . $user_dn);
+			return false;
+		}
+
+		log_message('debug', 'LDAP Auth: Success ' . $user_dn . ' authenticated successfully');
+
+		$this->_user_ldap_dn = $user_dn;
+		ldap_close($ldapconn);
+		return true;
+	}
+
 	/**
 	 * Check if the user is logged in.
 	 *
@@ -977,6 +1072,14 @@ protected function _check_login($username = '', $password = NULL)
 			return FALSE;
 		}
 
+		$auth_source = strtolower($this-config->item('auth_source'));
+
+		if ($auth_source == 'ldap')
+		{
+			log_message('debug', 'performing LDAP authentication for $username');
+			return $this->_perform_ldap_auth($username, $password);
+		}
+
 		$valid_logins = & $this->config->item('rest_valid_logins');
 
 		if ( ! array_key_exists($username, $valid_logins))