From f0ea8c5ba414c829edeaacf544918c46c351c54a Mon Sep 17 00:00:00 2001 From: Jonathan Creasy Date: Thu, 20 Sep 2012 22:38:33 -0700 Subject: [PATCH 1/5] adding LDAP authentication support --- application/config/rest.php | 9 +- application/libraries/REST_Controller.php | 103 ++++++++++++++++++++++ 2 files changed, 108 insertions(+), 4 deletions(-) diff --git a/application/config/rest.php b/application/config/rest.php index c170bfd3..be454733 100644 --- a/application/config/rest.php +++ b/application/config/rest.php @@ -44,7 +44,7 @@ | | Is login required and if so, which type of login? | -| '' = no login required, 'basic' = unsecure login, 'digest' = more secure login +| '' = no login required, 'basic' = unsecure login, 'digest' = more secure login, 'ldap' = digest with ldap | */ $config['rest_auth'] = false; @@ -65,19 +65,20 @@ | $config['auth_override_class_method']['accounts']['user'] = 'basic'; | | Here 'deals' and 'accounts' are controller names, 'view', 'insert' and 'user' are methods within. (NOTE: leave off the '_get' or '_post' from the end of the method name) -| Acceptable values are; 'none', 'digest' and 'basic'. +| Acceptable values are; 'none', 'digest', 'ldap', and 'basic' | */ // $config['auth_override_class_method']['deals']['view'] = 'none'; // $config['auth_override_class_method']['deals']['insert'] = 'digest'; // $config['auth_override_class_method']['accounts']['user'] = 'basic'; +// $config['auth_override_class_method']['accounts']['create'] = 'ldap'; /* |-------------------------------------------------------------------------- | REST Login usernames |-------------------------------------------------------------------------- | -| Array of usernames and passwords for login +| Array of usernames and passwords for login, if ldap is configured this is ignored | | array('admin' => '1234') | 
@@ -290,4 +291,4 @@ $config['rest_ajax_only'] = FALSE; /* End of file config.php */ -/* Location: ./system/application/config/rest.php */ \ No newline at end of file +/* Location: ./system/application/config/rest.php */ diff --git a/application/libraries/REST_Controller.php b/application/libraries/REST_Controller.php index b0fdfddc..80157df4 100644 --- a/application/libraries/REST_Controller.php +++ b/application/libraries/REST_Controller.php @@ -109,6 +109,13 @@ abstract class REST_Controller extends CI_Controller */ protected $_zlib_oc = FALSE; + /** + * The LDAP Distinguished Name of the User post authentication + * + * @var string + */ + protected $_user_ldap_dn = '' + /** * List all supported methods, the first will be the default format * 
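Review bot: The new property declaration `protected $_user_ldap_dn = ''` in the @@ -109 hunk of REST_Controller.php has no terminating semicolon, so the file no longer parses and every controller extending REST_Controller breaks, not only installs that use LDAP. It should read `protected $_user_ldap_dn = '';`. Since `_perform_ldap_auth` only assigns it on a successful user bind, the docblock could also state that it stays empty until an LDAP login has succeeded.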
@@ -909,6 +916,94 @@ public function validation_errors() // SECURITY FUNCTIONS --------------------------------------------------------- + /** + * Perform LDAP Authentication + * + * @param string $username The username to validate + * @param string $password The password to validate + * @return boolean + */ + protected function _perform_ldap_auth($username = '', $password = NULL) + { + if (empty($username)) + { + log_message('debug', 'LDAP Auth: failure, empty username'); + return false; + } + + log_message('debug', 'LDAP Auth: Loading Config'); + + $this->config->load('ldap.php', true); + + $ldaptimeout = $this->config->item('timeout', 'ldap'); + $ldaphost = $this->config->item('server', 'ldap'); + $ldapport = $this->config->item('port', 'ldap'); + $ldaprdn = $this->config->item('binduser', 'ldap'); + $ldappass = $this->config->item('bindpw', 'ldap'); + $ldapbasedn = $this->config->item('basedn', 'ldap'); + + log_message('debug', 'LDAP Auth: Connect to ' . $ldaphost); + + $ldapconfig['authrealm'] = $this->config->item('domain', 'ldap'); + + // connect to ldap server + $ldapconn = ldap_connect($ldaphost, $ldapport); + + if ($ldapconn) { + + log_message('debug', 'Setting timeout to ' . $ldaptimeout . ' seconds'); + + ldap_set_option($ldapconn, LDAP_OPT_NETWORK_TIMEOUT, $ldaptimeout); + + log_message('debug', 'LDAP Auth: Binding to ' . $ldaphost . ' with dn ' . $ldaprdn); + + // binding to ldap server + $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass); + + // verify binding + if ($ldapbind) { + log_message('debug', 'LDAP Auth: bind successful'); + } else { + log_message('error', 'LDAP Auth: bind unsuccessful'); + return false; + } + + } + + // search for user + if (($res_id = ldap_search( $ldapconn, $ldapbasedn, "uid=$username")) == false) { + log_message('error', 'LDAP Auth: User ' . $username . ' not found in search'); + return false; + } + + if (ldap_count_entries($ldapconn, $res_id) != 1) { + log_message('error', 'LDAP Auth: failure, username ' . 
$username . 'found more than once'); + return false; + } + + if (( $entry_id = ldap_first_entry($ldapconn, $res_id))== false) { + log_message('error', 'LDAP Auth: failure, entry of searchresult could not be fetched'); + return false; + } + + if (( $user_dn = ldap_get_dn($ldapconn, $entry_id)) == false) { + log_message('error', 'LDAP Auth: failure, user-dn could not be fetched'); + return false; + } + + // User found, could not authenticate as user + if (($link_id = ldap_bind($ldapconn, $user_dn, $password)) == false) { + log_message('error', 'LDAP Auth: failure, username/password did not match: ' . $user_dn); + return false; + } + + log_message('debug', 'LDAP Auth: Success ' . $user_dn . ' authenticated successfully'); + + $this->_user_ldap_dn = $user_dn; + ldap_close($ldapconn); + return true; + } + /** * Check if the user is logged in. * @@ -923,6 +1018,14 @@ protected function _check_login($username = '', $password = NULL) return FALSE; } + $auth_source = strtolower($this-config->item('auth_source')); + + if ($auth_source == 'ldap') + { + log_message('debug', 'performing LDAP authentication for $username'); + return $this->_perform_ldap_auth($username, $password); + } + $valid_logins = & $this->config->item('rest_valid_logins'); if ( ! array_key_exists($username, $valid_logins)) From bcacdfde352d667557244315dd31ce8cf8b3e176 Mon Sep 17 00:00:00 2001 From: Jonathan Creasy Date: Thu, 20 Sep 2012 22:45:42 -0700 Subject: [PATCH 2/5] adding LDAP authentication support --- application/config/ldap.php | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100755 application/config/ldap.php diff --git a/application/config/ldap.php b/application/config/ldap.php new file mode 100755 index 00000000..2293c132 --- /dev/null +++ b/application/config/ldap.php @@ -0,0 +1,21 @@ + From 8957763012be5a3470305e45833c8b1a7f48a1da Mon Sep 17 00:00:00 2001 
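Review bot: `_perform_ldap_auth` validates only that the username is non-empty and then binds as the user with whatever `$password` it received, including the `NULL` default or an empty string; a simple bind with a DN and an empty password is an unauthenticated bind that many directories accept, so the guard at the top of the function needs to reject an empty password as well, before any server contact. The search filter is built as `"uid=$username"` from the caller-supplied name, so filter syntax in that name changes the query; build it with `ldap_escape($username, '', LDAP_ESCAPE_FILTER)` (or reject names that are not plain identifiers) so the value is matched literally. When `ldap_connect` returns false the `if ($ldapconn)` block is skipped and execution falls through to `ldap_search` on a non-resource instead of reporting the connection failure, and `ldap_close` is reached only on the success path, so the connection is left open on every failure return. `$ldapconfig['authrealm']` is assigned but never read and can be dropped.
```php
protected function _perform_ldap_auth($username = '', $password = NULL)
{
    if (empty($username) || empty($password))
    {
        // An empty password would be sent as an unauthenticated bind, which
        // directories may accept, so refuse it before contacting the server.
        log_message('debug', 'LDAP Auth: failure, empty username or password');
        return false;
    }

    // … unchanged: config loading …

    $ldapconn = ldap_connect($ldaphost, $ldapport);

    if ( ! $ldapconn)
    {
        log_message('error', 'LDAP Auth: could not connect to ' . $ldaphost);
        return false;
    }

    // … unchanged: timeout option and service-account bind …

    // Escape the supplied name so it is matched literally, not as filter syntax.
    $filter = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER);

    if (($res_id = ldap_search($ldapconn, $ldapbasedn, $filter)) === false)
    {
        log_message('error', 'LDAP Auth: User ' . $username . ' not found in search');
        ldap_close($ldapconn);
        return false;
    }

    // … unchanged: entry count, DN lookup, user bind and success path (each failure return should also ldap_close) …
}
```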
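Review bot: `$this-config->item('auth_source')` in the new `_check_login` lines is missing the `>` of the object operator, so PHP reads it as `$this - config->item(...)` and the LDAP branch can never be selected; it should be `$auth_source = strtolower($this->config->item('auth_source'));`. The debug message is single-quoted, so `$username` is logged literally rather than interpolated; use `"performing LDAP authentication for {$username}"` or a concatenation. Note also that `auth_source` is only added to rest.php by patch 3 of this series, so patch 1 on its own reads a key the config does not define. `_check_login` begins and ends outside this hunk.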
From: Jonathan Creasy Date: Thu, 20 Sep 2012 23:03:14 -0700 Subject: [PATCH 3/5] adding LDAP authentication support --- application/config/rest.php | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/application/config/rest.php b/application/config/rest.php index be454733..10efde4e 100644 --- a/application/config/rest.php +++ b/application/config/rest.php @@ -44,11 +44,23 @@ | | Is login required and if so, which type of login? | -| '' = no login required, 'basic' = unsecure login, 'digest' = more secure login, 'ldap' = digest with ldap +| '' = no login required, 'basic' = unsecure login, 'digest' = more secure login | */ $config['rest_auth'] = false; +/* +|-------------------------------------------------------------------------- +| REST Login +|-------------------------------------------------------------------------- +| +| Is login required and if so, which user store do we use? +| +| '' = use config based users, 'ldap' = use LDAP authencation +| +*/ +$config['auth_source'] = 'ldap'; + /* |-------------------------------------------------------------------------- | Override auth types for specific class/method @@ -65,13 +77,12 @@ | $config['auth_override_class_method']['accounts']['user'] = 'basic'; | | Here 'deals' and 'accounts' are controller names, 'view', 'insert' and 'user' are methods within. (NOTE: leave off the '_get' or '_post' from the end of the method name) -| Acceptable values are; 'none', 'digest', 'ldap', and 'basic' +| Acceptable values are; 'none', 'digest', and 'basic' | */ // $config['auth_override_class_method']['deals']['view'] = 'none'; // $config['auth_override_class_method']['deals']['insert'] = 'digest'; // $config['auth_override_class_method']['accounts']['user'] = 'basic'; -// $config['auth_override_class_method']['accounts']['create'] = 'ldap'; /* |-------------------------------------------------------------------------- From 9876980cb774a984664fb046c7398c5d4ab7011a Mon Sep 17 00:00:00 2001 
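Review bot: The new `$config['auth_source'] = 'ldap';` makes LDAP the shipped default even though the comment directly above documents `''` as the existing config-based user store; any deployment that picks up this file without an `ldap.php` of its own will have `_check_login` routed to `_perform_ldap_auth`, which attempts to load that config. The default should be `$config['auth_source'] = '';` so that switching to LDAP is an explicit opt-in. The comment line also has a typo: `'ldap' = use LDAP authentication`.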
From: Jonathan Creasy Date: Thu, 20 Sep 2012 23:04:04 -0700 Subject: [PATCH 4/5] adding LDAP authentication support --- application/config/rest.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/application/config/rest.php b/application/config/rest.php index 10efde4e..36207f94 100644 --- a/application/config/rest.php +++ b/application/config/rest.php @@ -77,7 +77,7 @@ | $config['auth_override_class_method']['accounts']['user'] = 'basic'; | | Here 'deals' and 'accounts' are controller names, 'view', 'insert' and 'user' are methods within. (NOTE: leave off the '_get' or '_post' from the end of the method name) -| Acceptable values are; 'none', 'digest', and 'basic' +| Acceptable values are; 'none', 'digest' and 'basic' | */ // $config['auth_override_class_method']['deals']['view'] = 'none'; From 44f5959bef6c015e555b181016f8566ca24f2d73 Mon Sep 17 00:00:00 2001 From: Jonathan Creasy Date: Thu, 20 Sep 2012 23:05:49 -0700 Subject: [PATCH 5/5] adding LDAP authentication support --- application/config/rest.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/application/config/rest.php b/application/config/rest.php index 36207f94..144ecfac 100644 --- a/application/config/rest.php +++ b/application/config/rest.php @@ -77,7 +77,7 @@ | $config['auth_override_class_method']['accounts']['user'] = 'basic'; | | Here 'deals' and 'accounts' are controller names, 'view', 'insert' and 'user' are methods within. (NOTE: leave off the '_get' or '_post' from the end of the method name) -| Acceptable values are; 'none', 'digest' and 'basic' +| Acceptable values are; 'none', 'digest' and 'basic'. | */ // $config['auth_override_class_method']['deals']['view'] = 'none';