Commit 3a7a969e428d8c876f8a317255f0499d616a3ea1
1 parent
55b13eb1
Merged in from DEV trunk...
KTS-2772 "CLONE -LDAP / Active Directory Authentication incorrect fields returned(SUP-521)" Fixed. Rearranged the attributes retrieved from either directory to match the user's fields correctly. Committed by: Megan Watson Reviewed by: Conrad Vermeulen git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/STABLE/branches/3.4.6-Release-Branch@7917 c91229c3-7414-0410-bfa2-8a42b809f60b
Showing
4 changed files
with
99 additions
and
29 deletions
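--- a/plugins/ktstandard/ldap/activedirectoryauthenticationprovider.inc.php
+++ b/plugins/ktstandard/ldap/activedirectoryauthenticationprovider.inc.php
@@ -34,20 +34,21 @@ require_once(KT_LIB_DIR . '/authentication/Authenticator.inc');
 require_once(KT_DIR . '/plugins/ktstandard/ldap/ldapbaseauthenticationprovider.inc.php');
 
 class KTActiveDirectoryAuthenticationProvider extends KTLDAPBaseAuthenticationProvider {
-var $sNamespace = "ktstandard.authentication.adprovider";
+var $sNamespace = 'ktstandard.authentication.adprovider';
 
 var $bGroupSource = true;
 
-var $sAuthenticatorClass = "KTActiveDirectoryAuthenticator";
-var $aAttributes = array ("cn", "samaccountname", "givenname", "sn", "userprincipalname", "telephonenumber");
+var $sAuthenticatorClass = 'KTActiveDirectoryAuthenticator';
+var $aAttributes = array ('cn', 'samaccountname', 'givenname', 'sn', 'mail', 'telephonenumber', 'userprincipalname');
 
 function KTActiveDirectoryAuthenticationProvider() {
-$this->sName = _kt("ActiveDirectory authentication provider");
+$this->sName = _kt('ActiveDirectory authentication provider');
 parent::KTLDAPBaseAuthenticationProvider();
 }
 }
 
 class KTActiveDirectoryAuthenticator extends KTLDAPBaseAuthenticator {
-var $aAttributes = array ("cn", "samaccountname", "givenname", "sn", "userprincipalname", "telephonenumber");
+var $aAttributes = array ('cn', 'samaccountname', 'givenname', 'sn', 'mail', 'telephonenumber', 'userprincipalname');
 }
 
+?>
\ No newline at end of file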
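Review bot: The new trailing `?>` on the last line of this include file (the same closing tag is added to ldapauthenticationprovider.inc.php and ldapbaseauthenticationprovider.inc.php in this commit) is unnecessary in a PHP-only file and is a well-known hazard: any whitespace or newline that later lands after it is sent as output before headers, which breaks the redirects these providers depend on (`successRedirectTo`, `errorRedirectToMain`). The `\ No newline at end of file` marker shows it is harmless at this exact revision, but one editor save that appends a newline changes that. I would drop the closing tag in all three files and end each file after its last `}`.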
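--- a/plugins/ktstandard/ldap/ldapauthenticationprovider.inc.php
+++ b/plugins/ktstandard/ldap/ldapauthenticationprovider.inc.php
@@ -35,19 +35,20 @@ require_once('Net/LDAP.php');
 require_once(KT_DIR . '/plugins/ktstandard/ldap/ldapbaseauthenticationprovider.inc.php');
 
 class KTLDAPAuthenticationProvider extends KTLDAPBaseAuthenticationProvider {
-var $sNamespace = "ktstandard.authentication.ldapprovider";
+var $sNamespace = 'ktstandard.authentication.ldapprovider';
 
-var $aAttributes = array ("cn", "uid", "givenname", "sn", "mail", "mobile");
-var $sAuthenticatorClass = "KTLDAPAuthenticator";
+var $aAttributes = array ('cn', 'samaccountname', 'givenname', 'sn', 'mail', 'mobile', 'userprincipalname', 'uid');
+var $sAuthenticatorClass = 'KTLDAPAuthenticator';
 
 function KTLDAPAuthenticationProvider() {
-$this->sName = _kt("LDAP authentication provider");
+$this->sName = _kt('LDAP authentication provider');
 parent::KTLDAPBaseAuthenticationProvider();
 }
 
 }
 
 class KTLDAPAuthenticator extends KTLDAPBaseAuthenticator {
-var $aAttributes = array ("cn", "uid", "givenname", "sn", "mail", "mobile");
+var $aAttributes = array ('cn', 'samaccountname', 'givenname', 'sn', 'mail', 'mobile', 'userprincipalname', 'uid');
 }
 
+?>
\ No newline at end of file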
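Review bot: Moving `uid` to index 7 of `$aAttributes` in both `KTLDAPAuthenticationProvider` and `KTLDAPAuthenticator` takes it out of the username lookup: the base class changed in this same commit (ldapbaseauthenticationprovider.inc.php) reads `$this->aAttributes[1]` (`samaccountname`) and falls back only to `$this->aAttributes[6]` (`userprincipalname`), and none of the hunks shown read index 7. A plain LDAP directory of the kind the default object classes suggest (`inetOrgPerson`, `posixAccount`) usually carries neither attribute, so for this provider's users the resolved username would presumably come out empty, where the previous list put `uid` at index 1 and resolved it directly. If `uid` is meant to stay the primary username for this provider, keep it at index 1 here (`array ('cn', 'uid', 'givenname', 'sn', 'mail', 'mobile', 'userprincipalname', 'samaccountname')`), or have the base class try `uid` as a further fallback before accepting an empty name.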
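--- a/plugins/ktstandard/ldap/ldapbaseauthenticationprovider.inc.php
+++ b/plugins/ktstandard/ldap/ldapbaseauthenticationprovider.inc.php
@@ -33,11 +33,11 @@ require_once(KT_LIB_DIR . '/authentication/authenticationprovider.inc.php');
 require_once(KT_LIB_DIR . '/authentication/Authenticator.inc');
 
 class KTLDAPBaseAuthenticationProvider extends KTAuthenticationProvider {
-var $sName = "LDAP authentication provider";
-var $sNamespace = "ktstandard.authentication.ldapprovider";
+var $sName = 'LDAP authentication provider';
+var $sNamespace = 'ktstandard.authentication.ldapprovider';
 
-var $aAttributes = array ("cn", "uid", "givenname", "sn", "mail", "mobile");
-var $aMembershipAttributes = array ("memberOf");
+var $aAttributes = array ('cn', 'samaccountname', 'givenname', 'sn', 'mail', 'mobile', 'userprincipalname', 'uid');
+var $aMembershipAttributes = array ('memberOf');
 
 // {{{ KTLDAPBaseAuthenticationProvider
 function KTLDAPBaseAuthenticationProvider() {
@@ -146,6 +146,7 @@ class KTLDAPBaseAuthenticationProvider extends KTAuthenticationProvider {
 if (empty($aConfig)) {
 $aConfig = array('serverport'=>389);
 }
+
 $aConfig['searchattributes'] = KTUtil::arrayGet($aConfig, 'searchattributes', split(',', 'cn,mail,sAMAccountName'));
 $aConfig['objectclasses'] = KTUtil::arrayGet($aConfig, 'objectclasses', split(',', 'user,inetOrgPerson,posixAccount'));
 $fields = array();
@@ -210,6 +211,44 @@ class KTLDAPBaseAuthenticationProvider extends KTAuthenticationProvider {
 }
 $oSource->setConfig(serialize($aConfig));
 $res = $oSource->update();
+
+//force a commit here to keep any data entered into the fields
+//when redirected to the do_editSourceProvider function above the $oSource object will
+//now contain the information entered by the user.
+if ($this->bTransactionStarted) {
+$this->commitTransaction();
+}
+
+$aErrorOptions = array(
+'redirect_to' => array('editSourceProvider', sprintf('source_id=%d', $oSource->getId())),
+);
+$aErrorOptions['message'] = _kt("No server name provided");
+$sName = KTUtil::arrayGet($_REQUEST, 'servername');
+$sName = $this->oValidator->validateString($sName, $aErrorOptions);
+
+$aErrorOptions['message'] = _kt("No Base DN provided");
+$sName = KTUtil::arrayGet($_REQUEST, 'basedn');
+$sName = $this->oValidator->validateString($sName, $aErrorOptions);
+
+$aErrorOptions['message'] = _kt("No Search User provided");
+$sName = KTUtil::arrayGet($_REQUEST, 'searchuser');
+$sName = $this->oValidator->validateString($sName, $aErrorOptions);
+
+$aErrorOptions['message'] = _kt("No Search Password provided");
+$sName = KTUtil::arrayGet($_REQUEST, 'searchpassword');
+$sName = $this->oValidator->validateString($sName, $aErrorOptions);
+
+$aErrorOptions['message'] = _kt("No Search Attributes provided");
+$sName = KTUtil::arrayGet($_REQUEST, 'searchattributes_nls');
+$sName = $this->oValidator->validateString($sName, $aErrorOptions);
+
+$aErrorOptions['message'] = _kt("No Object Classes provided");
+$sName = KTUtil::arrayGet($_REQUEST, 'objectclasses_nls');
+$sName = $this->oValidator->validateString($sName, $aErrorOptions);
+
+
+
+
 $this->successRedirectTo('viewsource', _kt("Configuration updated"), 'source_id=' . $oSource->getId());
 }
 // }}}
@@ -236,10 +275,13 @@ class KTLDAPBaseAuthenticationProvider extends KTAuthenticationProvider {
 $this->oValidator->notError($aResults);
 
 $sUserName = $aResults[$this->aAttributes[1]];
-// With LDAP, if the 'uid' is null then try using the 'givenname' instead.
-// See activedirectoryauthenticationprovider.inc.php and ldapauthenticationprovider.inc.php for details.
-if($this->sAuthenticatorClass == "KTLDAPAuthenticator" && empty($sUserName)) {
-$sUserName = strtolower($aResults[$this->aAttributes[2]]);
+
+// If the SAMAccountName is empty then use the UserPrincipalName (UPN) to find the username.
+// The UPN is normally the username @ the internet domain
+if(empty($sUserName)) {
+$sUpn = $aResults[$this->aAttributes[6]];
+$aUpn = explode('@', $sUpn);
+$sUserName = $aUpn[0];
 }
 
 $fields = array();
@@ -272,7 +314,7 @@ class KTLDAPBaseAuthenticationProvider extends KTAuthenticationProvider {
 if (empty($name)) { $this->errorRedirectToMain(_kt('You must specify a name for the user.')); }
 $username = KTUtil::arrayGet($_REQUEST, 'ldap_username');
 if (empty($username)) { $this->errorRedirectToMain(_kt('You must specify a new username.')); }
-
+
 $dupUser =& User::getByUserName($username);
 if(!PEAR::isError($dupUser)) {
 $this->errorRedirectToMain(_kt("A user with that username already exists"));
@@ -297,7 +339,7 @@ class KTLDAPBaseAuthenticationProvider extends KTAuthenticationProvider {
 "authenticationdetails2" => $samaccountname,
 "password" => "",
 ));
-
+
 if (PEAR::isError($oUser) || ($oUser == false)) {
 $this->errorRedirectToMain(_kt("failed to create user") . ": " . $oUser->message);
 exit(0);
@@ -314,7 +356,7 @@ class KTLDAPBaseAuthenticationProvider extends KTAuthenticationProvider {
 $oSource =& KTAuthenticationSource::get($_REQUEST['source_id']);
 $oAuthenticator = $this->getAuthenticator($oSource);
 $aNames = array();
-
+
 foreach ($aIds as $sId) {
 $aResults = $oAuthenticator->getUser($sId);
 $dn = $sId;
@@ -394,16 +436,33 @@ class KTLDAPBaseAuthenticationProvider extends KTAuthenticationProvider {
 }
 
 if (is_array($aSearchResults)) {
-foreach (array_keys($aSearchResults) as $k) {
+$aSearchResultsKeys = array_keys($aSearchResults);
+$aSearchDNs = array();
+foreach ($aSearchResultsKeys as $k) {
 if (is_array($aSearchResults[$k]['cn'])) {
 $aSearchResults[$k]['cn'] = $aSearchResults[$k]['cn'][0];
 }
+$aSearchDNs[$k] = "'".$aSearchResults[$k]['dn']."'";
+}
+
+$sDNs = implode(',', $aSearchDNs);
+$query = "SELECT id, authentication_details_s1 AS dn FROM users
+WHERE authentication_details_s1 IN ($sDNs)";
+$aCurUsers = DBUtil::getResultArray($query);
+
+// If the user has already been added, then remove from the list
+if(!PEAR::isError($aCurUsers) && !empty($aCurUsers)){
+foreach($aCurUsers as $item){
+$key = array_search("'".$item['dn']."'", $aSearchDNs);
+$aKeys[] = $key;
+unset($aSearchResults[$key]);
+}
 }
 }
 }
 
 $massimport = KTUtil::arrayGet($_REQUEST, 'massimport');
-
+
 $aTemplateData = array(
 'context' => &$this,
 'fields' => $fields,
@@ -445,7 +504,7 @@ class KTLDAPBaseAuthenticationProvider extends KTAuthenticationProvider {
 $oAuthenticator = $this->getAuthenticator($oSource);
 $aSearchResults = $oAuthenticator->searchGroups($name);
 }
-
+
 $aTemplateData = array(
 'context' => &$this,
 'fields' => $fields,
@@ -467,7 +526,7 @@ class KTLDAPBaseAuthenticationProvider extends KTAuthenticationProvider {
 
 $oAuthenticator = $this->getAuthenticator($oSource);
 $aAttributes = $oAuthenticator->getGroup($id);
-
+
 $fields = array();
 $fields[] = new KTStaticTextWidget(_kt('LDAP DN'), _kt('The location of the group within the LDAP directory.'), 'dn', $aAttributes['dn'], $this->oPage);
 $fields[] = new KTStringWidget(_kt('Group Name'), sprintf(_kt('The name the group will enter to gain access to %s. e.g. <strong>accountants</strong>'), APP_NAME), 'ldap_groupname', $aAttributes['cn'], $this->oPage, true);
@@ -565,10 +624,18 @@ class KTLDAPBaseAuthenticationProvider extends KTAuthenticationProvider {
 }
 
 function _createSignupGroups($dn, $oSource) {
+
+$config = KTConfig::getSingleton();
+$createGroups = $config->get('ldapAuthentication/autoGroupCreation', true);
+if (!$createGroups)
+{
+return;
+}
+
 $oAuthenticator =& $this->getAuthenticator($oSource);
 $aGroupDNs = $oAuthenticator->getGroups($dn);
 if(PEAR::isError($aGroupDNs) || empty($aGroupDNs)) return;
-
+
 foreach ($aGroupDNs as $sGroupDN) {
 $oGroup = Group::getByAuthenticationSourceAndDetails($oSource, $sGroupDN);
 if (PEAR::isError($oGroup)) {
@@ -630,7 +697,7 @@ class KTLDAPBaseAuthenticator extends Authenticator {
 $this->bTls = KTUtil::arrayGet($aConfig, 'tls', false);
 
 if ($this->iLdapPort + 0 == 0) $this->iLdapPort=389; // some basic validation in case port is blank or 0
-
+
 require_once('Net/LDAP.php');
 $config = array(
 'dn' => $this->sSearchUser,
@@ -672,7 +739,7 @@ class KTLDAPBaseAuthenticator extends Authenticator {
 }
 
 function checkSignupPassword($sUsername, $sPassword) {
-
+
 if(empty($sPassword) || empty($sUsername)) {
 return false;
 }
@@ -891,3 +958,4 @@ class KTLDAPBaseAuthenticator extends Authenticator {
 }
 }
 
+?>
\ No newline at end of file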
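Review bot: In the `is_array($aSearchResults)` branch (hunk `@@ -394,16 +436,33 @@`) the new `IN ($sDNs)` query is built by wrapping each directory entry's `dn` in hand-written single quotes and concatenating it into the SQL, so a DN containing a `'` (legal in LDAP, e.g. a cn with an apostrophe) at best breaks the statement and at worst lets directory-supplied data change the query; the DN is controlled by the LDAP server, not by this application, so it has to be treated as untrusted input to the database layer. The same hunk also produces `IN ()` when the search returned an empty array, which is a SQL syntax error, compares `array_search(...)` results without `strict` and without checking for `false` (so a miss would `unset($aSearchResults[false])`), and writes `$aKeys[]` without ever reading it. I would collect the raw DNs, bind them as one `?` placeholder each through the array-form query that `DBUtil` accepts elsewhere in this codebase (confirm that this version supports it), and skip the lookup when there is nothing to look up; the enclosing method starts and ends outside the hunk.
```php
foreach ($aSearchResultsKeys as $k) {
    // … unchanged: flatten a multi-valued cn to its first value …
    $aSearchDNs[$k] = $aSearchResults[$k]['dn']; // raw DN; quoting is the DB layer's job
}

if (!empty($aSearchDNs)) { // an empty list would otherwise yield an invalid "IN ()"
    $sPlaceholders = implode(',', array_fill(0, count($aSearchDNs), '?'));
    $query = "SELECT id, authentication_details_s1 AS dn FROM users
        WHERE authentication_details_s1 IN ($sPlaceholders)";
    $aCurUsers = DBUtil::getResultArray(array($query, array_values($aSearchDNs)));

    // If the user has already been added, then remove from the list
    if (!PEAR::isError($aCurUsers) && !empty($aCurUsers)) {
        foreach ($aCurUsers as $item) {
            $key = array_search($item['dn'], $aSearchDNs, true);
            if ($key !== false) {
                unset($aSearchResults[$key]);
            }
        }
    }
}
```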
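--- a/templates/ktstandard/authentication/ldapadduser.smarty
+++ b/templates/ktstandard/authentication/ldapadduser.smarty
@@ -10,7 +10,7 @@
 <input type="hidden" name="dn" value="{$dn}" />
 <input type="hidden" name="samaccountname" value="{$samaccountname}" />
 <div class="form_actions">
-<input type="submit" name="submit[create]" value="{i18n}create user{/i18n}" />
+<input type="submit" name="submit[create]" value="{i18n}Create user{/i18n}" />
 <input type="submit" name="kt_cancel[]" value="{i18n}Cancel{/i18n}" />
 </div>
 </fieldset>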