author | Elias Probst <mail@eliasprobst.eu> | 2010-12-07 20:22:16 -0500 |
committer | Paul Arthur <flowerysong00@yahoo.com> | 2010-12-07 20:22:16 -0500 |
commit | 77311f6f0efcd3c8b28211ea12a47b75f149e86f (patch) | |
tree | 52394fc6764ab43e1f3b76099589bd7466aacb20 /lib/class/vauth.class.php | |
parent | 070dcfa6fd8585163a1465c716dc62771402facf (diff) | |
Implement ldap_require_group
Squashed commit of the following:
commit 4cba31ed7a607cf955b39131ca598d4f8b7553b6
Author: Elias Probst <mail@eliasprobst.eu>
Date: Tue Dec 7 23:08:47 2010 +0100
Improved the LDAP group matching regex to make sure the whole string is matched.
commit 1a056e6fdac3c3c3f141283dad25a407a4c897a1
Author: Elias Probst <mail@eliasprobst.eu>
Date: Tue Dec 7 23:08:02 2010 +0100
Implementation for the still missing 'ldap_require_group' feature. Including changes suggested in http://ampache.org/bugs/task/150#comment103
Diffstat (limited to 'lib/class/vauth.class.php')
-rw-r--r-- | lib/class/vauth.class.php | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/lib/class/vauth.class.php b/lib/class/vauth.class.php
index 3e034f55..74f2bc54 100644
--- a/lib/class/vauth.class.php
+++ b/lib/class/vauth.class.php
@@ -679,6 +679,43 @@ class vauth {
 $retval = ldap_bind($ldap_link, $user_dn, $password);
 if ($retval) {
+ // When the current user needs to be in a specific group to access Ampache,
+ // check whether the 'member' list of this group contains the current user's DN
+ if ($require_group) {
+
+ // read all 'member' entries of the required LDAP group
+ $group_result = ldap_read($ldap_link, $require_group, 'objectclass=*', array('member'));
+ // return failure when ldap_search didn't succeed
+ if (!$group_result) {
+ debug_event('LDAP_GROUP_AUTH',"Reading the LDAP group $require_group didn't succeed",'1');
+ $results['success'] = false;
+ $results['error'] = "The LDAP group $require_group couldn't be read.";
+ return $results;
+ }
+
+ // extract the single member entries from the queried group DN
+ $group_info = ldap_get_entries($ldap_link, $group_result);
+
+ // return when no member at all is defined in the specified LDAP group
+ if ($group_info['count'] < 1) {
+ debug_event('LDAP_GROUP_AUTH',"No members found in the specified LDAP group $require_group",'3');
+ $results['success'] = false;
+ $results['error'] = "The specified LDAP group $require_group doesn't contain any members.";
+ return $results;
+ }
+
+ // grep the list of 'member' entries for the current user's DN
+ $group_match = preg_grep("/^$user_dn\$/i", $group_info[0]['member']);
+
+ // when the current user's DN isn't listed in the 'member' attributes
+ // of the group, do not return success
+ if (!$group_match) {
+ debug_event('LDAP_GROUP_AUTH',"User $user_dn is not a member of the group $require_group",'1');
+ $results['success'] = false;
+ $results['error'] = "User $user_dn is not authorized, as this user is not a member of the LDAP group $require_group";
+ return $results;
+ }
+ }
 ldap_close($ldap_link);
 $results['success'] = true;
 $results['type'] = "ldap"; |
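Review bot: `$user_dn` is interpolated unescaped into the `preg_grep` pattern, so any regex metacharacter in the DN (`(`, `+`, `.`, `*` are all legal in DN values) either makes the pattern invalid — `preg_grep` then returns `false` and the user is denied — or turns a literal `.` into a wildcard; the line should be `$group_match = preg_grep('/^' . preg_quote($user_dn, '/') . '$/i', $group_info[0]['member']);`, or better, let the directory do the DN matching with `if (!ldap_compare($ldap_link, $require_group, 'member', $user_dn)) {` and drop the regex, which also copes with equivalent DN spellings (spacing, escaping) that the `/i` flag does not. The three early `return $results;` paths skip the `ldap_close($ldap_link)` that the success path reaches, so a failed group check leaves the connection open until script end. `$group_info[0]['member']` is read without checking it exists; a group entry that carries no `member` attribute still yields `count == 1`, so that case produces an undefined-index notice rather than a clean denial — guard it with `isset()`. Only direct `member` values are checked, so nested groups and `memberUid`/`uniqueMember` group types presumably never match; if that is intended it deserves a comment such as `// only direct 'member' entries are honoured; nested groups and other group schemas are not resolved`. The enclosing method starts and ends outside the hunk.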