revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-15 03:12:41 +01:00
Code Issues Releases Wiki Activity
phorge-phorge/src/applications/auth/ldap/PhabricatorLDAPProvider.php

246 lines
6.3 KiB
PHP
Raw Normal View History

Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722
2012-06-13 17:52:05 +02:00
<?php
final class PhabricatorLDAPProvider {
Prevent the ability to scrape for valid usernames - return the same error message when either bind or the username search fails to find a user - config variables should use hypen and not underscore
2012-07-26 23:32:51 +02:00
// http://www.php.net/manual/en/function.ldap-errno.php#20665 states
// that the number could be 31 or 49, in testing it has always been 49
const LDAP_INVALID_CREDENTIALS = 49;
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722
2012-06-13 17:52:05 +02:00
private $userData;
private $connection;
public function __construct() {
}
public function __destruct() {
if (isset($this->connection)) {
ldap_unbind($this->connection);
}
}
public function isProviderEnabled() {
return PhabricatorEnv::getEnvConfig('ldap.auth-enabled');
}
public function getHostname() {
return PhabricatorEnv::getEnvConfig('ldap.hostname');
}
Allow custom LDAP port Summary: Allow custom LDAP port to be defined in config file Test Plan: Test login works by specifying a custom port Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D3153
2012-08-06 00:11:45 +02:00
public function getPort() {
return PhabricatorEnv::getEnvConfig('ldap.port');
}
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722
2012-06-13 17:52:05 +02:00
public function getBaseDN() {
return PhabricatorEnv::getEnvConfig('ldap.base_dn');
}
public function getSearchAttribute() {
return PhabricatorEnv::getEnvConfig('ldap.search_attribute');
}
Support searching for users to find their LDAP entry Summary: - the current LDAP auth flow expects a DN to look like cn=ossareh,ou=Users,dc=example,dc=com - however many LDAP setups have their dn look something like cn=Mike Ossareh,ou=Users,dc=example,dc=com Test Plan: Test if logins work with a LDAP setup which has cn=Full Name instead of cn=username. To test you should ensure you set the properties needed to trigger the search before login as detailed in conf/default.conf.php Reviewers: epriestley CC: mbeck, aran, Korvin Differential Revision: https://secure.phabricator.com/D3072
2012-07-26 03:55:48 +02:00
public function getUsernameAttribute() {
Prevent the ability to scrape for valid usernames - return the same error message when either bind or the username search fails to find a user - config variables should use hypen and not underscore
2012-07-26 23:32:51 +02:00
return PhabricatorEnv::getEnvConfig('ldap.username-attribute');
Support searching for users to find their LDAP entry Summary: - the current LDAP auth flow expects a DN to look like cn=ossareh,ou=Users,dc=example,dc=com - however many LDAP setups have their dn look something like cn=Mike Ossareh,ou=Users,dc=example,dc=com Test Plan: Test if logins work with a LDAP setup which has cn=Full Name instead of cn=username. To test you should ensure you set the properties needed to trigger the search before login as detailed in conf/default.conf.php Reviewers: epriestley CC: mbeck, aran, Korvin Differential Revision: https://secure.phabricator.com/D3072
2012-07-26 03:55:48 +02:00
}
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722
2012-06-13 17:52:05 +02:00
public function getLDAPVersion() {
return PhabricatorEnv::getEnvConfig('ldap.version');
}
Allow custom LDAP port Summary: Allow custom LDAP port to be defined in config file Test Plan: Test login works by specifying a custom port Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D3153
2012-08-06 00:11:45 +02:00
Add LDAP Referrals Option Summary: In order to perform the searches on Windows 2003 Server Active Directory you have to set the LDAP_OPT_REFERRALS option to 0 Test Plan: Test if LDAP works with Windows 2003 AD Reviewers: epriestley CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D3004
2012-07-18 22:38:24 +02:00
public function getLDAPReferrals() {
return PhabricatorEnv::getEnvConfig('ldap.referrals');
}
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722
2012-06-13 17:52:05 +02:00
public function retrieveUserEmail() {
return $this->userData['mail'][0];
}
Use OpaqueEnvelopes for all passwords in Phabricator Summary: See D2991 / T1526. Two major changes here: - PHP just straight-up logs passwords on ldap_bind() failures. Suppress that with "@" and keep them out of DarkConsole by enabling discard mode. - Use PhutilOpaqueEnvelope whenever we send a password into a call stack. Test Plan: - Created a new account. - Reset password. - Changed password. - Logged in with valid password. - Tried to login with bad password. - Changed password via accountadmin. - Hit various LDAP errors and made sure nothing appears in the logs. Reviewers: vrana, btrahan Reviewed By: vrana CC: aran Differential Revision: https://secure.phabricator.com/D2993
2012-07-17 21:06:33 +02:00
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722
2012-06-13 17:52:05 +02:00
public function retrieveUserRealName() {
Added ldap import controller
2012-07-04 04:10:38 +02:00
return $this->retrieveUserRealNameFromData($this->userData);
}
public function retrieveUserRealNameFromData($data) {
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722
2012-06-13 17:52:05 +02:00
$name_attributes = PhabricatorEnv::getEnvConfig(
'ldap.real_name_attributes');
$real_name = '';
if (is_array($name_attributes)) {
foreach ($name_attributes AS $attribute) {
Added ldap import controller
2012-07-04 04:10:38 +02:00
if (isset($data[$attribute][0])) {
Allow custom LDAP port Summary: Allow custom LDAP port to be defined in config file Test Plan: Test login works by specifying a custom port Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D3153
2012-08-06 00:11:45 +02:00
$real_name .= $data[$attribute][0].' ';
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722
2012-06-13 17:52:05 +02:00
}
}
trim($real_name);
Added ldap import controller
2012-07-04 04:10:38 +02:00
} else if (isset($data[$name_attributes][0])) {
$real_name = $data[$name_attributes][0];
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722
2012-06-13 17:52:05 +02:00
}
if ($real_name == '') {
return null;
}
return $real_name;
}
public function retrieveUsername() {
Fall back to LDAP search attribute if username attribute is not configured Summary: See discussion in D3340. Some configurations set only a search attribute because their records are indexed by username (this is probably not quite the correct LDAP terminology). Other configurations use one attribute to search and a different attribute to select usernames. After D3340, installs which set only a search attribute broke. Instead, fall back to the search attribute if no username attribute is present. Test Plan: Successfully logged in on my test slapd. Reviewers: yunake, voldern, briancline Reviewed By: voldern CC: aran Differential Revision: https://secure.phabricator.com/D3406
2012-09-03 15:41:49 +02:00
$key = nonempty(
$this->getUsernameAttribute(),
$this->getSearchAttribute());
return $this->userData[$key][0];
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722
2012-06-13 17:52:05 +02:00
}
public function getConnection() {
if (!isset($this->connection)) {
Allow custom LDAP port Summary: Allow custom LDAP port to be defined in config file Test Plan: Test login works by specifying a custom port Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D3153
2012-08-06 00:11:45 +02:00
$this->connection = ldap_connect($this->getHostname(), $this->getPort());
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722
2012-06-13 17:52:05 +02:00
if (!$this->connection) {
Allow custom LDAP port Summary: Allow custom LDAP port to be defined in config file Test Plan: Test login works by specifying a custom port Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D3153
2012-08-06 00:11:45 +02:00
throw new Exception('Could not connect to LDAP host at '.
$this->getHostname().':'.$this->getPort());
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722
2012-06-13 17:52:05 +02:00
}
ldap_set_option($this->connection, LDAP_OPT_PROTOCOL_VERSION,
$this->getLDAPVersion());
Allow custom LDAP port Summary: Allow custom LDAP port to be defined in config file Test Plan: Test login works by specifying a custom port Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D3153
2012-08-06 00:11:45 +02:00
ldap_set_option($this->connection, LDAP_OPT_REFERRALS,
Add LDAP Referrals Option Summary: In order to perform the searches on Windows 2003 Server Active Directory you have to set the LDAP_OPT_REFERRALS option to 0 Test Plan: Test if LDAP works with Windows 2003 AD Reviewers: epriestley CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D3004
2012-07-18 22:38:24 +02:00
$this->getLDAPReferrals());
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722
2012-06-13 17:52:05 +02:00
}
return $this->connection;
}
public function getUserData() {
return $this->userData;
}
Prevent the ability to scrape for valid usernames - return the same error message when either bind or the username search fails to find a user - config variables should use hypen and not underscore
2012-07-26 23:32:51 +02:00
private function invalidLDAPUserErrorMessage($errno, $errmsg) {
return "LDAP Error #".$errno.": ".$errmsg;
}
Use OpaqueEnvelopes for all passwords in Phabricator Summary: See D2991 / T1526. Two major changes here: - PHP just straight-up logs passwords on ldap_bind() failures. Suppress that with "@" and keep them out of DarkConsole by enabling discard mode. - Use PhutilOpaqueEnvelope whenever we send a password into a call stack. Test Plan: - Created a new account. - Reset password. - Changed password. - Logged in with valid password. - Tried to login with bad password. - Changed password via accountadmin. - Hit various LDAP errors and made sure nothing appears in the logs. Reviewers: vrana, btrahan Reviewed By: vrana CC: aran Differential Revision: https://secure.phabricator.com/D2993
2012-07-17 21:06:33 +02:00
public function auth($username, PhutilOpaqueEnvelope $password) {
if (strlen(trim($username)) == 0) {
throw new Exception('Username can not be empty');
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722
2012-06-13 17:52:05 +02:00
}
Support searching for users to find their LDAP entry Summary: - the current LDAP auth flow expects a DN to look like cn=ossareh,ou=Users,dc=example,dc=com - however many LDAP setups have their dn look something like cn=Mike Ossareh,ou=Users,dc=example,dc=com Test Plan: Test if logins work with a LDAP setup which has cn=Full Name instead of cn=username. To test you should ensure you set the properties needed to trigger the search before login as detailed in conf/default.conf.php Reviewers: epriestley CC: mbeck, aran, Korvin Differential Revision: https://secure.phabricator.com/D3072
2012-07-26 03:55:48 +02:00
if (PhabricatorEnv::getEnvConfig('ldap.search-first')) {
Prevent the ability to scrape for valid usernames - return the same error message when either bind or the username search fails to find a user - config variables should use hypen and not underscore
2012-07-26 23:32:51 +02:00
// To protect against people phishing for accounts we catch the
// exception and present the default exception that would be presented
// in the case of a failed bind.
try {
$user = $this->getUser($this->getUsernameAttribute(), $username);
$username = $user[$this->getSearchAttribute()][0];
} catch (PhabricatorLDAPUnknownUserException $e) {
throw new Exception(
$this->invalidLDAPUserErrorMessage(
self::LDAP_INVALID_CREDENTIALS,
ldap_err2str(self::LDAP_INVALID_CREDENTIALS)));
}
Support searching for users to find their LDAP entry Summary: - the current LDAP auth flow expects a DN to look like cn=ossareh,ou=Users,dc=example,dc=com - however many LDAP setups have their dn look something like cn=Mike Ossareh,ou=Users,dc=example,dc=com Test Plan: Test if logins work with a LDAP setup which has cn=Full Name instead of cn=username. To test you should ensure you set the properties needed to trigger the search before login as detailed in conf/default.conf.php Reviewers: epriestley CC: mbeck, aran, Korvin Differential Revision: https://secure.phabricator.com/D3072
2012-07-26 03:55:48 +02:00
}
$conn = $this->getConnection();
Add active-directory domain-based ldap authentication support Summary: Add active-directory domain-based ldap authentication support Test Plan: Tested on a live install against Active Directory on a Windows Server Reviewers: epriestley CC: aran, epriestley Maniphest Tasks: T1496 Differential Revision: https://secure.phabricator.com/D2966
2012-07-13 14:16:16 +02:00
$activeDirectoryDomain =
PhabricatorEnv::getEnvConfig('ldap.activedirectory_domain');
if ($activeDirectoryDomain) {
Allow custom LDAP port Summary: Allow custom LDAP port to be defined in config file Test Plan: Test login works by specifying a custom port Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D3153
2012-08-06 00:11:45 +02:00
$dn = $username.'@'.$activeDirectoryDomain;
Add active-directory domain-based ldap authentication support Summary: Add active-directory domain-based ldap authentication support Test Plan: Tested on a live install against Active Directory on a Windows Server Reviewers: epriestley CC: aran, epriestley Maniphest Tasks: T1496 Differential Revision: https://secure.phabricator.com/D2966
2012-07-13 14:16:16 +02:00
} else {
Fix some more ldap issues Summary: - LDAP import needs to use envelopes. - Use ldap_sprintf(). Test Plan: Configured an LDAP server. Added an account. Imported it; logged in with it. Tried to login with accounts like ",", etc., got good errors. Reviewers: vrana, btrahan Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D2995
2012-07-17 23:05:26 +02:00
$dn = ldap_sprintf(
'%Q=%s,%Q',
$this->getSearchAttribute(),
$username,
$this->getBaseDN());
Add active-directory domain-based ldap authentication support Summary: Add active-directory domain-based ldap authentication support Test Plan: Tested on a live install against Active Directory on a Windows Server Reviewers: epriestley CC: aran, epriestley Maniphest Tasks: T1496 Differential Revision: https://secure.phabricator.com/D2966
2012-07-13 14:16:16 +02:00
}
Use OpaqueEnvelopes for all passwords in Phabricator Summary: See D2991 / T1526. Two major changes here: - PHP just straight-up logs passwords on ldap_bind() failures. Suppress that with "@" and keep them out of DarkConsole by enabling discard mode. - Use PhutilOpaqueEnvelope whenever we send a password into a call stack. Test Plan: - Created a new account. - Reset password. - Changed password. - Logged in with valid password. - Tried to login with bad password. - Changed password via accountadmin. - Hit various LDAP errors and made sure nothing appears in the logs. Reviewers: vrana, btrahan Reviewed By: vrana CC: aran Differential Revision: https://secure.phabricator.com/D2993
2012-07-17 21:06:33 +02:00
// NOTE: It is very important we suppress any messages that occur here,
// because it logs passwords if it reaches an error log of any sort.
DarkConsoleErrorLogPluginAPI::enableDiscardMode();
$result = @ldap_bind($conn, $dn, $password->openEnvelope());
DarkConsoleErrorLogPluginAPI::disableDiscardMode();
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722
2012-06-13 17:52:05 +02:00
if (!$result) {
Use OpaqueEnvelopes for all passwords in Phabricator Summary: See D2991 / T1526. Two major changes here: - PHP just straight-up logs passwords on ldap_bind() failures. Suppress that with "@" and keep them out of DarkConsole by enabling discard mode. - Use PhutilOpaqueEnvelope whenever we send a password into a call stack. Test Plan: - Created a new account. - Reset password. - Changed password. - Logged in with valid password. - Tried to login with bad password. - Changed password via accountadmin. - Hit various LDAP errors and made sure nothing appears in the logs. Reviewers: vrana, btrahan Reviewed By: vrana CC: aran Differential Revision: https://secure.phabricator.com/D2993
2012-07-17 21:06:33 +02:00
throw new Exception(
Prevent the ability to scrape for valid usernames - return the same error message when either bind or the username search fails to find a user - config variables should use hypen and not underscore
2012-07-26 23:32:51 +02:00
$this->invalidLDAPUserErrorMessage(
ldap_errno($conn),
ldap_error($conn)));
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722
2012-06-13 17:52:05 +02:00
}
Support searching for users to find their LDAP entry Summary: - the current LDAP auth flow expects a DN to look like cn=ossareh,ou=Users,dc=example,dc=com - however many LDAP setups have their dn look something like cn=Mike Ossareh,ou=Users,dc=example,dc=com Test Plan: Test if logins work with a LDAP setup which has cn=Full Name instead of cn=username. To test you should ensure you set the properties needed to trigger the search before login as detailed in conf/default.conf.php Reviewers: epriestley CC: mbeck, aran, Korvin Differential Revision: https://secure.phabricator.com/D3072
2012-07-26 03:55:48 +02:00
$this->userData = $this->getUser($this->getSearchAttribute(), $username);
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722
2012-06-13 17:52:05 +02:00
return $this->userData;
}
Support searching for users to find their LDAP entry Summary: - the current LDAP auth flow expects a DN to look like cn=ossareh,ou=Users,dc=example,dc=com - however many LDAP setups have their dn look something like cn=Mike Ossareh,ou=Users,dc=example,dc=com Test Plan: Test if logins work with a LDAP setup which has cn=Full Name instead of cn=username. To test you should ensure you set the properties needed to trigger the search before login as detailed in conf/default.conf.php Reviewers: epriestley CC: mbeck, aran, Korvin Differential Revision: https://secure.phabricator.com/D3072
2012-07-26 03:55:48 +02:00
private function getUser($attribute, $username) {
Fix some more ldap issues Summary: - LDAP import needs to use envelopes. - Use ldap_sprintf(). Test Plan: Configured an LDAP server. Added an account. Imported it; logged in with it. Tried to login with accounts like ",", etc., got good errors. Reviewers: vrana, btrahan Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D2995
2012-07-17 23:05:26 +02:00
$conn = $this->getConnection();
$query = ldap_sprintf(
'%Q=%S',
Support searching for users to find their LDAP entry Summary: - the current LDAP auth flow expects a DN to look like cn=ossareh,ou=Users,dc=example,dc=com - however many LDAP setups have their dn look something like cn=Mike Ossareh,ou=Users,dc=example,dc=com Test Plan: Test if logins work with a LDAP setup which has cn=Full Name instead of cn=username. To test you should ensure you set the properties needed to trigger the search before login as detailed in conf/default.conf.php Reviewers: epriestley CC: mbeck, aran, Korvin Differential Revision: https://secure.phabricator.com/D3072
2012-07-26 03:55:48 +02:00
$attribute,
Fix some more ldap issues Summary: - LDAP import needs to use envelopes. - Use ldap_sprintf(). Test Plan: Configured an LDAP server. Added an account. Imported it; logged in with it. Tried to login with accounts like ",", etc., got good errors. Reviewers: vrana, btrahan Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D2995
2012-07-17 23:05:26 +02:00
$username);
$result = ldap_search($conn, $this->getBaseDN(), $query);
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722
2012-06-13 17:52:05 +02:00
if (!$result) {
throw new Exception('Search failed. Please check your LDAP and HTTP '.
'logs for more information.');
}
Fix some more ldap issues Summary: - LDAP import needs to use envelopes. - Use ldap_sprintf(). Test Plan: Configured an LDAP server. Added an account. Imported it; logged in with it. Tried to login with accounts like ",", etc., got good errors. Reviewers: vrana, btrahan Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D2995
2012-07-17 23:05:26 +02:00
$entries = ldap_get_entries($conn, $result);
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722
2012-06-13 17:52:05 +02:00
if ($entries === false) {
throw new Exception('Could not get entries');
}
if ($entries['count'] > 1) {
Allow custom LDAP port Summary: Allow custom LDAP port to be defined in config file Test Plan: Test login works by specifying a custom port Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D3153
2012-08-06 00:11:45 +02:00
throw new Exception('Found more then one user with this '.
Support searching for users to find their LDAP entry Summary: - the current LDAP auth flow expects a DN to look like cn=ossareh,ou=Users,dc=example,dc=com - however many LDAP setups have their dn look something like cn=Mike Ossareh,ou=Users,dc=example,dc=com Test Plan: Test if logins work with a LDAP setup which has cn=Full Name instead of cn=username. To test you should ensure you set the properties needed to trigger the search before login as detailed in conf/default.conf.php Reviewers: epriestley CC: mbeck, aran, Korvin Differential Revision: https://secure.phabricator.com/D3072
2012-07-26 03:55:48 +02:00
$attribute);
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722
2012-06-13 17:52:05 +02:00
}
if ($entries['count'] == 0) {
Prevent the ability to scrape for valid usernames - return the same error message when either bind or the username search fails to find a user - config variables should use hypen and not underscore
2012-07-26 23:32:51 +02:00
throw new PhabricatorLDAPUnknownUserException('Could not find user');
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722
2012-06-13 17:52:05 +02:00
}
return $entries[0];
}
Added ldap import controller
2012-07-04 04:10:38 +02:00
public function search($query) {
$result = ldap_search($this->getConnection(), $this->getBaseDN(),
$query);
if (!$result) {
throw new Exception('Search failed. Please check your LDAP and HTTP '.
'logs for more information.');
}
$entries = ldap_get_entries($this->getConnection(), $result);
if ($entries === false) {
throw new Exception('Could not get entries');
}
if ($entries['count'] == 0) {
throw new Exception('No results found');
}
$rows = array();
for($i = 0; $i < $entries['count']; $i++) {
$row = array();
$entry = $entries[$i];
Add active-directory domain-based ldap authentication support Summary: Add active-directory domain-based ldap authentication support Test Plan: Tested on a live install against Active Directory on a Windows Server Reviewers: epriestley CC: aran, epriestley Maniphest Tasks: T1496 Differential Revision: https://secure.phabricator.com/D2966
2012-07-13 14:16:16 +02:00
Use OpaqueEnvelopes for all passwords in Phabricator Summary: See D2991 / T1526. Two major changes here: - PHP just straight-up logs passwords on ldap_bind() failures. Suppress that with "@" and keep them out of DarkConsole by enabling discard mode. - Use PhutilOpaqueEnvelope whenever we send a password into a call stack. Test Plan: - Created a new account. - Reset password. - Changed password. - Logged in with valid password. - Tried to login with bad password. - Changed password via accountadmin. - Hit various LDAP errors and made sure nothing appears in the logs. Reviewers: vrana, btrahan Reviewed By: vrana CC: aran Differential Revision: https://secure.phabricator.com/D2993
2012-07-17 21:06:33 +02:00
// Get username, email and realname
Added ldap import controller
2012-07-04 04:10:38 +02:00
$username = $entry[$this->getSearchAttribute()][0];
if(empty($username)) {
continue;
}
$row[] = $username;
$row[] = $entry['mail'][0];
Use OpaqueEnvelopes for all passwords in Phabricator Summary: See D2991 / T1526. Two major changes here: - PHP just straight-up logs passwords on ldap_bind() failures. Suppress that with "@" and keep them out of DarkConsole by enabling discard mode. - Use PhutilOpaqueEnvelope whenever we send a password into a call stack. Test Plan: - Created a new account. - Reset password. - Changed password. - Logged in with valid password. - Tried to login with bad password. - Changed password via accountadmin. - Hit various LDAP errors and made sure nothing appears in the logs. Reviewers: vrana, btrahan Reviewed By: vrana CC: aran Differential Revision: https://secure.phabricator.com/D2993
2012-07-17 21:06:33 +02:00
$row[] = $this->retrieveUserRealNameFromData($entry);
Added ldap import controller
2012-07-04 04:10:38 +02:00
$rows[] = $row;
}
return $rows;
}
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722
2012-06-13 17:52:05 +02:00
}
Copy permalink