/**
* StatusNet, the distributed open-source microblogging tool
*
- * Plugin to enable LDAP Authentication and Authorization
+ * Plugin to enable LDAP Authentication
*
* PHP version 5
*
* @category Plugin
* @package StatusNet
* @author Craig Andrews <candrews@integralblue.com>
- * @copyright 2009 Craig Andrews http://candrews.integralblue.com
+ * @copyright 2009 Free Software Foundation, Inc http://www.fsf.org
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
* @link http://status.net/
*/
exit(1);
}
-require_once INSTALLDIR.'/plugins/Authentication/AuthenticationPlugin.php';
-require_once 'Net/LDAP2.php';
-
class LdapAuthenticationPlugin extends AuthenticationPlugin
{
- public $host=null;
- public $port=null;
- public $version=null;
- public $starttls=null;
- public $binddn=null;
- public $bindpw=null;
- public $basedn=null;
- public $options=null;
- public $filter=null;
- public $scope=null;
- public $attributes=array();
-
- function __construct()
- {
- parent::__construct();
+ function onInitializePlugin(){
+ parent::onInitializePlugin();
+ if(!isset($this->attributes['nickname'])){
+ // TRANS: Exception thrown when initialising the LDAP Auth plugin fails because of an incorrect configuration.
+ throw new Exception(_m('You must specify a nickname attribute.'));
+ }
+ if($this->password_changeable && (! isset($this->attributes['password']) || !isset($this->password_encoding))){
+ // TRANS: Exception thrown when initialising the LDAP Auth plugin fails because of an incorrect configuration.
+ throw new Exception(_m('If password_changeable is set, the password attribute and password_encoding must also be specified.'));
+ }
+ $this->ldapCommon = new LdapCommon(get_object_vars($this));
}
-
- //---interface implementation---//
- function checkPassword($nickname, $password)
+ function onAutoload($cls)
{
- $ldap = $this->ldap_get_connection();
- if(!$ldap){
+ switch ($cls)
+ {
+ case 'LdapCommon':
+ require_once(INSTALLDIR.'/plugins/LdapCommon/LdapCommon.php');
return false;
}
- $entry = $this->ldap_get_user($nickname);
- if(!$entry){
- return false;
- }else{
- $config = $this->ldap_get_config();
- $config['binddn']=$entry->dn();
- $config['bindpw']=$password;
- if($this->ldap_get_connection($config)){
- return true;
- }else{
- return false;
+ }
+
+ function onEndShowPageNotice($action)
+ {
+ $name = $action->trimmed('action');
+ $instr = false;
+
+ switch ($name)
+ {
+ case 'register':
+ if($this->autoregistration) {
+ // TRANS: Instructions for LDAP authentication.
+ $instr = _m('Do you have an LDAP account? Use your standard username and password.');
}
+ break;
+ case 'login':
+ // TRANS: Instructions for LDAP authentication.
+ $instr = _m('Do you have an LDAP account? Use your standard username and password.');
+ break;
+ default:
+ return true;
}
+
+ if($instr) {
+ $output = common_markup_to_html($instr);
+ $action->raw($output);
+ }
+ return true;
}
- function autoRegister($nickname)
+ //---interface implementation---//
+
+ function checkPassword($username, $password)
{
- $attributes=array();
- $config_attributes = array('nickname','email','fullname','homepage','location');
- foreach($config_attributes as $config_attribute){
- $value = common_config('ldap', $config_attribute.'_attribute');
- if($value!==false){
- array_push($attributes,$value);
- }
+ return $this->ldapCommon->checkPassword($username,$password);
+ }
+
+ function autoRegister($username, $nickname)
+ {
+ if(is_null($nickname)){
+ $nickname = $username;
}
- $entry = $this->ldap_get_user($nickname,$attributes);
+ $entry = $this->ldapCommon->get_user($username,$this->attributes);
if($entry){
$registration_data = array();
- foreach($config_attributes as $config_attribute){
- $value = common_config('ldap', $config_attribute.'_attribute');
- if($value!==false){
- if($config_attribute=='email'){
- $registration_data[$config_attribute]=common_canonical_email($entry->getValue($value,'single'));
- }else if($config_attribute=='nickname'){
- $registration_data[$config_attribute]=common_canonical_nickname($entry->getValue($value,'single'));
- }else{
- $registration_data[$config_attribute]=$entry->getValue($value,'single');
- }
+ foreach($this->attributes as $sn_attribute=>$ldap_attribute){
+ //ldap won't let us read a user's password,
+ //and we're going to set the password to a random string later anyways,
+ //so don't bother trying to read it.
+ if($sn_attribute != 'password'){
+ $registration_data[$sn_attribute]=$entry->getValue($ldap_attribute,'single');
}
}
+ if(isset($registration_data['email']) && !empty($registration_data['email'])){
+ $registration_data['email_confirmed']=true;
+ }
+ $registration_data['nickname'] = $nickname;
//set the database saved password to a random string.
$registration_data['password']=common_good_rand(16);
- $user = User::register($registration_data);
- return true;
+ return User::register($registration_data);
}else{
//user isn't in ldap, so we cannot register him
- return null;
+ return false;
}
}
- function changePassword($nickname,$oldpassword,$newpassword)
+ function changePassword($username,$oldpassword,$newpassword)
{
- //TODO implement this
- throw new Exception(_('Sorry, changing LDAP passwords is not supported at this time'));
-
- return false;
+ return $this->ldapCommon->changePassword($username,$oldpassword,$newpassword);
}
- function canUserChangeField($nickname, $field)
+ function suggestNicknameForUsername($username)
{
- switch($field)
- {
- case 'password':
- case 'nickname':
- case 'email':
- return false;
- }
- }
-
- //---utility functions---//
- function ldap_get_config(){
- $config = array();
- $keys = array('host','port','version','starttls','binddn','bindpw','basedn','options','filter','scope');
- foreach($keys as $key){
- $value = $this->$key;
- if($value!==null){
- $config[$key]=$value;
+ $entry = $this->ldapCommon->get_user($username, $this->attributes);
+ if(!$entry){
+ //this really shouldn't happen
+ $nickname = $username;
+ }else{
+ $nickname = $entry->getValue($this->attributes['nickname'],'single');
+ if(!$nickname){
+ $nickname = $username;
}
}
- return $config;
+ return common_nicknamize($nickname);
}
-
- function ldap_get_connection($config = null){
- if($config == null){
- $config = $this->ldap_get_config();
- }
-
- //cannot use Net_LDAP2::connect() as StatusNet uses
- //PEAR::setErrorHandling(PEAR_ERROR_CALLBACK, 'handleError');
- //PEAR handling can be overridden on instance objects, so we do that.
- $ldap = new Net_LDAP2($config);
- $ldap->setErrorHandling(PEAR_ERROR_RETURN);
- $err=$ldap->bind();
- if (Net_LDAP2::isError($err)) {
- common_log(LOG_WARNING, 'Could not connect to LDAP server: '.$err->getMessage());
- return false;
- }
- return $ldap;
- }
-
- /**
- * get an LDAP entry for a user with a given username
- *
- * @param string $username
- * $param array $attributes LDAP attributes to retrieve
- * @return string DN
- */
- function ldap_get_user($username,$attributes=array()){
- $ldap = $this->ldap_get_connection();
- $filter = Net_LDAP2_Filter::create(common_config('ldap','nickname_attribute'), 'equals', $username);
- $options = array(
- 'scope' => 'sub',
- 'attributes' => $attributes
- );
- $search = $ldap->search(null,$filter,$options);
-
- if (PEAR::isError($search)) {
- common_log(LOG_WARNING, 'Error while getting DN for user: '.$search->getMessage());
- return false;
- }
- if($search->count()==0){
- return false;
- }else if($search->count()==1){
- $entry = $search->shiftEntry();
- return $entry;
- }else{
- common_log(LOG_WARNING, 'Found ' . $search->count() . ' ldap user with the username: ' . $username);
- return false;
- }
+ function onPluginVersion(&$versions)
+ {
+ $versions[] = array('name' => 'LDAP Authentication',
+ 'version' => STATUSNET_VERSION,
+ 'author' => 'Craig Andrews',
+ 'homepage' => 'http://status.net/wiki/Plugin:LdapAuthentication',
+ 'rawdescription' =>
+ // TRANS: Plugin description.
+ _m('The LDAP Authentication plugin allows for StatusNet to handle authentication through LDAP.'));
+ return true;
}
}
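Review bot: `autoRegister` now copies the LDAP email attribute straight into `$registration_data['email']` and marks it `email_confirmed`, whereas the removed code passed it through `common_canonical_email()`; unless `User::register` canonicalises it, directory values differing only in case or surrounding whitespace reach the user table as confirmed addresses. Keeping the old normalisation for that one key inside the existing loop, e.g. `if($sn_attribute == 'email'){ $registration_data['email']=common_canonical_email($entry->getValue($ldap_attribute,'single')); }`, restores it without touching the other attributes. The `isset(...) && !empty(...)` test a few lines later is redundant, since `empty()` already covers an unset key. Separately, the `switch` in `onAutoload` has no `default: return true;` branch, so for every other class the handler returns null; if `Event::handle` treats a non-true result as "handled", that would cut off later autoloaders in the chain, which is worth confirming against the event dispatcher.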