diff --git a/README.md b/README.md
index e3cab66..f85a5a9 100644
--- a/README.md
+++ b/README.md
@@ -46,10 +46,10 @@ user_dn: 'uid=[username],dc=company,dc=com'
 search_dn:
 group_dn:
 group_query: '(&(cn=*)(memberUid=[username]))'
+group_indentifier: cn
 map_username: uid
 map_fullname: givenName lastName
 map_email: mail
-
 save_grav_user: false
 store_ldap_data: false
 default_access_levels:
@@ -72,32 +72,33 @@ default_access_levels:
 |Key |Description | Values |
 |:---------------------|:---------------------------|:-------|
-|enabled|Enables the plugin | [default: **true**] \| false|
-|host|The DNS name or IP address of your LDAP server | e.g. ldap.yourcompany.com |
-|port|The TCP port of the host that the LDAP server runs under | [default: **389**]|
-|version|LDAP Version 3 is most popular (only change this if you know what you are doing) | [default: **3**] |
-|ssl|Enable SSL for the connection (typically for port 636 or 3269) | true \| [default: **false**] |
-|start_tls|Negotiate TLS encryption with the LDAP server (requires all traffic to be encrypted) | true \| [default: **false**] |
-|opt_referrals|Sets the value of LDAP_OPT_REFERRALS (Set to "off" for Windows 2003 servers) | true \| [default: **false**] |
+|enabled|Enables the plugin | [default: `true`] \| `false`|
+|host|The DNS name or IP address of your LDAP server | e.g. `ldap.yourcompany.com` |
+|port|The TCP port of the host that the LDAP server runs under | [default: `389`]|
+|version|LDAP Version 3 is most popular (only change this if you know what you are doing) | [default: `3`] |
+|ssl|Enable SSL for the connection (typically for port 636 or 3269) | `true` \| [default: `false`] |
+|start_tls|Negotiate TLS encryption with the LDAP server (requires all traffic to be encrypted) | `true` \| [default: `false`] |
+|opt_referrals|Sets the value of LDAP_OPT_REFERRALS (Set to "off" for Windows 2003 servers) | `true` \| [default: `false`] |
 ### LDAP Configuration
 |Key |Description | Values |
 |:---------------------|:---------------------------|:-------|
-|user_dn|DN String used to authenticate a user, where `[username]` is replaced by username value entered via login | e.g. 
`uid=[username],dc=company,dc=com` |
+|user_dn|DN String used to authenticate a user, where `[username]` is replaced by username value entered via login | [default: `uid=[username],dc=company,dc=com`] |
 |search_dn|DN String used to retrieve user data. If not provided, extra LDAP user data will not be stored in Grav user account file [OPTIONAL]| e.g. `ou=users,dc=company,dc=com` |
 |group_dn|DN String used to retrieve user group data. If not provided, extra LDAP group data will not be stored in Grav user account file [OPTIONAL] | e.g. `ou=groups,dc=company,dc=com` |
-|group_query|The query used to search Groups. Only change this if you know what you are doing| e.g. `(&(cn=*)(memberUid=[username]))`|
-|map_username|LDAP Attribute(s) that contains the user's username | [default: **uid**] |
-|map_fullname|LDAP Attribute(s) that contains the user's full name | [default: **givenName lastName**] |
-|map_email|LDAP Attribute(s) that contains the user's email address | [default: **mail**] |
+|group_query|The query used to search Groups. 
Only change this if you know what you are doing| [default: `(&(cn=*)(memberUid=[username]))`] |
+|group_indentifier|The Group identifier that will come back in the response, this is directly related to group query.| [default: `cn`] |
+|map_username|LDAP Attribute(s) that contains the user's username | [default: `uid`] |
+|map_fullname|LDAP Attribute(s) that contains the user's full name | [default: `givenName lastName`] |
+|map_email|LDAP Attribute(s) that contains the user's email address | [default: `mail`] |
 ### Advanced Configuration
 |Key |Description | Values |
 |:---------------------|:---------------------------|:-------|
-|save_grav_user|Store the grav user account as a local YAML account | true \| [default: **false**] |
-|store_ldap_data|If storing a local Grav user, you can also store LDAP data so its available in Grav| true \| [default: **false**] |
+|save_grav_user|Store the grav user account as a local YAML account | true \| [default: `false`] |
+|store_ldap_data|If storing a local Grav user, you can also store LDAP data so its available in Grav| true \| [default: `false`] |
 |default_access_levels.groups|Set a default group for all users logging in via LDAP [OPTIONAL] | e.g. `ldap_users` |
 |default_access_levels.access.site|Set the default **site access** for all users logging in via LDAP (used if no `access.groups` mapping applies) | e.g. `[login: 'true']` |
 |default_access_levels.access.groups|The default **access to assign** to users logging in based on **LDAP group membership**| e.g. `user: [site: [login: 'true']]` |
@@ -171,5 +172,22 @@ If either the `user_dn`, `search_dn`, `group_dn` or `group_query` are incorrect
 If you expect `fullname`, or `email` to be stored in the Grav user object, but they are not appearing, it's probably a problem with your field mappings. Double check with your LDAP administrator that these are the correct mappings.
-Under the `example` folder you can find a `default.md` page that you can use to see the data collected during LDAP authentication. It's an useful way for configuring the plugin as well as tweaking the Blacklist.
+To get a quick state of your LDAP configuration, you can simply dump out the Grav user on a temporary _secure_ page:
+
+```markdown
+---
+title: LDAP Test
+cache_enabled: false
+process:
+ twig: true
+access:
+ site.login: true
+---
+
+# Grav User
+
+{{ vardump(grav.user) }}
+```
+
+For a more detailed example, you can look in the `example.` folder of this plugin, where you can find a `default.md` page that you can use to see the data collected during LDAP authentication. It's an useful way for configuring the plugin as well as tweaking the Blacklist.
diff --git a/blueprints.yaml b/blueprints.yaml
index 0158e46..4b6b0f6 100644
--- a/blueprints.yaml
+++ b/blueprints.yaml
@@ -1,5 +1,5 @@
 name: Login LDAP
-version: 0.1.1
+version: 0.1.2
 description: Allows for Grav user authentication against an LDAP Server such as OpenLDAP or ActiveDirectory
 icon: user-circle-o
 author:
@@ -145,6 +145,13 @@ form:
 placeholder: '(&(cn=*)(memberUid=[username]))'
 help: PLUGIN_LOGIN_LDAP.GROUP_QUERY_DESC
+ group_indentifier:
+ type: text
+ label: PLUGIN_LOGIN_LDAP.GROUP_IDENTIFIER
+ size: large
+ placeholder: 'cn'
+ help: PLUGIN_LOGIN_LDAP.GROUP_IDENTIFIER_DESC
+
 map_username:
 type: text
 label: PLUGIN_LOGIN_LDAP.USERNAME_MAPPING
diff --git a/languages/en.yaml b/languages/en.yaml
index 8366332..592d13d 100644
--- a/languages/en.yaml
+++ b/languages/en.yaml
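Review bot: The new form key on the `+ group_indentifier:` line is a misspelling of `group_identifier`, and the same spelling is introduced in README.md, login-ldap.yaml and the `$group_indentifier` config lookup in login-ldap.php, so it becomes the public configuration key that site owners will write and that cannot be renamed later without a migration. Renaming it to `group_identifier` in all four places before this version ships would avoid that; the translation keys already use the correct `GROUP_IDENTIFIER` spelling. The field also carries no validation, so any string typed in the admin form is used verbatim as an array index in login-ldap.php; restricting it with a `validate` rule to an LDAP attribute-descriptor shape (letters, digits, `-` and `;`) would catch mistakes at save time rather than at the next login.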
@@ -9,6 +9,8 @@ PLUGIN_LOGIN_LDAP:
 GROUP_SEARCH_DN_DESC: 'String used to retrieve user group data. If not provided, extra LDAP group data will not be stored in Grav user account file'
 GROUP_QUERY: 'Group Query'
 GROUP_QUERY_DESC: 'The query used to search Groups. Only change this if you know what you are doing'
+ GROUP_IDENTIFIER: 'Group Identifier'
+ GROUP_IDENTIFIER_DESC: 'The Group identifier that will come back in the response, this is directly related to group query.'
 HOST: 'Host'
 HOST_DESC: 'Host name of the LDAP server'
 INSTRUCTIONS: 'Instructions'
diff --git a/login-ldap.php b/login-ldap.php
index 46bcc6c..6c08b3e 100644
--- a/login-ldap.php
+++ b/login-ldap.php
@@ -71,21 +71,22 @@ class LoginLDAPPlugin extends Plugin
 $credentials = $event->getCredentials();
 // Get Proper username
- $user_dn = $this->config->get('plugins.login-ldap.user_dn');
- $search_dn = $this->config->get('plugins.login-ldap.search_dn');
- $group_dn = $this->config->get('plugins.login-ldap.group_dn');
- $group_query = $this->config->get('plugins.login-ldap.group_query');
+ $user_dn = $this->config->get('plugins.login-ldap.user_dn');
+ $search_dn = $this->config->get('plugins.login-ldap.search_dn');
+ $group_dn = $this->config->get('plugins.login-ldap.group_dn');
+ $group_query = $this->config->get('plugins.login-ldap.group_query');
+ $group_indentifier = $this->config->get('plugins.login-ldap.group_indentifier');
 $username = str_replace('[username]', $credentials['username'], $user_dn);
 // Get Host info
- $host = $this->config->get('plugins.login-ldap.host');
- $port = $this->config->get('plugins.login-ldap.port');
- $version = $this->config->get('plugins.login-ldap.version');
- $ssl = $this->config->get('plugins.login-ldap.ssl');
- $start_tls = $this->config->get('plugins.login-ldap.start_tls');
- $opt_referrals = $this->config->get('plugins.login-ldap.opt_referrals');
- $blacklist = $this->config->get('plugins.login-ldap.blacklist_ldap_fields', []);
+ $host = $this->config->get('plugins.login-ldap.host');
+ $port = $this->config->get('plugins.login-ldap.port');
+ $version = $this->config->get('plugins.login-ldap.version');
+ $ssl = $this->config->get('plugins.login-ldap.ssl');
+ $start_tls = $this->config->get('plugins.login-ldap.start_tls');
+ $opt_referrals = $this->config->get('plugins.login-ldap.opt_referrals');
+ $blacklist = $this->config->get('plugins.login-ldap.blacklist_ldap_fields', []);
 if (is_null($host)) {
 throw new ConnectionException('FATAL: LDAP host entry missing in plugin configuration...');
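Review bot: The added `$group_indentifier = $this->config->get('plugins.login-ldap.group_indentifier');` has no fallback, unlike the `$blacklist` read a few lines below that passes `[]`, so on an install whose user-level login-ldap.yaml predates this key the variable may be `null` if Grav does not merge the plugin defaults (I cannot confirm the merge behaviour from the hunk), and the later `$attributes[$group_indentifier]` lookup then indexes by an empty key. Passing the default in the read, `$group_indentifier = $this->config->get('plugins.login-ldap.group_indentifier', 'cn');`, preserves the pre-change behaviour for such installs. Separately, and not introduced by this commit, the context line `$username = str_replace('[username]', $credentials['username'], $user_dn);` inserts the submitted login name into the bind DN without `ldap_escape($credentials['username'], '', LDAP_ESCAPE_DN)`, which is worth a follow-up fix. The enclosing method starts and ends outside the hunk.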
@@ -177,7 +178,7 @@ class LoginLDAPPlugin extends Plugin
 foreach ($groups as $group) {
 $attributes = $group->getAttributes();
- $user_group = array_shift($attributes['cn']);
+ $user_group = array_shift($attributes[$group_indentifier]);
 $user_groups[] = $user_group;
 if ($this->config->get('plugins.login-ldap.store_ldap_data', false)) {
diff --git a/login-ldap.yaml b/login-ldap.yaml
index c47fee8..421f4aa 100644
--- a/login-ldap.yaml
+++ b/login-ldap.yaml
@@ -9,6 +9,7 @@ user_dn: 'uid=[username],dc=company,dc=com'
 search_dn:
 group_dn:
 group_query: '(&(cn=*)(memberUid=[username]))'
+group_indentifier: cn
 map_username: uid
 map_fullname: givenName lastName
 map_email: mail
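Review bot: `array_shift($attributes[$group_indentifier])` on the added line has no guard for a group entry that lacks the configured attribute: the index is undefined, `array_shift()` receives `null`, and that is a warning on PHP 7 but a `TypeError` on PHP 8, which aborts the login for every member of such a group. The hard-coded `'cn'` had the same exposure, but a configurable name makes a mismatch (a typo in the admin form, or a different attribute-name case returned by the LDAP client library, which the hunk does not show) far more likely. A null-safe read, `$user_group = $attributes[$group_indentifier][0] ?? null;` followed by `if ($user_group === null) { continue; }`, skips the unusable group instead of failing the whole authentication. Note that `array_shift()` also removes the value from `$attributes`, which the `store_ldap_data` branch starting on the last context line may persist, so confirm whether that mutation was intended before changing the read. The enclosing method continues outside the hunk.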