Added group_indentifier option

This commit is contained in:
Andy Miller
2018-05-17 15:28:32 -06:00
parent 52117ef793
commit 98205c1167
5 changed files with 58 additions and 29 deletions


@@ -46,10 +46,10 @@ user_dn: 'uid=[username],dc=company,dc=com'
search_dn: search_dn:
group_dn: group_dn:
group_query: '(&(cn=*)(memberUid=[username]))' group_query: '(&(cn=*)(memberUid=[username]))'
group_indentifier: cn
map_username: uid map_username: uid
map_fullname: givenName lastName map_fullname: givenName lastName
map_email: mail map_email: mail
save_grav_user: false save_grav_user: false
store_ldap_data: false store_ldap_data: false
default_access_levels: default_access_levels:
@@ -72,32 +72,33 @@ default_access_levels:
|Key |Description | Values | |Key |Description | Values |
|:---------------------|:---------------------------|:-------| |:---------------------|:---------------------------|:-------|
|enabled|Enables the plugin | [default: **true**] \| false| |enabled|Enables the plugin | [default: `true`] \| `false`|
|host|The DNS name or IP address of your LDAP server | e.g. ldap.yourcompany.com | |host|The DNS name or IP address of your LDAP server | e.g. `ldap.yourcompany.com` |
|port|The TCP port of the host that the LDAP server runs under | [default: **389**]| |port|The TCP port of the host that the LDAP server runs under | [default: `389`]|
|version|LDAP Version 3 is most popular (only change this if you know what you are doing) | [default: **3**] | |version|LDAP Version 3 is most popular (only change this if you know what you are doing) | [default: `3`] |
|ssl|Enable SSL for the connection (typically for port 636 or 3269) | true \| [default: **false**] | |ssl|Enable SSL for the connection (typically for port 636 or 3269) | `true` \| [default: `false`] |
|start_tls|Negotiate TLS encryption with the LDAP server (requires all traffic to be encrypted) | true \| [default: **false**] | |start_tls|Negotiate TLS encryption with the LDAP server (requires all traffic to be encrypted) | `true` \| [default: `false`] |
|opt_referrals|Sets the value of LDAP_OPT_REFERRALS (Set to "off" for Windows 2003 servers) | true \| [default: **false**] | |opt_referrals|Sets the value of LDAP_OPT_REFERRALS (Set to "off" for Windows 2003 servers) | `true` \| [default: `false`] |
### LDAP Configuration ### LDAP Configuration
|Key |Description | Values | |Key |Description | Values |
|:---------------------|:---------------------------|:-------| |:---------------------|:---------------------------|:-------|
|user_dn|DN String used to authenticate a user, where `[username]` is replaced by username value entered via login | e.g. `uid=[username],dc=company,dc=com` | |user_dn|DN String used to authenticate a user, where `[username]` is replaced by username value entered via login | [default: `uid=[username],dc=company,dc=com`] |
|search_dn|DN String used to retrieve user data. If not provided, extra LDAP user data will not be stored in Grav user account file [OPTIONAL]| e.g. `ou=users,dc=company,dc=com` | |search_dn|DN String used to retrieve user data. If not provided, extra LDAP user data will not be stored in Grav user account file [OPTIONAL]| e.g. `ou=users,dc=company,dc=com` |
|group_dn|DN String used to retrieve user group data. If not provided, extra LDAP group data will not be stored in Grav user account file [OPTIONAL] | e.g. `ou=groups,dc=company,dc=com` | |group_dn|DN String used to retrieve user group data. If not provided, extra LDAP group data will not be stored in Grav user account file [OPTIONAL] | e.g. `ou=groups,dc=company,dc=com` |
|group_query|The query used to search Groups. Only change this if you know what you are doing| e.g. `(&(cn=*)(memberUid=[username]))`| |group_query|The query used to search Groups. Only change this if you know what you are doing| [default: `(&(cn=*)(memberUid=[username]))`] |
|map_username|LDAP Attribute(s) that contains the user's username | [default: **uid**] | |group_indentifier|The Group identifier that will come back in the response, this is directly related to group query.| [default: `cn`] |
|map_fullname|LDAP Attribute(s) that contains the user's full name | [default: **givenName lastName**] | |map_username|LDAP Attribute(s) that contains the user's username | [default: `uid`] |
|map_email|LDAP Attribute(s) that contains the user's email address | [default: **mail**] | |map_fullname|LDAP Attribute(s) that contains the user's full name | [default: `givenName lastName`] |
|map_email|LDAP Attribute(s) that contains the user's email address | [default: `mail`] |
### Advanced Configuration ### Advanced Configuration
|Key |Description | Values | |Key |Description | Values |
|:---------------------|:---------------------------|:-------| |:---------------------|:---------------------------|:-------|
|save_grav_user|Store the grav user account as a local YAML account | true \| [default: **false**] | |save_grav_user|Store the grav user account as a local YAML account | true \| [default: `false`] |
|store_ldap_data|If storing a local Grav user, you can also store LDAP data so its available in Grav| true \| [default: **false**] | |store_ldap_data|If storing a local Grav user, you can also store LDAP data so its available in Grav| true \| [default: `false`] |
|default_access_levels.groups|Set a default group for all users logging in via LDAP [OPTIONAL] | e.g. `ldap_users` | |default_access_levels.groups|Set a default group for all users logging in via LDAP [OPTIONAL] | e.g. `ldap_users` |
|default_access_levels.access.site|Set the default **site access** for all users logging in via LDAP (used if no `access.groups` mapping applies) | e.g. `[login: 'true']` | |default_access_levels.access.site|Set the default **site access** for all users logging in via LDAP (used if no `access.groups` mapping applies) | e.g. `[login: 'true']` |
|default_access_levels.access.groups|The default **access to assign** to users logging in based on **LDAP group membership**| e.g. `user: [site: [login: 'true']]` | |default_access_levels.access.groups|The default **access to assign** to users logging in based on **LDAP group membership**| e.g. `user: [site: [login: 'true']]` |
@@ -171,5 +172,22 @@ If either the `user_dn`, `search_dn`, `group_dn` or `group_query` are incorrect
If you expect `fullname`, or `email` to be stored in the Grav user object, but they are not appearing, it's probably a problem with your field mappings. Double check with your LDAP administrator that these are the correct mappings. If you expect `fullname`, or `email` to be stored in the Grav user object, but they are not appearing, it's probably a problem with your field mappings. Double check with your LDAP administrator that these are the correct mappings.
Under the `example` folder you can find a `default.md` page that you can use to see the data collected during LDAP authentication. It's an useful way for configuring the plugin as well as tweaking the Blacklist. To get a quick state of your LDAP configuration, you can simply dump out the Grav user on a temporary _secure_ page:
```markdown
---
title: LDAP Test
cache_enabled: false
process:
twig: true
access:
site.login: true
---
# Grav User
{{ vardump(grav.user) }}
```
For a more detailed example, you can look in the `example.` folder of this plugin, where you can find a `default.md` page that you can use to see the data collected during LDAP authentication. It's an useful way for configuring the plugin as well as tweaking the Blacklist.


@@ -1,5 +1,5 @@
name: Login LDAP name: Login LDAP
version: 0.1.1 version: 0.1.2
description: Allows for Grav user authentication against an LDAP Server such as OpenLDAP or ActiveDirectory description: Allows for Grav user authentication against an LDAP Server such as OpenLDAP or ActiveDirectory
icon: user-circle-o icon: user-circle-o
author: author:
@@ -145,6 +145,13 @@ form:
placeholder: '(&(cn=*)(memberUid=[username]))' placeholder: '(&(cn=*)(memberUid=[username]))'
help: PLUGIN_LOGIN_LDAP.GROUP_QUERY_DESC help: PLUGIN_LOGIN_LDAP.GROUP_QUERY_DESC
group_indentifier:
type: text
label: PLUGIN_LOGIN_LDAP.GROUP_IDENTIFIER
size: large
placeholder: 'cn'
help: PLUGIN_LOGIN_LDAP.GROUP_IDENTIFIER_DESC
map_username: map_username:
type: text type: text
label: PLUGIN_LOGIN_LDAP.USERNAME_MAPPING label: PLUGIN_LOGIN_LDAP.USERNAME_MAPPING
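Review bot: The new `group_indentifier` form field has no `default` and no `validate` rule, so an admin who saves the plugin settings with it left blank presumably persists an empty value, which the plugin code then uses directly as an LDAP attribute key. Adding `default: cn` and a `validate:` block with `required: true` under the field would keep the stored config usable and mirror the `cn` placeholder. The field name also carries the `indentifier` spelling used throughout this commit; if it is meant to be `group_identifier`, this form field and the config key should be renamed together before the option ships.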


@@ -9,6 +9,8 @@ PLUGIN_LOGIN_LDAP:
GROUP_SEARCH_DN_DESC: 'String used to retrieve user group data. If not provided, extra LDAP group data will not be stored in Grav user account file' GROUP_SEARCH_DN_DESC: 'String used to retrieve user group data. If not provided, extra LDAP group data will not be stored in Grav user account file'
GROUP_QUERY: 'Group Query' GROUP_QUERY: 'Group Query'
GROUP_QUERY_DESC: 'The query used to search Groups. Only change this if you know what you are doing' GROUP_QUERY_DESC: 'The query used to search Groups. Only change this if you know what you are doing'
GROUP_IDENTIFIER: 'Group Identifier'
GROUP_IDENTIFIER_DESC: 'The Group identifier that will come back in the response, this is directly related to group query.'
HOST: 'Host' HOST: 'Host'
HOST_DESC: 'Host name of the LDAP server' HOST_DESC: 'Host name of the LDAP server'
INSTRUCTIONS: 'Instructions' INSTRUCTIONS: 'Instructions'


@@ -75,6 +75,7 @@ class LoginLDAPPlugin extends Plugin
$search_dn = $this->config->get('plugins.login-ldap.search_dn'); $search_dn = $this->config->get('plugins.login-ldap.search_dn');
$group_dn = $this->config->get('plugins.login-ldap.group_dn'); $group_dn = $this->config->get('plugins.login-ldap.group_dn');
$group_query = $this->config->get('plugins.login-ldap.group_query'); $group_query = $this->config->get('plugins.login-ldap.group_query');
$group_indentifier = $this->config->get('plugins.login-ldap.group_indentifier');
$username = str_replace('[username]', $credentials['username'], $user_dn); $username = str_replace('[username]', $credentials['username'], $user_dn);
@@ -177,7 +178,7 @@ class LoginLDAPPlugin extends Plugin
foreach ($groups as $group) { foreach ($groups as $group) {
$attributes = $group->getAttributes(); $attributes = $group->getAttributes();
$user_group = array_shift($attributes['cn']); $user_group = array_shift($attributes[$group_indentifier]);
$user_groups[] = $user_group; $user_groups[] = $user_group;
if ($this->config->get('plugins.login-ldap.store_ldap_data', false)) { if ($this->config->get('plugins.login-ldap.store_ldap_data', false)) {
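Review bot: The new lookup `$attributes[$group_indentifier]` is performed without checking that the key exists, so a group entry whose attributes do not contain the configured identifier — or an unset/blank option, since the `config->get` call on the first added line passes no default — raises an undefined-index notice and pushes a null into `$user_groups`, which presumably then feeds the group-based access mapping the README describes. I would read the option with a fallback, `$group_indentifier = $this->config->get('plugins.login-ldap.group_indentifier', 'cn');`, and skip entries that lack it with `if (empty($attributes[$group_indentifier])) { continue; }` placed before the `array_shift`. Separately, the key is spelled `indentifier` in all five files; once 0.1.2 ships it becomes a persisted user config key, so renaming it to `group_identifier` now avoids a breaking rename later. The enclosing method starts and ends outside this hunk.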


@@ -9,6 +9,7 @@ user_dn: 'uid=[username],dc=company,dc=com'
search_dn: search_dn:
group_dn: group_dn:
group_query: '(&(cn=*)(memberUid=[username]))' group_query: '(&(cn=*)(memberUid=[username]))'
group_indentifier: cn
map_username: uid map_username: uid
map_fullname: givenName lastName map_fullname: givenName lastName
map_email: mail map_email: mail