Implemented support for LDAP Blacklist Fields

This commit is contained in:
Djamil Legato
2018-05-16 12:24:08 -07:00
parent b92c654aa1
commit ffe5f6a5a0
4 changed files with 24 additions and 1 deletions


@@ -159,6 +159,10 @@ If you want to be able to set user data (extra fields, or specific user access)
>
> Also note that the password will never be stored in the Grav user under `accounts/`.
### Blacklist LDAP Fields
With the Blacklist Fields you have the option of ignoring fields. This is useful for skipping users sensitive data or fields that are stored as media. For example phone numbers, home addresses or images, videos, etc.
### Troubleshooting
If a user is simply unable to authenticate against the LDAP server, an entry will be logged into the Grav log (`logs/grav.log`) file with the attempted `dn`. This can be used to ensure the `user_dn` entry is correct and can be tested against any other LDAP login system.


@@ -204,6 +204,15 @@ form:
validate:
type: commalist
blacklist_ldap_fields:
type: array
type: array
value_only: true
label: PLUGIN_LOGIN_LDAP.BLACKLIST_FIELDS
help: PLUGIN_LOGIN_LDAP.BLACKLIST_FIELDS_HELP
placeholder_key: key
placeholder_value: PLUGIN_LOGIN_LDAP.BLACKLIST_FIELDS_PLACEHOLDER
default_access_levels.access.site:
type: array
label: PLUGIN_LOGIN_LDAP.DEFAULT_ACCESS_LEVELS_SITE
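Review bot: `type: array` appears twice directly under the new `blacklist_ldap_fields:` key; if that duplication is really in the blueprint and not a rendering artifact of this page, it is a duplicate mapping key, which YAML parsers either reject or resolve silently as last-wins, so one of the two lines should be dropped. The `validate:` / `type: commalist` lines at the top of the hunk look like they belong to the preceding field rather than to the new one, which I cannot confirm from the visible lines.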


@@ -36,3 +36,6 @@ PLUGIN_LOGIN_LDAP:
USER_SEARCH_DN_DESC: 'String used to retrieve user data. If not provided, extra LDAP user data will not be stored in Grav user account file'
VERSION: 'Version'
VERSION_DESC: 'LDAP Version 3 is most popular, only change this if you know what you are doing'
BLACKLIST_FIELDS: 'Blacklist Fields'
BLACKLIST_FIELDS_HELP: 'A list of LDAP fields to be skipped and ignored'
BLACKLIST_FIELDS_PLACEHOLDER: 'Field (ie, jpegPhoto, homePostalAddress)'


@@ -84,6 +84,7 @@ class LoginLDAPPlugin extends Plugin
$ssl = $this->config->get('plugins.login-ldap.ssl');
$start_tls = $this->config->get('plugins.login-ldap.start_tls');
$opt_referrals = $this->config->get('plugins.login-ldap.opt_referrals');
$blacklist = $this->config->get('plugins.login-ldap.blacklist_ldap_fields', []);
if (is_null($host)) {
throw new ConnectionException('FATAL: LDAP host entry missing in plugin configuration...');
@@ -128,7 +129,6 @@ class LoginLDAPPlugin extends Plugin
// If search_dn is set we can try to get information from LDAP
if ($search_dn) {
$query = $ldap->query($search_dn, $map_username .'='. $credentials['username']);
$results = $query->execute()->toArray();
@@ -149,6 +149,13 @@ class LoginLDAPPlugin extends Plugin
unset($userdata['ldap']['userPassword']);
}
// Remove blacklisted fields
foreach ($blacklist as $fieldName) {
if (isset($userdata['ldap'][$fieldName])) {
unset($userdata['ldap'][$fieldName]);
}
}
// Get Groups if group_dn if set
if ($group_dn) {
// retrieves all extra groups for user
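Review bot: The removal loop at `foreach ($blacklist as $fieldName)` matches attribute names by exact array key, but LDAP attribute names are case-insensitive, so a configured `jpegphoto` leaves `jpegPhoto` in `$userdata['ldap']` and the field the administrator meant to suppress is still written to the account file. Matching the keys case-insensitively closes that gap in one line, `$userdata['ldap'] = array_diff_ukey($userdata['ldap'], array_fill_keys($blacklist, true), 'strcasecmp');`, and also drops entries whose value is null, which the `isset()` check currently skips; this assumes `$userdata['ldap']` is an array, which the `unset($userdata['ldap']['userPassword'])` just above suggests but the hunk does not prove. `$blacklist` is read in the first hunk via `$this->config->get('plugins.login-ldap.blacklist_ldap_fields', [])`; the blueprint declares it as an array, but a hand-edited config could make it a string, so a `(array)` cast before use would avoid a fatal error during login. The enclosing method begins outside the hunk.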