Implemented support for LDAP Blacklist Fields

README.md

@@ -159,6 +159,10 @@ If you want to be able to set user data (extra fields, or specific user access)
 >  
 > Also note that the password will never be stored in the Grav user under `accounts/`.
 
+### Blacklist LDAP Fields
+
+With the Blacklist Fields you have the option of ignoring fields. This is useful for skipping users sensitive data or fields that are stored as media. For example phone numbers, home addresses or images, videos, etc.
+
 ### Troubleshooting
 
 If a user is simply unable to authenticate against the LDAP server, an entry will be logged into the Grav log (`logs/grav.log`) file with the attempted `dn`. This can be used to ensure the `user_dn` entry is correct and can be tested against any other LDAP login system.

blueprints.yaml

@@ -204,6 +204,15 @@ form:
               validate:
                 type: commalist
 
+            blacklist_ldap_fields:
+              type: array
+              type: array
+              value_only: true
+              label: PLUGIN_LOGIN_LDAP.BLACKLIST_FIELDS
+              help: PLUGIN_LOGIN_LDAP.BLACKLIST_FIELDS_HELP
+              placeholder_key: key
+              placeholder_value: PLUGIN_LOGIN_LDAP.BLACKLIST_FIELDS_PLACEHOLDER
+
             default_access_levels.access.site:
               type: array
               label: PLUGIN_LOGIN_LDAP.DEFAULT_ACCESS_LEVELS_SITE

languages/en.yaml

@@ -36,3 +36,6 @@ PLUGIN_LOGIN_LDAP:
   USER_SEARCH_DN_DESC: 'String used to retrieve user data. If not provided, extra LDAP user data will not be stored in Grav user account file'
   VERSION: 'Version'
   VERSION_DESC: 'LDAP Version 3 is most popular, only change this if you know what you are doing'
+  BLACKLIST_FIELDS: 'Blacklist Fields'
+  BLACKLIST_FIELDS_HELP: 'A list of LDAP fields to be skipped and ignored'
+  BLACKLIST_FIELDS_PLACEHOLDER: 'Field (ie, jpegPhoto, homePostalAddress)'

login-ldap.php

@@ -84,6 +84,7 @@ class LoginLDAPPlugin extends Plugin
         $ssl            = $this->config->get('plugins.login-ldap.ssl');
         $start_tls      = $this->config->get('plugins.login-ldap.start_tls');
         $opt_referrals  = $this->config->get('plugins.login-ldap.opt_referrals');
+        $blacklist      = $this->config->get('plugins.login-ldap.blacklist_ldap_fields', []);
 
         if (is_null($host)) {
             throw new ConnectionException('FATAL: LDAP host entry missing in plugin configuration...');
@@ -128,7 +129,6 @@ class LoginLDAPPlugin extends Plugin
 
             // If search_dn is set we can try to get information from LDAP
             if ($search_dn) {
-
                 $query = $ldap->query($search_dn, $map_username .'='. $credentials['username']);
                 $results = $query->execute()->toArray();
 
@@ -149,6 +149,13 @@ class LoginLDAPPlugin extends Plugin
                     unset($userdata['ldap']['userPassword']);
                 }
 
+                // Remove blacklisted fields
+                foreach ($blacklist as $fieldName) {
+                    if (isset($userdata['ldap'][$fieldName])) {
+                        unset($userdata['ldap'][$fieldName]);
+                    }
+                }
+
                 // Get Groups if group_dn if set
                 if ($group_dn) {
                     // retrieves all extra groups for user