

implement LDAP for club1 server only see #237
+ Config param to enable club1 local LDAP auth
+ if the user exists in the database, will try to authenticate using LDAP
vincent-peugnet committed Oct 29, 2024
1 parent 7cbb532 commit 1d8ab29
Showing 3 changed files with 143 additions and 54 deletions.
13 changes: 13 additions & 0 deletions app/class/Config.php
Expand Up @@ -59,6 +59,9 @@ abstract class Config
/** Indicate if img should have loading="lazy" attribute */
protected static bool $lazyloadimg = true;

/** Use club1 LDAP auth */
protected static bool $club1ldap = false;

public const LANG_MIN = 2;
public const LANG_MAX = 16;

Expand Down Expand Up @@ -349,6 +352,11 @@ public static function lazyloadimg(): bool
return self::$lazyloadimg;
}

public static function club1ldap(): bool
{
return self::$club1ldap;
}


// __________________________________________ S E T ______________________________________

Expand Down Expand Up @@ -592,4 +600,9 @@ public static function setlazyloadimg($lazyloadimg): bool
{
return self::$lazyloadimg = boolval($lazyloadimg);
}

public static function setclub1ldap($club1ldap): void
{
self::$club1ldap = boolval($club1ldap);
}
}
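Review bot: `setclub1ldap()` is declared `: void` while the neighbouring `setlazyloadimg()` in the same hunk returns the assigned value (`return self::$lazyloadimg = boolval($lazyloadimg);` with `: bool`); for consistency with the other setters in this class the new one could be `public static function setclub1ldap($club1ldap): bool` returning `self::$club1ldap = boolval($club1ldap);`. The property comment `/** Use club1 LDAP auth */` also understates what the flag does: based on the Controllerconnect.php change in this commit it replaces the stored-password check for every existing user, so a comment such as `/** When true, logins of existing users are verified against the local club1 LDAP server instead of the stored password hash */` would warn future operators before they flip it.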
122 changes: 68 additions & 54 deletions app/class/Controllerconnect.php
Expand Up @@ -3,7 +3,6 @@
namespace Wcms;

use RuntimeException;
use Wcms\Exception\Database\Notfoundexception;

class Controllerconnect extends Controller
{
Expand All @@ -16,9 +15,14 @@ public function log(): void
$id = $_POST['id'] ?? null;
$route = $_POST['route'] ?? 'home';
if ($_POST['log'] === 'login') {
$this->login($route, $id);
$this->login();
} elseif ($_POST['log'] === 'logout') {
$this->logout($route, $id);
$this->logout();
}
if (is_string($id)) {
$this->routedirect($route, ['page' => $id]);
} else {
$this->routedirect($route);
}
}
}
Expand All @@ -39,74 +43,84 @@ public function connect(): void


/**
* Will login an user using POST datas and redirect
*
* @param string $route For redirection
* @param ?string $paramid For redirection (optionnal, can be used for pages redirection)
* Will try to login an user using POST datas
*/
protected function login(string $route, ?string $paramid = null): void
protected function login(): void
{
if (!empty($_POST['pass']) && !empty($_POST['user'])) {
$this->modelconnect = new Modelconnect();
$userid = $_POST['user'];
$pass = false;

try {
$this->user = $this->usermanager->get($userid); // May throw DatabaseException
if (!$this->usermanager->passwordcheck($this->user, $_POST['pass'])) {
$userid = $this->user->id();
$this->sendflashmessage("Wrong credentials", self::FLASH_ERROR);
Logger::error("wrong credential for user : '$userid' when attempting to loggin");
} elseif (
$this->user->expiredate() !== false &&
$this->user->expiredate('date') < $this->now &&
$this->user->level() < 10
) {
$this->sendflashmessage("Account expired", self::FLASH_ERROR);
} else {
$this->user->connectcounter();
$this->usermanager->add($this->user);
$this->servicesession->setuser($this->user->id());
$this->sendflashmessage("Successfully logged in as " . $this->user->id(), self::FLASH_SUCCESS);

if (!empty($_POST['rememberme'])) {
if ($this->user->cookie() > 0) {
$this->modelconnect = new Modelconnect();
$wsessionid = $this->user->newsession();
$this->modelconnect->createauthcookie(
$this->user->id(),
$wsessionid,
$this->user->cookie()
);
$this->usermanager->add($this->user);
$this->servicesession->setwsessionid($wsessionid);
} else {
$message = "Can't remember you beccause user cookie conservation time is set to 0 days";
$this->sendflashmessage($message, self::FLASH_WARNING);
}
}
} catch (RuntimeException $e) {
$this->sendflashmessage('Wrong credentials', self::FLASH_ERROR);
Logger::errorex($e);
return;
}

if (Config::club1ldap()) {
// use ldap for password
try {
$ldap = new Modelclub1ldap();
$pass = $ldap->auth($userid, $_POST['pass']);
$ldap->disconnect();
} catch (RuntimeException $e) {
$this->sendflashmessage('Error with LDAP connection', self::FLASH_ERROR);
Logger::errorex($e);
return;
}
} catch (Notfoundexception $e) {
} else {
// compare password
$pass = $this->usermanager->passwordcheck($this->user, $_POST['pass']);
}

if (!$pass) {
$this->sendflashmessage("Wrong credentials", self::FLASH_ERROR);
Logger::errorex($e);
return;
}

if (
$this->user->expiredate() !== false &&
$this->user->expiredate('date') < $this->now &&
$this->user->level() < 10
) {
$this->sendflashmessage("Account expired", self::FLASH_ERROR);
return;
}

try {
$this->user->connectcounter();
$this->usermanager->add($this->user);
$this->servicesession->setuser($this->user->id());
$this->sendflashmessage("Successfully logged in as " . $this->user->id(), self::FLASH_SUCCESS);

if (!empty($_POST['rememberme'])) {
if ($this->user->cookie() > 0) {
$wsessionid = $this->user->newsession();
$this->modelconnect->createauthcookie(
$this->user->id(),
$wsessionid,
$this->user->cookie()
);
$this->usermanager->add($this->user);
$this->servicesession->setwsessionid($wsessionid);
} else {
$message = "Can't remember you beccause user cookie conservation time is set to 0 days";
$this->sendflashmessage($message, self::FLASH_WARNING);
}
}
} catch (RuntimeException $e) {
$message = "Can't create authentification cookie : $e";
$this->sendflashmessage($message, self::FLASH_WARNING);
Logger::error($message);
}
}
if (is_string($paramid)) {
$this->routedirect($route, ['page' => $paramid]);
} else {
$this->routedirect($route);
}
}

public function logout($route, $id = null): void
protected function logout(): void
{
$this->disconnect();

if ($id !== null && $route !== 'home') {
$this->routedirect($route, ['page' => $id]);
} else {
$this->routedirect($route);
}
}
}
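Review bot: In `login()`, the `if (!$pass)` branch calls `Logger::errorex($e)`, but `$e` is only assigned inside the two `catch` blocks above it; on the ordinary wrong-password path no exception was thrown, so `$e` is undefined there (a PHP warning, and a possible type error depending on `Logger::errorex`'s signature), and the failed-login event loses the user id that the removed code logged with `wrong credential for user : '$userid'`. Replace it with an explicit line such as `Logger::error("wrong credentials for user : '$userid' when attempting to login");`. Separately, the LDAP branch binds with the raw POST value `$userid` while the rest of the method uses the id resolved by `$this->usermanager->get()`; if that lookup normalises the id at all (not visible here), passing `$this->user->id()` to `$ldap->auth()` keeps the directory bind tied to the account actually being logged in. The `log()` hunk at the top of this section starts outside the visible diff; `login()` itself is shown in full.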
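--- /dev/null
+++ b/app/class/Modelclub1ldap.php
@@ -0,0 +1,62 @@
+<?php
+
+namespace Wcms;
+
+use RuntimeException;
+
+class Modelclub1ldap extends Model
+{
+protected string $ldapserver = 'ldap://localhost:389';
+
+protected string $d = 'ou=People,dc=club1,dc=fr';
+protected string $u = 'uid';
+
+
+/** @var mixed $connection resource (PHP 7) or LDAPConnection (PHP 8)*/
+protected $connection;
+
+private const LDAP_INVALID_CREDENTIALS = 0x31;
+
+/**
+* @throws RuntimeException
+*/
+public function __construct()
+{
+$this->connection = @ldap_connect($this->ldapserver);
+if ($this->connection === false) {
+throw new RuntimeException('bad LDAP server syntax');
+}
+ldap_set_option($this->connection, LDAP_OPT_PROTOCOL_VERSION, 3);
+}
+
+/**
+* Try to authenticate user against CLUB1 local LDAP server
+*
+* @param string $username
+* @param string $password
+*
+* @return bool indicating if auth is a success
+*
+* @throws RuntimeException If LDAP connection failed
+*/
+public function auth(string $username, string $password): bool
+{
+$binddn = "$this->u=$username,$this->d";
+
+$ldapbind = @ldap_bind($this->connection, $binddn, $password);
+if ($ldapbind === false) {
+$errno = ldap_errno($this->connection);
+switch ($errno) {
+case self::LDAP_INVALID_CREDENTIALS:
+return false;
+}
+throw new RuntimeException(ldap_err2str($errno));
+}
+return true;
+}
+
+public function disconnect(): void
+{
+ldap_close($this->connection);
+}
+}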
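Review bot: `auth()` interpolates `$username` straight into the bind DN (`"$this->u=$username,$this->d"`) and passes `$password` to `ldap_bind()` unchecked; a username containing `,` or `=` rewrites the DN, and an empty password turns `ldap_bind()` into an unauthenticated bind that many servers accept, so `auth()` would return true without verifying anything. The caller in this commit happens to reject empty passwords and only reaches here for users present in the database, but this model is a reusable authentication primitive and should enforce both itself, using `ldap_escape()` with `LDAP_ESCAPE_DN` and an explicit empty-password guard. The single-case `switch` on `$errno` could also be a plain `if` against `self::LDAP_INVALID_CREDENTIALS`, which reads more directly. Note too that callers who catch the `RuntimeException` never reach `disconnect()`, so the handle is left open until the object is collected.
```php
public function auth(string $username, string $password): bool
{
    // An empty password makes ldap_bind() perform an anonymous/unauthenticated
    // bind, which most servers accept: never treat that as a successful login.
    if ($password === '') {
        return false;
    }
    // Escape DN metacharacters so the caller-supplied name cannot alter the DN.
    $binddn = "$this->u=" . ldap_escape($username, '', LDAP_ESCAPE_DN) . ",$this->d";
    // … unchanged: ldap_bind and errno handling …
}
```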
