support login by email

inc/inc.ClassLdapAuthentication.php

@@ -126,7 +126,7 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 			 * look like if searching for that user didn't return a dn.
 			 */
 			if (isset($settings->_ldapBaseDN)) {
-				$ldapSearchAttribut = "uid=";
+				$ldapSearchAttribut = "uid";
 				/* $tmpDN will only be used as a last resort if searching for the user failed */
 				$tmpDN = "uid=".$username.",".$settings->_ldapBaseDN;
 			}
@@ -134,7 +134,7 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 			/* Active directory has a different base dn */
 			if (isset($settings->_ldapType)) {
 				if ($settings->_ldapType==1) {
-					$ldapSearchAttribut = "sAMAccountName=";
+					$ldapSearchAttribut = "sAMAccountName";
 					/* $tmpDN will only be used as a last resort if searching for the user failed */
 					$tmpDN = $username.'@'.$settings->_ldapAccountDomainName;
 					// Add the following if authentication with an Active Dir doesn't work
@@ -157,7 +157,21 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 			} else {
 				$bind = @ldap_bind($ds);
 			}
+
 			$dn = false;
+
+			/* The simplest search is just the username */
+			$ldapsearchterm = $ldapSearchAttribut.'='.$username;
+			/* If login by email is allowed, the search for user name is ored with
+			 * the search for the email.
+			 */
+			if($settings->_enableLoginByEmail) {
+				$ldapsearchterm = "|(".$ldapsearchterm.")(mail=".$username.")";
+			}
+			/* If a ldap filter is set, it will be anded */
+			if($settings->_ldapFilter) {
+				$ldapsearchterm = "&(".$ldapsearchterm.")".$settings->_ldapFilter;
+			}
 			/* If bind succeed, then get the dn of the user. If a filter
 			 * is set, it will be used to allow only those users to log in
 			 * matching the filter criteria. Depending on the type of server, 
@@ -165,19 +179,32 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 			 * 'sAMAccountName=' or 'uid='. All other filters are ANDed.
 			 * A common filter is '(mail=*)' to ensure a user has an email
 			 * address.
+			 * If the previous bind failed, we could try later to bind with
+			 * the user's credentials (this was until 6.0.26 and 5.1.33 the case),
+			 * but if login by email is allowed, it makes no sense to try it. The
+			 * only way to bind is by using a correct dn and that cannot be
+			 * formed with an email.
 			 */
 			if ($bind) {
+				/*
 				if (!empty($settings->_ldapFilter)) {
-					$search = ldap_search($ds, $settings->_ldapBaseDN, "(&(".$ldapSearchAttribut.$username.")".$settings->_ldapFilter.")");
+					$search = ldap_search($ds, $settings->_ldapBaseDN, "(&(".$ldapSearchAttribut.'='.$username.")".$settings->_ldapFilter.")");
 				} else {
-					$search = ldap_search($ds, $settings->_ldapBaseDN, $ldapSearchAttribut.$username);
+					$search = ldap_search($ds, $settings->_ldapBaseDN, $ldapSearchAttribut.'='.$username);
 				}
+				*/
+				$search = ldap_search($ds, $settings->_ldapBaseDN, "(".$ldapsearchterm.")");
 				if (!is_bool($search)) {
 					$info = ldap_get_entries($ds, $search);
 					if (!is_bool($info) && $info["count"]>0) {
 						$dn = $info[0]['dn'];
+						/* Set username to login name in case the email was used for authentication */
+						$username = $info[0][$ldapSearchAttribut][0];
 					}
 				}
+			} elseif(!empty($settings->_enableLoginByEmail)) {
+				ldap_close($ds);
+				return null;
 			}
 
 			/* If the previous bind failed, try it with the users creditionals
@@ -190,8 +217,10 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 			 * If that user was filtered out, because filter was set to '(mail=*)'
 			 * and the user doesn't have a mail address, then $dn will not be
 			 * set and $tmpDN will be used instead, allowing a successfull bind.
+			 * Also do not take the $tmpDN if login by email is allowed, because
+			 * the username could be the email and that doesn't form a valid dn.
 			 */
-			if (is_bool($dn) && empty($settings->_ldapFilter)) {
+			if (is_bool($dn) && empty($settings->_ldapFilter) && empty($settings->_enableLoginByEmail)) {
 				$dn = $tmpDN;
 			}
 
@@ -203,6 +232,9 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 
 			/* Check if user already exists in the database. Return with an error
 			 * only if the sql statements fails, but not if no user was found.
+			 * The username may not be the one passed to this function anymore. It
+			 * could have been overwritten by uid (or sAMAccountName) derived from
+			 * the above ldap search.
 			 */
 			$user = $dms->getUserByLogin($username);
 			if($user === false) {
@@ -219,13 +251,15 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
 
 			// Successfully authenticated. Now check to see if the user exists within
 			// the database. If not, add them in if _restricted is not set,
-			// but do not add their password.
+			// but do not set the password of the user.
 			if (!$settings->_restricted) {
-				// Retrieve the user's LDAP information.
+				/* Retrieve the user's LDAP information. At this time the username is
+				 * the uid or sAMAccountName, even if the email was used for login.
+				 */
 				if (isset($settings->_ldapFilter) && strlen($settings->_ldapFilter) > 0) {
-					$search = ldap_search($ds, $settings->_ldapBaseDN, "(&(".$ldapSearchAttribut.$username.")".$settings->_ldapFilter.")");
+					$search = ldap_search($ds, $settings->_ldapBaseDN, "(&(".$ldapSearchAttribut.'='.$username.")".$settings->_ldapFilter.")");
 				} else {
-					$search = ldap_search($ds, $settings->_ldapBaseDN, $ldapSearchAttribut.$username);
+					$search = ldap_search($ds, $settings->_ldapBaseDN, $ldapSearchAttribut.'='.$username);
 				}
 
 				if (!is_bool($search)) {