gnh1201/seeddms-code
1
0
Fork 0
mirror of https://git.code.sf.net/p/seeddms/code synced 2025-06-18 02:59:27 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch 'seeddms-5.1.x' into seeddms-6.0.x

Browse Source
This commit is contained in:
Uwe Steinmann 2023-08-25 20:18:48 +02:00
commit c3094ce87f
3 changed files with 19 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG
View File

@ -272,6 +272,8 @@
- show errors of none activated extensions and do not allow to activate it, - show errors of none activated extensions and do not allow to activate it,
if there are errors (e.g. missing php extensions) if there are errors (e.g. missing php extensions)
- move Approve/ReviewDocument in a controller - move Approve/ReviewDocument in a controller
- setting password by user can be disabled
- groups from ldap can be synced with seeddms groups
-------------------------------------------------------------------------------- --------------------------------------------------------------------------------
Changes in version 5.1.31 Changes in version 5.1.31

10
doc/README.Ldap
View File

@ -2,14 +2,14 @@ Ldap configuration
=================== ===================
The configuration for authentication against an ldap server needs to be done The configuration for authentication against an ldap server needs to be done
the settings.xml file using a text editor. It cannot be edited from within the in the `settings.xml` file using a text editor. It cannot be edited from within the
web gui. web gui.
SeedDMS supports ldap authentication using an Active Directory (AD) or a SeedDMS supports ldap authentication using an Active Directory (AD) or a
regular ldap server, e.g. openldap regular ldap server, e.g. openldap
The location of the ldap server is specified in two parameters: 'host' and The location of the ldap server is specified in two parameters: `host` and
'port'. 'host' can be either a plain hostname or an ldap URI, including the `port`. `host` can be either a plain hostname or an ldap URI, including the
protocol, the host and optionally the port, e.g. ldap://localhost:389. In case protocol, the host and optionally the port, e.g. ldap://localhost:389. In case
of an URI the port in the configuration must remain empty. of an URI the port in the configuration must remain empty.
@ -31,8 +31,8 @@ If the second bind succeeds the user could be successfully authenticated.
The data from the ldap server can be used to create an account in SeedDMS The data from the ldap server can be used to create an account in SeedDMS
if the user trying to login does not exist yet, but was able to authenticate. if the user trying to login does not exist yet, but was able to authenticate.
This will only be done if 'authentication->restricted' in the configuration This will only be done if 'authentication->restricted' in the configuration
is set to true. In that case the common name (cn) and email address is taken is set to false. In that case the common name (cn) and email address is taken
from ldap. Existing accounts in SeedDMS will not be updated with data from from ldap. An already existing account in SeedDMS will be updated with data from
ldap. ldap.
Examples Examples

17
inc/inc.ClassLdapAuthentication.php
View File

@ -153,7 +153,7 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
* address. * address.
*/ */
if ($bind) { if ($bind) {
if (isset($settings->_ldapFilter) && strlen($settings->_ldapFilter) > 0) { if (!empty($settings->_ldapFilter)) {
$search = ldap_search($ds, $settings->_ldapBaseDN, "(&(".$ldapSearchAttribut.$username.")".$settings->_ldapFilter.")"); $search = ldap_search($ds, $settings->_ldapBaseDN, "(&(".$ldapSearchAttribut.$username.")".$settings->_ldapFilter.")");
} else { } else {
$search = ldap_search($ds, $settings->_ldapBaseDN, $ldapSearchAttribut.$username); $search = ldap_search($ds, $settings->_ldapBaseDN, $ldapSearchAttribut.$username);
@ -168,18 +168,25 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
/* If the previous bind failed, try it with the users creditionals /* If the previous bind failed, try it with the users creditionals
* by simply setting $dn to a guessed dn (see above) * by simply setting $dn to a guessed dn (see above)
* FIXME: This is probably a bad idea because users filtered out * Don't do this if a filter is set because users filtered out
* may still be able to authenticate, because $tmpDN could be a * may still be able to authenticate, because $tmpDN could be a
* valid DN. Example: if baseDN is 'dc=seeddms,dc=org' and the * valid DN which do not match the filter criteria.
* Example: if baseDN is 'dc=seeddms,dc=org' and the
* user 'test' logs in, then $tmpDN will be 'uid=test,dc=seeddms,dc=org' * user 'test' logs in, then $tmpDN will be 'uid=test,dc=seeddms,dc=org'
* If that user was filtered out, because filter was set to '(mail=*)' * If that user was filtered out, because filter was set to '(mail=*)'
* and the user doesn't have a mail address, then $dn will not be * and the user doesn't have a mail address, then $dn will not be
* set and $tmpDN will be used instead, allowing a successfull bind. * set and $tmpDN will be used instead, allowing a successfull bind.
*/ */
if (is_bool($dn)) { if (is_bool($dn) && empty($settings->_ldapFilter)) {
$dn = $tmpDN; $dn = $tmpDN;
} }
/* Without a dn don't even try to bind. It won't work anyway */
if(!$dn) {
ldap_close($ds);
return null;
}
/* Check if user already exists in the database. Return with an error /* Check if user already exists in the database. Return with an error
* only if the sql statements fails, but not if no user was found. * only if the sql statements fails, but not if no user was found.
*/ */
@ -193,7 +200,7 @@ class SeedDMS_LdapAuthentication extends SeedDMS_Authentication {
$bind = @ldap_bind($ds, $dn, $password); $bind = @ldap_bind($ds, $dn, $password);
if (!$bind) { if (!$bind) {
ldap_close($ds); ldap_close($ds);
return false; return null;
} }
// Successfully authenticated. Now check to see if the user exists within // Successfully authenticated. Now check to see if the user exists within