From 4020bf861e96fb0db58bcd8428f38058b9b3e910 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?D=C3=A9veloppeur=20=C3=A9gar=C3=A9?= Date: Wed, 4 Feb 2015 00:35:24 +0100 Subject: [PATCH 1/2] automated creation of Friendica basic account --- ldapauth.tgz | Bin 1514 -> 1941 bytes ldapauth/ldapauth.php | 59 +++++++++++++++++++++++++++++++++--------- 2 files changed, 47 insertions(+), 12 deletions(-) diff --git a/ldapauth.tgz b/ldapauth.tgz index 7dd3d6c427335979974f62e0cf6539bd60cd3ec8..62ff161abc5b090d3e32cdd9c22521b41e0b0354 100755 GIT binary patch literal 1941 zcmV;G2Wt2qiwFqhSs5boFYR~*$KEed_x3#etl zfFh89p)%kDLM2VyHX^l)oiHZEf9KAQ^U}3jfx!ou#Y*bjJ@?%C?wq($;4Qo)p0z4} zZnSaSzP(rJ?(N?0c6Tf7z5VX~ZU^VHQR#HsJNsP}>+Dt9o$lW4b_Mn-e_~wLey|at*?aI~o)8p=aT<>b@=FKYHgqPl&_2BvA!&h*Ksla#~`d-ZF)?=o887|^b z@LuUAc#tS2!JB#^S21|p00g0Aek|lEX}@JsY0XZvgWolPkUe-2eq!*#Rvz4)#qpxo zYGt+9^u@fjkYW->tTjjBdqr*UbUyQmU8@S#g(os(JV0jP1%co+MSm|ukVI>I!+$^T z(Hq4kNdyxi;a$iBaiZYRkHaqv9$PU~3_u{R)cUu^o?2Gb-=asS&&Gk$UZuV%wl11y%G}MKw>E2f-f*Se(dUirrFRWw5Q^PePPmtFm@Cy zFi_z*VuqE6@H#k%Pq7hmjEm;xOJ)d(Ny#RzPv~R7eUb3kM&qSGtrHBaaZY2eUGW~A ziUe2l6gXo68CEQYCQFJtOkou^WZ+!Ca3FC+7nkfHM;+ZnCf5d=W7!UZ+p$&1RFuej3tNwVE;> z3GTDH6LLRF0@k86Ck9TVU#(Ur3HP-h*4~JU5i`BsfN#|;n}nm85TEK!G5H-A99{ga zm75#gw%@h(sHjZFzppf(@DhQ9|9uK)MC;q0dt-a735Aoo6EZ$ry@o3MyP|gzSFA3 ziR9#7?%f*F*0#HC$r6Ps;Mgvt9ezE4DT_xYJ?nXTx~1%F^b4wEtlxlNsA|N{sxD48 zQeB)F)ts;={aL^-By7aW$`lSSj^(+^xma1*H2e!mYcbN?GHTQ{b+cq?Qk<`UR{lJ! z5yM?CBCg>$iP_IWFR7nviPGrT4W-(-9bIbI0Qa?s@%m=&H5%2e%_C8xiCTX%L&R@0 zJIisX>Bj+j=p$P?U$nt`JvEt^UIXuDgIY%2*01Rt%0!aF%5g7r&MH{UV(~T_OLC?^ zz{HCb>!-z@LL%P>MH6Kp6t?s;4TN3~`ykbhM`oX_TP;^_w4!nqvNATN6$xZ z2gBFTj$XPujsC{U!@-lmaCrFqwF_-jOWD;QWbGkWDmEpz*k-Wn9vmDP-q`(C`=e*S zYp--K)`7|!Np7axh1})F(gf$g!OyJo7K5shH=_^+8G}hE6{a_j;hTGvqA6yut5es;xhzQm)mzlMjC^DyyL zvv2`<+Yg8bM;_F-=@nolUFR40UC2kTQx9~L!Rwzep+EB=$WmLpU?IC%64vJrvdk%P1<&rWc8$$-`e(cWorNH z`5VN+JuT=uJoG=MGr2R4hQ_JXm+S=vr*cOf-08zf$Y{3H=##bd&k({myhA&I1>IR7SLqd%$T(_QyqBz?8UQV z=+xZYs(Ji1T&(%@HFSBK*(#MbdRDm_8;yvz{iWZ3c6Rr6 zEAUs&|Nryfe}3-Z`;tz*fAPq>da0+~)#FP&+`hzbX)!#W| bP7j!``u^3p8du|LY&?DdvmUf603-ka(dys( literal 1514 zcmV?dm0sy&{xQFeBEwQg@~ zr`z4CwR_v$?X8YkPo>uBwl}xCsMhJ#+MRB1r(J{IBXY_mk;)eUwYeWmsrX9SEqd{^ zx7~U9^5s)-dP0e^{0|3v2Sf2^(f6=F;Y#I@WeJQWF2*D2oml6=7WY%uLuUUOcgcoDg4@1uMlKwq1(`WTbGWS2k|AFp3MEc3A&+>lI z`_Do?>?MeR4|oq+hL3m|BKptYhiR=n)~$%p_F}YA_&2vBnr9cJ0c$xZlY|9^WrjA= z<&U-HZNT5oT2=z18RwUtTP!!X0j_Dc*2>F6Z|9iWdQ>vrc;(!zbf2&ifrLFhh3{0o zy5D$K9~(k+;^m5Eo$+T^S2M%u>7F2`G&Dwt7AVTk&>99FW&m;;Bc^irsvo2 zN$4Mw&tO+95wpWElJa;4(&ty)KK-Z=V4 z5S0jaTZqe%%jh-gS;RCK2TpWm8Ff5zNr($6dw z&?{iyrq*g?r?Qt>HOyEaoqRYOeHfmco$Q|+jy?{Cr|(aW8=Gl>?_)e1yc-OMdxxhD zXs2e#&U>3z%EG8vpN(S0VJGhH?pofu5mui^uiT`;(%0;6&QI6WvYV{Z8p}1-1b5fP zzj+gugNn%aqd>!)!GsE_M%dosxDApYCd^kfTztd*DpH7Sk#GFpyD$ZIc92V zwHPmIF}_MGr515Xire|VAz_e^#%8xjLrcV`QzE?eY<~3d<1`@najL)71dr11$^(uS zh@WUM&|_h};D2>)ZGN*Sg6kz7o$XtAxCH3W<2Tds#SE| zpWt^VACsp(m|nu?A8=v+=0OmvyZ@F%-tHjnpHj)*RR0^Pq>@T1sicxhDygKBN-C+O Ql3!N-0WfY{a{wp+0LAb0O8@`> diff --git a/ldapauth/ldapauth.php b/ldapauth/ldapauth.php index b87f669d..2c8f3eff 100755 --- a/ldapauth/ldapauth.php +++ b/ldapauth/ldapauth.php @@ -2,8 +2,9 @@ /** * Name: LDAP Authenticate * Description: Authenticate a user against an LDAP directory - * Version: 1.0 + * Version: 1.1 * Author: Mike Macgirvin + * Author: aymhce */ /** @@ -17,8 +18,9 @@ * * Optionally authenticates only if a member of a given group in the directory. * - * The person must have registered with Friendica using the normal registration + * By default, the person must have registered with Friendica using the normal registration * procedures in order to have a Friendica user record, contact, and profile. + * However, it's possible with an option to automate the creation of a Friendica basic account. * * Note when using with Windows Active Directory: you may need to set TLS_CACERT in your site * ldap.conf file to the signing cert for your LDAP server. @@ -31,6 +33,7 @@ * */ +require_once('include/user.php'); function ldapauth_install() { @@ -44,19 +47,13 @@ function ldapauth_uninstall() { function ldapauth_hook_authenticate($a,&$b) { - if(ldapauth_authenticate($b['username'],$b['password'])) { - $results = q("SELECT * FROM `user` WHERE `nickname` = '%s' AND `blocked` = 0 AND `verified` = 1 LIMIT 1", - dbesc($b['username']) - ); - if(count($results)) { - $b['user_record'] = $results[0]; - $b['authenticated'] = 1; - } + if(ldapauth_authenticate($b['username'],$b['password']) && is_existing_account($b['username'])) { + $b['user_record'] = $results[0]; + $b['authenticated'] = 1; } return; } - function ldapauth_authenticate($username,$password) { $ldap_server = get_config('ldapauth','ldap_server'); @@ -65,7 +62,15 @@ function ldapauth_authenticate($username,$password) { $ldap_searchdn = get_config('ldapauth','ldap_searchdn'); $ldap_userattr = get_config('ldapauth','ldap_userattr'); $ldap_group = get_config('ldapauth','ldap_group'); + $ldap_autocreateaccount = get_config('ldapauth','ldap_autocreateaccount'); + $ldap_autocreateaccount_emailattribute = get_config('ldapauth','ldap_autocreateaccount_emailattribute'); + $ldap_autocreateaccount_nameattribute = get_config('ldapauth','ldap_autocreateaccount_nameattribute'); + if(! strlen($ldap_autocreateaccount_emailattribute)) + $ldap_autocreateaccount_emailattribute = "mail"; + if(! strlen($ldap_autocreateaccount_nameattribute)) + $ldap_autocreateaccount_nameattribute = "givenName"; + if(! ((strlen($password)) && (function_exists('ldap_connect')) && (strlen($ldap_server)))) @@ -98,9 +103,14 @@ function ldapauth_authenticate($username,$password) { if(! @ldap_bind($connect,$dn,$password)) return false; + + $emailarray = @ldap_get_values($connect, $id, $ldap_autocreateaccount_emailattribute); + $namearray = @ldap_get_values($connect, $id, $ldap_autocreateaccount_nameattribute); - if(! strlen($ldap_group)) + if(! strlen($ldap_group)){ + ldap_autocreateaccount($ldap_autocreateaccount,$username,$password,$emailarray[0],$namearray[0]); return true; + } $r = @ldap_compare($connect,$ldap_group,'member',$dn); if ($r === -1) { @@ -126,5 +136,30 @@ function ldapauth_authenticate($username,$password) { return false; } + ldap_autocreateaccount($ldap_autocreateaccount,$username,$password,$emailarray[0],$namearray[0]); return true; } + +function ldap_autocreateaccount($ldap_autocreateaccount,$username,$password,$email,$name) { + if($ldap_autocreateaccount == "true" && !is_existing_account($username)){ + if (strlen($email) > 0 && strlen($name) > 0){ + $arr = array('username'=>$name,'nickname'=>$username,'email'=>$email,'password'=>$password,'verified'=>1); + $result = create_user($arr); + if ($result['success']){ + logger("ldapauth: account " . $username . " created"); + }else{ + logger("ldapauth: account " . $username . " was not created ! : " . implode($result)); + } + }else{ + logger("ldapauth: unable to create account, no email or nickname found"); + } + } +} + +function is_existing_account($username){ + $results = q("SELECT * FROM `user` WHERE `nickname` = '%s' AND `blocked` = 0 AND `verified` = 1 LIMIT 1",$username); + if(count($results)) { + return true; + } + return false; +} From 31456b2f43daa3516300c69c4ad54d5468dece0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?D=C3=A9veloppeur=20=C3=A9gar=C3=A9?= <97802n@mac97802n.maif.local> Date: Wed, 4 Feb 2015 16:55:07 +0100 Subject: [PATCH 2/2] update readme --- ldapauth.tgz | Bin 1941 -> 2357 bytes ldapauth/README | 26 +++++++++++++++++++++++--- ldapauth/ldapauth.php | 23 +++++++++++++++++++++-- 3 files changed, 44 insertions(+), 5 deletions(-) mode change 100755 => 100644 ldapauth.tgz diff --git a/ldapauth.tgz b/ldapauth.tgz old mode 100755 new mode 100644 index 62ff161abc5b090d3e32cdd9c22521b41e0b0354..aa3da0a902264720046eda40dc97e2c67c32c251 GIT binary patch literal 2357 zcmV-53Ci{#iwFQFK+;qI1MOPtQ`<-q&sY3cOkBRmP6@wo;11TgaNw;?6^|5QcR!>k zBTHjj8+pb%BZZ}|_}{mC9eKOb!#W<1f2-4J?q%w~ z1@V6eiSUXvH;iK;{h!DGr+-7dOO3a0OXMv%^ConkoE#s1B8QL)l*OU%#S||cQ|XIv z8i$oDiz3jLF+mc}U@07e#0i}Y z00PJFBLK+ANbqDzKpjd=t+FEjb4vm`^pYrc)rKj=jx#cWLLp-h3>0(}%9si;<|d5C z8J8!BUNJE)CSGK=3I$ok0b=RXAQ6BN^n-zb3>={3dO1mO0f4~{m-rmK;{zOYsL2LI zOMc-u^cxi}31df+DL5(|fb$e8h#FVULHXbtKEco;HeXN;NV#OD6XFy4;BcQOEVkY_ z((^0|L>c+|VNM4MrUfGF##!lny3&V~eS zLIwmV!x2MWJ{7UbFvX*C5ZnR=*NM&ROSA|0!%l2RA0c>iB^;9fC82fx^s=N(EqC9%9)m_?Bjz!pk7mno~~l6K5Y*<2bq=# zjg8Tz=3~3j<{6>d6R}8W8V!<9!x7Y_HfEvPed6FnXMNRuB{kKhktkV@AW8l95Eylk z;O)Xw5TWEbKr?wZOX~GHjs3bh-Ag9qea?JZbwcJxNkAJIQS4n#?VwaD4HM?8xLE{! zJiXy)tk%eXOI!BT>W?}9T6MCgrQ;Gu-7Pd0-VNjBR3>uwbIhRpZlU^wGlHV9LDv*5yH4-EPH#MF=JA7?sRX1b=oh$NM^A ztFwf4b0-$~bjGSX?NV0LkngchZ&qT3j+tY%2isD>=KRYs+v8~ob9##9nDrgvQqXD} za&A=?m--U^`+f2eS#ynSUD5M>@G(uf2DP@Le0#&*gr)YHz>RQ3S#>q@YBem4RXtJ0 zh4R5_igNfK)idvha@wX*m&zBVuv)b$)6%P{tCpZ;RBiq0&LOoY(X9*)V`l+F&J10Z zwc6Z1-56QgxHvrd?2@Ko19a67X?vJ4Wt)N$% z%+&5=>IpiZlM1Wr=vNyK1}d!>Qbl$sg6&o|Nh(y#q{4SDQkfYz70P&a7vqa|8E6rg zGIAX4 zEj|#)hZR7AzEE-G3S<86cO&YxTKgpM;0+v{`Us+oNAl~1_x)-6SG@!MZTpJSQzP$5 z6S?iGRtt-2|5n9Qm8tBn&YmE;@6|@vvCpEok{aVE(YT~-nLVJuQfjCJCw({!DXzA# zpMp01@Bs?7o$5HNA_je3r;FP2#gU21baS=5>EHpiNNYw(DXZwdo`iV={g%gd~Imz^~90aMu%Oc=bLkFaLDzn6Ry%T4!52@ z*(z;#rlkj3r4?pb-!sTsI>p-52y5l})!M_W(x&ECn;BYdc4GCEaaHMQld27msh&8a z`i=qB)2CCL8%=%xTxzpJsgj*X{n+Dr<1`yL;s5^~J3M#0ef(k0Apn?i2 bsGx!hDyX1>3M#0ef|k+WGvPs&08jt`==G%! literal 1941 zcmV;G2Wt2qiwFqhSs5boFYR~*$KEed_x3#etl zfFh89p)%kDLM2VyHX^l)oiHZEf9KAQ^U}3jfx!ou#Y*bjJ@?%C?wq($;4Qo)p0z4} zZnSaSzP(rJ?(N?0c6Tf7z5VX~ZU^VHQR#HsJNsP}>+Dt9o$lW4b_Mn-e_~wLey|at*?aI~o)8p=aT<>b@=FKYHgqPl&_2BvA!&h*Ksla#~`d-ZF)?=o887|^b z@LuUAc#tS2!JB#^S21|p00g0Aek|lEX}@JsY0XZvgWolPkUe-2eq!*#Rvz4)#qpxo zYGt+9^u@fjkYW->tTjjBdqr*UbUyQmU8@S#g(os(JV0jP1%co+MSm|ukVI>I!+$^T z(Hq4kNdyxi;a$iBaiZYRkHaqv9$PU~3_u{R)cUu^o?2Gb-=asS&&Gk$UZuV%wl11y%G}MKw>E2f-f*Se(dUirrFRWw5Q^PePPmtFm@Cy zFi_z*VuqE6@H#k%Pq7hmjEm;xOJ)d(Ny#RzPv~R7eUb3kM&qSGtrHBaaZY2eUGW~A ziUe2l6gXo68CEQYCQFJtOkou^WZ+!Ca3FC+7nkfHM;+ZnCf5d=W7!UZ+p$&1RFuej3tNwVE;> z3GTDH6LLRF0@k86Ck9TVU#(Ur3HP-h*4~JU5i`BsfN#|;n}nm85TEK!G5H-A99{ga zm75#gw%@h(sHjZFzppf(@DhQ9|9uK)MC;q0dt-a735Aoo6EZ$ry@o3MyP|gzSFA3 ziR9#7?%f*F*0#HC$r6Ps;Mgvt9ezE4DT_xYJ?nXTx~1%F^b4wEtlxlNsA|N{sxD48 zQeB)F)ts;={aL^-By7aW$`lSSj^(+^xma1*H2e!mYcbN?GHTQ{b+cq?Qk<`UR{lJ! z5yM?CBCg>$iP_IWFR7nviPGrT4W-(-9bIbI0Qa?s@%m=&H5%2e%_C8xiCTX%L&R@0 zJIisX>Bj+j=p$P?U$nt`JvEt^UIXuDgIY%2*01Rt%0!aF%5g7r&MH{UV(~T_OLC?^ zz{HCb>!-z@LL%P>MH6Kp6t?s;4TN3~`ykbhM`oX_TP;^_w4!nqvNATN6$xZ z2gBFTj$XPujsC{U!@-lmaCrFqwF_-jOWD;QWbGkWDmEpz*k-Wn9vmDP-q`(C`=e*S zYp--K)`7|!Np7axh1})F(gf$g!OyJo7K5shH=_^+8G}hE6{a_j;hTGvqA6yut5es;xhzQm)mzlMjC^DyyL zvv2`<+Yg8bM;_F-=@nolUFR40UC2kTQx9~L!Rwzep+EB=$WmLpU?IC%64vJrvdk%P1<&rWc8$$-`e(cWorNH z`5VN+JuT=uJoG=MGr2R4hQ_JXm+S=vr*cOf-08zf$Y{3H=##bd&k({myhA&I1>IR7SLqd%$T(_QyqBz?8UQV z=+xZYs(Ji1T&(%@HFSBK*(#MbdRDm_8;yvz{iWZ3c6Rr6 zEAUs&|Nryfe}3-Z`;tz*fAPq>da0+~)#FP&+`hzbX)!#W| bP7j!``u^3p8du|LY&?DdvmUf603-ka(dys( diff --git a/ldapauth/README b/ldapauth/README index 90ee2595..ee09e94d 100755 --- a/ldapauth/README +++ b/ldapauth/README @@ -1,17 +1,37 @@ Authenticate a user against an LDAP directory Useful for Windows Active Directory and other LDAP-based organisations to maintain a single password across the organisation. - Optionally authenticates only if a member of a given group in the directory. -The person must have registered with Friendica using the normal registration +By default, the person must have registered with Friendica using the normal registration procedures in order to have a Friendica user record, contact, and profile. +However, it's possible with an option to automate the creation of a Friendica basic account. Note when using with Windows Active Directory: you may need to set TLS_CACERT in your site ldap.conf file to the signing cert for your LDAP server. -The required configuration options for this module may be set in the .htconfig.php file +The configuration options for this module may be set in the .htconfig.php file e.g.: +// ldap hostname server - required $a->config['ldapauth']['ldap_server'] = 'host.example.com'; +// dn to search users - required +$a->config['ldapauth']['ldap_searchdn'] = 'ou=users,dc=example,dc=com'; +// attribute to find username - required +$a->config['ldapauth']['ldap_userattr'] = 'uid'; + +// admin dn - optional - only if ldap server dont have anonymous access +$a->config['ldapauth']['ldap_binddn'] = 'cn=admin,dc=example,dc=com'; +// admin password - optional - only if ldap server dont have anonymous access +$a->config['ldapauth']['ldap_bindpw'] = 'password'; + +// for create Friendica account if user exist in ldap +// required an email and a simple (beautiful) nickname on user ldap object +// active account creation - optional - default none +$a->config['ldapauth']['ldap_autocreateaccount'] = 'true'; +// attribute to get email - optional - default : 'mail' +$a->config['ldapauth']['ldap_autocreateaccount_emailattribute'] = 'mail'; +// attribute to get nickname - optional - default : 'givenName' +$a->config['ldapauth']['ldap_autocreateaccount_nameattribute'] = 'givenName'; + ...etc. diff --git a/ldapauth/ldapauth.php b/ldapauth/ldapauth.php index 2c8f3eff..62f4b003 100755 --- a/ldapauth/ldapauth.php +++ b/ldapauth/ldapauth.php @@ -25,12 +25,31 @@ * Note when using with Windows Active Directory: you may need to set TLS_CACERT in your site * ldap.conf file to the signing cert for your LDAP server. * - * The required configuration options for this module may be set in the .htconfig.php file + * The configuration options for this module may be set in the .htconfig.php file * e.g.: * + * // ldap hostname server - required * $a->config['ldapauth']['ldap_server'] = 'host.example.com'; - * ...etc. + * // dn to search users - required + * $a->config['ldapauth']['ldap_searchdn'] = 'ou=users,dc=example,dc=com'; + * // attribute to find username - required + * $a->config['ldapauth']['ldap_userattr'] = 'uid'; * + * // admin dn - optional - only if ldap server dont have anonymous access + * $a->config['ldapauth']['ldap_binddn'] = 'cn=admin,dc=example,dc=com'; + * // admin password - optional - only if ldap server dont have anonymous access + * $a->config['ldapauth']['ldap_bindpw'] = 'password'; + * + * // for create Friendica account if user exist in ldap + * // required an email and a simple (beautiful) nickname on user ldap object + * // active account creation - optional - default none + * $a->config['ldapauth']['ldap_autocreateaccount'] = 'true'; + * // attribute to get email - optional - default : 'mail' + * $a->config['ldapauth']['ldap_autocreateaccount_emailattribute'] = 'mail'; + * // attribute to get nickname - optional - default : 'givenName' + * $a->config['ldapauth']['ldap_autocreateaccount_nameattribute'] = 'givenName'; + * + * ...etc. */ require_once('include/user.php');