This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "FusionForge".

The branch, master has been updated
       via  638b01fc492b4a52e19593e65d1daa0f96a2a7b6 (commit)
      from  001cb135542d21481ee83b79dce8812330c341d9 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://scm.fusionforge.org/anonscm/gitweb/?p=fusionforge/fusionforge.git;a=commitdiff;h=638b01fc492b4a52e19593e65d1daa0f96a2a7b6

commit 638b01fc492b4a52e19593e65d1daa0f96a2a7b6
Author: Franck Villaume <[email protected]>
Date:   Thu Sep 1 15:52:23 2016 +0200

    plugin AuthLDAP: add support for X_FORWARD_USER to delegate authentication to
another system and retrieve the user from LDAP

diff --git a/src/CHANGES b/src/CHANGES
index 6aa7f57..2661793 100644
--- a/src/CHANGES
+++ b/src/CHANGES
@@ -13,6 +13,7 @@ FusionForge 6.X:
 * FRS: link package release to tracker roadmap. (TrivialDev)
 * Layout: new dynamic quickNav menu: based on user activity to select 5 more 
visited projects (TrivialDev)
 * Plugin AuthBuiltin: add captcha after 3 attempts with the same login [#795] 
(TrivialDev)
+* Plugin AuthLDAP: support X_FORWARD_USER to delegate authentication and then 
retry user from LDAP (TrivialDev)
 * Projects Page: add paging system in full_list and tag_cloud subpages 
(TrivialDev)
 * SearchEngine: support only FTI queries (TrivialDev)
 * Search: index project tags and use them for search (Roland Mas)
diff --git a/src/plugins/authldap/common/AuthLDAPPlugin.class.php 
b/src/plugins/authldap/common/AuthLDAPPlugin.class.php
index ad88b20..4f252ff 100644
--- a/src/plugins/authldap/common/AuthLDAPPlugin.class.php
+++ b/src/plugins/authldap/common/AuthLDAPPlugin.class.php
@@ -137,6 +137,7 @@ into the FusionForge database.");
                                         $user_data['title'],
                                         $user_data['ccode'],
                                         $send_mail)) {
+                               error_log("LDAP: user::create() failed: 
".$u->getErrorMessage());
                                return false;
                        }
 
@@ -232,6 +233,7 @@ into the FusionForge database.");
                forge_define_config_item('ldap_version', $this->name, 3);
                forge_define_config_item('manager_dn', $this->name, '');
                forge_define_config_item('manager_password', $this->name, '');
+               forge_define_config_item('use_x_forward_user', $this->name, 
false);
        }
 
        /// HELPERS
@@ -340,6 +342,57 @@ into the FusionForge database.");
                $this->ldap_conn = $conn;
                return true;
        }
+
+       /**
+        * Is there a valid session?
+        *
+        * @param       array   $params
+        * @return      FORGE_AUTH_AUTHORITATIVE_ACCEPT, 
FORGE_AUTH_AUTHORITATIVE_REJECT or FORGE_AUTH_NOT_AUTHORITATIVE
+        * TODO : document 'auth_token' param
+        */
+       function checkAuthSession(&$params) {
+               // check the session cookie/token to get a user_id
+               if (isset($params['auth_token']) && $params['auth_token'] != 
'') {
+                       $user_id = 
$this->checkSessionToken($params['auth_token']);
+                       //WARNING: I HOPE YOU KNOW WHAT YOU ARE DOING WHEN 
USING THIS OPTION!
+               } elseif (forge_get_config('use_x_forward_user', $this->name)) {
+                       $username = $_SERVER['HTTP_X_FORWARDED_USER'];
+                       $userObject = user_get_object_by_name($username);
+                       if ($userObject && is_object($userObject)) {
+                               $user_id = $userObject->getID();
+                       } else {
+                               $user_id = false;
+                       }
+                       if (!$user_id) {
+                               $params['username'] = $username;
+                               $params['event'] = 
forge_get_config('sync_data_on', $this->name);
+                               $this->syncAccountInfo($params);
+                               $userObject = 
user_get_object_by_name($username);
+                               if ($userObject && is_object($userObject)) {
+                                       $user_id = $userObject->getID();
+                               } else {
+                                       $user_id = false;
+                               }
+                       }
+               } else {
+                       $user_id = $this->checkSessionCookie();
+               }
+               if ($user_id) {
+                       $this->saved_user = user_get_object($user_id);
+                       if ($this->isSufficient()) {
+                               $params['results'][$this->name] = 
FORGE_AUTH_AUTHORITATIVE_ACCEPT;
+                       } else {
+                               $params['results'][$this->name] = 
FORGE_AUTH_NOT_AUTHORITATIVE;
+                       }
+               } else {
+                       $this->saved_user = NULL;
+                       if ($this->isRequired()) {
+                               $params['results'][$this->name] = 
FORGE_AUTH_AUTHORITATIVE_REJECT;
+                       } else {
+                               $params['results'][$this->name] = 
FORGE_AUTH_NOT_AUTHORITATIVE;
+                       }
+               }
+       }
 }
 
 // Local Variables:
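Review bot: The `use_x_forward_user` branch of `checkAuthSession()` reads `$_SERVER['HTTP_X_FORWARDED_USER']` without verifying that the request actually arrived through the delegating proxy, so a client that can reach this front end directly can supply the header itself and be treated as that account (and, if `syncAccountInfo()` provisions accounts as its name suggests, have one created). The branch should only be taken when the request demonstrably came from the proxy, e.g. by comparing `$_SERVER['REMOTE_ADDR']` against an operator-configured list of proxy addresses (a new config item; name to be chosen), and the docblock should replace the `TODO` with a sentence stating that enabling the option bypasses `checkSessionCookie()` for this plugin. The header is also read unconditionally: when it is absent `$username` is null and the code still calls `user_get_object_by_name()` and `syncAccountInfo()` with an empty name, so guard it first, `$username = isset($_SERVER['HTTP_X_FORWARDED_USER']) ? trim($_SERVER['HTTP_X_FORWARDED_USER']) : '';` and `if ($username === '') { $user_id = false; } else { /* existing lookup and sync */ }`. The `$params['auth_token'] != ''` test on the first branch would be safer as `!== ''` so a token of `'0'` is not silently dropped.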
diff --git a/src/plugins/authldap/etc/authldap.ini 
b/src/plugins/authldap/etc/authldap.ini
index 62ea5af..6fe1607 100644
--- a/src/plugins/authldap/etc/authldap.ini
+++ b/src/plugins/authldap/etc/authldap.ini
@@ -26,6 +26,10 @@ base_dn = "ou=users,dc=example,dc=com"
 manager_dn = ''
 manager_password = ''
 
+; delegate the authentication to a reverse proxy or any external service that 
support X_FORWARD_USER
+; WARNING: YOU BETTER KNOW WHAT YOU ARE DOING IF YOU SET THIS OPTION TO TRUE
+use_x_forward_user = false
+
 ; LDAP attributes mapping for data sync
 ; Comma-separated list of fusionforgefield=ldapfield
 ; the ldapfield MUST be in lower case
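Review bot: The comment above `use_x_forward_user` warns the operator but does not say what the deployment must guarantee for the option to be safe; state the preconditions explicitly, e.g. `; Only enable when this host is reachable solely through the proxy that sets X-Forwarded-User,` and `; and that proxy overwrites (never appends to) any X-Forwarded-User header sent by the client.` It would also help to note that, when enabled, this plugin no longer consults the normal session cookie, since that follows from the accompanying change in AuthLDAPPlugin.class.php.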

-----------------------------------------------------------------------

Summary of changes:
 src/CHANGES                                        |  1 +
 .../authldap/common/AuthLDAPPlugin.class.php       | 53 ++++++++++++++++++++++
 src/plugins/authldap/etc/authldap.ini              |  4 ++
 3 files changed, 58 insertions(+)


hooks/post-receive
-- 
FusionForge
