Revision: 1679 Author: olavmrk Date: Mon Aug 17 02:05:48 2009 Log: ldap: Privilege separation for LDAP attribute retrieval
Allow simpleSAMLphp to use a different LDAP user for retrieving the users attributes. Patch by Victoriano Giralt <victori...@uma.es>. http://code.google.com/p/simplesamlphp/source/detail?r=1679 Modified: /trunk/config-templates/authsources.php /trunk/modules/ldap/lib/ConfigHelper.php ======================================= --- /trunk/config-templates/authsources.php Fri May 8 10:52:32 2009 +++ /trunk/config-templates/authsources.php Mon Aug 17 02:05:48 2009 @@ -137,6 +137,23 @@ */ 'search.username' => NULL, 'search.password' => NULL, + + /* + * If the directory uses privilege separation, + * the authenticated user may not be able to retrieve + * all required attribures, a privileged entity is required + * to get them. This is enabled with this option. + */ + 'priv.read' => FALSE, + + /* + * The DN & password the simpleSAMLphp should bind to before + * retrieving attributes. These options are required if + * 'priv.read' is set to TRUE. + */ + 'priv.username' => NULL, + 'priv.password' => NULL, + ), /* Example of an LDAPMulti authentication source. */ ======================================= --- /trunk/modules/ldap/lib/ConfigHelper.php Fri Aug 14 04:40:31 2009 +++ /trunk/modules/ldap/lib/ConfigHelper.php Mon Aug 17 02:05:48 2009 @@ -73,6 +73,23 @@ private $attributes; + /** + * The user cannot get all attributes, privileged reader required + */ + private $privRead; + + + /** + * The DN we should bind with before we can get the attributes. + */ + private $privUsername; + + + /** + * The password we should bind with before we can get the attributes. + */ + private $privPassword; + /** * Constructor for this configuration parser. 
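Review bot: The new template comment for 'priv.read' in authsources.php says a "privileged entity" is needed but does not say what rights that account should have, so operators will tend to configure a directory administrator DN here; since the only use of this account in the ConfigHelper.php hunks is `$ldap->getAttributes($dn, $this->attributes)`, the comment should state the minimum, e.g. ` * The account only needs read access to the attributes listed in 'attributes'; do not use a directory administrator DN here.` The same comment has a typo, `attribures` for `attributes`. The comment for 'priv.username' / 'priv.password' could also note that the password is stored in clear text in this file, so the file's permissions matter.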
@@ -92,6 +109,7 @@
 $this->hostname = $config->getString('hostname');
 $this->enableTLS = $config->getBoolean('enable_tls', FALSE);
 $this->searchEnable = $config->getBoolean('search.enable', FALSE);
+ $this->privRead = $config->getBoolean('priv.read', FALSE);
 if ($this->searchEnable) {
 $this->searchUsername = $config->getString('search.username', NULL);
@@ -105,6 +123,12 @@
 } else {
 $this->dnPattern = $config->getString('dnpattern');
 }
+
+ /* Are privs needed to get to the attributes? */
+ if ($this->privRead) {
+ $this->privUsername = $config->getString('priv.username');
+ $this->privPassword = $config->getString('priv.password');
+ }
 $this->attributes = $config->getArray('attributes', NULL);
 }
@@ -148,6 +172,14 @@
 SimpleSAML_Logger::info($this->location . ': '. $username . ' failed to authenticate. DN=' . $dn);
 throw new SimpleSAML_Error_Error('WRONGUSERPASS');
 }
+
+ /* Are privs needed to get the attributes? */
+ if ($this->privRead) {
+ /* Yes, rebind with privs */
+ if(!$ldap->bind($this->privUsername, $this->privPassword)) {
+ throw new Exception('Error authenticating using privileged DN & password.');
+ }
+ }
 return $ldap->getAttributes($dn, $this->attributes);
 }
--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "simpleSAMLphp commits" group. To post to this group, send email to simplesamlphp-commits@googlegroups.com To unsubscribe from this group, send email to simplesamlphp-commits+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/simplesamlphp-commits?hl=en -~----------~----~----~----~------~----~------~--~---
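Review bot: In the -105 hunk `priv.password` is read with `getString`, which accepts an empty string, and nothing in the hunk rejects that value; if the `$ldap->bind` wrapper does not refuse empty passwords itself (not visible here), an empty `priv.password` would turn the later rebind into an unauthenticated LDAP bind that many directories accept silently, after which attribute retrieval runs without the intended privileges. A constructor-side check such as `if ($this->privPassword === '') { throw new Exception('priv.password must not be empty when priv.read is enabled.'); }` after the two `getString` calls would make the misconfiguration fail loudly at startup rather than at attribute retrieval. The constructor's start and end are outside this hunk.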
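Review bot: A failed privileged bind in the -148 hunk is thrown as a bare `Exception` with no log entry, whereas the user-bind failure directly above it logs through `SimpleSAML_Logger::info` with `$this->location` before throwing; this failure is an operator problem (wrong DN, expired or locked service account) rather than a user error, so it should be logged with enough context to find in the server log, e.g. `SimpleSAML_Logger::error($this->location . ': Bind with privileged DN failed. DN=' . $this->privUsername);` immediately before the `throw`. The log line must not include `$this->privPassword`. The rebind also replaces the user's identity on the same connection for the remainder of the call, which is the intent, but a one-line comment saying that `getAttributes` below now runs as the privileged DN would make that explicit. The enclosing method starts outside this hunk.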