Merge pull request #1774 from enemarke/2.4

Added support for creating users into different roles depending on ld…
2016-12-20 15:27:26 +01:00 · 2016-12-20 15:27:26 +01:00 · 871710c7e1
parent 0749273e54 ca3a1b0e9e
commit 871710c7e1
2 changed files with 51 additions and 6 deletions
--- a/app/Config/config.default.php
+++ b/app/Config/config.default.php
@ -126,11 +126,25 @@ $config = array(
 			'ldapReaderUser'     => 'cn=userWithReadAccess,ou=users,dc=example,dc=com', // DN ou RDN LDAP with reader user right
 			'ldapReaderPassword' => 'UserPassword', // the LDAP reader user password
 			'ldapDN'             => 'dc=example,dc=com',
+            'ldapSearchFilter'   => '', // Search filter to limit results from ldapsearh fx to specfic group. FX
+	 		//'ldapSearchFilter'   => '(objectclass=InetOrgPerson)(!(nsaccountlock=True))(memberOf=cn=misp,cn=groups,cn=accounts,dc=example,dc=com)',
 			'ldapSearchAttribut' => 'uid',          // filter for search
 			'ldapFilter'         => array(
 				'mail',
+            //	'memberOf', //Needed filter if roles should be added depending on group membership.
 			),
 			'ldapDefaultRoleId'  => 3,               // 3:User, 1:admin. May be good to set "1" for the first user
+            //ldapDefaultRoleId can also be set as an array to support creating users into different group, depending on ldap membership.
+			//This will only work if the ldap server supports memberOf
+			//'ldapDefaultRoleId'  => array(
+            //                         'misp_admin' => 1,
+            //                         'misp_orgadmin' => 2,
+            //                         'misp_user' => 3,
+            //                         'misp_publisher' => 4,
+            //                         'misp_syncuser' => 5,
+            //                         'misp_readonly' => 6,
+            //                         ),
+			//
 			'ldapDefaultOrg'     => '1',      // uses 1st local org in MISP if undefined
 		),
 	*/
--- a/app/Controller/Component/Auth/ApacheAuthenticate.php
+++ b/app/Controller/Component/Auth/ApacheAuthenticate.php
@ -23,7 +23,21 @@ class ApacheAuthenticate extends BaseAuthenticate {
 	 * @param CakeResponse $response Unused response object.
 	 * @return mixed False on login failure. An array of User data on success.
 	 */
-	public function authenticate(CakeRequest $request, CakeResponse $response) {
+    private function isUserMemberOf($group, $ldapUserData) {
+    // return true of false depeding on if user is a member of group.
+        $returnCode = false;
+        unset($ldapUserData[0]['memberof']["count"]);
+        foreach ($ldapUserData[1]['memberof'] as $result) {
+            $r = explode(",", $result, 2);
+            $ldapgroup = explode("=", $r[0]);
+            if ($ldapgroup[0] == $group) {
+                $returnCode = true;
+            }
+        }
+        return $returnCode;
+    }
+    
+    public function authenticate(CakeRequest $request, CakeResponse $response) {

 		// Get information user for MISP auth
 		$envvar = $this->settings['fields']['envvar'];
@ -33,7 +47,7 @@ class ApacheAuthenticate extends BaseAuthenticate {
 		$ldapdn = Configure::read('ApacheSecureAuth.ldapDN');
 		$ldaprdn = Configure::read('ApacheSecureAuth.ldapReaderUser');     // DN ou RDN LDAP
 		$ldappass = Configure::read('ApacheSecureAuth.ldapReaderPassword');
-
+        $ldapSearchFilter = Configure::read('ApacheSecureAuth.ldapSearchFilter');
 		// LDAP connection
 		$ldapconn = ldap_connect(Configure::read('ApacheSecureAuth.ldapServer'))
 				or die('LDAP server connection failed');
@ -48,9 +62,14 @@ class ApacheAuthenticate extends BaseAuthenticate {
 			if (!$ldapbind) {
 				die("LDAP bind failed");
 			}
-			// example: '(uuid=ApacheUser)'
-			$filter = '('.Configure::read('ApacheSecureAuth.ldapSearchAttribut').'=' . $_SERVER[$envvar] . ')';
-			// example: mail
+            // example for searchFiler: '(objectclass=InetOrgPerson)(!(nsaccountlock=True))(memberOf=cn=misp,cn=groups,cn=accounts,dc=example,dc=com)'
+            // example for searchAttribut: '(uuid=ApacheUser)'
+            if (!empty($ldapSearchFilter)) {
+                $filter = '(&' . $ldapSearchFilter . '(' . Configure::read('ApacheSecureAuth.ldapSearchAttribut') . '=' . $_SERVER[$envvar] . '))';
+            } else {
+                $filter = '(' . Configure::read('ApacheSecureAuth.ldapSearchAttribut') . '=' . $_SERVER[$envvar] . ')';
+            }
+            // example: mail
 			$getLdapUserInfo = Configure::read('ApacheSecureAuth.ldapFilter');

 			$result = ldap_search($ldapconn, $ldapdn, $filter, $getLdapUserInfo)
@ -91,6 +110,18 @@ class ApacheAuthenticate extends BaseAuthenticate {
 			$org_id = $firstOrg['Organisation']['id'];
 		}

+         // Set roleid depending on group membership
+        $roleIds = Configure::read('ApacheSecureAuth.ldapDefaultRoleId');
+        if (is_array($roleIds)) {
+            foreach ($roleIds as $key => $id) {
+                if ($this->isUserMemberOf($key, $ldapUserData)) {
+                    $roleId = $roleIds[$key];
+                }
+            }
+        } else {
+            $roleId = $roleIds;
+        }
+
 		// create user
 		$userData = array('User' => array(
 			'email' => $mispUsername,
@ -100,7 +131,7 @@ class ApacheAuthenticate extends BaseAuthenticate {
 			'authkey' => $userModel->generateAuthKey(),
 			'nids_sid' => 4000000,
 			'newsread' => date('Y-m-d'),
-			'role_id' => Configure::read('ApacheSecureAuth.ldapDefaultRoleId'),
+			'role_id' => $roleId,
 			'change_pw' => 0
 		));
 		// save user