mirror of https://github.com/MISP/MISP
Merge pull request #1774 from enemarke/2.4
Added support for creating users into different roles depending on ld…pull/1779/head
commit
871710c7e1
|
@ -126,11 +126,25 @@ $config = array(
|
|||
'ldapReaderUser' => 'cn=userWithReadAccess,ou=users,dc=example,dc=com', // DN ou RDN LDAP with reader user right
|
||||
'ldapReaderPassword' => 'UserPassword', // the LDAP reader user password
|
||||
'ldapDN' => 'dc=example,dc=com',
|
||||
'ldapSearchFilter' => '', // Search filter to limit results from ldapsearh fx to specfic group. FX
|
||||
//'ldapSearchFilter' => '(objectclass=InetOrgPerson)(!(nsaccountlock=True))(memberOf=cn=misp,cn=groups,cn=accounts,dc=example,dc=com)',
|
||||
'ldapSearchAttribut' => 'uid', // filter for search
|
||||
'ldapFilter' => array(
|
||||
'mail',
|
||||
// 'memberOf', //Needed filter if roles should be added depending on group membership.
|
||||
),
|
||||
'ldapDefaultRoleId' => 3, // 3:User, 1:admin. May be good to set "1" for the first user
|
||||
//ldapDefaultRoleId can also be set as an array to support creating users into different group, depending on ldap membership.
|
||||
//This will only work if the ldap server supports memberOf
|
||||
//'ldapDefaultRoleId' => array(
|
||||
// 'misp_admin' => 1,
|
||||
// 'misp_orgadmin' => 2,
|
||||
// 'misp_user' => 3,
|
||||
// 'misp_publisher' => 4,
|
||||
// 'misp_syncuser' => 5,
|
||||
// 'misp_readonly' => 6,
|
||||
// ),
|
||||
//
|
||||
'ldapDefaultOrg' => '1', // uses 1st local org in MISP if undefined
|
||||
),
|
||||
*/
|
||||
|
|
|
@ -23,7 +23,21 @@ class ApacheAuthenticate extends BaseAuthenticate {
|
|||
* @param CakeResponse $response Unused response object.
|
||||
* @return mixed False on login failure. An array of User data on success.
|
||||
*/
|
||||
public function authenticate(CakeRequest $request, CakeResponse $response) {
|
||||
private function isUserMemberOf($group, $ldapUserData) {
|
||||
// return true of false depeding on if user is a member of group.
|
||||
$returnCode = false;
|
||||
unset($ldapUserData[0]['memberof']["count"]);
|
||||
foreach ($ldapUserData[1]['memberof'] as $result) {
|
||||
$r = explode(",", $result, 2);
|
||||
$ldapgroup = explode("=", $r[0]);
|
||||
if ($ldapgroup[0] == $group) {
|
||||
$returnCode = true;
|
||||
}
|
||||
}
|
||||
return $returnCode;
|
||||
}
|
||||
|
||||
public function authenticate(CakeRequest $request, CakeResponse $response) {
|
||||
|
||||
// Get information user for MISP auth
|
||||
$envvar = $this->settings['fields']['envvar'];
|
||||
|
@ -33,7 +47,7 @@ class ApacheAuthenticate extends BaseAuthenticate {
|
|||
$ldapdn = Configure::read('ApacheSecureAuth.ldapDN');
|
||||
$ldaprdn = Configure::read('ApacheSecureAuth.ldapReaderUser'); // DN ou RDN LDAP
|
||||
$ldappass = Configure::read('ApacheSecureAuth.ldapReaderPassword');
|
||||
|
||||
$ldapSearchFilter = Configure::read('ApacheSecureAuth.ldapSearchFilter');
|
||||
// LDAP connection
|
||||
$ldapconn = ldap_connect(Configure::read('ApacheSecureAuth.ldapServer'))
|
||||
or die('LDAP server connection failed');
|
||||
|
@ -48,9 +62,14 @@ class ApacheAuthenticate extends BaseAuthenticate {
|
|||
if (!$ldapbind) {
|
||||
die("LDAP bind failed");
|
||||
}
|
||||
// example: '(uuid=ApacheUser)'
|
||||
$filter = '('.Configure::read('ApacheSecureAuth.ldapSearchAttribut').'=' . $_SERVER[$envvar] . ')';
|
||||
// example: mail
|
||||
// example for searchFiler: '(objectclass=InetOrgPerson)(!(nsaccountlock=True))(memberOf=cn=misp,cn=groups,cn=accounts,dc=example,dc=com)'
|
||||
// example for searchAttribut: '(uuid=ApacheUser)'
|
||||
if (!empty($ldapSearchFilter)) {
|
||||
$filter = '(&' . $ldapSearchFilter . '(' . Configure::read('ApacheSecureAuth.ldapSearchAttribut') . '=' . $_SERVER[$envvar] . '))';
|
||||
} else {
|
||||
$filter = '(' . Configure::read('ApacheSecureAuth.ldapSearchAttribut') . '=' . $_SERVER[$envvar] . ')';
|
||||
}
|
||||
// example: mail
|
||||
$getLdapUserInfo = Configure::read('ApacheSecureAuth.ldapFilter');
|
||||
|
||||
$result = ldap_search($ldapconn, $ldapdn, $filter, $getLdapUserInfo)
|
||||
|
@ -91,6 +110,18 @@ class ApacheAuthenticate extends BaseAuthenticate {
|
|||
$org_id = $firstOrg['Organisation']['id'];
|
||||
}
|
||||
|
||||
// Set roleid depending on group membership
|
||||
$roleIds = Configure::read('ApacheSecureAuth.ldapDefaultRoleId');
|
||||
if (is_array($roleIds)) {
|
||||
foreach ($roleIds as $key => $id) {
|
||||
if ($this->isUserMemberOf($key, $ldapUserData)) {
|
||||
$roleId = $roleIds[$key];
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$roleId = $roleIds;
|
||||
}
|
||||
|
||||
// create user
|
||||
$userData = array('User' => array(
|
||||
'email' => $mispUsername,
|
||||
|
@ -100,7 +131,7 @@ class ApacheAuthenticate extends BaseAuthenticate {
|
|||
'authkey' => $userModel->generateAuthKey(),
|
||||
'nids_sid' => 4000000,
|
||||
'newsread' => date('Y-m-d'),
|
||||
'role_id' => Configure::read('ApacheSecureAuth.ldapDefaultRoleId'),
|
||||
'role_id' => $roleId,
|
||||
'change_pw' => 0
|
||||
));
|
||||
// save user
|
||||
|
|
Loading…
Reference in New Issue