import v1.1.0_RC2 | 2009-09-20
This commit is contained in:
@ -15,9 +15,9 @@
|
||||
* @category Zend
|
||||
* @package Zend_Auth
|
||||
* @subpackage Zend_Auth_Adapter
|
||||
* @copyright Copyright (c) 2005-2008 Zend Technologies USA Inc. (http://www.zend.com)
|
||||
* @copyright Copyright (c) 2005-2009 Zend Technologies USA Inc. (http://www.zend.com)
|
||||
* @license http://framework.zend.com/license/new-bsd New BSD License
|
||||
* @version $Id: Ldap.php 14095 2009-02-16 22:17:54Z norm2782 $
|
||||
* @version $Id: Ldap.php 17788 2009-08-24 14:43:23Z sgehrig $
|
||||
*/
|
||||
|
||||
/**
|
||||
@ -29,7 +29,7 @@ require_once 'Zend/Auth/Adapter/Interface.php';
|
||||
* @category Zend
|
||||
* @package Zend_Auth
|
||||
* @subpackage Zend_Auth_Adapter
|
||||
* @copyright Copyright (c) 2005-2008 Zend Technologies USA Inc. (http://www.zend.com)
|
||||
* @copyright Copyright (c) 2005-2009 Zend Technologies USA Inc. (http://www.zend.com)
|
||||
* @license http://framework.zend.com/license/new-bsd New BSD License
|
||||
*/
|
||||
class Zend_Auth_Adapter_Ldap implements Zend_Auth_Adapter_Interface
|
||||
@ -63,6 +63,13 @@ class Zend_Auth_Adapter_Ldap implements Zend_Auth_Adapter_Interface
|
||||
*/
|
||||
protected $_password = null;
|
||||
|
||||
/**
|
||||
* The DN of the authenticated account. Used to retrieve the account entry on request.
|
||||
*
|
||||
* @var string
|
||||
*/
|
||||
protected $_authenticatedDn = null;
|
||||
|
||||
/**
|
||||
* Constructor
|
||||
*
|
||||
@ -151,6 +158,36 @@ class Zend_Auth_Adapter_Ldap implements Zend_Auth_Adapter_Interface
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* setIdentity() - set the identity (username) to be used
|
||||
*
|
||||
* Proxies to {@see setPassword()}
|
||||
*
|
||||
* Closes ZF-6813
|
||||
*
|
||||
* @param string $identity
|
||||
* @return Zend_Auth_Adapter_Ldap Provides a fluent interface
|
||||
*/
|
||||
public function setIdentity($identity)
|
||||
{
|
||||
return $this->setUsername($identity);
|
||||
}
|
||||
|
||||
/**
|
||||
* setCredential() - set the credential (password) value to be used
|
||||
*
|
||||
* Proxies to {@see setPassword()}
|
||||
*
|
||||
* Closes ZF-6813
|
||||
*
|
||||
* @param string $credential
|
||||
* @return Zend_Auth_Adapter_Ldap Provides a fluent interface
|
||||
*/
|
||||
public function setCredential($credential)
|
||||
{
|
||||
return $this->setPassword($credential);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the LDAP Object
|
||||
*
|
||||
@ -251,7 +288,7 @@ class Zend_Auth_Adapter_Ldap implements Zend_Auth_Adapter_Interface
|
||||
require_once 'Zend/Auth/Adapter/Exception.php';
|
||||
throw new Zend_Auth_Adapter_Exception('Adapter options array not in array');
|
||||
}
|
||||
$ldap->setOptions($options);
|
||||
$adapterOptions = $this->_prepareOptions($ldap, $options);
|
||||
$dname = '';
|
||||
|
||||
try {
|
||||
@ -275,15 +312,23 @@ class Zend_Auth_Adapter_Ldap implements Zend_Auth_Adapter_Interface
|
||||
continue;
|
||||
}
|
||||
|
||||
$ldap->bind($username, $password);
|
||||
|
||||
$canonicalName = $ldap->getCanonicalAccountName($username);
|
||||
$dn = $ldap->getCanonicalAccountName($username, Zend_Ldap::ACCTNAME_FORM_DN);
|
||||
|
||||
$ldap->bind($canonicalName, $password);
|
||||
|
||||
$messages[0] = '';
|
||||
$messages[1] = '';
|
||||
$messages[] = "$canonicalName authentication successful";
|
||||
|
||||
return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $canonicalName, $messages);
|
||||
$groupResult = $this->_checkGroupMembership($ldap, $canonicalName, $dn, $adapterOptions);
|
||||
if ($groupResult === true) {
|
||||
$this->_authenticatedDn = $dn;
|
||||
$messages[0] = '';
|
||||
$messages[1] = '';
|
||||
$messages[] = "$canonicalName authentication successful";
|
||||
return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $canonicalName, $messages);
|
||||
} else {
|
||||
$messages[0] = 'Account is not a member of the specified group';
|
||||
$messages[1] = $groupResult;
|
||||
$failedAuthorities[$dname] = $groupResult;
|
||||
}
|
||||
} catch (Zend_Ldap_Exception $zle) {
|
||||
|
||||
/* LDAP based authentication is notoriously difficult to diagnose. Therefore
|
||||
@ -324,6 +369,121 @@ class Zend_Auth_Adapter_Ldap implements Zend_Auth_Adapter_Interface
|
||||
return new Zend_Auth_Result($code, $username, $messages);
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the LDAP specific options on the Zend_Ldap instance
|
||||
*
|
||||
* @param Zend_Ldap $ldap
|
||||
* @param array $options
|
||||
* @return array of auth-adapter specific options
|
||||
*/
|
||||
protected function _prepareOptions(Zend_Ldap $ldap, array $options)
|
||||
{
|
||||
$adapterOptions = array(
|
||||
'group' => null,
|
||||
'groupDn' => $ldap->getBaseDn(),
|
||||
'groupScope' => Zend_Ldap::SEARCH_SCOPE_SUB,
|
||||
'groupAttr' => 'cn',
|
||||
'groupFilter' => 'objectClass=groupOfUniqueNames',
|
||||
'memberAttr' => 'uniqueMember',
|
||||
'memberIsDn' => true
|
||||
);
|
||||
foreach ($adapterOptions as $key => $value) {
|
||||
if (array_key_exists($key, $options)) {
|
||||
$value = $options[$key];
|
||||
unset($options[$key]);
|
||||
switch ($key) {
|
||||
case 'groupScope':
|
||||
$value = (int)$value;
|
||||
if (in_array($value, array(Zend_Ldap::SEARCH_SCOPE_BASE,
|
||||
Zend_Ldap::SEARCH_SCOPE_ONE, Zend_Ldap::SEARCH_SCOPE_SUB), true)) {
|
||||
$adapterOptions[$key] = $value;
|
||||
}
|
||||
break;
|
||||
case 'memberIsDn':
|
||||
$adapterOptions[$key] = ($value === true ||
|
||||
$value === '1' || strcasecmp($value, 'true') == 0);
|
||||
break;
|
||||
default:
|
||||
$adapterOptions[$key] = trim($value);
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
$ldap->setOptions($options);
|
||||
return $adapterOptions;
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks the group membership of the bound user
|
||||
*
|
||||
* @param Zend_Ldap $ldap
|
||||
* @param string $canonicalName
|
||||
* @param string $dn
|
||||
* @param array $adapterOptions
|
||||
* @return string|true
|
||||
*/
|
||||
protected function _checkGroupMembership(Zend_Ldap $ldap, $canonicalName, $dn, array $adapterOptions)
|
||||
{
|
||||
if ($adapterOptions['group'] === null) {
|
||||
return true;
|
||||
}
|
||||
|
||||
if ($adapterOptions['memberIsDn'] === false) {
|
||||
$user = $canonicalName;
|
||||
} else {
|
||||
$user = $dn;
|
||||
}
|
||||
|
||||
/**
|
||||
* @see Zend_Ldap_Filter
|
||||
*/
|
||||
require_once 'Zend/Ldap/Filter.php';
|
||||
$groupName = Zend_Ldap_Filter::equals($adapterOptions['groupAttr'], $adapterOptions['group']);
|
||||
$membership = Zend_Ldap_Filter::equals($adapterOptions['memberAttr'], $user);
|
||||
$group = Zend_Ldap_Filter::andFilter($groupName, $membership);
|
||||
$groupFilter = $adapterOptions['groupFilter'];
|
||||
if (!empty($groupFilter)) {
|
||||
$group = $group->addAnd($groupFilter);
|
||||
}
|
||||
|
||||
$result = $ldap->count($group, $adapterOptions['groupDn'], $adapterOptions['groupScope']);
|
||||
|
||||
if ($result === 1) {
|
||||
return true;
|
||||
} else {
|
||||
return 'Failed to verify group membership with ' . $group->toString();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* getAccountObject() - Returns the result entry as a stdClass object
|
||||
*
|
||||
* This ressembles the feature {@see Zend_Auth_Adapter_DbTable::getResultRowObject()}.
|
||||
* Closes ZF-6813
|
||||
*
|
||||
* @param array $returnAttribs
|
||||
* @return stdClass|boolean
|
||||
*/
|
||||
public function getAccountObject(array $returnAttribs = array())
|
||||
{
|
||||
if (!$this->_authenticatedDn) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$returnObject = new stdClass();
|
||||
|
||||
$entry = $this->getLdap()->getEntry($this->_authenticatedDn, $returnAttribs, true);
|
||||
foreach ($entry as $attr => $value) {
|
||||
if (is_array($value)) {
|
||||
$returnObject->$attr = (count($value) > 1) ? $value : $value[0];
|
||||
} else {
|
||||
$returnObject->$attr = $value;
|
||||
}
|
||||
}
|
||||
return $returnObject;
|
||||
}
|
||||
|
||||
/**
|
||||
* Converts options to string
|
||||
*
|
||||
|
||||
Reference in New Issue
Block a user