-rw-r--r--config-templates/authsources.php3
-rw-r--r--lib/SimpleSAML/Auth/LDAP.php12
-rw-r--r--modules/ldap/docs/ldap.txt12
-rw-r--r--modules/ldap/lib/ConfigHelper.php7
4 files changed, 30 insertions, 4 deletions
diff --git a/config-templates/authsources.php b/config-templates/authsources.php
index 4c3054d..1d44dc6 100644
--- a/config-templates/authsources.php
+++ b/config-templates/authsources.php
@@ -309,6 +309,9 @@ $config = array(
// the array may match the value the username.
'search.attributes' => array('uid', 'mail'),
+ // Additional LDAP filters appended to the search attributes
+ 'search.filter' => '(objectclass=inetorgperson)',
+
// The username & password the SimpleSAMLphp should bind to before searching. If
// this is left as NULL, no bind will be performed before searching.
'search.username' => NULL,
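Review bot: The template ships `search.filter` with a live value, `'(objectclass=inetorgperson)'`, while the module docs in this same commit describe the option as optional; a deployment that copies the template unchanged will silently restrict every DN lookup to inetOrgPerson entries, which presumably breaks directories that use other object classes. Ship it disabled, `'search.filter' => NULL,`, and let the comment carry the example. The comment should also state the shape the code requires, since the value is concatenated verbatim inside `(&...)` in LDAP.php: `// Optional. A complete, parenthesised LDAP filter that is AND-ed with the attribute search, e.g. '(objectclass=inetorgperson)'. NULL disables it.`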
diff --git a/lib/SimpleSAML/Auth/LDAP.php b/lib/SimpleSAML/Auth/LDAP.php
index 794e843..986c397 100644
--- a/lib/SimpleSAML/Auth/LDAP.php
+++ b/lib/SimpleSAML/Auth/LDAP.php
@@ -202,7 +202,7 @@ class SimpleSAML_Auth_LDAP {
* @throws SimpleSAML_Error_UserNotFound if:
* - Zero entries was found
*/
- private function search($base, $attribute, $value) {
+ private function search($base, $attribute, $value, $searchFilter=NULL) {
// Create the search filter
$attribute = self::escape_filter_value($attribute, FALSE);
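Review bot: The new `$searchFilter` parameter is not documented in search()'s docblock, whose closing lines are visible just above the signature while its start lies outside the hunk. Add `@param string|null $searchFilter Optional complete LDAP filter (parenthesised) that is AND-ed with the generated attribute filter; NULL appends nothing.` The same omission applies to searchfordn() in the hunk at `@@ -271,7 +276,7 @@`, which gains the same parameter with no `@param` line.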
@@ -213,6 +213,11 @@ class SimpleSAML_Auth_LDAP {
}
$filter = '(|' . $filter . ')';
+ // Append LDAP filters if defined
+ if ($searchFilter!=NULL) {
+ $filter = "(&".$filter."".$searchFilter.")";
+ }
+
// Search using generated filter
SimpleSAML_Logger::debug('Library - LDAP search(): Searching base \'' . $base . '\' for \'' . $filter . '\'');
// TODO: Should aliases be dereferenced?
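Review bot: The appended filter is concatenated verbatim with no check that it is a complete, parenthesised filter expression, so a config value such as `objectclass=person` produces `(&(|...)objectclass=person)`, which is not a valid RFC 4515 filter and will make the subsequent ldap_search fail for every user. The value comes from the administrator's config rather than from the user, so this is a robustness rather than an injection concern, but the `!= NULL` loose comparison and the stray `""` in the concatenation should still be tightened: `if ($searchFilter !== NULL && $searchFilter !== '') {` / `$filter = '(&' . $filter . $searchFilter . ')';`. A cheap sanity check, or at least a comment stating that the caller must pass a parenthesised filter, would turn a confusing search failure into a clear configuration error; the debug log line below already prints the combined filter, which helps diagnose it.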
@@ -271,7 +276,7 @@ class SimpleSAML_Auth_LDAP {
* - $allowZeroHits er TRUE and no result is found
*
*/
- public function searchfordn($base, $attribute, $value, $allowZeroHits = FALSE) {
+ public function searchfordn($base, $attribute, $value, $allowZeroHits = FALSE, $searchFilter = NULL) {
// Traverse all search bases, returning DN if found
$bases = SimpleSAML\Utils\Arrays::arrayize($base);
@@ -279,7 +284,8 @@ class SimpleSAML_Auth_LDAP {
foreach ($bases AS $current) {
try {
// Single base search
- $result = $this->search($current, $attribute, $value);
+ $result = $this->search($current, $attribute, $value, $searchFilter);
+
// We don't hawe to look any futher if user is found
if (!empty($result)) {
return $result;
diff --git a/modules/ldap/docs/ldap.txt b/modules/ldap/docs/ldap.txt
index 4a6e957..151db88 100644
--- a/modules/ldap/docs/ldap.txt
+++ b/modules/ldap/docs/ldap.txt
@@ -72,6 +72,14 @@ authentication source:
'search.attributes' => array('uid', 'mail'),
/*
+ * Additional filters that must match for the entire LDAP search to be TRUE
+ *
+ * This should be a single string conforming to (RFC 1960, 2544)
+ * The string is appended to the search attributes
+ */
+ 'search.filter' => '(&(objectClass=Person)(|(sn=Doe)(cn=John *)))',
+
+ /*
* The username & password where SimpleSAMLphp should bind to before searching. If
* this is left NULL, no bind will be performed before searching.
*/
@@ -103,6 +111,10 @@ options. The `search.base`-option must be the `dn` which should be used
as the base/root of the search. The `search.attributes`-option is an
array with attributes the username should be matched against.
+You can also append the `search.filter` option to further limit your search.
+The `search.filter` field is optional and need not be included in your
+configuration file.
+
The `dnpattern` option will not be used if searching is enabled.
Some LDAP servers may require authentication before a search can be
diff --git a/modules/ldap/lib/ConfigHelper.php b/modules/ldap/lib/ConfigHelper.php
index c39d1dd..ec6757c 100644
--- a/modules/ldap/lib/ConfigHelper.php
+++ b/modules/ldap/lib/ConfigHelper.php
@@ -81,6 +81,10 @@ class sspmod_ldap_ConfigHelper {
*/
private $searchBase;
+ /**
+ * Additional LDAP filter fields for the search
+ */
+ private $searchFilter;
/**
* The attributes which should match the username.
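Review bot: The docblock for the new `$searchFilter` property says neither that it is optional nor what type it holds, while the constructor in the hunk at `@@ -149,6 +153,7 @@` reads it with `getString('search.filter', NULL)` and the search-disabled branch leaves it unset. Document the contract as `/** Optional LDAP filter AND-ed with the username search; NULL when 'search.filter' is not configured. @var string|null */`. The property is also only assigned inside the search-enabled branch, so noting that it is NULL otherwise spares the next reader a trip through the constructor.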
@@ -149,6 +153,7 @@ class sspmod_ldap_ConfigHelper {
}
$this->searchBase = $config->getArrayizeString('search.base');
+ $this->searchFilter = $config->getString('search.filter',NULL);
$this->searchAttributes = $config->getArray('search.attributes');
} else {
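Review bot: Style only: the new line `$this->searchFilter = $config->getString('search.filter',NULL);` is missing the space after the comma that the surrounding calls use; write `$this->searchFilter = $config->getString('search.filter', NULL);`. The enclosing constructor branch starts and ends outside this hunk.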
@@ -197,7 +202,7 @@ class sspmod_ldap_ConfigHelper {
}
}
- $dn = $ldap->searchfordn($this->searchBase, $this->searchAttributes, $username, TRUE);
+ $dn = $ldap->searchfordn($this->searchBase, $this->searchAttributes, $username, TRUE, $this->searchFilter);
if ($dn === NULL) {
/* User not found with search. */
SimpleSAML_Logger::info($this->location . ': Unable to find users DN. username=\'' . $username . '\'');