Heavy update to the Feide authentication module. Work done by Eva, Hildegunn and Anders.
git-svn-id: http://simplesamlphp.googlecode.com/svn/trunk@496 44740490-163a-0410-bde0-09ae8108e29a
This commit is contained in:
parent
22803af2a7
commit
716c9ee059
|
@ -0,0 +1,39 @@
|
|||
<?php
|
||||
/*
|
||||
* Configuration for the auth/login-feide.php login module.
|
||||
*
|
||||
* The configuration file is an array with multiple organizations. The user
|
||||
* can select which organization he/she wants to log in with, with a drop-down
|
||||
* menu in the user interface.
|
||||
*
|
||||
*/
|
||||
|
||||
$config = array (
|
||||
|
||||
'orgldapconfig' => array(
|
||||
|
||||
'example1.com' => array(
|
||||
'description' => 'Example Org 1',
|
||||
'searchbase' => 'cn=people,dc=example1,dc=com',
|
||||
'hostname' => 'ldaps://ldap.example1.com',
|
||||
'attributes' => null,
|
||||
|
||||
'contactMail' => 'admin@example1.com',
|
||||
'contactURL' => 'http://admin.example1.com',
|
||||
|
||||
// System user to bind() before we do a search for eduPersonPrincipalName
|
||||
'adminUser' => 'uid=admin,dc=example1,dc=com',
|
||||
'adminPassword' => 'xxx',
|
||||
|
||||
),
|
||||
'example1.com' => array(
|
||||
'description' => 'Example Org 1',
|
||||
'searchbase' => 'cn=people,dc=example1,dc=com',
|
||||
'hostname' => 'ldaps://ldap.example1.com',
|
||||
|
||||
'attributes' => array('mail', 'street'),
|
||||
),
|
||||
),
|
||||
);
|
||||
|
||||
?>
|
|
@ -1,27 +0,0 @@
|
|||
<?php
|
||||
/*
|
||||
* The configuration of simpleSAMLphp
|
||||
*
|
||||
*
|
||||
*/
|
||||
|
||||
$ldapfeide = array (
|
||||
|
||||
'example1.com' => array(
|
||||
'description' => 'Example Org 1',
|
||||
'searchbase' => 'cn=people,dc=example1,dc=com',
|
||||
'hostname' => 'ldaps://ldap.example1.com',
|
||||
'attributes' => null,
|
||||
),
|
||||
'example2.com' => array(
|
||||
'description' => 'Example Org 2',
|
||||
'searchbase' => 'cn=people,dc=example2,dc=com',
|
||||
'hostname' => 'ldaps://ldap.example2.com',
|
||||
'attributes' => array('mail', 'street'),
|
||||
)
|
||||
|
||||
);
|
||||
|
||||
|
||||
|
||||
?>
|
|
@ -29,16 +29,14 @@ require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSA
|
|||
require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Auth/LDAP.php');
|
||||
|
||||
$config = SimpleSAML_Configuration::getInstance();
|
||||
$ldapconfig = $config->copyFromBase('loginfeide', 'config-login-feide.php');
|
||||
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
|
||||
$session = SimpleSAML_Session::getInstance();
|
||||
|
||||
$ldapconfigfile = $config->getBaseDir() . 'config/ldapfeide.php';
|
||||
require_once($ldapconfigfile);
|
||||
|
||||
SimpleSAML_Logger::info('AUTH - ldap-feide: Accessing auth endpoint login-feide');
|
||||
|
||||
$error = null;
|
||||
$attributes = array();
|
||||
$ldaporgconfig = $ldapconfig->getValue('orgldapconfig');
|
||||
|
||||
|
||||
if (empty($session))
|
||||
|
@ -53,6 +51,42 @@ if (!array_key_exists('RelayState', $_REQUEST)) {
|
|||
SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NORELAYSTATE');
|
||||
}
|
||||
|
||||
|
||||
$error = null;
|
||||
$attributes = array();
|
||||
|
||||
$selectorg = true;
|
||||
$org = null;
|
||||
|
||||
/**
|
||||
* Check if user has selected organization in this request.
|
||||
*/
|
||||
if (isset($_REQUEST['org'])) {
|
||||
$org = $_REQUEST['org'];
|
||||
// OrgCookie is set to expire in 30 days. If set to 0, or omitted, the cookie will expire at the end of the session (when the browser closes).
|
||||
setcookie("OrgCookie", $_REQUEST['org'], time()+60*60*24*30);
|
||||
$selectorg = false;
|
||||
|
||||
/**
|
||||
* If user has not selected organization in this request, then check if the user
|
||||
* has stored the selected organization as a cookie.
|
||||
*/
|
||||
} elseif (isset($_COOKIE["OrgCookie"])) {
|
||||
$org = $_COOKIE["OrgCookie"];
|
||||
$selectorg = false;
|
||||
}
|
||||
|
||||
/**
|
||||
* If the user has excplicitly selected to change the preselected organization.
|
||||
*/
|
||||
if (isset($_REQUEST['action']) && $_REQUEST['action'] === 'change_org') {
|
||||
setcookie("OrgCookie", "", time() - 3600);
|
||||
$selectorg = true;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
if (isset($_REQUEST['username'])) {
|
||||
try {
|
||||
$requestedOrg = null;
|
||||
|
@ -86,10 +120,10 @@ if (isset($_REQUEST['username'])) {
|
|||
if (!preg_match('/^[a-z0-9.]*$/', $requestedOrg) )
|
||||
throw new Exception('Illegal characters in organization.');
|
||||
|
||||
if (!array_key_exists($requestedOrg, $ldapfeide))
|
||||
if (!array_key_exists($requestedOrg, $ldaporgconfig))
|
||||
throw new Exception('Organization ' . $requestedOrg . ' does not exist in configuration.');
|
||||
|
||||
$ldapconfig = $ldapfeide[$requestedOrg];
|
||||
$orgconfig = $ldaporgconfig[$requestedOrg];
|
||||
|
||||
/*
|
||||
* Checking password parameter.
|
||||
|
@ -105,13 +139,17 @@ if (isset($_REQUEST['username'])) {
|
|||
/*
|
||||
* Connecting to LDAP.
|
||||
*/
|
||||
$ldap = new SimpleSAML_Auth_LDAP($ldapconfig['hostname']);
|
||||
$ldap = new SimpleSAML_Auth_LDAP($orgconfig['hostname'], $orgconfig['enable_tls']);
|
||||
|
||||
/*
|
||||
* Search for eduPersonPrincipalName.
|
||||
*/
|
||||
if (isset($orgconfig['adminUser'])) {
|
||||
$ldap->bind($orgconfig['adminUser'], $orgconfig['adminPassword']);
|
||||
}
|
||||
|
||||
$eppn = $requestedUser."@".$requestedOrg;
|
||||
$dn = $ldap->searchfordn($ldapconfig['searchbase'],'eduPersonPrincipalName', $eppn);
|
||||
$dn = $ldap->searchfordn($orgconfig['searchbase'], 'eduPersonPrincipalName', $eppn);
|
||||
|
||||
/*
|
||||
* Do LDAP bind using DN found from the search on ePPN.
|
||||
|
@ -124,17 +162,62 @@ if (isset($_REQUEST['username'])) {
|
|||
/*
|
||||
* Retrieve attributes from LDAP
|
||||
*/
|
||||
$attributes = $ldap->getAttributes($dn, $ldapconfig['attributes']);
|
||||
$attributes = $ldap->getAttributes($dn, $orgconfig['attributes']);
|
||||
|
||||
|
||||
/**
|
||||
* Retrieve organizational attributes, if the edupersonorgdn attribute is set.
|
||||
*/
|
||||
if (isset($attributes['edupersonorgdn'])) {
|
||||
$orgdn = $attributes['edupersonorgdn'][0];
|
||||
$orgattributes = $ldap->getAttributes($orgdn);
|
||||
|
||||
$orgattr = array_keys($orgattributes);
|
||||
foreach($orgattr as $value){
|
||||
$orgattributename = ('edupersonorg:' . $value);
|
||||
//SimpleSAML_Logger::debug('AUTH - ldap-feide: Orgattributename: '. $orgattributename);
|
||||
$attributes[$orgattributename] = $orgattributes[$value];
|
||||
//SimpleSAML_Logger::debug('AUTH - ldap-feide: Attribute added: '. $attributes[$orgattributename]);
|
||||
}
|
||||
|
||||
}
|
||||
/*
|
||||
|
||||
TODO: We need to figure out how to map the orgunit attributes into SAML attributes.
|
||||
|
||||
if(isset($attributes['edupersonprimaryorgunitdn'][0])){
|
||||
$orgunitdn = $attributes['edupersonprimaryorgunitdn'][0];
|
||||
}
|
||||
elseif(isset($attributes['edupersonorgunitdn'][0])){
|
||||
$orgunitdn = $attributes['edupersonorgunitdn'][0];
|
||||
}
|
||||
|
||||
$orgunitattributes = $ldap->getAttributes($orgunitdn);
|
||||
|
||||
|
||||
|
||||
$orgunitattr = array_keys($orgunitattributes);
|
||||
foreach($orgunitattr as $value){
|
||||
$orgunitattributename = ('edupersonorgunit: ' . $value);
|
||||
// SimpleSAML_Logger::debug('AUTH - ldap-feide: Orgunitattributename: '. $orgunitattributename);
|
||||
$attributes[$orgunitattributename] = $orgunitattributes[$value];
|
||||
}
|
||||
*/
|
||||
|
||||
|
||||
|
||||
//SimpleSAML_Logger::debug('AUTH - ldap-feide: '. $orgattributes . ' successfully authenticated');
|
||||
SimpleSAML_Logger::info('AUTH - ldap-feide: '. $requestedUser . ' successfully authenticated');
|
||||
|
||||
$session->setAuthenticated(true, 'login-feide');
|
||||
|
||||
|
||||
$session->setAttributes($attributes);
|
||||
|
||||
$session->setNameID(array(
|
||||
'value' => SimpleSAML_Utilities::generateID(),
|
||||
'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* Create a statistics log entry for every successfull login attempt.
|
||||
|
@ -159,12 +242,15 @@ if (isset($_REQUEST['username'])) {
|
|||
}
|
||||
|
||||
|
||||
$t = new SimpleSAML_XHTML_Template($config, 'login-ldapmulti.php', 'login.php');
|
||||
$t = new SimpleSAML_XHTML_Template($config, 'login-feide.php', 'login.php');
|
||||
|
||||
$t->data['header'] = 'simpleSAMLphp: Enter username and password';
|
||||
$t->data['relaystate'] = $_REQUEST['RelayState'];
|
||||
$t->data['ldapconfig'] = $ldapfeide;
|
||||
$t->data['org'] = isset($_REQUEST['org']) ? $_REQUEST['org'] : null;
|
||||
$t->data['ldapconfig'] = $ldaporgconfig;
|
||||
#$t->data['orgconfig'] = $orgconfig;
|
||||
|
||||
$t->data['selectorg'] = $selectorg;
|
||||
$t->data['org'] = $org;
|
||||
$t->data['error'] = $error;
|
||||
if (isset($error)) {
|
||||
$t->data['username'] = $_POST['username'];
|
||||
|
|
Reference in New Issue