
2nd iteration of the ldap identity manager provider

This commit is contained in:
Tim Almdal 2009-10-19 13:46:04 -07:00
parent dd22142107
commit 0963c99eb8
10 changed files with 355 additions and 366 deletions


@ -0,0 +1,70 @@
dn: ou=people,dc=gallery,dc=local
objectClass: organizationalUnit
ou: people
dn: ou=groups,dc=gallery,dc=local
objectClass: organizationalUnit
ou: groups
dn: ou=systems,dc=gallery,dc=local
objectClass: organizationalUnit
ou: systems
dn: uid=jdoe,ou=people,dc=gallery,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
sn: Doe
givenname: John
cn: John Doe
userpassword: {SSHA}76qIsKTflGM6dj0f5c5olnD9ltKKXAFE
displayName: John Doe
homeDirectory: /home/jdoe
uidnumber: 1000
gidnumber: 10000
mail: jdoe@gallery.local
dn: uid=hwallbanger,ou=people,dc=gallery,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
uid: hwallbanger
sn: Wallbanger
givenname: Harvey
cn: Harvey Wallbanger
userpassword: {SSHA}084H+FFr6s/anIoaIhI+O8OaH2u0MIBL
displayName: Harvey Wallbanger
homeDirectory: /home/hwallbanger
uidnumber: 1001
gidnumber: 10001
mail: hwallbanger@gallery.local
dn: uid=rnail,ou=people,dc=gallery,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
uid: rnail
sn: Nail
givenname: Rusty
cn: Rusty Nail
userpassword: {SSHA}wXVdpfbP6n9LwoLxrB+NvY2oDN1j/M2z
displayName: Rusty Nail
homeDirectory: /home/rnail
uidnumber: 1002
gidnumber: 10001
mail: rnail@gallery.local
dn: cn=admins,ou=groups,dc=gallery,dc=local
objectclass: posixGroup
cn: admins
gidnumber: 10000
memberuid: jdoe
dn: cn=users,ou=groups,dc=gallery,dc=local
objectclass: posixGroup
cn: users
gidnumber: 10001
memberuid: jdoe
memberuid: hwallbanger
memberuid: rnail


@ -0,0 +1,45 @@
<?php defined("SYSPATH") or die("No direct script access.");
/**
* Gallery - a web based photo album viewer and editor
* Copyright (C) 2000-2009 Bharat Mediratta
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at
* your option) any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
*/
/*
* @package Identity
*
* User settings, defined as arrays, or "groups". If no group name is
* used when loading the cache library, the group named "default" will be used.
*
* Each group can be used independently, and multiple groups can be used at once.
*
* Group Options:
* driver - User backend driver. Gallery comes with Gallery user driver.
* allow_updates - Flag to indicate that the back end allows updates.
* params - Driver parameters, specific to each driver.
*/
$config["ldap"] = array(
"driver" => "ldap",
"allow_updates" => false,
"params" => array(
"groups" => array("admins", "users", "guest"),
"everybody_group" => "guest",
"registered_users_group" => "users",
"admins" => array("jdoe"),
"url" => "ldap://127.0.0./",
"group_domain" => "ou=groups,dc=gallery,dc=local",
"user_domain" => "ou=people,dc=gallery,dc=local"
)
);
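Review bot: The `url` value `ldap://127.0.0./` is missing its last octet, so whatever `ldap_connect` does with it cannot reach a host; presumably `ldap://127.0.0.1/` was meant, and the driver's constructor in this commit never checks the connect/bind result, so the typo would surface only at the first search. The header comment still describes "loading the cache library" — it was carried over from the cache config and should read `If no group name is used when loading the identity library, the group named "default" will be used.` There is also no bind DN or credential in `params`, which means the driver can only bind anonymously; if that is intentional, a one-line comment on `params` saying the directory must allow anonymous search would save the next reader a guess.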


@ -1,64 +0,0 @@
<?php defined("SYSPATH") or die("No direct script access.");
/**
* Gallery - a web based photo album viewer and editor
* Copyright (C) 2000-2009 Bharat Mediratta
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at
* your option) any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
*/
class Admin_Ldap_Controller extends Admin_Controller {
public function index() {
$view = new Admin_View("admin.html");
$view->content = new View("admin_ldap.html");
$view->content->config = Kohana::config("ldap");
print $view;
}
public function activate() {
access::verify_csrf();
if (module::get_var("gallery", "user_group_storage", "Gallery3") == "Gallery3") {
// @todo: we should have an API for these
foreach (ORM::factory("group")->find_all() as $group) {
$group->delete();
}
foreach (ORM::factory("user")->find_all() as $user) {
$user->delete();
}
}
// Create LDAP groups
foreach (Kohana::config("ldap.groups") as $group_name) {
$group = ldap::lookup_group_by_name($group_name);
module::event("group_created", $group);
}
// Fix up permissions.
$root = item::root();
$everybody = ldap::everybody_group();
access::allow($everybody, "view", $root);
access::allow($everybody, "view_full", $root);
$registered_users = ldap::registered_users_group();
access::allow($registered_users, "view", $root);
access::allow($registered_users, "view_full", $root);
// Switch authentication
module::set_var("gallery", "user_group_storage", "Ldap");
// Logout and go back to the top level
user::logout();
url::redirect(item::root()->abs_url());
}
}


@ -1,115 +0,0 @@
<?php defined("SYSPATH") or die("No direct script access.");
/**
* Gallery - a web based photo album viewer and editor
* Copyright (C) 2000-2009 Bharat Mediratta
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at
* your option) any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
*/
class ldap_Core {
private static $connection;
static function connection() {
if (!isset(self::$connection)) {
self::$connection = ldap_connect(Kohana::config("ldap.url"));
ldap_bind(self::$connection);
}
return self::$connection;
}
static function lookup_group_by_name($name) {
$result = ldap_search(ldap::connection(),
Kohana::config("ldap.group_domain"),
"cn=$name");
$entry_id = ldap_first_entry(ldap::connection(), $result);
if ($entry_id) {
$cn_entry = ldap_get_values(ldap::connection(), $entry_id, "cn");
$gid_number_entry = ldap_get_values(ldap::connection(), $entry_id, "gidNumber");
return new Ldap_Group_Model($gid_number_entry[0], $cn_entry[0]);
}
return null;
}
static function lookup_group($id) {
$result = ldap_search(ldap::connection(),
Kohana::config("ldap.group_domain"),
"gidNumber=$id");
$entry_id = ldap_first_entry(ldap::connection(), $result);
if ($entry_id) {
$cn_entry = ldap_get_values(ldap::connection(), $entry_id, "cn");
return new Ldap_Group_Model($id, $cn_entry[0]);
}
return null;
}
static function lookup_user_by_name($name) {
$result = ldap_search(ldap::connection(),
Kohana::config("ldap.user_domain"),
"uid=$name");
$entries = ldap_get_entries(ldap::connection(), $result);
if ($entries["count"] > 0) {
return new Ldap_User_Model($entries[0]);
}
return null;
}
static function lookup_user($id) {
$result = ldap_search(ldap::connection(),
Kohana::config("ldap.user_domain"),
"uidNumber=$id");
$entries = ldap_get_entries(ldap::connection(), $result);
if ($entries["count"] > 0) {
return new Ldap_User_Model($entries[0]);
}
return null;
}
static function validate_group($input) {
if (!self::lookup_group_by_name($input->value)) {
$input->add_error("invalid_group", 1);
}
}
static function groups_for($user) {
$result = ldap_search(ldap::connection(),
Kohana::config("ldap.group_domain"),
"(memberUid=$user->name)");
$associated_groups = Kohana::config("ldap.groups");
$groups = array();
for ($entry_id = ldap_first_entry(ldap::connection(), $result);
$entry_id != false;
$entry_id = ldap_next_entry(ldap::connection(), $entry_id)) {
$group_id = ldap_get_values(ldap::connection(), $entry_id, "gidNumber");
$group_name = ldap_get_values(ldap::connection(), $entry_id, "cn");
if (in_array($group_name[0], $associated_groups)) {
$groups[] = new Ldap_Group_Model($group_id[0], $group_name[0]);
}
}
return $groups;
}
static function guest() {
return new Ldap_Guest_Model();
}
public function everybody_group() {
return ldap::lookup_group_by_name(Kohana::config("ldap.everybody_group"));
}
public function registered_users_group() {
return ldap::lookup_group_by_name(Kohana::config("ldap.registered_users_group"));
}
}


@ -1,28 +0,0 @@
<?php defined("SYSPATH") or die("No direct script access.");
/**
* Gallery - a web based photo album viewer and editor
* Copyright (C) 2000-2009 Bharat Mediratta
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at
* your option) any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
*/
class ldap_event_Core {
static function admin_menu($menu, $theme) {
$menu->get("settings_menu")
->append(Menu::factory("link")
->id("ldap")
->label(t("LDAP"))
->url(url::site("admin/ldap")));
}
}


@ -17,20 +17,24 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
*/
class Ldap_Guest_Model {
public $id = 0;
public $guest = true;
public $admin = false;
public $locale = null;
public $name = "Guest";
class ldap_installer {
static function install() {
}
public function __get($key) {
switch($key) {
case "groups":
return array(ldap::everybody_group());
static function uninstall() {
// Delete all users and groups so that we give other modules an opportunity to clean up
foreach (ORM::factory("user")->find_all() as $user) {
$user->delete();
}
default:
throw new Exception("@todo UNKNOWN_KEY ($key)");
foreach (ORM::factory("group")->find_all() as $group) {
$group->delete();
}
try {
Session::instance()->destroy();
} catch (Exception $e) {
// We don't care if there was a problem destroying the session.
}
}
}
}
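Review bot: `install()` is left empty, so nothing verifies at install time that the `ldap` config group loads or that the configured server accepts a connection and bind; a bad `url` is only discovered when the driver is first used during login. Binding once in `install()` and throwing on failure would surface a misconfiguration at activation instead, e.g. `if (!ldap_bind(ldap_connect(Kohana::config("ldap.url")))) { throw new Exception("@todo LDAP_BIND_FAILED"); }`. Note that this rendered section prints the removed `Ldap_Guest_Model` lines (class header, properties and `__get`) interleaved with the added `ldap_installer` body, so old and new sides have to be read from the hunk counts rather than print order.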


@ -0,0 +1,223 @@
<?php defined("SYSPATH") or die("No direct script access.");
/**
* Gallery - a web based photo album viewer and editor
* Copyright (C) 2000-2009 Bharat Mediratta
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at
* your option) any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
*/
class Identity_Ldap_Driver implements Identity_Driver {
private static $_params;
private static $_connection;
private static $_guest_user;
/**
* Initializes the LDAP Driver
*
* @return void
*/
public function __construct($params) {
self::$_params = $params;
self::$_connection = ldap_connect($this->_params["url"]);
ldap_bind(self::$_connection);
}
/**
* @see Identity_Driver::guest.
*/
public function guest() {
if (empty(self::$_guest_user)) {
self::$_guest_user = new Ldap_User();
self::$_guest_user->id = 0;
self::$_guest_user->name = "Guest";
self::$_guest_user->guest = true;
self::$_guest_user->admin = false;
self::$_guest_user->locale = null;
self::$_guest_user->groups = array($this->everybody());
}
return self::$_guest_user;
}
/**
* @see Identity_Driver::create_user.
*/
public function create_user($name, $full_name, $password) {
throw new Exception("@todo INVALID OPERATION");
}
/**
* @see Identity_Driver::is_correct_password.
*/
public function is_correct_password($user, $password) {
$valid = $user->password;
// Try phpass first, since that's what we generate.
if (strlen($valid) == 34) {
require_once(MODPATH . "user/lib/PasswordHash.php");
$hashGenerator = new PasswordHash(10, true);
return $hashGenerator->CheckPassword($password, $valid);
}
$salt = substr($valid, 0, 4);
// Support both old (G1 thru 1.4.0; G2 thru alpha-4) and new password schemes:
$guess = (strlen($valid) == 32) ? md5($password) : ($salt . md5($salt . $password));
if (!strcmp($guess, $valid)) {
return true;
}
// Passwords with <&"> created by G2 prior to 2.1 were hashed with entities
$sanitizedPassword = html::specialchars($password, false);
$guess = (strlen($valid) == 32) ? md5($sanitizedPassword)
: ($salt . md5($salt . $sanitizedPassword));
if (!strcmp($guess, $valid)) {
return true;
}
return false;
}
/**
* @see Identity_Driver::lookup_user.
*/
public function lookup_user($id) {
$result = ldap_search(self::$_connection, self::$_params["user_domain"], "uidNumber=$id");
$entries = ldap_get_entries(self::$_connection, $result);
if ($entries["count"] > 0) {
$cn_entry = ldap_get_values(self::$_connection, $entry_id, "cn");
return new Ldap_User($entries[0]);
}
return null;
}
/**
* @see Identity_Driver::lookup_user_by_name.
*/
public function lookup_user_by_name($name) {
$result = ldap_search(self::$_connection, self::$_params["user_domain"], "uid=$name");
$entries = ldap_get_entries(self::$_connection, $result);
if ($entries["count"] > 0) {
$cn_entry = ldap_get_values(self::$_connection, $entry_id, "cn");
return new Ldap_User($entries[0]);
}
return null;
}
/**
* @see Identity_Driver::create_group.
*/
public function create_group($name) {
throw new Exception("@todo INVALID OPERATION");
}
/**
* @see Identity_Driver::everybody.
*/
public function everybody() {
return ldap::lookup_group_by_name(self::$_params["everybody_group"]);
}
/**
* @see Identity_Driver::registered_users.
*/
public function registered_users() {
return ldap::lookup_group_by_name(self::$_params["registered_users_group"]);
}
/**
* @see Identity_Driver::lookup_group_by_name.
*/
static function lookup_group_by_name($name) {
$result = ldap_search(self::$_connection, self::$_params["group_domain"], "cn=$name");
$entry_id = ldap_first_entry(, $result);
if ($entry_id) {
$cn_entry = ldap_get_values(self::$_connection, $entry_id, "cn");
$gid_number_entry = ldap_get_values(self::$_connection, $entry_id, "gidNumber");
return new Ldap_Group_Model($gid_number_entry[0], $cn_entry[0]);
}
return null;
}
/**
* @see Identity_Driver::get_user_list.
*/
public function get_user_list($ids) {
throw new Exception("@todo NOT IMPLEMENTED");
}
static function groups_for($user) {
$result = ldap_search(self::$_connection, self::$_params["group_domain"],
"(memberUid=$user->name)");
$associated_groups = Kohana::config("ldap.groups");
$groups = array();
for ($entry_id = ldap_first_entry(self::$_connection, $result);
$entry_id != false;
$entry_id = ldap_next_entry(self::$_connection, $entry_id)) {
$group_id = ldap_get_values(self::$_connection, $entry_id, "gidNumber");
$group_name = ldap_get_values(self::$_connection, $entry_id, "cn");
if (in_array($group_name[0], $associated_groups)) {
$groups[] = new Ldap_Group($group_id[0], $group_name[0]);
}
}
return $groups;
}
} // End Identity Gallery Driver
class Ldap_User implements User_Definition {
private $ldap_entry;
public function __construct($ldap_entry=null) {
$this->ldap_entry = $ldap_entry;
}
public function display_name() {
return $this->ldap_entry["displayname"][0];
}
public function __get($key) {
switch($key) {
case "name":
return $this->ldap_entry["uid"][0];
case "guest":
return false;
case "id":
return $this->ldap_entry["uidnumber"][0];
case "groups":
return Identity_Ldap::Driver::groups_for($this);
case "locale": // @todo
return null;
case "admin":
return in_array($this->ldap_entry["uid"][0], Kohana::config("ldap.admins"));
default:
throw new Exception("@todo UNKNOWN_KEY ($key)");
}
}
}
class Ldap_Group implements Group_Definition {
public $id;
public $name;
public function __construct($id, $name) {
$this->id = $id;
$this->name = $name;
$this->special = false;
}
}
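Review bot: `is_correct_password` never consults the directory — it reads `$user->password`, a key that `Ldap_User::__get` throws `UNKNOWN_KEY` for, so every login attempt ends in an exception rather than a verified credential; the LDAP way is to resolve the user's DN and `ldap_bind` with the supplied password, as in the excerpt below. The filters built in `lookup_user`, `lookup_user_by_name` and `lookup_group_by_name` (`"uidNumber=$id"`, `"uid=$name"`, `"cn=$name"`) interpolate caller-supplied values without RFC 4515 escaping, so filter metacharacters in a login name change the query; wrap them with `ldap_escape($name, "", LDAP_ESCAPE_FILTER)` (PHP ≥ 5.6) or an equivalent helper. The constructor reads `$this->_params["url"]` although the property is static (`self::$_params`), and the anonymous `ldap_bind` result is never checked, so a wrong URL or a server that refuses anonymous binds goes unnoticed until the first search. Independently of the above, the file does not parse or resolve: `ldap_first_entry(, $result)` in `lookup_group_by_name`, `Identity_Ldap::Driver::groups_for` in `Ldap_User::__get`, the unused `$cn_entry = ldap_get_values(..., $entry_id, ...)` lines that reference an undefined `$entry_id`, and the calls to the `ldap::` helper and `Ldap_Group_Model` that this same commit deletes (should be `self::` and `Ldap_Group`).
```php
  /**
   * @see Identity_Driver::is_correct_password.
   */
  public function is_correct_password($user, $password) {
    // LDAP does not hand out the stored hash; the only way to verify a password is
    // to bind as the user.  Reject an empty password first: many servers treat an
    // empty credential as an unauthenticated bind that "succeeds".
    if ($password === "") {
      return false;
    }
    $filter = "uid=" . ldap_escape($user->name, "", LDAP_ESCAPE_FILTER);
    $result = ldap_search(self::$_connection, self::$_params["user_domain"], $filter);
    $entry_id = ldap_first_entry(self::$_connection, $result);
    if (!$entry_id) {
      return false;
    }
    $dn = ldap_get_dn(self::$_connection, $entry_id);
    // Separate connection so the driver's shared search session is not rebound.
    $user_conn = ldap_connect(self::$_params["url"]);
    // NOTE(review): ldap_bind raises a PHP warning on bad credentials; if the framework's
    // error handler turns warnings into exceptions, catch that here and return false.
    $ok = ldap_bind($user_conn, $dn, $password);
    ldap_unbind($user_conn);
    return (bool) $ok;
  }
```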


@ -1,28 +0,0 @@
<?php defined("SYSPATH") or die("No direct script access.");
/**
* Gallery - a web based photo album viewer and editor
* Copyright (C) 2000-2009 Bharat Mediratta
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at
* your option) any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
*/
class Ldap_Group_Model {
public $id;
public $name;
public function __construct($id, $name) {
$this->id = $id;
$this->name = $name;
}
}


@ -1,58 +0,0 @@
<?php defined("SYSPATH") or die("No direct script access.");
/**
* Gallery - a web based photo album viewer and editor
* Copyright (C) 2000-2009 Bharat Mediratta
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at
* your option) any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
*/
class Ldap_User_Model {
private $ldap_entry;
public function __construct($ldap_entry) {
$this->ldap_entry = $ldap_entry;
}
public function display_name() {
return $this->ldap_entry["displayname"][0];
}
public function __get($key) {
switch($key) {
case "name":
return $this->ldap_entry["uid"][0];
case "guest":
return false;
case "login_count":
return 0;
case "id":
return $this->ldap_entry["uidnumber"][0];
case "groups":
return ldap::groups_for($this);
case "locale": // @todo
return null;
case "admin":
return in_array($this->ldap_entry["uid"][0], Kohana::config("ldap.admins"));
default:
throw new Exception("@todo UNKNOWN_KEY ($key)");
}
}
}


@ -1,60 +0,0 @@
<?php defined("SYSPATH") or die("No direct script access.") ?>
<div id="gAdminLdap">
<h1> <?= t("LDAP Configuration") ?> </h1>
<p>
<?= t("LDAP is an alternate authentication system. When you switch to it, all your Gallery3 users and groups <b>will be deleted</b> and you'll use users and groups from your LDAP directory.") ?>
</p>
<p>
<?= t("Your current LDAP configuration is:") ?>
</p>
<table>
<tr>
<td>
<?= t("Base LDAP url") ?>
</td>
<td>
<?= $config["url"] ?>
</td>
</tr>
<tr>
<td>
<?= t("Group LDAP Domain") ?>
</td>
<td>
<?= $config["group_domain"] ?>
</td>
</tr>
<tr>
<td>
<?= t("User LDAP Domain") ?>
</td>
<td>
<?= $config["user_domain"] ?>
</td>
</tr>
<tr>
<td>
<?= t("Groups") ?>
</td>
<td>
<?= join(", ", $config["groups"]) ?>
</td>
</tr>
<tr>
<td>
<?= t("Admin users") ?>
</td>
<td>
<?= join(", ", $config["admins"]) ?>
</td>
</tr>
</table>
<h2> <?= t("LDAP is not currently active") ?> </h2>
<p>
<?= t("Upon activation, all existing users and groups will be deleted. The groups listed above and all available users will be associated with Gallery 3. You will be logged in as the <b>%username</b> user. <b>There is no undo!</b>", array("username" => $config["admins"][0])) ?>
</p>
<a href="<?= url::site("admin/ldap/activate?csrf=$csrf") ?>">activate</a>
</div>