From 46659e09e7e32568a50722de843f8ea6acc6f55d Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sun, 4 Oct 2009 12:36:06 -0700 Subject: [PATCH 01/15] Modules that provides a UserGroupStorage driver for LDAP. To use it, you have to manually update the config/ldap.php file, then go to Admin > Settings > LDAP and activate it. Very alpha quality! --- modules/ldap/config/ldap.php | 28 +++++ modules/ldap/controllers/admin_ldap.php | 64 ++++++++++ modules/ldap/helpers/ldap.php | 115 ++++++++++++++++++ modules/ldap/helpers/ldap_event.php | 28 +++++ .../drivers/UserGroupStorage/Ldap.php | 110 +++++++++++++++++ modules/ldap/models/ldap_group.php | 28 +++++ modules/ldap/models/ldap_guest.php | 36 ++++++ modules/ldap/models/ldap_user.php | 58 +++++++++ modules/ldap/module.info | 3 + modules/ldap/views/admin_ldap.html.php | 60 +++++++++ 10 files changed, 530 insertions(+) create mode 100644 modules/ldap/config/ldap.php create mode 100644 modules/ldap/controllers/admin_ldap.php create mode 100644 modules/ldap/helpers/ldap.php create mode 100644 modules/ldap/helpers/ldap_event.php create mode 100644 modules/ldap/libraries/drivers/UserGroupStorage/Ldap.php create mode 100644 modules/ldap/models/ldap_group.php create mode 100644 modules/ldap/models/ldap_guest.php create mode 100644 modules/ldap/models/ldap_user.php create mode 100644 modules/ldap/module.info create mode 100644 modules/ldap/views/admin_ldap.html.php diff --git a/modules/ldap/config/ldap.php b/modules/ldap/config/ldap.php new file mode 100644 index 00000000..07eda591 --- /dev/null +++ b/modules/ldap/config/ldap.php @@ -0,0 +1,28 @@ + array("eng", "google", "prebuild", "guest"), + "everybody_group" => "guest", + "registered_users_group" => "google", + "admins" => array("mediratta"), + "url" => "ldaps://ldap.corp.google.com/", + "group_domain" => "ou=Posix,ou=Groups,dc=google,dc=com", + "user_domain" => "ou=People,dc=google,dc=com", +); 
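Review bot: config/ldap.php is committed with one organisation's live values as the defaults every install starts from (`"url" => "ldaps://ldap.corp.google.com/"`, `"admins" => array("mediratta")`, the `dc=google,dc=com` base DNs) and carries no comment on what any key means. Replace them with clearly marked placeholders, e.g. `"url" => "ldaps://ldap.example.com/"` and `"admins" => array("ADMIN_UID")`, so nobody deploys against the wrong directory by accident. A one-line comment per key would help the admin who has to edit this by hand: `groups` are the posixGroup `cn` values exposed to Gallery, `everybody_group`/`registered_users_group` name which of those play the two special-group roles, and `admins` lists the `uid`s granted admin rights (that is how the rest of the series uses them).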
diff --git a/modules/ldap/controllers/admin_ldap.php b/modules/ldap/controllers/admin_ldap.php new file mode 100644 index 00000000..8f206bd0 --- /dev/null +++ b/modules/ldap/controllers/admin_ldap.php @@ -0,0 +1,64 @@ +content = new View("admin_ldap.html"); + $view->content->config = Kohana::config("ldap"); + print $view; + } + + public function activate() { + access::verify_csrf(); + + + if (module::get_var("gallery", "user_group_storage", "Gallery3") == "Gallery3") { + // @todo: we should have an API for these + foreach (ORM::factory("group")->find_all() as $group) { + $group->delete(); + } + foreach (ORM::factory("user")->find_all() as $user) { + $user->delete(); + } + } + + // Create LDAP groups + foreach (Kohana::config("ldap.groups") as $group_name) { + $group = ldap::lookup_group_by_name($group_name); + module::event("group_created", $group); + } + + // Fix up permissions. + $root = item::root(); + $everybody = ldap::everybody_group(); + access::allow($everybody, "view", $root); + access::allow($everybody, "view_full", $root); + $registered_users = ldap::registered_users_group(); + access::allow($registered_users, "view", $root); + access::allow($registered_users, "view_full", $root); + + // Switch authentication + module::set_var("gallery", "user_group_storage", "Ldap"); + + // Logout and go back to the top level + user::logout(); + url::redirect(item::root()->abs_url()); + } +} \ No newline at end of file diff --git a/modules/ldap/helpers/ldap.php b/modules/ldap/helpers/ldap.php new file mode 100644 index 00000000..45cae297 --- /dev/null +++ b/modules/ldap/helpers/ldap.php 
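Review bot: `activate()` deletes every local user and group before it has confirmed that the directory is reachable or that the configured groups exist; the helper's lookups return null when a search finds nothing (visible for `lookup_user` in helpers/ldap.php), so a typo in `ldap.groups` or an unreachable server leaves the site with no accounts, a `group_created` event fired with null and `access::allow(null, ...)` applied to the root item. Resolve `ldap.groups`, `ldap::everybody_group()` and `ldap::registered_users_group()` into locals first and return with an error if any of them is null; only then run the deletion loop, fire the events and switch `user_group_storage`. `module::set_var(...)` is also written before `user::logout()`, so if the redirect fails the request has already switched providers — fine, but worth a comment. The controller's class declaration and the `index()` header are not legible in this rendering, so the inherited admin-access check cannot be confirmed from the hunk.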
@@ -0,0 +1,115 @@ + 0) { + return new Ldap_User_Model($entries[0]); + } + return null; + } + + static function lookup_user($id) { + $result = ldap_search(ldap::connection(), + Kohana::config("ldap.user_domain"), + "uidNumber=$id"); + $entries = ldap_get_entries(ldap::connection(), $result); + if ($entries["count"] > 0) { + return new Ldap_User_Model($entries[0]); + } + return null; + } + + static function validate_group($input) { + if (!self::lookup_group_by_name($input->value)) { + $input->add_error("invalid_group", 1); + } + } + + static function groups_for($user) { + $result = ldap_search(ldap::connection(), + Kohana::config("ldap.group_domain"), + "(memberUid=$user->name)"); + + $associated_groups = Kohana::config("ldap.groups"); + $groups = array(); + for ($entry_id = ldap_first_entry(ldap::connection(), $result); + $entry_id != false; + $entry_id = ldap_next_entry(ldap::connection(), $entry_id)) { + $group_id = ldap_get_values(ldap::connection(), $entry_id, "gidNumber"); + $group_name = ldap_get_values(ldap::connection(), $entry_id, "cn"); + if (in_array($group_name[0], $associated_groups)) { + $groups[] = new Ldap_Group_Model($group_id[0], $group_name[0]); + } + } + return $groups; + } + + static function guest() { + return new Ldap_Guest_Model(); + } + + public function everybody_group() { + return ldap::lookup_group_by_name(Kohana::config("ldap.everybody_group")); + } + + public function registered_users_group() { + return ldap::lookup_group_by_name(Kohana::config("ldap.registered_users_group")); + } +} diff --git a/modules/ldap/helpers/ldap_event.php b/modules/ldap/helpers/ldap_event.php new file mode 100644 index 00000000..91217f3f --- /dev/null +++ b/modules/ldap/helpers/ldap_event.php @@ -0,0 +1,28 @@ +get("settings_menu") + ->append(Menu::factory("link") + ->id("ldap") + ->label(t("LDAP")) + ->url(url::site("admin/ldap"))); + } +} 
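Review bot: Every search filter in helpers/ldap.php is built by interpolation — `"uidNumber=$id"` in lookup_user, `"uid=$name"` in lookup_user_by_name, `"(memberUid=$user->name)"` in groups_for — and lookup_user_by_name receives the name typed into the login form, so a value containing filter metacharacters (`*`, `(`, `)`, `\`, NUL) changes the query that is executed. Escape each value per RFC 4515 before interpolating it, `"uid=" . ldap_escape($name, "", LDAP_ESCAPE_FILTER)` where `ldap_escape` is available, else a small helper that backslash-hex-encodes those characters. The same unescaped `cn=$name` and `(memberUid=...)` filters recur in the Identity driver introduced in PATCH 02 and kept through PATCH 04. Separately, `everybody_group()` and `registered_users_group()` are declared as instance methods but are called as `ldap::everybody_group()` from the controller and the driver; declare them `static` like the rest of the helper.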
diff --git a/modules/ldap/libraries/drivers/UserGroupStorage/Ldap.php b/modules/ldap/libraries/drivers/UserGroupStorage/Ldap.php new file mode 100644 index 00000000..eab23107 --- /dev/null +++ b/modules/ldap/libraries/drivers/UserGroupStorage/Ldap.php 
@@ -0,0 +1,110 @@ +get("group_ids"))) { + + $ids = array(); + foreach (user::active()->groups as $group) { + $ids[] = $group->id; + } + $session->set("group_ids", $ids); + } + return $ids; + } + + public function active_user() { + $session = Session::instance(); + $user = $session->get("user", null); + if (!isset($user)) { + // Don't do this as a fallback in the Session::get() call because it can trigger unnecessary + // work. + $session->set("user", $user = user::guest()); + } + return $user; + } + + public function guest_user() { + return ldap::guest(); + } + + public function set_active_user($user) { + $session = Session::instance(); + $session->set("user", $user); + $session->delete("group_ids"); + } + + public function create_user($name, $full_name, $password) { + throw new Exception("@todo UNSUPPORTED"); + } + + public function is_correct_password($user, $password) { + try { + return ldap_bind(ldap::connection(), + "uid={$user->name}," . Kohana::config("ldap.user_domain"), + $password); + } catch (Exception $e) { + // Authentication failure + } + return false; + } + + public function login($user) { + user::set_active($user); + } + + public function logout() { + try { + Session::instance()->destroy(); + } catch (Exception $e) { + Kohana::log("error", $e); + } + } + + public function lookup_user($id) { + return ldap::lookup_user($id); + } + + public function lookup_user_by_name($name) { + return ldap::lookup_user_by_name($name); + } + + public function lookup_group($id) { + return ldap::lookup_group($id); + } + + public function lookup_group_by_name($name) { + return ldap::lookup_group_by_name($name); + } + + public function create_group($name) { + throw new Exception("@todo UNSUPPORTED"); + } + + public function everybody_group() { + return ldap::everybody_group(); + } + + public function registered_users_group() { + return ldap::registered_users_group(); + } +} 
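Review bot: `is_correct_password()` hands `$password` to `ldap_bind()` without rejecting an empty value; a simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513 §5.1.2) that many directories accept, so a known username with no password would be reported as correct. Add `if ($password === null || $password === "") { return false; }` ahead of the bind. The bind is also performed on the shared `ldap::connection()` handle, so after a successful check every later search runs as that user; use a dedicated connection for the check, as PATCH 04 later does. The same missing empty-password guard is present in the reworked versions of this method in PATCH 03 and PATCH 04. The `try/catch (Exception $e)` around `ldap_bind` only catches anything if the framework converts PHP warnings into exceptions, which I can't confirm from the hunk; rely on the bind's return value rather than on the catch.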
diff --git a/modules/ldap/models/ldap_group.php b/modules/ldap/models/ldap_group.php new file mode 100644 index 00000000..22e2ae4b --- /dev/null +++ b/modules/ldap/models/ldap_group.php @@ -0,0 +1,28 @@ +id = $id; + $this->name = $name; + } +} diff --git a/modules/ldap/models/ldap_guest.php b/modules/ldap/models/ldap_guest.php new file mode 100644 index 00000000..645ec095 --- /dev/null +++ b/modules/ldap/models/ldap_guest.php @@ -0,0 +1,36 @@ +ldap_entry = $ldap_entry; + } + + public function display_name() { + return $this->ldap_entry["displayname"][0]; + } + + public function __get($key) { + switch($key) { + case "name": + return $this->ldap_entry["uid"][0]; + + case "guest": + return false; + + case "login_count": + return 0; + + case "id": + return $this->ldap_entry["uidnumber"][0]; + + case "groups": + return ldap::groups_for($this); + + case "locale": // @todo + return null; + + case "admin": + return in_array($this->ldap_entry["uid"][0], Kohana::config("ldap.admins")); + + default: + throw new Exception("@todo UNKNOWN_KEY ($key)"); + } + } +} diff --git a/modules/ldap/module.info b/modules/ldap/module.info new file mode 100644 index 00000000..06fa311b --- /dev/null +++ b/modules/ldap/module.info @@ -0,0 +1,3 @@ +name = "LDAP" +description = "Use LDAP for authentication" +version = 1 diff --git a/modules/ldap/views/admin_ldap.html.php b/modules/ldap/views/admin_ldap.html.php new file mode 100644 index 00000000..e8080449 --- /dev/null +++ b/modules/ldap/views/admin_ldap.html.php @@ -0,0 +1,60 @@ + +
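Review bot: `__get("admin")` in models/ldap_user.php decides admin status with a non-strict `in_array(...)`, which applies loose comparison between the directory `uid` string and the configured admin list; pass the strict flag so only an identical string matches, `return in_array($this->ldap_entry["uid"][0], Kohana::config("ldap.admins"), true);`. `display_name()` and the `name`/`id` cases index `[0]` of `displayname`, `uid` and `uidnumber` without checking the attribute is present on the entry; guard with `isset()` and fall back to the uid (or throw) so a sparse entry does not surface as a notice and a null name. The same `in_array` call reappears in the `Ldap_User` class of PATCH 02 and PATCH 04.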
+

+

+ will be deleted and you'll use users and groups from your LDAP directory.") ?> +

+ +

+ +

+ + + + + + + + + + + + + + + + + + + + + +
+ + + +
+ + + +
+ + + +
+ + + +
+ + + +
+ +

+

+ %username user. There is no undo!", array("username" => $config["admins"][0])) ?> +

+ + ">activate +
From 0963c99eb8e1cf93425cbdd9485fa7a3ffba743a Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Mon, 19 Oct 2009 13:46:04 -0700 Subject: [PATCH 02/15] 2nd iteration of the ldap identity manager provider --- modules/ldap/config/gallery.ldif | 70 ++++++ modules/ldap/config/identity.php | 45 ++++ modules/ldap/controllers/admin_ldap.php | 64 ----- modules/ldap/helpers/ldap.php | 115 --------- modules/ldap/helpers/ldap_event.php | 28 --- .../ldap_installer.php} | 30 ++- .../ldap/libraries/drivers/Identity/Ldap.php | 223 ++++++++++++++++++ modules/ldap/models/ldap_group.php | 28 --- modules/ldap/models/ldap_user.php | 58 ----- modules/ldap/views/admin_ldap.html.php | 60 ----- 10 files changed, 355 insertions(+), 366 deletions(-) create mode 100644 modules/ldap/config/gallery.ldif create mode 100644 modules/ldap/config/identity.php delete mode 100644 modules/ldap/controllers/admin_ldap.php delete mode 100644 modules/ldap/helpers/ldap.php delete mode 100644 modules/ldap/helpers/ldap_event.php rename modules/ldap/{models/ldap_guest.php => helpers/ldap_installer.php} (64%) create mode 100644 modules/ldap/libraries/drivers/Identity/Ldap.php delete mode 100644 modules/ldap/models/ldap_group.php delete mode 100644 modules/ldap/models/ldap_user.php delete mode 100644 modules/ldap/views/admin_ldap.html.php diff --git a/modules/ldap/config/gallery.ldif b/modules/ldap/config/gallery.ldif new file mode 100644 index 00000000..db33c494 --- /dev/null +++ b/modules/ldap/config/gallery.ldif 
@@ -0,0 +1,70 @@ +dn: ou=people,dc=gallery,dc=local +objectClass: organizationalUnit +ou: people + +dn: ou=groups,dc=gallery,dc=local +objectClass: organizationalUnit +ou: groups + +dn: ou=systems,dc=gallery,dc=local +objectClass: organizationalUnit +ou: systems + +dn: uid=jdoe,ou=people,dc=gallery,dc=local +objectClass: inetOrgPerson +objectClass: posixAccount +uid: jdoe +sn: Doe +givenname: John +cn: John Doe +userpassword: {SSHA}76qIsKTflGM6dj0f5c5olnD9ltKKXAFE +displayName: John Doe +homeDirectory: /home/jdoe +uidnumber: 1000 +gidnumber: 10000 +mail: jdoe@gallery.local + +dn: uid=hwallbanger,ou=people,dc=gallery,dc=local +objectClass: inetOrgPerson +objectClass: posixAccount +uid: hwallbanger +sn: Wallbanger +givenname: Harvey +cn: Harvey Wallbanger +userpassword: {SSHA}084H+FFr6s/anIoaIhI+O8OaH2u0MIBL +displayName: Harvey Wallbanger +homeDirectory: /home/hwallbanger +uidnumber: 1001 +gidnumber: 10001 +mail: hwallbanger@gallery.local + +dn: uid=rnail,ou=people,dc=gallery,dc=local +objectClass: inetOrgPerson +objectClass: posixAccount +uid: rnail +sn: Nail +givenname: Rusty +cn: Rusty Nail +userpassword: {SSHA}wXVdpfbP6n9LwoLxrB+NvY2oDN1j/M2z +displayName: Rusty Nail +homeDirectory: /home/rnail +uidnumber: 1002 +gidnumber: 10001 +mail: rnail@gallery.local + +dn: cn=admins,ou=groups,dc=gallery,dc=local +objectclass: posixGroup +cn: admins +gidnumber: 10000 +memberuid: jdoe + +dn: cn=users,ou=groups,dc=gallery,dc=local +objectclass: posixGroup +cn: users +gidnumber: 10001 +memberuid: jdoe +memberuid: hwallbanger +memberuid: rnail + + + diff --git a/modules/ldap/config/identity.php b/modules/ldap/config/identity.php new file mode 100644 index 00000000..87bc79a1 --- /dev/null +++ b/modules/ldap/config/identity.php 
@@ -0,0 +1,45 @@ + "ldap", + "allow_updates" => false, + "params" => array( + "groups" => array("admins", "users", "guest"), + "everybody_group" => "guest", + "registered_users_group" => "users", + "admins" => array("jdoe"), + "url" => "ldap://127.0.0./", + "group_domain" => "ou=groups,dc=gallery,dc=local", + "user_domain" => "ou=people,dc=gallery,dc=local" + ) +); diff --git a/modules/ldap/controllers/admin_ldap.php b/modules/ldap/controllers/admin_ldap.php deleted file mode 100644 index 8f206bd0..00000000 --- a/modules/ldap/controllers/admin_ldap.php +++ /dev/null @@ -1,64 +0,0 @@ -content = new View("admin_ldap.html"); - $view->content->config = Kohana::config("ldap"); - print $view; - } - - public function activate() { - access::verify_csrf(); - - - if (module::get_var("gallery", "user_group_storage", "Gallery3") == "Gallery3") { - // @todo: we should have an API for these - foreach (ORM::factory("group")->find_all() as $group) { - $group->delete(); - } - foreach (ORM::factory("user")->find_all() as $user) { - $user->delete(); - } - } - - // Create LDAP groups - foreach (Kohana::config("ldap.groups") as $group_name) { - $group = ldap::lookup_group_by_name($group_name); - module::event("group_created", $group); - } - - // Fix up permissions. - $root = item::root(); - $everybody = ldap::everybody_group(); - access::allow($everybody, "view", $root); - access::allow($everybody, "view_full", $root); - $registered_users = ldap::registered_users_group(); - access::allow($registered_users, "view", $root); - access::allow($registered_users, "view_full", $root); - - // Switch authentication - module::set_var("gallery", "user_group_storage", "Ldap"); - - // Logout and go back to the top level - user::logout(); - url::redirect(item::root()->abs_url()); - } -} \ No newline at end of file diff --git a/modules/ldap/helpers/ldap.php b/modules/ldap/helpers/ldap.php deleted file mode 100644 index 45cae297..00000000 --- a/modules/ldap/helpers/ldap.php +++ /dev/null 
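Review bot: The sample `"url" => "ldap://127.0.0./"` in config/identity.php is missing its last octet, so the shipped default can never connect; it should read `"url" => "ldap://127.0.0.1/",`. A comment next to the key would also help: a plain `ldap://` URL sends the simple-bind password in clear text unless StartTLS is negotiated, and the driver code shown in this series never calls `ldap_start_tls()`, so production installs should point at `ldaps://`. `"allow_updates" => false` is undocumented here; a one-liner saying that user and group creation are refused by this driver would save the next reader a trip into the driver.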
@@ -1,115 +0,0 @@ - 0) { - return new Ldap_User_Model($entries[0]); - } - return null; - } - - static function lookup_user($id) { - $result = ldap_search(ldap::connection(), - Kohana::config("ldap.user_domain"), - "uidNumber=$id"); - $entries = ldap_get_entries(ldap::connection(), $result); - if ($entries["count"] > 0) { - return new Ldap_User_Model($entries[0]); - } - return null; - } - - static function validate_group($input) { - if (!self::lookup_group_by_name($input->value)) { - $input->add_error("invalid_group", 1); - } - } - - static function groups_for($user) { - $result = ldap_search(ldap::connection(), - Kohana::config("ldap.group_domain"), - "(memberUid=$user->name)"); - - $associated_groups = Kohana::config("ldap.groups"); - $groups = array(); - for ($entry_id = ldap_first_entry(ldap::connection(), $result); - $entry_id != false; - $entry_id = ldap_next_entry(ldap::connection(), $entry_id)) { - $group_id = ldap_get_values(ldap::connection(), $entry_id, "gidNumber"); - $group_name = ldap_get_values(ldap::connection(), $entry_id, "cn"); - if (in_array($group_name[0], $associated_groups)) { - $groups[] = new Ldap_Group_Model($group_id[0], $group_name[0]); - } - } - return $groups; - } - - static function guest() { - return new Ldap_Guest_Model(); - } - - public function everybody_group() { - return ldap::lookup_group_by_name(Kohana::config("ldap.everybody_group")); - } - - public function registered_users_group() { - return ldap::lookup_group_by_name(Kohana::config("ldap.registered_users_group")); - } -} diff --git a/modules/ldap/helpers/ldap_event.php b/modules/ldap/helpers/ldap_event.php deleted file mode 100644 index 91217f3f..00000000 --- a/modules/ldap/helpers/ldap_event.php +++ /dev/null @@ -1,28 +0,0 @@ -get("settings_menu") - ->append(Menu::factory("link") - ->id("ldap") - ->label(t("LDAP")) - ->url(url::site("admin/ldap"))); - } -} 
diff --git a/modules/ldap/models/ldap_guest.php b/modules/ldap/helpers/ldap_installer.php similarity index 64% rename from modules/ldap/models/ldap_guest.php rename to modules/ldap/helpers/ldap_installer.php index 645ec095..825da9fa 100644 --- a/modules/ldap/models/ldap_guest.php +++ b/modules/ldap/helpers/ldap_installer.php @@ -17,20 +17,24 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. */ -class Ldap_Guest_Model { - public $id = 0; - public $guest = true; - public $admin = false; - public $locale = null; - public $name = "Guest"; +class ldap_installer { + static function install() { + } - public function __get($key) { - switch($key) { - case "groups": - return array(ldap::everybody_group()); + static function uninstall() { + // Delete all users and groups so that we give other modules an opportunity to clean up + foreach (ORM::factory("user")->find_all() as $user) { + $user->delete(); + } - default: - throw new Exception("@todo UNKNOWN_KEY ($key)"); + foreach (ORM::factory("group")->find_all() as $group) { + $group->delete(); + } + + try { + Session::instance()->destroy(); + } catch (Exception $e) { + // We don't care if there was a problem destroying the session. } } -} +} \ No newline at end of file diff --git a/modules/ldap/libraries/drivers/Identity/Ldap.php b/modules/ldap/libraries/drivers/Identity/Ldap.php new file mode 100644 index 00000000..e0cdbfaa --- /dev/null +++ b/modules/ldap/libraries/drivers/Identity/Ldap.php 
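Review bot: `ldap_installer::uninstall()` deletes every row from the user and group tables when the module is uninstalled, including whatever local admin account the site falls back to once the LDAP provider is gone — after that there may be no account that can log in. If the intent is to clean up only what this module created, delete nothing here and let the provider's deactivate hook emit `group_deleted` events (which is what PATCH 04 ends up doing). `install()` is an empty body with no comment; either document it (`// Nothing to set up: users and groups live in the directory.`) or remove it.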
@@ -0,0 +1,223 @@ +_params["url"]); + ldap_bind(self::$_connection); + } + + /** + * @see Identity_Driver::guest. + */ + public function guest() { + if (empty(self::$_guest_user)) { + self::$_guest_user = new Ldap_User(); + self::$_guest_user->id = 0; + self::$_guest_user->name = "Guest"; + self::$_guest_user->guest = true; + self::$_guest_user->admin = false; + self::$_guest_user->locale = null; + self::$_guest_user->groups = array($this->everybody()); + } + return self::$_guest_user; + } + + /** + * @see Identity_Driver::create_user. + */ + public function create_user($name, $full_name, $password) { + throw new Exception("@todo INVALID OPERATION"); + } + + /** + * @see Identity_Driver::is_correct_password. + */ + public function is_correct_password($user, $password) { + $valid = $user->password; + + // Try phpass first, since that's what we generate. + if (strlen($valid) == 34) { + require_once(MODPATH . "user/lib/PasswordHash.php"); + $hashGenerator = new PasswordHash(10, true); + return $hashGenerator->CheckPassword($password, $valid); + } + + $salt = substr($valid, 0, 4); + // Support both old (G1 thru 1.4.0; G2 thru alpha-4) and new password schemes: + $guess = (strlen($valid) == 32) ? md5($password) : ($salt . md5($salt . $password)); + if (!strcmp($guess, $valid)) { + return true; + } + + // Passwords with <&"> created by G2 prior to 2.1 were hashed with entities + $sanitizedPassword = html::specialchars($password, false); + $guess = (strlen($valid) == 32) ? md5($sanitizedPassword) + : ($salt . md5($salt . $sanitizedPassword)); + if (!strcmp($guess, $valid)) { + return true; + } + + return false; + } + + /** + * @see Identity_Driver::lookup_user. 
+ */ + public function lookup_user($id) { + $result = ldap_search(self::$_connection, self::$_params["user_domain"], "uidNumber=$id"); + $entries = ldap_get_entries(self::$_connection, $result); + if ($entries["count"] > 0) { + $cn_entry = ldap_get_values(self::$_connection, $entry_id, "cn"); + return new Ldap_User($entries[0]); + } + return null; + } + + /** + * @see Identity_Driver::lookup_user_by_name. + */ + public function lookup_user_by_name($name) { + $result = ldap_search(self::$_connection, self::$_params["user_domain"], "uid=$name"); + $entries = ldap_get_entries(self::$_connection, $result); + if ($entries["count"] > 0) { + $cn_entry = ldap_get_values(self::$_connection, $entry_id, "cn"); + return new Ldap_User($entries[0]); + } + return null; + } + + /** + * @see Identity_Driver::create_group. + */ + public function create_group($name) { + throw new Exception("@todo INVALID OPERATION"); + } + + /** + * @see Identity_Driver::everybody. + */ + public function everybody() { + return ldap::lookup_group_by_name(self::$_params["everybody_group"]); + } + + /** + * @see Identity_Driver::registered_users. + */ + public function registered_users() { + return ldap::lookup_group_by_name(self::$_params["registered_users_group"]); + } + + /** + * @see Identity_Driver::lookup_group_by_name. + */ + static function lookup_group_by_name($name) { + $result = ldap_search(self::$_connection, self::$_params["group_domain"], "cn=$name"); + $entry_id = ldap_first_entry(, $result); + if ($entry_id) { + $cn_entry = ldap_get_values(self::$_connection, $entry_id, "cn"); + $gid_number_entry = ldap_get_values(self::$_connection, $entry_id, "gidNumber"); + return new Ldap_Group_Model($gid_number_entry[0], $cn_entry[0]); + } + return null; + } + + /** + * @see Identity_Driver::get_user_list. 
+ */ + public function get_user_list($ids) { + throw new Exception("@todo NOT IMPLEMENTED"); + } + + static function groups_for($user) { + $result = ldap_search(self::$_connection, self::$_params["group_domain"], + "(memberUid=$user->name)"); + + $associated_groups = Kohana::config("ldap.groups"); + $groups = array(); + for ($entry_id = ldap_first_entry(self::$_connection, $result); + $entry_id != false; + $entry_id = ldap_next_entry(self::$_connection, $entry_id)) { + $group_id = ldap_get_values(self::$_connection, $entry_id, "gidNumber"); + $group_name = ldap_get_values(self::$_connection, $entry_id, "cn"); + if (in_array($group_name[0], $associated_groups)) { + $groups[] = new Ldap_Group($group_id[0], $group_name[0]); + } + } + return $groups; + } +} // End Identity Gallery Driver + +class Ldap_User implements User_Definition { + private $ldap_entry; + + public function __construct($ldap_entry=null) { + $this->ldap_entry = $ldap_entry; + } + + public function display_name() { + return $this->ldap_entry["displayname"][0]; + } + + public function __get($key) { + switch($key) { + case "name": + return $this->ldap_entry["uid"][0]; + + case "guest": + return false; + + case "id": + return $this->ldap_entry["uidnumber"][0]; + + case "groups": + return Identity_Ldap::Driver::groups_for($this); + + case "locale": // @todo + return null; + + case "admin": + return in_array($this->ldap_entry["uid"][0], Kohana::config("ldap.admins")); + + default: + throw new Exception("@todo UNKNOWN_KEY ($key)"); + } + } + } + +class Ldap_Group implements Group_Definition { + public $id; + public $name; + + public function __construct($id, $name) { + $this->id = $id; + $this->name = $name; + $this->special = false; + } +} diff --git a/modules/ldap/models/ldap_group.php b/modules/ldap/models/ldap_group.php deleted file mode 100644 index 22e2ae4b..00000000 --- a/modules/ldap/models/ldap_group.php +++ /dev/null @@ -1,28 +0,0 @@ -id = $id; - $this->name = $name; - } -} 
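Review bot: This file cannot be loaded as committed: `ldap_first_entry(, $result)` in lookup_group_by_name and `Identity_Ldap::Driver::groups_for($this)` in `Ldap_User::__get` are syntax errors, and the constructor reads `$this->_params["url"]` although `_params` is a static property (`self::$_params["url"]`). `is_correct_password()` is the database driver's phpass/md5 routine checking `$user->password`, a key that `Ldap_User::__get` does not handle (it throws `UNKNOWN_KEY`), so no directory user could authenticate; for LDAP the check is a bind as the user's DN on a separate connection, with empty passwords rejected first. `lookup_user()` and `lookup_user_by_name()` both reference `$entry_id`, which is never assigned, in their `$cn_entry` lines — those lines are dead and should go. `everybody()` and `registered_users()` call `ldap::lookup_group_by_name`, a helper this same commit deletes; they should call `self::lookup_group_by_name`, and `groups_for()` still reads `Kohana::config("ldap.groups")` instead of `self::$_params["groups"]`.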
diff --git a/modules/ldap/models/ldap_user.php b/modules/ldap/models/ldap_user.php deleted file mode 100644 index baaf8459..00000000 --- a/modules/ldap/models/ldap_user.php +++ /dev/null @@ -1,58 +0,0 @@ -ldap_entry = $ldap_entry; - } - - public function display_name() { - return $this->ldap_entry["displayname"][0]; - } - - public function __get($key) { - switch($key) { - case "name": - return $this->ldap_entry["uid"][0]; - - case "guest": - return false; - - case "login_count": - return 0; - - case "id": - return $this->ldap_entry["uidnumber"][0]; - - case "groups": - return ldap::groups_for($this); - - case "locale": // @todo - return null; - - case "admin": - return in_array($this->ldap_entry["uid"][0], Kohana::config("ldap.admins")); - - default: - throw new Exception("@todo UNKNOWN_KEY ($key)"); - } - } -} diff --git a/modules/ldap/views/admin_ldap.html.php b/modules/ldap/views/admin_ldap.html.php deleted file mode 100644 index e8080449..00000000 --- a/modules/ldap/views/admin_ldap.html.php +++ /dev/null @@ -1,60 +0,0 @@ - -
-

-

- will be deleted and you'll use users and groups from your LDAP directory.") ?> -

- -

- -

- - - - - - - - - - - - - - - - - - - - - -
- - - -
- - - -
- - - -
- - - -
- - - -
- -

-

- %username user. There is no undo!", array("username" => $config["admins"][0])) ?> -

- - ">activate -
From 1f6c84ee0f4e2f6c43e59325a54face9e4654c86 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Mon, 19 Oct 2009 14:11:36 -0700 Subject: [PATCH 03/15] Include the code to check the code by binding --- .../ldap/libraries/drivers/Identity/Ldap.php | 28 +++++-------------- 1 file changed, 7 insertions(+), 21 deletions(-) diff --git a/modules/ldap/libraries/drivers/Identity/Ldap.php b/modules/ldap/libraries/drivers/Identity/Ldap.php index e0cdbfaa..526b6782 100644 --- a/modules/ldap/libraries/drivers/Identity/Ldap.php +++ b/modules/ldap/libraries/drivers/Identity/Ldap.php @@ -60,31 +60,17 @@ class Identity_Ldap_Driver implements Identity_Driver { * @see Identity_Driver::is_correct_password. */ public function is_correct_password($user, $password) { - $valid = $user->password; + $ureturn=ldap_search(self::$_connection, $base_dn, "(uid=$uname)", array('dn')); - // Try phpass first, since that's what we generate. - if (strlen($valid) == 34) { - require_once(MODPATH . "user/lib/PasswordHash.php"); - $hashGenerator = new PasswordHash(10, true); - return $hashGenerator->CheckPassword($password, $valid); - } + $uent=ldap_first_entry(self::$_connection, $ureturn); + if (!$uent) return ERROR_CODE; - $salt = substr($valid, 0, 4); - // Support both old (G1 thru 1.4.0; G2 thru alpha-4) and new password schemes: - $guess = (strlen($valid) == 32) ? md5($password) : ($salt . md5($salt . $password)); - if (!strcmp($guess, $valid)) { - return true; - } + $bn=ldap_get_dn(self::$_connection, $uent); - // Passwords with <&"> created by G2 prior to 2.1 were hashed with entities - $sanitizedPassword = html::specialchars($password, false); - $guess = (strlen($valid) == 32) ? md5($sanitizedPassword) - : ($salt . md5($salt . $sanitizedPassword)); - if (!strcmp($guess, $valid)) { - return true; - } + //This line should use $pass rather than $password + $lbind=ldap_bind(self::$_connection, $bn, $password); - return false; + return ($lbind) ? true : false; } /** 
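Review bot: The rewritten `is_correct_password()` references `$base_dn` and `$uname`, which are never defined in the method, and returns the undefined constant `ERROR_CODE` instead of a bool when no entry is found; the search should use `self::$_params["user_domain"]` and the escaped `$user->name`, and the not-found path should `return false;`. The comment `//This line should use $pass rather than $password` looks left over from wherever this snippet was pasted from and contradicts the code below it; drop it. Binding the shared `self::$_connection` as the user also rebinds the handle every later lookup uses, and the empty-password case is still unhandled (see the note on the PATCH 01 driver).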
From 7a53eeb3f4bafd53028394f507825375a5d7f939 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Tue, 20 Oct 2009 16:34:03 -0700 Subject: [PATCH 04/15] Initial implementation of a Ldap identity provider --- modules/ldap/config/gallery.ldif | 4 + modules/ldap/config/identity.php | 4 +- modules/ldap/helpers/ldap_installer.php | 40 --------- .../ldap/libraries/drivers/Identity/Ldap.php | 85 ++++++++++++++----- 4 files changed, 69 insertions(+), 64 deletions(-) delete mode 100644 modules/ldap/helpers/ldap_installer.php diff --git a/modules/ldap/config/gallery.ldif b/modules/ldap/config/gallery.ldif index db33c494..bc52d08a 100644 --- a/modules/ldap/config/gallery.ldif +++ b/modules/ldap/config/gallery.ldif @@ -66,5 +66,9 @@ memberuid: jdoe memberuid: hwallbanger memberuid: rnail +dn: cn=guest,ou=groups,dc=gallery,dc=local +objectclass: posixGroup +cn: guest +gidnumber: 10002 diff --git a/modules/ldap/config/identity.php b/modules/ldap/config/identity.php index 87bc79a1..7e7d7e30 100644 --- a/modules/ldap/config/identity.php +++ b/modules/ldap/config/identity.php @@ -34,11 +34,11 @@ $config["ldap"] = array( "driver" => "ldap", "allow_updates" => false, "params" => array( - "groups" => array("admins", "users", "guest"), + "groups" => array("users", "guest"), "everybody_group" => "guest", "registered_users_group" => "users", "admins" => array("jdoe"), - "url" => "ldap://127.0.0./", + "url" => "ldap://127.0.0.1/", "group_domain" => "ou=groups,dc=gallery,dc=local", "user_domain" => "ou=people,dc=gallery,dc=local" ) diff --git a/modules/ldap/helpers/ldap_installer.php b/modules/ldap/helpers/ldap_installer.php deleted file mode 100644 index 825da9fa..00000000 --- a/modules/ldap/helpers/ldap_installer.php +++ /dev/null 
@@ -1,40 +0,0 @@ -find_all() as $user) { - $user->delete(); - } - - foreach (ORM::factory("group")->find_all() as $group) { - $group->delete(); - } - - try { - Session::instance()->destroy(); - } catch (Exception $e) { - // We don't care if there was a problem destroying the session. - } - } -} \ No newline at end of file diff --git a/modules/ldap/libraries/drivers/Identity/Ldap.php b/modules/ldap/libraries/drivers/Identity/Ldap.php index 526b6782..49df9b3c 100644 --- a/modules/ldap/libraries/drivers/Identity/Ldap.php +++ b/modules/ldap/libraries/drivers/Identity/Ldap.php @@ -18,7 +18,7 @@ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. */ class Identity_Ldap_Driver implements Identity_Driver { - private static $_params; + static $_params; private static $_connection; private static $_guest_user; 
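Review bot: Widening `$_params` from `private static` to a bare `static` (public) so that `Ldap_User::__get("admin")` can read `Identity_Ldap_Driver::$_params["admins"]` later in this patch exposes the whole driver configuration, including the directory URL and base DNs, as global mutable state that any code can overwrite. Keep the property private and add a narrow accessor instead, `static function admins() { return self::$_params["admins"]; }`, calling that from `Ldap_User`.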
@@ -29,16 +29,45 @@ class Identity_Ldap_Driver implements Identity_Driver { */ public function __construct($params) { self::$_params = $params; - self::$_connection = ldap_connect($this->_params["url"]); + self::$_connection = ldap_connect(self::$_params["url"]); + ldap_set_option(self::$_connection, LDAP_OPT_PROTOCOL_VERSION, 3); ldap_bind(self::$_connection); } + /** + * @see Identity_Driver::activate. + */ + public function activate() { + foreach (self::$_params["groups"] as $group_name) { + $root = item::root(); + $group = Identity::lookup_group_by_name($group_name); + module::event("group_created", $group); + access::allow($group, "view", $root); + access::allow($group, "view_full", $root); + } + } + + /** + * @see Identity_Driver::deactivate. + */ + public function deactivate() { + // Delete all groups so that we give other modules an opportunity to clean up + foreach (self::$_params["groups"] as $group_name) { + $group = Identity::lookup_group_by_name($group_name); + module::event("group_deleted", $group); + } + } + /** * @see Identity_Driver::guest. */ public function guest() { + Kohana::log("alert", "Ldap_Identity_Driver::guest is_empty: " . + empty(self::$_guest_user) ? "true" : "false"); if (empty(self::$_guest_user)) { + Kohana::log("alert", "Creating guest User"); self::$_guest_user = new Ldap_User(); + Kohana::log("alert", "allocated"); self::$_guest_user->id = 0; self::$_guest_user->name = "Guest"; self::$_guest_user->guest = true; @@ -46,6 +75,7 @@ class Identity_Ldap_Driver implements Identity_Driver { self::$_guest_user->locale = null; self::$_guest_user->groups = array($this->everybody()); } + Kohana::log("alert", "Ldap_Identity_Driver::guest exiting "); return self::$_guest_user; } 
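Review bot: The new log line in `guest()` has a precedence bug: in `"... is_empty: " . empty(self::$_guest_user) ? "true" : "false"` the concatenation is evaluated first and the ternary is applied to the resulting non-empty string, so it always logs `true`; parenthesise it, `"... is_empty: " . (empty(self::$_guest_user) ? "true" : "false")`, or better remove these `Kohana::log("alert", ...)` debug calls before merge, since they fire on every request at alert severity. In the constructor the results of `ldap_connect()` and the anonymous `ldap_bind()` are still unchecked, so a bad URL only surfaces as warnings from later searches. In `activate()`, `item::root()` is evaluated on every iteration; hoist it above the `foreach`.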
@@ -60,15 +90,10 @@ class Identity_Ldap_Driver implements Identity_Driver { * @see Identity_Driver::is_correct_password. */ public function is_correct_password($user, $password) { - $ureturn=ldap_search(self::$_connection, $base_dn, "(uid=$uname)", array('dn')); - - $uent=ldap_first_entry(self::$_connection, $ureturn); - if (!$uent) return ERROR_CODE; - - $bn=ldap_get_dn(self::$_connection, $uent); - - //This line should use $pass rather than $password - $lbind=ldap_bind(self::$_connection, $bn, $password); + $connection = ldap_connect(self::$_params["url"]); + ldap_set_option($connection, LDAP_OPT_PROTOCOL_VERSION, 3); + $lbind = ldap_bind($connection, $user->dn, $password); + ldap_unbind($connection); return ($lbind) ? true : false; } @@ -93,7 +118,6 @@ class Identity_Ldap_Driver implements Identity_Driver { $result = ldap_search(self::$_connection, self::$_params["user_domain"], "uid=$name"); $entries = ldap_get_entries(self::$_connection, $result); if ($entries["count"] > 0) { - $cn_entry = ldap_get_values(self::$_connection, $entry_id, "cn"); return new Ldap_User($entries[0]); } return null; 
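Review bot: Using a dedicated connection is the right fix, but `ldap_connect()` can return false and `ldap_set_option`/`ldap_bind`/`ldap_unbind` are then called on it, and a failed bind is reported only as a warning plus a false return; check the handle first, `if ($connection === false) { return false; }`, and keep the empty-password guard noted on PATCH 01 ahead of the bind. The guest user is an `Ldap_User` built without an entry, so `$user->dn` goes through `__get` to `$this->ldap_entry["dn"]` on null and the bind would be attempted with an empty DN — presumably unreachable from the login flow, but returning false for `$user->guest` up front makes that explicit.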
@@ -110,26 +134,36 @@ class Identity_Ldap_Driver implements Identity_Driver { * @see Identity_Driver::everybody. */ public function everybody() { - return ldap::lookup_group_by_name(self::$_params["everybody_group"]); + Kohana::log("alert", "Ldap_Identity_Driver::everybody"); + return self::lookup_group_by_name(self::$_params["everybody_group"]); } /** * @see Identity_Driver::registered_users. */ public function registered_users() { - return ldap::lookup_group_by_name(self::$_params["registered_users_group"]); + return self::lookup_group_by_name(self::$_params["registered_users_group"]); } /** * @see Identity_Driver::lookup_group_by_name. */ static function lookup_group_by_name($name) { - $result = ldap_search(self::$_connection, self::$_params["group_domain"], "cn=$name"); - $entry_id = ldap_first_entry(, $result); - if ($entry_id) { + Kohana::log("alert", "lookup_group_by_name($name)"); + $result = @ldap_search(self::$_connection, self::$_params["group_domain"], "cn=$name"); + Kohana::log("alert", Kohana::debug($result)); + $entry_id = ldap_first_entry(self::$_connection, $result); + + Kohana::log("alert", Kohana::debug(($entry_id !== false ? $entry_id : "false"))); + if ($entry_id !== false) { $cn_entry = ldap_get_values(self::$_connection, $entry_id, "cn"); + Kohana::log("alert", Kohana::debug($cn_entry)); $gid_number_entry = ldap_get_values(self::$_connection, $entry_id, "gidNumber"); - return new Ldap_Group_Model($gid_number_entry[0], $cn_entry[0]); + Kohana::log("alert", Kohana::debug($gid_number_entry)); + return new Ldap_Group($gid_number_entry[0], $cn_entry[0]); + } else { + Kohana::log("alert", Kohana::debug(ldap_errno(self::$_connection))); + Kohana::log("alert", Kohana::debug(ldap_error(self::$_connection))); } return null; } 
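Review bot: In `lookup_group_by_name()` the new `@ldap_search(...)` returns false on error, and that false is passed unchecked to `ldap_first_entry(self::$_connection, $result)`, which then fails with a warning of its own; guard it right after the search with `if ($result === false) { return null; }`. The surrounding `Kohana::log("alert", ...)` calls dump the raw search result, `ldap_errno` and `ldap_error` at alert severity on every group lookup, which floods the log with directory internals; either remove them before merging or log once at "debug" level. `everybody()` gets the same alert-level trace in this hunk.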
@@ -138,7 +172,11 @@ class Identity_Ldap_Driver implements Identity_Driver { * @see Identity_Driver::get_user_list. */ public function get_user_list($ids) { - throw new Exception("@todo NOT IMPLEMENTED"); + $users = array(); + foreach ($ids as $id) { + $users[] = self::lookup_user($id); + } + return $users; } static function groups_for($user) { @@ -183,19 +221,22 @@ class Ldap_User implements User_Definition { return $this->ldap_entry["uidnumber"][0]; case "groups": - return Identity_Ldap::Driver::groups_for($this); + return Identity_Ldap_Driver::groups_for($this); case "locale": // @todo return null; case "admin": - return in_array($this->ldap_entry["uid"][0], Kohana::config("ldap.admins")); + return in_array($this->ldap_entry["uid"][0], Identity_Ldap_Driver::$_params["admins"]); + + case "dn": + return $this->ldap_entry["dn"]; default: throw new Exception("@todo UNKNOWN_KEY ($key)"); } } - } +} class Ldap_Group implements Group_Definition { public $id; From bd7f9e427f428a1889c365cde72f33154e0b0f07 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Tue, 20 Oct 2009 17:02:03 -0700 Subject: [PATCH 05/15] Add a groups api method on the Identity provider --- .../ldap/libraries/drivers/Identity/Ldap.php | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/modules/ldap/libraries/drivers/Identity/Ldap.php b/modules/ldap/libraries/drivers/Identity/Ldap.php index 49df9b3c..fc9ec511 100644 --- a/modules/ldap/libraries/drivers/Identity/Ldap.php +++ b/modules/ldap/libraries/drivers/Identity/Ldap.php 
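Review bot: `get_user_list()` appends `self::lookup_user($id)` unconditionally, yet the sibling `lookup_user_by_name()` returns null on a miss (earlier hunk) and `lookup_user()` presumably does the same, so a stale or bogus id leaves a null element for callers to trip over. Skip misses instead: `if ($user = self::lookup_user($id)) { $users[] = $user; }`. The body of `lookup_user()` is only partly visible in this series, so confirm its miss behaviour matches.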
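Review bot: The `"admin"` case in `Ldap_User::__get()` decides administrative privilege with a loose `in_array($this->ldap_entry["uid"][0], Identity_Ldap_Driver::$_params["admins"])`; PHP's loose comparison treats numeric-looking strings numerically, so a uid that is not byte-identical to a configured admin can still compare equal. Pass `true` as the third argument for strict comparison. This check is also the reason `$_params` is a public static on the driver (`static $_params;` in the class header); a static accessor would let the configuration stay private. The enclosing `switch` begins above this hunk.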
@@ -149,21 +149,13 @@ class Identity_Ldap_Driver implements Identity_Driver { * @see Identity_Driver::lookup_group_by_name. */ static function lookup_group_by_name($name) { - Kohana::log("alert", "lookup_group_by_name($name)"); $result = @ldap_search(self::$_connection, self::$_params["group_domain"], "cn=$name"); - Kohana::log("alert", Kohana::debug($result)); $entry_id = ldap_first_entry(self::$_connection, $result); - Kohana::log("alert", Kohana::debug(($entry_id !== false ? $entry_id : "false"))); if ($entry_id !== false) { $cn_entry = ldap_get_values(self::$_connection, $entry_id, "cn"); - Kohana::log("alert", Kohana::debug($cn_entry)); $gid_number_entry = ldap_get_values(self::$_connection, $entry_id, "gidNumber"); - Kohana::log("alert", Kohana::debug($gid_number_entry)); return new Ldap_Group($gid_number_entry[0], $cn_entry[0]); - } else { - Kohana::log("alert", Kohana::debug(ldap_errno(self::$_connection))); - Kohana::log("alert", Kohana::debug(ldap_error(self::$_connection))); } return null; } @@ -179,6 +171,18 @@ class Identity_Ldap_Driver implements Identity_Driver { return $users; } + /** + * @see Identity_Driver::groups. + */ + static function groups() { + $groups = array(); + foreach (self::$_params["groups"] as $group_name) { + $root = item::root(); + $groups[] = Identity::lookup_group_by_name($group_name); + } + return $groups; + } + static function groups_for($user) { $result = ldap_search(self::$_connection, self::$_params["group_domain"], "(memberUid=$user->name)"); From 2ece7e92b24f1d32e9f3b06d40b7c3cd8c909a6e Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Tue, 20 Oct 2009 17:20:22 -0700 Subject: [PATCH 06/15] Add lookup_group Identity provider API. --- .../ldap/libraries/drivers/Identity/Ldap.php | 20 ++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/modules/ldap/libraries/drivers/Identity/Ldap.php b/modules/ldap/libraries/drivers/Identity/Ldap.php index fc9ec511..2615c4d7 100644 
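Review bot: The new `groups()` computes `$root = item::root();` on every iteration and never uses it, a leftover from `activate()` that costs one item lookup per configured group; delete that line (it survives PATCH 09's "copy/paste" cleanup below). It also goes through the `Identity::lookup_group_by_name()` facade while sibling methods call `self::`, and appends whatever comes back, so a misconfigured group name yields a null entry; `if ($group = self::lookup_group_by_name($group_name)) { $groups[] = $group; }` covers both.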
--- a/modules/ldap/libraries/drivers/Identity/Ldap.php +++ b/modules/ldap/libraries/drivers/Identity/Ldap.php @@ -62,12 +62,8 @@ class Identity_Ldap_Driver implements Identity_Driver { * @see Identity_Driver::guest. */ public function guest() { - Kohana::log("alert", "Ldap_Identity_Driver::guest is_empty: " . - empty(self::$_guest_user) ? "true" : "false"); if (empty(self::$_guest_user)) { - Kohana::log("alert", "Creating guest User"); self::$_guest_user = new Ldap_User(); - Kohana::log("alert", "allocated"); self::$_guest_user->id = 0; self::$_guest_user->name = "Guest"; self::$_guest_user->guest = true; @@ -75,7 +71,6 @@ class Identity_Ldap_Driver implements Identity_Driver { self::$_guest_user->locale = null; self::$_guest_user->groups = array($this->everybody()); } - Kohana::log("alert", "Ldap_Identity_Driver::guest exiting "); return self::$_guest_user; } @@ -145,6 +140,21 @@ class Identity_Ldap_Driver implements Identity_Driver { return self::lookup_group_by_name(self::$_params["registered_users_group"]); } + /** + * @see Identity_Driver::lookup_group. + */ + static function lookup_group($id) { + $result = @ldap_search(self::$_connection, self::$_params["group_domain"], "gidNumber=$id"); + $entry_id = ldap_first_entry(self::$_connection, $result); + + if ($entry_id !== false) { + $cn_entry = ldap_get_values(self::$_connection, $entry_id, "cn"); + $gid_number_entry = ldap_get_values(self::$_connection, $entry_id, "gidNumber"); + return new Ldap_Group($gid_number_entry[0], $cn_entry[0]); + } + return null; + } + /** * @see Identity_Driver::lookup_group_by_name. */ From 337265578b532983e02c398de3532c8ece31ae95 Mon Sep 17 00:00:00 2001 
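Review bot: `lookup_group()` is `lookup_group_by_name()` with only the filter changed, so the entry-to-`Ldap_Group` unpacking now lives twice, and in both copies a false from `@ldap_search` is passed straight to `ldap_first_entry()`. Factor the search into one private helper that checks the result and have both public lookups build just the filter; `$id` is numeric, so `(int) $id` keeps filter metacharacters out without an escaper. `lookup_group_by_name()` itself is outside this hunk and would become a one-line call to the same helper.
```php
/**
 * Run $filter under the group domain and wrap the first match as an Ldap_Group.
 * @return Ldap_Group|null  null when the search fails or finds nothing
 */
private static function _find_group($filter) {
  $result = @ldap_search(self::$_connection, self::$_params["group_domain"], $filter);
  if ($result === false) {
    return null;
  }
  $entry_id = ldap_first_entry(self::$_connection, $result);
  if ($entry_id === false) {
    return null;
  }
  $cn_entry = ldap_get_values(self::$_connection, $entry_id, "cn");
  $gid_number_entry = ldap_get_values(self::$_connection, $entry_id, "gidNumber");
  return new Ldap_Group($gid_number_entry[0], $cn_entry[0]);
}

/**
 * @see Identity_Driver::lookup_group.
 */
static function lookup_group($id) {
  // gidNumber is numeric; the cast keeps filter metacharacters out of the query
  return self::_find_group("(gidNumber=" . (int) $id . ")");
}
```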
From: Tim Almdal Date: Wed, 21 Oct 2009 08:25:43 -0700 Subject: [PATCH 07/15] When activating the ldap identity provider, change the ownership of all items to the first defined admin user. Also remove unused files and debugging statements. --- .../ldap/libraries/drivers/Identity/Ldap.php | 11 +- .../drivers/UserGroupStorage/Ldap.php | 110 ------------------ 2 files changed, 7 insertions(+), 114 deletions(-) delete mode 100644 modules/ldap/libraries/drivers/UserGroupStorage/Ldap.php diff --git a/modules/ldap/libraries/drivers/Identity/Ldap.php b/modules/ldap/libraries/drivers/Identity/Ldap.php index 2615c4d7..36d6a9a3 100644 --- a/modules/ldap/libraries/drivers/Identity/Ldap.php +++ b/modules/ldap/libraries/drivers/Identity/Ldap.php @@ -40,11 +40,13 @@ class Identity_Ldap_Driver implements Identity_Driver { public function activate() { foreach (self::$_params["groups"] as $group_name) { $root = item::root(); - $group = Identity::lookup_group_by_name($group_name); + $group = self::lookup_group_by_name($group_name); module::event("group_created", $group); access::allow($group, "view", $root); access::allow($group, "view_full", $root); } + $admin = self::lookup_user_by_name(self::$_params["admins"][0]); + Database::instance()->query("UPDATE {items} SET owner_id = {$admin->id}"); } /** @@ -53,7 +55,7 @@ class Identity_Ldap_Driver implements Identity_Driver { public function deactivate() { // Delete all groups so that we give other modules an opportunity to clean up foreach (self::$_params["groups"] as $group_name) { - $group = Identity::lookup_group_by_name($group_name); + $group = self::lookup_group_by_name($group_name); module::event("group_deleted", $group); } } @@ -129,7 +131,6 @@ class Identity_Ldap_Driver implements Identity_Driver { * @see Identity_Driver::everybody. */ public function everybody() { - Kohana::log("alert", "Ldap_Identity_Driver::everybody"); return self::lookup_group_by_name(self::$_params["everybody_group"]); } 
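Review bot: In `activate()` the added `$admin = self::lookup_user_by_name(self::$_params["admins"][0]);` can be null when the configured admin uid is not in the directory (that lookup returns null on a miss), and the next line interpolates `{$admin->id}` into `UPDATE {items} SET owner_id = ...`, yielding a property-of-non-object notice and a syntactically broken statement; even on success the value comes from an LDAP attribute and is never validated before reaching SQL. Fail before touching the table and cast the id: `if (!$admin) { throw new Exception("@todo LDAP_ADMIN_NOT_FOUND"); }` followed by `Database::instance()->query("UPDATE {items} SET owner_id = " . (int) $admin->id);`. The same two lines recur in PATCH 09's `activate()` and in `ldap_installer::install()` (PATCH 12 and 14).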
@@ -156,7 +157,9 @@ class Identity_Ldap_Driver implements Identity_Driver { } /** - * @see Identity_Driver::lookup_group_by_name. + * Look up the group by name. + * @param string $name the name of the group to locate + * @return Group_Definition */ static function lookup_group_by_name($name) { $result = @ldap_search(self::$_connection, self::$_params["group_domain"], "cn=$name"); diff --git a/modules/ldap/libraries/drivers/UserGroupStorage/Ldap.php b/modules/ldap/libraries/drivers/UserGroupStorage/Ldap.php deleted file mode 100644 index eab23107..00000000 --- a/modules/ldap/libraries/drivers/UserGroupStorage/Ldap.php +++ /dev/null 
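Review bot: The new docblock on `lookup_group_by_name()` declares `@return Group_Definition`, but the body (continuing past this hunk) returns null when no entry matches, so it should read `@return Group_Definition|null  null when no group with that cn exists`. It is also worth stating on `@param string $name` that the value is placed into the search filter unescaped, so callers must pass configured names only.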
@@ -1,110 +0,0 @@ -get("group_ids"))) { - - $ids = array(); - foreach (user::active()->groups as $group) { - $ids[] = $group->id; - } - $session->set("group_ids", $ids); - } - return $ids; - } - - public function active_user() { - $session = Session::instance(); - $user = $session->get("user", null); - if (!isset($user)) { - // Don't do this as a fallback in the Session::get() call because it can trigger unnecessary - // work. - $session->set("user", $user = user::guest()); - } - return $user; - } - - public function guest_user() { - return ldap::guest(); - } - - public function set_active_user($user) { - $session = Session::instance(); - $session->set("user", $user); - $session->delete("group_ids"); - } - - public function create_user($name, $full_name, $password) { - throw new Exception("@todo UNSUPPORTED"); - } - - public function is_correct_password($user, $password) { - try { - return ldap_bind(ldap::connection(), - "uid={$user->name}," . Kohana::config("ldap.user_domain"), - $password); - } catch (Exception $e) { - // Authentication failure - } - return false; - } - - public function login($user) { - user::set_active($user); - } - - public function logout() { - try { - Session::instance()->destroy(); - } catch (Exception $e) { - Kohana::log("error", $e); - } - } - - public function lookup_user($id) { - return ldap::lookup_user($id); - } - - public function lookup_user_by_name($name) { - return ldap::lookup_user_by_name($name); - } - - public function lookup_group($id) { - return ldap::lookup_group($id); - } - - public function lookup_group_by_name($name) { - return ldap::lookup_group_by_name($name); - } - - public function create_group($name) { - throw new Exception("@todo UNSUPPORTED"); - } - - public function everybody_group() { - return ldap::everybody_group(); - } - - public function registered_users_group() { - return ldap::registered_users_group(); - } -} From 209825bf500e4c9d90a826dc0a9252a0a0f2da8e Mon Sep 17 00:00:00 2001 
From: Tim Almdal Date: Wed, 21 Oct 2009 09:12:08 -0700 Subject: [PATCH 08/15] Clean up problems with the module.info file that would cause the unit tests to fail. --- modules/tag_cloud/module.info | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/tag_cloud/module.info b/modules/tag_cloud/module.info index 727b9eef..af8f9ce1 100644 --- a/modules/tag_cloud/module.info +++ b/modules/tag_cloud/module.info @@ -1,4 +1,3 @@ -name = Tag Cloud +name = "Tag Cloud" description = "3D tag cloud" - version = 1 From 5b62f010ccad23a7975d716e6a78b64b1defe705 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Wed, 21 Oct 2009 16:06:29 -0700 Subject: [PATCH 09/15] Convert methods to instance methods instead of static to be consistent with the Identity interface. Clean up a copy/paste error to get the auhtorized list of groups. --- .../ldap/libraries/drivers/Identity/Ldap.php | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/modules/ldap/libraries/drivers/Identity/Ldap.php b/modules/ldap/libraries/drivers/Identity/Ldap.php index 36d6a9a3..5160f089 100644 --- a/modules/ldap/libraries/drivers/Identity/Ldap.php +++ b/modules/ldap/libraries/drivers/Identity/Ldap.php @@ -40,12 +40,12 @@ class Identity_Ldap_Driver implements Identity_Driver { public function activate() { foreach (self::$_params["groups"] as $group_name) { $root = item::root(); - $group = self::lookup_group_by_name($group_name); + $group = $this->lookup_group_by_name($group_name); module::event("group_created", $group); access::allow($group, "view", $root); access::allow($group, "view_full", $root); } - $admin = self::lookup_user_by_name(self::$_params["admins"][0]); + $admin = $this->lookup_user_by_name(self::$_params["admins"][0]); Database::instance()->query("UPDATE {items} SET owner_id = {$admin->id}"); } 
@@ -55,7 +55,7 @@ class Identity_Ldap_Driver implements Identity_Driver { public function deactivate() { // Delete all groups so that we give other modules an opportunity to clean up foreach (self::$_params["groups"] as $group_name) { - $group = self::lookup_group_by_name($group_name); + $group = $this->lookup_group_by_name($group_name); module::event("group_deleted", $group); } } @@ -131,20 +131,20 @@ class Identity_Ldap_Driver implements Identity_Driver { * @see Identity_Driver::everybody. */ public function everybody() { - return self::lookup_group_by_name(self::$_params["everybody_group"]); + return $this->lookup_group_by_name(self::$_params["everybody_group"]); } /** * @see Identity_Driver::registered_users. */ public function registered_users() { - return self::lookup_group_by_name(self::$_params["registered_users_group"]); + return $this->lookup_group_by_name(self::$_params["registered_users_group"]); } /** * @see Identity_Driver::lookup_group. */ - static function lookup_group($id) { + public function lookup_group($id) { $result = @ldap_search(self::$_connection, self::$_params["group_domain"], "gidNumber=$id"); $entry_id = ldap_first_entry(self::$_connection, $result); @@ -161,7 +161,7 @@ class Identity_Ldap_Driver implements Identity_Driver { * @param string $name the name of the group to locate * @return Group_Definition */ - static function lookup_group_by_name($name) { + public function lookup_group_by_name($name) { $result = @ldap_search(self::$_connection, self::$_params["group_domain"], "cn=$name"); $entry_id = ldap_first_entry(self::$_connection, $result); @@ -179,7 +179,7 @@ class Identity_Ldap_Driver implements Identity_Driver { public function get_user_list($ids) { $users = array(); foreach ($ids as $id) { - $users[] = self::lookup_user($id); + $users[] = $this->lookup_user($id); } return $users; } 
@@ -187,11 +187,11 @@ class Identity_Ldap_Driver implements Identity_Driver { /** * @see Identity_Driver::groups. */ - static function groups() { + public function groups() { $groups = array(); foreach (self::$_params["groups"] as $group_name) { $root = item::root(); - $groups[] = Identity::lookup_group_by_name($group_name); + $groups[] = $this->lookup_group_by_name($group_name); } return $groups; } @@ -200,7 +200,7 @@ class Identity_Ldap_Driver implements Identity_Driver { $result = ldap_search(self::$_connection, self::$_params["group_domain"], "(memberUid=$user->name)"); - $associated_groups = Kohana::config("ldap.groups"); + $associated_groups = self::$_params["groups"]; $groups = array(); for ($entry_id = ldap_first_entry(self::$_connection, $result); $entry_id != false; From 57f331250d9ee6c4b884bbe822bdb232bb5f865f Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Thu, 22 Oct 2009 13:08:22 -0700 Subject: [PATCH 10/15] Change the name of identity library from Identity to IdentityProvider. Create a helper class called identity to simplify call the Identity Provider. Move the contents of MY_Session.php to the new helper class and remove the MY_Session class --- .../{Identity => IdentityProvider}/Ldap.php | 33 ++++++++++--------- 1 file changed, 17 insertions(+), 16 deletions(-) rename modules/ldap/libraries/drivers/{Identity => IdentityProvider}/Ldap.php (88%) diff --git a/modules/ldap/libraries/drivers/Identity/Ldap.php b/modules/ldap/libraries/drivers/IdentityProvider/Ldap.php similarity index 88% rename from modules/ldap/libraries/drivers/Identity/Ldap.php rename to modules/ldap/libraries/drivers/IdentityProvider/Ldap.php index 5160f089..121ae31a 100644 --- a/modules/ldap/libraries/drivers/Identity/Ldap.php +++ b/modules/ldap/libraries/drivers/IdentityProvider/Ldap.php 
@@ -17,7 +17,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. */ -class Identity_Ldap_Driver implements Identity_Driver { +class IdentityProvider_Ldap_Driver implements IdentityProvider_Driver { static $_params; private static $_connection; private static $_guest_user; @@ -35,7 +35,7 @@ class Identity_Ldap_Driver implements Identity_Driver { } /** - * @see Identity_Driver::activate. + * @see IdentityProvider_Driver::activate. */ public function activate() { foreach (self::$_params["groups"] as $group_name) { @@ -50,7 +50,7 @@ class Identity_Ldap_Driver implements Identity_Driver { } /** - * @see Identity_Driver::deactivate. + * @see IdentityProvider_Driver::deactivate. */ public function deactivate() { // Delete all groups so that we give other modules an opportunity to clean up @@ -61,7 +61,7 @@ class Identity_Ldap_Driver implements Identity_Driver { } /** - * @see Identity_Driver::guest. + * @see IdentityProvider_Driver::guest. */ public function guest() { if (empty(self::$_guest_user)) { @@ -77,14 +77,14 @@ class Identity_Ldap_Driver implements Identity_Driver { } /** - * @see Identity_Driver::create_user. + * @see IdentityProvider_Driver::create_user. */ public function create_user($name, $full_name, $password) { throw new Exception("@todo INVALID OPERATION"); } /** - * @see Identity_Driver::is_correct_password. + * @see IdentityProvider_Driver::is_correct_password. */ public function is_correct_password($user, $password) { $connection = ldap_connect(self::$_params["url"]); @@ -96,7 +96,7 @@ class Identity_Ldap_Driver implements Identity_Driver { } /** - * @see Identity_Driver::lookup_user. + * @see IdentityProvider_Driver::lookup_user. */ public function lookup_user($id) { $result = ldap_search(self::$_connection, self::$_params["user_domain"], "uidNumber=$id"); 
@@ -109,7 +109,7 @@ class Identity_Ldap_Driver implements Identity_Driver { } /** - * @see Identity_Driver::lookup_user_by_name. + * @see IdentityProvider_Driver::lookup_user_by_name. */ public function lookup_user_by_name($name) { $result = ldap_search(self::$_connection, self::$_params["user_domain"], "uid=$name"); @@ -121,28 +121,28 @@ class Identity_Ldap_Driver implements Identity_Driver { } /** - * @see Identity_Driver::create_group. + * @see IdentityProvider_Driver::create_group. */ public function create_group($name) { throw new Exception("@todo INVALID OPERATION"); } /** - * @see Identity_Driver::everybody. + * @see IdentityProvider_Driver::everybody. */ public function everybody() { return $this->lookup_group_by_name(self::$_params["everybody_group"]); } /** - * @see Identity_Driver::registered_users. + * @see IdentityProvider_Driver::registered_users. */ public function registered_users() { return $this->lookup_group_by_name(self::$_params["registered_users_group"]); } /** - * @see Identity_Driver::lookup_group. + * @see IdentityProvider_Driver::lookup_group. */ public function lookup_group($id) { $result = @ldap_search(self::$_connection, self::$_params["group_domain"], "gidNumber=$id"); @@ -174,7 +174,7 @@ class Identity_Ldap_Driver implements Identity_Driver { } /** - * @see Identity_Driver::get_user_list. + * @see IdentityProvider_Driver::get_user_list. */ public function get_user_list($ids) { $users = array(); @@ -185,7 +185,7 @@ class Identity_Ldap_Driver implements Identity_Driver { } /** - * @see Identity_Driver::groups. + * @see IdentityProvider_Driver::groups. */ public function groups() { $groups = array(); 
@@ -238,13 +238,14 @@ class Ldap_User implements User_Definition { return $this->ldap_entry["uidnumber"][0]; case "groups": - return Identity_Ldap_Driver::groups_for($this); + return IdentityProvider_Ldap_Driver::groups_for($this); case "locale": // @todo return null; case "admin": - return in_array($this->ldap_entry["uid"][0], Identity_Ldap_Driver::$_params["admins"]); + return in_array($this->ldap_entry["uid"][0], + IdentityProvider_Ldap_Driver::$_params["admins"]); case "dn": return $this->ldap_entry["dn"]; From 952322cd95dfd7323f8b592e316679f5c270653c Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Fri, 23 Oct 2009 06:17:21 -0700 Subject: [PATCH 11/15] If the user name is "admin", then use the first user name in the 'admins' driver parameter. --- .../drivers/IdentityProvider/Ldap.php | 32 ++++--------------- 1 file changed, 6 insertions(+), 26 deletions(-) diff --git a/modules/ldap/libraries/drivers/IdentityProvider/Ldap.php b/modules/ldap/libraries/drivers/IdentityProvider/Ldap.php index 121ae31a..38139916 100644 --- a/modules/ldap/libraries/drivers/IdentityProvider/Ldap.php +++ b/modules/ldap/libraries/drivers/IdentityProvider/Ldap.php 
@@ -34,32 +34,6 @@ class IdentityProvider_Ldap_Driver implements IdentityProvider_Driver { ldap_bind(self::$_connection); } - /** - * @see IdentityProvider_Driver::activate. - */ - public function activate() { - foreach (self::$_params["groups"] as $group_name) { - $root = item::root(); - $group = $this->lookup_group_by_name($group_name); - module::event("group_created", $group); - access::allow($group, "view", $root); - access::allow($group, "view_full", $root); - } - $admin = $this->lookup_user_by_name(self::$_params["admins"][0]); - Database::instance()->query("UPDATE {items} SET owner_id = {$admin->id}"); - } - - /** - * @see IdentityProvider_Driver::deactivate. - */ - public function deactivate() { - // Delete all groups so that we give other modules an opportunity to clean up - foreach (self::$_params["groups"] as $group_name) { - $group = $this->lookup_group_by_name($group_name); - module::event("group_deleted", $group); - } - } - /** * @see IdentityProvider_Driver::guest. */ @@ -110,8 +84,14 @@ class IdentityProvider_Ldap_Driver implements IdentityProvider_Driver { /** * @see IdentityProvider_Driver::lookup_user_by_name. + * + * Special processing: if the supplied name is admin then look up the first user + * specified by the "admins" driver params */ public function lookup_user_by_name($name) { + if ($name == "admin") { + $name = self::$_params["admins"][0]; + } $result = ldap_search(self::$_connection, self::$_params["user_domain"], "uid=$name"); $entries = ldap_get_entries(self::$_connection, $result); if ($entries["count"] > 0) { From 0b3bb9a64301ccfb47a197e3cc032b10e3549e13 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Sun, 25 Oct 2009 10:47:08 -0700 Subject: [PATCH 12/15] Forgot to check this in, which will help Bharat's review. --- modules/ldap/helpers/ldap_installer.php | 40 +++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 modules/ldap/helpers/ldap_installer.php 
diff --git a/modules/ldap/helpers/ldap_installer.php b/modules/ldap/helpers/ldap_installer.php new file mode 100644 index 00000000..7f86cb3d --- /dev/null +++ b/modules/ldap/helpers/ldap_installer.php @@ -0,0 +1,40 @@ +query("UPDATE {items} SET owner_id = {$admin->id}"); + } + + static function uninstall() { + // Delete all groups so that we give other modules an opportunity to clean up + foreach (identity::groups() as $group) { + module::event("group_deleted", $group); + } + } +} \ No newline at end of file From 93082a12f1322b00c1777cea8076e0264787f646 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Tue, 27 Oct 2009 07:16:50 -0700 Subject: [PATCH 13/15] Add an get_admin_user api call and use it to determine the admin user instead of calling lookup by name with a hardcoded name. --- .../ldap/libraries/drivers/IdentityProvider/Ldap.php | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/modules/ldap/libraries/drivers/IdentityProvider/Ldap.php b/modules/ldap/libraries/drivers/IdentityProvider/Ldap.php index 38139916..60bfe432 100644 --- a/modules/ldap/libraries/drivers/IdentityProvider/Ldap.php +++ b/modules/ldap/libraries/drivers/IdentityProvider/Ldap.php @@ -50,6 +50,13 @@ class IdentityProvider_Ldap_Driver implements IdentityProvider_Driver { return self::$_guest_user; } + /** + * @see IdentityProvider_Driver::admin_user. + */ + public function admin_user() { + return self::lookup_user_by_name(self::$_params["admins"][0];); + } + /** * @see IdentityProvider_Driver::create_user. */ @@ -89,9 +96,6 @@ class IdentityProvider_Ldap_Driver implements IdentityProvider_Driver { * specified by the "admins" driver params */ public function lookup_user_by_name($name) { - if ($name == "admin") { - $name = self::$_params["admins"][0]; - } $result = ldap_search(self::$_connection, self::$_params["user_domain"], "uid=$name"); $entries = ldap_get_entries(self::$_connection, $result); if ($entries["count"] > 0) { 
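Review bot: `admin_user()` has a stray semicolon inside the call, `self::$_params["admins"][0];)`, which is a parse error and takes the whole driver down on load. Beyond that, `self::lookup_user_by_name(...)` invokes an instance method statically — tolerated with E_STRICT in PHP 5 but an `Error` in PHP 8 — so write `return $this->lookup_user_by_name(self::$_params["admins"][0]);`, and consider guarding an empty `admins` list, since `[0]` on an empty array only notices and then looks up an empty name.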
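Review bot: This hunk removes the `"admin"` aliasing from `lookup_user_by_name()` but leaves the docblock paragraph "Special processing: if the supplied name is admin then look up the first user specified by the "admins" driver params" in place, which now describes behaviour that lives in `admin_user()`. Drop those doc lines, or replace them with `* The name is used as-is; see admin_user() for the configured administrator.`.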
From 9ea73e5effb18c8dd345e0a54c834f914d6fb166 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Tue, 27 Oct 2009 07:30:13 -0700 Subject: [PATCH 14/15] Change the name of the get adminsitrator function to admin_user (it was easier to change it here than everywhere else." --- modules/ldap/helpers/ldap_installer.php | 4 ++-- modules/ldap/libraries/drivers/IdentityProvider/Ldap.php | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/ldap/helpers/ldap_installer.php b/modules/ldap/helpers/ldap_installer.php index 7f86cb3d..cc227960 100644 --- a/modules/ldap/helpers/ldap_installer.php +++ b/modules/ldap/helpers/ldap_installer.php @@ -26,8 +26,8 @@ class ldap_installer { access::allow($group, "view", $root); access::allow($group, "view_full", $root); } - - $admin = identity::lookup_user_by_name("admin"); + // Let the admin own everything + $admin = identity::admin_user(); Database::instance()->query("UPDATE {items} SET owner_id = {$admin->id}"); } diff --git a/modules/ldap/libraries/drivers/IdentityProvider/Ldap.php b/modules/ldap/libraries/drivers/IdentityProvider/Ldap.php index 60bfe432..11b59c3a 100644 --- a/modules/ldap/libraries/drivers/IdentityProvider/Ldap.php +++ b/modules/ldap/libraries/drivers/IdentityProvider/Ldap.php @@ -54,7 +54,7 @@ class IdentityProvider_Ldap_Driver implements IdentityProvider_Driver { * @see IdentityProvider_Driver::admin_user. */ public function admin_user() { - return self::lookup_user_by_name(self::$_params["admins"][0];); + return self::lookup_user_by_name(self::$_params["admins"][0]); } /** From 7a3fd9d2ede1cc6a65680ec8a66389081abd6d0a Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Tue, 27 Oct 2009 07:57:21 -0700 Subject: [PATCH 15/15] Add a flag in the module.info (no_module_admin) to indicate that this module shouldn't be managed by the default module administration screen. This module will always be locked on that screen. --- modules/ldap/module.info | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/modules/ldap/module.info b/modules/ldap/module.info
index 06fa311b..1b7bef08 100644
--- a/modules/ldap/module.info
+++ b/modules/ldap/module.info
@@ -1,3 +1,6 @@
 name = "LDAP"
 description = "Use LDAP for authentication"
 version = 1
+
+; Don't show this module on the module administration screen
+no_module_admin = 1