13483ff4e71af49ecfea38afa6fd2b19ede5589e
 app/models/auth_source_ldap.rb |   47 +++++++++++++-----------
 app/models/user.rb             |   19 ++++++----
 config/database.yml            |    9 +++++
 config/email.yml               |   78 ++++++++++++++++++++++++++++++++++++++++
 redmine.kpf                    |    9 +++++
 5 files changed, 133 insertions(+), 29 deletions(-)

diff --git a/app/models/auth_source_ldap.rb b/app/models/auth_source_ldap.rb
index f3de770..d42e939 100644
--- a/app/models/auth_source_ldap.rb
+++ b/app/models/auth_source_ldap.rb
@@ -33,9 +33,9 @@ class AuthSourceLdap < AuthSource
   
   def authenticate(login, password)
     return nil if login.blank? || password.blank?
-    attrs = get_user_dn(login)
+    attrs = get_user_dn(login, password)
     
-    if attrs && attrs[:dn] && authenticate_dn(attrs[:dn], password)
+    if attrs && attrs[:dn]
       logger.debug "Authentication successful for '#{login}'" if logger && logger.debug?
       return attrs.except(:dn)
     end
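Review bot: With `authenticate_dn` removed in the second hunk, the success test `if attrs && attrs[:dn]` rests entirely on `get_user_dn` returning a `:dn` only after a successful `bind_as`, so the guard `return nil if login.blank? || password.blank?` above is now the only thing keeping an empty password from reaching the directory bind. That is worth stating on the guard itself, e.g. `# Empty password must never reach bind_as: an unauthenticated simple bind can succeed as anonymous on many directories`. Whether the `onthefly_register?` path's attribute hash always carries `:dn` is decided by `get_user_attributes_from_ldap_entry`, which is not visible here. The `authenticate` method continues past the end of this hunk.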
@@ -92,33 +92,36 @@ class AuthSourceLdap < AuthSource
     end
   end
 
-  # Check if a DN (user record) authenticates with the password
-  def authenticate_dn(dn, password)
-    if dn.present? && password.present?
-      initialize_ldap_con(dn, password).bind
-    end
-  end
-
   # Get the user's dn and any attributes for them, given their login
-  def get_user_dn(login)
-    ldap_con = initialize_ldap_con(self.account, self.account_password)
-    login_filter = Net::LDAP::Filter.eq( self.attr_login, login ) 
-    object_filter = Net::LDAP::Filter.eq( "objectClass", "*" ) 
+  def get_user_dn(login, password)
+    ldap = Net::LDAP.new
+    ldap.host = self.host
+    ldap.port = self.port
+    ldap.auth self.account, self.account_password
+
+    result = ldap.bind_as(
+	  :base => "o=neusoft.com",
+	  :filter => '(uid='+login+')',
+	  :password => password
+    )
+
     attrs = {}
+    if result
+      login_filter = Net::LDAP::Filter.eq( self.attr_login, login ) 
+      object_filter = Net::LDAP::Filter.eq( "objectClass", "*" )
     
-    ldap_con.search( :base => self.base_dn, 
+      ldap.search( :base => self.base_dn, 
                      :filter => object_filter & login_filter, 
                      :attributes=> search_attributes) do |entry|
-
-      if onthefly_register?
-        attrs = get_user_attributes_from_ldap_entry(entry)
-      else
-        attrs = {:dn => entry.dn}
+        if onthefly_register?
+          attrs = get_user_attributes_from_ldap_entry(entry)
+        else
+          attrs = {:dn => entry.dn}
+        end
+        
+        logger.debug "DN found for #{login}: #{attrs[:dn]}" if logger && logger.debug?
       end
-
-      logger.debug "DN found for #{login}: #{attrs[:dn]}" if logger && logger.debug?
     end
-
     attrs
   end
   
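Review bot: The `bind_as` filter `:filter => '(uid='+login+')'` splices the user-supplied login straight into an LDAP filter string, so characters such as `*`, `(`, `)` or `\` in the login change the query; the removed code and the second search in this same method build the lookup with `Net::LDAP::Filter.eq(self.attr_login, login)`, and the bind should use that form too (escaping the value with `Net::LDAP::Filter.escape` if the installed net-ldap provides it). The base is also hard-coded to `"o=neusoft.com"` and the attribute to `uid`, while the rest of the method uses the configured `self.base_dn` and `self.attr_login`, so an installation with a different base or login attribute will never bind. Replace the two arguments with `:base => self.base_dn,` and `:filter => Net::LDAP::Filter.eq(self.attr_login, login),`. The new `Net::LDAP.new` sets only host, port and auth, whereas the removed `initialize_ldap_con` helper presumably also applied the source's TLS setting — worth confirming, since that helper is not visible in this hunk.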
diff --git a/app/models/user.rb b/app/models/user.rb
index c912da8..9172ca0 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -112,19 +112,24 @@ class User < Principal
     # Make sure no one can sign in with an empty password
     return nil if password.to_s.empty?
     user = find_by_login(login)
+    attrs = AuthSource.authenticate(login, password)
     if user
       # user is already in local database
       return nil if !user.active?
-      if user.auth_source
-        # user has an external authentication method
-        return nil unless user.auth_source.authenticate(login, password)
+      if attrs
+        user.reload
+        logger.info("User '#{user.login}' created from external auth source: #{user.auth_source.type} - #{user.auth_source.name}") if logger && user.auth_source
       else
-        # authentication with local password
-        return nil unless User.hash_password(password) == user.hashed_password        
-      end
+		if user.auth_source
+		  # user has an external authentication method
+		  return nil unless user.auth_source.authenticate(login, password)
+		else
+		  # authentication with local password
+		  return nil unless User.hash_password(password) == user.hashed_password        
+		end
+	  end
     else
       # user is not yet registered, try to authenticate with available sources
-      attrs = AuthSource.authenticate(login, password)
       if attrs
         user = new(attrs)
         user.login = login
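Review bot: The new `if attrs` branch (the lines `user.reload` and the `logger.info(...)`) lets any existing, active user in whenever `AuthSource.authenticate(login, password)` succeeds, without checking that the source which answered is `user.auth_source`; a user configured for local-password authentication (no `auth_source`) whose login also exists in an external source would be accepted on the external password, and every local login now also triggers a directory round-trip. The logged message "created from external auth source" is also misleading on this path, which is the existing-user path. The simpler fix is to restore the original order — call `AuthSource.authenticate` only in the `else` (user not yet registered) branch, as the removed line `attrs = AuthSource.authenticate(login, password)` did — and if the intent is to let external auth refresh existing users, compare `user.auth_source` against the source that actually authenticated. The re-indented `if user.auth_source ... end` block is tab-indented while the surrounding file uses two spaces. The enclosing method starts before and ends after this hunk.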
