Added SASL EXTERNAL authentication support

New auth_type 'sasl_external'. Login is hard-coded as 'external'.
This commit is contained in:
Scott Shambarger 2019-11-03 20:14:12 +00:00 committed by Deon George
parent a8fe6f3274
commit da69ebf06a
4 changed files with 23 additions and 2 deletions


@ -314,6 +314,7 @@ $servers->setValue('server','name','My LDAP Server');
login will be required to use phpLDAPadmin for this server.
5. 'sasl': login will be taken from the webserver's kerberos authentication.
Currently only GSSAPI has been tested (using mod_auth_kerb).
6. 'sasl_external': login will be taken from SASL external mechanism.
Choose wisely to protect your authentication information appropriately for
your situation. If you choose 'cookie', your cookie contents will be
@ -355,6 +356,9 @@ $servers->setValue('server','name','My LDAP Server');
NOTE: auth_type must be simple auth compatible (ie not sasl) */
# $servers->setValue('sasl','mech','PLAIN');
/* SASL EXTERNAL support... really a different auth_type */
# $servers->setValue('login','auth_type','sasl_external');
/* SASL authentication realm name */
// $servers->setValue('sasl','realm','');
# $servers->setValue('sasl','realm','EXAMPLE.COM');


@ -136,6 +136,7 @@ class HTMLTree extends Tree {
case 'config':
case 'proxy':
case 'sasl':
case 'sasl_external':
break;
default:
@ -334,7 +335,7 @@ class HTMLTree extends Tree {
$server = $this->getServer();
$href = sprintf('cmd.php?cmd=logout&server_id=%s',$server->getIndex());
if (! $_SESSION[APPCONFIG]->isCommandAvailable('script','logout') || in_array($server->getAuthType(),array('config','http','proxy','sasl')))
if (! $_SESSION[APPCONFIG]->isCommandAvailable('script','logout') || in_array($server->getAuthType(),array('config','http','proxy','sasl','sasl_external')))
return '';
else
return sprintf('<a href="%s" title="%s"><img src="%s/%s" alt="%s" /><br />%s</a>',
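Review bot: The new in_array() at line 335 still compares loosely; since getAuthType() returns a configuration string and the candidates are fixed literals, the strict form is the safer idiom and makes the intent explicit: `in_array($server->getAuthType(),array('config','http','proxy','sasl','sasl_external'),true)`. A short comment on why 'sasl_external' joins this no-logout list would also help, for example `# sasl_external: identity comes from the connection itself, so there is no session to log out of` (the reason is inferred from the commit, not visible here). Note that the switch at line 136 keeps a similar but not identical list (no 'http'), so a reader has to check both when adding an auth_type. The enclosing method continues past the end of the hunk.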


@ -139,6 +139,7 @@ abstract class DS {
case 'proxy':
case 'session':
case 'sasl':
case 'sasl_external':
return $this->getValue('login','auth_type');
default:
@ -194,6 +195,8 @@ abstract class DS {
else
return blowfish_decrypt($_SESSION['USER'][$this->index][$method]['name']);
case 'sasl_external':
return 'external';
default:
die(sprintf('Error: %s hasnt been configured for auth_type %s',__METHOD__,$this->getAuthType()));
}
@ -215,6 +218,7 @@ abstract class DS {
return true;
case 'config':
case 'sasl_external':
return true;
case 'proxy':
@ -274,6 +278,8 @@ abstract class DS {
else
return blowfish_decrypt($_SESSION['USER'][$this->index][$method]['pass']);
case 'sasl_external':
return '';
default:
die(sprintf('Error: %s hasnt been configured for auth_type %s',__METHOD__,$this->getAuthType()));
}
@ -400,6 +406,7 @@ abstract class DS {
set_cookie($method.'-PASS','',time()-3600,'/');
case 'config':
case 'sasl_external':
return true;
case 'http':
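Review bot: The `return 'external';` added in the hunk at line 195 is a placeholder, not the identity the directory actually authorized, so any caller that displays or logs getLogin() for a sasl_external server will show the string "external" rather than the authenticated DN; a comment should say so, e.g. `# EXTERNAL supplies no login name; the server derives the identity from the connection (TLS client certificate or peer credentials, presumably), so this is only a display value`. The same applies to the empty password returned at line 278, which is correct for EXTERNAL but deserves a one-line note that no credential is stored for this auth_type. The hunks at lines 218 and 406 make this auth_type unconditionally "logged in" and always succeed on logout, which appears to mean the EXTERNAL bind itself is the only access gate — worth stating in a comment at the line 218 case. All four enclosing methods start and end outside their hunks.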


@ -590,6 +590,8 @@ class ldap extends DS {
* $servers->setValue('login','auth_type','sasl');
* OR
* $servers->setValue('sasl','mech','PLAIN');
* OR
* $servers->setValue('login','auth_type','sasl_external');
* </code>
*
* @return boolean
@ -598,7 +600,7 @@ class ldap extends DS {
if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
debug_log('Entered (%%)',17,0,__FILE__,__LINE__,__METHOD__,$fargs);
if (! in_array($this->getValue('login','auth_type'), array('sasl'))) {
if (! in_array($this->getValue('login','auth_type'), array('sasl','sasl_external'))) {
// check if SASL mech uses login from other auth_types
if (! in_array(strtolower($this->getValue('sasl', 'mech')), array('plain')))
return false;
@ -630,6 +632,13 @@ class ldap extends DS {
if ($method == 'anon')
return false;
# EXTERNAL mech is really a different authType
if ($this->getAuthType() == 'sasl_external') {
return @ldap_sasl_bind($resource,NULL,NULL,
'EXTERNAL',NULL,NULL,
$this->getValue('sasl','props'));
}
# At the moment, we have only implemented GSSAPI and PLAIN
if (! in_array(strtolower($this->getValue('sasl','mech')),array('gssapi','plain'))) {
system_message(array(
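Review bot: In the new EXTERNAL branch the value of `$this->getValue('sasl','props')` is passed as the seventh positional argument of ldap_sasl_bind(), which is the SASL authorization id; the security properties are the eighth parameter, so the configured props never reach the bind and whatever is configured there is sent as authz_id instead. Insert a NULL placeholder: `return @ldap_sasl_bind($resource,NULL,NULL,'EXTERNAL',NULL,NULL,NULL,$this->getValue('sasl','props'));`. The `@` also discards the server's reason for rejecting the bind, which is the only error a sasl_external user will ever see; capturing ldap_error($resource) on failure before returning false would make a misconfigured client certificate or peer-credential setup diagnosable (the source of the EXTERNAL identity is inferred, not shown here). The enclosing method starts outside the hunk.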