From 68dcf25331d671f5896edd0325d73f895e367a99 Mon Sep 17 00:00:00 2001
From: Spitap
Date: Sat, 30 May 2026 18:38:37 +0200
Subject: [PATCH] Update LoginBaseDnRule.php

---
 app/Ldap/Rules/LoginBaseDnRule.php | 36 ++++++++++++++++++++++++++++++
 app/Ldap/Rules/LoginGroupRule.php | 35 +++++++++++++++++++++++++++++
 config/auth.php | 2 ++
 config/pla.php | 4 ++++
 4 files changed, 77 insertions(+)
 create mode 100644 app/Ldap/Rules/LoginBaseDnRule.php
 create mode 100644 app/Ldap/Rules/LoginGroupRule.php

diff --git a/app/Ldap/Rules/LoginBaseDnRule.php b/app/Ldap/Rules/LoginBaseDnRule.php
new file mode 100644
index 00000000..e051a71e
--- /dev/null
+++ b/app/Ldap/Rules/LoginBaseDnRule.php
@@ -0,0 +1,36 @@
+getDn();
+ $result = str_ends_with($user_dn, $x);
+
+ if (!$result)
+ \Log::alert(sprintf('%s:User login denied for [%s], not in the base dn (%s)',self::LOGKEY,$user_dn,$x));
+
+ return $result;
+
+ // Otherwise allow the user to login
+ } else {
+ \Log::debug(sprintf('%s:No login base dn rule, permitting login',self::LOGKEY));
+
+ return TRUE;
+ }
+ }
+}
diff --git a/app/Ldap/Rules/LoginGroupRule.php b/app/Ldap/Rules/LoginGroupRule.php
new file mode 100644
index 00000000..487230d6
--- /dev/null
+++ b/app/Ldap/Rules/LoginGroupRule.php
@@ -0,0 +1,35 @@
+groups()->exists($x);
+
+ if (!$result)
+ \Log::alert(sprintf('%s:User login denied for [%s], not using the approved group: %s',self::LOGKEY,$user->getDN(),$x));
+
+ return $result;
+
+ // Otherwise allow the user to login
+ } else {
+ \Log::debug(sprintf('%s:No login group rule, permitting login',self::LOGKEY));
+
+ return TRUE;
+ }
+ }
+}
diff --git a/config/auth.php b/config/auth.php
index dc43bf94..5d3c9f4c 100644
--- a/config/auth.php
+++ b/config/auth.php
@@ -75,6 +75,8 @@
 'model' => App\Ldap\User::class,
 'rules' => [
 App\Ldap\Rules\LoginObjectclassRule::class,
+ App\Ldap\Rules\LoginGroupRule::class,
+ App\Ldap\Rules\LoginBaseDnRule::class,
 ],
 ],
 ],
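Review bot: `str_ends_with($user_dn, $x)` is a byte-wise suffix test, not a DN containment test: it is case-sensitive although DN attribute types (and normally their values) compare case-insensitively, so a configured base whose casing differs from the directory's denies every login, and it matches at any character boundary instead of an RDN boundary, so a DN is accepted whenever its text merely ends with the configured string even when that base is not an actual ancestor. The hunk appears truncated at its start (it opens at `getDn();`), so the `passes()` signature and the lookup that assigns `$x` are outside what is shown. A minimal fix that covers both the equal-DN and the descendant case is to anchor on the RDN separator after normalising case, `$result = str_ends_with(strtolower(',' . $user_dn), strtolower(',' . $x));`, or to use the LdapRecord model's DN-aware ancestry helper if the installed version provides one, which also copes with escaping and whitespace around separators. Separately, `return TRUE;` should be lowercase `true` per PSR-12.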
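Review bot: `$user->groups()->exists($x)` tests only the membership the `groups()` relation exposes, which for a memberOf-style relation is direct membership, so a user who belongs to the configured group through a nested group is denied; if nested membership is intended, the relation has to be resolved recursively before the check. `exists()` is handed the raw config value, which means `LDAP_LOGIN_GROUP` must be the group's full DN rather than a name, and the `config/pla.php` comment on this page does not say so; a doc line such as `// Full DN of the group a user must be a member of to login (null if unrestricted)` would close that gap. This hunk also opens mid-method at `groups()->exists($x);`, so the signature and the assignment of `$x` are not shown. Minor: this file logs `$user->getDN()` while `LoginBaseDnRule` uses `getDn()`; both resolve, but one spelling should be used.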
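Review bot: The two new rules are registered with `LoginGroupRule` ahead of `LoginBaseDnRule`, so a user outside the configured base is rejected only after the group-membership test has run, which — if `groups()->exists()` resolves against the directory, as it appears to — costs an extra LDAP round trip for every such attempt and means a user failing both checks is logged as a group denial rather than a base-DN denial. The base-DN check is a string comparison on a DN the user object already carries, so listing `App\Ldap\Rules\LoginBaseDnRule::class` before `App\Ldap\Rules\LoginGroupRule::class` is the cheaper order and fails fast.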
diff --git a/config/pla.php b/config/pla.php
index dd4878b3..5853791e 100644
--- a/config/pla.php
+++ b/config/pla.php
@@ -107,6 +107,10 @@
 'objectclass' => explode(',',env('LDAP_LOGIN_OBJECTCLASS', 'posixAccount')),
 // Alert if DN is being used, and the login fails, and the the DN doesnt exist
 'alert_rootdn' => env('LDAP_ALERT_ROOTDN',TRUE) && strtolower(env('LDAP_LOGIN_ATTR','uid')) === 'dn',
+ // Group that users must be part of to login (null if unrestricted)
+ 'group' => env('LDAP_LOGIN_GROUP', null),
+ // Base DN for allowed logins (will default to RootDN if null)
+ 'base' => env('LDAP_LOGIN_BASE_DN', null),
 ],
 /*
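Review bot: The comment on `'base'` says it "will default to RootDN if null", but the `LoginBaseDnRule` hunk on this page treats a null value as "No login base dn rule, permitting login", so either the defaulting is missing or the comment is wrong. If the default is intended, resolve it here, e.g. `'base' => env('LDAP_LOGIN_BASE_DN', env('<ROOT_DN_ENV_VAR>'))` with the project's root-DN variable substituted for the placeholder; otherwise align the comment with the `'group'` one: `// Base DN that users must reside under to login (null if unrestricted)`. The `'group'` comment should also state that the value must be the group's full DN, since the rule passes it straight to the relation's `exists()` check. `env('LDAP_LOGIN_GROUP', null)` and `env('LDAP_LOGIN_BASE_DN', null)` can drop the explicit `null`, which is already `env()`'s default.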