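--- a/app/Ldap/Rules/LoginBaseDnRule.php
+++ b/app/Ldap/Rules/LoginBaseDnRule.php
@@ -0,0 +1,36 @@
+<?php
+
+namespace App\Ldap\Rules;
+
+use Illuminate\Database\Eloquent\Model as Eloquent;
+use LdapRecord\Laravel\Auth\Rule;
+use LdapRecord\Models\Model as LdapRecord;
+
+/**
+* User must be in this end-dn to login
+*
+* The base DN is defined by LDAP_LOGIN_BASE_DN
+*/
+class LoginBaseDnRule implements Rule
+{
+private const LOGKEY = 'LDNR';
+
+public function passes(LdapRecord $user, Eloquent $model = null): bool
+{
+if ($x=config('pla.login.base')) {
+$user_dn = $user->getDn();
+$result = str_ends_with($user_dn, $x);
+
+if (!$result)
+\Log::alert(sprintf('%s:User login denied for [%s], not in the base dn (%s)',self::LOGKEY,$user_dn,$x));
+
+return $result;
+
+// Otherwise allow the user to login
+} else {
+\Log::debug(sprintf('%s:No login base dn rule, permitting login',self::LOGKEY));
+
+return TRUE;
+}
+}
+}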
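Review bot: The suffix test `$result = str_ends_with($user_dn, $x);` accepts any DN whose text merely ends with the configured base, so a DN whose last RDN value happens to end with the base string passes, while a DN that differs from the base only in letter case or in spacing after the commas is rejected, although LDAP treats DN components case-insensitively. A tighter check normalises both strings and requires the base to be the whole DN or to follow a comma: `$base = strtolower(trim($x)); $dn = strtolower($user_dn); $result = ($dn === $base) || str_ends_with($dn, ','.$base);` — whether stripping whitespace after commas is also needed depends on how the directory returns DNs, which this file does not show. As a point of style, `Eloquent $model = null` relies on implicit nullability, which PHP 8.4 deprecates; `?Eloquent $model = null` states the intent and also applies to the same signature in LoginGroupRule.php.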
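--- a/app/Ldap/Rules/LoginGroupRule.php
+++ b/app/Ldap/Rules/LoginGroupRule.php
@@ -0,0 +1,35 @@
+<?php
+
+namespace App\Ldap\Rules;
+
+use Illuminate\Database\Eloquent\Model as Eloquent;
+use LdapRecord\Laravel\Auth\Rule;
+use LdapRecord\Models\Model as LdapRecord;
+
+/**
+* User must have this group to login
+*
+* The group is defined by LDAP_LOGIN_GROUP
+*/
+class LoginGroupRule implements Rule
+{
+private const LOGKEY = 'LGR';
+
+public function passes(LdapRecord $user, Eloquent $model = null): bool
+{
+if ($x=config('pla.login.group')) {
+$result = $user->groups()->exists($x);
+
+if (!$result)
+\Log::alert(sprintf('%s:User login denied for [%s], not using the approved group: %s',self::LOGKEY,$user->getDN(),$x));
+
+return $result;
+
+// Otherwise allow the user to login
+} else {
+\Log::debug(sprintf('%s:No login group rule, permitting login',self::LOGKEY));
+
+return TRUE;
+}
+}
+}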
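Review bot: The docblock and the `passes` body leave unstated what form `config('pla.login.group')` must take: `$user->groups()->exists($x)` presumably accepts a group DN, but whether a bare group name is also accepted, and whether nested membership counts, cannot be told from this file, and an operator setting LDAP_LOGIN_GROUP needs to know both. Extend the class docblock to say so once confirmed, e.g. `* The group is defined by LDAP_LOGIN_GROUP (the group's full DN; direct membership only)`. Also, `$user->getDN()` in the alert line is spelled `getDn()` in LoginBaseDnRule.php; PHP resolves both, but one spelling across the two rules reads consistently.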
2 changes: 2 additions & 0 deletions config/auth.php
Expand Up @@ -75,6 +75,8 @@
'model' => App\Ldap\User::class,
'rules' => [
App\Ldap\Rules\LoginObjectclassRule::class,
App\Ldap\Rules\LoginGroupRule::class,
App\Ldap\Rules\LoginBaseDnRule::class,
],
],
],
4 changes: 4 additions & 0 deletions config/pla.php
Expand Up @@ -107,6 +107,10 @@
'objectclass' => explode(',',env('LDAP_LOGIN_OBJECTCLASS', 'posixAccount')),
// Alert if DN is being used, and the login fails, and the the DN doesnt exist
'alert_rootdn' => env('LDAP_ALERT_ROOTDN',TRUE) && strtolower(env('LDAP_LOGIN_ATTR','uid')) === 'dn',
// Group that users must be part of to login (null if unrestricted)
'group' => env('LDAP_LOGIN_GROUP', null),
// Base DN for allowed logins (will default to RootDN if null)
'base' => env('LDAP_LOGIN_BASE_DN', null),
],

/*
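Review bot: The comment on the `'base'` entry, `(will default to RootDN if null)`, does not match what LoginBaseDnRule in this same change does with a null value: the rule logs "No login base dn rule, permitting login" and returns TRUE, so a null base means unrestricted login rather than a fall-back to the root DN. Change it to `// Base DN that a user's DN must end with to login (null if unrestricted)` so the two new entries read alike and an operator is not led to expect a restriction that is not applied. The enclosing `login` array starts and ends outside the hunk.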