2018-10-13 08:06:56 -05:00
|
|
|
<?php
|
|
|
|
|
2018-12-31 00:48:23 -06:00
|
|
|
/**
|
2019-10-01 23:38:00 -05:00
|
|
|
* ldap_auth.php
|
2020-03-17 11:06:30 -05:00
|
|
|
* Copyright (c) 2019 james@firefly-iii.org.
|
2018-12-31 00:48:23 -06:00
|
|
|
*
|
2019-10-01 23:38:00 -05:00
|
|
|
* This file is part of Firefly III (https://github.com/firefly-iii).
|
2018-12-31 00:48:23 -06:00
|
|
|
*
|
2019-10-01 23:38:00 -05:00
|
|
|
* This program is free software: you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU Affero General Public License as
|
|
|
|
* published by the Free Software Foundation, either version 3 of the
|
|
|
|
* License, or (at your option) any later version.
|
2018-12-31 00:48:23 -06:00
|
|
|
*
|
2019-10-01 23:38:00 -05:00
|
|
|
* This program is distributed in the hope that it will be useful,
|
2018-12-31 00:48:23 -06:00
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
2019-10-01 23:38:00 -05:00
|
|
|
* GNU Affero General Public License for more details.
|
2018-12-31 00:48:23 -06:00
|
|
|
*
|
2019-10-01 23:38:00 -05:00
|
|
|
* You should have received a copy of the GNU Affero General Public License
|
|
|
|
* along with this program. If not, see <https://www.gnu.org/licenses/>.
|
2018-12-31 00:48:23 -06:00
|
|
|
*/
|
|
|
|
|
|
|
|
declare(strict_types=1);
|
|
|
|
|
2020-08-26 09:07:47 -05:00
|
|
|
use FireflyIII\Scopes\LdapFilterScope;
|
|
|
|
|
2020-03-20 11:31:54 -05:00
|
|
|
use Adldap\Laravel\Events\Authenticated;
|
|
|
|
use Adldap\Laravel\Events\AuthenticatedModelTrashed;
|
|
|
|
use Adldap\Laravel\Events\AuthenticatedWithWindows;
|
|
|
|
use Adldap\Laravel\Events\Authenticating;
|
|
|
|
use Adldap\Laravel\Events\AuthenticationFailed;
|
|
|
|
use Adldap\Laravel\Events\AuthenticationRejected;
|
|
|
|
use Adldap\Laravel\Events\AuthenticationSuccessful;
|
|
|
|
use Adldap\Laravel\Events\DiscoveredWithCredentials;
|
|
|
|
use Adldap\Laravel\Events\Importing;
|
|
|
|
use Adldap\Laravel\Events\Synchronized;
|
|
|
|
use Adldap\Laravel\Events\Synchronizing;
|
|
|
|
use Adldap\Laravel\Listeners\LogAuthenticated;
|
|
|
|
use Adldap\Laravel\Listeners\LogAuthentication;
|
|
|
|
use Adldap\Laravel\Listeners\LogAuthenticationFailure;
|
|
|
|
use Adldap\Laravel\Listeners\LogAuthenticationRejection;
|
|
|
|
use Adldap\Laravel\Listeners\LogAuthenticationSuccess;
|
|
|
|
use Adldap\Laravel\Listeners\LogDiscovery;
|
|
|
|
use Adldap\Laravel\Listeners\LogImport;
|
|
|
|
use Adldap\Laravel\Listeners\LogSynchronized;
|
|
|
|
use Adldap\Laravel\Listeners\LogSynchronizing;
|
|
|
|
use Adldap\Laravel\Listeners\LogTrashedModel;
|
|
|
|
use Adldap\Laravel\Listeners\LogWindowsAuth;
|
2018-10-13 08:06:56 -05:00
|
|
|
use Adldap\Laravel\Scopes\UidScope;
|
|
|
|
use Adldap\Laravel\Scopes\UpnScope;
|
|
|
|
|
|
|
|
// default OpenLDAP scopes.
|
|
|
|
$scopes = [
|
2020-08-26 09:07:47 -05:00
|
|
|
LdapFilterScope::class,
|
2018-10-13 08:06:56 -05:00
|
|
|
UidScope::class,
|
|
|
|
];
|
|
|
|
if ('FreeIPA' === env('ADLDAP_CONNECTION_SCHEME')) {
|
2020-08-26 09:07:47 -05:00
|
|
|
$scopes = [
|
|
|
|
LdapFilterScope::class,
|
|
|
|
];
|
2018-10-13 08:06:56 -05:00
|
|
|
}
|
|
|
|
if ('ActiveDirectory' === env('ADLDAP_CONNECTION_SCHEME')) {
|
|
|
|
$scopes = [
|
2020-08-26 09:07:47 -05:00
|
|
|
LdapFilterScope::class,
|
2018-10-13 08:06:56 -05:00
|
|
|
UpnScope::class,
|
|
|
|
];
|
|
|
|
}
|
|
|
|
|
|
|
|
return [
|
|
|
|
/*
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
| Connection
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
| The LDAP connection to use for laravel authentication.
|
|
|
|
|
|
|
|
|
| You must specify connections in your `config/adldap.php` configuration file.
|
|
|
|
|
|
|
|
|
| This must be a string.
|
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
'connection' => envNonEmpty('ADLDAP_CONNECTION', 'default'),
|
|
|
|
|
|
|
|
/*
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
| Provider
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
| The LDAP authentication provider to use depending
|
|
|
|
| if you require database synchronization.
|
|
|
|
|
|
|
|
|
| For synchronizing LDAP users to your local applications database, use the provider:
|
|
|
|
|
|
|
|
|
| Adldap\Laravel\Auth\DatabaseUserProvider::class
|
|
|
|
|
|
|
|
|
| Otherwise, if you just require LDAP authentication, use the provider:
|
|
|
|
|
|
|
|
|
| Adldap\Laravel\Auth\NoDatabaseUserProvider::class
|
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
'provider' => Adldap\Laravel\Auth\DatabaseUserProvider::class,
|
|
|
|
//'provider' => Adldap\Laravel\Auth\NoDatabaseUserProvider::class,
|
2019-02-15 00:39:12 -06:00
|
|
|
|
|
|
|
/*
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
| Model
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
| The model to utilize for authentication and importing.
|
|
|
|
|
|
|
|
|
| This option is only applicable to the DatabaseUserProvider.
|
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
'model' => FireflyIII\User::class,
|
|
|
|
|
2018-10-13 08:06:56 -05:00
|
|
|
/*
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
| Rules
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
| Rules allow you to control user authentication requests depending on scenarios.
|
|
|
|
|
|
|
|
|
| You can create your own rules and insert them here.
|
|
|
|
|
|
|
|
|
| All rules must extend from the following class:
|
|
|
|
|
|
|
|
|
| Adldap\Laravel\Validation\Rules\Rule
|
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
'rules' => [
|
|
|
|
|
|
|
|
// Denys deleted users from authenticating.
|
|
|
|
Adldap\Laravel\Validation\Rules\DenyTrashed::class,
|
|
|
|
|
|
|
|
// Allows only manually imported users to authenticate.
|
|
|
|
// Adldap\Laravel\Validation\Rules\OnlyImported::class,
|
|
|
|
|
|
|
|
],
|
|
|
|
|
|
|
|
/*
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
| Scopes
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
| Scopes allow you to restrict the LDAP query that locates
|
|
|
|
| users upon import and authentication.
|
|
|
|
|
|
|
|
|
| All scopes must implement the following interface:
|
|
|
|
|
|
|
|
|
| Adldap\Laravel\Scopes\ScopeInterface
|
|
|
|
|[
|
|
|
|
|
|
|
|
// Only allows users with a user principal name to authenticate.
|
|
|
|
// Remove this if you're using OpenLDAP.
|
|
|
|
//Adldap\Laravel\Scopes\UpnScope::class,
|
|
|
|
|
|
|
|
// Only allows users with a uid to authenticate.
|
|
|
|
// Uncomment if you're using OpenLDAP.
|
|
|
|
Adldap\Laravel\Scopes\UidScope::class,
|
|
|
|
|
|
|
|
],
|
|
|
|
*/
|
|
|
|
|
|
|
|
'scopes' => $scopes,
|
|
|
|
|
2019-03-11 05:43:02 -05:00
|
|
|
'identifiers' => [
|
2018-10-13 08:06:56 -05:00
|
|
|
|
|
|
|
/*
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
| LDAP
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
| Discover:
|
|
|
|
|
|
|
|
|
| The discover value is the users attribute you would
|
|
|
|
| like to locate LDAP users by in your directory.
|
|
|
|
|
|
|
|
|
| For example, using the default configuration below, if you're
|
|
|
|
| authenticating users with an email address, your LDAP server
|
|
|
|
| will be queried for a user with the a `userprincipalname`
|
|
|
|
| equal to the entered email address.
|
|
|
|
|
|
|
|
|
| Authenticate:
|
|
|
|
|
|
|
|
|
| The authenticate value is the users attribute you would
|
|
|
|
| like to use to bind to your LDAP server.
|
|
|
|
|
|
|
|
|
| For example, when a user is located by the above 'discover'
|
|
|
|
| attribute, the users attribute you specify below will
|
|
|
|
| be used as the username to bind to your LDAP server.
|
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
'ldap' => [
|
|
|
|
|
2020-03-20 11:31:54 -05:00
|
|
|
'locate_users_by' => envNonEmpty('ADLDAP_DISCOVER_FIELD', 'userprincipalname'),
|
|
|
|
'bind_users_by' => envNonEmpty('ADLDAP_AUTH_FIELD', 'distinguishedname'),
|
2018-10-13 08:06:56 -05:00
|
|
|
|
|
|
|
],
|
|
|
|
|
|
|
|
/*
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
| Eloquent
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
| The value you enter is the database column name used for locating
|
|
|
|
| the local database record of the authenticating user.
|
|
|
|
|
|
|
|
|
| If you're using a `username` column instead, change this to `username`.
|
|
|
|
|
|
|
|
|
| This option is only applicable to the DatabaseUserProvider.
|
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
'eloquent' => 'email',
|
|
|
|
|
|
|
|
/*
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
| Windows Authentication Middleware (SSO)
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
|
|
2020-05-21 13:20:46 -05:00
|
|
|
| Enabled:
|
|
|
|
|
|
|
|
|
| The middleware will be registered only if enabled is set to true.
|
|
|
|
| If you update this file, beware, this is not a standard
|
|
|
|
| AdLdap2-Laravel configuration key.
|
|
|
|
|
|
2020-05-21 10:01:54 -05:00
|
|
|
| Locate Users By:
|
2018-10-13 08:06:56 -05:00
|
|
|
|
|
2020-05-21 10:01:54 -05:00
|
|
|
| This value is the users attribute you would like to locate LDAP
|
|
|
|
| users by in your directory.
|
2018-10-13 08:06:56 -05:00
|
|
|
|
|
|
|
|
| For example, if 'samaccountname' is the value, then your LDAP server is
|
|
|
|
| queried for a user with the 'samaccountname' equal to the value of
|
|
|
|
| $_SERVER['AUTH_USER'].
|
|
|
|
|
|
|
|
|
| If a user is found, they are imported (if using the DatabaseUserProvider)
|
|
|
|
| into your local database, then logged in.
|
|
|
|
|
|
2020-05-21 10:01:54 -05:00
|
|
|
| Server Key:
|
2018-10-13 08:06:56 -05:00
|
|
|
|
|
2020-05-21 10:01:54 -05:00
|
|
|
| This value represents the 'key' of the $_SERVER
|
2018-10-13 08:06:56 -05:00
|
|
|
| array to pull the users account name from.
|
|
|
|
|
|
|
|
|
| For example, $_SERVER['AUTH_USER'].
|
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
'windows' => [
|
2020-07-30 23:50:57 -05:00
|
|
|
'enabled' => false,
|
|
|
|
'locate_users_by' => 'samaccountname',
|
|
|
|
'server_key' => 'AUTH_USER',
|
2018-10-13 08:06:56 -05:00
|
|
|
],
|
|
|
|
],
|
|
|
|
|
|
|
|
'passwords' => [
|
|
|
|
|
|
|
|
/*
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
| Password Sync
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
| The password sync option allows you to automatically synchronize users
|
|
|
|
| LDAP passwords to your local database. These passwords are hashed
|
|
|
|
| natively by Laravel using the bcrypt() method.
|
|
|
|
|
|
|
|
|
| Enabling this option would also allow users to login to their accounts
|
|
|
|
| using the password last used when an LDAP connection was present.
|
|
|
|
|
|
|
|
|
| If this option is disabled, the local database account is applied a
|
|
|
|
| random 16 character hashed password upon every login, and will
|
|
|
|
| lose access to this account upon loss of LDAP connectivity.
|
|
|
|
|
|
|
|
|
| This option must be true or false and is only applicable
|
|
|
|
| to the DatabaseUserProvider.
|
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
'sync' => env('ADLDAP_PASSWORD_SYNC', false),
|
|
|
|
|
|
|
|
/*
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
| Column
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
| This is the column of your users database table
|
|
|
|
| that is used to store passwords.
|
|
|
|
|
|
|
|
|
| Set this to `null` if you do not have a password column.
|
|
|
|
|
|
|
|
|
| This option is only applicable to the DatabaseUserProvider.
|
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
'column' => 'password',
|
|
|
|
|
|
|
|
],
|
|
|
|
|
|
|
|
/*
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
| Login Fallback
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
| The login fallback option allows you to login as a user located on the
|
|
|
|
| local database if active directory authentication fails.
|
|
|
|
|
|
|
|
|
| Set this to true if you would like to enable it.
|
|
|
|
|
|
|
|
|
| This option must be true or false and is only
|
|
|
|
| applicable to the DatabaseUserProvider.
|
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
'login_fallback' => env('ADLDAP_LOGIN_FALLBACK', false),
|
|
|
|
|
|
|
|
/*
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
| Sync Attributes
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
| Attributes specified here will be added / replaced on the user model
|
|
|
|
| upon login, automatically synchronizing and keeping the attributes
|
|
|
|
| up to date.
|
|
|
|
|
|
|
|
|
| The array key represents the users Laravel model key, and
|
|
|
|
| the value represents the users LDAP attribute.
|
|
|
|
|
|
|
|
|
| This option must be an array and is only applicable
|
|
|
|
| to the DatabaseUserProvider.
|
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
'sync_attributes' => [
|
|
|
|
|
|
|
|
'email' => envNonEmpty('ADLDAP_SYNC_FIELD', 'userprincipalname'),
|
|
|
|
|
|
|
|
],
|
|
|
|
|
|
|
|
/*
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
| Logging
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
| User authentication attempts will be logged using Laravel's
|
|
|
|
| default logger if this setting is enabled.
|
|
|
|
|
|
|
|
|
| No credentials are logged, only usernames.
|
|
|
|
|
|
|
|
|
| This is usually stored in the '/storage/logs' directory
|
|
|
|
| in the root of your application.
|
|
|
|
|
|
|
|
|
| This option is useful for debugging as well as auditing.
|
|
|
|
|
|
|
|
|
| You can freely remove any events you would not like to log below,
|
|
|
|
| as well as use your own listeners if you would prefer.
|
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
'logging' => [
|
|
|
|
'enabled' => true,
|
|
|
|
'events' => [
|
|
|
|
|
2020-03-20 11:31:54 -05:00
|
|
|
Importing::class => LogImport::class,
|
|
|
|
Synchronized::class => LogSynchronized::class,
|
|
|
|
Synchronizing::class => LogSynchronizing::class,
|
|
|
|
Authenticated::class => LogAuthenticated::class,
|
|
|
|
Authenticating::class => LogAuthentication::class,
|
|
|
|
AuthenticationFailed::class => LogAuthenticationFailure::class,
|
|
|
|
AuthenticationRejected::class => LogAuthenticationRejection::class,
|
|
|
|
AuthenticationSuccessful::class => LogAuthenticationSuccess::class,
|
|
|
|
DiscoveredWithCredentials::class => LogDiscovery::class,
|
|
|
|
AuthenticatedWithWindows::class => LogWindowsAuth::class,
|
|
|
|
AuthenticatedModelTrashed::class => LogTrashedModel::class,
|
2018-10-13 08:06:56 -05:00
|
|
|
|
|
|
|
],
|
|
|
|
],
|
|
|
|
|
2020-08-26 09:07:47 -05:00
|
|
|
/*
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
| Custom LDAP Filter
|
|
|
|
|--------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
| This value can be optionally provided to restrict LDAP queries to the
|
|
|
|
| given filter. It should be in LDAP filter format, and will be
|
|
|
|
| applied in the LdapFilterScope.
|
|
|
|
|
|
|
|
|
*/
|
|
|
|
'custom_filter' => env('ADLDAP_AUTH_FILTER', ''),
|
|
|
|
|
2018-10-13 08:06:56 -05:00
|
|
|
];
|