diff --git a/changelog.md b/changelog.md
index a02d4e8d44..e798280bd0 100644
--- a/changelog.md
+++ b/changelog.md
@@ -8,6 +8,7 @@ This project adheres to [Semantic Versioning](http://semver.org/). - static cron token is new? - update ldap - new credit stuff +- need to force users to switch config or ignore it. ## 5.5.12 - 2021-06-03
diff --git a/config/auth.php b/config/auth.php
index 732c35d54c..09c2b6e5b0 100644
--- a/config/auth.php
+++ b/config/auth.php
@@ -62,6 +62,10 @@ return [
 'driver' => 'session',
 'provider' => 'users',
 ],
+ 'ldap' => [
+ 'driver' => 'session',
+ 'provider' => 'ldap',
+ ],
 'remote_user_guard' => [
 'driver' => 'remote_user_guard',
 'provider' => 'remote_user_provider',
@@ -91,13 +95,27 @@ return [
 'providers' => [
 'users' => [
- 'driver' => envNonEmpty('LOGIN_PROVIDER', 'eloquent'),
+ 'driver' => 'eloquent',
 'model' => FireflyIII\User::class,
 ],
 'remote_user_provider' => [
 'driver' => 'remote_user_provider',
 'model' => FireflyIII\User::class,
 ],
+
+ 'ldap' => [
+ 'driver' => 'ldap',
+ //'model' => LdapRecord\Models\ActiveDirectory\User::class,
+ 'model' => LdapRecord\Models\OpenLDAP\User::class,
+ 'rules' => [],
+ 'database' => [
+ 'model' => FireflyIII\User::class,
+ 'sync_passwords' => false,
+ 'sync_attributes' => [
+ 'email' => 'mail',
+ ],
+ ],
+ ],
 ],
 /*
diff --git a/config/ldap.php b/config/ldap.php
index 1c2d1b52be..fd94d32e78 100644
--- a/config/ldap.php
+++ b/config/ldap.php
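Review bot: The new `ldap` provider in the second config/auth.php hunk ships with `'rules' => []`, whereas the configuration it replaces (config/ldap_auth.php, deleted further down in this commit) enforced `Adldap\Laravel\Validation\Rules\DenyTrashed::class`; as far as this diff shows, a soft-deleted local user could still authenticate through LDAP unless the LdapRecord provider rejects trashed records on its own, so either confirm that behaviour or register the equivalent LdapRecord rule here. The deleted file also let the synced attribute and the locate/bind attributes come from `ADLDAP_SYNC_FIELD`, `ADLDAP_DISCOVER_FIELD` and `ADLDAP_AUTH_FIELD`, while the new block hard-codes `'email' => 'mail'`, which will not match deployments that synced on `userprincipalname`; a comment such as `// TODO: expose the LDAP email attribute via env (replaces ADLDAP_SYNC_FIELD)` would at least record the gap. Likewise the commented-out `LdapRecord\Models\ActiveDirectory\User::class` line leaves directory-type selection to editing this file, where the old config/ldap.php derived it from `ADLDAP_CONNECTION_SCHEME`; a short comment naming which model to use for AD versus OpenLDAP would help operators who previously only set an env variable.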
@@ -1,294 +1,73 @@ .
- */
-
-declare(strict_types=1);
-
-use Adldap\Schemas\ActiveDirectory;
-use Adldap\Schemas\FreeIPA;
-use Adldap\Schemas\OpenLDAP;
-
-/*
- * Get schema from .env file.
- */
-$schema = OpenLDAP::class;
-
-if ('FreeIPA' === envNonEmpty('ADLDAP_CONNECTION_SCHEME', 'OpenLDAP')) {
- $schema = FreeIPA::class;
-}
-if ('ActiveDirectory' === envNonEmpty('ADLDAP_CONNECTION_SCHEME', 'OpenLDAP')) {
- $schema = ActiveDirectory::class;
-}
-
-/*
- * Get SSL parameters from .env file.
- */
-$ssl_ca_dir = envNonEmpty('ADLDAP_SSL_CACERTDIR', null);
-$ssl_ca_file = envNonEmpty('ADLDAP_SSL_CACERTFILE', null);
-$ssl_cert = envNonEmpty('ADLDAP_SSL_CERTFILE', null);
-$ssl_key = envNonEmpty('ADLDAP_SSL_KEYFILE', null);
-$ssl_ciphers = envNonEmpty('ADLDAP_SSL_CIPHER_SUITE', null);
-$ssl_require = envNonEmpty('ADLDAP_SSL_REQUIRE_CERT', null);
-
-$sslOptions = [];
-if (null !== $ssl_ca_dir) {
- $sslOptions[LDAP_OPT_X_TLS_CACERTDIR] = $ssl_ca_dir;
-}
-if (null !== $ssl_ca_file) {
- $sslOptions[LDAP_OPT_X_TLS_CACERTFILE] = $ssl_ca_file;
-}
-if (null !== $ssl_cert) {
- $sslOptions[LDAP_OPT_X_TLS_CERTFILE] = $ssl_cert;
-}
-if (null !== $ssl_key) {
- $sslOptions[LDAP_OPT_X_TLS_KEYFILE] = $ssl_key;
-}
-if (null !== $ssl_ciphers) {
- $sslOptions[LDAP_OPT_X_TLS_CIPHER_SUITE] = $ssl_ciphers;
-}
-if (null !== $ssl_require) {
- $sslOptions[LDAP_OPT_X_TLS_REQUIRE_CERT] = $ssl_require;
-}
-
 return [
+
 /*
 |--------------------------------------------------------------------------
- | Connections
+ | Default LDAP Connection Name
 |--------------------------------------------------------------------------
 |
- | This array stores the connections that are added to Adldap. You can add
- | as many connections as you like.
- |
- | The key is the name of the connection you wish to use and the value is
- | an array of configuration settings.
+ | Here you may specify which of the LDAP connections below you wish
+ | to use as your default connection for all LDAP operations.
Of
+ | course you may add as many connections you'd like below.
 |
 */
+
+ 'default' => env('LDAP_CONNECTION', 'default'),
+
+ /*
+ |--------------------------------------------------------------------------
+ | LDAP Connections
+ |--------------------------------------------------------------------------
+ |
+ | Below you may configure each LDAP connection your application requires
+ | access to. Be sure to include a valid base DN - otherwise you may
+ | not receive any results when performing LDAP search operations.
+ |
+ */
+
 'connections' => [
 'default' => [
-
- /*
- |--------------------------------------------------------------------------
- | Auto Connect
- |--------------------------------------------------------------------------
- |
- | If auto connect is true, Adldap will try to automatically connect to
- | your LDAP server in your configuration. This allows you to assume
- | connectivity rather than having to connect manually
- | in your application.
- |
- | If this is set to false, you **must** connect manually before running
- | LDAP operations.
- |
- */
-
- 'auto_connect' => env('ADLDAP_AUTO_CONNECT', true),
-
- /*
- |--------------------------------------------------------------------------
- | Connection
- |--------------------------------------------------------------------------
- |
- | The connection class to use to run raw LDAP operations on.
- |
- | Custom connection classes must implement:
- |
- | Adldap\Connections\ConnectionInterface
- |
- */
-
- 'connection' => Adldap\Connections\Ldap::class,
-
- /*
- |--------------------------------------------------------------------------
- | Connection Settings
- |--------------------------------------------------------------------------
- |
- | This connection settings array is directly passed into the Adldap constructor.
- |
- | Feel free to add or remove settings you don't need.
- |
- */
-
- 'settings' => [
-
- /*
- |--------------------------------------------------------------------------
- | Schema
- |--------------------------------------------------------------------------
- |
- | The schema class to use for retrieving attributes and generating models.
- |
- | You can also set this option to `null` to use the default schema class.
- |
- | For OpenLDAP, you must use the schema:
- |
- | Adldap\Schemas\OpenLDAP::class
- |
- | For FreeIPA, you must use the schema:
- |
- | Adldap\Schemas\FreeIPA::class
- |
- | Custom schema classes must implement Adldap\Schemas\SchemaInterface
- |
- */
-
- 'schema' => $schema,
-
- /*
- |--------------------------------------------------------------------------
- | Account Prefix
- |--------------------------------------------------------------------------
- |
- | The account prefix option is the prefix of your user accounts in LDAP directory.
- |
- | This string is prepended to authenticating users usernames.
- |
- */
-
- 'account_prefix' => env('ADLDAP_ACCOUNT_PREFIX', ''),
-
- /*
- |--------------------------------------------------------------------------
- | Account Suffix
- |--------------------------------------------------------------------------
- |
- | The account suffix option is the suffix of your user accounts in your LDAP directory.
- |
- | This string is appended to authenticating users usernames.
- |
- */
-
- 'account_suffix' => env('ADLDAP_ACCOUNT_SUFFIX', ''),
-
- /*
- |--------------------------------------------------------------------------
- | Domain Controllers
- |--------------------------------------------------------------------------
- |
- | The domain controllers option is an array of servers located on your
- | network that serve Active Directory. You can insert as many servers or
- | as little as you'd like depending on your forest (with the
- | minimum of one of course).
- |
- | These can be IP addresses of your server(s), or the host name.
- |
- */
-
- 'hosts' => explode(' ', env('ADLDAP_CONTROLLERS', '127.0.0.1')),
-
- /*
- |--------------------------------------------------------------------------
- | Port
- |--------------------------------------------------------------------------
- |
- | The port option is used for authenticating and binding to your LDAP server.
- |
- */
-
- 'port' => env('ADLDAP_PORT', 389),
-
- /*
- |--------------------------------------------------------------------------
- | Timeout
- |--------------------------------------------------------------------------
- |
- | The timeout option allows you to configure the amount of time in
- | seconds that your application waits until a response
- | is received from your LDAP server.
- |
- */
-
- 'timeout' => env('ADLDAP_TIMEOUT', 5),
-
- /*
- |--------------------------------------------------------------------------
- | Base Distinguished Name
- |--------------------------------------------------------------------------
- |
- | The base distinguished name is the base distinguished name you'd
- | like to perform query operations on. An example base DN would be:
- |
- | dc=corp,dc=acme,dc=org
- |
- | A correct base DN is required for any query results to be returned.
- |
- */
-
- 'base_dn' => env('ADLDAP_BASEDN', 'dc=temp'),
-
- /*
- |--------------------------------------------------------------------------
- | Administrator Username & Password
- |--------------------------------------------------------------------------
- |
- | When connecting to your LDAP server, a username and password is required
- | to be able to query and run operations on your server(s). You can
- | use any user account that has these permissions. This account
- | does not need to be a domain administrator unless you
- | require changing and resetting user passwords.
- |
- */
-
- 'username' => env('ADLDAP_ADMIN_USERNAME', ''),
- 'password' => env('ADLDAP_ADMIN_PASSWORD', ''),
-
- /*
- |--------------------------------------------------------------------------
- | Follow Referrals
- |--------------------------------------------------------------------------
- |
- | The follow referrals option is a boolean to tell active directory
- | to follow a referral to another server on your network if the
- | server queried knows the information your asking for exists,
- | but does not yet contain a copy of it locally.
- |
- | This option is defaulted to false.
- |
- */
-
- 'follow_referrals' => env('ADLDAP_FOLLOW_REFFERALS', false),
-
- /*
- |--------------------------------------------------------------------------
- | SSL & TLS
- |--------------------------------------------------------------------------
- |
- | If you need to be able to change user passwords on your server, then an
- | SSL or TLS connection is required. All other operations are allowed
- | on unsecured protocols.
- |
- | One of these options are definitely recommended if you
- | have the ability to connect to your server securely.
- |
- */
-
- 'use_ssl' => env('ADLDAP_USE_SSL', false),
- 'use_tls' => env('ADLDAP_USE_TLS', false),
-
- 'custom_options' => $sslOptions,
- ],
-
+ 'hosts' => [env('LDAP_HOST', '127.0.0.1')],
+ 'username' => env('LDAP_USERNAME', 'cn=user,dc=local,dc=com'),
+ 'password' => env('LDAP_PASSWORD', 'secret'),
+ 'port' => env('LDAP_PORT', 389),
+ 'base_dn' => env('LDAP_BASE_DN', 'dc=local,dc=com'),
+ 'timeout' => env('LDAP_TIMEOUT', 5),
+ 'use_ssl' => env('LDAP_SSL', false),
+ 'use_tls' => env('LDAP_TLS', false),
 ],
 ],
+ /*
+ |--------------------------------------------------------------------------
+ | LDAP Logging
+ |--------------------------------------------------------------------------
+ |
+ | When LDAP logging is enabled, all LDAP search and authentication
+ | operations are logged using the default application logging
+ | driver.
This can assist in debugging issues and more.
+ |
+ */
+
+ 'logging' => env('LDAP_LOGGING', true),
+
+ /*
+ |--------------------------------------------------------------------------
+ | LDAP Cache
+ |--------------------------------------------------------------------------
+ |
+ | LDAP caching enables the ability of caching search results using the
+ | query builder. This is great for running expensive operations that
+ | may take many seconds to complete, such as a pagination request.
+ |
+ */
+
+ 'cache' => [
+ 'enabled' => env('LDAP_CACHE', false),
+ 'driver' => env('CACHE_DRIVER', 'file'),
+ ],
+
 ];
diff --git a/config/ldap_auth.php b/config/ldap_auth.php
deleted file mode 100644
index 446b9c831a..0000000000
--- a/config/ldap_auth.php
+++ /dev/null
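Review bot: The rewritten `default` connection in config/ldap.php drops the TLS trust settings without a replacement: the removed block built `$sslOptions` from `ADLDAP_SSL_CACERTDIR`, `ADLDAP_SSL_CACERTFILE`, `ADLDAP_SSL_CERTFILE`, `ADLDAP_SSL_KEYFILE`, `ADLDAP_SSL_CIPHER_SUITE` and `ADLDAP_SSL_REQUIRE_CERT` and passed it as `'custom_options'`, while the new array only carries `use_ssl`/`use_tls`, so a deployment that pinned a CA or required certificate verification loses that on upgrade with no error. If I read the LdapRecord connection config right, the equivalent key is `options` (an array handed to ldap_set_option); the sketch below rebuilds it from the same environment names so existing .env files keep working. Separately, `'username' => env('LDAP_USERNAME', 'cn=user,dc=local,dc=com')` and `'password' => env('LDAP_PASSWORD', 'secret')` replace the previous empty-string defaults; a non-empty placeholder bind password in a shipped config is a foot-gun, and `''` (or a startup check that the value is set) would be safer. `'logging' => env('LDAP_LOGGING', true)` also enables logging of every LDAP search and bind by default, where the deleted ldap_auth.php described its logging as username-only; worth confirming what LdapRecord's logger writes before defaulting it on.
```php
'default' => [
    // … unchanged: hosts, username, password, port, base_dn, timeout, use_ssl, use_tls …
    // Re-derive the ldap_set_option values the old config exposed so existing
    // ADLDAP_SSL_* settings keep taking effect; array_filter keeps the option keys.
    'options' => array_filter([
        LDAP_OPT_X_TLS_CACERTDIR    => envNonEmpty('ADLDAP_SSL_CACERTDIR', null),
        LDAP_OPT_X_TLS_CACERTFILE   => envNonEmpty('ADLDAP_SSL_CACERTFILE', null),
        LDAP_OPT_X_TLS_CERTFILE     => envNonEmpty('ADLDAP_SSL_CERTFILE', null),
        LDAP_OPT_X_TLS_KEYFILE      => envNonEmpty('ADLDAP_SSL_KEYFILE', null),
        LDAP_OPT_X_TLS_CIPHER_SUITE => envNonEmpty('ADLDAP_SSL_CIPHER_SUITE', null),
        LDAP_OPT_X_TLS_REQUIRE_CERT => envNonEmpty('ADLDAP_SSL_REQUIRE_CERT', null),
    ], static fn ($value): bool => null !== $value),
],
```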
@@ -1,394 +0,0 @@ -. - */ - -declare(strict_types=1); - -use FireflyIII\Scopes\LdapFilterScope; - -use Adldap\Laravel\Events\Authenticated; -use Adldap\Laravel\Events\AuthenticatedModelTrashed; -use Adldap\Laravel\Events\AuthenticatedWithWindows; -use Adldap\Laravel\Events\Authenticating; -use Adldap\Laravel\Events\AuthenticationFailed; -use Adldap\Laravel\Events\AuthenticationRejected; -use Adldap\Laravel\Events\AuthenticationSuccessful; -use Adldap\Laravel\Events\DiscoveredWithCredentials; -use Adldap\Laravel\Events\Importing; -use Adldap\Laravel\Events\Synchronized; -use Adldap\Laravel\Events\Synchronizing; -use Adldap\Laravel\Listeners\LogAuthenticated; -use Adldap\Laravel\Listeners\LogAuthentication; -use Adldap\Laravel\Listeners\LogAuthenticationFailure; -use Adldap\Laravel\Listeners\LogAuthenticationRejection; -use Adldap\Laravel\Listeners\LogAuthenticationSuccess; -use Adldap\Laravel\Listeners\LogDiscovery; -use Adldap\Laravel\Listeners\LogImport; -use Adldap\Laravel\Listeners\LogSynchronized; -use Adldap\Laravel\Listeners\LogSynchronizing; -use Adldap\Laravel\Listeners\LogTrashedModel; -use Adldap\Laravel\Listeners\LogWindowsAuth; -use Adldap\Laravel\Scopes\UidScope; -use Adldap\Laravel\Scopes\UpnScope; - -// default OpenLDAP scopes. -$scopes = [ - LdapFilterScope::class, - UidScope::class, -]; -if ('FreeIPA' === env('ADLDAP_CONNECTION_SCHEME')) { - $scopes = [ - LdapFilterScope::class, - ]; -} -if ('ActiveDirectory' === env('ADLDAP_CONNECTION_SCHEME')) { - $scopes = [ - LdapFilterScope::class, - UpnScope::class, - ]; -} - -return [ - /* - |-------------------------------------------------------------------------- - | Connection - |-------------------------------------------------------------------------- - | - | The LDAP connection to use for laravel authentication. - | - | You must specify connections in your `config/adldap.php` configuration file. - | - | This must be a string. 
- | - */ - - 'connection' => envNonEmpty('ADLDAP_CONNECTION', 'default'), - - /* - |-------------------------------------------------------------------------- - | Provider - |-------------------------------------------------------------------------- - | - | The LDAP authentication provider to use depending - | if you require database synchronization. - | - | For synchronizing LDAP users to your local applications database, use the provider: - | - | Adldap\Laravel\Auth\DatabaseUserProvider::class - | - | Otherwise, if you just require LDAP authentication, use the provider: - | - | Adldap\Laravel\Auth\NoDatabaseUserProvider::class - | - */ - - 'provider' => Adldap\Laravel\Auth\DatabaseUserProvider::class, - //'provider' => Adldap\Laravel\Auth\NoDatabaseUserProvider::class, - - /* - |-------------------------------------------------------------------------- - | Model - |-------------------------------------------------------------------------- - | - | The model to utilize for authentication and importing. - | - | This option is only applicable to the DatabaseUserProvider. - | - */ - - 'model' => FireflyIII\User::class, - - /* - |-------------------------------------------------------------------------- - | Rules - |-------------------------------------------------------------------------- - | - | Rules allow you to control user authentication requests depending on scenarios. - | - | You can create your own rules and insert them here. - | - | All rules must extend from the following class: - | - | Adldap\Laravel\Validation\Rules\Rule - | - */ - - 'rules' => [ - - // Denys deleted users from authenticating. - Adldap\Laravel\Validation\Rules\DenyTrashed::class, - - // Allows only manually imported users to authenticate. 
- // Adldap\Laravel\Validation\Rules\OnlyImported::class, - - ], - - /* - |-------------------------------------------------------------------------- - | Scopes - |-------------------------------------------------------------------------- - | - | Scopes allow you to restrict the LDAP query that locates - | users upon import and authentication. - | - | All scopes must implement the following interface: - | - | Adldap\Laravel\Scopes\ScopeInterface - |[ - - // Only allows users with a user principal name to authenticate. - // Remove this if you're using OpenLDAP. - //Adldap\Laravel\Scopes\UpnScope::class, - - // Only allows users with a uid to authenticate. - // Uncomment if you're using OpenLDAP. - Adldap\Laravel\Scopes\UidScope::class, - - ], - */ - - 'scopes' => $scopes, - - 'identifiers' => [ - - /* - |-------------------------------------------------------------------------- - | LDAP - |-------------------------------------------------------------------------- - | - | Discover: - | - | The discover value is the users attribute you would - | like to locate LDAP users by in your directory. - | - | For example, using the default configuration below, if you're - | authenticating users with an email address, your LDAP server - | will be queried for a user with the a `userprincipalname` - | equal to the entered email address. - | - | Authenticate: - | - | The authenticate value is the users attribute you would - | like to use to bind to your LDAP server. - | - | For example, when a user is located by the above 'discover' - | attribute, the users attribute you specify below will - | be used as the username to bind to your LDAP server. 
- | - */ - - 'ldap' => [ - - 'locate_users_by' => envNonEmpty('ADLDAP_DISCOVER_FIELD', 'userprincipalname'), - 'bind_users_by' => envNonEmpty('ADLDAP_AUTH_FIELD', 'distinguishedname'), - - ], - - /* - |-------------------------------------------------------------------------- - | Eloquent - |-------------------------------------------------------------------------- - | - | The value you enter is the database column name used for locating - | the local database record of the authenticating user. - | - | If you're using a `username` column instead, change this to `username`. - | - | This option is only applicable to the DatabaseUserProvider. - | - */ - - 'eloquent' => 'email', - - /* - |-------------------------------------------------------------------------- - | Windows Authentication Middleware (SSO) - |-------------------------------------------------------------------------- - | - | Enabled: - | - | The middleware will be registered only if enabled is set to true. - | If you update this file, beware, this is not a standard - | AdLdap2-Laravel configuration key. - | - | Locate Users By: - | - | This value is the users attribute you would like to locate LDAP - | users by in your directory. - | - | For example, if 'samaccountname' is the value, then your LDAP server is - | queried for a user with the 'samaccountname' equal to the value of - | $_SERVER['AUTH_USER']. - | - | If a user is found, they are imported (if using the DatabaseUserProvider) - | into your local database, then logged in. - | - | Server Key: - | - | This value represents the 'key' of the $_SERVER - | array to pull the users account name from. - | - | For example, $_SERVER['AUTH_USER']. 
- | - */ - - 'windows' => [ - 'enabled' => false, - 'locate_users_by' => 'samaccountname', - 'server_key' => 'AUTH_USER', - ], - ], - - 'passwords' => [ - - /* - |-------------------------------------------------------------------------- - | Password Sync - |-------------------------------------------------------------------------- - | - | The password sync option allows you to automatically synchronize users - | LDAP passwords to your local database. These passwords are hashed - | natively by Laravel using the bcrypt() method. - | - | Enabling this option would also allow users to login to their accounts - | using the password last used when an LDAP connection was present. - | - | If this option is disabled, the local database account is applied a - | random 16 character hashed password upon every login, and will - | lose access to this account upon loss of LDAP connectivity. - | - | This option must be true or false and is only applicable - | to the DatabaseUserProvider. - | - */ - - 'sync' => env('ADLDAP_PASSWORD_SYNC', false), - - /* - |-------------------------------------------------------------------------- - | Column - |-------------------------------------------------------------------------- - | - | This is the column of your users database table - | that is used to store passwords. - | - | Set this to `null` if you do not have a password column. - | - | This option is only applicable to the DatabaseUserProvider. - | - */ - - 'column' => 'password', - - ], - - /* - |-------------------------------------------------------------------------- - | Login Fallback - |-------------------------------------------------------------------------- - | - | The login fallback option allows you to login as a user located on the - | local database if active directory authentication fails. - | - | Set this to true if you would like to enable it. - | - | This option must be true or false and is only - | applicable to the DatabaseUserProvider. 
- | - */ - - 'login_fallback' => env('ADLDAP_LOGIN_FALLBACK', false), - - /* - |-------------------------------------------------------------------------- - | Sync Attributes - |-------------------------------------------------------------------------- - | - | Attributes specified here will be added / replaced on the user model - | upon login, automatically synchronizing and keeping the attributes - | up to date. - | - | The array key represents the users Laravel model key, and - | the value represents the users LDAP attribute. - | - | This option must be an array and is only applicable - | to the DatabaseUserProvider. - | - */ - - 'sync_attributes' => [ - - 'email' => envNonEmpty('ADLDAP_SYNC_FIELD', 'userprincipalname'), - - ], - - /* - |-------------------------------------------------------------------------- - | Logging - |-------------------------------------------------------------------------- - | - | User authentication attempts will be logged using Laravel's - | default logger if this setting is enabled. - | - | No credentials are logged, only usernames. - | - | This is usually stored in the '/storage/logs' directory - | in the root of your application. - | - | This option is useful for debugging as well as auditing. - | - | You can freely remove any events you would not like to log below, - | as well as use your own listeners if you would prefer. 
- | - */ - - 'logging' => [ - 'enabled' => true, - 'events' => [ - - Importing::class => LogImport::class, - Synchronized::class => LogSynchronized::class, - Synchronizing::class => LogSynchronizing::class, - Authenticated::class => LogAuthenticated::class, - Authenticating::class => LogAuthentication::class, - AuthenticationFailed::class => LogAuthenticationFailure::class, - AuthenticationRejected::class => LogAuthenticationRejection::class, - AuthenticationSuccessful::class => LogAuthenticationSuccess::class, - DiscoveredWithCredentials::class => LogDiscovery::class, - AuthenticatedWithWindows::class => LogWindowsAuth::class, - AuthenticatedModelTrashed::class => LogTrashedModel::class, - - ], - ], - - /* - |-------------------------------------------------------------------------- - | Custom LDAP Filter - |-------------------------------------------------------------------------- - | - | This value can be optionally provided to restrict LDAP queries to the - | given filter. It should be in LDAP filter format, and will be - | applied in the LdapFilterScope. - | - */ - 'custom_filter' => env('ADLDAP_AUTH_FILTER', ''), - -];