Merge branch 'master' of github.com:m1k1o/blog into ldap-support

Dockerfile

@@ -2,6 +2,8 @@ FROM php:7.4-apache
 
 MAINTAINER Miroslav Sedivy
 
+ARG LDAP=false
+
 RUN set -eux; apt-get update; \
 	apt-get install -y --no-install-recommends \
 	#
@@ -12,9 +14,6 @@ RUN set -eux; apt-get update; \
 	zlib1g-dev libpng-dev libjpeg-dev \
 	libwebp-dev libxpm-dev libfreetype6-dev; \
 	#
-	# clean up
-	rm -rf /var/lib/apt/lists/*; \
-	#
 	# configure extensions
 	docker-php-ext-configure gd --enable-gd \
 	--with-jpeg --with-webp --with-xpm --with-freetype; \
@@ -22,8 +21,17 @@ RUN set -eux; apt-get update; \
 	# install extensions
 	docker-php-ext-install curl gd pdo pdo_mysql; \
 	#
+	# LDAP support
+	if [ -n "$LDAP" ] && [ "$LDAP" = "true" ]; then \
+		apt-get install -y --no-install-recommends libldb-dev libldap2-dev; \
+		docker-php-ext-install ldap; \
+	fi; \
+	#
 	# set up environment
-	a2enmod rewrite;
+	a2enmod rewrite; \
+	#
+	# clean up
+	rm -rf /var/lib/apt/lists/*;
 
 #
 # copy files

app/user.class.php

@@ -18,7 +18,13 @@ class user
 			return true;
 		}
 
-		return !empty($_SESSION[User::SESSION_NAME]) && $_SESSION[User::SESSION_NAME] === hash("crc32", Config::get("nick").Config::get_safe("pass", ""), false);
+		if(Config::get_safe("ldap_enabled", false)){
+			return !empty($_SESSION[User::SESSION_NAME]) &&
+				$_SESSION[User::SESSION_NAME] === 'admin';
+		}
+
+		return !empty($_SESSION[User::SESSION_NAME]) &&
+			$_SESSION[User::SESSION_NAME] === hash("crc32", Config::get("nick").Config::get_safe("pass", ""), false);
 	}
 
 	public static function login($nick, $pass){
@@ -30,6 +36,14 @@ class user
 			throw new Exception(__("You are already logged in."));
 		}
 
+		if(Config::get_safe("ldap_enabled", false)){
+			return static::LDAP_login($nick, $pass);
+		} else {
+			return static::config_login($nick, $pass);
+		}
+	}
+
+	private static function config_login($nick, $pass){
 		if(Config::get("nick") === $nick && Config::get_safe("pass", "") === $pass){
 			$_SESSION[User::SESSION_NAME] = hash("crc32", $nick.$pass, false);
 			return ["logged_in" => true, "is_visitor" => false];
@@ -45,6 +59,34 @@ class user
 		throw new Exception(__("The nick or password is incorrect."));
 	}
 
+	private static function LDAP_login($nick, $pass){
+		$ldap_host = Config::get("ldap_host");
+		$ldap_port = Config::get_safe("ldap_port", 389);
+		$ldap_admin_dn = Config::get_safe("ldap_admin_dn", false);
+		$ldap_visitor_dn = Config::get_safe("ldap_visitor_dn", false);
+
+		if(!($ds = ldap_connect($ldap_host, $ldap_port))) {
+			throw new Exception(__("Could not connect to LDAP server."));
+		}
+
+		ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
+		ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
+		ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 10);
+
+		if ($ldap_admin_dn !== false && ldap_bind($ds, "cn=".$nick.",".$ldap_admin_dn, $pass)) {
+			$_SESSION[User::SESSION_NAME] = 'admin';
+			return ["logged_in" => true, "is_visitor" => false];
+		}
+
+		if ($ldap_visitor_dn !== false && ldap_bind($ds, "cn=".$nick.",".$ldap_visitor_dn, $pass)) {
+			$_SESSION[User::SESSION_NAME] = 'visitor';
+			return ["logged_in" => false, "is_visitor" => true];
+		}
+
+		Log::put("login_fails", $nick);
+		throw new Exception(__("The nick or password is incorrect."));
+	}
+
 	public static function logout(){
 		if(!Config::get_safe("force_login", false)){
 			throw new Exception(__("You can't log out. There is no account."));

config.ini

@@ -43,6 +43,13 @@ pass = demo
 ;visitor[user] = pass
 ;visitor[user] = pass
 
+;[ldap]
+;ldap_enabled = true
+;ldap_host = localhost
+;ldap_port = 389
+;ldap_admin_dn = 'ou=admin,dc=example,dc=org'
+;ldap_visitor_dn = 'ou=visitor,dc=example,dc=org'
+
 [directories]
 images_path = data/i/
 thumbnails_path = data/t/