diff --git a/composer.json b/composer.json
index a18d293aca..e8f8ebc65e 100644
--- a/composer.json
+++ b/composer.json
@@ -84,6 +84,7 @@
 "ext-xml": "*",
 "bacon/bacon-qr-code": "2.*",
 "diglactic/laravel-breadcrumbs": "^6.0",
+ "directorytree/ldaprecord-laravel": "^2.2",
 "doctrine/dbal": "3.*",
 "fideloper/proxy": "4.*",
 "gdbots/query-parser": "^2.0",
diff --git a/composer.lock b/composer.lock
index e3b9f18cb7..dfd2f4dadd 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
 "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
 "This file is @generated automatically"
 ],
- "content-hash": "bd033cd41088c7c19fba9031a13c2286",
+ "content-hash": "28d6c78fd071d01b11d366d5595195fd",
 "packages": [
 {
 "name": "bacon/bacon-qr-code",
@@ -375,6 +375,141 @@ }, "time": "2021-04-12T18:06:07+00:00" }, + { + "name": "directorytree/ldaprecord", + "version": "v2.4.3", + "source": { + "type": "git", + "url": "https://github.com/DirectoryTree/LdapRecord.git", + "reference": "d384f2fa8926ffbef01e00e67068afdffcc9a781" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/DirectoryTree/LdapRecord/zipball/d384f2fa8926ffbef01e00e67068afdffcc9a781", + "reference": "d384f2fa8926ffbef01e00e67068afdffcc9a781", + "shasum": "" + }, + "require": { + "ext-json": "*", + "ext-ldap": "*", + "illuminate/contracts": "^5.0|^6.0|^7.0|^8.0", + "nesbot/carbon": "^1.0|^2.0", + "php": ">=7.2", + "psr/log": "^1.0", + "psr/simple-cache": "^1.0", + "tightenco/collect": "^5.6|^6.0|^7.0|^8.0" + }, + "require-dev": { + "mockery/mockery": "^1.0", + "phpunit/phpunit": "^8.0" + }, + "type": "library", + "autoload": { + "psr-4": { + "LdapRecord\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Steve Bauman", + "email": "steven_bauman@outlook.com", + "role": "Developer" + } + ], + "description": "A fully-featured LDAP ORM.", + "homepage": "https://www.ldaprecord.com", + "keywords": [ + "active directory", + "ad", + "adLDAP", + "adldap2", + "directory", + "ldap", + "ldaprecord", + "orm", + "windows" + ], + "support": { + "docs": "https://ldaprecord.com", + "email": "steven_bauman@outlook.com", + "issues": "https://github.com/DirectoryTree/LdapRecord/issues", + "source": "https://github.com/DirectoryTree/LdapRecord" + }, + "funding": [ + { + "url": "https://github.com/stevebauman", + "type": "github" + } + ], + "time": "2021-04-25T02:35:23+00:00" + }, + { + "name": "directorytree/ldaprecord-laravel", + "version": "v2.2.3", + "source": { + "type": "git", + "url": "https://github.com/DirectoryTree/LdapRecord-Laravel.git", + "reference": "c84b7a1528f4bd0f98476a2591f80421625148cc" + }, + "dist": { + "type": "zip", + "url": 
"https://api.github.com/repos/DirectoryTree/LdapRecord-Laravel/zipball/c84b7a1528f4bd0f98476a2591f80421625148cc", + "reference": "c84b7a1528f4bd0f98476a2591f80421625148cc", + "shasum": "" + }, + "require": { + "directorytree/ldaprecord": "^2.3", + "ext-ldap": "*", + "illuminate/support": "^5.6|^6.0|^7.0|^8.0", + "php": ">=7.2", + "ramsey/uuid": "*" + }, + "require-dev": { + "mockery/mockery": "~1.0", + "orchestra/testbench": "~3.7|~4.0|~5.0|~6.0", + "phpunit/phpunit": "~7.0|~8.0|~9.0" + }, + "type": "project", + "extra": { + "laravel": { + "providers": [ + "LdapRecord\\Laravel\\LdapServiceProvider", + "LdapRecord\\Laravel\\LdapAuthServiceProvider" + ] + } + }, + "autoload": { + "psr-4": { + "LdapRecord\\Laravel\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "description": "LDAP Authentication & Management for Laravel.", + "keywords": [ + "adldap2", + "laravel", + "ldap", + "ldaprecord" + ], + "support": { + "issues": "https://github.com/DirectoryTree/LdapRecord-Laravel/issues", + "source": "https://github.com/DirectoryTree/LdapRecord-Laravel/tree/v2.2.3" + }, + "funding": [ + { + "url": "https://github.com/stevebauman", + "type": "github" + } + ], + "time": "2021-04-18T21:19:55+00:00" + }, { "name": "doctrine/cache", "version": "1.11.0", 
@@ -6707,6 +6842,60 @@ ], "time": "2021-03-28T09:42:18+00:00" }, + { + "name": "tightenco/collect", + "version": "v8.34.0", + "source": { + "type": "git", + "url": "https://github.com/tighten/collect.git", + "reference": "b069783ab0c547bb894ebcf8e7f6024bb401f9d2" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/tighten/collect/zipball/b069783ab0c547bb894ebcf8e7f6024bb401f9d2", + "reference": "b069783ab0c547bb894ebcf8e7f6024bb401f9d2", + "shasum": "" + }, + "require": { + "php": "^7.2|^8.0", + "symfony/var-dumper": "^3.4 || ^4.0 || ^5.0" + }, + "require-dev": { + "mockery/mockery": "^1.0", + "nesbot/carbon": "^2.23.0", + "phpunit/phpunit": "^8.3" + }, + "type": "library", + "autoload": { + "files": [ + "src/Collect/Support/helpers.php", + "src/Collect/Support/alias.php" + ], + "psr-4": { + "Tightenco\\Collect\\": "src/Collect" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Taylor Otwell", + "email": "taylorotwell@gmail.com" + } + ], + "description": "Collect - Illuminate Collections as a separate package.", + "keywords": [ + "collection", + "laravel" + ], + "support": { + "issues": "https://github.com/tighten/collect/issues", + "source": "https://github.com/tighten/collect/tree/v8.34.0" + }, + "time": "2021-03-29T21:29:00+00:00" + }, { "name": "tijsverkoyen/css-to-inline-styles", "version": "2.2.3", diff --git a/config/ldap.php b/config/ldap.php index 1c2d1b52be..fd94d32e78 100644 --- a/config/ldap.php +++ b/config/ldap.php 
@@ -1,294 +1,73 @@ . - */ - -declare(strict_types=1); - -use Adldap\Schemas\ActiveDirectory; -use Adldap\Schemas\FreeIPA; -use Adldap\Schemas\OpenLDAP; - -/* - * Get schema from .env file. - */ -$schema = OpenLDAP::class; - -if ('FreeIPA' === envNonEmpty('ADLDAP_CONNECTION_SCHEME', 'OpenLDAP')) { - $schema = FreeIPA::class; -} -if ('ActiveDirectory' === envNonEmpty('ADLDAP_CONNECTION_SCHEME', 'OpenLDAP')) { - $schema = ActiveDirectory::class; -} - -/* - * Get SSL parameters from .env file. - */ -$ssl_ca_dir = envNonEmpty('ADLDAP_SSL_CACERTDIR', null); -$ssl_ca_file = envNonEmpty('ADLDAP_SSL_CACERTFILE', null); -$ssl_cert = envNonEmpty('ADLDAP_SSL_CERTFILE', null); -$ssl_key = envNonEmpty('ADLDAP_SSL_KEYFILE', null); -$ssl_ciphers = envNonEmpty('ADLDAP_SSL_CIPHER_SUITE', null); -$ssl_require = envNonEmpty('ADLDAP_SSL_REQUIRE_CERT', null); - -$sslOptions = []; -if (null !== $ssl_ca_dir) { - $sslOptions[LDAP_OPT_X_TLS_CACERTDIR] = $ssl_ca_dir; -} -if (null !== $ssl_ca_file) { - $sslOptions[LDAP_OPT_X_TLS_CACERTFILE] = $ssl_ca_file; -} -if (null !== $ssl_cert) { - $sslOptions[LDAP_OPT_X_TLS_CERTFILE] = $ssl_cert; -} -if (null !== $ssl_key) { - $sslOptions[LDAP_OPT_X_TLS_KEYFILE] = $ssl_key; -} -if (null !== $ssl_ciphers) { - $sslOptions[LDAP_OPT_X_TLS_CIPHER_SUITE] = $ssl_ciphers; -} -if (null !== $ssl_require) { - $sslOptions[LDAP_OPT_X_TLS_REQUIRE_CERT] = $ssl_require; -} - return [ + /* |-------------------------------------------------------------------------- - | Connections + | Default LDAP Connection Name |-------------------------------------------------------------------------- | - | This array stores the connections that are added to Adldap. You can add - | as many connections as you like. - | - | The key is the name of the connection you wish to use and the value is - | an array of configuration settings. + | Here you may specify which of the LDAP connections below you wish + | to use as your default connection for all LDAP operations. 
Of + | course you may add as many connections you'd like below. | */ + + 'default' => env('LDAP_CONNECTION', 'default'), + + /* + |-------------------------------------------------------------------------- + | LDAP Connections + |-------------------------------------------------------------------------- + | + | Below you may configure each LDAP connection your application requires + | access to. Be sure to include a valid base DN - otherwise you may + | not receive any results when performing LDAP search operations. + | + */ + 'connections' => [ 'default' => [ - - /* - |-------------------------------------------------------------------------- - | Auto Connect - |-------------------------------------------------------------------------- - | - | If auto connect is true, Adldap will try to automatically connect to - | your LDAP server in your configuration. This allows you to assume - | connectivity rather than having to connect manually - | in your application. - | - | If this is set to false, you **must** connect manually before running - | LDAP operations. - | - */ - - 'auto_connect' => env('ADLDAP_AUTO_CONNECT', true), - - /* - |-------------------------------------------------------------------------- - | Connection - |-------------------------------------------------------------------------- - | - | The connection class to use to run raw LDAP operations on. - | - | Custom connection classes must implement: - | - | Adldap\Connections\ConnectionInterface - | - */ - - 'connection' => Adldap\Connections\Ldap::class, - - /* - |-------------------------------------------------------------------------- - | Connection Settings - |-------------------------------------------------------------------------- - | - | This connection settings array is directly passed into the Adldap constructor. - | - | Feel free to add or remove settings you don't need. 
- | - */ - - 'settings' => [ - - /* - |-------------------------------------------------------------------------- - | Schema - |-------------------------------------------------------------------------- - | - | The schema class to use for retrieving attributes and generating models. - | - | You can also set this option to `null` to use the default schema class. - | - | For OpenLDAP, you must use the schema: - | - | Adldap\Schemas\OpenLDAP::class - | - | For FreeIPA, you must use the schema: - | - | Adldap\Schemas\FreeIPA::class - | - | Custom schema classes must implement Adldap\Schemas\SchemaInterface - | - */ - - 'schema' => $schema, - - /* - |-------------------------------------------------------------------------- - | Account Prefix - |-------------------------------------------------------------------------- - | - | The account prefix option is the prefix of your user accounts in LDAP directory. - | - | This string is prepended to authenticating users usernames. - | - */ - - 'account_prefix' => env('ADLDAP_ACCOUNT_PREFIX', ''), - - /* - |-------------------------------------------------------------------------- - | Account Suffix - |-------------------------------------------------------------------------- - | - | The account suffix option is the suffix of your user accounts in your LDAP directory. - | - | This string is appended to authenticating users usernames. - | - */ - - 'account_suffix' => env('ADLDAP_ACCOUNT_SUFFIX', ''), - - /* - |-------------------------------------------------------------------------- - | Domain Controllers - |-------------------------------------------------------------------------- - | - | The domain controllers option is an array of servers located on your - | network that serve Active Directory. You can insert as many servers or - | as little as you'd like depending on your forest (with the - | minimum of one of course). - | - | These can be IP addresses of your server(s), or the host name. 
- | - */ - - 'hosts' => explode(' ', env('ADLDAP_CONTROLLERS', '127.0.0.1')), - - /* - |-------------------------------------------------------------------------- - | Port - |-------------------------------------------------------------------------- - | - | The port option is used for authenticating and binding to your LDAP server. - | - */ - - 'port' => env('ADLDAP_PORT', 389), - - /* - |-------------------------------------------------------------------------- - | Timeout - |-------------------------------------------------------------------------- - | - | The timeout option allows you to configure the amount of time in - | seconds that your application waits until a response - | is received from your LDAP server. - | - */ - - 'timeout' => env('ADLDAP_TIMEOUT', 5), - - /* - |-------------------------------------------------------------------------- - | Base Distinguished Name - |-------------------------------------------------------------------------- - | - | The base distinguished name is the base distinguished name you'd - | like to perform query operations on. An example base DN would be: - | - | dc=corp,dc=acme,dc=org - | - | A correct base DN is required for any query results to be returned. - | - */ - - 'base_dn' => env('ADLDAP_BASEDN', 'dc=temp'), - - /* - |-------------------------------------------------------------------------- - | Administrator Username & Password - |-------------------------------------------------------------------------- - | - | When connecting to your LDAP server, a username and password is required - | to be able to query and run operations on your server(s). You can - | use any user account that has these permissions. This account - | does not need to be a domain administrator unless you - | require changing and resetting user passwords. 
- | - */ - - 'username' => env('ADLDAP_ADMIN_USERNAME', ''), - 'password' => env('ADLDAP_ADMIN_PASSWORD', ''), - - /* - |-------------------------------------------------------------------------- - | Follow Referrals - |-------------------------------------------------------------------------- - | - | The follow referrals option is a boolean to tell active directory - | to follow a referral to another server on your network if the - | server queried knows the information your asking for exists, - | but does not yet contain a copy of it locally. - | - | This option is defaulted to false. - | - */ - - 'follow_referrals' => env('ADLDAP_FOLLOW_REFFERALS', false), - - /* - |-------------------------------------------------------------------------- - | SSL & TLS - |-------------------------------------------------------------------------- - | - | If you need to be able to change user passwords on your server, then an - | SSL or TLS connection is required. All other operations are allowed - | on unsecured protocols. - | - | One of these options are definitely recommended if you - | have the ability to connect to your server securely. - | - */ - - 'use_ssl' => env('ADLDAP_USE_SSL', false), - 'use_tls' => env('ADLDAP_USE_TLS', false), - - 'custom_options' => $sslOptions, - ], - + 'hosts' => [env('LDAP_HOST', '127.0.0.1')], + 'username' => env('LDAP_USERNAME', 'cn=user,dc=local,dc=com'), + 'password' => env('LDAP_PASSWORD', 'secret'), + 'port' => env('LDAP_PORT', 389), + 'base_dn' => env('LDAP_BASE_DN', 'dc=local,dc=com'), + 'timeout' => env('LDAP_TIMEOUT', 5), + 'use_ssl' => env('LDAP_SSL', false), + 'use_tls' => env('LDAP_TLS', false), ], ], + /* + |-------------------------------------------------------------------------- + | LDAP Logging + |-------------------------------------------------------------------------- + | + | When LDAP logging is enabled, all LDAP search and authentication + | operations are logged using the default application logging + | driver. 
This can assist in debugging issues and more. + | + */ + + 'logging' => env('LDAP_LOGGING', true), + + /* + |-------------------------------------------------------------------------- + | LDAP Cache + |-------------------------------------------------------------------------- + | + | LDAP caching enables the ability of caching search results using the + | query builder. This is great for running expensive operations that + | may take many seconds to complete, such as a pagination request. + | + */ + + 'cache' => [ + 'enabled' => env('LDAP_CACHE', false), + 'driver' => env('CACHE_DRIVER', 'file'), + ], + ]; diff --git a/config/xldap.php b/config/xldap.php new file mode 100644 index 0000000000..1c2d1b52be --- /dev/null +++ b/config/xldap.php 
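Review bot: The new connection block falls back to a working bind credential when the environment is unset — `'username' => env('LDAP_USERNAME', 'cn=user,dc=local,dc=com')` and `'password' => env('LDAP_PASSWORD', 'secret')` — where the removed block defaulted both to `''`, and because every variable is also renamed from `ADLDAP_*` to `LDAP_*`, an un-migrated deployment will silently bind to `127.0.0.1` with that placeholder, in plaintext, even if it previously set `ADLDAP_USE_TLS=true` (`LDAP_TLS`/`LDAP_SSL` default to `false`). The removed block also passed `LDAP_OPT_X_TLS_CACERTDIR/CACERTFILE/CERTFILE/KEYFILE/CIPHER_SUITE/REQUIRE_CERT` from the `ADLDAP_SSL_*` variables through `custom_options`; the replacement has no equivalent, so server-certificate verification and client-certificate settings are lost for deployments that relied on them. Drop the credential fallbacks so a missing secret fails the bind rather than succeeding against a test directory, reinstate the TLS options in LdapRecord's per-connection option array (sketched below; confirm the key name — I believe it is `options` — against the installed LdapRecord version), and call out the env-variable rename in the upgrade notes. `'logging' => env('LDAP_LOGGING', true)` additionally enables logging of every search and bind by default, which will put DNs and usernames into the application log; consider defaulting it to `false` or saying so in the comment.
```php
'default' => [
    'hosts' => [env('LDAP_HOST', '127.0.0.1')],
    // No credential fallback: an unset variable must fail the bind, not
    // succeed against a placeholder directory.
    'username' => env('LDAP_USERNAME'),
    'password' => env('LDAP_PASSWORD'),
    // … unchanged: port, base_dn, timeout, use_ssl, use_tls …
    // Reinstate the TLS settings the Adldap2 config passed via custom_options,
    // keeping the existing ADLDAP_SSL_* names so current deployments keep
    // verifying certificates. Confirm LdapRecord's option-array key name.
    'options' => array_filter([
        LDAP_OPT_X_TLS_CACERTDIR    => env('ADLDAP_SSL_CACERTDIR'),
        LDAP_OPT_X_TLS_CACERTFILE   => env('ADLDAP_SSL_CACERTFILE'),
        LDAP_OPT_X_TLS_CERTFILE     => env('ADLDAP_SSL_CERTFILE'),
        LDAP_OPT_X_TLS_KEYFILE      => env('ADLDAP_SSL_KEYFILE'),
        LDAP_OPT_X_TLS_CIPHER_SUITE => env('ADLDAP_SSL_CIPHER_SUITE'),
        LDAP_OPT_X_TLS_REQUIRE_CERT => env('ADLDAP_SSL_REQUIRE_CERT'),
    ], function ($value) { return null !== $value && '' !== $value; }),
],
```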
@@ -0,0 +1,294 @@ +. + */ + +declare(strict_types=1); + +use Adldap\Schemas\ActiveDirectory; +use Adldap\Schemas\FreeIPA; +use Adldap\Schemas\OpenLDAP; + +/* + * Get schema from .env file. + */ +$schema = OpenLDAP::class; + +if ('FreeIPA' === envNonEmpty('ADLDAP_CONNECTION_SCHEME', 'OpenLDAP')) { + $schema = FreeIPA::class; +} +if ('ActiveDirectory' === envNonEmpty('ADLDAP_CONNECTION_SCHEME', 'OpenLDAP')) { + $schema = ActiveDirectory::class; +} + +/* + * Get SSL parameters from .env file. + */ +$ssl_ca_dir = envNonEmpty('ADLDAP_SSL_CACERTDIR', null); +$ssl_ca_file = envNonEmpty('ADLDAP_SSL_CACERTFILE', null); +$ssl_cert = envNonEmpty('ADLDAP_SSL_CERTFILE', null); +$ssl_key = envNonEmpty('ADLDAP_SSL_KEYFILE', null); +$ssl_ciphers = envNonEmpty('ADLDAP_SSL_CIPHER_SUITE', null); +$ssl_require = envNonEmpty('ADLDAP_SSL_REQUIRE_CERT', null); + +$sslOptions = []; +if (null !== $ssl_ca_dir) { + $sslOptions[LDAP_OPT_X_TLS_CACERTDIR] = $ssl_ca_dir; +} +if (null !== $ssl_ca_file) { + $sslOptions[LDAP_OPT_X_TLS_CACERTFILE] = $ssl_ca_file; +} +if (null !== $ssl_cert) { + $sslOptions[LDAP_OPT_X_TLS_CERTFILE] = $ssl_cert; +} +if (null !== $ssl_key) { + $sslOptions[LDAP_OPT_X_TLS_KEYFILE] = $ssl_key; +} +if (null !== $ssl_ciphers) { + $sslOptions[LDAP_OPT_X_TLS_CIPHER_SUITE] = $ssl_ciphers; +} +if (null !== $ssl_require) { + $sslOptions[LDAP_OPT_X_TLS_REQUIRE_CERT] = $ssl_require; +} + +return [ + /* + |-------------------------------------------------------------------------- + | Connections + |-------------------------------------------------------------------------- + | + | This array stores the connections that are added to Adldap. You can add + | as many connections as you like. + | + | The key is the name of the connection you wish to use and the value is + | an array of configuration settings. 
+ | + */ + 'connections' => [ + + 'default' => [ + + /* + |-------------------------------------------------------------------------- + | Auto Connect + |-------------------------------------------------------------------------- + | + | If auto connect is true, Adldap will try to automatically connect to + | your LDAP server in your configuration. This allows you to assume + | connectivity rather than having to connect manually + | in your application. + | + | If this is set to false, you **must** connect manually before running + | LDAP operations. + | + */ + + 'auto_connect' => env('ADLDAP_AUTO_CONNECT', true), + + /* + |-------------------------------------------------------------------------- + | Connection + |-------------------------------------------------------------------------- + | + | The connection class to use to run raw LDAP operations on. + | + | Custom connection classes must implement: + | + | Adldap\Connections\ConnectionInterface + | + */ + + 'connection' => Adldap\Connections\Ldap::class, + + /* + |-------------------------------------------------------------------------- + | Connection Settings + |-------------------------------------------------------------------------- + | + | This connection settings array is directly passed into the Adldap constructor. + | + | Feel free to add or remove settings you don't need. + | + */ + + 'settings' => [ + + /* + |-------------------------------------------------------------------------- + | Schema + |-------------------------------------------------------------------------- + | + | The schema class to use for retrieving attributes and generating models. + | + | You can also set this option to `null` to use the default schema class. 
+ | + | For OpenLDAP, you must use the schema: + | + | Adldap\Schemas\OpenLDAP::class + | + | For FreeIPA, you must use the schema: + | + | Adldap\Schemas\FreeIPA::class + | + | Custom schema classes must implement Adldap\Schemas\SchemaInterface + | + */ + + 'schema' => $schema, + + /* + |-------------------------------------------------------------------------- + | Account Prefix + |-------------------------------------------------------------------------- + | + | The account prefix option is the prefix of your user accounts in LDAP directory. + | + | This string is prepended to authenticating users usernames. + | + */ + + 'account_prefix' => env('ADLDAP_ACCOUNT_PREFIX', ''), + + /* + |-------------------------------------------------------------------------- + | Account Suffix + |-------------------------------------------------------------------------- + | + | The account suffix option is the suffix of your user accounts in your LDAP directory. + | + | This string is appended to authenticating users usernames. + | + */ + + 'account_suffix' => env('ADLDAP_ACCOUNT_SUFFIX', ''), + + /* + |-------------------------------------------------------------------------- + | Domain Controllers + |-------------------------------------------------------------------------- + | + | The domain controllers option is an array of servers located on your + | network that serve Active Directory. You can insert as many servers or + | as little as you'd like depending on your forest (with the + | minimum of one of course). + | + | These can be IP addresses of your server(s), or the host name. + | + */ + + 'hosts' => explode(' ', env('ADLDAP_CONTROLLERS', '127.0.0.1')), + + /* + |-------------------------------------------------------------------------- + | Port + |-------------------------------------------------------------------------- + | + | The port option is used for authenticating and binding to your LDAP server. 
+ | + */ + + 'port' => env('ADLDAP_PORT', 389), + + /* + |-------------------------------------------------------------------------- + | Timeout + |-------------------------------------------------------------------------- + | + | The timeout option allows you to configure the amount of time in + | seconds that your application waits until a response + | is received from your LDAP server. + | + */ + + 'timeout' => env('ADLDAP_TIMEOUT', 5), + + /* + |-------------------------------------------------------------------------- + | Base Distinguished Name + |-------------------------------------------------------------------------- + | + | The base distinguished name is the base distinguished name you'd + | like to perform query operations on. An example base DN would be: + | + | dc=corp,dc=acme,dc=org + | + | A correct base DN is required for any query results to be returned. + | + */ + + 'base_dn' => env('ADLDAP_BASEDN', 'dc=temp'), + + /* + |-------------------------------------------------------------------------- + | Administrator Username & Password + |-------------------------------------------------------------------------- + | + | When connecting to your LDAP server, a username and password is required + | to be able to query and run operations on your server(s). You can + | use any user account that has these permissions. This account + | does not need to be a domain administrator unless you + | require changing and resetting user passwords. 
+ | + */ + + 'username' => env('ADLDAP_ADMIN_USERNAME', ''), + 'password' => env('ADLDAP_ADMIN_PASSWORD', ''), + + /* + |-------------------------------------------------------------------------- + | Follow Referrals + |-------------------------------------------------------------------------- + | + | The follow referrals option is a boolean to tell active directory + | to follow a referral to another server on your network if the + | server queried knows the information your asking for exists, + | but does not yet contain a copy of it locally. + | + | This option is defaulted to false. + | + */ + + 'follow_referrals' => env('ADLDAP_FOLLOW_REFFERALS', false), + + /* + |-------------------------------------------------------------------------- + | SSL & TLS + |-------------------------------------------------------------------------- + | + | If you need to be able to change user passwords on your server, then an + | SSL or TLS connection is required. All other operations are allowed + | on unsecured protocols. + | + | One of these options are definitely recommended if you + | have the ability to connect to your server securely. + | + */ + + 'use_ssl' => env('ADLDAP_USE_SSL', false), + 'use_tls' => env('ADLDAP_USE_TLS', false), + + 'custom_options' => $sslOptions, + ], + + ], + + ], + +]; diff --git a/config/ldap_auth.php b/config/xldap_auth.php similarity index 100% rename from config/ldap_auth.php rename to config/xldap_auth.php
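Review bot: `config/xldap.php` is a verbatim copy of the removed Adldap2 configuration and, if this application uses Laravel's default config loading, it will still be evaluated on every boot and dumped by `config:cache` simply because it sits in `config/` — it keeps pulling `ADLDAP_ADMIN_PASSWORD` and the other `ADLDAP_*` variables into the config store under an `xldap` key, and it still calls `envNonEmpty()`, which must remain defined or the file is a fatal error at boot (the `Adldap\Schemas\*::class` references resolve to strings without autoloading, so they are harmless). If the file is kept only as a migration reference, move it out of `config/` or delete it (it remains in git history) rather than prefixing it with `x`; the same applies to the `config/ldap_auth.php` → `config/xldap_auth.php` rename in this commit. If it is meant to stay loaded for a transition period, add a header comment such as `// DEPRECATED: Adldap2 config retained for migration; not read by LdapRecord — remove after cut-over.` so the duplicate credential source is obvious to the next maintainer.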