FreeIPA Auth Adaptor for LibreTime

Allow delegating user authentication to FreeIPA rather than having it be checked against the database.
2017-03-18 19:15:20 +01:00 · 2017-03-18 19:15:20 +01:00 · aa5bc06d74
commit aa5bc06d74
parent a01c7c23ec
8 changed files with 371 additions and 2 deletions
--- a/airtime_mvc/application/models/Auth.php
+++ b/airtime_mvc/application/models/Auth.php
@ -76,7 +76,10 @@ class Application_Model_Auth
    public static function getAuthAdapter()
    {
        $CC_CONFIG = Config::getConfig();
-        
+        if ($CC_CONFIG['auth'] !== 'local') {
+            return self::getCustomAuthAdapter($CC_CONFIG['auth']);
+        }
+  
        // Database config        
        $db = Zend_Db::factory('PDO_' . $CC_CONFIG['dsn']['phptype'], array(
            'host'     => $CC_CONFIG['dsn']['hostspec'],
@ -95,6 +98,15 @@ class Application_Model_Auth
        return $authAdapter;
    }

+    /**
+     * Gets an alternative Adapter that does not need to auth agains a databse table
+     *
+     * @return object
+     */
+    public static function getCustomAuthAdapter($adaptor) {
+        return new $adaptor();
+    }
+
    /**
     * Get random string
     *
--- a/airtime_mvc/application/models/FreeIpa.php
+++ b/airtime_mvc/application/models/FreeIpa.php
@ -0,0 +1,74 @@
+<?php
+
+class LibreTime_Model_FreeIpa {
+
+    /**
+     * get userinfo in the format needed by the Auth Adaptor
+     *
+     * @return array
+     */
+    public static function GetUserInfo($username)
+    {
+        $config = Config::getConfig();
+        $conn = self::_getLdapConnection();
+
+        $ldapResults = $conn->search(sprintf('%s=%s', $config['ldap_filter_field'], $username, $config['ldap_basedn']));
+
+        if ($ldapResults->count() !== 1) {
+            throw new Exception('Could not find logged user in LDAP');
+        }
+        $ldapUser = $ldapResults->getFirst();
+
+        $groupMap = array(
+            UTYPE_GUEST           => $config['ldap_groupmap_guest'],
+            UTYPE_HOST            => $config['ldap_groupmap_host'],
+            UTYPE_PROGRAM_MANAGER => $config['ldap_groupmap_program_manager'],
+            UTYPE_ADMIN           => $config['ldap_groupmap_admin'],
+            UTYPE_SUPERADMIN      => $config['ldap_groupmap_superadmin'],
+        );
+        $type = UTYPE_GUEST;
+        foreach ($groupMap as $groupType => $group) {
+            if (in_array($group, $ldapUser['memberof'])) {
+                $type = $groupType;
+            }
+        }
+
+        // grab first value for multivalue field
+        $firstName = $ldapUser['givenname'][0];
+        $lastName = $ldapUser['sn'][0];
+        $mail = $ldapUser['mail'][0];
+
+        // return full user info for auth adapter
+        return array(
+            'type'       => $type,
+            'first_name' => $firstName,
+            'last_name'  => $lastName,
+            'email'      => $mail,
+            'cell_phone' => '', # empty since I did not find it in ldap
+            'skype'      => '', # empty until we decide on a field
+            'jabber'     => ''  # empty until we decide on a field
+        );
+    }
+
+    /**
+     * Bind to ldap so we can fetch additional user info
+     *
+     * @return Zend_Ldap
+     */
+    private static function _getLdapConnection()
+    {
+        $config = Config::getConfig();
+       
+        $options = array(
+            'host'              => $config['ldap_hostname'],
+            'username'          => $config['ldap_binddn'],
+            'password'          => $config['ldap_password'],
+            'bindRequiresDn'    => true,
+            'accountDomainName' => $config['ldap_account_domain'],
+            'baseDn'            => $config['ldap_basedn']
+        );
+        $conn = new Zend_Ldap($options);
+        $conn->connect();
+        return $conn;
+    }
+}