From 7d06e77125d5ae3039acdbb97c3c847906032b10 Mon Sep 17 00:00:00 2001
From: Russ Long
Date: Thu, 29 Mar 2018 14:56:15 -0400
Subject: [PATCH] Add AD packages

---
 composer.json | 1 +
 composer.lock | 109 ++++++++++++++-
 config/adldap.php | 243 ++++++++++++++++++++++++++++++++
 config/adldap_auth.php | 307 +++++++++++++++++++++++++++++++++++++++++
 4 files changed, 658 insertions(+), 2 deletions(-)
 create mode 100644 config/adldap.php
 create mode 100644 config/adldap_auth.php

diff --git a/composer.json b/composer.json
index 0aa7120..291701d 100644
--- a/composer.json
+++ b/composer.json
@@ -6,6 +6,7 @@
 "type": "project",
 "require": {
 "php": ">=7.0.0",
+ "adldap2/adldap2-laravel": "^4.0",
 "fideloper/proxy": "~3.3",
 "laravel/framework": "5.5.*",
 "laravel/tinker": "~1.0"
diff --git a/composer.lock b/composer.lock
index 94eb9e9..0e848f1 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,9 +4,114 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "hash": "7f1915ec708986f5c88e22e683d74275", - "content-hash": "b7904d07d1e1765a0a199aa11d6301a3", + "hash": "5aab24f0ee97fdfe641b8bd45303e646", + "content-hash": "64501f9652b04ad84b93486cb8cd48a5", "packages": [ + { + "name": "adldap2/adldap2", + "version": "v8.1.4", + "source": { + "type": "git", + "url": "https://github.com/Adldap2/Adldap2.git", + "reference": "2abf3c6cd68ba4d3239fbc761dee4484dfd170d0" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/Adldap2/Adldap2/zipball/2abf3c6cd68ba4d3239fbc761dee4484dfd170d0", + "reference": "2abf3c6cd68ba4d3239fbc761dee4484dfd170d0", + "shasum": "" + }, + "require": { + "ext-ldap": "*", + "illuminate/support": "~5.0", + "php": ">=5.5.9" + }, + "require-dev": { + "mockery/mockery": "~0.9|~1.0", + "phpunit/phpunit": "~4.8|~5.6" + }, + "type": "library", + "autoload": { + "psr-4": { + "Adldap\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Steve Bauman", + "email": "steven_bauman@outlook.com", + "role": "Developer" + } + ], + "description": "A PHP LDAP Package for humans.", + "keywords": [ + "active directory", + "ad", + "adLDAP", + "adldap2", + "directory", + "ldap", + "windows" + ], + "time": "2018-03-29 15:42:37" + }, + { + "name": "adldap2/adldap2-laravel", + "version": "v4.0.7", + "source": { + "type": "git", + "url": "https://github.com/Adldap2/Adldap2-Laravel.git", + "reference": "a48185cb302304e230d6109a7961e920a05ad065" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/Adldap2/Adldap2-Laravel/zipball/a48185cb302304e230d6109a7961e920a05ad065", + "reference": "a48185cb302304e230d6109a7961e920a05ad065", + "shasum": "" + }, + "require": { + "adldap2/adldap2": "^8.0", + "php": ">=7.0" + }, + "require-dev": { + "mockery/mockery": 
"~1.0", + "orchestra/testbench": "~3.2", + "phpunit/phpunit": "~6.0" + }, + "type": "project", + "extra": { + "laravel": { + "providers": [ + "Adldap\\Laravel\\AdldapServiceProvider", + "Adldap\\Laravel\\AdldapAuthServiceProvider" + ], + "aliases": { + "Adldap": "Adldap\\Laravel\\Facades\\Adldap" + } + } + }, + "autoload": { + "psr-4": { + "Adldap\\Laravel\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "description": "LDAP Authentication & Management for Laravel.", + "keywords": [ + "adLDAP", + "adldap2", + "laravel", + "ldap" + ], + "time": "2018-02-17 00:33:05" + }, { "name": "dnoegel/php-xdg-base-dir", "version": "0.1", diff --git a/config/adldap.php b/config/adldap.php new file mode 100644 index 0000000..e22c5c1 --- /dev/null +++ b/config/adldap.php 
@@ -0,0 +1,243 @@ + [ + + 'default' => [ + + /* + |-------------------------------------------------------------------------- + | Auto Connect + |-------------------------------------------------------------------------- + | + | If auto connect is true, Adldap will try to automatically connect to + | your LDAP server in your configuration. This allows you to assume + | connectivity rather than having to connect manually + | in your application. + | + | If this is set to false, you **must** connect manually before running + | LDAP operations. + | + */ + + 'auto_connect' => env('ADLDAP_AUTO_CONNECT', true), + + /* + |-------------------------------------------------------------------------- + | Connection + |-------------------------------------------------------------------------- + | + | The connection class to use to run raw LDAP operations on. + | + | Custom connection classes must implement: + | + | Adldap\Connections\ConnectionInterface + | + */ + + 'connection' => Adldap\Connections\Ldap::class, + + /* + |-------------------------------------------------------------------------- + | Schema + |-------------------------------------------------------------------------- + | + | The schema class to use for retrieving attributes and generating models. + | + | You can also set this option to `null` to use the default schema class. + | + | For OpenLDAP, you must use the schema: + | + | Adldap\Schemas\OpenLDAP::class + | + | For FreeIPA, you must use the schema: + | + | Adldap\Schemas\FreeIPA::class + | + | Custom schema classes must implement Adldap\Schemas\SchemaInterface + | + */ + + 'schema' => Adldap\Schemas\ActiveDirectory::class, + + /* + |-------------------------------------------------------------------------- + | Connection Settings + |-------------------------------------------------------------------------- + | + | This connection settings array is directly passed into the Adldap constructor. + | + | Feel free to add or remove settings you don't need. 
+ | + */ + + 'connection_settings' => [ + + /* + |-------------------------------------------------------------------------- + | Account Prefix + |-------------------------------------------------------------------------- + | + | The account prefix option is the prefix of your user accounts in LDAP directory. + | + | This string is prepended to authenticating users usernames. + | + */ + + 'account_prefix' => env('ADLDAP_ACCOUNT_PREFIX', ''), + + /* + |-------------------------------------------------------------------------- + | Account Suffix + |-------------------------------------------------------------------------- + | + | The account suffix option is the suffix of your user accounts in your LDAP directory. + | + | This string is appended to authenticating users usernames. + | + */ + + 'account_suffix' => env('ADLDAP_ACCOUNT_SUFFIX', ''), + + /* + |-------------------------------------------------------------------------- + | Domain Controllers + |-------------------------------------------------------------------------- + | + | The domain controllers option is an array of servers located on your + | network that serve Active Directory. You can insert as many servers or + | as little as you'd like depending on your forest (with the + | minimum of one of course). + | + | These can be IP addresses of your server(s), or the host name. + | + */ + + 'domain_controllers' => explode(' ', env('ADLDAP_CONTROLLERS', 'corp-dc1.corp.acme.org corp-dc2.corp.acme.org')), + + /* + |-------------------------------------------------------------------------- + | Port + |-------------------------------------------------------------------------- + | + | The port option is used for authenticating and binding to your LDAP server. 
+ | + */ + + 'port' => env('ADLDAP_PORT', 389), + + /* + |-------------------------------------------------------------------------- + | Timeout + |-------------------------------------------------------------------------- + | + | The timeout option allows you to configure the amount of time in + | seconds that your application waits until a response + | is received from your LDAP server. + | + */ + + 'timeout' => env('ADLDAP_TIMEOUT', 5), + + /* + |-------------------------------------------------------------------------- + | Base Distinguished Name + |-------------------------------------------------------------------------- + | + | The base distinguished name is the base distinguished name you'd + | like to perform query operations on. An example base DN would be: + | + | dc=corp,dc=acme,dc=org + | + | A correct base DN is required for any query results to be returned. + | + */ + + 'base_dn' => env('ADLDAP_BASEDN', 'dc=corp,dc=acme,dc=org'), + + /* + |-------------------------------------------------------------------------- + | Administrator Account Suffix / Prefix + |-------------------------------------------------------------------------- + | + | This option allows you to set a different account prefix and suffix + | for your configured administrator account upon binding. + | + | If left empty or set to `null`, your `account_prefix` and + | `account_suffix` options above will be used. + | + */ + + 'admin_account_prefix' => env('ADLDAP_ADMIN_ACCOUNT_PREFIX', ''), + 'admin_account_suffix' => env('ADLDAP_ADMIN_ACCOUNT_SUFFIX', ''), + + /* + |-------------------------------------------------------------------------- + | Administrator Username & Password + |-------------------------------------------------------------------------- + | + | When connecting to your LDAP server, a username and password is required + | to be able to query and run operations on your server(s). You can + | use any user account that has these permissions. 
This account + | does not need to be a domain administrator unless you + | require changing and resetting user passwords. + | + */ + + 'admin_username' => env('ADLDAP_ADMIN_USERNAME', 'username'), + 'admin_password' => env('ADLDAP_ADMIN_PASSWORD', 'password'), + + /* + |-------------------------------------------------------------------------- + | Follow Referrals + |-------------------------------------------------------------------------- + | + | The follow referrals option is a boolean to tell active directory + | to follow a referral to another server on your network if the + | server queried knows the information your asking for exists, + | but does not yet contain a copy of it locally. + | + | This option is defaulted to false. + | + */ + + 'follow_referrals' => false, + + /* + |-------------------------------------------------------------------------- + | SSL & TLS + |-------------------------------------------------------------------------- + | + | If you need to be able to change user passwords on your server, then an + | SSL or TLS connection is required. All other operations are allowed + | on unsecured protocols. + | + | One of these options are definitely recommended if you + | have the ability to connect to your server securely. + | + */ + + 'use_ssl' => env('ADLDAP_USE_SSL', false), + 'use_tls' => env('ADLDAP_USE_TLS', false), + + ], + + ], + + ], + +]; diff --git a/config/adldap_auth.php b/config/adldap_auth.php new file mode 100644 index 0000000..adc6dd2 --- /dev/null +++ b/config/adldap_auth.php 
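Review bot: In the `connection_settings` block, `admin_username` and `admin_password` fall back to the literal placeholders `'username'` and `'password'` when the env vars are unset, so a missing `.env` entry yields bind attempts with placeholder credentials instead of a visible configuration error; `'admin_username' => env('ADLDAP_ADMIN_USERNAME'),` and `'admin_password' => env('ADLDAP_ADMIN_PASSWORD'),` (null by default) would fail loudly at the first bind. In the same block `use_ssl` and `use_tls` both default to `false` and `port` to 389, so with a stock `.env` the bind password crosses the network unencrypted; `'use_tls' => env('ADLDAP_USE_TLS', true),` or at least a comment above those two keys stating that the shipped default is a plaintext connection would make the trade-off explicit. Separately, `explode(' ', env('ADLDAP_CONTROLLERS', …))` for `domain_controllers` produces empty host entries on a stray double space; wrapping it as `array_filter(explode(' ', env('ADLDAP_CONTROLLERS', '…')))` avoids passing an empty host to the connection.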
@@ -0,0 +1,307 @@ + env('ADLDAP_CONNECTION', 'default'), + + /* + |-------------------------------------------------------------------------- + | Provider + |-------------------------------------------------------------------------- + | + | The LDAP authentication provider to use depending + | if you require database synchronization. + | + | For synchronizing LDAP users to your local applications database, use the provider: + | + | Adldap\Laravel\Auth\DatabaseUserProvider::class + | + | Otherwise, if you just require LDAP authentication, use the provider: + | + | Adldap\Laravel\Auth\NoDatabaseUserProvider::class + | + */ + + 'provider' => Adldap\Laravel\Auth\DatabaseUserProvider::class, + + /* + |-------------------------------------------------------------------------- + | Rules + |-------------------------------------------------------------------------- + | + | Rules allow you to control user authentication requests depending on scenarios. + | + | You can create your own rules and insert them here. + | + | All rules must extend from the following class: + | + | Adldap\Laravel\Validation\Rules\Rule + | + */ + + 'rules' => [ + + // Denys deleted users from authenticating. + + Adldap\Laravel\Validation\Rules\DenyTrashed::class, + + // Allows only manually imported users to authenticate. + + // Adldap\Laravel\Validation\Rules\OnlyImported::class, + + ], + + /* + |-------------------------------------------------------------------------- + | Scopes + |-------------------------------------------------------------------------- + | + | Scopes allow you to restrict the LDAP query that locates + | users upon import and authentication. + | + | All scopes must implement the following interface: + | + | Adldap\Laravel\Scopes\ScopeInterface + | + */ + + 'scopes' => [ + + // Only allows users with a user principal name to authenticate. + // Remove this if you're using OpenLDAP. + Adldap\Laravel\Scopes\UpnScope::class, + + // Only allows users with a uid to authenticate. 
+ // Uncomment if you're using OpenLDAP. + // Adldap\Laravel\Scopes\UidScope::class, + + ], + + 'usernames' => [ + + /* + |-------------------------------------------------------------------------- + | LDAP + |-------------------------------------------------------------------------- + | + | Discover: + | + | The discover value is the users attribute you would + | like to locate LDAP users by in your directory. + | + | For example, using the default configuration below, if you're + | authenticating users with an email address, your LDAP server + | will be queried for a user with the a `userprincipalname` + | equal to the entered email address. + | + | Authenticate: + | + | The authenticate value is the users attribute you would + | like to use to bind to your LDAP server. + | + | For example, when a user is located by the above 'discover' + | attribute, the users attribute you specify below will + | be used as the username to bind to your LDAP server. + | + */ + + 'ldap' => [ + + 'discover' => 'userprincipalname', + + 'authenticate' => 'distinguishedname', + + ], + + /* + |-------------------------------------------------------------------------- + | Eloquent + |-------------------------------------------------------------------------- + | + | The value you enter is the database column name used for locating + | the local database record of the authenticating user. + | + | If you're using a `username` column instead, change this to `username`. + | + | This option is only applicable to the DatabaseUserProvider. + | + */ + + 'eloquent' => 'email', + + /* + |-------------------------------------------------------------------------- + | Windows Authentication Middleware (SSO) + |-------------------------------------------------------------------------- + | + | Discover: + | + | The 'discover' value is the users attribute you would + | like to locate LDAP users by in your directory. 
+ | + | For example, if 'samaccountname' is the value, then your LDAP server is + | queried for a user with the 'samaccountname' equal to the value of + | $_SERVER['AUTH_USER']. + | + | If a user is found, they are imported (if using the DatabaseUserProvider) + | into your local database, then logged in. + | + | Key: + | + | The 'key' value represents the 'key' of the $_SERVER + | array to pull the users account name from. + | + | For example, $_SERVER['AUTH_USER']. + | + */ + + 'windows' => [ + + 'discover' => 'samaccountname', + + 'key' => 'AUTH_USER', + + ], + + ], + + 'passwords' => [ + + /* + |-------------------------------------------------------------------------- + | Password Sync + |-------------------------------------------------------------------------- + | + | The password sync option allows you to automatically synchronize users + | LDAP passwords to your local database. These passwords are hashed + | natively by Laravel using the bcrypt() method. + | + | Enabling this option would also allow users to login to their accounts + | using the password last used when an LDAP connection was present. + | + | If this option is disabled, the local database account is applied a + | random 16 character hashed password upon every login, and will + | lose access to this account upon loss of LDAP connectivity. + | + | This option must be true or false and is only applicable + | to the DatabaseUserProvider. + | + */ + + 'sync' => env('ADLDAP_PASSWORD_SYNC', false), + + /* + |-------------------------------------------------------------------------- + | Column + |-------------------------------------------------------------------------- + | + | This is the column of your users database table + | that is used to store passwords. + | + | Set this to `null` if you do not have a password column. + | + | This option is only applicable to the DatabaseUserProvider. 
+ | + */ + + 'column' => 'password', + + ], + + /* + |-------------------------------------------------------------------------- + | Login Fallback + |-------------------------------------------------------------------------- + | + | The login fallback option allows you to login as a user located on the + | local database if active directory authentication fails. + | + | Set this to true if you would like to enable it. + | + | This option must be true or false and is only + | applicable to the DatabaseUserProvider. + | + */ + + 'login_fallback' => env('ADLDAP_LOGIN_FALLBACK', false), + + /* + |-------------------------------------------------------------------------- + | Sync Attributes + |-------------------------------------------------------------------------- + | + | Attributes specified here will be added / replaced on the user model + | upon login, automatically synchronizing and keeping the attributes + | up to date. + | + | The array key represents the users Laravel model key, and + | the value represents the users LDAP attribute. + | + | This option must be an array and is only applicable + | to the DatabaseUserProvider. + | + */ + + 'sync_attributes' => [ + + 'email' => 'userprincipalname', + + 'name' => 'cn', + + ], + + /* + |-------------------------------------------------------------------------- + | Logging + |-------------------------------------------------------------------------- + | + | User authentication attempts will be logged using Laravel's + | default logger if this setting is enabled. + | + | No credentials are logged, only usernames. + | + | This is usually stored in the '/storage/logs' directory + | in the root of your application. + | + | This option is useful for debugging as well as auditing. + | + | You can freely remove any events you would not like to log below, + | as well as use your own listeners if you would prefer. 
+ | + */ + + 'logging' => [ + + 'enabled' => true, + + 'events' => [ + + \Adldap\Laravel\Events\Importing::class => \Adldap\Laravel\Listeners\LogImport::class, + \Adldap\Laravel\Events\Synchronized::class => \Adldap\Laravel\Listeners\LogSynchronized::class, + \Adldap\Laravel\Events\Synchronizing::class => \Adldap\Laravel\Listeners\LogSynchronizing::class, + \Adldap\Laravel\Events\Authenticated::class => \Adldap\Laravel\Listeners\LogAuthenticated::class, + \Adldap\Laravel\Events\Authenticating::class => \Adldap\Laravel\Listeners\LogAuthentication::class, + \Adldap\Laravel\Events\AuthenticationFailed::class => \Adldap\Laravel\Listeners\LogAuthenticationFailure::class, + \Adldap\Laravel\Events\AuthenticationRejected::class => \Adldap\Laravel\Listeners\LogAuthenticationRejection::class, + \Adldap\Laravel\Events\AuthenticationSuccessful::class => \Adldap\Laravel\Listeners\LogAuthenticationSuccess::class, + \Adldap\Laravel\Events\DiscoveredWithCredentials::class => \Adldap\Laravel\Listeners\LogDiscovery::class, + \Adldap\Laravel\Events\AuthenticatedWithWindows::class => \Adldap\Laravel\Listeners\LogWindowsAuth::class, + \Adldap\Laravel\Events\AuthenticatedModelTrashed::class => \Adldap\Laravel\Listeners\LogTrashedModel::class, + + ], + ], + +];
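Review bot: The `logging.events` map writes its class names with a leading backslash (`\Adldap\Laravel\Events\Importing::class => \Adldap\Laravel\Listeners\LogImport::class`) while every other FQCN in this file (`provider`, `rules`, `scopes`) is written without one; presumably this is a plain global-namespace config file like its sibling, where the leading `\` adds nothing, so dropping it in this block keeps the file consistent. The `windows.key` entry points the SSO middleware at `$_SERVER['AUTH_USER']`, and the surrounding comment gives no hint that the value is only meaningful when the web server itself populates it from an authenticated Windows session; a short comment on that key such as `// Only valid when the web server (e.g. IIS) sets AUTH_USER from Windows authentication; leave the SSO middleware unregistered otherwise.` would spare the next maintainer an unsafe assumption.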