diff --git a/CHANGES.md b/CHANGES.md
index a894394d..94e97f33 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -3,6 +3,8 @@ ## 2.2.4 (...)
 - introduce `userIdAttribute` for `FormLdapAuthentication` to "normalize" the user ID used inside the VPN service (issue #151)
+- implement `addRealm` option for `FormLdapAuthentication` that adds a provided
+ domain to the user specified "authUser" if no domain is specified yet
 ## 2.2.3 (2020-03-23)
 - add German portal translation
diff --git a/CONFIG_CHANGES.md b/CONFIG_CHANGES.md
index 1257e195..37c089f5 100644
--- a/CONFIG_CHANGES.md
+++ b/CONFIG_CHANGES.md
@@ -19,6 +19,12 @@ will be used as the user ID. For example: If not provided, the exact user ID used for binding to the LDAP server will be used as the user ID in the VPN service.
+You can also specify the `addRealm` option that takes a `string` value that
+will add a "realm" to the users specified "authUser". For example, if the user
+provides `foo`, an `addRealm` with value `example.org` would convert the
+"authUser" to `foo@example.org`. If the user specifies `foo@bar.com` and the
+`addRealm` value is `example.org` nothing will be changed.
+
 ## 2.2.3
 We added the translation for German (Germany). You can add it to
diff --git a/src/FormLdapAuthentication.php b/src/FormLdapAuthentication.php
index 7cd2b811..94987bf7 100644
--- a/src/FormLdapAuthentication.php
+++ b/src/FormLdapAuthentication.php
@@ -29,6 +29,7 @@ public function __construct(Config $config, SessionInterface $session, TplInterf
 $config->optionalItem('baseDn'),
 $config->optionalItem('userFilterTemplate'),
 $config->optionalItem('userIdAttribute'),
+ $config->optionalItem('addRealm'),
 $config->optionalItem('permissionAttribute')
 );
diff --git a/src/LdapAuth.php b/src/LdapAuth.php
index 9e44dd75..a8919801 100644
--- a/src/LdapAuth.php
+++ b/src/LdapAuth.php
@@ -34,6 +34,9 @@ class LdapAuth implements CredentialValidatorInterface
 /** @var string|null */
 private $userIdAttribute;
+ /** @var string|null */
+ private $addRealm;
+
 /** @var string|null */
 private $permissionAttribute;
@@ -42,9 +45,10 @@ class LdapAuth implements CredentialValidatorInterface
 * @param string|null $baseDn
 * @param string|null $userFilterTemplate
 * @param string|null $userIdAttribute
+ * @param string|null $addRealm
 * @param string|null $permissionAttribute
 */
- public function __construct(LoggerInterface $logger, LdapClient $ldapClient, $bindDnTemplate, $baseDn, $userFilterTemplate, $userIdAttribute, $permissionAttribute)
+ public function __construct(LoggerInterface $logger, LdapClient $ldapClient, $bindDnTemplate, $baseDn, $userFilterTemplate, $userIdAttribute, $addRealm, $permissionAttribute)
 {
 $this->logger = $logger;
 $this->ldapClient = $ldapClient;
@@ -52,6 +56,7 @@ public function __construct(LoggerInterface $logger, LdapClient $ldapClient, $bi
 $this->baseDn = $baseDn;
 $this->userFilterTemplate = $userFilterTemplate;
 $this->userIdAttribute = $userIdAttribute;
+ $this->addRealm = $addRealm;
 $this->permissionAttribute = $permissionAttribute;
 }
@@ -63,6 +68,13 @@ public function __construct(LoggerInterface $logger, LdapClient $ldapClient, $bi
 */
 public function isValid($authUser, $authPass)
 {
+ // add "realm" after user name if none is specified
+ if (null !== $addRealm = $this->addRealm) {
+ if (false === strpos($authUser, '@')) {
+ $authUser .= '@'.$addRealm;
+ }
+ }
+
 $bindDn = str_replace('{{UID}}', LdapClient::escapeDn($authUser), $this->bindDnTemplate);
 try {
 $this->ldapClient->bind($bindDn, $authPass);
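Review bot: The new `@param string|null $addRealm` line in the constructor docblock gives only the type, and this docblock is the one place in code where the option's contract is stated; spell out the behaviour, e.g. `@param string|null $addRealm realm appended as "@realm" to authUser when authUser contains no "@"; null leaves authUser unchanged`. The `/** @var string|null */` added above the `$addRealm` property in the first hunk would benefit from the same one-line description.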
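Review bot: The guard in the new block of isValid only checks for `null`, so an `addRealm` configured as the empty string turns `foo` into `foo@` before it reaches the bind DN; treating empty as unset keeps such a misconfiguration from altering the bind name: `if ('' !== (string) $this->addRealm && false === strpos($authUser, '@')) {` followed by `$authUser .= '@'.$this->addRealm;`. The comment above the block should also state that this is a default rather than a restriction: any `$authUser` already containing `@`, including a bare `foo@` or a different realm, is passed through unchanged, so the option does not pin users to the configured realm. Appending the realm before `LdapClient::escapeDn($authUser)` on the following line is the right order, since the escaped value is what goes into the bind DN. isValid continues beyond the hunk, so whether the realm-qualified `$authUser` also becomes the returned user ID when `userIdAttribute` is unset cannot be confirmed from here.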