Allow admin to turn LDAP password sync off.

This is added to handle customers/users with a security policy that prohibits third parties or external databases from storing LDAP passwords.
This commit is contained in:
snipe 2016-08-04 14:29:28 -07:00
parent 29eadb10ae
commit 1d3255a00b
6 changed files with 73 additions and 4 deletions


@ -108,7 +108,7 @@ class AuthController extends Controller
LOG::debug("Creating local user ".Input::get('username')); LOG::debug("Creating local user ".Input::get('username'));
if ($newuser = Ldap::createUserFromLdap($userattr)) { if ($newuser = Ldap::createUserFromLdap($userattr)) {
LOG::debug("Local user created.."); LOG::debug("Local user created.");
} else { } else {
LOG::debug("Could not create local user."); LOG::debug("Could not create local user.");
} }
@ -131,12 +131,21 @@ class AuthController extends Controller
LOG::debug("Valid LDAP login. Updating the local data."); LOG::debug("Valid LDAP login. Updating the local data.");
$user->password = bcrypt($request->input('password')); if (Setting::getSettings()->ldap_pw_sync=='1') {
$user->password = bcrypt($request->input('password'));
}
$user->email = $ldap_attr['email']; $user->email = $ldap_attr['email'];
$user->first_name = $ldap_attr['firstname']; $user->first_name = $ldap_attr['firstname'];
$user->last_name = $ldap_attr['lastname']; $user->last_name = $ldap_attr['lastname'];
$user->save(); $user->save();
if (Setting::getSettings()->ldap_pw_sync!='1') {
Auth::login($user, true);
// Redirect to the users page
return redirect()->to('/home')->with('success', trans('auth/message.signin.success'));
}
} else { } else {
LOG::debug("User ".Input::get('username')." did not authenticate correctly against LDAP. Local user was not updated."); LOG::debug("User ".Input::get('username')." did not authenticate correctly against LDAP. Local user was not updated.");
}// End LDAP auth }// End LDAP auth
@ -146,14 +155,17 @@ class AuthController extends Controller
// NO LDAP enabled - just try to login the user normally // NO LDAP enabled - just try to login the user normally
} }
LOG::debug("Authenticating user against database."); LOG::debug("Authenticating user against database.");
// Try to log the user in // Try to log the user in
if (!Auth::attempt(Input::only('username', 'password'), Input::get('remember-me', 0))) { if (!Auth::attempt(Input::only('username', 'password'), Input::get('remember-me', 0))) {
LOG::debug("Local authentication failed."); LOG::debug("Local authentication failed.");
// throw new Cartalyst\Sentry\Users\UserNotFoundException(); // throw new Cartalyst\Sentry\Users\UserNotFoundException();
return redirect()->back()->withInput()->with('error', trans('auth/message.account_not_found')); return redirect()->back()->withInput()->with('error', trans('auth/message.account_not_found'));
} }
// Get the page we were before // Get the page we were before
$redirect = \Session::get('loginRedirect', 'home'); $redirect = \Session::get('loginRedirect', 'home');
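Review bot: Turning sync off only skips the `bcrypt` write at the top of the second hunk, so a hash synced from an earlier login stays in the `password` column and, as far as the third hunk shows, is still accepted by the database `Auth::attempt` below; if the intent is that no LDAP-derived password is kept, the disabled branch should overwrite it, e.g. `$user->password = bcrypt(str_random(25));`, as `createUserFromLdap` now does for new users. The bypass added after `$user->save()` also hard-codes `Auth::login($user, true)`, issuing a persistent remember-me cookie regardless of the form's `remember-me` value that the normal path passes to `Auth::attempt`; `Auth::login($user, (bool) Input::get('remember-me', 0));` keeps both paths consistent. It likewise redirects straight to `/home` instead of the `loginRedirect` session value read at the end of the third hunk. The enclosing login method starts before the first hunk and ends after the last.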


@ -417,6 +417,7 @@ class SettingsController extends Controller
$setting->ad_domain = e(Input::get('ad_domain')); $setting->ad_domain = e(Input::get('ad_domain'));
$setting->is_ad = e(Input::get('is_ad', '0')); $setting->is_ad = e(Input::get('is_ad', '0'));
$setting->ldap_tls = e(Input::get('ldap_tls', '0')); $setting->ldap_tls = e(Input::get('ldap_tls', '0'));
$setting->ldap_pw_sync = e(Input::get('ldap_pw_sync', '0'));
// If validation fails, we'll exit the operation now. // If validation fails, we'll exit the operation now.
if ($setting->save()) { if ($setting->save()) {
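Review bot: The new `ldap_pw_sync` value is stored through `e()` like its neighbours, but the column is a boolean and the login code compares it with `=='1'`, so any other posted string is silently treated as sync disabled; normalising at the boundary with `$setting->ldap_pw_sync = Input::get('ldap_pw_sync', '0') === '1' ? 1 : 0;` (or a validation rule restricting it to 0/1) makes the stored value unambiguous. The surrounding method starts and ends outside the hunk.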


@ -191,6 +191,7 @@ class Ldap extends Model
{ {
$item = Ldap::parseAndMapLdapAttributes($ldapatttibutes); $item = Ldap::parseAndMapLdapAttributes($ldapatttibutes);
// Create user from LDAP data // Create user from LDAP data
if (!empty($item["username"])) { if (!empty($item["username"])) {
$user = new User; $user = new User;
@ -198,7 +199,14 @@ class Ldap extends Model
$user->last_name = $item["lastname"]; $user->last_name = $item["lastname"];
$user->username = $item["username"]; $user->username = $item["username"];
$user->email = $item["email"]; $user->email = $item["email"];
$user->password = bcrypt(Input::get("password"));
if (Setting::getSettings()->ldap_pw_sync=='1') {
$user->password = bcrypt(Input::get("password"));
} else {
$pass = substr(str_shuffle("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, 25);
$user->password = bcrypt($pass);
}
$user->activated = 1; $user->activated = 1;
$user->ldap_import = 1; $user->ldap_import = 1;
$user->notes = 'Imported on first login from LDAP'; $user->notes = 'Imported on first login from LDAP';
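Review bot: The placeholder password in the new `else` branch is built with `str_shuffle`, which draws from a non-cryptographic generator and only permutes a fixed 62-character string, so the value is far less unpredictable than its length suggests; since the account is not meant to be usable for local login, generate it from a CSPRNG-backed helper instead, e.g. `$user->password = bcrypt(str_random(25));`. A one-line comment above the branch, `// Sync disabled: store a throwaway random hash so the LDAP password is never persisted locally`, would make the intent clear to the next reader. `createUserFromLdap`'s signature sits just above the first hunk and the method continues past the second.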


@ -0,0 +1,31 @@
<?php
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Database\Migrations\Migration;
class AddDisallowLdapPwSyncToSettings extends Migration
{
/**
* Run the migrations.
*
* @return void
*/
public function up()
{
Schema::table('settings', function (Blueprint $table) {
$table->boolean('ldap_pw_sync')->default(1);
});
}
/**
* Reverse the migrations.
*
* @return void
*/
public function down()
{
Schema::table('settings', function ($table) {
$table->dropColumn('ldap_pw_sync');
});
}
}
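Review bot: The `down()` closure drops the `Blueprint $table` type hint that `up()` declares; `Schema::table('settings', function (Blueprint $table) {` keeps the two consistent. The class name `AddDisallowLdapPwSyncToSettings` also reads as the inverse of the column it creates, where `ldap_pw_sync` defaulting to `1` means syncing stays on; a comment on the column line such as `// 1 = store the LDAP password as the local bcrypt hash on login; 0 = never store LDAP-derived passwords` would spare a reader from having to check the controllers.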


@ -51,6 +51,8 @@ return array(
'ldap_pword' => 'LDAP Bind Password', 'ldap_pword' => 'LDAP Bind Password',
'ldap_basedn' => 'Base Bind DN', 'ldap_basedn' => 'Base Bind DN',
'ldap_filter' => 'LDAP Filter', 'ldap_filter' => 'LDAP Filter',
'ldap_pw_sync' => 'LDAP Password Sync',
'ldap_pw_sync_help' => 'Uncheck this box if you do not wish to keep LDAP passwords synced with local passwords. Disabling this means that your users may not be able to login if your LDAP server is unreachable for some reason.',
'ldap_username_field' => 'Username Field', 'ldap_username_field' => 'Username Field',
'ldap_lname_field' => 'Last Name', 'ldap_lname_field' => 'Last Name',
'ldap_fname_field' => 'LDAP First Name', 'ldap_fname_field' => 'LDAP First Name',


@ -705,6 +705,21 @@
</div> </div>
<!-- /.form-group --> <!-- /.form-group -->
<!-- LDAP Password Sync -->
<div class="form-group">
<div class="col-md-3">
{{ Form::label('is_ad', trans('admin/settings/general.ldap_pw_sync')) }}
</div>
<div class="col-md-9">
{{ Form::checkbox('ldap_pw_sync', '1', Input::old('ldap_pw_sync', $setting->ldap_pw_sync),array('class' => 'minimal')) }}
{{ trans('general.yes') }}
<p class="help-block">{{ trans('admin/settings/general.ldap_pw_sync_help') }}</p>
{!! $errors->first('ldap_pw_sync', '<span class="alert-msg">:message</span>') !!}
</div>
</div>
<!-- /.form-group -->
<!-- AD Domain --> <!-- AD Domain -->
<div class="form-group {{ $errors->has('ad_domain') ? 'error' : '' }}"> <div class="form-group {{ $errors->has('ad_domain') ? 'error' : '' }}">
<div class="col-md-3"> <div class="col-md-3">
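Review bot: The label in the new form group is bound to `is_ad` rather than the field it describes, which would associate it with the Active Directory checkbox instead of the new one; change it to `{{ Form::label('ldap_pw_sync', trans('admin/settings/general.ldap_pw_sync')) }}`. The wrapping `div` also omits the `{{ $errors->has('ldap_pw_sync') ? 'error' : '' }}` class that the neighbouring AD Domain group carries, so the validation message rendered below it would appear without the error styling. The enclosing form markup lies outside the hunk.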