From: umorigu
Date: Sat, 13 Feb 2016 00:45:44 +0000 (+0900)
Subject: BugTrack2/362 Support ldaps(SSL) - Secure LDAP server connection
X-Git-Tag: r1_5_1~12
X-Git-Url: http://git.osdn.net/view?p=pukiwiki%2Fpukiwiki.git;a=commitdiff_plain;h=f50271d7309dbc61fdcc612d889ee0aeef48582c

BugTrack2/362 Support ldaps(SSL) - Secure LDAP server connection
---

diff --git a/lib/auth.php b/lib/auth.php
index 88b6642..2e72138 100644
--- a/lib/auth.php
+++ b/lib/auth.php
@@ -244,7 +244,7 @@ function ensure_valid_auth_user()
 {
 global $auth_type, $auth_users, $_msg_auth, $auth_user, $auth_groups;
 global $auth_user_groups, $auth_user_fullname;
- global $auth_provider_user_prefix, $ldap_user_account;
+ global $ldap_user_account;
 global $read_auth, $edit_auth;
 if ($read_auth || $edit_auth) {
 switch ($auth_type) {
@@ -399,41 +399,38 @@ function form_auth($username, $password) function ldap_auth($username, $password) { - global $ldap_url, $ldap_bind_dn, $ldap_bind_password; - if (preg_match('#^(ldap\:\/\/[^/]+/)(.*)$#', $ldap_url, $m)) { - $ldap_server = $m[1]; - $ldap_base_dn = $m[2]; - $ldapconn = ldap_connect($ldap_server); - if ($ldapconn) { - ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3); - if (preg_match('#\$login\b#', $ldap_bind_dn)) { - // Bind by user credential - $bind_dn_user = preg_replace('#\$login#', $username, $ldap_bind_dn); - $ldap_bind_user = ldap_bind($ldapconn, $bind_dn_user, $password); - if ($ldap_bind_user) { - $user_info = get_ldap_user_info($ldapconn, $username, $ldap_base_dn); - if ($user_info) { + global $ldap_server, $ldap_base_dn, $ldap_bind_dn, $ldap_bind_password; + $ldapconn = ldap_connect($ldap_server); + if ($ldapconn) { + ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3); + ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0); + if (preg_match('#\$login\b#', $ldap_bind_dn)) { + // Bind by user credential + $bind_dn_user = preg_replace('#\$login#', $username, $ldap_bind_dn); + $ldap_bind_user = ldap_bind($ldapconn, $bind_dn_user, $password); + if ($ldap_bind_user) { + $user_info = get_ldap_user_info($ldapconn, $username, $ldap_base_dn); + if ($user_info) { + session_regenerate_id(true); // require: PHP5.1+ + $_SESSION['authenticated_user'] = $user_info['uid']; + $_SESSION['authenticated_user_fullname'] = $user_info['fullname']; + return true; + } + } + } else { + // Bind by bind dn + $ldap_bind = ldap_bind($ldapconn, $ldap_bind_dn, $ldap_bind_password); + if ($ldap_bind) { + $user_info = get_ldap_user_info($ldapconn, $username, $ldap_base_dn); + if ($user_info) { + $ldap_bind_user2 = ldap_bind($ldapconn, $user_info['dn'], $password); + if ($ldap_bind_user2) { session_regenerate_id(true); // require: PHP5.1+ $_SESSION['authenticated_user'] = $user_info['uid']; $_SESSION['authenticated_user_fullname'] = $user_info['fullname']; 
return true; } } - } else { - // Bind by bind dn - $ldap_bind = ldap_bind($ldapconn, $ldap_bind_dn, $ldap_bind_password); - if ($ldap_bind) { - $user_info = get_ldap_user_info($ldapconn, $username, $ldap_base_dn); - if ($user_info) { - $ldap_bind_user2 = ldap_bind($ldapconn, $user_info['dn'], $password); - if ($ldap_bind_user2) { - session_regenerate_id(true); // require: PHP5.1+ - $_SESSION['authenticated_user'] = $user_info['uid']; - $_SESSION['authenticated_user_fullname'] = $user_info['fullname']; - return true; - } - } - } } } } @@ -443,20 +440,17 @@ function ldap_auth($username, $password) // Get LDAP user info via bind DN function ldap_get_simple_user_info($username) { - global $ldap_url, $ldap_bind_dn, $ldap_bind_password; - if (preg_match('#^(ldap\:\/\/[^/]+/)(.*)$#', $ldap_url, $m)) { - $ldap_server = $m[1]; - $ldap_base_dn = $m[2]; - $ldapconn = ldap_connect($ldap_server); - if ($ldapconn) { - ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3); - // Bind by bind dn - $ldap_bind = ldap_bind($ldapconn, $ldap_bind_dn, $ldap_bind_password); - if ($ldap_bind) { - $user_info = get_ldap_user_info($ldapconn, $username, $ldap_base_dn); - if ($user_info) { - return $user_info; - } + global $ldap_server, $ldap_base_dn, $ldap_bind_dn, $ldap_bind_password; + $ldapconn = ldap_connect($ldap_server); + if ($ldapconn) { + ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3); + ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0); + // Bind by bind dn + $ldap_bind = ldap_bind($ldapconn, $ldap_bind_dn, $ldap_bind_password); + if ($ldap_bind) { + $user_info = get_ldap_user_info($ldapconn, $username, $ldap_base_dn); + if ($user_info) { + return $user_info; } } } diff --git a/lib/file.php b/lib/file.php index f643969..79c7ad7 100644 --- a/lib/file.php +++ b/lib/file.php 
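Review bot: The new `$bind_dn_user = preg_replace('#\$login#', $username, $ldap_bind_dn);` still places the raw submitted username into the bind DN: `$n`/`\n` sequences in the name are interpreted as replacement backreferences, and DN metacharacters (`,`, `+`, `=`, `"`, `\`) are not escaped, so the DN the directory sees need not be the one the operator configured. Prefer a literal replacement with DN escaping, `$bind_dn_user = str_replace('$login', ldap_escape($username, '', LDAP_ESCAPE_DN), $ldap_bind_dn);` (ldap_escape requires PHP 5.6; escape per RFC 4514 by hand if older releases must stay supported). Separately, neither `ldap_bind($ldapconn, $bind_dn_user, $password)` nor `ldap_bind($ldapconn, $user_info['dn'], $password)` rejects an empty password, and several directory servers accept a bind with a DN and an empty password as an unauthenticated bind that succeeds; unless form_auth (whose body is outside this hunk) already refuses empty passwords, add `if ($password === '') return false;` at the top of ldap_auth. ldap_auth's closing lines and its fall-through return are outside the hunk.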
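Review bot: `if ($ldapconn)` does not verify that the ldaps server was reached: in OpenLDAP-backed PHP builds ldap_connect() only parses `$ldap_server` and defers the TCP connection and TLS handshake to the first operation, so an unreachable host or a certificate the client rejects surfaces only as a failed `ldap_bind()` here, which the function treats exactly like wrong bind credentials and never records. For the secure-connection feature this commit adds, that leaves TLS misconfiguration invisible to the operator; capture the failure in the bind's else path, e.g. `error_log('LDAP bind failed: ' . ldap_errno($ldapconn) . ' ' . ldap_error($ldapconn));`, so connection, TLS and credential failures are distinguishable in the logs, and do the same in ldap_auth above. The return values of the two `ldap_set_option()` calls are likewise unchecked, so a refused protocol-version option would go unnoticed. ldap_get_simple_user_info's final return is outside the hunk.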
@@ -170,6 +170,9 @@ function make_str_rules($source)
 function add_author_info($wikitext)
 {
 global $auth_user, $auth_user_fullname, $auth_type, $ldap_user_account;
+ global $auth_provider_user_prefix_default;
+ global $auth_provider_user_prefix_ldap;
+ global $auth_provider_user_prefix_external;
 $author = preg_replace('/"/', '', $auth_user);
 $fullname = $auth_user_fullname;
 if (!$fullname && $author) {
@@ -180,18 +183,18 @@ function add_author_info($wikitext)
 $user_prefix = '';
 switch ($auth_type) {
 case AUTH_TYPE_BASIC:
- $user_prefix = AUTH_PROVIDER_USER_PREFIX_DEFAULT;
+ $user_prefix = $auth_provider_user_prefix_default;
 break;
 case AUTH_TYPE_EXTERNAL:
 case AUTH_TYPE_EXTERNAL_REMOTE_USER:
 case AUTH_TYPE_EXTERNAL_X_FORWARDED_USER:
- $user_prefix = AUTH_PROVIDER_USER_PREFIX_EXTERNAL;
+ $user_prefix = $auth_provider_user_prefix_external;
 break;
 case AUTH_TYPE_FORM:
 if ($ldap_user_account) {
- $user_prefix = AUTH_PROVIDER_USER_PREFIX_LDAP;
+ $user_prefix = $auth_provider_user_prefix_ldap;
 } else {
- $user_prefix = AUTH_PROVIDER_USER_PREFIX_DEFAULT;
+ $user_prefix = $auth_provider_user_prefix_default;
 }
 break;
 }
diff --git a/pukiwiki.ini.php b/pukiwiki.ini.php
index ce28343..040295f 100644
--- a/pukiwiki.ini.php
+++ b/pukiwiki.ini.php
@@ -1,8 +1,8 @@
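Review bot: The three `$auth_provider_user_prefix_*` globals replace constants with no fallback in the switch, so on an installation whose pukiwiki.ini.php predates this change (the ini hunk is cut off at the end of this page, so its defaults are not visible here) `$user_prefix` becomes null with an undefined-variable notice and the author attribution silently loses its provider prefix, letting an LDAP, an external and a basic-auth user with the same name be recorded as one author. Because this attribution is the edit audit trail the wiki keeps, guard each lookup or fail explicitly, e.g. `$user_prefix = isset($auth_provider_user_prefix_default) ? $auth_provider_user_prefix_default : AUTH_PROVIDER_USER_PREFIX_DEFAULT;` (if the constant survives this commit), or validate the three variables once at startup. The same applies to the `external` and `ldap` branches in this hunk. The rest of add_author_info, including what is done with `$user_prefix`, is outside the hunk.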