adding LDAP authentication support

Author: Jonathan Creasy

application/config/rest.php

@@ -44,7 +44,7 @@
 |
 | Is login required and if so, which type of login?
 |
-|	'' = no login required, 'basic' = unsecure login, 'digest' = more secure login
+|	'' = no login required, 'basic' = unsecure login, 'digest' = more secure login, 'ldap' = digest with ldap
 |
 */
 $config['rest_auth'] = false;
@@ -65,19 +65,20 @@
 |			$config['auth_override_class_method']['accounts']['user'] = 'basic';
 |
 | Here 'deals' and 'accounts' are controller names, 'view', 'insert' and 'user' are methods within. (NOTE: leave off the '_get' or '_post' from the end of the method name)
-| Acceptable values are; 'none', 'digest' and 'basic'.
+| Acceptable values are; 'none', 'digest', 'ldap', and 'basic'
 |
 */
 // $config['auth_override_class_method']['deals']['view'] = 'none';
 // $config['auth_override_class_method']['deals']['insert'] = 'digest';
 // $config['auth_override_class_method']['accounts']['user'] = 'basic';
+// $config['auth_override_class_method']['accounts']['create'] = 'ldap';
 
 /*
 |--------------------------------------------------------------------------
 | REST Login usernames
 |--------------------------------------------------------------------------
 |
-| Array of usernames and passwords for login
+| Array of usernames and passwords for login, if ldap is configured this is ignored
 |
 |	array('admin' => '1234')
 |
@@ -290,4 +291,4 @@
 $config['rest_ajax_only'] = FALSE;
 
 /* End of file config.php */
-/* Location: ./system/application/config/rest.php */
+/* Location: ./system/application/config/rest.php */

application/libraries/REST_Controller.php

@@ -109,6 +109,13 @@ abstract class REST_Controller extends CI_Controller
 	 */
 	protected $_zlib_oc = FALSE;
 
+	/**
+	 * The LDAP Distinguished Name of the User post authentication
+	 *
+	 * @var string
+	*/
+	protected $_user_ldap_dn = ''
+
 	/**
 	 * List all supported methods, the first will be the default format
 	 *
@@ -909,6 +916,94 @@ public function validation_errors()
 
 	// SECURITY FUNCTIONS ---------------------------------------------------------
 
+	/**
+	 * Perform LDAP Authentication
+	 *
+	 * @param string $username The username to validate
+	 * @param string $password The password to validate
+	 * @return boolean
+	 */
+	protected function _perform_ldap_auth($username = '', $password = NULL)
+	{
+		if (empty($username))
+		{
+			log_message('debug', 'LDAP Auth: failure, empty username');
+			return false;
+		}
+
+		log_message('debug', 'LDAP Auth: Loading Config');
+
+		$this->config->load('ldap.php', true);
+
+		$ldaptimeout = $this->config->item('timeout', 'ldap');
+		$ldaphost = $this->config->item('server', 'ldap');
+		$ldapport = $this->config->item('port', 'ldap');
+		$ldaprdn = $this->config->item('binduser', 'ldap');
+		$ldappass = $this->config->item('bindpw', 'ldap');
+		$ldapbasedn = $this->config->item('basedn', 'ldap');
+
+		log_message('debug', 'LDAP Auth: Connect to ' . $ldaphost);
+
+		$ldapconfig['authrealm'] = $this->config->item('domain', 'ldap');
+
+		// connect to ldap server
+		$ldapconn = ldap_connect($ldaphost, $ldapport);
+
+		if ($ldapconn) {
+
+			log_message('debug', 'Setting timeout to ' . $ldaptimeout . ' seconds');
+
+			ldap_set_option($ldapconn, LDAP_OPT_NETWORK_TIMEOUT, $ldaptimeout);
+
+			log_message('debug', 'LDAP Auth: Binding to ' . $ldaphost . ' with dn ' . $ldaprdn);
+
+			// binding to ldap server
+			$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
+
+			// verify binding
+			if ($ldapbind) {
+				log_message('debug', 'LDAP Auth: bind successful');
+			} else {
+				log_message('error', 'LDAP Auth: bind unsuccessful');
+				return false;
+			}
+
+		}
+
+		// search for user
+		if (($res_id = ldap_search( $ldapconn, $ldapbasedn, "uid=$username")) == false) {
+			log_message('error', 'LDAP Auth: User ' . $username . ' not found in search');
+			return false;
+		}
+
+		if (ldap_count_entries($ldapconn, $res_id) != 1) {
+			log_message('error', 'LDAP Auth: failure, username ' . $username . 'found more than once');
+			return false;
+		}
+
+		if (( $entry_id = ldap_first_entry($ldapconn, $res_id))== false) {
+			log_message('error', 'LDAP Auth: failure, entry of searchresult could not be fetched');
+			return false;
+		}
+
+		if (( $user_dn = ldap_get_dn($ldapconn, $entry_id)) == false) {
+			log_message('error', 'LDAP Auth: failure, user-dn could not be fetched');
+			return false;
+		}
+
+		// User found, could not authenticate as user
+		if (($link_id = ldap_bind($ldapconn, $user_dn, $password)) == false) {
+			log_message('error', 'LDAP Auth: failure, username/password did not match: ' . $user_dn);
+			return false;
+		}
+
+		log_message('debug', 'LDAP Auth: Success ' . $user_dn . ' authenticated successfully');
+
+		$this->_user_ldap_dn = $user_dn;
+		ldap_close($ldapconn);
+		return true;
+	}
+
 	/**
 	 * Check if the user is logged in.
 	 *
@@ -923,6 +1018,14 @@ protected function _check_login($username = '', $password = NULL)
 			return FALSE;
 		}
 
+		$auth_source = strtolower($this-config->item('auth_source'));
+
+		if ($auth_source == 'ldap')
+		{
+			log_message('debug', 'performing LDAP authentication for $username');
+			return $this->_perform_ldap_auth($username, $password);
+		}
+
 		$valid_logins = & $this->config->item('rest_valid_logins');
 
 		if ( ! array_key_exists($username, $valid_logins))