Merge remote-tracking branch 'upstream/master' into modernjs

changelog/62_UNRELEASED_xxxx-xx-xx.md

@@ -1,3 +1,5 @@
+> ⚠️ The following PHP extensions are now additionally required: `json`, `intl`, `zlib`
+
 ### New feature: (Own) Product and stock entry labels/barcodes ("grocycode")
 - Print own labels/barcodes for products and/or every stock entry and then scan that code on every place a product or stock entry can be selected
 - Can be printed (or downloaded) via
@@ -45,6 +47,11 @@
 - Fixed that numeric Userfields were initialised with `1.0`
 
 ### General & other improvements/fixes
+- LDAP authentication improvements / OpenLDAP support (thanks @tank0226)
+  - A read only service account can now be used for binding
+  - The username attribute is now configurable
+  - Filtering of accounts is now possible
+  - => See the new `config.php` options
 - Some night mode style improvements (thanks @BlizzWave and @KTibow)
 - Fixed that the number picker up/down buttons did not work when the input field was empty or contained an invalid number
 

config-dist.php

@@ -78,9 +78,12 @@ Setting('AUTH_CLASS', 'Grocy\Middleware\DefaultAuthMiddleware');
 Setting('REVERSE_PROXY_AUTH_HEADER', 'REMOTE_USER');
 
 // When using LdapAuthMiddleware
-Setting('LDAP_DOMAIN', ''); // Example value "local"
 Setting('LDAP_ADDRESS', ''); // Example value "ldap://vm-dc2019.local.berrnd.net"
-Setting('LDAP_BASE_DN', ''); // Example value "OU=OU_Users,DC=local,DC=berrnd,DC=net"
+Setting('LDAP_BASE_DN', ''); // Example value "DC=local,DC=berrnd,DC=net"
+Setting('LDAP_BIND_DN', ''); // Example value "CN=grocy_bind_account,OU=service_accounts,DC=local,DC=berrnd,DC=net"
+Setting('LDAP_BIND_PW', ''); // Password for the above account
+Setting('LDAP_USER_FILTER', ''); // Example value "(OU=grocy_users)"
+Setting('LDAP_UID_ATTR', ''); // Windows AD: "sAMAccountName", OpenLDAP: "uid", Glauth: "cn"
 
 // Set this to true if you want to disable the ability to scan a barcode via the device camera (Browser API)
 Setting('DISABLE_BROWSER_BARCODE_CAMERA_SCANNING', false);

middleware/LdapAuthMiddleware.php

@@ -34,16 +34,33 @@ class LdapAuthMiddleware extends AuthMiddleware
 			ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
 			ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
 
-			if ($bind = ldap_bind($connect, GROCY_LDAP_DOMAIN . '\\' . $postParams['username'], $postParams['password']))
+			// bind with service account to retrieve user DN
+			if ($bind = ldap_bind($connect, GROCY_LDAP_BIND_DN, GROCY_LDAP_BIND_PW))
 			{
-				$fields = '(|(samaccountname=*' . $postParams['username'] . '*))';
+				$filter = '(&(' . GROCY_LDAP_UID_ATTR . '=' . $postParams['username'] . ')' . GROCY_LDAP_USER_FILTER . ')';
 
-				$search = ldap_search($connect, GROCY_LDAP_BASE_DN, $fields);
+				$search = ldap_search($connect, GROCY_LDAP_BASE_DN, $filter);
 				$result = ldap_get_entries($connect, $search);
 
 				$ldapFirstName = $result[0]['givenname'][0];
 				$ldapLastName = $result[0]['sn'][0];
-
+				$ldapDistinguishedName = $result[0]['dn'];
+				
+				if (is_null($ldapDistinguishedName))
+				{
+					// User not found
+					return false;
+				}
+			}
+			else
+			{
+				// Bind authentication failed
+				return false;
+			}
+			
+			// bind with user account to validate password
+			if ($bind = ldap_bind($connect, $ldapDistinguishedName, $postParams['password']))
+			{
 				ldap_close($connect);
 
 				$db = DatabaseService::getInstance()->GetDbConnection();
@@ -60,7 +77,9 @@ class LdapAuthMiddleware extends AuthMiddleware
 			}
 			else
 			{
-				// LDAP authentication failed
+				ldap_close($connect);
+				
+				// User authentication failed
 				return false;
 			}
 		}
@@ -70,4 +89,4 @@ class LdapAuthMiddleware extends AuthMiddleware
 			return false;
 		}
 	}
-}
+}