From 2844d6e1313146ec1b1d6b5773885cece78676c1 Mon Sep 17 00:00:00 2001
From: viharm <viharm@malviya.net>
Date: Wed, 18 Nov 2020 22:50:03 +0000
Subject: [PATCH] Added LDAP auth code

---
 composer.json                                 |  4 +-
 src/psm/Service/User.php                      | 47 +++++++++++++++----
 .../default/module/config/config.tpl.html     | 42 +++++++++++++++++
 3 files changed, 83 insertions(+), 10 deletions(-)

diff --git a/composer.json b/composer.json
index 97c48262..31228c8a 100644
--- a/composer.json
+++ b/composer.json
@@ -18,8 +18,8 @@
 		"php-pushover/php-pushover": "dev-master",
 		"paragonie/random_compat": "^2.0",
 		"twig/twig": "~1.35",
-    "jaxl/jaxl": "^3.1",
-    "viharm/psm-ldap-auth": "^1.1"
+		"jaxl/jaxl": "^3.1",
+		"viharm/psm-ldap-auth": "^1.1"
 	},
 	"autoload": {
 		"files": [
diff --git a/src/psm/Service/User.php b/src/psm/Service/User.php
index fce6213b..bc01db2a 100644
--- a/src/psm/Service/User.php
+++ b/src/psm/Service/User.php
@@ -230,20 +230,51 @@ class User
     {
         $user_name = trim($user_name);
         $user_password = trim($user_password);
+        $ldapauthstatus = false;
 
         if (empty($user_name) && empty($user_password)) {
             return false;
         }
+
+        $dirauthconfig = psm_get_conf('dirauth_status');
+        
+        // LDAP auth enabled
+        if ($dirauthconfig === '1') {
+            $ldaplibpath = realpath(
+                PSM_PATH_SRC . '..' . DIRECTORY_SEPARATOR .
+                'vendor' . DIRECTORY_SEPARATOR .
+                'viharm' . DIRECTORY_SEPARATOR .
+                'psm-ldap-auth' . DIRECTORY_SEPARATOR .
+                'psmldapauth.php'
+            );
+            // If the library is found
+            if ($ldaplibpath) {
+                // Delegate the authentication to the PsmLDAPauth module.
+                // If LDAP auth fails or if library not found, fall back to native auth
+                include_once($ldaplibpath);
+                $ldapauthstatus = psmldapauth($user_name, $user_password, $GLOBALS['sm_config'], $this->db_connection);
+            }
+        }
+
         $user = $this->getUserByUsername($user_name);
 
-        // using PHP 5.5's password_verify() function to check if the provided passwords
-        // fits to the hash of that user's password
-        if (!isset($user->user_id)) {
-            password_verify($user_password, 'dummy_call_against_timing');
-            return false;
-        } elseif (!password_verify($user_password, $user->password)) {
-            return false;
-        }
+        // Authenticated
+        if ($ldapauthstatus === true) {
+          // Remove password to prevent it from being saved in the DB.
+          // Otherwise, user may still be authenticated if LDAP is disabled later.
+          $user_password = null;
+          @fn_Debug('Authenticated', $user);
+        } else {
+
+          // using PHP 5.5's password_verify() function to check if the provided passwords
+          // fits to the hash of that user's password
+          if (!isset($user->user_id)) {
+              password_verify($user_password, 'dummy_call_against_timing');
+              return false;
+          } elseif (!password_verify($user_password, $user->password)) {
+              return false;
+          }
+        } // not authenticated
 
         $this->setUserLoggedIn($user->user_id, true);
 
diff --git a/src/templates/default/module/config/config.tpl.html b/src/templates/default/module/config/config.tpl.html
index ffb36a54..db5ab029 100644
--- a/src/templates/default/module/config/config.tpl.html
+++ b/src/templates/default/module/config/config.tpl.html
@@ -7,6 +7,11 @@
                 role="tab" aria-controls="config-general" aria-selected="{% if general_active %}true{% else %}false{% endif %}">{{
                 label_general }}</a>
         </li>
+        <li class="nav-item">
+            <a class="nav-link {{ auth_active }}" id="config-auth-tab" data-toggle="tab" href="#config-auth" role="tab"
+                aria-controls="config-auth" aria-selected="{% if auth_active %}true{% else %}false{% endif %}">{{
+                    label_tab_auth }}</a>
+        </li>
         <li class="nav-item">
             <a class="nav-link {{ email_active }}" id="config-email-tab" data-toggle="tab" href="#config-email" role="tab"
                 aria-controls="config-email" aria-selected="{% if email_active %}true{% else %}false{% endif %}">{{
@@ -93,6 +98,43 @@
                 {{ macro.button_save("general_submit",  label_save) }}
             </fieldset>
         </div>
+        <div class="tab-pane {{ auth_active }}" id="config-auth" role="tabpanel" aria-labelledby="config-auth-tab">
+            <!-- Auth settings -->
+            <fieldset>
+                <legend>{{ label_settings_dirauth }}</legend>
+                <!-- enable ldap -->
+                {{ macro.input_checkbox("dirauth_status", "dirauth_status[]", label_dirauth_status, dirauth_status_checked) }}
+                <!-- Directory host -->
+                {{ macro.input_field("text", "authdir_host_locn", null, "authdir_host_locn", label_authdir_host_locn, authdir_host_locn, label_authdir_host_locn, "100") }}
+                <!-- smtp security -->
+                {{ macro.input_select("authdir_type", "authdir_type", label_authdir_type, authdir_type, authdir_type_selected, "authdir_type_help", label_authdir_type_description) }}
+                <!-- Directory port -->
+                {{ macro.input_field("text", "authdir_host_port", null, "authdir_host_port", label_authdir_host_port, authdir_host_port, label_authdir_host_port, "10") }}
+                <!-- Active Directory domain -->
+                {{ macro.input_field("text", "authdir_userdomain", null, "authdir_userdomain", label_authdir_userdomain, authdir_userdomain, label_authdir_userdomain, "100", "authdir_userdomain_help", label_authdir_userdomain_description) }}
+                <!-- LDAP protecol version -->
+                {{ macro.input_field("text", "authdir_ldapver", null, "authdir_ldapver", label_authdir_ldapver, authdir_ldapver, label_authdir_ldapver, "100", "authdir_ldapver_help", label_authdir_ldapver_description) }}
+                <!-- Follow referrals -->
+                {{ macro.input_checkbox("authdir_ldapfollowref", "authdir_ldapfollowref[]", label_authdir_ldapfollowref, authdir_ldapfollowref_checked, "authdir_ldapfollowref_help", label_authdir_ldapfollowref_description) }}
+                <!-- Base DN* -->
+                {{ macro.input_field("text", "authdir_basedn", null, "authdir_basedn", label_authdir_basedn, authdir_basedn, "dc=domain,dc=tld", "100", "authdir_basedn_help", label_authdir_basedn_description) }}
+                <!-- Username attribute -->
+                {{ macro.input_field("text", "authdir_usernameattrib", null, "authdir_usernameattrib", label_authdir_usernameattrib, authdir_usernameattrib, label_authdir_usernameattrib, "100", "authdir_usernameattrib_help", label_authdir_usernameattrib_description) }}
+                <!-- Group name attribute -->
+                {{ macro.input_field("text", "authdir_groupnameattrib", null, "authdir_groupnameattrib", label_authdir_groupnameattrib, authdir_groupnameattrib, label_authdir_groupnameattrib, "100", "authdir_groupnameattrib_help", label_authdir_groupnameattrib_description) }}
+                <!-- Group member attribute -->
+                {{ macro.input_field("text", "authdir_groupmemattrib", null, "authdir_groupmemattrib", label_authdir_groupmemattrib, authdir_groupmemattrib, label_authdir_groupmemattrib, "100", "authdir_groupmemattrib_help", label_authdir_groupmemattrib_description) }}
+                <!-- User container RDN -->
+                {{ macro.input_field("text", "authdir_usercontainerrdn", null, "authdir_usercontainerrdn", label_authdir_usercontainerrdn, authdir_usercontainerrdn, "ou=Users", "100", "authdir_usercontainerrdn_help", label_authdir_usercontainerrdn_description) }}
+                <!-- Group container RDN -->
+                {{ macro.input_field("text", "authdir_groupcontainerrdn", null, "authdir_groupcontainerrdn", label_authdir_groupcontainerrdn, authdir_groupcontainerrdn, "ou=Groups", "100", "authdir_groupcontainerrdn_help", label_authdir_groupcontainerrdn_description) }}
+                <!-- Authorised directory group -->
+                {{ macro.input_field("text", "authdir_groupname", null, "authdir_groupname", label_authdir_groupname, authdir_groupname, label_authdir_groupname, "100", "authdir_groupname_help", label_authdir_groupname_description) }}
+                <!-- Default role -->
+                {{ macro.input_select("authdir_defaultrole", "authdir_defaultrole", label_authdir_defaultrole, authdir_defaultroles, authdir_defaultrole_selected, "authdir_defaultrole_help", label_authdir_defaultrole_description) }}
+                {{ macro.button_save("auth_submit",  label_save) }}
+            </fieldset>
+        </div>
         <div class="tab-pane {{ email_active }}" id="config-email" role="tabpanel" aria-labelledby="config-email-tab">
             <fieldset>
                 <legend>{{ label_settings_email }}</legend>