diff --git a/app/Console/Commands/LdapLogin.php b/app/Console/Commands/LdapLogin.php new file mode 100644 index 0000000..96d41a5 --- /dev/null +++ b/app/Console/Commands/LdapLogin.php @@ -0,0 +1,51 @@ +argument('username'); + $password = $this->argument('password'); + + try { + $user = $ldapService->getUser(['password' => $password, config('laravolt.auth.identifier') => $username]); + dd($user); + } catch (\Exception $e) { + $this->error(get_class($e).":".$e->getMessage()); + } + } +} diff --git a/config/cas.php b/config/cas.php new file mode 100644 index 0000000..d4030a3 --- /dev/null +++ b/config/cas.php 
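Review bot: The password is read with `$this->argument('password')`, so it must be typed on the command line, where it ends up in shell history and is visible in the host's process list; prompt for it instead, `$password = $this->secret('Password');`, and drop the argument from the command signature (the signature line is not visible in the extracted hunk). `dd($user)` inside the try block dumps the whole record returned by `$ldapService->getUser(...)` and terminates the process, so every directory attribute of the account lands in the terminal or in whatever captures the command's output; for a login check, `$this->info('Authenticated as '.$username);` is enough. The enclosing method and class header are not visible in the hunk as extracted.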
@@ -0,0 +1,162 @@ + env('CAS_HOSTNAME', 'cas.myuniv.edu'), + + /* + |-------------------------------------------------------------------------- + | CAS Authorized Hosts + |-------------------------------------------------------------------------- + | Example: 'cas.myuniv.edu'. This is used when SAML is active and is + | recommended for protecting against DOS attacks. If using load + | balanced hosts, then separate each with a comma. + */ + 'cas_real_hosts' => env('CAS_REAL_HOSTS', 'cas.myuniv.edu'), + + + /* + |-------------------------------------------------------------------------- + | Customize CAS Session Cookie Name + |-------------------------------------------------------------------------- + */ + 'cas_session_name' => env('CAS_SESSION_NAME', 'CASAuth'), + + /* + |-------------------------------------------------------------------------- + | Laravel has it's own authentication sessions. Unless you want phpCAS + | to manage the session, leave this set to false. Note that the + | middleware and redirect classes will be handling removal + | of the Laravel sessions when this is set to false. 
+ |-------------------------------------------------------------------------- + */ + 'cas_control_session' => env('CAS_CONTROL_SESSIONS', false), + + /* + |-------------------------------------------------------------------------- + | Enable using this as a cas proxy + |-------------------------------------------------------------------------- + */ + 'cas_proxy' => env('CAS_PROXY', false), + + /* + |-------------------------------------------------------------------------- + | Cas Port + |-------------------------------------------------------------------------- + | Usually 443 + */ + 'cas_port' => env('CAS_PORT', 443), + + /* + |-------------------------------------------------------------------------- + | CAS URI + |-------------------------------------------------------------------------- + | Sometimes is /cas + */ + 'cas_uri' => env('CAS_URI', '/cas'), + + /* + |-------------------------------------------------------------------------- + | CAS Validation + |-------------------------------------------------------------------------- + | CAS server SSL validation: 'self' for self-signed certificate, 'ca' for + | certificate from a CA, empty for no SSL validation. + | + | VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL + */ + 'cas_validation' => env('CAS_VALIDATION', ''), + + /* + |-------------------------------------------------------------------------- + | CA Certificate + |-------------------------------------------------------------------------- + | Path to the CA certificate file. For production use set + | the CA certificate that is the issuer of the cert + */ + 'cas_cert' => env('CAS_CERT', ''), + + /* + |-------------------------------------------------------------------------- + | CN Validation (if you are using CA certs) + |-------------------------------------------------------------------------- + | If for some reason you want to disable validating the certificate + | intermediaries, here is where you can. 
Recommended to leave + | this set with default (true). + */ + 'cas_validate_cn' => env('CAS_VALIDATE_CN', true), + + /* + |-------------------------------------------------------------------------- + | CAS Login URI + |-------------------------------------------------------------------------- + | Empty is fine + */ + 'cas_login_url' => env('CAS_LOGIN_URL', ''), + + /* + |-------------------------------------------------------------------------- + | CAS Logout URI + |-------------------------------------------------------------------------- + */ + 'cas_logout_url' => env('CAS_LOGOUT_URL', ''), + + /* + |-------------------------------------------------------------------------- + | CAS Logout Redirect Services + |-------------------------------------------------------------------------- + | If your server supports redirection services, enter the redirect url + | in this section. If left blank, it will default to disabled. + */ + 'cas_logout_redirect' => env('CAS_LOGOUT_REDIRECT', ''), + + /* + |-------------------------------------------------------------------------- + | CAS Successful Logon Redirection Url + |-------------------------------------------------------------------------- + | By default, CAS will assume that the user should be redirected to the + | page in which the call was initiated. You can override this method + | and force the user to be redirected to a specific URL here. + */ + 'cas_redirect_path' => env('CAS_REDIRECT_PATH', ''), + + /* + |-------------------------------------------------------------------------- + | CAS Supports SAML 1.1, allowing you to retrieve more than just the + | user identifier. If your CAS authentication service supports + | this feature, you may be able to retrieve user meta data. 
+ |-------------------------------------------------------------------------- + */ + 'cas_enable_saml' => env('CAS_ENABLE_SAML', false), + + /* + |-------------------------------------------------------------------------- + | Enable PHPCas Debug Mode + | Options are: + | 1) true (defaults logfile creation to /tmp/phpCAS.log) + | 2) 'path/to/logfile' + | 3) false + |-------------------------------------------------------------------------- + */ + 'cas_debug' => env('CAS_DEBUG', storage_path('logs/cas.log')), + + + /* + |-------------------------------------------------------------------------- + | Enable Verbose error messages. Not recommended for production. + | true | false + |-------------------------------------------------------------------------- + */ + 'cas_verbose_errors' => env('CAS_VERBOSE_ERRORS', false), + + /* + |-------------------------------------------------------------------------- + | This will cause CAS to skip authentication and assume this user id. + | This should only be used for developmental purposes. getAttributes() + | will return null in this condition. + */ + 'cas_masquerade' => env('CAS_MASQUERADE', '') +]; diff --git a/config/ldap.php b/config/ldap.php new file mode 100644 index 0000000..b4ff711 --- /dev/null +++ b/config/ldap.php 
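Review bot: `'cas_validation' => env('CAS_VALIDATION', '')` defaults to no certificate validation of the CAS server, which the comment directly above it warns is crucial to the protocol's security; a missing env variable should fail closed, `'cas_validation' => env('CAS_VALIDATION', 'ca'),`, so that accepting any server is an explicit choice rather than the silent default. `'cas_debug' => env('CAS_DEBUG', storage_path('logs/cas.log'))` likewise turns phpCAS debug logging on by default; the log content is not visible here, but defaulting it to `false` and opting in through `.env` keeps verbose protocol traces out of production storage. The `return [` line at the start of this file is not visible in the extracted hunk.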
@@ -0,0 +1,227 @@ + [ + + 'default' => [ + + /* + |-------------------------------------------------------------------------- + | Auto Connect + |-------------------------------------------------------------------------- + | + | If auto connect is true, Adldap will try to automatically connect to + | your LDAP server in your configuration. This allows you to assume + | connectivity rather than having to connect manually + | in your application. + | + | If this is set to false, you **must** connect manually before running + | LDAP operations. + | + */ + + 'auto_connect' => env('LDAP_AUTO_CONNECT', true), + + /* + |-------------------------------------------------------------------------- + | Connection + |-------------------------------------------------------------------------- + | + | The connection class to use to run raw LDAP operations on. + | + | Custom connection classes must implement: + | + | Adldap\Connections\ConnectionInterface + | + */ + + 'connection' => Adldap\Connections\Ldap::class, + + /* + |-------------------------------------------------------------------------- + | Connection Settings + |-------------------------------------------------------------------------- + | + | This connection settings array is directly passed into the Adldap constructor. + | + | Feel free to add or remove settings you don't need. + | + */ + + 'settings' => [ + + /* + |-------------------------------------------------------------------------- + | Schema + |-------------------------------------------------------------------------- + | + | The schema class to use for retrieving attributes and generating models. + | + | You can also set this option to `null` to use the default schema class. 
+ | + | For OpenLDAP, you must use the schema: + | + | Adldap\Schemas\OpenLDAP::class + | + | For FreeIPA, you must use the schema: + | + | Adldap\Schemas\FreeIPA::class + | + | Custom schema classes must implement Adldap\Schemas\SchemaInterface + | + */ + + 'schema' => Adldap\Schemas\ActiveDirectory::class, + + /* + |-------------------------------------------------------------------------- + | Account Prefix + |-------------------------------------------------------------------------- + | + | The account prefix option is the prefix of your user accounts in LDAP directory. + | + | This string is prepended to all authenticating users usernames. + | + */ + + 'account_prefix' => env('LDAP_ACCOUNT_PREFIX', ''), + + /* + |-------------------------------------------------------------------------- + | Account Suffix + |-------------------------------------------------------------------------- + | + | The account suffix option is the suffix of your user accounts in your LDAP directory. + | + | This string is appended to all authenticating users usernames. + | + */ + + 'account_suffix' => env('LDAP_ACCOUNT_SUFFIX', ''), + + /* + |-------------------------------------------------------------------------- + | Domain Controllers + |-------------------------------------------------------------------------- + | + | The domain controllers option is an array of servers located on your + | network that serve Active Directory. You can insert as many servers or + | as little as you'd like depending on your forest (with the + | minimum of one of course). + | + | These can be IP addresses of your server(s), or the host name. + | + */ + + 'hosts' => explode(' ', env('LDAP_HOSTS', 'corp-dc1.corp.acme.org corp-dc2.corp.acme.org')), + + /* + |-------------------------------------------------------------------------- + | Port + |-------------------------------------------------------------------------- + | + | The port option is used for authenticating and binding to your LDAP server. 
+ | + */ + + 'port' => env('LDAP_PORT', 389), + + /* + |-------------------------------------------------------------------------- + | Timeout + |-------------------------------------------------------------------------- + | + | The timeout option allows you to configure the amount of time in + | seconds that your application waits until a response + | is received from your LDAP server. + | + */ + + 'timeout' => env('LDAP_TIMEOUT', 5), + + /* + |-------------------------------------------------------------------------- + | Base Distinguished Name + |-------------------------------------------------------------------------- + | + | The base distinguished name is the base distinguished name you'd + | like to perform query operations on. An example base DN would be: + | + | dc=corp,dc=acme,dc=org + | + | A correct base DN is required for any query results to be returned. + | + */ + + 'base_dn' => env('LDAP_BASE_DN', 'dc=corp,dc=acme,dc=org'), + + /* + |-------------------------------------------------------------------------- + | LDAP Username & Password + |-------------------------------------------------------------------------- + | + | When connecting to your LDAP server, a username and password is required + | to be able to query and run operations on your server(s). You can + | use any user account that has these permissions. This account + | does not need to be a domain administrator unless you + | require changing and resetting user passwords. + | + */ + + 'username' => env('LDAP_USERNAME'), + 'password' => env('LDAP_PASSWORD'), + + /* + |-------------------------------------------------------------------------- + | Follow Referrals + |-------------------------------------------------------------------------- + | + | The follow referrals option is a boolean to tell active directory + | to follow a referral to another server on your network if the + | server queried knows the information your asking for exists, + | but does not yet contain a copy of it locally. 
+ | + | This option is defaulted to false. + | + */ + + 'follow_referrals' => false, + + /* + |-------------------------------------------------------------------------- + | SSL & TLS + |-------------------------------------------------------------------------- + | + | If you need to be able to change user passwords on your server, then an + | SSL or TLS connection is required. All other operations are allowed + | on unsecured protocols. + | + | One of these options are definitely recommended if you + | have the ability to connect to your server securely. + | + */ + + 'use_ssl' => env('LDAP_USE_SSL', false), + 'use_tls' => env('LDAP_USE_TLS', false), + + ], + + ], + + ], + +]; diff --git a/config/ldap_auth.php b/config/ldap_auth.php new file mode 100644 index 0000000..f5a52b3 --- /dev/null +++ b/config/ldap_auth.php 
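Review bot: With `'port' => env('LDAP_PORT', 389)` and both `'use_ssl'` and `'use_tls'` defaulting to `false`, the service-account credentials from `LDAP_USERNAME`/`LDAP_PASSWORD`, and every user password verified over this connection, cross the network in clear text unless each deployment remembers to set the env variables. Consider `'use_tls' => env('LDAP_USE_TLS', true),` so the encrypted path is the default and plaintext has to be chosen explicitly, and reword the 'SSL & TLS' comment, which currently presents encryption as needed only for password changes. The `return [` line at the start of this file is not visible in the extracted hunk.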
@@ -0,0 +1,322 @@ + env('LDAP_CONNECTION', 'default'), + + /* + |-------------------------------------------------------------------------- + | Provider + |-------------------------------------------------------------------------- + | + | The LDAP authentication provider to use depending + | if you require database synchronization. + | + | For synchronizing LDAP users to your local applications database, use the provider: + | + | Adldap\Laravel\Auth\DatabaseUserProvider::class + | + | Otherwise, if you just require LDAP authentication, use the provider: + | + | Adldap\Laravel\Auth\NoDatabaseUserProvider::class + | + */ + + 'provider' => Adldap\Laravel\Auth\DatabaseUserProvider::class, + + /* + |-------------------------------------------------------------------------- + | Model + |-------------------------------------------------------------------------- + | + | The model to utilize for authentication and importing. + | + | This option is only applicable to the DatabaseUserProvider. + | + */ + + 'model' => App\User::class, + + /* + |-------------------------------------------------------------------------- + | Rules + |-------------------------------------------------------------------------- + | + | Rules allow you to control user authentication requests depending on scenarios. + | + | You can create your own rules and insert them here. + | + | All rules must extend from the following class: + | + | Adldap\Laravel\Validation\Rules\Rule + | + */ + + 'rules' => [ + + // Denys deleted users from authenticating. + + Adldap\Laravel\Validation\Rules\DenyTrashed::class, + + // Allows only manually imported users to authenticate. + + // Adldap\Laravel\Validation\Rules\OnlyImported::class, + + ], + + /* + |-------------------------------------------------------------------------- + | Scopes + |-------------------------------------------------------------------------- + | + | Scopes allow you to restrict the LDAP query that locates + | users upon import and authentication. 
+ | + | All scopes must implement the following interface: + | + | Adldap\Laravel\Scopes\ScopeInterface + | + */ + + 'scopes' => [ + + // Only allows users with a user principal name to authenticate. + // Suitable when using ActiveDirectory. + // Adldap\Laravel\Scopes\UpnScope::class, + + // Only allows users with a uid to authenticate. + // Suitable when using OpenLDAP. + // Adldap\Laravel\Scopes\UidScope::class, + + ], + + 'usernames' => [ + + /* + |-------------------------------------------------------------------------- + | LDAP + |-------------------------------------------------------------------------- + | + | Discover: + | + | The discover value is the users attribute you would + | like to locate LDAP users by in your directory. + | + | For example, using the default configuration below, if you're + | authenticating users with an email address, your LDAP server + | will be queried for a user with the a `userprincipalname` + | equal to the entered email address. + | + | Authenticate: + | + | The authenticate value is the users attribute you would + | like to use to bind to your LDAP server. + | + | For example, when a user is located by the above 'discover' + | attribute, the users attribute you specify below will + | be used as the username to bind to your LDAP server. + | + */ + + 'ldap' => [ + + 'discover' => 'userprincipalname', + + 'authenticate' => 'sn', + + ], + + /* + |-------------------------------------------------------------------------- + | Eloquent + |-------------------------------------------------------------------------- + | + | The value you enter is the database column name used for locating + | the local database record of the authenticating user. + | + | If you're using a `username` column instead, change this to `username`. + | + | This option is only applicable to the DatabaseUserProvider. 
+ | + */ + + 'eloquent' => 'email', + + /* + |-------------------------------------------------------------------------- + | Windows Authentication Middleware (SSO) + |-------------------------------------------------------------------------- + | + | Discover: + | + | The 'discover' value is the users attribute you would + | like to locate LDAP users by in your directory. + | + | For example, if 'samaccountname' is the value, then your LDAP server is + | queried for a user with the 'samaccountname' equal to the value of + | $_SERVER['AUTH_USER']. + | + | If a user is found, they are imported (if using the DatabaseUserProvider) + | into your local database, then logged in. + | + | Key: + | + | The 'key' value represents the 'key' of the $_SERVER + | array to pull the users account name from. + | + | For example, $_SERVER['AUTH_USER']. + | + */ + + 'windows' => [ + + 'discover' => 'samaccountname', + + 'key' => 'AUTH_USER', + + ], + + ], + + 'passwords' => [ + + /* + |-------------------------------------------------------------------------- + | Password Sync + |-------------------------------------------------------------------------- + | + | The password sync option allows you to automatically synchronize users + | LDAP passwords to your local database. These passwords are hashed + | natively by Laravel using the Hash::make() method. + | + | Enabling this option would also allow users to login to their accounts + | using the password last used when an LDAP connection was present. + | + | If this option is disabled, the local database account is applied a + | random 16 character hashed password upon first login, and will + | lose access to this account upon loss of LDAP connectivity. + | + | This option must be true or false and is only applicable + | to the DatabaseUserProvider. 
+ | + */ + + 'sync' => env('LDAP_PASSWORD_SYNC', false), + + /* + |-------------------------------------------------------------------------- + | Column + |-------------------------------------------------------------------------- + | + | This is the column of your users database table + | that is used to store passwords. + | + | Set this to `null` if you do not have a password column. + | + | This option is only applicable to the DatabaseUserProvider. + | + */ + + 'column' => 'password', + + ], + + /* + |-------------------------------------------------------------------------- + | Login Fallback + |-------------------------------------------------------------------------- + | + | The login fallback option allows you to login as a user located on the + | local database if active directory authentication fails. + | + | Set this to true if you would like to enable it. + | + | This option must be true or false and is only + | applicable to the DatabaseUserProvider. + | + */ + + 'login_fallback' => env('LDAP_LOGIN_FALLBACK', false), + + /* + |-------------------------------------------------------------------------- + | Sync Attributes + |-------------------------------------------------------------------------- + | + | Attributes specified here will be added / replaced on the user model + | upon login, automatically synchronizing and keeping the attributes + | up to date. + | + | The array key represents the users Laravel model key, and + | the value represents the users LDAP attribute. + | + | You **must** include the users login attribute here. + | + | This option must be an array and is only applicable + | to the DatabaseUserProvider. 
+ | + */ + + 'sync_attributes' => [ + + 'email' => 'userprincipalname', + + 'name' => 'cn', + + ], + + /* + |-------------------------------------------------------------------------- + | Logging + |-------------------------------------------------------------------------- + | + | User authentication attempts will be logged using Laravel's + | default logger if this setting is enabled. + | + | No credentials are logged, only usernames. + | + | This is usually stored in the '/storage/logs' directory + | in the root of your application. + | + | This option is useful for debugging as well as auditing. + | + | You can freely remove any events you would not like to log below, + | as well as use your own listeners if you would prefer. + | + */ + + 'logging' => [ + + 'enabled' => true, + + 'events' => [ + + \Adldap\Laravel\Events\Importing::class => \Adldap\Laravel\Listeners\LogImport::class, + \Adldap\Laravel\Events\Synchronized::class => \Adldap\Laravel\Listeners\LogSynchronized::class, + \Adldap\Laravel\Events\Synchronizing::class => \Adldap\Laravel\Listeners\LogSynchronizing::class, + \Adldap\Laravel\Events\Authenticated::class => \Adldap\Laravel\Listeners\LogAuthenticated::class, + \Adldap\Laravel\Events\Authenticating::class => \Adldap\Laravel\Listeners\LogAuthentication::class, + \Adldap\Laravel\Events\AuthenticationFailed::class => \Adldap\Laravel\Listeners\LogAuthenticationFailure::class, + \Adldap\Laravel\Events\AuthenticationRejected::class => \Adldap\Laravel\Listeners\LogAuthenticationRejection::class, + \Adldap\Laravel\Events\AuthenticationSuccessful::class => \Adldap\Laravel\Listeners\LogAuthenticationSuccess::class, + \Adldap\Laravel\Events\DiscoveredWithCredentials::class => \Adldap\Laravel\Listeners\LogDiscovery::class, + \Adldap\Laravel\Events\AuthenticatedWithWindows::class => \Adldap\Laravel\Listeners\LogWindowsAuth::class, + \Adldap\Laravel\Events\AuthenticatedModelTrashed::class => \Adldap\Laravel\Listeners\LogTrashedModel::class, + + ], + ], + +];
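Review bot: `'authenticate' => 'sn'` makes the provider bind with the user's surname, which is neither unique nor a bind identifier, so a user located via `'discover' => 'userprincipalname'` is then authenticated against a value that does not identify them; the package's stock configuration uses the distinguished name, `'authenticate' => 'distinguishedname',`, which is the attribute to use here (or `userprincipalname`, matching the discover attribute). The 'Rules' comment also has a typo: `// Denies deleted users from authenticating.`. The `return [` line at the start of this file is not visible in the extracted hunk.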