I needed this functionality as well so I took a shot at implementing it.
I added a new configuration value to conf/local.php
$conf['auth']['ldap']['logingroup'] = 'staff';
Users who are members of this group will be allowed to login, non-members will not.
I modified inc/auth/ldap.class.php:
- in two places where $this->bound is set to 1 and the function returns, I commented out the return statement
- before the "return false" at the end of the function I inserted a loop which is executed if $this->bound==1
- if $this->cnf['logingroup'] is not defined, return true
- the loop compares each group $user is a member of against $this->cnf['logingroup']
- if we get a match return true
- if the loop completes without a match emit an error message and return false
I am not very familiar with DW code so I consider this A COMPLETE HACK until someone who knows more about DW looks it over.
Here's the diff (I couldn't get the "Attach File" to work).
*** ldap.class.php.orig 2008-03-14 08:25:30.000000000 -0500
--- ldap.class.php 2008-03-14 09:07:18.000000000 -0500
***************
*** 43,48 ****
--- 43,50 ----
* plaintext password is correct by trying to bind
* to the LDAP server
*
+ * ULL PML: add check for allowed login group
+ *
* @author Andreas Gohr <andi@splitbrain.org>
* @return bool
*/
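Review bot: the added docblock line `* ULL PML: add check for allowed login group` records who added the check but not what it does; the method comment is where an admin would look for the behaviour, so say there that when `$conf['auth']['ldap']['logingroup']` is set only members of that group may log in and everyone else is refused, and drop the personal tag from the comment.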
***************
*** 93,99 ****
return false;
}
$this->bound = 1;
! return true;
}else{
// See if we can find the user
$info = $this->getUserData($user);
--- 95,101 ----
return false;
}
$this->bound = 1;
! // PML return true;
}else{
// See if we can find the user
$info = $this->getUserData($user);
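Review bot: replacing `return true;` with the comment `// PML return true;` leaves dead code and gives no hint why a successful bind now falls through; delete the line and put a one-line comment in its place, e.g. `// fall through to the logingroup check below`, so the control flow is readable without the patch description. Note also that this branch binds directly with the user DN and never assigns `$info`; only the `else` branch shown here calls `$this->getUserData($user)`.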
***************
*** 112,118 ****
--- 114,138 ----
return false;
}
$this->bound = 1;
+ // PML return true;
+ }
+ // ULL PML: add check for authorized login group
+ if ($this->bound == 1) {
+ // if the configuration specifed a logingroup verify this user is a member
+ if ($this->cnf['logingroup']) {
+ $groups = $info['grps'];
+ $cnt = count($groups);
+ for($i=0; $i<$cnt; $i++){
+ if ($groups[$i] == $this->cnf['logingroup']) {
+ return true;
+ }
+ }
+ msg("LDAP: $user not in logingroup " . $this->cnf['logingroup'],-1);
+ }
+ else {
+ // no logingroup restriction
return true;
+ }
}
return false;
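Review bot: `$groups = $info['grps'];` only has data on the `else` path of the bind (the branch that calls `getUserData()`); on the direct-bind path `$info` is never set, so whenever `logingroup` is configured every directly bound user arrives at `count($groups)` with nothing to compare and is refused with the "not in logingroup" message. Look the record up before the check, e.g. `if (!isset($info)) $info = $this->getUserData($user);`, and keep refusing when `$info['grps']` is still missing so the restriction fails closed. Two smaller points on the same hunk: `$user` comes straight from the login form and `msg()` renders its text into the page, so wrap it in `htmlspecialchars()` in the `msg("LDAP: $user not in logingroup " ...)` call; and the index loop reduces to `in_array($this->cnf['logingroup'], $groups)` (the comment above it also misspells "specified").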
--
patrick
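Here is the same group-restricted login decision as an added, stand-alone example; it is not code from the post above or from DokuWiki itself. It keeps the fail-closed behaviour of the patch but also covers the case where no group data was looked up (the direct-bind path), compares group names strictly, and returns a message that is already safe to hand to msg(). The function name `userMayLogin`, the `$reason` out-parameter and the sample records are assumptions; only the `$info['grps']` array shape follows what the LDAP backend returns.

```php
<?php
// Added example, not part of the original post or of DokuWiki.
// Runs without an LDAP server on constructed sample records.

/**
 * Decide whether an authenticated LDAP user may log in.
 *
 * $info is the array the LDAP backend returns for a user; the only field
 * used here is $info['grps'], a list of group names. $loginGroup is the
 * configured restriction ('' or null means no restriction). Returns true
 * or false; on refusal $reason holds an HTML-safe message for msg().
 */
function userMayLogin($user, $info, $loginGroup, &$reason = null) {
    $reason = null;
    // No restriction configured: every user who bound successfully may log in.
    if ($loginGroup === null || $loginGroup === '') {
        return true;
    }
    // Fail closed: if group data was never looked up (the direct-bind path
    // in the patch), treat the user as a non-member, not as a member.
    if (!is_array($info) || !isset($info['grps']) || !is_array($info['grps'])) {
        $reason = 'LDAP: no group data for ' . htmlspecialchars($user)
                . ', refusing login';
        return false;
    }
    // Strict comparison so that values like 0 or true never "match" a name.
    if (in_array($loginGroup, $info['grps'], true)) {
        return true;
    }
    // Escape the user-controlled login name before msg() renders it.
    $reason = 'LDAP: ' . htmlspecialchars($user) . ' not in logingroup '
            . htmlspecialchars($loginGroup);
    return false;
}

// Constructed sample records (assumed data), shaped like backend results.
$samples = array(
    array('alice',    array('grps' => array('user', 'staff')), 'staff'),
    array('bob',      array('grps' => array('user')),          'staff'),
    array('<b>x</b>', array('grps' => array('user')),          'staff'),
    array('carol',    array(),                                 'staff'), // direct bind, no lookup
    array('dave',     array('grps' => array('user')),          ''),      // no restriction
);
foreach ($samples as $s) {
    list($user, $info, $group) = $s;
    $ok = userMayLogin($user, $info, $group, $reason);
    echo str_pad($user, 10), ' ', $ok ? 'allowed' : 'denied',
         $reason ? " ($reason)" : '', "\n";
}
```

Running the script shows alice and dave allowed, bob and carol refused (carol because no group record exists), and the `<b>x</b>` name printed escaped rather than as markup.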