From 44c7813ac1c8941f0cb7ebfc6e3ccc860f2c5c45 Mon Sep 17 00:00:00 2001 From: Craig Andrews Date: Wed, 18 Nov 2009 14:35:44 -0500 Subject: [PATCH] Add login_group configuration option so only members of a certain group can login --- .../LdapAuthorizationPlugin.php | 20 +++++++++++++++++-- plugins/LdapAuthorization/README | 2 ++ 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/plugins/LdapAuthorization/LdapAuthorizationPlugin.php b/plugins/LdapAuthorization/LdapAuthorizationPlugin.php index 20bbd25625..5173781f9f 100644 --- a/plugins/LdapAuthorization/LdapAuthorizationPlugin.php +++ b/plugins/LdapAuthorization/LdapAuthorizationPlugin.php @@ -49,6 +49,7 @@ class LdapAuthorizationPlugin extends AuthorizationPlugin public $provider_name = null; public $uniqueMember_attribute = null; public $roles_to_groups = null; + public $login_group = null; function onInitializePlugin(){ parent::onInitializePlugin(); @@ -77,8 +78,23 @@ class LdapAuthorizationPlugin extends AuthorizationPlugin if($user_username->find() && $user_username->fetch()){ $entry = $this->ldap_get_user($user_username->username); if($entry){ - //if a user exists, we can assume he's allowed to login - return true; + if(isset($this->login_group)){ + if(is_array($this->login_group)){ + foreach($this->login_group as $group){ + if($this->isMemberOfGroup($entry->dn(),$group)){ + return true; + } + } + }else{ + if($this->isMemberOfGroup($entry->dn(),login_group)){ + return true; + } + } + return null; + }else{ + //if a user exists, we can assume he's allowed to login + return true; + } }else{ return null; } diff --git a/plugins/LdapAuthorization/README b/plugins/LdapAuthorization/README index 2ca33f653d..2166b27266 100644 --- a/plugins/LdapAuthorization/README +++ b/plugins/LdapAuthorization/README @@ -18,6 +18,8 @@ uniqueMember_attribute ('uniqueMember')*: the attribute of a group that lists the DNs of its members roles_to_groups*: array that maps StatusNet roles to LDAP groups some StatusNet roles are: moderator, administrator, sandboxed, silenced +login_group: if this is set to a group DN, only members of that group will be + allowed to login The below settings must be exact copies of the settings used for the corresponding LDAP Authentication plugin.