Index: ldapauth.admin.inc =================================================================== --- ldapauth.admin.inc (revision 1) +++ ldapauth.admin.inc (working copy) @@ -48,6 +48,13 @@ '#options' => $options_login_conflict, '#required' => TRUE, ); + $form['system-options']['ldapauth_create_accounts'] = array( + '#type' => 'checkbox', + '#title' => t('Enable automatic account creation'), + '#description' => t('If you disable automatic account creation, only users with an existing Drupal account will be allowed to login.'), + '#default_value' => LDAPAUTH_CREATE_ACCOUNTS, + '#required' => TRUE, + ); $form['security-options'] = array( '#type' => 'fieldset', @@ -116,6 +123,7 @@ case t('Save configuration'): variable_set('ldapauth_login_process', $values['ldapauth_login_process']); variable_set('ldapauth_login_conflict', $values['ldapauth_login_conflict']); + variable_set('ldapauth_create_accounts', $values['ldapauth_create_accounts']); variable_set('ldapauth_forget_passwords', $values['ldapauth_forget_passwords']); variable_set('ldapauth_sync_passwords', $values['ldapauth_sync_passwords']); variable_set('ldapauth_disable_pass_change', $values['ldapauth_disable_pass_change']); @@ -126,6 +134,7 @@ case t('Reset to defaults'): variable_del('ldapauth_login_process'); variable_del('ldapauth_login_conflict'); + variable_del('ldapauth_create_accounts'); variable_del('ldapauth_forget_passwords'); variable_del('ldapauth_sync_passwords'); variable_del('ldapauth_disable_pass_change'); Index: ldapauth.module =================================================================== --- ldapauth.module (revision 1) +++ ldapauth.module (working copy) 
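Review bot: `'#required' => TRUE` on the new `ldapauth_create_accounts` checkbox in the first hunk means the settings form can only be saved with the box ticked: Drupal's required-field validation treats the unchecked checkbox value `0` as empty, so an administrator cannot actually turn automatic account creation off through this form, which defeats the option being added. Remove that line and let `'#default_value' => LDAPAUTH_CREATE_ACCOUNTS,` close the element. The `variable_set()`/`variable_del()` hunks further down this file are consistent with the existing keys and need no change.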
@@ -20,6 +20,7 @@ define('LDAPAUTH_LOGIN_PROCESS', variable_get('ldapauth_login_process', LDAPAUTH_AUTH_MIXED)); define('LDAPAUTH_LOGIN_CONFLICT', variable_get('ldapauth_login_conflict', LDAPAUTH_CONFLICT_LOG)); +define('LDAPAUTH_CREATE_ACCOUNTS', variable_get('ldapauth_create_accounts', TRUE)); define('LDAPAUTH_FORGET_PASSWORDS', variable_get('ldapauth_forget_passwords', TRUE)); define('LDAPAUTH_SYNC_PASSWORDS', variable_get('ldapauth_sync_passwords', FALSE)); define('LDAPAUTH_DISABLE_PASS_CHANGE', variable_get('ldapauth_disable_pass_change', FALSE)); 
@@ -317,26 +318,34 @@ // Authenticate LDAP user. if (!($dn = _ldapauth_auth($name, $pass))) return; - if (!$account) { - // Register this new user. - if ($ldap_user = _ldapauth_user_lookup($name)) { - // If mail attribute is missing, set the name as mail. - $init = $mail = key_exists(($_ldapauth_ldap->getOption('mail_attr') ? $_ldapauth_ldap->getOption('mail_attr') : LDAPAUTH_DEFAULT_MAIL_ATTR), $ldap_user) ? $ldap_user[$_ldapauth_ldap->getOption('mail_attr')][0] : $name; + // Include Ldapgroups functions + require_once(drupal_get_path('module', 'ldapgroups') .'/ldapgroups.inc'); + + if (LDAPAUTH_CREATE_ACCOUNTS && ( module_exists('ldapgroups') ? module_invoke('ldapgroups', 'autocreation', $_ldapauth_ldap->getOption('sid'), $dn, $name, $pass): TRUE )) { + // Register this new user if automatic creation is enabled and ldapgroups is disabled or allows account creation. + if ($ldap_user = _ldapauth_user_lookup($name)) { + // If mail attribute is missing, set the name as mail. + $init = $mail = key_exists(($_ldapauth_ldap->getOption('mail_attr') ? $_ldapauth_ldap->getOption('mail_attr') : LDAPAUTH_DEFAULT_MAIL_ATTR), $ldap_user) ? $ldap_user[$_ldapauth_ldap->getOption('mail_attr')][0] : $name; - // Check if the e-mail is not denied. - if (drupal_is_denied('mail', $mail)) { - form_set_error('name', t('The name %name is registered using a reserved e-mail address and therefore could not be logged in.', array('%name' => $name))); - return; - } + // Check if the e-mail is not denied. + if (drupal_is_denied('mail', $mail)) { + form_set_error('name', t('The name %name is registered using a reserved e-mail address and therefore could not be logged in.', array('%name' => $name))); + return; + } - // Generate a random drupal password. LDAP password will be used anyways. - $pass_new = (LDAPAUTH_LOGIN_PROCESS == LDAPAUTH_AUTH_EXCLUSIVED || !LDAPAUTH_SYNC_PASSWORDS) ? user_password(20) : $pass; + // Generate a random drupal password. LDAP password will be used anyways. 
+ $pass_new = (LDAPAUTH_LOGIN_PROCESS == LDAPAUTH_AUTH_EXCLUSIVED || !LDAPAUTH_SYNC_PASSWORDS) ? user_password(20) : $pass; - $userinfo = array('name' => $name, 'pass' => $pass_new, 'mail' => $mail, 'init' => $init, 'status' => 1, 'authname_ldapauth' => $name, 'ldap_authentified' => TRUE, 'ldap_dn' => $ldap_user['dn'], 'ldap_config' => $_ldapauth_ldap->getOption('sid')); - $user = user_save('', $userinfo); - watchdog('ldapauth', 'New external user %name created from the LDAP server %server.', array('%name' => $name, '%server' => $_ldapauth_ldap->getOption('name')), WATCHDOG_NOTICE, l(t('edit'), 'user/'. $user->uid .'/edit')); - } + $userinfo = array('name' => $name, 'pass' => $pass_new, 'mail' => $mail, 'init' => $init, 'status' => 1, 'authname_ldapauth' => $name, 'ldap_authentified' => TRUE, 'ldap_dn' => $ldap_user['dn'], 'ldap_config' => $_ldapauth_ldap->getOption('sid')); + $user = user_save('', $userinfo); + watchdog('ldapauth', 'New external user %name created from the LDAP server %server.', array('%name' => $name, '%server' => $_ldapauth_ldap->getOption('name')), WATCHDOG_NOTICE, l(t('edit'), 'user/'. $user->uid .'/edit')); + } + } + else { + // If autocreation is disabled or forbidden for the user's groups, deny login. + return; + } } else { // Login existing user. @@ -520,7 +529,7 @@ } /** - * Retrieve the saved ldapgroups saved setting. + * Retrieve the saved ldapgroups setting. * * @param $sid * A server ID or user object. Index: ldapgroups.admin.inc =================================================================== --- ldapgroups.admin.inc (revision 1) +++ ldapgroups.admin.inc (working copy) 
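Review bot: `require_once(drupal_get_path('module', 'ldapgroups') .'/ldapgroups.inc')` is executed before `module_exists('ldapgroups')` is consulted, so on a site without ldapgroups installed `drupal_get_path()` yields an empty string and the require fails fatally on every login of an unknown LDAP user; the include belongs under the module check. The new `else { return; }` branch that refuses the login when creation is disabled or not allowed for the user's groups leaves no trace at all — no `form_set_error()` for the user and no `watchdog()` entry — so a refused login is indistinguishable from a wrong password in the logs and cannot be audited. The enclosing login function starts and ends outside this hunk, and the `if (!$account)` context these lines sit under is only partly visible here.
```php
  // Consult ldapgroups only when it is enabled; drupal_get_path() returns ''
  // for a missing module and an unconditional require_once() is fatal.
  $create = LDAPAUTH_CREATE_ACCOUNTS;
  if ($create && module_exists('ldapgroups')) {
    require_once(drupal_get_path('module', 'ldapgroups') .'/ldapgroups.inc');
    $create = module_invoke('ldapgroups', 'autocreation', $_ldapauth_ldap->getOption('sid'), $dn, $name, $pass);
  }

  if ($create) {
    // … unchanged: _ldapauth_user_lookup(), denied-mail check, user_save(), watchdog() …
  }
  else {
    // Record the refusal so denied logins are auditable and not mistaken for bad credentials.
    watchdog('ldapauth', 'Login denied for LDAP user %name: automatic account creation is disabled or not allowed for the user\'s groups.', array('%name' => $name), WATCHDOG_WARNING);
    form_set_error('name', t('Sorry, unrecognized username or password.'));
    return;
  }
```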
@@ -161,12 +161,20 @@
   );
   $form['groups_limit']['ldapgroups_groups'] = array(
     '#type' => 'textarea',
-    '#title' => t('LDAP groups which allow automatic account creation'),
+    '#title' => t('LDAP groups which allow login'),
     '#default_value' => implode("\n", ($edit['ldapgroups_groups'] ? unserialize($edit['ldapgroups_groups']) : array())),
     '#cols' => 50,
     '#rows' => 5,
-    '#description' => t('Leave blank to automatically create accounts for all LDAP authenticated users. Otherwise, enter a one per line list of LDAP groups. If the user is not in any of those groups, the login will be denied.'),
+    '#description' => t('Leave blank to allow login for all LDAP authenticated users. Otherwise, enter a one per line list of LDAP groups. If the user is not in any of those groups, the login will be denied.'),
   );
+  $form['groups_limit']['ldapgroups_for_autocreation'] = array(
+    '#type' => 'textarea',
+    '#title' => t('LDAP groups allowing automatic account creation'),
+    '#default_value' => implode("\n", ($edit['ldapgroups_for_autocreation'] ? unserialize($edit['ldapgroups_for_autocreation']) : array(''))),
+    '#cols' => 50,
+    '#rows' => 5,
+    '#description' => t('Leave blank to automatically create accounts for all LDAP authenticated users. Otherwise, enter a one per line list of LDAP groups. If a user is not in any of those groups, the login will be denied unless a local account exists for that user.'),
+  );
   $form['group_filter'] = array(
     '#type' => 'fieldset',
     '#title' => t('LDAP group to Drupal role filtering'),
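Review bot: The `#default_value` of the new `ldapgroups_for_autocreation` textarea falls back to `array('')` where the sibling `ldapgroups_groups` element a few lines above uses `array()`; both implode to an empty string, but the variant reads as if an empty group name were intended and will confuse the next reader. Use the same fallback as the sibling: `'#default_value' => implode("\n", ($edit['ldapgroups_for_autocreation'] ? unserialize($edit['ldapgroups_for_autocreation']) : array())),`. The two titles and descriptions now describe distinct gates (login versus account creation), which is clearer than the wording they replace.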
@@ -266,6 +274,12 @@
         if (trim($line))
           $form_state['ldapgroups_groups'][] = trim($line);
       $form_state['ldapgroups_groups'] = !empty($form_state['ldapgroups_groups']) ? serialize($form_state['ldapgroups_groups']) : '';
+
+      $form_state['ldapgroups_for_autocreation'] = array();
+      foreach ((trim($values['ldapgroups_for_autocreation']) ? explode("\n", trim($values['ldapgroups_for_autocreation'])) : array()) as $line)
+        if (trim($line))
+          $form_state['ldapgroups_for_autocreation'][] = trim($line);
+      $form_state['ldapgroups_for_autocreation'] = !empty($form_state['ldapgroups_for_autocreation']) ? serialize($form_state['ldapgroups_for_autocreation']) : '';
       break;
   }
 }
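Review bot: The six added lines are a verbatim copy of the `ldapgroups_groups` parsing directly above them with only the key changed, so the explode/trim/serialize rule now lives in two places that can drift apart. A small helper keeps both keys on the same rule and shrinks each call site to one line, `$form_state['ldapgroups_for_autocreation'] = _ldapgroups_serialize_lines($values['ldapgroups_for_autocreation']);`, with the same call for `ldapgroups_groups`. The helper below reproduces the present behaviour, including storing an empty result as `''`; the enclosing `switch` and function continue outside this hunk.
```php
/**
 * Splits a one-group-per-line textarea value into a serialized list.
 *
 * Blank lines are skipped; an empty result is stored as ''.
 */
function _ldapgroups_serialize_lines($text) {
  $lines = array();
  foreach (explode("\n", trim($text)) as $line) {
    if (trim($line)) {
      $lines[] = trim($line);
    }
  }
  return !empty($lines) ? serialize($lines) : '';
}
```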
@@ -280,7 +294,7 @@ case t('Update'): // Update the ldapgroups configuration. - db_query("UPDATE {ldapauth} SET ldapgroups_in_dn = %d, ldapgroups_dn_attribute = '%s', ldapgroups_in_attr = %d, ldapgroups_attr = '%s', ldapgroups_as_entries = %d, ldapgroups_entries = '%s', ldapgroups_entries_attribute = '%s', ldapgroups_mappings = '%s', ldapgroups_mappings_filter = %d, ldapgroups_filter_php = '%s', ldapgroups_groups = '%s' WHERE sid = %d", $values['ldapgroups_in_dn'], trim($values['ldapgroups_dn_attribute']), $values['ldapgroups_in_attr'], $form_state['ldapgroups_attr'], $values['ldapgroups_as_entries'], $form_state['ldapgroups_entries'], trim($values['ldapgroups_entries_attribute']), $form_state['ldapgroups_mappings'], $values['ldapgroups_mappings_filter'], trim($values['ldapgroups_filter_php']), $form_state['ldapgroups_groups'], $values['sid']); + db_query("UPDATE {ldapauth} SET ldapgroups_in_dn = %d, ldapgroups_dn_attribute = '%s', ldapgroups_in_attr = %d, ldapgroups_attr = '%s', ldapgroups_as_entries = %d, ldapgroups_entries = '%s', ldapgroups_entries_attribute = '%s', ldapgroups_mappings = '%s', ldapgroups_mappings_filter = %d, ldapgroups_filter_php = '%s', ldapgroups_groups = '%s', ldapgroups_for_autocreation = '%s' WHERE sid = %d", $values['ldapgroups_in_dn'], trim($values['ldapgroups_dn_attribute']), $values['ldapgroups_in_attr'], $form_state['ldapgroups_attr'], $values['ldapgroups_as_entries'], $form_state['ldapgroups_entries'], trim($values['ldapgroups_entries_attribute']), $form_state['ldapgroups_mappings'], $values['ldapgroups_mappings_filter'], trim($values['ldapgroups_filter_php']), $form_state['ldapgroups_groups'], $form_state['ldapgroups_for_autocreation'], $values['sid']); drupal_set_message(t('The configuration options have been saved.')); $form_state['redirect'] = 'admin/settings/ldap/ldapgroups'; break; 
@@ -288,7 +302,7 @@ if ($values['confirm'] == 1) { // Settings reset. - db_query("UPDATE {ldapauth} SET ldapgroups_in_dn = 0, ldapgroups_dn_attribute = '', ldapgroups_in_attr = 0, ldapgroups_attr = '', ldapgroups_as_entries = 0, ldapgroups_entries = '', ldapgroups_entries_attribute = '', ldapgroups_mappings = '', ldapgroups_mappings_filter = '0', ldapgroups_filter_php = '', ldapgroups_groups = '' WHERE sid = %d", $values['sid']); + db_query("UPDATE {ldapauth} SET ldapgroups_in_dn = 0, ldapgroups_dn_attribute = '', ldapgroups_in_attr = 0, ldapgroups_attr = '', ldapgroups_as_entries = 0, ldapgroups_entries = '', ldapgroups_entries_attribute = '', ldapgroups_mappings = '', ldapgroups_mappings_filter = '0', ldapgroups_filter_php = '', ldapgroups_groups = '', ldapgroups_for_autocreation = '' WHERE sid = %d", $values['sid']); drupal_set_message(t('The configuration options have been reset to their default values.')); } $form_state['redirect'] = 'admin/settings/ldap/ldapgroups'; Index: ldapgroups.inc =================================================================== --- ldapgroups.inc (revision 1) +++ ldapgroups.inc (working copy) @@ -31,7 +31,7 @@ $account = user_load(0); return; } - + // Then, we take every mapped role from the user, later below // we'll grant back those deserved. $account->ldap_drupal_roles = isset($account->ldap_drupal_roles) ? $account->ldap_drupal_roles : array(); 
@@ -241,6 +241,42 @@ } /** + * Determines if automatic account creation should be allowed + * + * @param $sid + * The server ID of the LDAP server that authenticated the user. + * @param $dn + * The current user's distinguished name + * @param $name + * User's name + * @param $pass + * User's password + * + * @return + * TRUE if the account creation is allowed; FALSE otherwise. + */ +function ldapgroups_autocreation($sid, $dn, $name, $pass) { + global $_ldapgroups_ldap; + + // Setup the global $_ldapgroups_ldap object. + if (!_ldapgroups_ldap_init($sid)) + return FALSE; + + // Create a temporary $user object + $user = (object)array('name' => $name, 'pass' => $pass, 'ldap_config' => $sid, 'ldap_dn' => $dn); + + // Detect LDAP groups the user belongs to + $groups = _ldapgroups_detect_groups($user); + + // Apply account creation group restrictions + if (count($groups_allow = _ldapgroups_ldap_info($sid, 'ldapgroups_for_autocreation')) == 0 || count(array_intersect($groups, $groups_allow)) > 0) { + return TRUE; + } + return FALSE; +} + + +/** * Initiates the LDAPInterfase class. * * @param $sid @@ -314,6 +350,8 @@ return $servers[$sid]->ldapgroups_filter_php; case 'ldapgroups_groups': return !empty($servers[$sid]->ldapgroups_groups) ? unserialize($servers[$sid]->ldapgroups_groups) : array(); + case 'ldapgroups_for_autocreation': + return !empty($servers[$sid]->ldapgroups_for_autocreation) ? unserialize($servers[$sid]->ldapgroups_for_autocreation) : array(); } } Index: ldapgroups.install =================================================================== --- ldapgroups.install (revision 1) +++ ldapgroups.install (working copy) @@ -67,6 +67,10 @@ 'type' => 'text', 'not null' => FALSE, )); + db_add_field($ret, 'ldapauth', 'ldapgroups_for_autocreation', array( + 'type' => 'text', + 'not null' => FALSE, + )); return $ret; } 
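Review bot: The last condition in `ldapgroups_autocreation()` hides the assignment of `$groups_allow` inside the `if` test and then returns through an `if … return TRUE; return FALSE;` pair; it reads better as `$groups_allow = _ldapgroups_ldap_info($sid, 'ldapgroups_for_autocreation');` followed by `return count($groups_allow) == 0 || count(array_intersect((array) $groups, $groups_allow)) > 0;`. The `(array)` cast protects `array_intersect()` should `_ldapgroups_detect_groups()` ever return a non-array; its body is not on this page, so this is a precaution rather than a known failure. The function fails closed — an LDAP init failure, or no group match against a configured allow-list, both yield FALSE — which is the right default for a login gate and worth stating explicitly in the docblock's `@return`.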
@@ -75,7 +79,7 @@ * Implementation of hook_uninstall(). */ function ldapgroups_uninstall() { - // We're removing fileds from an existing table, not deleting a whole one. + // We're removing fields from an existing table, not deleting a whole one. $ret = array(); db_drop_field($ret, 'ldapauth', 'ldapgroups_in_dn'); @@ -89,6 +93,7 @@ db_drop_field($ret, 'ldapauth', 'ldapgroups_mappings_filter'); db_drop_field($ret, 'ldapauth', 'ldapgroups_filter_php'); db_drop_field($ret, 'ldapauth', 'ldapgroups_groups'); + db_drop_field($ret, 'ldapauth', 'ldapgroups_for_autocreation'); return $ret; } @@ -116,3 +121,11 @@ return $ret; } +function ldapgroups_update_6002() { + $ret = array(); + db_add_field($ret, 'ldapauth', 'ldapgroups_for_autocreation', array( + 'type' => 'text', + 'not null' => FALSE, + )); + return $ret; +}
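Review bot: `ldapgroups_update_6002()` in the last hunk is added without a docblock, while the neighbouring hooks in this file carry `Implementation of hook_…()` comments; Drupal update functions conventionally say what schema change they make, e.g. `/**` / ` * Add the ldapgroups_for_autocreation column used to restrict automatic account creation by LDAP group.` / ` */` above the function. The matching `db_add_field()` in the install hunk earlier on this page and the `db_drop_field()` added to `ldapgroups_uninstall()` complete the column's lifecycle, so nothing else is missing here.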