feat: add LDAP authentication as per-tenant login method

Add LDAP as a third authentication option alongside local password and
Microsoft Entra ID SSO. Per-tenant configuration supports Active Directory,
OpenLDAP, and FreeIPA with configurable attribute mapping, search-then-bind
and direct-bind methods, encrypted bind credentials (AES-256-GCM),
profile sync on login, and user auto-provisioning via external identity
linking.

Includes admin UI for connection settings with test-connection button,
login page LDAP form, 25 new PHPUnit tests, and de/en translations.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-03-25 07:26:04 +01:00
parent a0d816caaa
commit d1eeac6692
22 changed files with 2325 additions and 18 deletions

View File

@@ -211,6 +211,168 @@ class SsoUserLinkService
$this->avatarService->saveBinary($userUuid, $binary, $avatarMime);
}
/**
* Link or provision a user from LDAP authentication result.
*
* @param array $tenant Tenant record
* @param array $ldapResult Result from LdapAuthService::authenticate()
* @param array $ldapConfig Effective LDAP provider config
* @return array{ok: bool, user_id?: int, created?: bool, error?: string}
*/
public function linkOrProvisionLdapUser(array $tenant, array $ldapResult, array $ldapConfig): array
{
$tenantId = (int) ($tenant['id'] ?? 0);
$uniqueId = trim((string) ($ldapResult['unique_id'] ?? ''));
$dn = trim((string) ($ldapResult['dn'] ?? ''));
$attributes = $ldapResult['attributes'] ?? [];
$host = trim((string) ($ldapConfig['host'] ?? ''));
$email = strtolower(trim((string) ($attributes['email'] ?? '')));
if ($tenantId <= 0 || $host === '') {
return ['ok' => false, 'error' => 'identity_invalid'];
}
$providerKey = $this->tenantSsoService->ldapProviderKey();
$tid = $host;
$oid = $uniqueId !== '' ? $uniqueId : $dn;
$issuer = $host;
$subject = $dn;
if ($oid === '') {
return ['ok' => false, 'error' => 'identity_invalid'];
}
$identity = $this->externalIdentityGateway->findByProviderTidOid($providerKey, $tid, $oid);
if ($identity) {
$userId = (int) ($identity['user_id'] ?? 0);
$user = $this->userReadRepository->find($userId);
if (!$user || empty($user['active'])) {
return ['ok' => false, 'error' => 'user_inactive'];
}
$tenantIds = array_values(array_map('intval', $this->userTenantRepository->listTenantIdsByUserId($userId)));
if (!in_array($tenantId, $tenantIds, true)) {
return ['ok' => false, 'error' => 'tenant_not_assigned'];
}
$this->syncProfileFromLdap($userId, $attributes, $ldapConfig);
return ['ok' => true, 'user_id' => $userId, 'created' => false];
}
if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL)) {
$user = $this->userReadRepository->findByEmail($email);
if ($user) {
$userId = (int) ($user['id'] ?? 0);
if ($userId <= 0 || empty($user['active'])) {
return ['ok' => false, 'error' => 'user_inactive'];
}
$this->ensureTenantAssignment($userId, $tenantId);
$this->createIdentityLinkForProvider($providerKey, $userId, $tid, $oid, $issuer, $subject, $email);
$this->syncProfileFromLdap($userId, $attributes, $ldapConfig);
return ['ok' => true, 'user_id' => $userId, 'created' => false];
}
}
if ($email === '' || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
return ['ok' => false, 'error' => 'email_missing'];
}
$firstName = trim((string) ($attributes['first_name'] ?? ''));
$lastName = trim((string) ($attributes['last_name'] ?? ''));
if ($firstName === '') {
$firstName = ucfirst(explode('@', $email, 2)[0]);
}
$createdId = $this->userWriteRepository->create([
'first_name' => $firstName,
'last_name' => $lastName,
'email' => $email,
'password' => $this->randomPassword(),
'locale' => null,
'totp_secret' => '',
'theme' => $this->resolveInitialTheme($this->settingsGateway->getAppTheme()),
'primary_tenant_id' => $tenantId,
'current_tenant_id' => $tenantId,
'active' => 1,
'created_by' => null,
'active_changed_at' => gmdate('Y-m-d H:i:s'),
'active_changed_by' => null,
]);
if (!$createdId) {
return ['ok' => false, 'error' => 'user_create_failed'];
}
$userId = (int) $createdId;
$this->userWriteRepository->setEmailVerified($userId);
$this->userAssignmentService->syncTenants($userId, [$tenantId]);
$defaultRoleId = $this->settingsGateway->getDefaultRoleId();
if ($defaultRoleId) {
$this->userAssignmentService->syncRoles($userId, [$defaultRoleId]);
}
$defaultDepartmentId = $this->settingsGateway->getDefaultDepartmentId();
if ($defaultDepartmentId) {
$this->userAssignmentService->syncDepartments($userId, [$defaultDepartmentId]);
}
$this->createIdentityLinkForProvider($providerKey, $userId, $tid, $oid, $issuer, $subject, $email);
$this->syncProfileFromLdap($userId, $attributes, $ldapConfig);
return ['ok' => true, 'user_id' => $userId, 'created' => true];
}
private function syncProfileFromLdap(int $userId, array $attributes, array $ldapConfig): void
{
if ($userId <= 0 || empty($ldapConfig['sync_profile_on_login'])) {
return;
}
$syncFields = $this->tenantSsoService->normalizeLdapProfileSyncFields($ldapConfig['sync_profile_fields'] ?? []);
if (!$syncFields) {
$syncFields = $this->tenantSsoService->defaultProfileSyncFields();
}
if (!$syncFields) {
return;
}
$updates = [];
foreach ($syncFields as $field) {
$value = trim((string) ($attributes[$field] ?? ''));
if ($value === '') {
continue;
}
$updates[$field] = $value;
}
if ($updates) {
$this->userWriteRepository->updateProfileFieldsFromSso($userId, $updates);
}
}
private function createIdentityLinkForProvider(
string $providerKey,
int $userId,
string $tid,
string $oid,
string $issuer,
string $subject,
string $email
): void {
try {
$this->externalIdentityGateway->createLink([
'user_id' => $userId,
'provider' => $providerKey,
'oid' => $oid,
'tid' => $tid,
'issuer' => $issuer,
'subject' => $subject,
'email_at_link_time' => $email,
]);
} catch (\Throwable) {
// Ignore duplicate-link race conditions.
}
}
private function ensureTenantAssignment(int $userId, int $tenantId): void
{
$tenantIds = array_values(array_unique(array_map('intval', $this->userTenantRepository->listTenantIdsByUserId($userId))));