Add LDAP as a third authentication option alongside local password and Microsoft Entra ID SSO. Per-tenant configuration supports Active Directory, OpenLDAP, and FreeIPA with configurable attribute mapping, search-then-bind and direct-bind methods, encrypted bind credentials (AES-256-GCM), profile sync on login, and user auto-provisioning via external identity linking. Includes admin UI for connection settings with test-connection button, login page LDAP form, 25 new PHPUnit tests, and de/en translations. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
76 lines
2.3 KiB
PHP
76 lines
2.3 KiB
PHP
<?php
|
|
|
|
use MintyPHP\Service\Access\TenantAuthorizationPolicy;
|
|
use MintyPHP\Session;
|
|
use MintyPHP\Support\Guard;
|
|
|
|
Guard::requireLogin();
|
|
|
|
header('Content-Type: application/json; charset=utf-8');
|
|
|
|
if (requestInput()->method() !== 'POST') {
|
|
http_response_code(405);
|
|
echo json_encode(['ok' => false, 'error' => 'Method not allowed']);
|
|
return;
|
|
}
|
|
|
|
if (!Session::checkCsrfToken()) {
|
|
http_response_code(403);
|
|
echo json_encode(['ok' => false, 'error' => 'CSRF token invalid']);
|
|
return;
|
|
}
|
|
|
|
$session = app(\MintyPHP\Http\SessionStoreInterface::class)->all();
|
|
$currentUserId = (int) ($session['user']['id'] ?? 0);
|
|
$decision = app(\MintyPHP\Service\Access\AuthorizationService::class)->authorize(
|
|
TenantAuthorizationPolicy::ABILITY_ADMIN_TENANTS_EDIT_CONTEXT,
|
|
[
|
|
'actor_user_id' => $currentUserId,
|
|
'target_tenant_id' => (int) (requestInput()->bodyAll()['tenant_id'] ?? 0),
|
|
]
|
|
);
|
|
if (!$decision->isAllowed()) {
|
|
http_response_code(403);
|
|
echo json_encode(['ok' => false, 'error' => 'Forbidden']);
|
|
return;
|
|
}
|
|
|
|
$capabilities = $decision->attribute('capabilities', []);
|
|
if (!is_array($capabilities) || empty($capabilities['can_manage_sso'])) {
|
|
http_response_code(403);
|
|
echo json_encode(['ok' => false, 'error' => 'Forbidden']);
|
|
return;
|
|
}
|
|
|
|
$post = requestInput()->bodyAll();
|
|
$host = trim((string) ($post['ldap_host'] ?? ''));
|
|
$port = (int) ($post['ldap_port'] ?? 389);
|
|
$encryptionMode = (string) ($post['ldap_encryption_mode'] ?? 'starttls');
|
|
$verifyTls = !empty($post['ldap_verify_tls_certificate']);
|
|
$baseDn = trim((string) ($post['ldap_base_dn'] ?? ''));
|
|
$bindDn = trim((string) ($post['ldap_bind_dn'] ?? ''));
|
|
$bindPassword = trim((string) ($post['ldap_bind_password'] ?? ''));
|
|
$networkTimeout = max(1, min(10, (int) ($post['ldap_network_timeout'] ?? 5)));
|
|
|
|
if ($host === '') {
|
|
echo json_encode(['ok' => false, 'error' => t('LDAP host is required')]);
|
|
return;
|
|
}
|
|
|
|
$ldapAuthService = app(\MintyPHP\Service\Auth\LdapAuthService::class);
|
|
|
|
$config = [
|
|
'host' => $host,
|
|
'port' => $port,
|
|
'encryption_mode' => $encryptionMode,
|
|
'verify_tls_certificate' => $verifyTls,
|
|
'base_dn' => $baseDn,
|
|
'bind_dn' => $bindDn,
|
|
'bind_password' => $bindPassword,
|
|
'network_timeout' => $networkTimeout,
|
|
];
|
|
|
|
$result = $ldapAuthService->testConnection($config);
|
|
|
|
echo json_encode($result);
|