Added ability to do search using a alter admin user

README.md

@@ -52,6 +52,9 @@ map_fullname: givenName lastName
 map_email: mail
 save_grav_user: false
 store_ldap_data: false
+alter_search_enable: false
+alter_search_user_dn:
+alter_search_user_password:
 default_access_levels:
   groups: 
    - ldap_users
@@ -99,6 +102,9 @@ default_access_levels:
 |:---------------------|:---------------------------|:-------|
 |save_grav_user|Store the grav user account as a local YAML account | true \| [default: `false`] |
 |store_ldap_data|If storing a local Grav user, you can also store LDAP data so its available in Grav| true \| [default: `false`] |
+|alter_search_enable|If a normal LDAP user don't have permission to do search in the server, you can use a alter admin user to do the search for extra info |true \| [default: `false`] |
+|alter_search_user_dn|Alter admin user dn | e.g. `cn=admin,dc=company,dc=com` |
+|alter_search_user_password|Alter admin user password | e.g. `password` |
 |default_access_levels.groups|Set a default group for all users logging in via LDAP [OPTIONAL] | e.g. `ldap_users` |
 |default_access_levels.access.site|Set the default **site access** for all users logging in via LDAP (used if no `access.groups` mapping applies) | e.g. `[login: 'true']` |
 |default_access_levels.access.groups|The default **access to assign** to users logging in based on **LDAP group membership**| e.g. `user: [site: [login: 'true']]` |

blueprints.yaml

@@ -209,6 +209,32 @@ form:
               validate:
                 type: bool
 
+            alter_search_enable:
+              type: toggle
+              label: PLUGIN_LOGIN_LDAP.ALTER_SERARCH_ENABLE
+              default: 0
+              highlight: 0
+              help: PLUGIN_LOGIN_LDAP.ALTER_SERARCH_ENABLE_DESC
+              options:
+                1: Enabled
+                0: Disabled
+              validate:
+                type: bool
+
+            alter_search_user_dn:
+              type: text
+              label: PLUGIN_LOGIN_LDAP.ALTER_SERARCH_USER_DN
+              size: large
+              placeholder: cn=admin,dc=company,dc=com
+              help: PLUGIN_LOGIN_LDAP.ALTER_SERARCH_USER_DN_DESC
+
+            alter_search_user_password:
+              type: text
+              label: PLUGIN_LOGIN_LDAP.ALTER_SERARCH_USER_PASSWORD
+              size: large
+              placeholder: password
+              help: PLUGIN_LOGIN_LDAP.ALTER_SERARCH_USER_PASSWORD_DESC
+
             default_access_levels.groups:
               type: selectize
               size: large

languages/en.yaml

@@ -42,4 +42,10 @@ PLUGIN_LOGIN_LDAP:
   VERSION_DESC: 'LDAP Version 3 is most popular, only change this if you know what you are doing'
   BLACKLIST_FIELDS: 'Blacklist Fields'
   BLACKLIST_FIELDS_HELP: 'A list of LDAP fields to be skipped and ignored'
-  BLACKLIST_FIELDS_PLACEHOLDER: 'Field (ie, jpegPhoto, homePostalAddress)'
+  BLACKLIST_FIELDS_PLACEHOLDER: 'Field (ie, jpegPhoto, homePostalAddress)'
+  ALTER_SERARCH_ENABLE: 'Use Alter Search'
+  ALTER_SERARCH_USER_DN: 'Alter Search User Dn (Must be Full User Dn)'
+  ALTER_SERARCH_USER_PASSWORD: 'Alter Search User Password'
+  ALTER_SERARCH_ENABLE_DESC: 'Boolean, Use a alter user who has right to search in LDAP server'
+  ALTER_SERARCH_USER_DN_DESC: 'Required when enable ALTER SEARCH'
+  ALTER_SERARCH_USER_PASSWORD_DESC: 'Required when enable ALTER SEARCH'

login-ldap.php

@@ -88,6 +88,10 @@ public function userLoginAuthenticate(UserLoginEvent $event)
         $opt_referrals      = $this->config->get('plugins.login-ldap.opt_referrals');
         $blacklist          = $this->config->get('plugins.login-ldap.blacklist_ldap_fields', []);
 
+        $alter_search        = $this->config->get('plugins.login-ldap.alter_search_enable');
+        $alter_search_user_dn           = $this->config->get('plugins.login-ldap.alter_search_user_dn');
+        $alter_search_user_password     = $this->config->get('plugins.login-ldap.alter_search_user_password');
+
         if (is_null($host)) {
             throw new ConnectionException('FATAL: LDAP host entry missing in plugin configuration...');
         }
@@ -102,16 +106,17 @@ public function userLoginAuthenticate(UserLoginEvent $event)
         }
 
         try {
-            /** @var Ldap $ldap */
-            $ldap = Ldap::create('ext_ldap', array(
+            $config = array(
                 'host' => $host,
                 'port' => $port,
                 'encryption' => $encryption,
                 'options' => array(
                     'protocol_version' => $version,
                     'referrals' => (bool) $opt_referrals,
                 ),
-            ));
+            );
+            /** @var Ldap $ldap */
+            $ldap = Ldap::create('ext_ldap', $config);
 
             // Map Info
             $map_username = $this->config->get('plugins.login-ldap.map_username');
@@ -130,10 +135,19 @@ public function userLoginAuthenticate(UserLoginEvent $event)
             $grav_user['fullname'] = $credentials['username'];
             $user_groups = [];
 
+            // Set up search LDAP user
+            if ($alter_search) {
+                /** @var Ldap $searchLdap */
+                $searchLdap = Ldap::create('ext_ldap', $config);
+                $searchLdap->bind($alter_search_user_dn,$alter_search_user_password);
+            }else{
+                $searchLdap = $ldap;
+            }
+
             // If search_dn is set we can try to get information from LDAP
             if ($search_dn) {
                 $query_string = $map_username .'='. $credentials['username'];
-                $query = $ldap->query($search_dn, $query_string);
+                $query = $searchLdap->query($search_dn, $query_string);
                 $results = $query->execute()->toArray();
 
                 // Get LDAP Data
@@ -172,16 +186,16 @@ public function userLoginAuthenticate(UserLoginEvent $event)
                     // retrieves all extra groups for user
                     $group_query = str_replace('[username]', $credentials['username'], $group_query);
                     $group_query = str_replace('[dn]', $userdata['dn'], $group_query);
-                    $query = $ldap->query($group_dn, $group_query);
+                    $query = $searchLdap->query($group_dn, $group_query);
                     $groups = $query->execute()->toArray();
 
                     // retrieve current primary group for user
-                    $query = $ldap->query($group_dn, 'gidnumber=' . $this->getLDAPMappedItem('gidNumber', $ldap_data));
+                    $query = $searchLdap->query($group_dn, 'gidnumber=' . $this->getLDAPMappedItem('gidNumber', $ldap_data));
                     $groups = array_merge($groups, $query->execute()->toArray());
 
                     foreach ($groups as $group) {
                         $attributes = $group->getAttributes();
-                        
+
                         // make sure we have an array to read
                         if ( !empty($attributes) && !empty($attributes[$group_indentifier]) && is_array($attributes[$group_indentifier]) )
                         {

login-ldap.yaml

@@ -5,6 +5,9 @@ version: 3
 ssl: false
 start_tls: false
 opt_referrals: false
+alter_search_enable: false
+alter_search_user_dn:
+alter_search_user_password:
 user_dn: 'uid=[username],dc=company,dc=com'
 search_dn:
 group_dn: