+3
Planned

Automatically configure user from LDAP on first login

Steve Shipway 6 years ago updated 6 years ago 4

When LDAP authentication is enabled, and a user logs in for the first time, their account is created in the database.


However, it does not populate the FirstName/SecondName/EmailAddr fields from LDAP attributes; also, there is no way to set up a default Role for newly-created LDAP users.


I would like to be able to optionally specify a default Role, and the LDAP attributes to use to initially populate the name and email for these users.


This is even more important if we want to be able to use 2FA in conjunction with LDAP login.

If using 2FA, then after setting up an email address on the account from LDAP, it should email that with the initial 2FA code.

To be more precise; the LDAP configuration will set up the name and email address when auto-provisioning a new LDAP user, but the attributes used are hard-coded.  If (like us) you use a non-standard schema, then there is no way to configure which alternative attributes should be used for these initial settings.


There is also no way to initialise the role membership or link it to LDAP groups.


In sources/identify.php, the attribute names are fixed, and fonction_id (the semicolon-separated list of roles) defaults to blank:


        DB::insert(
            prefix_table('users'),
            array(
                'login' => $username,
                'pw' => $data['pw'],
                'email' => (isset($user_info_from_ad[0]['mail'][0]) === false) ? '' : $user_info_from_ad[0]['mail'][0],
                'name' => $user_info_from_ad[0]['givenname'][0],
                'lastname' => $user_info_from_ad[0]['sn'][0],
                'admin' => '0',
                'gestionnaire' => '0',
                'can_manage_all_users' => '0',
                'personal_folder' => $SETTINGS['enable_pf_feature'] === "1" ? '1' : '0',
                'fonction_id' => '',

Of course we can (for the time being) alter these in the code to match our schema and preferred defaults, but it would be better for this to be configurable

Planned

Interesting.

I will investigate

In addition, if 2FA is enabled, then it would be really good for the initial temporary code email to be sent out immediately (provided an email address is configured) rather than when the user clicks the link on the login page.


I have roughly done this in function identifyUser(), in identify.php (line 671), by simply copying a section of the code from main.queries.php:


        // should send email notification if using 2FA
        if (isset($user_info_from_ad[0]['mail'][0]) && $SETTINGS['ga_website_name'] !== false ) {
                    // generate new GA user code
                    include_once($SETTINGS['cpassman_dir']."/includes/libraries/Authentication/TwoFactorAuth/TwoFactorAuth.php");
                    $tfa = new Authentication\TwoFactorAuth\TwoFactorAuth($SETTINGS['ga_website_name']);
                    $gaSecretKey = $tfa->createSecret();
                    $gaTemporaryCode = GenerateCryptKey(12);

                    // save the code
                    DB::update(
                        prefix_table("users"),
                        array(
                            'ga' => $gaSecretKey,
                            'ga_temporary_code' => $gaTemporaryCode
                            ),
                        "login = %i",
                        $username
                    );

                    // send mail?
                        sendEmail(
                            $LANG['email_ga_subject'],
                            str_replace(
                                "#2FACode#",
                                $gaTemporaryCode,
                                $LANG['email_ga_text']
                            ),
                            $user_info_from_ad[0]['mail'][0]
                        );

        }
    }

However this is not ideal because it does not properly test for 2FA being enabled, though it does check for the email address.


Having these features (default roles, configurable attributes, and automatic 2FA notification) would mean that self-registration would be much quicker and simpler.


Thanks for your time with this; there are almost no Linux-based enterprise password managers with a web GUI and support for LDAP, which makes it really hard to find something suitable for our situation.