From 3f091a86cc00f9029f8e17ffcfec478ad134691e Mon Sep 17 00:00:00 2001
From: Michael Hafen
Date: Tue, 3 Jul 2018 14:49:56 -0600
Subject: [PATCH] Local patch to have auth_LDAP find the DN instead of assuming the OU.

Instead of assuming all users are in the same OU, this patch changes auth_LDAP so that it will find the ldap user and get their dn directly.
---
 functions/classes/class.User.php | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/functions/classes/class.User.php b/functions/classes/class.User.php
index 70c85a7b6..ae5aac801 100644
--- a/functions/classes/class.User.php
+++ b/functions/classes/class.User.php
@@ -1018,7 +1018,7 @@ private function show_http_login () {
 */
 private function directory_connect ($authparams) {
 # adLDAP script
- require(dirname(__FILE__) . "/../adLDAP/src/adLDAP.php");
+ require_once(dirname(__FILE__) . "/../adLDAP/src/adLDAP.php");
 $dirparams = Array();
 $dirparams['base_dn'] = @$authparams['base_dn'];
 $dirparams['ad_port'] = @$authparams['ad_port'];
@@ -1033,7 +1033,7 @@ private function directory_connect ($authparams) {
 // TODO: remove legacy support at some point
 if ($authparams['ldap_security'] == 'tls' || $authparams['use_tls'] == 1) { $dirparams['use_tls'] = true; }
 elseif ($authparams['ldap_security'] == 'ssl' || $authparams['use_ssl'] == 1) { $dirparams['use_ssl'] = true; }
- if (isset($authparams['admin_username']) && isset($authparams['admin_password'])) {
+ if (isset($authparams['adminUsername']) && isset($authparams['adminPassword'])) {
 $dirparams['admin_username'] = $authparams['adminUsername'];
 $dirparams['admin_password'] = $authparams['adminPassword'];
 }
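Review bot: The corrected `isset()` check on `adminUsername`/`adminPassword` in the second hunk still accepts empty strings, so a blank admin password is handed to adLDAP as bind credentials, and an LDAP simple bind with an empty password is treated as an unauthenticated bind by many servers; the check should also reject an empty value, `if (isset($authparams['adminUsername'], $authparams['adminPassword']) && $authparams['adminPassword'] !== '') {`. The `@$authparams[...]` suppression in the surrounding context predates this commit and is not changed here. directory_connect's body continues outside both hunks.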
@@ -1130,12 +1130,23 @@ private function auth_LDAP ($username, $password) {
 $authparams = json_decode($this->authmethodparams, true);
 $this->ldap = true; //set ldap flag
- // set uid
- if (!empty($authparams['uid_attr'])) { $udn = $authparams['uid_attr'] . '=' . $username; }
- else { $udn = 'uid=' . $username; }
- // set DN
- if (!empty($authparams['users_base_dn'])) { $udn = $udn . "," . $authparams['users_base_dn']; }
- else { $udn = $udn . "," . $authparams['base_dn']; }
+ // get DN from directory
+ $dn_authparams = $authparams;
+ if (!empty($authparams['users_base_dn'])) { $dn_authparams['base_dn'] = $authparams['users_base_dn']; }
+ $adldap = $this->directory_connect($dn_authparams);
+ $dn_user = $adldap->user()->info($username, array("cn"), false, 'LDAP');
+ if (!empty($dn_user[0]["dn"])) {
+ $udn = $dn_user[0]["dn"];
+ }
+
+ if (empty($udn)) {
+ // set uid
+ if (!empty($authparams['uid_attr'])) { $udn = $authparams['uid_attr'] . '=' . $username; }
+ else { $udn = 'uid=' . $username; }
+ // set DN
+ if (!empty($authparams['users_base_dn'])) { $udn = $udn . "," . $authparams['users_base_dn']; }
+ else { $udn = $udn . "," . $authparams['base_dn']; }
+ }
 // authenticate
 $this->directory_authenticate($authparams, $udn, $password);
 }
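Review bot: `$username` is passed unescaped into the search filter that `$adldap->user()->info()` builds, so unless that adLDAP version escapes it itself, filter metacharacters in the submitted name can change which entry is returned and whose DN is then bound with the supplied password; escape it first, `$dn_user = $adldap->user()->info(ldap_escape($username, '', LDAP_ESCAPE_FILTER), array("cn"), false, 'LDAP');`. The code also takes `$dn_user[0]["dn"]` without checking that exactly one entry matched; if `info()` returns the raw `ldap_get_entries()` array, its `count` key can be required to equal 1 before the DN is accepted, otherwise the fallback path should be used. The lookup connection in `$adldap` is never closed before `directory_authenticate()` presumably opens its own, and an empty `$password` would make the later simple bind an unauthenticated bind on many servers — neither is guarded in this hunk, so confirm `directory_authenticate()` rejects an empty password. auth_LDAP's signature is above the hunk; its closing brace is the last hunk line.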