kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-08-30 23:38:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Remove non-functional Joomla LDAP integration

Browse Source 
- Disabled LDAP feature flag (set to false by default, with comment)
- Removed ldapautocreate plugin (PHP + XML)
- Deleted LDAP helper tasks (01_ldap_files.yml, 05_ldap.yml, 07_diagnose.yml)
- Deleted LDAP CLI helper scripts (cli.php, diagnose.php, plugins.php, auth-trace.php)
- Removed LDAP configuration variables from vars/main.yml
- Removed LDAP environment variables from env.j2
- Removed LDAP-specific mounts from docker-compose.yml.j2
- Dropped php-ldap installation from Dockerfile
- Renamed task files for consistent numbering (02->01_install, 03->02_debug, 04->03_patch, 06->04_assert)

Reason: LDAP integration was removed because it was not functional.

Conversation: https://chatgpt.com/share/68b09373-7aa8-800f-8f2c-11e27123bad1
This commit is contained in:
Kevin Veen-Birkenbach
2025-08-28 19:36:12 +02:00
parent fe399c3967
commit 9f2cfe65af
19 changed files with 15 additions and 947 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
roles/web-app-joomla/templates/Dockerfile.j2
View File

@@ -1,15 +1 @@
FROM {{ JOOMLA_IMAGE }}:{{ JOOMLA_VERSION }}
{% if JOOMLA_LDAP_ENABLED %}
ENV DEBIAN_FRONTEND=noninteractive
RUN set -eux; \
apt-get update; \
PHPV="$(php -r 'echo PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')" || PHPV=""; \
apt-get install -y --no-install-recommends "php${PHPV}-ldap" \
|| ( \
apt-get install -y --no-install-recommends libldap2-dev libsasl2-dev pkg-config; \
docker-php-ext-configure ldap --with-ldap=/usr --with-ldap-sasl=/usr \
|| docker-php-ext-configure ldap --with-ldap=/usr; \
docker-php-ext-install -j"$(nproc)" ldap \
); \
rm -rf /var/lib/apt/lists/*
{% endif %}

11
roles/web-app-joomla/templates/docker-compose.yml.j2
View File

@@ -9,17 +9,6 @@
{% include 'roles/docker-container/templates/base.yml.j2' %}
volumes:
- data:/var/www/html
{% if JOOMLA_LDAP_ENABLED %}
- {{ JOOMLA_LDAP_CONF_FILE }}:/var/www/html/cli/cli-ldap.php:ro
{% if JOOMLA_LDAP_AUTO_CREATE_ENABLED | bool %}
- {{ JOOMLA_LDAP_AUT_CRT_HOST_DIR }}:{{ JOOMLA_LDAP_AUT_CRT_DOCK_DIR }}:ro
{% endif %}
{% if MODE_DEBUG | bool %}
- {{ JOOMLA_LDAP_DIAG_HOST_FILE }}:{{ JOOMLA_LDAP_DIAG_DOCK_FILE }}:ro
- {{ docker_compose.directories.volumes }}/cli-plugins.php:/var/www/html/cli/cli-plugins.php:ro
- {{ docker_compose.directories.volumes }}/cli-ldap-auth-trace.php:/var/www/html/cli/ldap-auth-trace.php:ro
{% endif %}
{% endif %}
ports:
- "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}"
{% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}

21
roles/web-app-joomla/templates/env.j2
View File

@@ -12,24 +12,3 @@ JOOMLA_DB_PASSWORD={{ database_password }}
JOOMLA_DB_NAME={{ database_name }}
JOOMLA_DB_TYPE={{ JOOMLA_DB_CONNECTOR }}
{% endif %}
{% if JOOMLA_LDAP_ENABLED %}
# LDAP
JOOMLA_LDAP_AUTOCREATE_LOG={{ MODE_DEBUG | ternary('1','') }}
JOOMLA_LDAP_HOST={{ JOOMLA_LDAP_HOST }}
JOOMLA_LDAP_PORT={{ JOOMLA_LDAP_PORT }}
JOOMLA_LDAP_BASE_DN={{ JOOMLA_LDAP_BASE_DN }}
JOOMLA_LDAP_USER_TREE_DN={{ JOOMLA_LDAP_USER_TREE_DN }}
JOOMLA_LDAP_GROUP_TREE_DN={{ JOOMLA_LDAP_GROUP_TREE_DN }}
JOOMLA_LDAP_UID_ATTR={{ JOOMLA_LDAP_UID_ATTR }}
JOOMLA_LDAP_EMAIL_ATTR={{ JOOMLA_LDAP_EMAIL_ATTR }}
JOOMLA_LDAP_NAME_ATTR={{ JOOMLA_LDAP_NAME_ATTR }}
JOOMLA_LDAP_BIND_DN={{ JOOMLA_LDAP_BIND_DN }}
JOOMLA_LDAP_BIND_PASSWORD={{ JOOMLA_LDAP_BIND_PASSWORD }}
JOOMLA_LDAP_USE_STARTTLS={{ JOOMLA_LDAP_USE_STARTTLS | ternary('1','') }}
JOOMLA_LDAP_IGNORE_CERT={{ JOOMLA_LDAP_IGNORE_CERT | ternary('1','') }}
JOOMLA_LDAP_MAP_FULLNAME={{ JOOMLA_LDAP_MAP_FULLNAME | ternary('1','') }}
JOOMLA_LDAP_MAP_EMAIL={{ JOOMLA_LDAP_MAP_EMAIL | ternary('1','') }}
JOOMLA_LDAP_AUTH_METHOD={{ JOOMLA_LDAP_AUTH_METHOD }}
JOOMLA_LDAP_USER_SEARCH_STRING={{ JOOMLA_LDAP_USER_SEARCH_STRING }}
{% endif %}

242
roles/web-app-joomla/templates/ldap/auth-trace.php.j2
View File

@@ -1,242 +0,0 @@
<?php
/**
* CLI: LDAP auth trace (plugin-accurate, without booting Joomla plugins)
*
* This script reads Joomla's "Authentication - LDAP" plugin parameters from #__extensions
* and then performs the same login flow the plugin would:
* - Connect → optional StartTLS → bind (service) → search user → bind as user with given password
*
* Usage:
* php /var/www/html/cli/ldap-auth-trace.php --username <u> --password '<p>' [--json]
*
* Exit codes:
* 0 = authentication SUCCESS
* 1 = authentication FAILED (see messages)
* 2 = usage error
* 3 = LDAP plugin row not found / misconfigured
* 4 = PHP ldap extension missing
*
* Notes:
* - This bypasses Joomla plugin boot issues in CLI and gives precise LDAP errors.
* - Honors LDAP plugin params + ENV overrides (same names as your role uses).
*/
define('_JEXEC', 1);
define('JPATH_BASE', __DIR__ . '/..');
// Bootstrap minimal Joomla DB access (no need to boot Site/CMS app)
require JPATH_BASE . '/includes/defines.php';
require JPATH_BASE . '/includes/framework.php';
ini_set('display_errors', '1');
error_reporting(E_ALL);
use Joomla\CMS\Factory;
function getenv_clean(string $key, $default = null) {
$v = getenv($key);
if ($v === false || $v === '') return $default;
return preg_replace('/^(["\'])(.*)\1$/', '$2', $v);
}
function outln($msg) { echo $msg . "\n"; }
function result($ok, $label, $detail = null) {
$prefix = $ok ? '[OK] ' : '[ERR] ';
echo $prefix . $label . ($detail !== null ? " — $detail" : '') . "\n";
}
/**
* Attempt a full LDAP auth:
* - connect (host:port)
* - optional StartTLS (negotiate_tls)
* - service bind (admin)
* - lookup DN (search or users_dn template)
* - user bind with provided password
*/
function ldap_auth_flow(array $cfg, string $username, string $password, bool $asJson): int
{
$report = [
'connect' => null,
'starttls' => null,
'serviceBind' => null,
'userSearch' => null,
'userBind' => null,
'dn' => null,
'messages' => [],
];
if (!extension_loaded('ldap')) {
$msg = 'PHP LDAP extension not loaded';
if ($asJson) echo json_encode(['error' => $msg], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "\n";
else result(false, $msg);
return 4;
}
// Connect
$ds = @ldap_connect($cfg['host'], $cfg['port']);
if (!$ds) {
$report['connect'] = false;
$report['messages'][] = "ldap_connect failed to {$cfg['host']}:{$cfg['port']}";
return emit($report, $asJson);
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);
$report['connect'] = true;
// StartTLS if configured
if ($cfg['use_tls']) {
if (@ldap_start_tls($ds)) {
$report['starttls'] = true;
} else {
$report['starttls'] = false;
$report['messages'][] = 'StartTLS failed: ' . ldap_error($ds);
return emit($report, $asJson, $ds);
}
} else {
$report['starttls'] = null; // not requested
}
// Service/admin bind (may be empty for anonymous)
$serviceBound = @ldap_bind($ds, $cfg['bind_dn'], $cfg['bind_pw']);
if (!$serviceBound) {
$report['serviceBind'] = false;
$report['messages'][] = 'Service bind failed: ' . ldap_error($ds) . sprintf(" (bind_dn=%s)", $cfg['bind_dn'] ?: '(anonymous)');
return emit($report, $asJson, $ds);
}
$report['serviceBind'] = true;
// Resolve user DN
$userDn = null;
if (strtolower($cfg['auth_method']) === 'bind') {
// Direct template substitution (no search)
$userDn = str_replace(['[username]', '[USER]', '[uid]'], $username, $cfg['users_dn']);
$report['userSearch'] = 'skipped (bind mode)';
} else {
// search mode: find DN first
$filter = sprintf('(%s=%s)', $cfg['uid_attr'], ldap_escape($username, '', LDAP_ESCAPE_FILTER));
$sr = @ldap_search($ds, $cfg['base_dn'], $filter, [$cfg['name_attr'], $cfg['mail_attr']]);
if (!$sr) {
$report['userSearch'] = false;
$report['messages'][] = 'Search failed: ' . ldap_error($ds) . " (base_dn={$cfg['base_dn']}, filter={$filter})";
return emit($report, $asJson, $ds);
}
$entries = @ldap_get_entries($ds, $sr);
$count = (int)($entries['count'] ?? 0);
if ($count < 1) {
$report['userSearch'] = false;
$report['messages'][] = "User not found under base_dn={$cfg['base_dn']} with {$cfg['uid_attr']}={$username}";
return emit($report, $asJson, $ds);
}
$userDn = $entries[0]['dn'] ?? null;
$report['userSearch'] = true;
}
if (!$userDn) {
$report['messages'][] = 'No user DN resolved.';
return emit($report, $asJson, $ds);
}
$report['dn'] = $userDn;
// Attempt user bind with provided password
$ok = @ldap_bind($ds, $userDn, $password);
if ($ok) {
$report['userBind'] = true;
return emit($report, $asJson, $ds, /*success*/true);
} else {
$report['userBind'] = false;
$report['messages'][] = 'User bind failed: ' . ldap_error($ds);
return emit($report, $asJson, $ds);
}
}
function emit(array $report, bool $asJson, $ds = null, bool $success = false): int
{
if ($asJson) {
echo json_encode($report, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "\n";
} else {
if ($report['connect'] !== null) result((bool)$report['connect'], 'Connected');
if ($report['starttls'] !== null) result((bool)$report['starttls'], 'StartTLS');
if ($report['serviceBind'] !== null) result((bool)$report['serviceBind'], 'Service bind');
if ($report['userSearch'] !== null && $report['userSearch'] !== 'skipped (bind mode)') {
result((bool)$report['userSearch'], 'User search');
} elseif ($report['userSearch'] === 'skipped (bind mode)') {
outln('Info User search: skipped (bind mode)');
}
if ($report['dn']) outln('Info User DN: ' . $report['dn']);
if ($report['userBind'] !== null) result((bool)$report['userBind'], 'User bind');
foreach ($report['messages'] as $m) {
outln('Note ' . $m);
}
outln($success ? 'Overall: SUCCESS' : 'Overall: FAIL');
}
if ($ds) { @ldap_unbind($ds); }
return $success ? 0 : 1;
}
// ------ Parse CLI args ------
$args = getopt('', ['username:', 'password:', 'json']);
$username = $args['username'] ?? null;
$password = $args['password'] ?? null;
$asJson = array_key_exists('json', $args);
if (!$username || $password === null) {
fwrite(STDERR, "Usage: --username <u> --password '<p>' [--json]\n");
exit(2);
}
// ------ Load LDAP plugin params from DB ------
$dbo = Factory::getDbo();
$q = $dbo->getQuery(true)
->select('*')
->from($dbo->quoteName('#__extensions'))
->where($dbo->quoteName('type') . ' = ' . $dbo->quote('plugin'))
->where($dbo->quoteName('folder') . ' = ' . $dbo->quote('authentication'))
->where($dbo->quoteName('element') . ' = ' . $dbo->quote('ldap'));
$dbo->setQuery($q);
$ext = $dbo->loadObject();
if (!$ext) {
if ($asJson) echo json_encode(['error' => 'LDAP plugin row not found in #__extensions'], JSON_PRETTY_PRINT) . "\n";
else result(false, 'LDAP plugin not found in #__extensions (authentication/ldap)');
exit(3);
}
$params = json_decode($ext->params ?: "{}", true) ?: [];
// Effective config with ENV overrides (matches your role variables)
$cfg = [
'host' => getenv_clean('JOOMLA_LDAP_HOST', $params['host'] ?? 'openldap'),
'port' => (int) getenv_clean('JOOMLA_LDAP_PORT', (string)($params['port'] ?? 389)),
'base_dn' => getenv_clean('JOOMLA_LDAP_BASE_DN', $params['base_dn'] ?? ''),
'users_dn' => getenv_clean('JOOMLA_LDAP_USER_TREE_DN', $params['users_dn'] ?? ''),
'bind_dn' => getenv_clean('JOOMLA_LDAP_BIND_DN', $params['username'] ?? ''),
'bind_pw' => getenv_clean('JOOMLA_LDAP_BIND_PASSWORD', $params['password'] ?? ''),
'use_tls' => filter_var(getenv_clean('JOOMLA_LDAP_USE_STARTTLS', $params['negotiate_tls'] ?? false), FILTER_VALIDATE_BOOL),
'auth_method' => getenv_clean('JOOMLA_LDAP_AUTH_METHOD', $params['auth_method'] ?? 'search'),
'search_string' => getenv_clean('JOOMLA_LDAP_USER_SEARCH_STRING', $params['search_string'] ?? 'uid=[username]'),
'uid_attr' => getenv_clean('JOOMLA_LDAP_UID_ATTR', $params['ldap_uid'] ?? 'uid'),
'mail_attr' => getenv_clean('JOOMLA_LDAP_EMAIL_ATTR', $params['ldap_email'] ?? 'mail'),
'name_attr' => getenv_clean('JOOMLA_LDAP_NAME_ATTR', $params['ldap_fullname'] ?? 'cn'),
];
// Print effective config (non-JSON mode) with masked password
if (!$asJson) {
outln('Effective LDAP configuration:');
outln(' host: ' . $cfg['host']);
outln(' port: ' . $cfg['port']);
outln(' base_dn: ' . $cfg['base_dn']);
outln(' users_dn: ' . $cfg['users_dn']);
outln(' bind_dn: ' . ($cfg['bind_dn'] ?: '(anonymous)'));
outln(' bind_pw: ' . ($cfg['bind_pw'] !== '' ? '***' : ''));
outln(' use_tls: ' . ($cfg['use_tls'] ? '1' : ''));
outln(' auth_method: ' . $cfg['auth_method']);
outln(' uid_attr: ' . $cfg['uid_attr']);
}
// Run the flow
exit( ldap_auth_flow($cfg, $username, $password, $asJson) );

68
roles/web-app-joomla/templates/ldap/cli.php.j2
View File

@@ -1,68 +0,0 @@
<?php
// Joomla CLI script to enable and configure the Authentication - LDAP plugin.
// Safe to run multiple times. Uses only Factory::getDbo() (no web/administrator app context required).
define('_JEXEC', 1);
define('JPATH_BASE', __DIR__ . '/..');
// Load Joomla framework
require JPATH_BASE . '/includes/defines.php';
require JPATH_BASE . '/includes/framework.php';
use Joomla\CMS\Factory;
// Database driver from Factory
$dbo = Factory::getDbo();
// Locate the LDAP plugin row in #__extensions
$query = $dbo->getQuery(true)
->select('*')
->from($dbo->quoteName('#__extensions'))
->where($dbo->quoteName('type') . ' = ' . $dbo->quote('plugin'))
->where($dbo->quoteName('folder') . ' = ' . $dbo->quote('authentication'))
->where($dbo->quoteName('element') . ' = ' . $dbo->quote('ldap'));
$dbo->setQuery($query);
$ext = $dbo->loadObject();
if (!$ext) {
fwrite(STDERR, "LDAP plugin not found.\n");
exit(2);
}
// Helper to strip quotes if present in env-file values
$get = static fn($k) => preg_replace('/^(["\'])(.*)\1$/', '$2', getenv($k) ?: '');
// Desired plugin parameters (must match Joomla LDAP plugin schema)
$desired = [
// Connection settings
"host" => $get('JOOMLA_LDAP_HOST'),
"port" => (int) $get('JOOMLA_LDAP_PORT'),
"use_ldapV3" => true,
"negotiate_tls" => (bool) $get('JOOMLA_LDAP_USE_STARTTLS'),
"no_referrals" => false,
// Authentication settings
"auth_method" => $get('JOOMLA_LDAP_AUTH_METHOD') ?: "search", // "search" or "bind"
"base_dn" => $get('JOOMLA_LDAP_BASE_DN'),
"search_string" => $get('JOOMLA_LDAP_USER_SEARCH_STRING'), // e.g. uid=[username]
"users_dn" => $get('JOOMLA_LDAP_USER_TREE_DN'), // required for "bind" mode
"username" => $get('JOOMLA_LDAP_BIND_DN'),
"password" => $get('JOOMLA_LDAP_BIND_PASSWORD'),
// Attribute mapping
"ldap_uid" => $get('JOOMLA_LDAP_UID_ATTR') ?: "uid",
"ldap_email" => $get('JOOMLA_LDAP_EMAIL_ATTR') ?: "mail",
"ldap_fullname" => $get('JOOMLA_LDAP_NAME_ATTR') ?: "cn",
];
// Merge current parameters with desired values
$current = json_decode($ext->params ?: "{}", true) ?: [];
$clean = array_filter($desired, static fn($v) => $v !== null && $v !== '');
$merged = array_replace($current, $clean);
// Save back to database and enable the plugin
$ext->params = json_encode($merged, JSON_UNESCAPED_SLASHES);
$ext->enabled = 1;
$dbo->updateObject('#__extensions', $ext, 'extension_id');
echo "LDAP plugin enabled={$ext->enabled} and configured.\n";

194
roles/web-app-joomla/templates/ldap/diagnose.php.j2
View File

@@ -1,194 +0,0 @@
<?php
/**
* Joomla LDAP Diagnostic CLI
*
* Usage inside the container:
* php /var/www/html/cli/ldap-diagnose.php --username <uid> [--verbose]
*
* Behavior:
* - Loads the "Authentication - LDAP" plugin parameters from #__extensions.
* - Allows ENV overrides for any LDAP setting (see list below).
* - Checks step-by-step: PHP-LDAP → connect → (optional) StartTLS → bind → search → read attributes.
* - Optionally previews the candidate DN for user-bind when auth_method=bind (no password tested).
*
* Supported ENV overrides (optional):
* JOOMLA_LDAP_HOST
* JOOMLA_LDAP_PORT
* JOOMLA_LDAP_BASE_DN
* JOOMLA_LDAP_USER_TREE_DN
* JOOMLA_LDAP_BIND_DN
* JOOMLA_LDAP_BIND_PASSWORD
* JOOMLA_LDAP_USE_STARTTLS (true/false)
* JOOMLA_LDAP_AUTH_METHOD ("search" or "bind")
* JOOMLA_LDAP_USER_SEARCH_STRING (e.g., "uid=[username]")
* JOOMLA_LDAP_UID_ATTR (e.g., "uid")
* JOOMLA_LDAP_EMAIL_ATTR (e.g., "mail")
* JOOMLA_LDAP_NAME_ATTR (e.g., "cn")
* TEST_USERNAME (fallback if --username is not passed)
*/
define('_JEXEC', 1);
define('JPATH_BASE', __DIR__ . '/..');
require JPATH_BASE . '/includes/defines.php';
require JPATH_BASE . '/includes/framework.php';
use Joomla\CMS\Factory;
function println($msg, ?bool $ok = null, int $indent = 0): void {
$pad = str_repeat(' ', $indent);
if ($ok === true) {
echo $pad . "[OK] $msg\n";
} elseif ($ok === false) {
echo $pad . "[ERR] $msg\n";
} else {
echo $pad . "$msg\n";
}
}
function getenv_clean(string $key, $default = null) {
$v = getenv($key);
if ($v === false || $v === '') return $default;
// Strip surrounding single/double quotes if present
return preg_replace('/^(["\'])(.*)\1$/', '$2', $v);
}
function env_bool($key, $default = false): bool {
$v = getenv_clean($key, null);
if ($v === null) return (bool)$default;
return filter_var($v, FILTER_VALIDATE_BOOL);
}
// ---- CLI args
$args = getopt('', ['username:', 'verbose']);
$username = $args['username'] ?? getenv_clean('TEST_USERNAME', null);
$verbose = array_key_exists('verbose', $args);
// ---- Preflight: php-ldap
if (!extension_loaded('ldap')) {
println('PHP LDAP extension not loaded (php-ldap missing in the image).', false);
exit(1);
}
println('PHP LDAP extension: loaded', true);
// ---- Load LDAP plugin params from DB
$dbo = Factory::getDbo();
$q = $dbo->getQuery(true)
->select('*')
->from($dbo->quoteName('#__extensions'))
->where($dbo->quoteName('type') . ' = ' . $dbo->quote('plugin'))
->where($dbo->quoteName('folder') . ' = ' . $dbo->quote('authentication'))
->where($dbo->quoteName('element') . ' = ' . $dbo->quote('ldap'));
$dbo->setQuery($q);
$ext = $dbo->loadObject();
if (!$ext) {
println('LDAP plugin row not found in #__extensions (authentication/ldap).', false);
exit(2);
}
$params = json_decode($ext->params ?: "{}", true) ?: [];
// ---- Effective config (DB params with ENV overrides)
$cfg = [
'host' => getenv_clean('JOOMLA_LDAP_HOST', $params['host'] ?? 'openldap'),
'port' => (int) getenv_clean('JOOMLA_LDAP_PORT', (string)($params['port'] ?? 389)),
'base_dn' => getenv_clean('JOOMLA_LDAP_BASE_DN', $params['base_dn'] ?? ''),
'users_dn' => getenv_clean('JOOMLA_LDAP_USER_TREE_DN', $params['users_dn'] ?? ''),
'bind_dn' => getenv_clean('JOOMLA_LDAP_BIND_DN', $params['username'] ?? ''),
'bind_pw' => getenv_clean('JOOMLA_LDAP_BIND_PASSWORD', $params['password'] ?? ''),
'use_tls' => env_bool('JOOMLA_LDAP_USE_STARTTLS', $params['negotiate_tls'] ?? false),
'auth_method' => getenv_clean('JOOMLA_LDAP_AUTH_METHOD', $params['auth_method'] ?? 'search'),
'search_string' => getenv_clean('JOOMLA_LDAP_USER_SEARCH_STRING', $params['search_string'] ?? 'uid=[username]'),
'uid_attr' => getenv_clean('JOOMLA_LDAP_UID_ATTR', $params['ldap_uid'] ?? 'uid'),
'mail_attr' => getenv_clean('JOOMLA_LDAP_EMAIL_ATTR', $params['ldap_email'] ?? 'mail'),
'name_attr' => getenv_clean('JOOMLA_LDAP_NAME_ATTR', $params['ldap_fullname'] ?? 'cn'),
];
if (!$username) {
println('Missing username. Provide --username <uid> or set TEST_USERNAME.', false);
exit(3);
}
// ---- Print effective config (mask password)
$cfg_to_show = $cfg;
$cfg_to_show['bind_pw'] = ($cfg['bind_pw'] !== '') ? '***' : '';
println('Effective LDAP configuration:');
foreach ($cfg_to_show as $k => $v) {
println("$k: $v", null, 1);
}
// ---- Connect
$ds = @ldap_connect($cfg['host'], $cfg['port']);
if (!$ds) {
println("ldap_connect to {$cfg['host']}:{$cfg['port']} failed.", false);
exit(4);
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);
println("ldap_connect to {$cfg['host']}:{$cfg['port']}", true);
// ---- Optional StartTLS
if ($cfg['use_tls']) {
if (@ldap_start_tls($ds)) {
println('StartTLS negotiated', true);
} else {
println('StartTLS failed: ' . ldap_error($ds), false);
exit(5);
}
} else {
println('StartTLS: disabled');
}
// ---- Service/Admin bind
if ($cfg['bind_dn'] !== '') {
if (@ldap_bind($ds, $cfg['bind_dn'], $cfg['bind_pw'])) {
println("Bind as {$cfg['bind_dn']}", true);
} else {
println("Bind failed for {$cfg['bind_dn']}: " . ldap_error($ds), false);
exit(6);
}
} else {
// Anonymous bind
if (@ldap_bind($ds)) {
println('Anonymous bind', true);
} else {
println('Anonymous bind failed: ' . ldap_error($ds), false);
exit(6);
}
}
// ---- Search user entry
$filter = sprintf('(%s=%s)', $cfg['uid_attr'], ldap_escape($username, '', LDAP_ESCAPE_FILTER));
$attrs = [$cfg['uid_attr'], $cfg['mail_attr'], $cfg['name_attr']];
$sr = @ldap_search($ds, $cfg['base_dn'], $filter, $attrs);
if (!$sr) {
println("Search failed under base_dn={$cfg['base_dn']} filter={$filter}: " . ldap_error($ds), false);
exit(7);
}
$entries = @ldap_get_entries($ds, $sr);
$count = (int)($entries['count'] ?? 0);
println("Search entries returned: $count", $count > 0);
if ($count < 1) {
println('No entry found. Check base_dn, uid_attr, filter, and where the user actually lives.', false, 1);
@ldap_unbind($ds);
exit(8);
}
// ---- Print first entry summary
$dn = $entries[0]['dn'] ?? '(unknown DN)';
$name = $entries[0][strtolower($cfg['name_attr'])][0] ?? '(missing name attribute)';
$mail = $entries[0][strtolower($cfg['mail_attr'])][0] ?? '(missing mail attribute)';
println("Found DN: $dn", true, 1);
println("Name: $name", null, 1);
println("Mail: $mail", null, 1);
// ---- If auth_method=bind, preview candidate DN (no password test here)
if (strtolower($cfg['auth_method']) === 'bind') {
$candidate = str_replace(['[username]', '[USER]', '[uid]'], $username, $cfg['users_dn']);
println("auth_method=bind → candidate DN for user-bind: $candidate");
println("Note: This script does not attempt the real user password bind.", null, 1);
}
@ldap_unbind($ds);
println('Diagnosis finished: basic LDAP connectivity and search are OK.', true);
exit(0);

59
roles/web-app-joomla/templates/ldap/plugins.php.j2
View File

@@ -1,59 +0,0 @@
<?php
/**
* Joomla CLI: List plugin states from #__extensions
*
* Usage:
* php /var/www/html/cli/cli-plugins.php [filter]
*
* Example:
* php cli-plugins.php ldap
* php cli-plugins.php authentication
*/
define('_JEXEC', 1);
define('JPATH_BASE', __DIR__ . '/..');
require JPATH_BASE . '/includes/defines.php';
require JPATH_BASE . '/includes/framework.php';
use Joomla\CMS\Factory;
$dbo = Factory::getDbo();
// Optional filter argument
$filter = $argv[1] ?? null;
// Build query
$query = $dbo->getQuery(true)
->select('*')
->from($dbo->quoteName('#__extensions'))
->where($dbo->quoteName('type') . ' = ' . $dbo->quote('plugin'));
if ($filter) {
$query->where(
'(' .
$dbo->quoteName('element') . ' LIKE ' . $dbo->quote("%$filter%") . ' OR ' .
$dbo->quoteName('folder') . ' LIKE ' . $dbo->quote("%$filter%") .
')'
);
}
$dbo->setQuery($query);
$rows = $dbo->loadObjectList();
if (!$rows) {
echo "No plugins found.\n";
exit(0);
}
foreach ($rows as $row) {
printf(
"[%s/%s] enabled=%d ordering=%d access=%d\n params=%s\n\n",
$row->folder,
$row->element,
$row->enabled,
$row->ordering,
$row->access,
$row->params ?: '{}'
);
}