Joomla: Add LDAP autocreate plugin support

- Introduced autocreate_users feature flag in config/main.yml - Added ldapautocreate.php and ldapautocreate.xml plugin files - Implemented tasks/01_ldap_files.yml for plugin deployment - Added tasks/05_ldap.yml to configure LDAP plugin and register ldapautocreate - Renamed tasks for better structure (01→02, 02→03, etc.) - Updated cli-ldap.php.j2 for clean parameter handling - Mounted ldapautocreate plugin via docker-compose.yml.j2 - Extended vars/main.yml with LDAP autocreate configuration Ref: https://chatgpt.com/share/68b0802f-bfd4-800f-b10a-57cf0c091f7e
2025-08-30 15:28:12 +02:00 · 2025-08-28 18:13:53 +02:00
parent 18f3b1042f
commit ef801aa498
15 changed files with 326 additions and 119 deletions
--- a/roles/web-app-joomla/files/ldapautocreate.php
+++ b/roles/web-app-joomla/files/ldapautocreate.php
@@ -0,0 +1,108 @@
+<?php
+/**
+ * System plugin that auto-creates a Joomla user after successful LDAP authentication.
+ * It reads the LDAP Auth plugin params from #__extensions (folder=authentication, element=ldap),
+ * looks up cn/mail for the authenticated uid, and creates a local Joomla user if missing.
+ */
+
+defined('_JEXEC') || die;
+
+use Joomla\CMS\Factory;
+use Joomla\CMS\Plugin\CMSPlugin;
+use Joomla\CMS\User\User;
+use Joomla\Database\DatabaseDriver;
+use Joomla\Authentication\Authentication;
+
+class PlgSystemLdapautocreate extends CMSPlugin
+{
+    protected $app;
+
+    /**
+     * Runs after authentication handlers; fires for both frontend and backend.
+     * @param array $options Contains 'username' and more after auth
+     * @return void
+     */
+    public function onUserAfterAuthenticate($options, $response)
+    {
+        // Only proceed on success
+        if (($response->status ?? null) !== Authentication::STATUS_SUCCESS) {
+            return;
+        }
+
+        $username = $response->username ?? $options['username'] ?? null;
+        if (!$username) {
+            return;
+        }
+
+        /** @var DatabaseDriver $dbo */
+        $dbo = Factory::getDbo();
+
+        // If user already exists locally, nothing to do
+        $exists = (int) $dbo->setQuery(
+            $dbo->getQuery(true)
+                ->select('COUNT(*)')
+                ->from($dbo->quoteName('#__users'))
+                ->where($dbo->quoteName('username') . ' = ' . $dbo->quote($username))
+        )->loadResult();
+
+        if ($exists) {
+            return;
+        }
+
+        // Read LDAP Auth plugin params to connect (the ones we configured via cli-ldap.php)
+        $ldapExt = $dbo->setQuery(
+            $dbo->getQuery(true)
+                ->select('*')
+                ->from($dbo->quoteName('#__extensions'))
+                ->where($dbo->quoteName('type') . " = 'plugin'")
+                ->where($dbo->quoteName('folder') . " = 'authentication'")
+                ->where($dbo->quoteName('element') . " = 'ldap'")
+        )->loadObject();
+
+        if (!$ldapExt) {
+            return; // LDAP plugin not found; bail out silently
+        }
+
+        $p = json_decode($ldapExt->params ?: "{}", true) ?: [];
+        $host   = $p['host'] ?? 'openldap';
+        $port   = (int) ($p['port'] ?? 389);
+        $baseDn = $p['base_dn'] ?? '';
+        $bindDn = $p['username'] ?? '';
+        $bindPw = $p['password'] ?? '';
+        $attrUid = $p['ldap_uid'] ?? 'uid';
+        $attrMail = $p['ldap_email'] ?? 'mail';
+        $attrName = $p['ldap_fullname'] ?? 'cn';
+
+        // Look up user in LDAP to fetch name/email
+        $ds = @ldap_connect($host, $port);
+        if (!$ds) { return; }
+        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
+        @ldap_bind($ds, $bindDn, $bindPw);
+
+        $filter = sprintf('(%s=%s)', $attrUid, ldap_escape($username, '', LDAP_ESCAPE_FILTER));
+        $sr = @ldap_search($ds, $baseDn, $filter, [$attrName, $attrMail]);
+        $entry = $sr ? @ldap_first_entry($ds, $sr) : null;
+
+        $name  = $entry ? (@ldap_get_values($ds, $entry, $attrName)[0] ?? $username) : $username;
+        $email = $entry ? (@ldap_get_values($ds, $entry, $attrMail)[0] ?? ($username.'@example.invalid')) : ($username.'@example.invalid');
+
+        if ($ds) { @ldap_unbind($ds); }
+
+        // Create Joomla user (Registered group id=2)
+        $data = [
+            'name'     => $name,
+            'username' => $username,
+            'email'    => $email,
+            // Password is irrelevant for LDAP; set a random one
+            'password' => bin2hex(random_bytes(12)),
+            'block'    => 0,
+            'groups'   => [2],
+        ];
+
+        $user = new User;
+        if (!$user->bind($data)) {
+            return;
+        }
+        $user->save();
+    }
+}