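/** Import or synchronize one user from a specific LDAP server
  *
  * @param $params       array of parameters: 'method' (IDENTIFIER_LOGIN or IDENTIFIER_EMAIL)
  *                      and 'value' (the login or e-mail to look up); slashes are stripped
  *                      before use
  * @param $action       compared against self::ACTION_IMPORT: import when equal,
  *                      synchronize an existing GLPI user otherwise
  * @param $ldap_server  ID of the LDAP server (glpi_authldaps row) to use
  * @param $display      add a display flag ('add' / 'update') to the user input so a
  *                      message is shown after redirect (false by default)
  *
  * @return array|boolean array('action' => self::USER_IMPORTED | self::USER_SYNCHRONIZED
  *                       | self::USER_DELETED_LDAP, 'id' => users_id) when something was
  *                       done; false when the parameters are incomplete, the server is
  *                       unknown or unreachable, or the entry could not be read / imported
  **/
 static function ldapImportUserByServerId($params, $action, $ldap_server, $display = false)
 {
     // One directory connection per server id, reused across calls of the same request
     static $conn_cache = array();

     $params = Toolbox::stripslashes_deep($params);
     // Both search keys are mandatory: fail early rather than searching on undefined indexes
     if (!isset($params['method']) || !isset($params['value'])) {
         return false;
     }

     $config_ldap = new self();
     // Unknown server: nothing to do
     if (!$config_ldap->getFromDB($ldap_server)) {
         return false;
     }

     // Connect to the directory, or reuse the cached connection
     $ds = isset($conn_cache[$ldap_server]) ? $conn_cache[$ldap_server] : $config_ldap->connect();
     if (!$ds) {
         return false;
     }
     $conn_cache[$ldap_server] = $ds;

     // Which directory attribute the lookup value is matched against
     $search_parameters = array();
     $search_parameters['method'] = $params['method'];
     $search_parameters['fields'][self::IDENTIFIER_LOGIN] = $config_ldap->fields['login_field'];
     if ($params['method'] == self::IDENTIFIER_EMAIL) {
         $search_parameters['fields'][self::IDENTIFIER_EMAIL] = $config_ldap->fields['email1_field'];
     }

     // Get the user's dn & login; $params['value'] ends up in the search filter
     // (presumably escaped inside searchUserDn — confirm)
     $attribs = array('basedn' => $config_ldap->fields['basedn'], 'login_field' => $search_parameters['fields'][$search_parameters['method']], 'search_parameters' => $search_parameters, 'user_params' => $params, 'condition' => $config_ldap->fields['condition']);
     $infos = self::searchUserDn($ds, $attribs);

     if ($infos && $infos['dn']) {
         $user_dn = $infos['dn'];
         $login = $infos[$config_ldap->fields['login_field']];
         $user = new User();
         // Read the entry from LDAP; last argument presumably asks for import defaults — confirm
         if (!$user->getFromLDAP($ds, $config_ldap->fields, $user_dn, addslashes($login), $action == self::ACTION_IMPORT)) {
             return false;
         }
         // Force date sync and mark the account as still present in the directory
         $user->fields["date_sync"] = $_SESSION["glpi_currenttime"];
         $user->fields['is_deleted_ldap'] = 0;

         if ($action == self::ACTION_IMPORT) {
             // Record the auth method and the server the account came from
             $user->fields["authtype"] = Auth::LDAP;
             $user->fields["auths_id"] = $ldap_server;
             // Save information in database
             $input = $user->fields;
             // Display message after redirect
             if ($display) {
                 $input['add'] = 1;
             }
             $user->fields["id"] = $user->add($input);
             return array('action' => self::USER_IMPORTED, 'id' => $user->fields["id"]);
         }

         // Synchronization: find the existing GLPI user by name first, then by dn
         // (covers a login that changed in the directory)
         $input = $user->fields;
         $id = User::getIdByfield('name', $login);
         if (!$id) {
             $id = User::getIdByfield('user_dn', $user_dn);
         }
         $input['id'] = $id;
         if ($display) {
             $input['update'] = 1;
         }
         $user->update($input);
         return array('action' => self::USER_SYNCHRONIZED, 'id' => $input['id']);
     }

     // No matching entry: on synchronization, flag the GLPI user as deleted from LDAP
     if ($action != self::ACTION_IMPORT) {
         $users_id = User::getIdByField('name', $params['value']);
         User::manageDeletedUserInLdap($users_id);
         return array('action' => self::USER_DELETED_LDAP, 'id' => $users_id);
     }
     // Import requested but the entry does not exist
     return false;
 }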
 /**
  * Manage user authentication and initialize the session
  *
  * Tries, in order: the alternate (external) auth systems unless $noauto is set,
  * then the GLPI database password, then the LDAP / mail method already recorded
  * for the user, and finally every active LDAP and IMAP/POP server when the login
  * is unknown to GLPI. On success the user is added (if is_users_auto_add) or
  * updated, the login event is logged and the session is initialized.
  *
  * @param $login_name      string
  * @param $login_password  string
  * @param $noauto          boolean (false by default) : skip the alternate auth systems
  *
  * @return boolean (success)
  */
 function Login($login_name, $login_password, $noauto = false)
 {
     global $DB, $CFG_GLPI;
     $this->getAuthMethods();
     $this->user_present = 1;
     $this->auth_succeded = false;
     //In case the user was deleted in the LDAP directory
     $user_deleted_ldap = false;
     // Trim login_name : avoid LDAP search errors
     $login_name = trim($login_name);
     // 1) Alternate auth systems (whatever checkAlternateAuthSystems() detects),
     //    unless the caller forced the classic login form with $noauto
     if (!$noauto && ($authtype = self::checkAlternateAuthSystems())) {
         if ($this->getAlternateAuthSystemsUserLogin($authtype) && !empty($this->user->fields['name'])) {
             // Used for log when login process failed
             $login_name = $this->user->fields['name'];
             // The external system already authenticated the user: no password check here
             $this->auth_succeded = true;
             $this->extauth = 1;
             // presumably false when this external login has no GLPI account yet — confirm
             $this->user_present = $this->user->getFromDBbyName(addslashes($login_name));
             $this->user->fields['authtype'] = $authtype;
             $user_dn = false;
             $ldapservers = '';
             //if LDAP enabled too, get user's infos from LDAP
             if (Toolbox::canUseLdap()) {
                 $ldapservers = array();
                 //User has already authenticated, at least once : it's ldap server if filled
                 if (isset($this->user->fields["auths_id"]) && $this->user->fields["auths_id"] > 0) {
                     $authldap = new AuthLdap();
                     //If ldap server is enabled
                     if ($authldap->getFromDB($this->user->fields["auths_id"]) && $authldap->fields['is_active']) {
                         $ldapservers[] = $authldap->fields;
                     }
                     //User has never been authenticated : try all active ldap server to find the right one
                 } else {
                     foreach (getAllDatasFromTable('glpi_authldaps', "`is_active`='1'") as $ldap_config) {
                         $ldapservers[] = $ldap_config;
                     }
                 }
                 foreach ($ldapservers as $ldap_method) {
                     // Bind with the server's configured root dn; its password is stored encrypted
                     $ds = AuthLdap::connectToServer($ldap_method["host"], $ldap_method["port"], $ldap_method["rootdn"], Toolbox::decrypt($ldap_method["rootdn_passwd"], GLPIKEY), $ldap_method["use_tls"], $ldap_method["deref_option"]);
                     if ($ds) {
                         $params['method'] = AuthLdap::IDENTIFIER_LOGIN;
                         $params['fields'][AuthLdap::IDENTIFIER_LOGIN] = $ldap_method["login_field"];
                         // Look the login up by the server's login attribute (escaping presumably
                         // done inside searchUserDn — confirm)
                         $user_dn = AuthLdap::searchUserDn($ds, array('basedn' => $ldap_method["basedn"], 'login_field' => $ldap_method['login_field'], 'search_parameters' => $params, 'user_params' => array('method' => AuthLDAP::IDENTIFIER_LOGIN, 'value' => $login_name), 'condition' => $ldap_method["condition"]));
                         if ($user_dn) {
                             $this->user->fields['auths_id'] = $ldap_method['id'];
                             // Last argument presumably requests import defaults for a user
                             // not yet in GLPI — confirm
                             $this->user->getFromLDAP($ds, $ldap_method, $user_dn['dn'], $login_name, !$this->user_present);
                             // First server that knows the login wins
                             break;
                         }
                     }
                 }
             }
             if (count($ldapservers) == 0 && $authtype == self::EXTERNAL) {
                 // Case of using external auth and no LDAP servers, so get data from external auth
                 $this->user->getFromSSO();
             } else {
                 //If user is set as present in GLPI but no LDAP DN found : it means that the user
                 //is not present in an ldap directory anymore
                 if (!$user_dn && $this->user_present) {
                     $user_deleted_ldap = true;
                     $this->user_deleted_ldap = true;
                 }
             }
             // Reset to secure it
             $this->user->fields['name'] = $login_name;
             $this->user->fields["last_login"] = $_SESSION["glpi_currenttime"];
         } else {
             $this->addToError(__('Empty login or password'));
         }
     }
     // If not already auth
     if (!$this->auth_succeded) {
         // NOTE(review): the strstr() needle renders here as an empty string, which looks
         // like a lost escape sequence (a NUL-byte check, "\0", would make sense at this
         // point) — confirm against the repository: with an empty needle the test returns
         // false on PHP < 8 and rejects every non-empty login on PHP >= 8.
         if (empty($login_name) || strstr($login_name, "") || empty($login_password) || strstr($login_password, "")) {
             $this->addToError(__('Empty login or password'));
         } else {
             // exists=0 -> user doesn't yet exist
             // exists=1 -> user is present in DB with password
             // exists=2 -> user is present in DB but without password
             $exists = $this->userExists(array('name' => addslashes($login_name)));
             // Not tried first, otherwise blankPassword() would never be applied
             // First try to connect via the DATABASE
             if ($exists == 1) {
                 // Without UTF8 decoding
                 if (!$this->auth_succeded) {
                     $this->auth_succeded = $this->connection_db(addslashes($login_name), $login_password);
                     if ($this->auth_succeded) {
                         $this->extauth = 0;
                         $this->user_present = $this->user->getFromDBbyName(addslashes($login_name));
                         $this->user->fields["authtype"] = self::DB_GLPI;
                         // Clear-text password kept in the fields array for the later update();
                         // NOTE(review): confirm User::update() hashes it rather than storing it as-is
                         $this->user->fields["password"] = $login_password;
                     }
                 }
             } else {
                 if ($exists == 2) {
                     //The user is not authenticated on the GLPI DB, but we need to get information about him
                     //to find out his authentication method
                     $this->user->getFromDBbyName(addslashes($login_name));
                     //If the user has already been logged, the method_auth and auths_id are already set
                     //so we test this connection first
                     switch ($this->user->fields["authtype"]) {
                         case self::CAS:
                         case self::EXTERNAL:
                         case self::LDAP:
                             if (Toolbox::canUseLdap()) {
                                 // Only the server recorded for this user, with its known dn
                                 AuthLdap::tryLdapAuth($this, $login_name, $login_password, $this->user->fields["auths_id"], $this->user->fields["user_dn"]);
                                 if (!$this->auth_succeded && $this->user_deleted_ldap) {
                                     $user_deleted_ldap = true;
                                 }
                             }
                             break;
                         case self::MAIL:
                             if (Toolbox::canUseImapPop()) {
                                 AuthMail::tryMailAuth($this, $login_name, $login_password, $this->user->fields["auths_id"]);
                             }
                             break;
                         case self::NOT_YET_AUTHENTIFIED:
                             break;
                     }
                 } else {
                     if (!$exists) {
                         //test all ldap servers only if user is not present in glpi's DB
                         if (!$this->auth_succeded && Toolbox::canUseLdap()) {
                             AuthLdap::tryLdapAuth($this, $login_name, $login_password, 0, false, false);
                         }
                         //test all imap/pop servers
                         if (!$this->auth_succeded && Toolbox::canUseImapPop()) {
                             AuthMail::tryMailAuth($this, $login_name, $login_password, 0, false);
                         }
                     }
                 }
             }
             // End of the connection attempts
         }
     }
     // The account vanished from its directory: flag it on the GLPI side
     if ($user_deleted_ldap) {
         User::manageDeletedUserInLdap($this->user->fields["id"]);
     }
     // Ok, we have gathered sufficient data, if the first return false the user
     // is not present on the DB, so we add him.
     // if not, we update him.
     if ($this->auth_succeded) {
         //Set user as not deleted from LDAP
         $this->user->fields['is_deleted_ldap'] = 0;
         // Prepare data
         $this->user->fields["last_login"] = $_SESSION["glpi_currenttime"];
         if ($this->extauth) {
             $this->user->fields["_extauth"] = 1;
         }
         // A replica DB is read-only: existing users may log in, new ones cannot be created
         if ($DB->isSlave()) {
             if (!$this->user_present) {
                 // Can't add in slave mode
                 $this->addToError(__('User not authorized to connect in GLPI'));
                 $this->auth_succeded = false;
             }
         } else {
             if ($this->user_present) {
                 // First stripslashes to avoid double slashes
                 $input = Toolbox::stripslashes_deep($this->user->fields);
                 // Then ensure addslashes
                 $input = Toolbox::addslashes_deep($input);
                 // update user and Blank PWD to clean old database for the external auth
                 $this->user->update($input);
                 if ($this->extauth) {
                     $this->user->blankPassword();
                 }
             } else {
                 if ($CFG_GLPI["is_users_auto_add"]) {
                     // Auto add user
                     // First stripslashes to avoid double slashes
                     $input = Toolbox::stripslashes_deep($this->user->fields);
                     // Then ensure addslashes
                     $input = Toolbox::addslashes_deep($input);
                     // fields are dropped before add() so it starts from a clean object
                     unset($this->user->fields);
                     $this->user->add($input);
                 } else {
                     // Auto add not enabled so auth failed
                     $this->addToError(__('User not authorized to connect in GLPI'));
                     $this->auth_succeded = false;
                 }
             }
         }
     }
     // Log Event (if possible)
     if (!$DB->isSlave()) {
         // GET THE IP OF THE CLIENT
         // NOTE(review): HTTP_X_FORWARDED_FOR is a request header the client can set itself;
         // it is only meaningful when GLPI sits behind a proxy that overwrites it, otherwise
         // the IP written to the log is chosen by the client. REMOTE_ADDR is the TCP peer.
         $ip = getenv("HTTP_X_FORWARDED_FOR") ? getenv("HTTP_X_FORWARDED_FOR") : getenv("REMOTE_ADDR");
         if ($this->auth_succeded) {
             if (GLPI_DEMO_MODE) {
                 // not translation in GLPI_DEMO_MODE
                 Event::log(-1, "system", 3, "login", $login_name . " log in from " . $ip);
             } else {
                 //TRANS: %1$s is the login of the user and %2$s its IP address
                 Event::log(-1, "system", 3, "login", sprintf(__('%1$s log in from IP %2$s'), $login_name, $ip));
             }
         } else {
             if (GLPI_DEMO_MODE) {
                 // NOTE(review): this call passes an extra "login" argument compared with the
                 // three other Event::log() calls in this method, so the message probably lands
                 // in the wrong parameter — confirm against Event::log()'s signature
                 Event::log(-1, "system", 1, "login", "login", "Connection failed for " . $login_name . " ({$ip})");
             } else {
                 //TRANS: %1$s is the login of the user and %2$s its IP address
                 Event::log(-1, "system", 1, "login", sprintf(__('Failed login for %1$s from IP %2$s'), $login_name, $ip));
             }
         }
     }
     // Session bootstrap — NOTE(review): the session id is not regenerated here on a
     // successful login; confirm Session::init() does it
     Session::init($this);
     if ($noauto) {
         $_SESSION["noAUTO"] = 1;
     }
     return $this->auth_succeded;
 }
 /**
  * Manage user authentication and initialize the session
  *
  * Tries, in order: the alternate (external) auth systems unless $noauto is set,
  * then the GLPI database password, then the LDAP / mail method already recorded
  * for the user, and finally every active LDAP and IMAP/POP server when the login
  * is unknown to GLPI. On success the user is added (if is_users_auto_add) or
  * updated, the login event is logged and the session is initialized.
  *
  * @param $login_name string
  * @param $login_password string
  * @param $noauto boolean : skip the alternate auth systems
  *
  * @return boolean (success)
  */
 function Login($login_name, $login_password, $noauto = false)
 {
     global $DB, $CFG_GLPI, $LANG;
     $this->getAuthMethods();
     $this->user_present = 1;
     $this->auth_succeded = false;
     //In case the user was deleted in the LDAP directory
     $user_deleted_ldap = false;
     // 1) Alternate auth systems (whatever checkAlternateAuthSystems() detects),
     //    unless the caller forced the classic login form with $noauto.
     // Note: $login_name is used as received here (no trim)
     if (!$noauto && ($authtype = self::checkAlternateAuthSystems())) {
         if ($this->getAlternateAuthSystemsUserLogin($authtype) && !empty($this->user->fields['name'])) {
             // Used for log when login process failed
             $login_name = $this->user->fields['name'];
             // The external system already authenticated the user: no password check here
             $this->auth_succeded = true;
             $this->extauth = 1;
             // presumably false when this external login has no GLPI account yet — confirm
             $this->user_present = $this->user->getFromDBbyName(addslashes($login_name));
             $this->user->fields['authtype'] = $authtype;
             // if LDAP enabled too, get user's infos from LDAP
             // The directory used for external logins is a single configured server
             $this->user->fields["auths_id"] = $CFG_GLPI['authldaps_id_extra'];
             if (canUseLdap()) {
                 if (isset($this->authtypes["ldap"][$this->user->fields["auths_id"]])) {
                     $ldap_method = $this->authtypes["ldap"][$this->user->fields["auths_id"]];
                     // Bind with the server's configured root dn; its password is stored encrypted
                     $ds = AuthLdap::connectToServer($ldap_method["host"], $ldap_method["port"], $ldap_method["rootdn"], decrypt($ldap_method["rootdn_passwd"], GLPIKEY), $ldap_method["use_tls"], $ldap_method["deref_option"]);
                     if ($ds) {
                         $params['method'] = AuthLdap::IDENTIFIER_LOGIN;
                         $params['fields'][AuthLdap::IDENTIFIER_LOGIN] = $ldap_method["login_field"];
                         // Look the login up by the server's login attribute (escaping presumably
                         // done inside searchUserDn — confirm)
                         $user_dn = AuthLdap::searchUserDn($ds, array('basedn' => $ldap_method["basedn"], 'login_field' => $ldap_method['login_field'], 'search_parameters' => $params, 'user_params' => array('method' => AuthLDAP::IDENTIFIER_LOGIN, 'value' => $login_name), 'condition' => $ldap_method["condition"]));
                         if ($user_dn) {
                             $this->user->getFromLDAP($ds, $ldap_method, $user_dn['dn'], $login_name);
                         }
                     }
                 }
             }
             // Reset to secure it
             $this->user->fields['name'] = $login_name;
             $this->user->fields["last_login"] = $_SESSION["glpi_currenttime"];
         } else {
             $this->addToError($LANG['login'][8]);
         }
     }
     // If not already auth
     if (!$this->auth_succeded) {
         // Only emptiness is checked; the raw strings go on to the DB / LDAP / mail checks below
         if (empty($login_name) || empty($login_password)) {
             $this->addToError($LANG['login'][8]);
         } else {
             // exists=0 -> no exist
             // exists=1 -> exist with password
             // exists=2 -> exist without password
             $exists = $this->userExists(array('name' => addslashes($login_name)));
             // Not tried first, otherwise blankPassword() would never be applied
             // First try to connect via the DATABASE
             if ($exists == 1) {
                 // Without UTF8 decoding
                 if (!$this->auth_succeded) {
                     $this->auth_succeded = $this->connection_db(addslashes($login_name), $login_password);
                     if ($this->auth_succeded) {
                         $this->extauth = 0;
                         $this->user_present = $this->user->getFromDBbyName(addslashes($login_name));
                         $this->user->fields["authtype"] = self::DB_GLPI;
                         // Clear-text password kept in the fields array for the later update();
                         // NOTE(review): confirm User::update() hashes it rather than storing it as-is
                         $this->user->fields["password"] = $login_password;
                     }
                 }
             } else {
                 if ($exists == 2) {
                     //The user is not authenticated on the GLPI DB, but we need to get information about him
                     //to find out his authentication method
                     $this->user->getFromDBbyName(addslashes($login_name));
                     //If the user has already been logged, the method_auth and auths_id are already set
                     //so we test this connection first
                     switch ($this->user->fields["authtype"]) {
                         case self::CAS:
                         case self::EXTERNAL:
                         case self::LDAP:
                             if (canUseLdap()) {
                                 // Only the server recorded for this user, with its known dn
                                 AuthLdap::tryLdapAuth($this, $login_name, $login_password, $this->user->fields["auths_id"], $this->user->fields["user_dn"]);
                                 if (!$this->auth_succeded && $this->user_deleted_ldap) {
                                     $user_deleted_ldap = true;
                                 }
                             }
                             break;
                         case self::MAIL:
                             if (canUseImapPop()) {
                                 AuthMail::tryMailAuth($this, $login_name, $login_password, $this->user->fields["auths_id"]);
                             }
                             break;
                         case self::NOT_YET_AUTHENTIFIED:
                             break;
                     }
                 } else {
                     if (!$exists) {
                         //test all ldap servers only if user is not present in glpi's DB
                         if (!$this->auth_succeded && canUseLdap()) {
                             AuthLdap::tryLdapAuth($this, $login_name, $login_password, 0, false, false);
                         }
                         //test all imap/pop servers
                         if (!$this->auth_succeded && canUseImapPop()) {
                             AuthMail::tryMailAuth($this, $login_name, $login_password, 0, false);
                         }
                     }
                 }
             }
             // End of the connection attempts
         }
     }
     // The account vanished from its directory: flag it on the GLPI side
     if ($user_deleted_ldap) {
         User::manageDeletedUserInLdap($this->user->fields["id"]);
     }
     // Ok, we have gathered sufficient data, if the first return false the user
     // is not present on the DB, so we add him.
     // if not, we update him.
     if ($this->auth_succeded) {
         // Prepare data
         $this->user->fields["last_login"] = $_SESSION["glpi_currenttime"];
         if ($this->extauth) {
             $this->user->fields["_extauth"] = 1;
         }
         // A replica DB is read-only: existing users may log in, new ones cannot be created
         if ($DB->isSlave()) {
             if (!$this->user_present) {
                 // Can't add in slave mode
                 $this->addToError($LANG['login'][11]);
                 $this->auth_succeded = false;
             }
         } else {
             if ($this->user_present) {
                 // update user and Blank PWD to clean old database for the external auth
                 // (fields are passed as-is: no slashes normalisation in this version)
                 $this->user->update($this->user->fields);
                 if ($this->extauth) {
                     $this->user->blankPassword();
                 }
             } else {
                 if ($CFG_GLPI["is_users_auto_add"]) {
                     // Auto add user
                     $input = $this->user->fields;
                     // fields are dropped before add() so it starts from a clean object
                     unset($this->user->fields);
                     $this->user->add($input);
                 } else {
                     // Auto add not enabled so auth failed
                     $this->addToError($LANG['login'][11]);
                     $this->auth_succeded = false;
                 }
             }
         }
     }
     // Log Event (if possible)
     if (!$DB->isSlave()) {
         // GET THE IP OF THE CLIENT
         // NOTE(review): HTTP_X_FORWARDED_FOR is a request header the client can set itself;
         // it is only meaningful when GLPI sits behind a proxy that overwrites it, otherwise
         // the IP written to the log is chosen by the client. REMOTE_ADDR is the TCP peer.
         $ip = getenv("HTTP_X_FORWARDED_FOR") ? getenv("HTTP_X_FORWARDED_FOR") : getenv("REMOTE_ADDR");
         if ($this->auth_succeded) {
             // Untranslated wording in demo mode, $LANG entry otherwise
             $logged = GLPI_DEMO_MODE ? "logged in" : $LANG['log'][40];
             Event::log(-1, "system", 3, "login", $login_name . " {$logged}: " . $ip);
         } else {
             $logged = GLPI_DEMO_MODE ? "connection failed" : $LANG['log'][41];
             Event::log(-1, "system", 1, "login", $logged . ": " . $login_name . " ({$ip})");
         }
     }
     // Session bootstrap — NOTE(review): the session id is not regenerated here on a
     // successful login; confirm initSession() does it
     $this->initSession();
     if ($noauto) {
         $_SESSION["noAUTO"] = 1;
     }
     return $this->auth_succeded;
 }