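/**
 * Authenticate $userid/$passwd against the LDAP server configured for
 * $authtype, record the attempt, refresh the local user record, set the
 * auth and skin cookies and redirect to the main page.
 *
 * Every failure path calls addLoginLog() with success=0 and re-renders the
 * login page (the auth selector when no LDAP handle could be created). On
 * success the function does not return: it sends the Location header, calls
 * dbDisconnect() and exits.
 *
 * @param string $authtype key into $authMechs selecting the LDAP configuration
 * @param string $userid   user id as submitted on the login form (untrusted)
 * @param string $passwd   password as submitted on the login form (untrusted)
 * @return void
 */
function ldapLogin($authtype, $userid, $passwd)
{
    global $HTMLheader, $printedHTMLheader, $authMechs;
    $auth = $authMechs[$authtype];
    $affil = $auth['affiliationid'];

    // Cheap reachability probe of the LDAPS port (5 s timeout) so an
    // unreachable server shows the login page again instead of hanging in
    // ldap_bind().
    if (!($fh = fsockopen($auth['server'], 636, $errno, $errstr, 5))) {
        printLoginPageWithSkin($authtype, 1);
        return;
    }
    fclose($fh);

    // An empty password must never reach ldap_bind(): a DN plus an empty
    // password is an *unauthenticated* bind (RFC 4513 section 5.1.2), which
    // many directories accept, so the user would be logged in without the
    // password ever being checked. Treat it as a failed login.
    if (!is_string($passwd) || $passwd === '') {
        addLoginLog($userid, $authtype, $affil, 0);
        printLoginPageWithSkin($authtype);
        return;
    }

    $ds = ldap_connect("ldaps://{$auth['server']}/");
    if (!$ds) {
        addLoginLog($userid, $authtype, $affil, 0);
        print $HTMLheader;
        $printedHTMLheader = 1;
        selectAuth();
        return;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    if (array_key_exists('lookupuserbeforeauth', $auth) && $auth['lookupuserbeforeauth'] && array_key_exists('lookupuserfield', $auth)) {
        # in this case, we have to look up what part of the tree the user is in
        #   before we can actually look up the user
        if (array_key_exists('masterlogin', $auth) && strlen($auth['masterlogin'])) {
            // service account for the directory search
            $res = ldap_bind($ds, $auth['masterlogin'], $auth['masterpwd']);
        } else {
            // anonymous bind; the directory must allow anonymous searches
            $res = ldap_bind($ds);
        }
        if (!$res) {
            addLoginLog($userid, $authtype, $affil, 0);
            printLoginPageWithSkin($authtype);
            return;
        }
        // The user id becomes part of an LDAP search filter, so the filter
        // metacharacters of RFC 4515 are escaped first; otherwise a crafted id
        // could rewrite the filter (e.g. match a different account). Plain
        // str_replace keeps this working on PHP builds without ldap_escape();
        // the backslash must be replaced before the others.
        $escuserid = str_replace(
            array('\\', '*', '(', ')', "\0"),
            array('\5c', '\2a', '\28', '\29', '\00'),
            $userid
        );
        // attrsonly=0, sizelimit=3, timelimit=15 s
        $search = ldap_search($ds, $auth['binddn'], "{$auth['lookupuserfield']}={$escuserid}", array('dn'), 0, 3, 15);
        if (!$search) {
            addLoginLog($userid, $authtype, $affil, 0);
            printLoginPageWithSkin($authtype);
            return;
        }
        $tmpdata = ldap_get_entries($ds, $search);
        if (!$tmpdata['count'] || !array_key_exists('dn', $tmpdata[0])) {
            addLoginLog($userid, $authtype, $affil, 0);
            printLoginPageWithSkin($authtype);
            return;
        }
        // Bind with the first returned DN; more than one match is not
        // rejected here.
        $ldapuser = $tmpdata[0]['dn'];
    } else {
        // NOTE(review): the configured template (e.g. a full DN or a UPN) is
        // filled with the raw user id; whether DN escaping is needed depends
        // on the template form - confirm against the deployed configuration.
        $ldapuser = sprintf($auth['userid'], $userid);
    }

    if (!ldap_bind($ds, $ldapuser, $passwd)) {
        // login failed; only the generic "Invalid credentials" text is stored
        // with the log entry, any other server message is not recorded
        $err = ldap_error($ds);
        if ($err === 'Invalid credentials') {
            addLoginLog($userid, $authtype, $affil, 0, $err);
        } else {
            addLoginLog($userid, $authtype, $affil, 0);
        }
        printLoginPageWithSkin($authtype);
        return;
    }

    addLoginLog($userid, $authtype, $affil, 1);
    # the local user record is always refreshed from LDAP on login
    $newid = updateLDAPUser($authtype, $userid);
    if (is_null($newid)) {
        abort(8);
    }
    // get cookie data
    $cookie = getAuthCookieData("{$userid}@" . getAffiliationName($affil));
    // Session cookie (expires 0) scoped to COOKIEDOMAIN. The httponly flag
    // (7th argument) only exists from PHP 5.2 on; the secure flag (6th
    // argument) is 0 on both paths, so the cookie is also sent over plain HTTP.
    if (version_compare(PHP_VERSION, '5.2', '>=')) {
        setcookie("VCLAUTH", "{$cookie['data']}", 0, "/", COOKIEDOMAIN, 0, 1);
    } else {
        setcookie("VCLAUTH", "{$cookie['data']}", 0, "/", COOKIEDOMAIN, 0);
    }
    # set skin cookie based on affiliation (31 days)
    $skin = getAffiliationTheme($affil);
    $ucskin = strtoupper($skin);
    setcookie("VCLSKIN", "{$ucskin}", time() + SECINDAY * 31, "/", COOKIEDOMAIN);
    // redirect to main page
    header("Location: " . BASEURL . SCRIPT);
    dbDisconnect();
    exit;
}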
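/**
 * Per-request initialisation: populates the listed globals, resolves the
 * requested mode (URL path segment, "mode" input or a continuation token),
 * loads the auth-cookie key pair when it may be needed, decides whether the
 * request is authenticated, picks the skin and includes the files the mode
 * needs.
 *
 * Unauthenticated requests return early after forcing $mode to "auth" unless
 * the mode is one of the few allowed without login; a shibboleth session
 * cookie triggers a redirect and exit. abort() is called on fatal setup
 * errors (codes 1, 6, 7, 11, 51).
 *
 * @return void
 */
function initGlobals()
{
    global $mode, $user, $remoteIP, $authed, $oldmode, $semid;
    global $days, $phpVer, $keys, $pemkey, $AUTHERROR;
    global $passwdArray, $skin, $contdata, $lastmode, $inContinuation;
    global $ERRORS, $actions;
    global $affilValFunc, $addUserFunc, $updateUserFunc, $addUserFuncArgs;
    global $uniqid;
    define("SECINDAY", 86400);
    define("SECINWEEK", 604800);
    define("SECINMONTH", 2678400);
    define("SECINYEAR", 31536000);
    # TODO validate security of this
    # A mode given as the first path segment (".../<mode>.<ext>") is copied
    #   into $_GET so processInputVar() below picks it up like ?mode=. An empty
    #   PATH_INFO yields an empty mode instead of an undefined-index notice.
    if (array_key_exists("PATH_INFO", $_SERVER)) {
        $pathdata = explode("/", $_SERVER["PATH_INFO"]);
        $segment = isset($pathdata[1]) ? $pathdata[1] : '';
        $tmp = explode('.', $segment);
        $_GET["mode"] = $tmp[0];
    }
    $mode = processInputVar("mode", ARG_STRING, 'main');
    $inContinuation = 0;
    $contdata = array();
    $contuserid = '';
    $continuation = processInputVar('continuation', ARG_STRING);
    if (!empty($continuation)) {
        # a continuation overrides the mode; its owner ($contuserid) is checked
        #   against the logged-in user further down (abort 51)
        $tmp = getContinuationsData($continuation);
        if (empty($tmp)) {
            abort(11);
        } elseif (array_key_exists('error', $tmp)) {
            $mode = "continuationsError";
            $contdata = $tmp;
        } else {
            $inContinuation = 1;
            $contuserid = $tmp['userid'];
            $lastmode = $tmp['frommode'];
            $mode = $tmp['nextmode'];
            $contdata = $tmp['data'];
        }
    }
    # NOTE(review): these two are locals (not in the global lists above) and
    #   unused in this function - possibly meant to reset globals; confirm.
    $submitErr = 0;
    $submitErrMsg = array();
    $remoteIP = $_SERVER["REMOTE_ADDR"];
    $days = array(i('Sunday'), i('Monday'), i('Tuesday'), i('Wednesday'), i('Thursday'), i('Friday'), i('Saturday'));
    # major PHP version only
    $phpVerArr = explode('.', phpversion());
    $phpVer = $phpVerArr[0];
    # uniqid() is clock-based, not a CSPRNG, and HTTP_HOST is a client-supplied
    #   header: fine for a request identifier, not for anything secret.
    $uniqid = uniqid($_SERVER['HTTP_HOST'] . "-" . getmypid() . "-");
    $passwdArray = array('A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0');
    if (array_key_exists('VCLAUTH', $_COOKIE) || $mode == 'submitLogin') {
        // Key pair for the auth cookie, loaded only when it can be needed.
        // A missing or unreadable file is handled like an unparsable key
        // (abort 6 / 7) rather than reading from a false handle.
        $key = file_get_contents(".ht-inc/keys.pem");
        if ($key === false) {
            abort(6);
        }
        $keys["private"] = openssl_pkey_get_private($key, $pemkey);
        if (!$keys['private']) {
            abort(6);
        }
        $key = file_get_contents(".ht-inc/pubkey.pem");
        if ($key === false) {
            abort(7);
        }
        $keys["public"] = openssl_pkey_get_public($key);
        if (!$keys['public']) {
            abort(7);
        }
    }
    # USING A SINGLE USER WITHOUT LOGGING IN:
    # to automatically log in to vcl with the same user
    # every time, comment out from this comment block to
    # the 'end auth check' comment, then, right after
    # that, set $authed = 1 and $userid to the id from
    # the user table corresponding to the user you want
    # logged in
    # start auth check
    $authed = 0;
    if (array_key_exists("VCLAUTH", $_COOKIE)) {
        # readAuthCookie() is the only thing that grants $authed = 1 here
        $userid = readAuthCookie();
        if (!is_null($userid)) {
            $authed = 1;
        }
    } elseif (preg_match('/_shibsession/', join(',', array_keys($_COOKIE)))) {
        # redirect to shibauth directory
        header('Location: ' . BASEURL . "/shibauth/");
        dbDisconnect();
        exit;
    }
    # end auth check
    if ($authed && $mode == 'selectauth') {
        $mode = 'home';
    }
    if (!$authed) {
        # set $skin based on cookie (so it gets set before user logs in
        #   later, we set it by affiliation (helps with 'view as user')
        # The cookie value is only mapped to a fixed theme name below, never
        #   used directly, so it cannot steer the require_once path.
        if (preg_match('/^152\\.9\\./', $_SERVER['REMOTE_ADDR']) || array_key_exists('VCLSKIN', $_COOKIE) && $_COOKIE['VCLSKIN'] === 'EXAMPLE1') {
            $skin = 'example1';
        } elseif (array_key_exists('VCLSKIN', $_COOKIE)) {
            switch ($_COOKIE['VCLSKIN']) {
                case 'EXAMPLE2':
                    $skin = 'example2';
                    break;
                default:
                    $skin = DEFAULTTHEME;
                    break;
            }
        } else {
            $skin = DEFAULTTHEME;
        }
        if ($mode != 'selectauth' && $mode != 'submitLogin') {
            require_once "themes/{$skin}/page.php";
        }
        require_once ".ht-inc/requests.php";
        # every other mode requires a login; remember the requested one
        if ($mode != "logout" && $mode != "shiblogout" && $mode != "xmlrpccall" && $mode != "xmlrpcaffiliations" && $mode != "selectauth" && $mode != "submitLogin" && $mode != "changeLocale") {
            $oldmode = $mode;
            $mode = "auth";
        }
        if ($mode == 'xmlrpccall' || $mode == 'xmlrpcaffiliations') {
            require_once ".ht-inc/xmlrpcWrappers.php";
            require_once ".ht-inc/requests.php";
            require_once ".ht-inc/serverprofiles.php";
            require_once ".ht-inc/groups.php";
            setupSession();
        }
        return;
    }
    setupSession();
    if (array_key_exists('user', $_SESSION)) {
        $user = $_SESSION['user'];
        # a continuation may only be consumed by the user that created it
        if (!empty($contuserid) && $user['id'] != $contuserid) {
            abort(51);
        }
    } else {
        # get info about user
        if (!($user = getUserInfo($userid))) {
            // if first call to getUserInfo fails, try calling with $noupdate set
            if (!($user = getUserInfo($userid, 1))) {
                $ERRORS[1] = i("Failed to get user info from database. userid was ") . "{$userid}";
                abort(1);
            }
        }
        if (!empty($contuserid) && $user['id'] != $contuserid) {
            abort(51);
        }
        $_SESSION['user'] = $user;
    }
    # setskin - from the affiliation (database), not from the cookie
    $skin = getAffiliationTheme($user['affiliationid']);
    require_once "themes/{$skin}/page.php";
    $_SESSION['mode'] = $mode;
    // check for and possibly clear dirty permission cache; the privilege
    // editing AJAX modes keep the cache as-is
    $dontClearModes = array('AJchangeUserPrivs', 'AJchangeUserGroupPrivs', 'AJchangeResourcePrivs');
    if (!in_array($mode, $dontClearModes, true) && array_key_exists('dirtyprivs', $_SESSION) && $_SESSION['dirtyprivs']) {
        clearPrivCache();
        $_SESSION['dirtyprivs'] = 0;
    }
    # set up $affilValFunc, $addUserFunc, $updateUserFunc for any shibonly affiliations
    # (create_function() was deprecated in PHP 7.2 and removed in 8.0; closures
    #   are the replacement once the minimum PHP version allows them)
    $query = "SELECT id FROM affiliation WHERE shibonly = 1";
    $qh = doQuery($query);
    while ($row = mysql_fetch_assoc($qh)) {
        $id = $row['id'];
        if (!array_key_exists($id, $affilValFunc)) {
            if (ALLOWADDSHIBUSERS) {
                $affilValFunc[$id] = create_function('', 'return 1;');
            } else {
                $affilValFunc[$id] = create_function('', 'return 0;');
            }
        }
        if (!array_key_exists($id, $addUserFunc)) {
            if (ALLOWADDSHIBUSERS) {
                $addUserFunc[$id] = 'addShibUserStub';
                $addUserFuncArgs[$id] = $id;
            } else {
                $addUserFunc[$id] = create_function('', 'return 0;');
            }
        }
        if (!array_key_exists($id, $updateUserFunc)) {
            $updateUserFunc[$id] = create_function('', 'return NULL;');
        }
    }
    # include appropriate files; an unknown mode falls through to the default
    #   without an undefined-index notice
    $page = isset($actions['pages'][$mode]) ? $actions['pages'][$mode] : null;
    switch ($page) {
        case 'blockAllocations':
            require_once ".ht-inc/blockallocations.php";
            break;
        case 'help':
            require_once ".ht-inc/help.php";
            break;
        case 'userPreferences':
            require_once ".ht-inc/userpreferences.php";
            break;
        case 'statistics':
            require_once ".ht-inc/statistics.php";
            break;
        case 'manageGroups':
            require_once ".ht-inc/groups.php";
            break;
        case 'privileges':
        case 'userLookup':
            require_once ".ht-inc/privileges.php";
            break;
        case 'sitemaintenance':
            require_once ".ht-inc/sitemaintenance.php";
            break;
        case 'vm':
            require_once ".ht-inc/vm.php";
            break;
        case 'dashboard':
            require_once ".ht-inc/dashboard.php";
            break;
        case 'siteconfig':
            require_once ".ht-inc/siteconfig.php";
            break;
        case 'resource':
        case 'config':
        case 'image':
        case 'computer':
        case 'managementnode':
        case 'schedule':
            require_once ".ht-inc/resource.php";
            break;
        case 'storebackend':
            require_once ".ht-inc/storebackend.php";
            break;
        case 'serverProfiles':
            require_once ".ht-inc/serverprofiles.php";
            require_once ".ht-inc/requests.php";
            break;
        default:
            require_once ".ht-inc/requests.php";
    }
}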