public static function authenticate($ps_username, $ps_password = '', $pa_options = null)
{
$po_auth_config = Configuration::load(Configuration::load()->get('authentication_config'));
if (!function_exists("ldap_connect")) {
throw new OpenLDAPException(_t("PHP's LDAP module is required for LDAP authentication!"));
}
if (!$ps_username) {
return false;
}
// ldap config
$vs_ldaphost = $po_auth_config->get("ldap_host");
$vs_ldapport = $po_auth_config->get("ldap_port");
$vs_base_dn = $po_auth_config->get("ldap_base_dn");
$vs_user_ou = $po_auth_config->get("ldap_user_ou");
$vs_bind_rdn = self::postProcessLDAPConfigValue("ldap_bind_rdn_format", $ps_username, $vs_user_ou, $vs_base_dn);
$va_default_roles = $po_auth_config->get("ldap_users_default_roles");
if (!is_array($va_default_roles)) {
$va_default_roles = array();
}
$va_default_groups = $po_auth_config->get("ldap_users_default_groups");
if (!is_array($va_default_groups)) {
$va_default_groups = array();
}
$vo_ldap = ldap_connect($vs_ldaphost, $vs_ldapport);
ldap_set_option($vo_ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
if (!$vo_ldap) {
return false;
}
$vs_bind_rdn_filter = self::postProcessLDAPConfigValue("ldap_bind_rdn_filter", $ps_username, $vs_user_ou, $vs_base_dn);
if (strlen($vs_bind_rdn_filter) > 0) {
$vo_dn_search_results = ldap_search($vo_ldap, $vs_base_dn, $vs_bind_rdn_filter);
$va_dn_search_results = ldap_get_entries($vo_ldap, $vo_dn_search_results);
if (isset($va_dn_search_results[0]['dn'])) {
$vs_bind_rdn = $va_dn_search_results[0]['dn'];
}
}
// log in
$vo_bind = @ldap_bind($vo_ldap, $vs_bind_rdn, $ps_password);
if (!$vo_bind) {
// wrong credentials
if (ldap_get_option($vo_ldap, 0x32, $extended_error)) {
caLogEvent("ERR", "LDAP ERROR (" . ldap_errno($vo_ldap) . ") {$extended_error} [{$vs_bind_rdn}]", "OpenLDAP::Authenticate");
}
ldap_unbind($vo_ldap);
return false;
}
// check group membership
if (!self::isMemberinAtLeastOneGroup($ps_username, $vo_ldap)) {
ldap_unbind($vo_ldap);
return false;
}
// user role and group membership syncing with directory
$t_user = new ca_users();
if ($t_user->load($ps_username)) {
// don't try to sync roles for non-existing users (the first auth call is before the user is actually created)
if ($po_auth_config->get('ldap_sync_user_roles')) {
$va_expected_roles = array_merge($va_default_roles, self::getRolesToAddFromDirectory($ps_username, $vo_ldap));
foreach ($va_expected_roles as $vs_role) {
if (!$t_user->hasUserRole($vs_role)) {
$t_user->addRoles($vs_role);
}
}
foreach ($t_user->getUserRoles() as $vn_id => $va_role_info) {
if (!in_array($va_role_info['code'], $va_expected_roles)) {
$t_user->removeRoles($vn_id);
}
}
}
if ($po_auth_config->get('ldap_sync_user_groups')) {
$va_expected_groups = array_merge($va_default_groups, self::getGroupsToAddFromDirectory($ps_username, $vo_ldap));
foreach ($va_expected_groups as $vs_group) {
if (!$t_user->inGroup($vs_group)) {
$t_user->addToGroups($vs_group);
}
}
foreach ($t_user->getUserGroups() as $vn_id => $va_group_info) {
if (!in_array($va_group_info['code'], $va_expected_groups)) {
$t_user->removeFromGroups($vn_id);
}
}
}
}
ldap_unbind($vo_ldap);
return true;
}
private function syncWithDirectory($ps_username)
{
$va_default_roles = $this->getConfigValue("ldap_users_default_roles", array());
$va_default_groups = $this->getConfigValue("ldap_users_default_groups", array());
$t_user = new ca_users();
// don't try to sync roles for non-existing users (the first auth call is before the user is actually created)
if (!$t_user->load($ps_username)) {
return;
}
if ($this->getConfigValue('ldap_sync_user_roles')) {
$va_expected_roles = array_merge($va_default_roles, $this->getRolesToAddFromDirectory($ps_username));
foreach ($va_expected_roles as $vs_role) {
if (!$t_user->hasUserRole($vs_role)) {
$t_user->addRoles($vs_role);
}
}
foreach ($t_user->getUserRoles() as $vn_id => $va_role_info) {
if (!in_array($va_role_info['code'], $va_expected_roles)) {
$t_user->removeRoles($vn_id);
}
}
}
if ($this->getConfigValue('ldap_sync_user_groups')) {
$va_expected_groups = array_merge($va_default_groups, $this->getGroupsToAddFromDirectory($ps_username));
foreach ($va_expected_groups as $vs_group) {
if (!$t_user->inGroup($vs_group)) {
$t_user->addToGroups($vs_group);
}
}
foreach ($t_user->getUserGroups() as $vn_id => $va_group_info) {
if (!in_array($va_group_info['code'], $va_expected_groups)) {
$t_user->removeFromGroups($vn_id);
}
}
}
}