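/**
 * Authenticate a user against the LDAP directory.
 *
 * If successful and the user is new, the user is created in the database.
 * If successful and the user is returning, the user record is resynced.
 * Both of those steps happen inside ldap_storeDetails(); this function only
 * opens the connection, locates the single matching entry and hands over.
 *
 * @author Lea Anthony and Paul Heaney
 * @param string $username      Username (or e-mail address when $searchOnEmail is TRUE)
 * @param string $password      Password, passed through to ldap_storeDetails()
 * @param int    $id            The userid or contactid, > 0 if you wish to update, else creates new
 * @param bool   $user          True for user, false for customer
 * @param bool   $populateOnly  Passed through to ldap_storeDetails() unchanged
 * @param bool   $searchOnEmail Passed to ldap_getDetails(); look the entry up by e-mail instead of username
 * @return mixed true if successful, false if unsuccessful, or -1 if the connection to the LDAP server failed
 */
function authenticateLDAP($username, $password, $id = 0, $user = TRUE, $populateOnly = FALSE, $searchOnEmail = FALSE)
{
    debug_log("authenticateLDAP {$username}", TRUE);

    $ldap_conn = ldapOpen();
    if ($ldap_conn === -1)
    {
        // ldapOpen() signals a failed connection with -1; there is no handle to close,
        // so return early instead of calling ldap_close() on an invalid value
        return -1;
    }

    $toReturn = false;

    // Search for user DN, then authenticate / verify roles in ldap_storeDetails()
    $entry = ldap_getDetails($username, $searchOnEmail, $ldap_conn);
    if (!$entry)
    {
        // Zero or multiple matches. E_USER_ERROR halts the script unless the
        // application has installed an error handler that returns; in that case
        // $toReturn stays false and the caller sees an authentication failure.
        trigger_error("Unable to locate user", E_USER_ERROR);
    }
    else
    {
        debug_log("One entry found", TRUE);
        // NOTE(review): the DN is written to the session before the password has
        // been verified by ldap_storeDetails(); confirm nothing downstream treats
        // the presence of ldap_user_dn as evidence that authentication succeeded.
        $_SESSION['ldap_user_dn'] = ldap_get_dn($ldap_conn, $entry);
        $user_attributes = ldap_get_attributes($ldap_conn, $entry);
        $toReturn = ldap_storeDetails($password, $id, $user, $populateOnly, $ldap_conn, $user_attributes);
    }

    ldap_close($ldap_conn);

    return $toReturn;
}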
/**
 * Perform the periodic sync of existing user and contact details from LDAP.
 *
 * Flow, as implemented below:
 *   1. Collect the members of the admin, manager and user groups into $users.
 *   2. Load the LDAP-sourced users already present in the SiT database.
 *   3. For each LDAP member, reconcile the disabled state (when the directory
 *      exposes a login-disabled attribute) and resync the record through
 *      ldap_storeDetails() with populateOnly = TRUE.
 *   4. Disable every database user that was not seen in LDAP.
 *   5. Repeat steps 1-4 for contacts using the customer group.
 *
 * @author Paul Heaney
 * @note This function is intended to update existing users and contacts rather
 *       than create them. Members with no database row are still passed to
 *       ldap_storeDetails() with an id of 0, so whether a row is created depends
 *       on that function's handling of id 0 with populateOnly = TRUE.
 * @return bool TRUE when LDAP is not in use, or when the last user processed was
 *              stored successfully and no contact store failed afterwards.
 *              Contact successes never set TRUE, only contact failures set FALSE.
 */
function saction_ldapSync()
{
    global $CONFIG;
    $success = FALSE;
    if ($CONFIG['use_ldap'])
    {
        $ldap_conn = ldapOpen();
        // NOTE(review): authenticateLDAP() treats -1 from ldapOpen() as a failed
        // connection; -1 is truthy, so this check would not catch that case — confirm
        // what ldapOpen() returns on failure.
        if ($ldap_conn)
        {
            // NOTE TODO FIXME would be more optimal to pass the user type into the create as in the case where the group membership isn't stored its looked up again
            // Search for members of each group and then unique the members and loop through
            // Populate an array ($users) with a list of SIT users in LDAP
            // Only want GROUPS
            $filter = "(objectClass={$CONFIG['ldap_grpobjecttype']})";
            $attributesToGet = array($CONFIG['ldap_grpattributegrp']);
            $users = array();
            $userGrps = array($CONFIG['ldap_admin_group'], $CONFIG['ldap_manager_group'], $CONFIG['ldap_user_group']);
            foreach ($userGrps as $grp)
            {
                if (!empty($grp))
                {
                    // The configured group value is used as the search base; exactly one entry is expected
                    $sr = ldap_search($ldap_conn, $grp, $filter, $attributesToGet);
                    if (ldap_count_entries($ldap_conn, $sr) != 1)
                    {
                        trigger_error("Group {$grp} not found in LDAP");
                    }
                    else
                    {
                        $entry = ldap_first_entry($ldap_conn, $sr);
                        $attributes = ldap_get_attributes($ldap_conn, $entry);
                        for ($i = 0; $i < $attributes[$CONFIG['ldap_grpattributegrp']]['count']; $i++)
                        {
                            $member = $attributes[$CONFIG['ldap_grpattributegrp']][$i];
                            // With full-DN membership only members under ldap_user_base are kept;
                            // otherwise every member value is taken as-is. Keyed by member to de-duplicate.
                            if (endsWith(strtolower($member), strtolower($CONFIG['ldap_user_base'])) and $CONFIG['ldap_grpfulldn'])
                            {
                                $users[$member] = $member;
                            }
                            elseif (!$CONFIG['ldap_grpfulldn'])
                            {
                                $users[$member] = $member;
                            }
                        }
                    }
                }
            }

            // Populate an array with the LDAP users already in the SiT database, keyed by username
            $sit_db_users = array();
            $sql = "SELECT id, username, status FROM `{$GLOBALS['dbUsers']}` WHERE user_source = 'ldap'";
            $result = mysql_query($sql);
            if (mysql_error())
            {
                trigger_error("MySQL Query Error" . mysql_error(), E_USER_WARNING);
            }
            if (mysql_num_rows($result) > 0)
            {
                while ($obj = mysql_fetch_object($result))
                {
                    $user_obj = new User();
                    $user_obj->id = $obj->id;
                    $user_obj->username = $obj->username;
                    $user_obj->status = $obj->status;
                    $sit_db_users[$obj->username] = $user_obj;
                }
            }

            foreach ($users as $u)
            {
                $e = ldap_getDetails($u, FALSE, $ldap_conn);
                if ($e)
                {
                    $user_attributes = ldap_get_attributes($ldap_conn, $e);
                    debug_log("user attributes: " . print_r($user_attributes, true), TRUE);
                    // NOTE(review): this dumps the whole database user list into the debug log
                    // once per LDAP member; consider whether that volume of account data belongs in the log
                    debug_log("db users: " . print_r($sit_db_users, true), TRUE);

                    // If the directory supports disabling of users
                    if (!empty($CONFIG['ldap_logindisabledattribute']))
                    {
                        // NOTE(review): $sit_db_users[...] is dereferenced here before the
                        // !empty() existence check further down, so a member that has no
                        // database row yet reaches ->status / ->disable() on a missing entry — confirm
                        if ($sit_db_users[$user_attributes[$CONFIG['ldap_userattribute']][0]]->status === USERSTATUS_ACCOUNT_DISABLED)
                        {
                            // User is disabled in the SIT db, check to see if we need to re-enable
                            if (!empty($user_attributes[$CONFIG['ldap_logindisabledattribute']]))
                            {
                                if (strtolower($user_attributes[$CONFIG['ldap_logindisabledattribute']][0]) != strtolower($CONFIG['ldap_logindisabledvalue']))
                                {
                                    // The user is enabled in LDAP so we want to enable
                                    debug_log("Re-enabling user '{$u}' in the SiT users database", TRUE);
                                    $sit_db_users[$user_attributes[$CONFIG['ldap_userattribute']][0]]->status = $CONFIG['ldap_default_user_status'];
                                    $sit_db_users[$user_attributes[$CONFIG['ldap_userattribute']][0]]->edit();
                                }
                            }
                        }
                        else
                        {
                            // User is not disabled in the SiT database, check to see if we need to disable
                            if (strtolower($user_attributes[$CONFIG['ldap_logindisabledattribute']][0]) == strtolower($CONFIG['ldap_logindisabledvalue']))
                            {
                                // User is disabled in LDAP so we want to disable
                                $sit_db_users[$user_attributes[$CONFIG['ldap_userattribute']][0]]->disable();
                            }
                        }
                    }

                    // Resolve the existing database id (0 when unknown) and drop the entry from
                    // $sit_db_users so that whatever remains afterwards is no longer present in LDAP
                    $userid = 0;
                    if (!empty($sit_db_users[$user_attributes[$CONFIG['ldap_userattribute']][0]]))
                    {
                        $userid = $sit_db_users[$user_attributes[$CONFIG['ldap_userattribute']][0]]->id;
                        unset($sit_db_users[$user_attributes[$CONFIG['ldap_userattribute']][0]]);
                    }
                    // Empty password: this is a resync, not an authentication
                    if (!ldap_storeDetails('', $userid, TRUE, TRUE, $ldap_conn, $user_attributes))
                    {
                        trigger_error("Failed to store details for userid {$userid}", E_USER_WARNING);
                        $success = FALSE;
                    }
                    else
                    {
                        $success = TRUE;
                    }
                }
                else
                {
                    debug_log("Failed to get details for {$u}");
                }
            }

            // Disable users we no longer know about
            // TODO reassign incidents?
            foreach ($sit_db_users as $u)
            {
                debug_log("Disabling {$u->username}");
                $u->disable();
            }

            // ---- CONTACTS ----
            // Same procedure as for users, driven by the single customer group
            $contacts = array();
            if (!empty($CONFIG["ldap_customer_group"]))
            {
                debug_log("CONTACTS");
                $sr = ldap_search($ldap_conn, $CONFIG["ldap_customer_group"], $filter, $attributesToGet);
                if (ldap_count_entries($ldap_conn, $sr) != 1)
                {
                    trigger_error("No contact group found in LDAP");
                }
                else
                {
                    $entry = ldap_first_entry($ldap_conn, $sr);
                    $attributes = ldap_get_attributes($ldap_conn, $entry);
                    for ($i = 0; $i < $attributes[$CONFIG['ldap_grpattributegrp']]['count']; $i++)
                    {
                        $member = $attributes[$CONFIG['ldap_grpattributegrp']][$i];
                        if (endsWith(strtolower($member), strtolower($CONFIG['ldap_user_base'])) and $CONFIG['ldap_grpfulldn'])
                        {
                            $contacts[$member] = $member;
                        }
                        elseif (!$CONFIG['ldap_grpfulldn'])
                        {
                            $contacts[$member] = $member;
                        }
                    }
                }

                // LDAP-sourced contacts already in the SiT database, keyed by username
                $sit_db_contacts = array();
                $sql = "SELECT id, username, active FROM `{$GLOBALS['dbContacts']}` WHERE contact_source = 'ldap'";
                $result = mysql_query($sql);
                if (mysql_error())
                {
                    trigger_error("MySQL Query Error" . mysql_error(), E_USER_WARNING);
                }
                if (mysql_num_rows($result) > 0)
                {
                    while ($obj = mysql_fetch_object($result))
                    {
                        $c = new Contact();
                        $c->id = $obj->id;
                        $c->username = $obj->username;
                        // The `active` column is copied into ->status; the re-enable path below writes ->active instead
                        $c->status = $obj->active;
                        $sit_db_contacts[$c->username] = $c;
                    }
                }

                foreach ($contacts as $c)
                {
                    $e = ldap_getDetails($c, FALSE, $ldap_conn);
                    if ($e)
                    {
                        $contact_attributes = ldap_get_attributes($ldap_conn, $e);
                        // NOTE(review): the users branch above uses !empty() for this test, contacts use isset();
                        // an empty-string setting passes here but not there — confirm which is intended
                        if (isset($CONFIG['ldap_logindisabledattribute']))
                        {
                            // Directory supports disabling
                            if ($sit_db_contacts[$contact_attributes[$CONFIG['ldap_userattribute']][0]]->status == 'false')
                            {
                                // Contact disabled in SiT, check whether it needs re-enabling
                                if (!empty($contact_attributes[$CONFIG['ldap_logindisabledattribute']]))
                                {
                                    if (strtolower($contact_attributes[$CONFIG['ldap_logindisabledattribute']][0]) != strtolower($CONFIG['ldap_logindisabledvalue']))
                                    {
                                        // We want to enable
                                        $sit_db_contacts[$contact_attributes[$CONFIG['ldap_userattribute']][0]]->active = 'true';
                                        $sit_db_contacts[$contact_attributes[$CONFIG['ldap_userattribute']][0]]->edit();
                                    }
                                }
                            }
                            elseif (!empty($contact_attributes[$CONFIG['ldap_logindisabledattribute']]))
                            {
                                // Contact not disabled in SiT though the attribute is available to us
                                if (strtolower($contact_attributes[$CONFIG['ldap_logindisabledattribute']][0]) == strtolower($CONFIG['ldap_logindisabledvalue']))
                                {
                                    // We want to disable
                                    $sit_db_contacts[$contact_attributes[$CONFIG['ldap_userattribute']][0]]->disable();
                                }
                            }
                        }

                        // Resolve the existing contact id (0 when unknown) and remove it from the
                        // "still in database" set, as done for users above
                        $contactid = 0;
                        if (!empty($sit_db_contacts[$contact_attributes[$CONFIG['ldap_userattribute']][0]]))
                        {
                            $contactid = $sit_db_contacts[$contact_attributes[$CONFIG['ldap_userattribute']][0]]->id;
                            unset($sit_db_contacts[$contact_attributes[$CONFIG['ldap_userattribute']][0]]);
                        }
                        // Only failure is recorded here; a successful contact store leaves $success as set by the users loop
                        if (!ldap_storeDetails('', $contactid, FALSE, TRUE, $ldap_conn, $contact_attributes))
                        {
                            trigger_error("Failed to store details for userid {$contactid}", E_USER_WARNING);
                            $success = FALSE;
                        }
                    }
                }

                // Disable contacts we no longer know about
                // TODO reassign incidents?
                foreach ($sit_db_contacts as $c)
                {
                    debug_log("Disabling {$c->username}", TRUE);
                    $c->disable();
                }
            }
        }
    }
    else
    {
        // LDAP not in use: nothing to sync, report success
        $success = TRUE;
    }

    return $success;
}