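/**
 * Authenticate $username/$password against a RADIUS server and cache a
 * successful result in the PHP session for $timeout seconds.
 *
 * A cached result is reused (and its timestamp refreshed, i.e. sliding
 * expiry) only when the cache entry is younger than $timeout, was created
 * from the same REMOTE_ADDR and for the same $username; in every other case
 * a fresh Access-Request is sent. Note that the cached path does not
 * re-check $password: whoever holds the session is trusted for $timeout.
 *
 * @param string $ip_radius_server RADIUS server address
 * @param string $shared_secret    RADIUS shared secret
 * @param string $username         User-Name to authenticate
 * @param string $password         User-Password to authenticate
 * @param int    $timeout          cache lifetime in seconds (default 900)
 * @param bool   $debug_mode       forwarded to Radius::SetDebugMode(); the
 *                                 original read an undefined $php_debug_mode here
 * @return bool TRUE on a cached or fresh successful authentication, otherwise
 *              the value returned by Radius::AccessRequest() (FALSE on reject)
 */
function authenticate_and_cache($ip_radius_server, $shared_secret, $username, $password, $timeout = 900, $debug_mode = false)
{
    $remote_addr = $_SERVER['REMOTE_ADDR'] ?? '';
    $cache_unique_id = $_SESSION['authentication_unique_id'] ?? '';
    // Defaults so the freshness test below never reads undefined variables
    // when the session holds no cache entry yet.
    $cache_timestamp = 0;
    $cache_remote_addr = '';
    $cache_username = '';
    if ($cache_unique_id !== '') {
        $cache_timestamp = (int) ($_SESSION[$cache_unique_id . '_authentication_timestamp'] ?? 0);
        $cache_remote_addr = (string) ($_SESSION[$cache_unique_id . '_authentication_remote_addr'] ?? '');
        $cache_username = (string) ($_SESSION[$cache_unique_id . '_authentication_username'] ?? '');
    }
    // The entry is only trusted when it is recent and bound to the same
    // client address and user name it was created for.
    $cache_is_valid = $cache_timestamp !== 0
        && $cache_timestamp + $timeout >= time()
        && $cache_remote_addr === (string) $remote_addr
        && $cache_username === (string) $username;
    if ($cache_is_valid) {
        // Sliding expiry: every cached hit extends the entry by $timeout.
        $_SESSION[$cache_unique_id . '_authentication_timestamp'] = time();
        return TRUE;
    }
    $radius = new Radius($ip_radius_server, $shared_secret);
    $radius->SetDebugMode($debug_mode);
    $result = $radius->AccessRequest($username, $password);
    if ($result === TRUE) {
        if ($cache_unique_id === '') {
            // CSPRNG-backed key (32 hex chars, same length as the former md5)
            // instead of md5(uniqid(rand(), true)).
            $cache_unique_id = bin2hex(random_bytes(16));
        }
        $_SESSION['authentication_unique_id'] = $cache_unique_id;
        $_SESSION[$cache_unique_id . '_authentication_timestamp'] = time();
        $_SESSION[$cache_unique_id . '_authentication_remote_addr'] = $remote_addr;
        $_SESSION[$cache_unique_id . '_authentication_username'] = $username;
    } else {
        // Rejected: forget the cache key so the next call goes to the server.
        $_SESSION['authentication_unique_id'] = '';
    }
    return $result;
}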
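 /**
  * Authenticate $login/$password against the RADIUS server configured in
  * config.php (RADIUS_AUTH_SERVER, RADIUS_AUTH_SECRET, optional RADIUS_AUTH_PORT).
  *
  * @param string $login    user name sent as User-Name
  * @param string $password password sent as User-Password
  * @return mixed whatever $this->base->auto_create_user($login) returns on an
  *               Access-Accept; FALSE on empty input, missing config or rejection
  */
 function authenticate($login, $password)
 {
     // require_once aborts the request when the file is missing and otherwise
     // yields the file's return value (or true), so it cannot act as a guard.
     require_once 'php-radius/radius.php';
     // Explicit emptiness test: a login or password of "0" is valid input,
     // which the former truthiness check rejected.
     if (!is_scalar($login) || !is_scalar($password) || (string) $login === '' || (string) $password === '') {
         return FALSE;
     }
     if (!defined('RADIUS_AUTH_SERVER') or !defined('RADIUS_AUTH_SECRET')) {
         $this->_log('Could not parse RADIUS_AUTH_ options from config.php!');
         return FALSE;
     }
     if (!defined('RADIUS_AUTH_PORT')) {
         define('RADIUS_AUTH_PORT', 1812);
     }
     // Constructor order appears to be: server, secret, suffix, UDP timeout, authentication port.
     $radius = new Radius(RADIUS_AUTH_SERVER, RADIUS_AUTH_SECRET, '', 5, RADIUS_AUTH_PORT);
     // Hard-coded NAS-IP-Address kept from the original; it is an attribute
     // reported to the server — consider making it configurable.
     $radius->SetNasIpAddress('1.2.3.4');
     if ($radius->AccessRequest($login, $password)) {
         return $this->base->auto_create_user($login);
     }
     $this->_log('Radius authentication rejected!');
     return FALSE;
 }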
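 /**
  * Authenticates user on radius server
  *
  * Connection parameters (hostname, secret, suffix, timeout, port) are read
  * from the JSON in $this->authmethodparams. On success the session is
  * written, the last login time updated and any IP block for this client
  * removed; on failure the client IP is counted against the block list.
  *
  * @access private
  * @param mixed $username
  * @param mixed $password
  * @return void
  */
 private function auth_radius($username, $password)
 {
     # decode radius parameters; json_decode() returns null on malformed input
     $params = json_decode($this->authmethodparams);
     if (!is_object($params)) {
         $this->Log->write("Radius login", "Invalid radius parameters", 2, $username);
         $this->Result->show("danger", _("Invalid radius parameters"), true);
         # explicit exit in case Result->show() does not terminate the request
         return;
     }
     # check for socket support !
     if (!extension_loaded("sockets")) {
         $this->Log->write("Radius login", "php Socket extension missing", 2);
         $this->Result->show("danger", _("php Socket extension missing"), true);
         return;
     }
     # initialize radius class (require_once: a second call in the same request must not redeclare it)
     require_once dirname(__FILE__) . '/class.Radius.php';
     $Radius = new Radius($params->hostname, $params->secret, $params->suffix, $params->timeout, $params->port);
     $Radius->SetNasIpAddress($params->hostname);
     # debugging
     if ($this->debugging === true) {
         $Radius->SetDebugMode(TRUE);
     }
     # authenticate
     $auth = $Radius->AccessRequest($username, $password);
     # debug? The lines are emitted into HTML, so escape them (the user name is
     # attacker-controlled). Assumes debug_text holds plain text — confirm in class.Radius.php.
     if ($this->debugging) {
         $escaped = array_map(
             static function ($line) {
                 return htmlspecialchars((string) $line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
             },
             (array) $Radius->debug_text
         );
         print "<pre style='width:700px;margin:auto;margin-top:10px;'>";
         print implode("<br>", $escaped);
         print "</pre>";
     }
     # authenticate user
     if ($auth) {
         # save to session
         $this->write_session_parameters();
         $this->Log->write("Radius login", "User " . $this->user->real_name . " logged in via radius", 0, $username);
         $this->Result->show("success", _("Radius login successful"));
         # write last logintime
         $this->update_login_time();
         # remove possible blocked IP
         $this->block_remove_entry();
     } else {
         # add blocked count
         $this->block_ip();
         $this->Log->write("Radius login", "Failed to authenticate user on radius server", 2, $username);
         $this->Result->show("danger", _("Invalid username or password"), true);
     }
 }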
 /**
  * authenticate() - defined by \Zend_Auth_Adapter_Interface.  Sends the RADIUS
  * Access-Request for the identity/credential this adapter was configured with
  * and wraps the outcome (code + message) in a \Zend_Auth_Result.
  *
  * @throws \Zend_Auth_Adapter_Exception if answering the authentication query is impossible
  * @return \Zend_Auth_Result
  */
 public function authenticate()
 {
     $this->_authenticateSetup();
     $accepted = (bool) $this->_radius->AccessRequest($this->_identity, $this->_credential);
     $this->_authenticateResultInfo['code'] = $accepted
         ? \Zend_Auth_Result::SUCCESS
         : \Zend_Auth_Result::FAILURE;
     $this->_authenticateResultInfo['messages'][] = $accepted
         ? 'Authentication successful.'
         : 'Authentication failed.';
     return $this->_authenticateCreateAuthResult();
 }
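/**
 * Alternate Login.
 * Try to login user using alternative systems (Radius, LDAP, CAS, HTTP BASIC, ...)
 * The systems are tried in that order and the first one that accepts the
 * credentials wins.
 * @param $username (string) user name
 * @param $password (string) password
 * @return array of user's data for successful login, false otherwise
 * @since 2008-03-28
 */
function F_altLogin($username, $password)
{
    global $l, $db;
    require_once '../config/tce_config.php';
    // Normalise to strings so the comparisons below can be strict.
    $username = is_scalar($username) ? (string) $username : '';
    $password = is_scalar($password) ? (string) $password : '';
    // Fields every external user record carries.
    $empty_usr = [
        'user_email' => '',
        'user_firstname' => '',
        'user_lastname' => '',
        'user_birthdate' => '',
        'user_birthplace' => '',
        'user_regnumber' => '',
        'user_ssn' => '',
    ];
    // TCExam tries to retrive the user login information from the following systems:
    // 1) RADIUS ---------------------------------------------
    require_once '../../shared/config/tce_radius.php';
    if (K_RADIUS_ENABLED) {
        require_once '../../shared/radius/radius.class.php';
        $radius = new Radius(K_RADIUS_SERVER_IP, K_RADIUS_SHARED_SECRET, K_RADIUS_SUFFIX, K_RADIUS_UDP_TIMEOUT, K_RADIUS_AUTHENTICATION_PORT, K_RADIUS_ACCOUNTING_PORT);
        // utf8_encode() (ISO-8859-1 -> UTF-8) is deprecated since PHP 8.2; kept
        // because it is the conversion the K_RADIUS_UTF8 option selects.
        $radusername = K_RADIUS_UTF8 ? utf8_encode($username) : $username;
        $radpassword = K_RADIUS_UTF8 ? utf8_encode($password) : $password;
        if ($radius->AccessRequest($radusername, $radpassword)) {
            $usr = $empty_usr;
            $usr['user_level'] = K_RADIUS_USER_LEVEL;
            $usr['usrgrp_group_id'] = K_RADIUS_USER_GROUP_ID;
            return $usr;
        }
    }
    // -------------------------------------------------------
    // 2) LDAP -----------------------------------------------
    require_once '../../shared/config/tce_ldap.php';
    // An empty password must never reach ldap_bind(): directories commonly
    // treat it as an anonymous/unauthenticated bind that "succeeds".
    if (K_LDAP_ENABLED and $username !== '' and $password !== '') {
        // make ldap connection
        $ldapconn = ldap_connect(K_LDAP_HOST, K_LDAP_PORT);
        ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, K_LDAP_PROTOCOL_VERSION);
        ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
        // recommended for W2K3
        $ldapusername = K_LDAP_UTF8 ? utf8_encode($username) : $username;
        $ldappassword = K_LDAP_UTF8 ? utf8_encode($password) : $password;
        // Bind with the supplied credentials, then resolve the user's entry on the tree.
        if (ldap_bind($ldapconn, $ldapusername, $ldappassword)) {
            // $ldap_attr is expected to come from tce_ldap.php as a map of
            // user field => LDAP attribute name — confirm against that file.
            // ldap_search() needs a plain list of attribute names, so the map
            // itself is left untouched for the field mapping below (the former
            // sort() discarded its keys).
            $attr_map = (isset($ldap_attr) and is_array($ldap_attr)) ? $ldap_attr : [];
            $search_attrs = array_values(array_filter($attr_map));
            // Escape the user name so it cannot change the structure of the filter.
            $ldap_filter = str_replace('#USERNAME#', ldap_escape($ldapusername, '', LDAP_ESCAPE_FILTER), K_LDAP_FILTER);
            $search = @ldap_search($ldapconn, K_LDAP_BASE_DN, $ldap_filter, $search_attrs);
            $entries = ($search !== false) ? @ldap_get_entries($ldapconn, $search) : false;
            // ldap_get_entries() returns ['count' => n, 0 => entry, ...]; each entry
            // holds 'dn' and, per lower-cased attribute name, ['count' => m, 0 => value, ...].
            if (is_array($entries) and isset($entries['count']) and $entries['count'] > 0 and isset($entries[0]['dn'])) {
                $entry = $entries[0];
                // Re-bind as the resolved DN with the original password.
                if (@ldap_bind($ldapconn, $entry['dn'], $password)) {
                    @ldap_unbind($ldapconn);
                    $usr = [];
                    foreach ($attr_map as $k => $v) {
                        $attr = strtolower((string) $v);
                        $usr[$k] = (!empty($v) and isset($entry[$attr][0])) ? $entry[$attr][0] : '';
                    }
                    $usr['user_level'] = K_LDAP_USER_LEVEL;
                    $usr['usrgrp_group_id'] = K_LDAP_USER_GROUP_ID;
                    return $usr;
                }
            }
        }
        @ldap_unbind($ldapconn);
    }
    // -------------------------------------------------------
    // 3) CAS ------------------------------------------------
    require_once '../../shared/config/tce_cas.php';
    if (K_CAS_ENABLED) {
        require_once '../../shared/cas/CAS.php';
        // NOTE(review): this branch returns a user record as soon as CAS is
        // enabled, without consulting the CAS client for $username — confirm
        // that the CAS ticket is validated before this function is reached.
        $usr = $empty_usr;
        $usr['user_level'] = K_CAS_USER_LEVEL;
        $usr['usrgrp_group_id'] = K_CAS_USER_GROUP_ID;
        return $usr;
    }
    // -------------------------------------------------------
    // 4) HTTP BASIC -----------------------------------------
    require_once '../../shared/config/tce_httpbasic.php';
    if (K_HTTPBASIC_ENABLED and isset($_SERVER['AUTH_TYPE'], $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) and $_SERVER['AUTH_TYPE'] === 'Basic') {
        // NOTE(review): the web server has authenticated PHP_AUTH_USER, but it is
        // not compared with $username here — confirm the caller does so.
        $usr = $empty_usr;
        $usr['user_level'] = K_HTTPBASIC_USER_LEVEL;
        $usr['usrgrp_group_id'] = K_HTTPBASIC_USER_GROUP_ID;
        return $usr;
    }
    // -------------------------------------------------------
    return false;
}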
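/**
 * Try various external Login Systems.
 * (SSL, HTTP-BASIC, CAS, SHIBBOLETH, RADIUS, LDAP)
 * SSL, HTTP-BASIC, CAS and Shibboleth rely on identities established by the
 * web server / CAS client and turn them into a login form action
 * ($_POST['xuser_name'], $_POST['xuser_password'], $_POST['logaction']);
 * RADIUS and LDAP are only consulted when such a 'login' action is pending.
 * @return array of user's data for successful login, false otherwise
 * @since 2012-06-05
 */
function F_altLogin()
{
    global $l, $db;
    require_once '../config/tce_config.php';
    // Shared state for the server-side authenticated systems below
    // (&& rather than 'and': 'and' binds looser than '=').
    $logged_out = (isset($_SESSION['logout']) && $_SESSION['logout']);
    $session_user_name = $_SESSION['session_user_name'] ?? '';
    // Fields every external user record carries.
    $empty_usr = [
        'user_email' => '',
        'user_firstname' => '',
        'user_lastname' => '',
        'user_birthdate' => '',
        'user_birthplace' => '',
        'user_regnumber' => '',
        'user_ssn' => '',
    ];
    // TCExam tries to retrive the user login information from the following systems:
    // 1) SSL ----------------------------------------------------------
    require_once '../../shared/config/tce_ssl.php';
    if (K_SSL_ENABLED and !$logged_out) {
        $ssl_vars_present = isset(
            $_SERVER['SSL_CLIENT_M_SERIAL'],
            $_SERVER['SSL_CLIENT_I_DN'],
            $_SERVER['SSL_CLIENT_V_END'],
            $_SERVER['SSL_CLIENT_VERIFY'],
            $_SERVER['SSL_CLIENT_V_REMAIN']
        );
        // NOTE(review): mod_ssl documents SSL_CLIENT_V_REMAIN as the number of days
        // until the client certificate expires, so "<= 0" admits only certificates
        // expiring today or already expired — confirm the intended comparison.
        if ($ssl_vars_present and $_SERVER['SSL_CLIENT_VERIFY'] === 'SUCCESS' and $_SERVER['SSL_CLIENT_V_REMAIN'] <= 0) {
            // The certificate (serial + issuer DN) is the identity; the password
            // is derived from it, the site secret and the certificate expiry.
            $cert_id = $_SERVER['SSL_CLIENT_M_SERIAL'] . $_SERVER['SSL_CLIENT_I_DN'];
            $_POST['xuser_name'] = md5($cert_id);
            $_POST['xuser_password'] = getPasswordHash($cert_id . K_RANDOM_SECURITY . $_SERVER['SSL_CLIENT_V_END']);
            $_POST['logaction'] = 'login';
            $usr = $empty_usr;
            $usr['user_email'] = $_SERVER['SSL_CLIENT_S_DN_Email'] ?? '';
            $usr['user_firstname'] = $_SERVER['SSL_CLIENT_S_DN_CN'] ?? '';
            $usr['user_level'] = K_SSL_USER_LEVEL;
            $usr['usrgrp_group_id'] = K_SSL_USER_GROUP_ID;
            return $usr;
        }
    }
    // -----------------------------------------------------------------
    // 2) HTTP BASIC ---------------------------------------------------
    require_once '../../shared/config/tce_httpbasic.php';
    if (K_HTTPBASIC_ENABLED and !$logged_out) {
        if (isset($_SERVER['AUTH_TYPE'], $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
            and $_SERVER['AUTH_TYPE'] === 'Basic'
            and $session_user_name !== $_SERVER['PHP_AUTH_USER']) {
            $_POST['xuser_name'] = $_SERVER['PHP_AUTH_USER'];
            $_POST['xuser_password'] = $_SERVER['PHP_AUTH_PW'];
            $_POST['logaction'] = 'login';
            $usr = $empty_usr;
            $usr['user_level'] = K_HTTPBASIC_USER_LEVEL;
            $usr['usrgrp_group_id'] = K_HTTPBASIC_USER_GROUP_ID;
            return $usr;
        }
    }
    // -----------------------------------------------------------------
    // 3) CAS - Central Authentication Service -------------------------
    require_once '../../shared/config/tce_cas.php';
    if (K_CAS_ENABLED) {
        require_once '../../shared/cas/CAS.php';
        phpCAS::client(K_CAS_VERSION, K_CAS_HOST, K_CAS_PORT, K_CAS_PATH, false);
        // NOTE(review): this disables TLS certificate validation of the CAS server;
        // phpCAS::setCasServerCACert() with the real CA bundle is the safe alternative.
        phpCAS::setNoCasServerValidation();
        phpCAS::forceAuthentication();
        $cas_user = phpCAS::getUser();
        if ($session_user_name !== $cas_user) {
            $_POST['xuser_name'] = $cas_user;
            $_POST['xuser_password'] = getPasswordHash($cas_user . K_RANDOM_SECURITY);
            $_POST['logaction'] = 'login';
            $usr = $empty_usr;
            $usr['user_level'] = K_CAS_USER_LEVEL;
            $usr['usrgrp_group_id'] = K_CAS_USER_GROUP_ID;
            return $usr;
        }
    }
    // -----------------------------------------------------------------
    // 4) Shibboleth ---------------------------------------------------
    require_once '../../shared/config/tce_shibboleth.php';
    if (K_SHIBBOLETH_ENABLED and !$logged_out) {
        // Either the SP session id or the IdP header proves an active Shibboleth session.
        $shib_session_present = (!empty($_SERVER['Shib_Session_ID']) || !empty($_SERVER['HTTP_SHIB_IDENTITY_PROVIDER']));
        if (isset($_SERVER['AUTH_TYPE'], $_SERVER['eppn'])
            and $_SERVER['AUTH_TYPE'] === 'shibboleth'
            and $shib_session_present
            and $session_user_name !== $_SERVER['eppn']) {
            $_POST['xuser_name'] = $_SERVER['eppn'];
            $_POST['xuser_password'] = getPasswordHash($_SERVER['eppn'] . K_RANDOM_SECURITY);
            $_POST['logaction'] = 'login';
            $usr = $empty_usr;
            $usr['user_email'] = $_SERVER['eppn'];
            $usr['user_firstname'] = $_SERVER['givenName'] ?? '';
            $usr['user_lastname'] = $_SERVER['sn'] ?? '';
            $usr['user_regnumber'] = $_SERVER['employeeNumber'] ?? '';
            $usr['user_level'] = K_SHIBBOLETH_USER_LEVEL;
            $usr['usrgrp_group_id'] = K_SHIBBOLETH_USER_GROUP_ID;
            return $usr;
        }
    }
    // -----------------------------------------------------------------
    // RADIUS and LDAP verify the credentials of a pending login form action.
    // Both values must be plain strings: $_POST is client-controlled and a
    // nested array would otherwise reach ldap_bind() / AccessRequest().
    if (isset($_POST['logaction'], $_POST['xuser_name'], $_POST['xuser_password'])
        and $_POST['logaction'] === 'login'
        and is_string($_POST['xuser_name']) and is_string($_POST['xuser_password'])) {
        $login_name = $_POST['xuser_name'];
        $login_password = $_POST['xuser_password'];
        // 5) RADIUS ---------------------------------------------------
        require_once '../../shared/config/tce_radius.php';
        if (K_RADIUS_ENABLED) {
            require_once '../../shared/radius/radius.class.php';
            $radius = new Radius(K_RADIUS_SERVER_IP, K_RADIUS_SHARED_SECRET, K_RADIUS_SUFFIX, K_RADIUS_UDP_TIMEOUT, K_RADIUS_AUTHENTICATION_PORT, K_RADIUS_ACCOUNTING_PORT);
            // utf8_encode() (ISO-8859-1 -> UTF-8) is deprecated since PHP 8.2; kept
            // because it is the conversion the K_RADIUS_UTF8 option selects.
            $radusername = K_RADIUS_UTF8 ? utf8_encode($login_name) : $login_name;
            $radpassword = K_RADIUS_UTF8 ? utf8_encode($login_password) : $login_password;
            if ($radius->AccessRequest($radusername, $radpassword)) {
                $usr = $empty_usr;
                $usr['user_level'] = K_RADIUS_USER_LEVEL;
                $usr['usrgrp_group_id'] = K_RADIUS_USER_GROUP_ID;
                return $usr;
            }
        }
        // -------------------------------------------------------------
        // 6) LDAP -----------------------------------------------------
        require_once '../../shared/config/tce_ldap.php';
        // An empty password must never reach ldap_bind(): directories commonly
        // treat it as an anonymous/unauthenticated bind that "succeeds".
        if (K_LDAP_ENABLED and $login_name !== '' and $login_password !== '') {
            // make ldap connection
            $ldapconn = ldap_connect(K_LDAP_HOST, K_LDAP_PORT);
            ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, K_LDAP_PROTOCOL_VERSION);
            ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
            // recommended for W2K3
            $ldapusername = K_LDAP_UTF8 ? utf8_encode($login_name) : $login_name;
            $ldappassword = K_LDAP_UTF8 ? utf8_encode($login_password) : $login_password;
            // Bind with the supplied credentials, then resolve the user's entry on the tree.
            if (ldap_bind($ldapconn, $ldapusername, $ldappassword)) {
                // $ldap_attr is expected to come from tce_ldap.php as a map of
                // user field => LDAP attribute name — confirm against that file.
                // ldap_search() needs a plain list of attribute names, so the map
                // itself is left untouched for the field mapping below (the former
                // sort() discarded its keys).
                $attr_map = (isset($ldap_attr) and is_array($ldap_attr)) ? $ldap_attr : [];
                $search_attrs = array_values(array_filter($attr_map));
                // Escape the user name so it cannot change the structure of the filter.
                $ldap_filter = str_replace('#USERNAME#', ldap_escape($ldapusername, '', LDAP_ESCAPE_FILTER), K_LDAP_FILTER);
                $search = @ldap_search($ldapconn, K_LDAP_BASE_DN, $ldap_filter, $search_attrs);
                $entries = ($search !== false) ? @ldap_get_entries($ldapconn, $search) : false;
                // ldap_get_entries() returns ['count' => n, 0 => entry, ...]; each entry
                // holds 'dn' and, per lower-cased attribute name, ['count' => m, 0 => value, ...].
                if (is_array($entries) and isset($entries['count']) and $entries['count'] > 0 and isset($entries[0]['dn'])) {
                    $entry = $entries[0];
                    // Re-bind as the resolved DN with the original password.
                    if (@ldap_bind($ldapconn, $entry['dn'], $login_password)) {
                        @ldap_unbind($ldapconn);
                        $usr = [];
                        foreach ($attr_map as $k => $v) {
                            $attr = strtolower((string) $v);
                            $usr[$k] = (!empty($v) and isset($entry[$attr][0])) ? $entry[$attr][0] : '';
                        }
                        $usr['user_level'] = K_LDAP_USER_LEVEL;
                        $usr['usrgrp_group_id'] = K_LDAP_USER_GROUP_ID;
                        return $usr;
                    }
                }
            }
            @ldap_unbind($ldapconn);
        }
        // -------------------------------------------------------------
    }
    return false;
}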