/**
* Import all valid users
*
* @param TBGRequest $request
*/
public function runImportUsers(TBGRequest $request)
{
$validgroups = TBGContext::getModule('auth_ldap')->getSetting('groups');
$base_dn = TBGContext::getModule('auth_ldap')->getSetting('b_dn');
$dn_attr = TBGContext::getModule('auth_ldap')->getSetting('dn_attr');
$username_attr = TBGContext::getModule('auth_ldap')->getSetting('u_attr');
$fullname_attr = TBGContext::getModule('auth_ldap')->getSetting('f_attr');
$buddyname_attr = TBGContext::getModule('auth_ldap')->getSetting('b_attr');
$email_attr = TBGContext::getModule('auth_ldap')->getSetting('e_attr');
$groups_members_attr = TBGContext::getModule('auth_ldap')->getSetting('g_attr');
$user_class = TBGContext::getModule('auth_ldap')->getSetting('u_type');
$group_class = TBGContext::getModule('auth_ldap')->getSetting('g_type');
$users = array();
$importcount = 0;
$updatecount = 0;
try {
/*
* Connect and bind to the control user
*/
$connection = TBGContext::getModule('auth_ldap')->connect();
TBGContext::getModule('auth_ldap')->bind($connection, TBGContext::getModule('auth_ldap')->getSetting('control_user'), TBGContext::getModule('auth_ldap')->getSetting('control_pass'));
/*
* Get a list of all users of a certain objectClass
*/
$fields = array($fullname_attr, $buddyname_attr, $username_attr, $email_attr, 'cn', $dn_attr);
$filter = '(objectClass=' . TBGLDAPAuthentication::getModule()->escape($user_class) . ')';
$results = ldap_search($connection, $base_dn, $filter, $fields);
if (!$results) {
TBGLogging::log('failed to search for users: ' . ldap_error($connection), 'ldap', TBGLogging::LEVEL_FATAL);
throw new Exception(TBGContext::geti18n()->__('Search failed: ') . ldap_error($connection));
}
$data = ldap_get_entries($connection, $results);
/*
* For every user that exists, process it.
*/
for ($i = 0; $i != $data['count']; $i++) {
$user_dn = $data[$i][strtolower($dn_attr)][0];
/*
* If groups are specified, perform group restriction tests
*/
if ($validgroups != '') {
/*
* We will repeat this for every group, but groups are supplied as a comma-separated list
*/
if (strstr($validgroups, ',')) {
$groups = explode(',', $validgroups);
} else {
$groups = array();
$groups[] = $validgroups;
}
// Assumed we are initially banned
$allowed = false;
foreach ($groups as $group) {
// No need to carry on looking if we have access
if ($allowed == true) {
continue;
}
/*
* Find the group we are looking for, we search the entire directory
* We want to find 1 group, if we don't get 1, silently ignore this group.
*/
$fields2 = array($groups_members_attr);
$filter2 = '(&(cn=' . TBGLDAPAuthentication::getModule()->escape($group) . ')(objectClass=' . TBGLDAPAuthentication::getModule()->escape($group_class) . '))';
$results2 = ldap_search($connection, $base_dn, $filter2, $fields2);
if (!$results2) {
TBGLogging::log('failed to search for user: '******'ldap', TBGLogging::LEVEL_FATAL);
throw new Exception(TBGContext::geti18n()->__('Search failed: ') . ldap_error($connection));
}
$data2 = ldap_get_entries($connection, $results2);
if ($data2['count'] != 1) {
continue;
}
/*
* Look through the group's member list. If we are found, grant access.
*/
foreach ($data2[0][strtolower($groups_members_attr)] as $member) {
$member = preg_replace('/(?<=,) +(?=[a-zA-Z])/', '', $member);
$user_dn = preg_replace('/(?<=,) +(?=[a-zA-Z])/', '', $user_dn);
if (!is_numeric($member) && strtolower($member) == strtolower($user_dn)) {
$allowed = true;
}
}
}
if ($allowed == false) {
continue;
}
}
$users[$i] = array();
/*
* Set user's properties.
* Realname is obtained from directory, if not found we set it to the username
* Email is obtained from directory, if not found we set it to blank
*/
if (!array_key_exists(strtolower($fullname_attr), $data[$i])) {
$users[$i]['realname'] = $data[$i]['cn'][0];
} else {
$users[$i]['realname'] = $data[$i][strtolower($fullname_attr)][0];
}
if (!array_key_exists(strtolower($buddyname_attr), $data[$i])) {
$users[$i]['buddyname'] = $data[$i]['cn'][0];
} else {
$users[$i]['buddyname'] = $data[$i][strtolower($buddyname_attr)][0];
}
if (!array_key_exists(strtolower($email_attr), $data[$i])) {
$users[$i]['email'] = '';
} else {
$users[$i]['email'] = $data[$i][strtolower($email_attr)][0];
}
$users[$i]['username'] = $data[$i][strtolower($username_attr)][0];
}
} catch (Exception $e) {
TBGContext::setMessage('module_error', TBGContext::getI18n()->__('Import failed'));
TBGContext::setMessage('module_error_details', $e->getMessage());
$this->forward(TBGContext::getRouting()->generate('configure_module', array('config_module' => 'auth_ldap')));
}
/*
* For every user that was found, either create a new user object, or update
* the existing one. This will update the created and updated counts as appropriate.
*/
foreach ($users as $ldapuser) {
$username = $ldapuser['username'];
$email = $ldapuser['email'];
$realname = $ldapuser['realname'];
$buddyname = $ldapuser['buddyname'];
try {
$user = TBGUser::getByUsername($username);
if ($user instanceof TBGUser) {
$user->setRealname($realname);
$user->setEmail($email);
// update email address
$user->save();
$updatecount++;
} else {
// create user
$user = new TBGUser();
$user->setUsername($username);
$user->setRealname($realname);
$user->setBuddyname($buddyname);
$user->setEmail($email);
$user->setEnabled();
$user->setActivated();
$user->setPassword($user->getJoinedDate() . $username);
$user->setJoined();
$user->save();
$importcount++;
}
} catch (Exception $e) {
ldap_unbind($connection);
TBGContext::setMessage('module_error', TBGContext::getI18n()->__('Import failed'));
TBGContext::setMessage('module_error_details', $e->getMessage());
$this->forward(TBGContext::getRouting()->generate('configure_module', array('config_module' => 'auth_ldap')));
}
}
ldap_unbind($connection);
TBGContext::setMessage('module_message', TBGContext::getI18n()->__('Import successful! %imp users imported, %upd users updated from LDAP', array('%imp' => $importcount, '%upd' => $updatecount)));
$this->forward(TBGContext::getRouting()->generate('configure_module', array('config_module' => 'auth_ldap')));
}
public function doLogin($username, $password, $mode = 1)
{
$validgroups = $this->getSetting('groups');
$base_dn = $this->getSetting('b_dn');
$dn_attr = $this->escape($this->getSetting('dn_attr'));
$username_attr = $this->escape($this->getSetting('u_attr'));
$fullname_attr = $this->escape($this->getSetting('f_attr'));
$buddyname_attr = $this->escape($this->getSetting('b_attr'));
$email_attr = $this->escape($this->getSetting('e_attr'));
$groups_members_attr = $this->escape($this->getSetting('g_attr'));
$user_class = TBGContext::getModule('auth_ldap')->getSetting('u_type');
$group_class = TBGContext::getModule('auth_ldap')->getSetting('g_type');
$email = null;
$integrated_auth = $this->getSetting('integrated_auth');
/*
* Do the LDAP check here.
*
* If a connection error or something, throw an exception and log
*
* If we can, set $mail and $realname to correct values from LDAP
* otherwise don't touch those variables.
*
* To log do:
* TBGLogging::log('error goes here', 'ldap', TBGLogging::LEVEL_FATAL);
*/
try {
/*
* First job is to connect to our control user (may be an anonymous bind)
* so we can find the user we want to log in as/validate.
*/
$connection = $this->connect();
$control_user = $this->getSetting('control_user');
$control_password = $this->getSetting('control_pass');
$this->bind($connection, $control_user, $control_password);
// Assume bind successful, otherwise we would have had an exception
/*
* Search for a user with the username specified. We search in the base_dn, so we can
* find users in multiple parts of the directory, and only return users of a specific
* class (default person).
*
* We want exactly 1 user to be returned. We get the user's full name, email, cn
* and dn.
*/
$fields = array($fullname_attr, $buddyname_attr, $email_attr, 'cn', $dn_attr);
$filter = '(&(objectClass=' . TBGLDAPAuthentication::getModule()->escape($user_class) . ')(' . $username_attr . '=' . $this->escape($username) . '))';
$results = ldap_search($connection, $base_dn, $filter, $fields);
if (!$results) {
TBGLogging::log('failed to search for user: '******'ldap', TBGLogging::LEVEL_FATAL);
throw new Exception(TBGContext::geti18n()->__('Search failed: ') . ldap_error($connection));
}
$data = ldap_get_entries($connection, $results);
// User does not exist
if ($data['count'] == 0) {
TBGLogging::log('could not find user ' . $username . ', class ' . $user_class . ', attribute ' . $username_attr, 'ldap', TBGLogging::LEVEL_FATAL);
throw new Exception(TBGContext::geti18n()->__('User does not exist in the directory'));
}
// If we have more than 1 user, something is seriously messed up...
if ($data['count'] > 1) {
TBGLogging::log('too many users for ' . $username . ', class ' . $user_class . ', attribute ' . $username_attr, 'ldap', TBGLogging::LEVEL_FATAL);
throw new Exception(TBGContext::geti18n()->__('This user was found multiple times in the directory, please contact your admimistrator'));
}
/*
* If groups are specified, perform group restriction tests
*/
if ($validgroups != '') {
/*
* We will repeat this for every group, but groups are supplied as a comma-separated list
*/
if (strstr($validgroups, ',')) {
$groups = explode(',', $validgroups);
} else {
$groups = array();
$groups[] = $validgroups;
}
// Assumed we are initially banned
$allowed = false;
foreach ($groups as $group) {
// No need to carry on looking if we have access
if ($allowed == true) {
continue;
}
/*
* Find the group we are looking for, we search the entire directory as per users (See that stuff)
* We want to find 1 group, if we don't get 1, silently ignore this group.
*/
$fields2 = array($groups_members_attr);
$filter2 = '(&(objectClass=' . TBGLDAPAuthentication::getModule()->escape($group_class) . ')(cn=' . $this->escape($group) . '))';
$results2 = ldap_search($connection, $base_dn, $filter2, $fields2);
if (!$results2) {
TBGLogging::log('failed to search for user after binding: ' . ldap_error($connection), 'ldap', TBGLogging::LEVEL_FATAL);
throw new Exception(TBGContext::geti18n()->__('Search failed ') . ldap_error($connection));
}
$data2 = ldap_get_entries($connection, $results2);
if ($data2['count'] != 1) {
continue;
}
/*
* Look through the group's member list. If we are found, grant access.
*/
foreach ($data2[0][strtolower($groups_members_attr)] as $member) {
$member = preg_replace('/(?<=,) +(?=[a-zA-Z])/', '', $member);
$user_dn = preg_replace('/(?<=,) +(?=[a-zA-Z])/', '', $data[0][strtolower($dn_attr)][0]);
if (!is_numeric($member) && strtolower($member) == strtolower($user_dn)) {
$allowed = true;
}
}
}
if ($allowed == false) {
throw new Exception(TBGContext::getI18n()->__('You are not a member of a group allowed to log in'));
}
}
/*
* Set user's properties.
* Realname is obtained from directory, if not found we set it to the username
* Email is obtained from directory, if not found we set it to blank
*/
if (!array_key_exists(strtolower($fullname_attr), $data[0])) {
$realname = $username;
} else {
$realname = $data[0][strtolower($fullname_attr)][0];
}
if (!array_key_exists(strtolower($buddyname_attr), $data[0])) {
$buddyname = $username;
} else {
$buddyname = $data[0][strtolower($buddyname_attr)][0];
}
if (!array_key_exists(strtolower($email_attr), $data[0])) {
$email = '';
} else {
$email = $data[0][strtolower($email_attr)][0];
}
/*
* If we are performing a non integrated authentication login,
* now bind to the user and see if the credentials
* are valid. We bind using the full DN of the user, so no need for DOMAIN\ stuff
* on Windows, and more importantly it fixes other servers.
*
* If the bind fails (exception), we throw a nicer exception and don't continue.
*/
if ($mode == 1 && !$integrated_auth) {
try {
if (!is_array($data[0][strtolower($dn_attr)])) {
$dn = $data[0][strtolower($dn_attr)];
} else {
$dn = $data[0][strtolower($dn_attr)][0];
}
$bind = $this->bind($connection, $this->escape($dn), $password);
} catch (Exception $e) {
throw new Exception(TBGContext::geti18n()->__('Your password was not accepted by the server'));
}
} elseif ($mode == 1) {
if (!isset($_SERVER[$this->getSetting('integrated_auth_header')]) || $_SERVER[$this->getSetting('integrated_auth_header')] != $username) {
throw new Exception(TBGContext::geti18n()->__('HTTP authentication internal error.'));
}
}
} catch (Exception $e) {
ldap_unbind($connection);
throw $e;
}
try {
/*
* Get the user object. If the user exists, update the user's
* data from the directory.
*/
$user = TBGUser::getByUsername($username);
if ($user instanceof TBGUser) {
$user->setBuddyname($buddyname);
$user->setRealname($realname);
$user->setPassword($user->getJoinedDate() . $username);
// update password
$user->setEmail($email);
// update email address
$user->save();
} else {
/*
* If not, and we are performing an initial login, create the user object
* if we are validating a log in, kick the user out as the session is invalid.
*/
if ($mode == 1) {
// create user
$user = new TBGUser();
$user->setUsername($username);
$user->setRealname('temporary');
$user->setBuddyname($username);
$user->setEmail('temporary');
$user->setEnabled();
$user->setActivated();
$user->setJoined();
$user->setPassword($user->getJoinedDate() . $username);
$user->save();
} else {
throw new Exception('User does not exist in TBG');
}
}
} catch (Exception $e) {
ldap_unbind($connection);
throw $e;
}
ldap_unbind($connection);
/*
* Set cookies and return user row for general operations.
*/
TBGContext::getResponse()->setCookie('tbg3_username', $username);
TBGContext::getResponse()->setCookie('tbg3_password', TBGUser::hashPassword($user->getJoinedDate() . $username, $user->getSalt()));
return TBGUsersTable::getTable()->getByUsername($username);
}
