/**
 * Builds the admin configuration object for one authorization consumer.
 *
 * After the parent constructor has run, the field definitions and the full
 * consumer list are loaded. For a brand-new configuration ($new === TRUE) every
 * entry of the consumer's defaultConsumerConfProperties map (property name =>
 * default value) is copied onto this object. Property names therefore come
 * from the consumer class, not from request input.
 *
 * @param object $consumer
 *   Consumer object, passed by reference to the parent constructor
 *   (presumably stored as $this->consumer by the parent — see parent class).
 * @param bool $new
 *   TRUE when this configuration has not been saved yet and should be seeded
 *   with the consumer's defaults.
 */
public function __construct(&$consumer = NULL, $new = FALSE) {
  parent::__construct($consumer, $new);
  $this->fields = $this->fields();
  $this->consumers = ldap_authorization_get_consumers(NULL, TRUE);

  if (!$new) {
    return;
  }

  // Seed a fresh configuration from the consumer's default map.
  $default_map = $this->consumer->defaultConsumerConfProperties;
  foreach ($default_map as $prop_name => $default_value) {
    $this->{$prop_name} = $default_value;
  }
}
/**
 * Builds the admin configuration object for one authorization consumer.
 *
 * After the parent constructor has run, the field definitions and the full
 * consumer list are loaded. For a brand-new configuration ($new === TRUE) each
 * name listed in the consumer's defaultableConsumerConfProperties is copied
 * from the consumer's matching "<name>Default" property onto this object. The
 * property names come from the consumer class, not from request input.
 *
 * @param object $consumer
 *   Consumer object, passed by reference to the parent constructor
 *   (presumably stored as $this->consumer by the parent — see parent class).
 * @param bool $new
 *   TRUE when this configuration has not been saved yet and should be seeded
 *   with the consumer's defaults.
 */
public function __construct(&$consumer = NULL, $new = FALSE) {
  parent::__construct($consumer, $new);
  $this->fields = $this->fields();
  $this->consumers = ldap_authorization_get_consumers(NULL, TRUE);

  if (!$new) {
    return;
  }

  // Each defaultable property X has its default stored on the consumer as XDefault.
  foreach ($this->consumer->defaultableConsumerConfProperties as $prop_name) {
    $this->{$prop_name} = $this->consumer->{$prop_name . 'Default'};
  }
}
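/**
 * Decides whether an LDAP-authenticated user may log in / be provisioned.
 *
 * The checks run in order and the first failing one denies the user:
 *   1. excludeIfTextInDn: any configured substring found in the DN
 *      (case-insensitive) denies;
 *   2. allowTestPhp: admin-supplied PHP evaluated through the php module;
 *      a falsy result denies;
 *   3. allowOnlyIfTextInDn: when configured, at least one substring must be
 *      found in the DN;
 *   4. excludeIfNoAuthorizations: at least one enabled ldap_authorization
 *      consumer must grant the user an authorization;
 *   5. hook_ldap_authentication_allowuser_results_alter: any module may veto.
 * Misconfiguration (a check enabled whose supporting module or consumers are
 * missing) fails closed: a watchdog entry and an admin message are emitted and
 * the user is denied.
 *
 * @param string $name
 *   Proposed Drupal username.
 * @param array $ldap_user
 *   LDAP user entry where the top level keys are 'dn', 'attr', 'mail'. Only
 *   'dn' is inspected here; the whole array is exposed to the PHP snippet and
 *   to the alter hook.
 *
 * @return bool
 *   FALSE means NOT allowed; TRUE means allowed.
 *
 * @todo this function should simply invoke hook_ldap_authentication_allowuser_results_alter
 *   and most of this function should go in ldap_authentication_allowuser_results_alter
 */
public function allowUser($name, $ldap_user) {
  // Read the DN once and coerce a missing/NULL value to '' so the substring
  // tests below cannot raise an undefined-index notice and simply see no match.
  $dn = isset($ldap_user['dn']) ? (string) $ldap_user['dn'] : '';

  // 1. Exclusion list: any match in the DN denies the user.
  foreach ($this->excludeIfTextInDn as $test) {
    // An empty pattern is skipped: stripos() with an empty needle warns and
    // returns FALSE on PHP < 8 but matches at offset 0 on PHP 8, which would
    // silently deny every user.
    if ((string) $test === '') {
      continue;
    }
    if (stripos($dn, $test) !== FALSE) {
      return FALSE;
    }
  }

  // 2. Admin-supplied PHP test.
  if ($this->allowTestPhp) {
    if (module_exists('php')) {
      // SECURITY: this evaluates arbitrary PHP with the web server's
      // privileges, controlled by whoever can edit the LDAP Authentication
      // settings. The settings form must gate this field behind the php
      // module's 'use PHP for settings' permission — that is not verified
      // here, confirm it in the form code. The snippet receives the candidate
      // username and LDAP entry through the two globals, which are cleared
      // again as soon as it returns.
      global $_name, $_ldap_user_entry;
      $_name = $name;
      $_ldap_user_entry = $ldap_user;
      $code = '<?php ' . "global \$_name; \n global \$_ldap_user_entry; \n" . $this->allowTestPhp . ' ?>';
      // php_eval() hands back the snippet's output (Drupal's implementation
      // prints the evaluated code's return value — confirm against the php
      // module), so an empty/falsy result denies the user.
      $code_result = php_eval($code);
      $_name = NULL;
      $_ldap_user_entry = NULL;
      if (!$code_result) {
        return FALSE;
      }
    }
    else {
      // Fail closed: the test is configured but cannot be evaluated.
      drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
      $tokens = array('!ldap_authentication_config' => l(t('LDAP Authentication Configuration'), 'admin/config/people/ldap/authentication'));
      watchdog('ldap_authentication', 'LDAP Authentication is configured to deny users based on php execution with php_eval function, but php module is not enabled. 
Please enable php module or remove php code at !ldap_authentication_config .', $tokens);
      return FALSE;
    }
  }

  // 3. Allow list: when configured, at least one pattern must appear in the DN.
  if (count($this->allowOnlyIfTextInDn)) {
    $matched = FALSE;
    foreach ($this->allowOnlyIfTextInDn as $test) {
      // Skipping empty patterns matters more here: on PHP 8 an empty needle
      // matches everything and would turn the allow list into allow-all.
      if ((string) $test === '') {
        continue;
      }
      if (stripos($dn, $test) !== FALSE) {
        $matched = TRUE;
        break;
      }
    }
    if (!$matched) {
      return FALSE;
    }
  }

  // 4. Require at least one authorization from an enabled consumer.
  if ($this->excludeIfNoAuthorizations) {
    if (!module_exists('ldap_authorization')) {
      // Fail closed: the option depends on a module that is not enabled.
      drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
      $tokens = array('!ldap_authentication_config' => l(t('LDAP Authentication Configuration'), 'admin/config/people/ldap/authentication'));
      watchdog('ldap_authentication', 'LDAP Authentication is configured to deny users without LDAP Authorization mappings, but LDAP Authorization module is not enabled. Please enable and configure LDAP Authorization or disable this option at !ldap_authentication_config .', $tokens);
      return FALSE;
    }
    // The account may not exist yet, so a stand-in user object is built for
    // the authorization query.
    $user = new stdClass();
    $user->name = $name;
    $user->ldap_authenticated = TRUE; // fake user property added for query
    $consumers = ldap_authorization_get_consumers();
    $has_enabled_consumers = FALSE;
    $has_ldap_authorizations = FALSE;
    foreach ($consumers as $consumer_type => $consumer_config) {
      $consumer_obj = ldap_authorization_get_consumer_object($consumer_type);
      if ($consumer_obj->consumerConf->status) {
        $has_enabled_consumers = TRUE;
        list($authorizations, $notifications) = ldap_authorizations_user_authorizations($user, 'query', $consumer_type, 'test_if_authorizations_granted');
        if (isset($authorizations[$consumer_type]) && count($authorizations[$consumer_type]) > 0) {
          $has_ldap_authorizations = TRUE;
        }
      }
    }
    if (!$has_enabled_consumers) {
      // Fail closed: nothing could have granted an authorization.
      drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
      $tokens = array('!ldap_consumer_config' => l(t('LDAP Authorization Configuration'), 'admin/config/people/ldap/authorization'));
      watchdog('ldap_authentication', 'LDAP Authentication is configured to deny users without LDAP Authorization mappings, but 0 LDAP Authorization consumers are configured: !ldap_consumer_config .', $tokens);
      return FALSE;
    }
    elseif (!$has_ldap_authorizations) {
      return FALSE;
    }
  }

  // 5. Let other modules veto. $hook_result is passed by reference.
  $hook_result = TRUE;
  drupal_alter('ldap_authentication_allowuser_results', $ldap_user, $name, $hook_result);
  if ($hook_result === FALSE) {
    watchdog('ldap_authentication', "Authentication Allow User Result=refused for %name", array('%name' => $name), WATCHDOG_NOTICE);
    return FALSE;
  }

  // Default to allowed.
  return TRUE;
}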
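/**
 * Decides whether an LDAP-authenticated user may log in / be provisioned.
 *
 * The checks run in order and the first failing one denies the user:
 *   1. excludeIfTextInDn: any configured substring found in the DN
 *      (compared after drupal_strtolower() on both sides) denies;
 *   2. allowTestPhp: admin-supplied PHP evaluated through the php module;
 *      a falsy result denies;
 *   3. allowOnlyIfTextInDn: when configured, at least one substring must be
 *      found in the DN;
 *   4. excludeIfNoAuthorizations: the first enabled ldap_authorization
 *      consumer that grants the user anything allows; none granting denies.
 * Misconfiguration (a check enabled whose supporting module or consumers are
 * missing) fails closed: a watchdog entry and an admin message are emitted and
 * the user is denied.
 *
 * @param string $name
 *   Proposed Drupal username.
 * @param array $ldap_user_entry
 *   LDAP user entry; only the 'dn' key is inspected here, the whole array is
 *   exposed to the PHP snippet.
 *
 * @return bool
 *   FALSE means NOT allowed; TRUE means allowed.
 */
public function allowUser($name, $ldap_user_entry) {
  // Lower-case the DN once (drupal_strtolower() is pure) and coerce a
  // missing/NULL value to '' so the substring tests cannot raise an
  // undefined-index notice and simply see no match.
  $dn_lc = drupal_strtolower(isset($ldap_user_entry['dn']) ? (string) $ldap_user_entry['dn'] : '');

  // 1. Exclusion list: any match in the DN denies the user.
  foreach ($this->excludeIfTextInDn as $test) {
    // An empty pattern is skipped: strpos() with an empty needle warns and
    // returns FALSE on PHP < 8 but matches at offset 0 on PHP 8, which would
    // silently deny every user.
    if ((string) $test === '') {
      continue;
    }
    if (strpos($dn_lc, drupal_strtolower($test)) !== FALSE) {
      return FALSE;
    }
  }

  // 2. Admin-supplied PHP test.
  if ($this->allowTestPhp) {
    if (module_exists('php')) {
      // SECURITY: this evaluates arbitrary PHP with the web server's
      // privileges, controlled by whoever can edit the LDAP Authentication
      // settings. The settings form must gate this field behind the php
      // module's 'use PHP for settings' permission — that is not verified
      // here, confirm it in the form code. The snippet receives the candidate
      // username and LDAP entry through the two globals, which are cleared
      // again as soon as it returns.
      global $_name, $_ldap_user_entry;
      $_name = $name;
      $_ldap_user_entry = $ldap_user_entry;
      $code = '<?php ' . "global \$_name; \n global \$_ldap_user_entry; \n" . $this->allowTestPhp . ' ?>';
      // php_eval() hands back the snippet's output (Drupal's implementation
      // prints the evaluated code's return value — confirm against the php
      // module), so an empty/falsy result denies the user.
      $code_result = php_eval($code);
      $_name = NULL;
      $_ldap_user_entry = NULL;
      if (!$code_result) {
        return FALSE;
      }
    }
    else {
      // Fail closed: the test is configured but cannot be evaluated.
      // NOTE(review): watchdog()'s first argument is the log type; 'warning'
      // is not a severity here. The sibling implementation logs under
      // 'ldap_authentication', which is easier to filter on.
      drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
      $tokens = array('!ldap_authentication_config' => l(t('LDAP Authentication Configuration'), 'admin/config/people/ldap/authentication'));
      watchdog('warning', 'LDAP Authentication is configured to deny users based on php execution with php_eval function, but php module is not enabled. 
Please enable php module or remove php code at !ldap_authentication_config .', $tokens);
      return FALSE;
    }
  }

  // 3. Allow list: when configured, at least one pattern must appear in the DN.
  if (count($this->allowOnlyIfTextInDn)) {
    $matched = FALSE;
    foreach ($this->allowOnlyIfTextInDn as $test) {
      // Skipping empty patterns matters more here: on PHP 8 an empty needle
      // matches everything and would turn the allow list into allow-all.
      if ((string) $test === '') {
        continue;
      }
      if (strpos($dn_lc, drupal_strtolower($test)) !== FALSE) {
        $matched = TRUE;
        break;
      }
    }
    if (!$matched) {
      return FALSE;
    }
  }

  // 4. Require at least one authorization from an enabled consumer. Note that
  // this branch returns directly: once it is entered, the final "default to
  // allowed" is never reached.
  if ($this->excludeIfNoAuthorizations) {
    if (!module_exists('ldap_authorization')) {
      // Fail closed: the option depends on a module that is not enabled.
      drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
      $tokens = array('!ldap_authentication_config' => l(t('LDAP Authentication Configuration'), 'admin/config/people/ldap/authentication'));
      watchdog('warning', 'LDAP Authentication is configured to deny users without LDAP Authorization mappings, but LDAP Authorization module is not enabled. Please enable and configure LDAP Authorization or disable this option at !ldap_authentication_config .', $tokens);
      return FALSE;
    }
    // The account may not exist yet, so a stand-in user object is built for
    // the authorization query.
    $user = new stdClass();
    $user->name = $name;
    $user->ldap_authenticated = TRUE; // fake user property added for query
    $consumers = ldap_authorization_get_consumers();
    $has_enabled_consumers = FALSE;
    foreach ($consumers as $consumer_type => $consumer_config) {
      $consumer_obj = ldap_authorization_get_consumer_object($consumer_type);
      if ($consumer_obj->consumerConf->status) {
        $has_enabled_consumers = TRUE;
        list($authorizations, $notifications) = ldap_authorizations_user_authorizations($user, 'query', $consumer_type, 'test_if_authorizations_granted');
        // Any truthy authorization value from this consumer is enough.
        if (count(array_filter(array_values($authorizations))) > 0) {
          return TRUE;
        }
      }
    }
    if (!$has_enabled_consumers) {
      // Fail closed: nothing could have granted an authorization.
      drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
      $tokens = array('!ldap_consumer_config' => l(t('LDAP Authorization Configuration'), 'admin/config/people/ldap/authorization'));
      watchdog('warning', 'LDAP Authentication is 
configured to deny users without LDAP Authorization mappings, but 0 LDAP Authorization consumers are configured: !ldap_consumer_config .', $tokens);
      return FALSE;
    }
    // Consumers are enabled but none granted anything.
    return FALSE;
  }

  // Default to allowed.
  return TRUE;
}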