/**
* Tries to logon to the HTTP server with given id and password
*
* @access public
*
* @param string $source Authentication source to be used
* @param string $external_uid The ID entered
* @param string $external_passwd The password of the user
*
* @return boolean True if the authentication was a success, false
* otherwise
*/
public function Authenticate($source, $external_uid, $external_passwd)
{
require_once 'HTTP/Request.php';
// Set some default HTTP request options
$request_options['method'] = 'GET';
$request_options['timeout'] = 5;
$request_options['allowRedirects'] = true;
$enc = ExternalAuthenticator::getAuthEnc($source);
$port = ExternalAuthenticator::getAuthPort($source);
$folder = ExternalAuthenticator::getOption($source, 'folder');
$proxy = ExternalAuthenticator::getOption($source, 'proxy');
$proxy_port = ExternalAuthenticator::getOption($source, 'proxy_port');
$proxy_user = ExternalAuthenticator::getOption($source, 'proxy_user');
$proxy_pass = ExternalAuthenticator::getOption($source, 'proxy_pass');
if (!is_null($proxy) && !is_null($proxy_port)) {
ExternalAuthenticator::AuthLog($external_uid . '.http - Proxy is set to ' . $proxy . ':' . $proxy_port);
$request_options['proxy_host'] = $proxy;
$request_options['proxy_port'] = $proxy_port;
} else {
ExternalAuthenticator::AuthLog($external_uid . '.http - Proxy is not set');
}
if (!is_null($proxy_user)) {
ExternalAuthenticator::AuthLog($external_uid . '.http - Proxy user is set to ' . $proxy_user);
$request_options['proxy_user'] = $proxy_user;
if (!is_null($proxy_pass)) {
ExternalAuthenticator::AuthLog($external_uid . '.http - Proxy password is set');
$request_options['proxy_pass'] = $proxy_pass;
} else {
ExternalAuthenticator::AuthLog($external_uid . '.http - Proxy password is NOT set');
}
} else {
ExternalAuthenticator::AuthLog($external_uid . '.http - Proxy user is NOT set');
}
if ($enc == 'ssl') {
$url = 'https://';
} else {
$url = 'http://';
}
$url .= ExternalAuthenticator::getAuthServer($source);
if (!is_null($port)) {
$url .= ':' . $port;
}
if (!is_null($folder)) {
$url .= $folder;
}
ExternalAuthenticator::AuthLog($external_uid . '.http - Authentication URL is set to ' . $url);
$request = new HTTP_Request($url, $request_options);
$request->setBasicAuth($external_uid, $external_passwd);
ExternalAuthenticator::AuthLog($external_uid . '.http - Sending authentication request');
$request->sendRequest();
// HTTP code 200 means everything is OK
if ($request->getResponseCode() == 200) {
ExternalAuthenticator::AuthLog($external_uid . '.http - Remote server returned code 200');
return true;
} else {
ExternalAuthenticator::AuthLog($external_uid . '.http - Authentication failed with HTTP code ' . $request->getResponseCode());
ExternalAuthenticator::setAuthMessage(_t('ExternalAuthenticator.Failed'));
return false;
}
}
/**
* Tries to logon to the IMAP server with given id and password
*
* @access public
*
* @param string $source Authentication source to be used
* @param string $external_uid The ID entered
* @param string $external_passwd The password of the user
*
* @return boolean True if the authentication was a success, false
* otherwise
*/
public function Authenticate($source, $external_uid, $external_passwd)
{
$servicetype = ExternalAuthenticator::getOption($source, 'protocol');
if (is_null($servicetype) || !in_array(strtolower($servicetype), array('imap', 'pop3'))) {
ExternalAuthenticator::setAuthMessage(_t('IMAP_Authenticator.Protocol', 'Protocol is not set to a valid type'));
return false;
}
$enc = ExternalAuthenticator::getAuthEnc($source);
$port = ExternalAuthenticator::getAuthPort($source);
if (is_null($port)) {
if (is_null($enc)) {
$port = self::$portlist["{$servicetype}"]['default'];
} else {
$port = self::$portlist["{$servicetype}"]["{$enc}"];
}
}
$connectstring = '{' . ExternalAuthenticator::getAuthServer($source);
$connectstring .= ':' . $port;
$connectstring .= '/' . $servicetype;
if (!is_null($enc)) {
$connectstring .= '/' . $enc;
$validate = ExternalAuthenticator::getOption($source, 'certnovalidate');
if (!is_null($validate) || $validate) {
$connectstring .= '/novalidate-cert';
}
} else {
$connectstring .= '/notls';
}
$connectstring .= '}';
ExternalAuthenticator::AuthLog($external_uid . '.imap - Connect string to server is ' . $connectstring);
ExternalAuthenticator::AuthLog($external_uid . '.imap - If you get a blank screen and the process end here, check php_imap module');
$mbox = @imap_open($connectstring, $external_uid, $external_passwd);
if (!$mbox) {
ExternalAuthenticator::AuthLog($external_uid . '.imap - ' . imap_last_error());
ExternalAuthenticator::setAuthMessage(_t('ExternalAuthenticator.Failed'));
return false;
} else {
ExternalAuthenticator::AuthLog($external_uid . '.imap - imap_open returned mailbox handle');
@imap_close($mbox);
return true;
}
}
/**
* Tries to logon to the LDAP server with given id and password
*
* @access public
*
* @param string $source The Authentication source to be used
* @param string $external_anchor The ID entered
* @param string $external_passwd The password of the user
*
* @return mixed Account details if succesful , false if not
*/
public function Authenticate($source, $external_anchor, $external_passwd)
{
// A password should have some lenght. An empty password will result
// in a succesfull anonymous bind. A password should not be all spaces
if (strlen(trim($external_passwd)) == 0) {
ExternalAuthenticator::setAuthMessage(_t('LDAP_Authenticator.NoPasswd', 'Please enter a password'));
return false;
}
// Do we support password expiration?
$expire = ExternalAuthenticator::getOption($source, 'passwd_expiration');
$result = self::Connect($source, $external_anchor);
if (is_string($result)) {
ExternalAuthenticator::setAuthMessage($result);
return false;
}
$dn = self::findDN($source, ExternalAuthenticator::getOption($source, 'attribute'), $external_anchor);
if (is_bool($dn)) {
@ldap_close(self::$ds);
ExternalAuthenticator::setAuthMessage(_t('ExternalAuthenticator.Failed'));
return false;
}
// Restore the default error handler. We dont want a red bordered
// screen on error, but a civilized message to the user
restore_error_handler();
$success = false;
//Initialize the result of the authentication
ExternalAuthenticator::AuthLog($external_anchor . '.ldap - Binding to LDAP as ' . $dn);
$bind = @ldap_bind(self::$ds, $dn, $external_passwd);
if ($bind != false) {
ExternalAuthenticator::AuthLog($external_anchor . '.ldap - LDAP accepted password for ' . $dn);
$accountdetails = self::lookupDetails($source, $dn, $external_anchor);
if (!is_null($expire) && $expire) {
ExternalAuthenticator::AuthLog($external_anchor . '.ldap - Check if password has expired');
// Reset the SilverStripe error handler
Debug::loadErrorHandlers();
// Do some calculations on the attributes to convert them
// to the interval [now]-[expires at]
if ($accountdetails['shadowmax']['value'] && $accountdetails['shadowlastchange']['value'] && $accountdetails['shadowwarning']['value']) {
$today = floor(time() / 86400);
$warnday = $accountdetails['shadowlastchange']['value'] + $accountdetails['shadowmax']['value'] - $accountdetails['shadowwarning']['value'];
$toexpire = $accountdetails['shadowlastchange']['value'] + $accountdetails['shadowmax']['value'] - $today;
ExternalAuthenticator::AuthLog($external_anchor . '.ldap - ' . $toexpire . ' before password expires ' . $towarn . ' days before warning');
// Out of luck. His password has expired.
if ($toexpire < 0) {
ExternalAuthenticator::setAuthMessage(_t('LDAP_Authenticator.Expired', 'Your password has expired'));
ExternalAuthenticator::AuthLog($external_anchor . '.ldap - LDAP Authentication FAILED due to expired password');
} else {
ExternalAuthenticator::AuthLog($external_anchor . '.ldap - LDAP Authentication success');
$success = array('firstname' => $accountdetails['firstname']['value'], 'surname' => $accountdetails['surname']['value'], 'email' => $accountdetails['email']['value'], 'group' => $accountdetails['group']['value']);
// Lets be civilized and warn the user that he should
// change his password soon
if ($today >= $warnday) {
ExternalAuthenticator::setAuthMessage(sprintf(_t('LDAP_Authenticator.WillExpire', 'Your password expires in %d days'), $toexpire));
}
}
} else {
ExternalAuthenticator::AuthLog($external_anchor . '.ldap - LDAP password expiry enabled, but attributes not set; IGNORING');
ExternalAuthenticator::AuthLog($external_anchor . '.ldap - LDAP Authentication success');
$success = array('firstname' => $accountdetails['firstname']['value'], 'surname' => $accountdetails['surname']['value'], 'email' => $accountdetails['email']['value'], 'group' => $accountdetails['group']['value']);
}
} else {
ExternalAuthenticator::AuthLog($external_anchor . '.ldap - Password expiry not enabled');
// Reset the SilverStripe error handler
Debug::loadErrorHandlers();
ExternalAuthenticator::AuthLog($external_anchor . '.ldap - LDAP Authentication success');
$success = array('firstname' => $accountdetails['firstname']['value'], 'surname' => $accountdetails['surname']['value'], 'email' => $accountdetails['email']['value'], 'group' => $accountdetails['group']['value']);
}
} else {
// Reset the SilverStripe error handler
Debug::loadErrorHandlers();
ExternalAuthenticator::AuthLog($external_anchor . '.ldap - LDAP authentication for ' . $dn . ' failed');
ExternalAuthenticator::setAuthMessage(_t('ExternalAuthenticator.Failed'));
$success = false;
}
@ldap_close(self::$ds);
return $success;
}
