/**
 * Validate a username/password pair against the directory described by the
 * `app_sf_guard_plugin_ldap_settings` configuration entry.
 *
 * @param string $username Account name handed to adLDAP::authenticate().
 * @param string $password Password handed to adLDAP::authenticate().
 * @return bool True when adLDAP reports a successful authentication, false otherwise.
 */
public static function checkLdapCredentials($username, $password)
 {
     // Connection settings live in app config; an empty array is used when the key is absent.
     // NOTE(review): whether those settings enable SSL/TLS for the bind is not visible here - confirm.
     $ldapSettings = sfConfig::get('app_sf_guard_plugin_ldap_settings', array());
     $directory = new adLDAP($ldapSettings);
     // Collapse whatever authenticate() returns to a strict boolean.
     return (bool) $directory->authenticate($username, $password);
 }
Example #2
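 /**
  * Sign-in action: checks the posted credentials against Active Directory and,
  * on success, mirrors the directory profile into the local sfGuardUser record
  * before delegating to the parent sign-in action.
  *
  * Changes from the earlier form of this action: the posted `signin` payload is
  * validated before use, the adLDAP constructor runs inside the try block, and
  * exceptions are written to the error log instead of being echoed to the client.
  *
  * @param mixed $request Current request; its `signin` parameter is expected to
  *                       hold `username` and `password`.
  */
 public function executeSignin($request)
 {
     $this->form = new sfGuardFormSignin();
     if ($request->isMethod('post')) {
         $data = $request->getParameter('signin');
         // The form payload is client-controlled: require two non-empty strings before binding.
         $login = is_array($data) && isset($data['username']) ? $data['username'] : null;
         $secret = is_array($data) && isset($data['password']) ? $data['password'] : null;
         if (is_string($login) && $login !== '' && is_string($secret) && $secret !== '') {
             try {
                 // NOTE(review): the domain controller is addressed by a fixed IP and no SSL/TLS
                 // option is set in this array, so the bind may cross the network unencrypted - confirm.
                 $adldap = new adLDAP(array('account_suffix' => '@sch.bme.hu', 'domain_controllers' => array('152.66.208.42'), 'ad_username' => $login, 'ad_password' => $secret));
                 $authUser = $adldap->authenticate($login, $secret);
                 if ($authUser === true) {
                     $userData = $adldap->user_info($login);
                     // Directory attributes may be missing; fall back to null instead of raising notices.
                     $fullName = isset($userData[0]["displayname"][0]) ? $userData[0]["displayname"][0] : null;
                     $email = isset($userData[0]["mail"][0]) ? $userData[0]["mail"][0] : null;
                     $user = Doctrine::getTable('sfGuardUser')->findOneBy('username', $login);
                     $save = false;
                     if ($user) {
                         // Existing account: only rewrite it when the directory profile differs.
                         if ($user->Profile->full_name != $fullName || $user->Profile->email != $email) {
                             $save = true;
                         }
                     } else {
                         $user = new sfGuardUser();
                         $save = true;
                     }
                     if ($save) {
                         $user->username = $login;
                         // NOTE(review): this copies the directory password into the local account and
                         // only refreshes it when the profile changed. Presumably the parent action then
                         // checks the local copy, which would keep an old password usable after it is
                         // changed or revoked in AD - verify against sfGuardUser and the parent action.
                         $user->password = $secret;
                         $user->Profile->full_name = $fullName;
                         $user->Profile->email = $email;
                         $user->save();
                     }
                 }
             } catch (Exception $e) {
                 // Keep directory error details out of the HTTP response; record them server-side.
                 error_log('AD sign-in failed: ' . $e->getMessage());
             }
         }
     }
     parent::executeSignin($request);
 }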
Example #3
 /**
  * Authenticate $this->login / $this->password against Active Directory and
  * record the outcome on this object.
  *
  * On success sets display_name, logged = true and is_admin; on failure sets
  * logged = false and leaves the other fields untouched.
  */
 public function authAD()
 {
     $directory = new adLDAP();
     if (!$directory->authenticate($this->login, $this->password)) {
         $this->logged = false;
         return;
     }
     // Only a successfully authenticated login is looked up in the directory.
     $entries = $directory->user()->info($this->login);
     $this->display_name = $entries[0]['displayname'][0];
     $this->logged = true;
     // The admin decision is delegated to isAdmin(), which receives the directory entry.
     $this->is_admin = $this->isAdmin($entries);
 }
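 /**
  * Authenticate the posted login against the ggc.edu directory and open a session.
  *
  * Reads `login_user` and `login_pass` from $_POST; the password is passed through
  * self::decryptRSA() before the bind. On success the session id is regenerated and
  * the session is marked as logged in; on failure the client is redirected to
  * index.php?error=1 and the script ends.
  */
 function loginUser()
 {
     // A second options array used to be assigned first and was immediately overwritten;
     // only the effective configuration is kept.
     // NOTE(review): no SSL/TLS option is set here, so the bind may be unencrypted - confirm.
     $ldapOptions = array('account_suffix' => '@ggc.edu', 'base_dn' => 'ou=GGCNet,dc=ggc,dc=edu', 'domain_controllers' => array('ldap.ggc.edu'));
     $ldap = new adLDAP($ldapOptions);
     // Both fields are client-controlled; treat anything but two strings as a failed login.
     $submittedUser = isset($_POST['login_user']) ? $_POST['login_user'] : null;
     $submittedPass = isset($_POST['login_pass']) ? $_POST['login_pass'] : null;
     $authenticated = is_string($submittedUser) && is_string($submittedPass)
         && $ldap->authenticate($submittedUser, self::decryptRSA($submittedPass));
     if ($authenticated) {
         // Issue a fresh session id at the privilege change so a pre-login id cannot be reused.
         if (session_id() !== '') {
             session_regenerate_id(true);
         }
         $_SESSION['loggedInParking'] = strtolower($submittedUser);
         // allow commenting
         $_SESSION['allowComments'] = true;
     } else {
         // Same response for unknown user and wrong password.
         header("location: index.php?error=1");
         die;
     }
 }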
Example #5
 /**
  * Authenticate a user against the configured domain controller.
  *
  * @param string $username Account name to authenticate.
  * @param string $password Password for that account.
  * @return k_AuthenticatedUser Wrapper around $username when authentication succeeds.
  * @throws Exception When adLDAP does not report success; the message carries adLDAP's last error.
  */
 function selectUserFromLdap($username, $password)
 {
     try {
         $directory = new adLDAP();
         $directory->set_account_suffix('@vejleidraetsefterskole.local');
         $directory->set_domain_controllers(array('mail.vih.dk'));
     } catch (adLDAPException $setupError) {
         // NOTE(review): this prints the exception to the response before exiting, which can
         // expose connection details to the client; consider logging it server-side instead.
         echo $setupError;
         exit;
     }
     // Anything other than a strict true counts as a failed login.
     if ($directory->authenticate($username, $password) !== true) {
         throw new Exception('User authentication unsuccessful. ' . $directory->get_last_error());
     }
     return new k_AuthenticatedUser($username);
 }
 /**
  * Fetch the SystemUser that matches the supplied credentials.
  *
  * With $method "ldap" the password is verified by adLDAP and the local account
  * is then looked up by user name only; any other $method compares both user
  * name and password against the SystemUser table.
  *
  * @param string $username
  * @param string $password
  * @param string $method "ldap" for directory authentication, anything else for the internal check
  * @return Users Result of fetchOne() on the built query
  */
 public function getCredentials($username, $password, $method = 'internal')
 {
     if ($method != "ldap") {
         // NOTE(review): the value is compared to user_password as given; whether the caller
         // hashes it first is not visible here - confirm no clear-text passwords are stored.
         $internalQuery = Doctrine_Query::create()->from('SystemUser')->where('user_name = ?', $username)->andWhere('user_password = ?', $password)->andWhere('deleted = 0');
         return $internalQuery->fetchOne();
     }
     require_once ROOT_PATH . 'lib/common/ldap/adLDAP.php';
     $directory = new adLDAP();
     // Authenticate using the adLDAP configuration
     $directoryAccepted = $directory->authenticate($username, $password);
     // On success load the internally created account (ESS/Admin accounts listed under users);
     // on failure use a condition that can never match so the result set is empty.
     $ldapQuery = $directoryAccepted
         ? Doctrine_Query::create()->from('SystemUser')->where('user_name = ?', $username)->andWhere('deleted = 0')
         : Doctrine_Query::create()->from('SystemUser')->where('1 = 2');
     return $ldapQuery->fetchOne();
 }
Example #7
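 /**
  * Authenticate a user against Active Directory through adLDAP.
  *
  * There is no fixed fallback password: a login succeeds only when the directory
  * accepts the supplied credentials. Connection failures are logged server-side
  * and reported to the caller as a failed login instead of being printed.
  *
  * @param string $username Account name to authenticate.
  * @param string $password Password for that account.
  * @return bool True (and $this->logged_in set) on success, false otherwise.
  */
 function login($username, $password)
 {
     // Reject missing or empty credentials before touching the directory.
     if ($username != NULL && $password != NULL) {
         //include the class and create a connection
         require_once dirname(__FILE__) . '/adLdap.php';
         try {
             $adldap = new adLDAP();
         } catch (adLDAPException $e) {
             // Keep connection details out of the response; the caller just sees a failed login.
             error_log('adLDAP connection failed: ' . $e->getMessage());
             return false;
         }
         //authenticate the user
         if ($adldap->authenticate($username, $password)) {
             $this->logged_in = true;
             return true;
         }
     }
     return false;
 }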
Example #8
 /**
  * Authenticate the current user with the backend named by $AUTHCFG['authType']
  * ('LDAP', 'AD', or anything else for the integrated SQL check).
  *
  * @param string $user_password - The password of the user to authenticate
  * @return true if the user is authenticated, false otherwise
  */
 function doLogin($user_password)
 {
     global $AUTHCFG;
     $usr_name = $this->column_fields["user_name"];
     $backend = strtoupper($AUTHCFG['authType']);

     if ($backend === 'LDAP') {
         $this->log->debug("Using LDAP authentication");
         require_once 'modules/Users/authTypes/LDAP.php';
         $ldapResult = ldapAuthenticate($this->column_fields["user_name"], $user_password);
         // A NULL-equivalent result from ldapAuthenticate() means the login failed.
         return $ldapResult != NULL;
     }

     if ($backend === 'AD') {
         $this->log->debug("Using Active Directory authentication");
         require_once 'modules/Users/authTypes/adLDAP.php';
         $directory = new adLDAP();
         return (bool) $directory->authenticate($this->column_fields["user_name"], $user_password);
     }

     // Any other value falls back to the integrated SQL check.
     $this->log->debug("Using integrated/SQL authentication");
     $encrypted_password = $this->encrypt_password($user_password);
     // NOTE(review): $usr_name is interpolated straight into the SQL text. If user_name comes
     // from the login form this is open to SQL injection; it should be passed as a bound parameter.
     // NOTE(review): the password literal in this query looks masked in this listing; as written,
     // $encrypted_password is computed but never used in the comparison - confirm against the original.
     $query = "SELECT id from {$this->table_name} where deleted=0 and user_name='{$usr_name}' AND user_password='******'";
     $rows = $this->db->query($query);
     if ($this->db->num_rows($rows) > 0) {
         $id = $this->db->query_result($rows, 0, "id");
         $this->log->debug("Using integrated/SQL authentication id:" . $id);
         return true;
     }
     $this->log->debug("Using integrated/SQL authentication NO Record");
     return false;
 }
Example #9
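 /**
  * Login action: tries each configured authentication mechanism in order and,
  * on the first success, stores the user, groups and mechanism in the session
  * and redirects to $return. Otherwise renders the login view.
  *
  * The 'ldap' case now ends with its own `break`. Without it, a failed or skipped
  * LDAP attempt fell through into the 'AD' case and retried the same credentials
  * through adLDAP using the LDAP mechanism's configuration.
  *
  * NOTE(review): the 'noauth' mechanism grants a session without any credential
  * check; make sure it is never enabled on a reachable deployment.
  *
  * @param string $return Path to redirect to after login; extra call arguments
  *                       are joined onto it with '/'.
  */
 function login($return = '')
 {
     if (func_get_args()) {
         $return_parts = func_get_args();
         $return = implode('/', $return_parts);
     }
     // NOTE(review): $return is built from caller-supplied path segments; confirm that
     // redirect() confines the target to this application.
     if ($this->authorized()) {
         redirect($return);
     }
     $check = FALSE;
     // If no valid mechanisms found, bail
     if (!$this->auth_mechanisms) {
         redirect('auth/generate');
     }
     $login = isset($_POST['login']) ? $_POST['login'] : '';
     $password = isset($_POST['password']) ? $_POST['password'] : '';
     // User is a member of these groups
     $groups = array();
     // Loop through authentication mechanisms
     // Break when we have a match
     foreach ($this->auth_mechanisms as $mechanism => $auth_data) {
         // Local is just a username => hash array
         switch ($mechanism) {
             case 'noauth':
                 // No authentication
                 $check = TRUE;
                 $login = '******';
                 break 2;
             case 'config':
                 // Config authentication
                 if ($login && $password) {
                     if (isset($auth_data[$login])) {
                         $t_hasher = $this->load_phpass();
                         $check = $t_hasher->CheckPassword($password, $auth_data[$login]);
                         if ($check) {
                             // Get group memberships
                             foreach (conf('groups', array()) as $groupname => $members) {
                                 if (in_array($login, $members)) {
                                     $groups[] = $groupname;
                                 }
                             }
                         }
                         // A known config user stops the mechanism loop whether or not the password matched
                         break 2;
                     }
                 }
                 break;
             case 'ldap':
                 // LDAP authentication
                 if ($login && $password) {
                     include_once APP_PATH . '/lib/authLDAP/authLDAP.php';
                     $ldap_auth_obj = new Auth_ldap($auth_data);
                     if ($ldap_auth_obj->authenticate($login, $password)) {
                         // Check user against users list
                         if (isset($auth_data['mr_allowed_users'])) {
                             $admin_users = is_array($auth_data['mr_allowed_users']) ? $auth_data['mr_allowed_users'] : array($auth_data['mr_allowed_users']);
                             if (in_array(strtolower($login), array_map('strtolower', $admin_users))) {
                                 $check = TRUE;
                                 // If business units enabled, get group memberships
                                 if (conf('enable_business_units')) {
                                     if ($user_data = $ldap_auth_obj->getUserData($login)) {
                                         $groups = $user_data['grps'];
                                     }
                                 }
                                 break 2;
                             }
                         }
                         // Check user against group list
                         if (isset($auth_data['mr_allowed_groups'])) {
                             // Set mr_allowed_groups to array
                             $admin_groups = is_array($auth_data['mr_allowed_groups']) ? $auth_data['mr_allowed_groups'] : array($auth_data['mr_allowed_groups']);
                             // Get groups from AD
                             if ($user_data = $ldap_auth_obj->getUserData($login)) {
                                 foreach ($user_data['grps'] as $group) {
                                     if (in_array($group, $admin_groups)) {
                                         $check = TRUE;
                                         // If business units enabled, store group memberships
                                         if (conf('enable_business_units')) {
                                             $groups = $user_data['grps'];
                                         }
                                         break 3;
                                     }
                                 }
                             }
                         }
                         //end group list check
                         // Authenticated, but not in users list or group list
                         error('Not authorized', 'auth.not_authorized');
                         break;
                     }
                 }
                 // Stop here: a failed LDAP attempt must not continue into the AD case below
                 break;
             case 'AD':
                 // Active Directory authentication
                 // Prevent empty values
                 if ($_POST && $login && $password) {
                     //include the class and create a connection
                     //TODO: wrap this include somewhere else?
                     include_once APP_PATH . '/lib/adLDAP/adLDAP.php';
                     try {
                         $adldap = new adLDAP($auth_data);
                     } catch (adLDAPException $e) {
                         error('An error ocurred while contacting AD', 'error_contacting_AD');
                         // When in debug mode, show additional info
                         // NOTE(review): keep debug off in production so directory error text is not shown to clients
                         if (conf('debug')) {
                             error($e->getMessage());
                         }
                         break 2;
                     }
                     // If nothing has failed to this point, authenticate user
                     if ($adldap->authenticate($login, $password)) {
                         // Check user against userlist
                         if (isset($auth_data['mr_allowed_users'])) {
                             $admin_users = is_array($auth_data['mr_allowed_users']) ? $auth_data['mr_allowed_users'] : array($auth_data['mr_allowed_users']);
                             if (in_array(strtolower($login), array_map('strtolower', $admin_users))) {
                                 $check = TRUE;
                                 // If business units enabled, get group memberships
                                 if (conf('enable_business_units')) {
                                     $groups = $adldap->user()->groups($login);
                                 }
                                 break 2;
                             }
                         }
                         // Check user against group list
                         if (isset($auth_data['mr_allowed_groups'])) {
                             // Set mr_allowed_groups to array
                             $admin_groups = is_array($auth_data['mr_allowed_groups']) ? $auth_data['mr_allowed_groups'] : array($auth_data['mr_allowed_groups']);
                             // Get groups from AD
                             $groups = $adldap->user()->groups($login);
                             foreach ($groups as $group) {
                                 if (in_array($group, $admin_groups)) {
                                     $check = TRUE;
                                     break 3;
                                 }
                             }
                         }
                         //end group list check
                         // Authenticated, but not in users list or group list
                         error('Not authorized', 'auth.not_authorized');
                         break;
                     }
                     break;
                 }
                 break;
             //end of AD method
             default:
                 die('Unknown authentication mechanism: ' . $mechanism);
                 break;
         }
         //end switch
     }
     //end foreach loop
     // If authentication succeeded, create session
     if ($check) {
         $_SESSION['user'] = $login;
         $_SESSION['groups'] = $groups;
         $_SESSION['auth'] = $mechanism;
         $this->set_session_props();
         // New session id at the privilege change
         session_regenerate_id();
         redirect($return);
     }
     // If POST and no other alerts, auth has failed
     if ($_POST && !$GLOBALS['alerts']) {
         if (!$login or !$password) {
             error('Empty values are not allowed', 'auth.empty_not_allowed');
         } else {
             // Same message for unknown user and wrong password
             error('Wrong username or password', 'auth.wrong_user_or_pass');
         }
     }
     $data = array('login' => $login, 'url' => url("auth/login/{$return}"));
     $obj = new View();
     $obj->view('auth/login', $data);
 }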
Example #10
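 /**
  * Login action: tries each configured authentication mechanism in order and,
  * on the first success, stores the user and mechanism in the session and
  * redirects to $return. Otherwise renders the login view.
  *
  * The 'ldap' case now ends with its own `break`. Without it, a failed or skipped
  * LDAP attempt fell through into the 'AD' case and retried the same credentials
  * through adLDAP using the LDAP mechanism's configuration.
  *
  * NOTE(review): the 'noauth' mechanism grants a session without any credential
  * check; make sure it is never enabled on a reachable deployment.
  *
  * @param string $return Path to redirect to after a successful login.
  */
 function login($return = '')
 {
     // NOTE(review): confirm that redirect() confines $return to this application.
     if ($this->authorized()) {
         redirect($return);
     }
     $check = FALSE;
     // If no valid mechanisms found, bail
     if (!$this->auth_mechanisms) {
         redirect('auth/generate');
     }
     $login = isset($_POST['login']) ? $_POST['login'] : '';
     $password = isset($_POST['password']) ? $_POST['password'] : '';
     // Loop through authentication mechanisms
     // Break when we have a match
     foreach ($this->auth_mechanisms as $mechanism => $auth_data) {
         // Local is just a username => hash array
         switch ($mechanism) {
             case 'noauth':
                 // No authentication
                 $check = TRUE;
                 $login = '******';
                 break 2;
             case 'config':
                 // Config authentication
                 if ($_POST && isset($auth_data[$login])) {
                     $t_hasher = $this->load_phpass();
                     $check = $t_hasher->CheckPassword($password, $auth_data[$login]);
                     // A known config user stops the mechanism loop whether or not the password matched
                     break 2;
                 }
                 break;
             case 'ldap':
                 // LDAP authentication
                 if ($login && $password) {
                     include_once APP_PATH . '/lib/authLDAP/authLDAP.php';
                     $ldap_auth_obj = new Auth_ldap($auth_data);
                     if ($ldap_auth_obj->authenticate($login, $password)) {
                         // Check user against users list
                         if (isset($auth_data['mr_allowed_users'])) {
                             $admin_users = is_array($auth_data['mr_allowed_users']) ? $auth_data['mr_allowed_users'] : array($auth_data['mr_allowed_users']);
                             if (in_array(strtolower($login), array_map('strtolower', $admin_users))) {
                                 $check = TRUE;
                                 break 2;
                             }
                         }
                         // Check user against group list
                         if (isset($auth_data['mr_allowed_groups'])) {
                             // Set mr_allowed_groups to array
                             $admin_groups = is_array($auth_data['mr_allowed_groups']) ? $auth_data['mr_allowed_groups'] : array($auth_data['mr_allowed_groups']);
                             // Get groups from AD
                             if ($user_data = $ldap_auth_obj->getUserData($login)) {
                                 foreach ($user_data['grps'] as $group) {
                                     if (in_array($group, $admin_groups)) {
                                         $check = TRUE;
                                         break 3;
                                     }
                                 }
                             }
                         }
                         //end group list check
                         // Authenticated, but not in users list or group list
                         error(lang('not_authorized'));
                         break;
                     }
                 }
                 // Stop here: a failed LDAP attempt must not continue into the AD case below
                 break;
             case 'AD':
                 // Active Directory authentication
                 // Prevent empty values
                 if ($_POST && $login && $password) {
                     //include the class and create a connection
                     //TODO wrap this include somewhere else?
                     include_once APP_PATH . '/lib/adLDAP/adLDAP.php';
                     try {
                         $adldap = new adLDAP($auth_data);
                     } catch (adLDAPException $e) {
                         // When in debug mode, show additional info
                         // NOTE(review): keep debug off in production so directory error text is not shown to clients
                         $msg = conf('debug') ? ":<br>" . $e->getMessage() : '';
                         error(lang('error_contacting_AD') . $msg);
                         break 2;
                     }
                     // Authenticate user
                     if ($adldap->authenticate($login, $password)) {
                         // Check user against userlist
                         if (isset($auth_data['mr_allowed_users'])) {
                             $admin_users = is_array($auth_data['mr_allowed_users']) ? $auth_data['mr_allowed_users'] : array($auth_data['mr_allowed_users']);
                             if (in_array(strtolower($login), array_map('strtolower', $admin_users))) {
                                 $check = TRUE;
                                 break 2;
                             }
                         }
                         // Check user against group list
                         if (isset($auth_data['mr_allowed_groups'])) {
                             // Set mr_allowed_groups to array
                             $admin_groups = is_array($auth_data['mr_allowed_groups']) ? $auth_data['mr_allowed_groups'] : array($auth_data['mr_allowed_groups']);
                             // Get groups from AD
                             $groups = $adldap->user()->groups($login);
                             foreach ($groups as $group) {
                                 if (in_array($group, $admin_groups)) {
                                     $check = TRUE;
                                     break 3;
                                 }
                             }
                         }
                         //end group list check
                         // Authenticated, but not in users list or group list
                         error(lang('not_authorized'));
                         break;
                     }
                     break;
                 }
                 break;
             default:
                 die('Unknown authentication mechanism: ' . $mechanism);
                 break;
         }
     }
     // If authentication succeeded, create session
     if ($check) {
         $_SESSION['user'] = $login;
         $_SESSION['auth'] = $mechanism;
         // New session id at the privilege change
         session_regenerate_id();
         redirect($return);
     }
     // If POST and no other alerts, auth has failed
     if ($_POST && !$GLOBALS['alerts']) {
         if (!$login or !$password) {
             error(lang('empty_not_allowed'));
         } else {
             // Same message for unknown user and wrong password
             error(lang('wrong_user_or_pass'));
         }
     }
     $data = array('login' => $login, 'url' => url("auth/login/{$return}"));
     $obj = new View();
     $obj->view('auth/login', $data);
 }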
Example #11
 /**
  * Authenticate the current user with the backend named by $AUTHCFG['authType']
  * ('LDAP', 'AD', or anything else for the integrated SQL check).
  *
  * @param string $user_password - The password of the user to authenticate
  * @return true if the user is authenticated, false otherwise
  */
 function doLogin($user_password)
 {
     global $AUTHCFG;
     $usr_name = $this->column_fields["user_name"];
     $backend = strtoupper($AUTHCFG['authType']);

     if ($backend === 'LDAP') {
         $this->log->debug("Using LDAP authentication");
         require_once 'modules/Users/authTypes/LDAP.php';
         $ldapResult = ldapAuthenticate($this->column_fields["user_name"], $user_password);
         // A NULL-equivalent result from ldapAuthenticate() means the login failed.
         return $ldapResult != NULL;
     }

     if ($backend === 'AD') {
         $this->log->debug("Using Active Directory authentication");
         require_once 'modules/Users/authTypes/adLDAP.php';
         $directory = new adLDAP();
         return (bool) $directory->authenticate($this->column_fields["user_name"], $user_password);
     }

     // Any other value falls back to the integrated SQL check.
     $this->log->debug("Using integrated/SQL authentication");
     // Step 1: find out which hashing scheme the stored password uses (user name is a bound parameter).
     $query = "SELECT crypt_type FROM {$this->table_name} WHERE user_name=?";
     $result = $this->db->requirePsSingleResult($query, array($usr_name), false);
     if (empty($result)) {
         return false;
     }
     $crypt_type = $this->db->query_result($result, 0, 'crypt_type');
     $encrypted_password = $this->encrypt_password($user_password, $crypt_type);
     $maxFailedLoginAttempts = GlobalVariable::getVariable('Application_MaxFailedLoginAttempts', 5);
     // Step 2: match user name and hashed password, both bound as parameters.
     $query = "SELECT * from {$this->table_name} where user_name=? AND user_password=?";
     $params = array($usr_name, $encrypted_password);
     $userColumns = $this->db->getColumnNames($this->table_name);
     // When the table tracks failed logins, accounts at or above the limit never match.
     if (in_array('failed_login_attempts', $userColumns)) {
         $query .= ' AND COALESCE(failed_login_attempts,0)<?';
         $params[] = $maxFailedLoginAttempts;
     }
     $result = $this->db->requirePsSingleResult($query, $params, false);
     return !empty($result);
 }
Example #12
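<?php

// Smoke test for adLDAP: binds with one account and prints 'ok' or 'error'.
// The commented-out legacy connection block that stood here was dropped; it carried
// account names and what looked like password remnants in trailing comments.
// NOTE(review): keep real account names and passwords out of source files and comments.
require_once dirname(__FILE__) . '/adLDAP.php';
$options["domain_controllers"] = array("10.40.3.97", "10.20.3.97", "10.30.3.97");
$user = '******';
$password = '******';
// the Active Directory user
$options["ad_username"] = $user;
$options["ad_password"] = $password;
// NOTE(review): with SSL disabled the bind sends the password without transport
// encryption; enable it wherever the domain controllers support it.
$options["use_ssl"] = false;
// Pass the assembled options to the client. Previously the constructor was called
// without arguments, so none of the settings above were applied.
$ldap = new adLDAP($options);
$aut = $ldap->authenticate($user, $password);
if ($aut) {
    echo 'ok';
} else {
    echo 'error';
}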
Example #13
    /**
     * Authenticate the current user with the backend named by $AUTHCFG['authType']
     * ('LDAP', 'AD', or anything else for the integrated SQL check).
     *
     * @param string $user_password - The password of the user to authenticate
     * @return true if the user is authenticated, false otherwise
     */
    function doLogin($user_password) {
        global $AUTHCFG;
        $usr_name = $this->column_fields["user_name"];
        $backend = strtoupper($AUTHCFG['authType']);

        if ($backend === 'LDAP') {
            $this->log->debug("Using LDAP authentication");
            require_once('modules/Users/authTypes/LDAP.php');
            $ldapResult = ldapAuthenticate($this->column_fields["user_name"], $user_password);
            // A NULL-equivalent result from ldapAuthenticate() means the login failed.
            return $ldapResult != NULL;
        }

        if ($backend === 'AD') {
            $this->log->debug("Using Active Directory authentication");
            require_once('modules/Users/authTypes/adLDAP.php');
            $directory = new adLDAP();
            return (bool) $directory->authenticate($this->column_fields["user_name"], $user_password);
        }

        // Any other value falls back to the integrated SQL check.
        $this->log->debug("Using integrated/SQL authentication");
        // Step 1: look up the hashing scheme and the stored spelling of the user name.
        $query = "SELECT crypt_type, user_name FROM $this->table_name WHERE user_name=?";
        $result = $this->db->requirePsSingleResult($query, array($usr_name), false);
        if (empty($result)) {
            return false;
        }
        $crypt_type = $this->db->query_result($result, 0, 'crypt_type');
        // From here on the object carries the user name exactly as stored in the table.
        $this->column_fields["user_name"] = $this->db->query_result($result, 0, 'user_name');
        $encrypted_password = $this->encrypt_password($user_password, $crypt_type);
        // Step 2: match user name, hashed password and an 'Active' status, all bound as parameters.
        $query = "SELECT 1 from $this->table_name where user_name=? AND user_password=? AND status = ?";
        $result = $this->db->requirePsSingleResult($query, array($usr_name, $encrypted_password, 'Active'), false);
        return !empty($result);
    }
Example #14
<?php

/*
Examples file

To test any of the functions, just change the 0 to a 1.
Each `if (0)` block below is a disabled example; it only runs after that edit.
*/
//error_reporting(E_ALL ^ E_NOTICE);
include "adLDAP.php";
// NOTE(review): $options is not assigned anywhere in this listing; presumably it is
// defined by the included file or must be set before this line - confirm.
$ldap = new adLDAP($options);
//var_dump($ldap);
// Results are printed with var_dump(), so the output is wrapped in <pre>.
echo "<pre>\n";
// authenticate a username/password
// ("username" and "password" are placeholders to be replaced when the block is enabled)
if (0) {
    $result = $ldap->authenticate("username", "password");
    var_dump($result);
}
// add a group to a group
// NOTE(review): this and the next example change directory membership; presumably they
// need a bind account with write access - run them against a test directory only.
if (0) {
    $result = $ldap->group_add_group("Parent Group Name", "Child Group Name");
    var_dump($result);
}
// add a user to a group
if (0) {
    $result = $ldap->group_add_user("Group Name", "username");
    var_dump($result);
}
// create a group
if (0) {
    $attributes = array("group_name" => "Test Group", "description" => "Just Testing", "container" => array("Groups", "A Container"));
    $result = $ldap->group_create($attributes);
Example #15
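<?php

// adLDAP check script: authenticates one test account and dumps its group memberships.
require_once dirname(__FILE__) . '/adLDAP.php';
// Credentials are read from the environment instead of being stored in the script.
// The variable names below are constructed for this example; adapt them to your deployment.
$adminUsername = getenv('ADLDAP_ADMIN_USERNAME');
$adminPassword = getenv('ADLDAP_ADMIN_PASSWORD');
$testUsername = getenv('ADLDAP_TEST_USERNAME');
$testPassword = getenv('ADLDAP_TEST_PASSWORD');
if ($adminUsername === false || $adminPassword === false || $testUsername === false || $testPassword === false) {
    die("Set ADLDAP_ADMIN_USERNAME, ADLDAP_ADMIN_PASSWORD, ADLDAP_TEST_USERNAME and ADLDAP_TEST_PASSWORD before running this script.\n");
}
// NOTE(review): no SSL/TLS option is set in this array and the domain controller is addressed
// by IP, so the bind may cross the network unencrypted - enable transport encryption where supported.
$adldap = new adLDAP(array("account_suffix" => "@test.slimcrm.com", "base_dn" => "DC=test,DC=slimcrm,DC=com", "domain_controllers" => array("50.57.184.4"), "admin_username" => $adminUsername, "admin_password" => $adminPassword));
// Prints "1" on success and nothing on failure (boolean echoed as a string).
echo $adldap->authenticate($testUsername, $testPassword);
echo "\n";
$c = $adldap->user()->groups($testUsername);
var_dump($c);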
Example #16
 echo "Deleting relay database...<br/>";
 mysql_query("drop database relay");
 
 echo "Creating database relay...";
 
 mysql_query("create database relay");
 */
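 // Installer step: select the posted database, then optionally verify the posted
 // Active Directory settings and build the PHP config snippet for them.
 // All $_POST values are client-controlled: they are HTML-encoded before being echoed
 // and written into the generated PHP source with var_export() so they cannot break
 // out of the string literal.
 $postedDatabase = isset($_POST['database']) && is_string($_POST['database']) ? $_POST['database'] : '';
 mysql_select_db($postedDatabase) || die("could not connect to the database " . htmlspecialchars($postedDatabase, ENT_QUOTES));
 echo "done<br/>";
 // Require every AD field to be present and a plain string (short-circuit && instead of bitwise &).
 $adRequested = function_exists('ldap_connect');
 foreach (array('dc', 'adu', 'adp', 'ads', 'uad') as $adField) {
     $adRequested = $adRequested && isset($_POST[$adField]) && is_string($_POST[$adField]);
 }
 if ($adRequested && $_POST['uad'] == 'on') {
     echo "Verifying Active Directory installation on " . htmlspecialchars($_POST['ads'], ENT_QUOTES) . "...";
     $activeDirectoryServer = $_POST['ads'];
     $activeDirectoryDC = explode(".", $_POST['dc']);
     include_once "inc/adLDAP.php";
     // NOTE(review): the client is created without the posted server settings, so this check
     // presumably runs against whatever inc/adLDAP.php defaults to - confirm.
     $ad = new adLDAP();
     if ($ad->authenticate($_POST['adu'], $_POST['adp'])) {
         echo "success!<br/>";
         // Each domain component becomes one safely quoted PHP string literal.
         $quotedComponents = array();
         foreach ($activeDirectoryDC as $dc) {
             $quotedComponents[] = var_export($dc, true);
         }
         $addc = implode(",", $quotedComponents);
         // NOTE(review): the bind password ends up in clear text in the generated config;
         // restrict that file's permissions or keep the secret outside the web root.
         $ldapConfig = "// activeDirectory\r\n    \$activeDirectoryDC = array({$addc});\r\n    \$activeDirectoryServer = " . var_export($_POST['ads'], true) . ";\r\n    \$activeDirectoryUser = " . var_export($_POST['adu'], true) . ";\r\n    \$activeDirectoryPass = " . var_export($_POST['adp'], true) . ";";
     } else {
         echo "FAILED, check your settings and try again.";
         exit;
     }
 }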
Example #17
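/**
 * Authenticates the login posted by the form and reports the account's auditor group.
 *
 * Reads $_POST["user"] (the nick) and $_POST["userid"] (used as the password), loads the
 * matching squiduser row and checks the password with the method named in the joined
 * s_auth column: "ip" (crypt() hash compared with s_passwd), "adld" (adLDAP bind) or
 * "ntlm" (external testwbinfopasswd script). On success $SAMSConf->domainusername and
 * $SAMSConf->USERPASSWD are set.
 *
 * @return mixed s_group of the row when s_gauditor > 0 and authentication succeeded, otherwise 0
 */
function NotUsersTreeUserAuth()
{
    global $SAMSConf;
    $DB = new SAMSDB();
    // Default both inputs so a request without the fields cannot leave them undefined.
    $password = isset($_POST["userid"]) ? $_POST["userid"] : "";
    $userdomain = isset($_POST["user"]) ? $_POST["user"] : "";
    $grauditor = 0;
    $SAMSConf->domainusername = "";
    $SAMSConf->USERPASSWD = 0;
    // NOTE(review): $userdomain is request data and is placed into the statement unescaped.
    // It has to be bound or escaped with whatever SAMSDB offers for that; the SAMSDB API is
    // not visible from this function, so the query text is left unchanged here.
    $num_rows = $DB->samsdb_query_value("SELECT squiduser.*,shablon.s_auth as s_auth FROM squiduser LEFT JOIN shablon ON squiduser.s_shablon_id=shablon.s_shablon_id WHERE s_nick='{$userdomain}'; ");
    $row = $DB->samsdb_fetch_array();
    if ($num_rows > 0) {
        $SAMSConf->USERID = $row['s_user_id'];
        $SAMSConf->USERWEBACCESS = $row['s_webaccess'];
        $SAMSConf->AUTHERRORRC = $row['s_autherrorc'];
        $SAMSConf->AUTHERRORRT = $row['s_autherrort'];
    }
    if (!$row) {
        // Unknown nick: nothing to check, the defaults set above stand.
        return $grauditor;
    }
    if ($row['s_auth'] == "ip") {
        // NOTE(review): the salt is taken from the first two characters of the password
        // itself, which is a weak scheme; migrating the stored hashes needs a schema change.
        $passwd = crypt($password, substr($password, 0, 2));
        // Strict string comparison: a loose == can treat two different numeric-looking
        // hashes as equal.
        if (is_string($passwd) && (string) $row['s_passwd'] === $passwd) {
            $SAMSConf->domainusername = $row['s_nick'];
            $SAMSConf->USERPASSWD = 1;
        }
    }
    if ($row['s_auth'] == "adld") {
        require_once "adldap.php";
        //create the LDAP connection
        $pdc = array("{$SAMSConf->LDAPSERVER}");
        // Keys are quoted: as bare words they are undefined constants, which is a fatal
        // error on PHP 8 and only worked through the old constant-to-string fallback.
        $options = array("account_suffix" => "@{$SAMSConf->LDAPDOMAIN}", "base_dn" => "{$SAMSConf->LDAPBASEDN}", "domain_controllers" => $pdc, "ad_username" => "{$SAMSConf->LDAPUSER}", "ad_password" => "{$SAMSConf->LDAPUSERPASSWD}", "", "", "");
        $ldap = new adLDAP($options);
        // The nick from the database row is used for the bind, not the posted value.
        if ($ldap->authenticate($row['s_nick'], $password)) {
            $SAMSConf->domainusername = $row['s_nick'];
            $SAMSConf->USERPASSWD = 1;
        }
    }
    if ($row['s_auth'] == "ntlm") {
        // NOTE(review): escapeshellcmd() over the joined string does not keep nick and
        // password as two separate arguments (a space in either one shifts the argument
        // list). Quoting each value with escapeshellarg() is the usual fix, but it depends
        // on how ExecuteShellScript() builds its command line — confirm there first.
        $e = escapeshellcmd("{$row['s_nick']} {$password}");
        $aaa = ExecuteShellScript("testwbinfopasswd", $e);
        if (stristr($aaa, "authentication succeeded") !== false || stristr($aaa, "NT_STATUS_OK") !== false) {
            $SAMSConf->domainusername = $row['s_nick'];
            $SAMSConf->USERPASSWD = 1;
        }
    }
    $grauditor = 0;
    if ($row['s_gauditor'] > 0 && strlen($SAMSConf->domainusername) > 0) {
        $grauditor = $row['s_group'];
        // Reload the left frame so it reflects the logged-in auditor.
        print "<SCRIPT>\n";
        print " parent.lframe.location.href=\"lframe.php\"; \n";
        print "</SCRIPT> \n";
    }
    return $grauditor;
}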
Example #18
 // Optional LDAP trace: with $debug_ldap set to 1 the file ../files/ldap.debug.txt is
 // recreated and receives the directory settings and adLDAP error strings written below.
 // NOTE(review): confirm that ../files is not served by the web server, otherwise the
 // trace is readable by anyone who knows the path.
 if ($debug_ldap == 1) {
     $dbg_ldap = fopen("../files/ldap.debug.txt", "w");
 }
 // LDAP is only consulted when ldap_mode is switched on and the login is not "admin".
 if (isset($_SESSION['settings']['ldap_mode']) && $_SESSION['settings']['ldap_mode'] == 1 && $username != "admin") {
     if ($debug_ldap == 1) {
         fwrite(
             $dbg_ldap,
             "Get all ldap params : \n"
             . "base_dn : {$_SESSION['settings']['ldap_domain_dn']}\n"
             . "account_suffix : {$_SESSION['settings']['ldap_suffix']}\n"
             . "domain_controllers : {$_SESSION['settings']['ldap_domain_controler']}\n"
             . "use_ssl : {$_SESSION['settings']['ldap_ssl']}\n"
             . "use_tls : {$_SESSION['settings']['ldap_tls']}\n*********\n\n"
         );
     }
     require_once "../includes/libraries/adLDAP/adLDAP.php";
     $adldap = new adLDAP(array(
         'base_dn' => $_SESSION['settings']['ldap_domain_dn'],
         'account_suffix' => $_SESSION['settings']['ldap_suffix'],
         'domain_controllers' => array($_SESSION['settings']['ldap_domain_controler']),
         'use_ssl' => $_SESSION['settings']['ldap_ssl'],
         'use_tls' => $_SESSION['settings']['ldap_tls'],
     ));
     if ($debug_ldap == 1) {
         fwrite($dbg_ldap, "Create new adldap object : " . $adldap->get_last_error() . "\n\n\n");
     }
     // Bind with the submitted credentials; the outcome is kept as a plain boolean.
     $ldap_connection = $adldap->authenticate($username, $password_clear) ? true : false;
     if ($debug_ldap == 1) {
         fwrite($dbg_ldap, "After authenticate : " . $adldap->get_last_error() . "\n\n\n" . "ldap status : " . $ldap_connection . "\n\n\n");
     }
 }
 //Check if user exists in cpassman
 $sql = "SELECT * FROM " . $pre . "users WHERE login = '******'";
 $row = $db->query($sql);
 $proceed_identification = false;
 if (mysql_num_rows($row) > 0) {
     $proceed_identification = true;
Example #19
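/**
 * Logs a user in and fills the session.
 *
 * The users row decides the method: with ADauth == 1 the credentials are checked with
 * adLDAP, otherwise against the keyed md5 stored in the users table. On success the
 * session receives userid, user, name, path and admin; both outcomes are passed to
 * logAction().
 *
 * @param string $username login name as typed by the user
 * @param string $password clear-text password as typed by the user
 * @return void
 */
function userLogin($username, $password)
{
    session_start();
    $_SESSION['userid'] = NULL;
    include_once "inc/adLDAP.php";
    global $database, $passwordKey;
    // Keep the values as typed for the directory bind: SQL escaping would alter any
    // password containing a quote or backslash and make a correct AD login fail.
    $rawUsername = $username;
    $rawPassword = $password;
    // NOTE(review): mysql_escape_string() ignores the connection character set; the
    // mysql_* API has no bound parameters, so this stays until the data layer is replaced.
    $username = mysql_escape_string($username);
    $password = mysql_escape_string($password);
    $loginSuccess = false;
    #ADauth check
    $query = "select * from {$GLOBALS['tablePrefix']}users where username=\"{$username}\"";
    $result = mysql_query($query);
    $userinfo = mysql_fetch_assoc($result);
    if (is_array($userinfo) && $userinfo['ADauth'] == 1) {
        $ADconn = new adLDAP();
        $loginSuccess = $ADconn->authenticate($rawUsername, $rawPassword) ? true : false;
    } else {
        // NOTE(review): the local password is a keyed md5; moving to password_hash() needs
        // a migration of the stored values.
        $query = "select * from {$GLOBALS['tablePrefix']}users where username=\"{$username}\" and password=md5(\"{$passwordKey}{$password}\")";
        $result = mysql_query($query, $database);
        if ($userinfo = mysql_fetch_assoc($result)) {
            $loginSuccess = true;
        }
    }
    if ($loginSuccess == true) {
        // New session id on login, so an id that was known before authentication cannot
        // be reused for the authenticated session.
        session_regenerate_id(true);
        $_SESSION['userid'] = $userinfo['id'];
        // The escaped form is kept in the session, as before, because other code may rely on it.
        $_SESSION['user'] = $username;
        $_SESSION['name'] = $userinfo['name'];
        $_SESSION['path'] = array();
        $_SESSION['admin'] = $userinfo['admin'];
        userPermissions();
        logAction('login', $username);
    } else {
        logAction('loginFail', $username);
    }
    if ($GLOBALS['resource'] != true) {
        checkLogin();
    }
}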
 /**
  * Tests the connection to Active Directory.
  *
  * @param array $valeur connection parameters:
  *   $valeur['login']   account used for the test bind
  *   $valeur['passwd']  its password
  *   $valeur['dc']      passed to adLDAP as base_dn
  *   $valeur['suffix']  passed to adLDAP as account_suffix
  *   $valeur['serveur'] the single domain controller to contact
  * @return Boolean whatever adLDAP's authenticate() returns for that login
  */
 function testerAD($valeur)
 {
     // adLDAP lives in the "adldap" directory below the form's absolute path.
     require_once $this->getAbsolutePathForm() . "/adldap" . '/adLDAP.php';
     $options = array(
         'base_dn' => $valeur['dc'],
         'account_suffix' => $valeur['suffix'],
         'domain_controllers' => array(0 => $valeur['serveur']),
     );
     $connexion = new adLDAP($options);
     // close() is not called on the handle before returning.
     return $connexion->authenticate($valeur['login'], $valeur['passwd']);
 }
 /**
  * Tests the connection to Active Directory and prints the outcome.
  *
  * @param array $valeur connection parameters:
  *   $valeur['login']   account used for the test bind
  *   $valeur['passwd']  its password
  *   $valeur['dc']      passed to adLDAP as base_dn
  *   $valeur['suffix']  passed to adLDAP as account_suffix
  *   $valeur['serveur'] the single domain controller to contact
  */
 function testerAD($valeur)
 {
     // adLDAP is loaded from the "adldap" directory appended to the absolute path.
     require_once $this->getAbsolutePath() . "adldap" . '/adLDAP.php';
     $connexion = new adLDAP(array(
         'base_dn' => $valeur['dc'],
         'account_suffix' => $valeur['suffix'],
         'domain_controllers' => array(0 => $valeur['serveur']),
     ));
     $bindOk = $connexion->authenticate($valeur['login'], $valeur['passwd']);
     // The connection is closed before the result is reported.
     $connexion->close();
     echo $bindOk == true ? "Test de connexion réussit" : "Test de connexion échoué";
 }
Example #22
    $_SESSION['authenticated'] = "";
    $_SESSION['rpage'] = $_SERVER['PHP_SELF'];
    $type = "";
    $page = "";
}
//LOGIN SCRIPT
if ($login != "") {
    if ($user != NULL && $pass != NULL) {
        include "../includes/adLDAPgroup.php";
        try {
            $adldap = new adLDAP();
        } catch (adLDAPException $e) {
            echo $e;
            exit;
        }
        if ($adldap->authenticate($user, $pass)) {
            session_start();
            $_SESSION['authenticated'] = "login";
            $_SESSION['user'] = $user;
            $_SESSION['pass'] = $pass;
        } else {
            $failed = 1;
            $_SESSION['authenticated'] = "";
        }
        $group = "Corporate IT";
        if ($adldap->user_ingroup($user, $group)) {
            $_SESSION['authenticated'] = "corpit";
            header("Location: http://" . $_SERVER['HTTP_HOST'] . "/site/home.php");
        } else {
            $failed2 = 1;
            $_SESSION['authenticated'] = "";
Example #23
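/**
 * Check user against AD and make sure a local account exists for them.
 *
 * Connects with the settings from getADSettings(), authenticates the credentials and,
 * when the user has no row in the users table yet, creates one.
 *
 * @param string $username login name to authenticate
 * @param string $password clear-text password
 * @return string 'ok' on success, otherwise a failure message
 */
function checkADLogin($username, $password)
{
    /* get All settings */
    $settings = getAllSettings();
    // include_once: a second call in the same request must not redeclare the adLDAP class
    include_once dirname(__FILE__) . "/adLDAP/src/adLDAP.php";
    //open connection
    try {
        //get settings for connection
        $ad = getADSettings();
        //AD
        $adldap = new adLDAP(array('base_dn' => $ad['base_dn'], 'account_suffix' => $ad['account_suffix'], 'domain_controllers' => $ad['domain_controllers'], 'use_ssl' => $ad['use_ssl'], 'use_tls' => $ad['use_tls'], 'ad_port' => $ad['ad_port']));
        // set OpenLDAP flag
        if ($settings['domainAuth'] == "2") {
            $adldap->setUseOpenLDAP(true);
        }
    } catch (adLDAPException $e) {
        // Show only the escaped message: printing the exception object would also put its
        // stack trace, including server file paths, into the page.
        die('<div class="alert alert-error">' . htmlspecialchars($e->getMessage(), ENT_QUOTES) . '</div>');
    }
    //user authentication
    $authUser = $adldap->authenticate($username, $password);
    if ($authUser == true) {
        global $db;
        $database = new database($db['host'], $db['user'], $db['pass'], $db['name']);
        // NOTE(review): the username literal appears masked in this listing; it is kept as found.
        $query = "SELECT id FROM users WHERE username = '******';";
        $user_id = $database->getRow($query);
        if (empty($user_id)) {
            $real_name = str_replace('.', ' ', $username);
            $real_name = ucwords($real_name);
            $email = $username . "@enovance.com";
            // NOTE(review): $username, $real_name and $email go into the statement unescaped
            // and have to be bound or escaped with whatever the database class provides (its
            // API is not visible here). The new account is also created with the
            // 'Administrator' role for every user the directory accepts — confirm that this
            // is intended rather than a least-privilege default.
            $query = "INSERT INTO users (username, role, real_name, email, domainUser, lang) VALUES ('{$username}', 'Administrator', '{$real_name}', '{$email}', 1, 1);";
            $database->executeQuery($query);
            // insert_id is a scalar; count() on it never reported a failed insert (and
            // throws on PHP 8), so it is tested for a non-zero value instead.
            $user_id = $database->insert_id;
            if (!empty($user_id)) {
                updateLogTable('Created user ' . $username . ' successfully', "", 0);
            }
        }
        $database->close();
        if (!empty($user_id)) {
            updateLogTable('User ' . $username . ' authenticated against AD.', "", 0);
            return 'ok';
        } else {
            updateLogTable('Failed to create user .' . $username, "", 2);
            return "Failed to creater user {$username}";
        }
    } else {
        updateLogTable('User ' . $username . ' failed to authenticate against AD.', "", 2);
        return 'Failed to authenticate user via AD!';
    }
}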
Example #24
 /**
  * Validate a user's login credentials
  *
  * Pass-through to the adLDAP instance held in $this->adldap.
  *
  * @param string $username A user's AD username
  * @param string $password A user's AD password
  * @param bool $preventRebind optional, forwarded unchanged as the third argument
  * @return bool
  */
 public function authenticate($username, $password, $preventRebind = false)
 {
     $isValid = $this->adldap->authenticate($username, $password, $preventRebind);
     return $isValid;
 }
}
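// The search term comes from the request; anything that is not a string counts as empty.
$dfilter = isset($_POST['dfilter']) && is_string($_POST['dfilter']) ? $_POST['dfilter'] : "";
//at least 2 chars
if (strlen($dfilter) < 2) {
    $Result->show("danger", _('Please enter at least 2 characters'), true);
}
// The term becomes part of an LDAP search filter, so its filter metacharacters are
// escaped and only the two wildcards added below act as wildcards.
// NOTE(review): this assumes group()->search() uses the pattern verbatim, which the
// wildcards in the call suggest — confirm in the adLDAP copy in use.
if (function_exists('ldap_escape')) {
    $dfilterEscaped = ldap_escape($dfilter, "", LDAP_ESCAPE_FILTER);
} else {
    // Older PHP without ldap_escape(): replace the same characters by hand, backslash first.
    $dfilterEscaped = str_replace(array('\\', '*', '(', ')', "\x00"), array('\\5c', '\\2a', '\\28', '\\29', '\\00'), $dfilter);
}
//open connection
try {
    if ($server->type == "NetIQ") {
        $params->account_suffix = "";
    }
    //set options
    $options = array('base_dn' => $params->base_dn, 'account_suffix' => $params->account_suffix, 'domain_controllers' => explode(";", $params->domain_controllers), 'use_ssl' => $params->use_ssl, 'use_tls' => $params->use_tls, 'ad_port' => $params->ad_port);
    //AD
    $adldap = new adLDAP($options);
    //try to login with higher credentials for search
    $authUser = $adldap->authenticate($params->adminUsername, $params->adminPassword);
    if ($authUser == false) {
        $Result->show("danger", _("Invalid credentials"), true);
    }
    // set OpenLDAP flag
    if ($server->type == "LDAP") {
        $adldap->setUseOpenLDAP(true);
    }
    //search groups
    $groups = $adldap->group()->search(adLDAP::ADLDAP_SECURITY_GLOBAL_GROUP, true, "*{$dfilterEscaped}*");
} catch (adLDAPException $e) {
    // $adldap does not exist when the constructor itself threw.
    if (isset($adldap)) {
        $Result->show("danger", $adldap->getLastError(), false);
    }
    $Result->show("danger", $e->getMessage(), true);
}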
//check for found
Example #26
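 /**
  * Authenticates the user with the given id against Active Directory.
  *
  * Loads the squiduser row for $userid through LoadUserVariables(), builds the adLDAP
  * options from the "adld" auth parameters and binds as $this->UserName with the
  * supplied password.
  *
  * @param mixed $userid value matched against squiduser.s_user_id
  * @param string $password clear-text password to check
  * @return mixed $this->authOk, which is set to 1 when the bind succeeds
  */
 function UserIDAuthenticate($userid, $password)
 {
     $this->userid = $userid;
     // NOTE(review): $userid is placed into the statement unescaped; if it can come from a
     // request it has to be validated or bound before this point. LoadUserVariables() only
     // takes finished SQL text, so the statement is left unchanged here.
     $request = "SELECT s_nick, s_passwd, s_domain, s_gauditor, squiduser.s_group_id, s_autherrorc, s_autherrort, s_user_id FROM squiduser WHERE s_user_id='{$userid}'";
     if ($this->LoadUserVariables($request) > 0) {
         require_once "src/adldap.php";
         $adldserver = GetAuthParameter("adld", "adldserver");
         $basedn = GetAuthParameter("adld", "basedn");
         $adadmin = GetAuthParameter("adld", "adadmin");
         $adadminpasswd = GetAuthParameter("adld", "adadminpasswd");
         // Turn the dotted domain name into a base DN, one DC= component per non-empty
         // label (an empty name yields "DC=", as the strtok loop it replaces did).
         $labels = array_filter(explode(".", (string) $basedn), 'strlen');
         $LDAPBASEDN = "DC=" . implode(",DC=", $labels);
         $pdc = array("{$adldserver}");
         // Keys are quoted: as bare words they are undefined constants, which is a fatal
         // error on PHP 8 and only worked through the old constant-to-string fallback.
         $options = array("account_suffix" => "@{$basedn}", "base_dn" => "{$LDAPBASEDN}", "domain_controllers" => $pdc, "ad_username" => "{$adadmin}", "ad_password" => "{$adadminpasswd}", "", "", "");
         $ldap = new adLDAP($options);
         if ($ldap->authenticate(SAMSLangToUTF8($this->UserName), $password)) {
             $this->authOk = 1;
         }
     }
     return $this->authOk;
 }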
Example #27
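/**
 * Checks whether a user authenticates against the given domain controller and belongs
 * to at least one of the allowed groups.
 *
 * @param string $groups newline-separated list of allowed group names; when it contains
 *                       no name, no group restriction applies and the result is true
 * @param string $hostname domain controller to contact
 * @param string $username account to authenticate and look up
 * @param string $password clear-text password of that account
 * @param string $account_suffix dotted domain name, used for both the base DN and the "@" suffix
 * @return bool true when no group is required or the user is in an allowed group; false
 *              when authentication fails, the groups cannot be read or none matches
 */
function checkcreds_ADGroups_ToServer($groups, $hostname, $username, $password, $account_suffix)
{
    $debug = !empty($GLOBALS["HOTSPOT_DEBUG"]);
    if (strlen((string) $groups) == 0) {
        if ($debug) {
            ToSyslog("{$hostname}: checkcreds_ADGroups_ToServer no defined group in line:" . __LINE__);
        }
        return true;
    }
    // Allowed groups, lower-cased and keyed by name for direct lookup.
    // foreach replaces each(), which no longer exists on PHP 8.
    $YGroups = array();
    foreach (explode("\n", $groups) as $ligne) {
        $ligne = trim(strtolower($ligne));
        if ($ligne === '') {
            continue;
        }
        $YGroups[$ligne] = $ligne;
        if ($debug) {
            ToSyslog("{$hostname}: checkcreds_ADGroups_ToServer checks group {$ligne} in line:" . __LINE__);
        }
    }
    if ($debug) {
        ToSyslog("{$hostname}: checkcreds_ADGroups_ToServer " . count($YGroups) . " in line:" . __LINE__);
    }
    if (count($YGroups) == 0) {
        if ($debug) {
            ToSyslog("{$hostname}: checkcreds_ADGroups_ToServer no group defined, return true in line:" . __LINE__);
        }
        return true;
    }
    if ($debug) {
        ToSyslog("{$hostname}: checkcreds_ADGroups_ToServer checks {$username} groups in line:" . __LINE__);
    }
    // example.org -> DC=example,DC=org
    $zsuffix = array();
    foreach (explode(".", $account_suffix) as $a) {
        $zsuffix[] = "DC={$a}";
    }
    $suffix = implode(",", $zsuffix);
    $options = array('base_dn' => $suffix, 'ad_username' => $username, 'ad_password' => $password, 'recursive_groups' => true, 'domain_controllers' => array($hostname), 'account_suffix' => "@{$account_suffix}");
    $adldap = new adLDAP($options);
    // Group membership only counts for a user whose credentials were accepted; the
    // result of authenticate() was previously ignored.
    if (!$adldap->authenticate("{$username}", $password)) {
        if ($debug) {
            ToSyslog("{$hostname}: checkcreds_ADGroups_ToServer {$username} failed to authenticate in line:" . __LINE__);
        }
        return false;
    }
    $result = $adldap->user()->groups($username);
    if ($debug) {
        ToSyslog_array($GLOBALS["CLASS_ACTV"]);
    }
    // A failed lookup does not yield a list; treat it as "member of no group".
    if (!is_array($result)) {
        return false;
    }
    if ($debug) {
        ToSyslog("{$hostname}: checkcreds_ADGroups_ToServer {$username} in:" . count($result) . " groups in line:" . __LINE__);
    }
    foreach ($result as $group) {
        $group = trim(strtolower($group));
        if ($debug) {
            ToSyslog("{$hostname}: checkcreds_AD checks {$group} group in line:" . __LINE__);
        }
        if (isset($YGroups[$group])) {
            if ($debug) {
                ToSyslog("{$hostname}: checkcreds_AD checks {$group} is OK in line:" . __LINE__);
            }
            return true;
        }
    }
    return false;
}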
Example #28
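/**
 * Check user against AD
 *
 * Connects with the settings from getADSettings() and authenticates the credentials.
 *
 * @param string $username login name to authenticate
 * @param string $password clear-text password
 * @return string 'ok' on success, otherwise 'Failed to authenticate user via AD!'
 */
function checkADLogin($username, $password)
{
    /* get All settings */
    $settings = getAllSettings();
    # include_once: a second call in the same request must not redeclare the adLDAP class
    include_once dirname(__FILE__) . "/adLDAP/src/adLDAP.php";
    # open connection
    try {
        # get settings for connection
        $ad = getADSettings();
        # AD
        $adldap = new adLDAP(array('base_dn' => $ad['base_dn'], 'account_suffix' => $ad['account_suffix'], 'domain_controllers' => $ad['domain_controllers'], 'use_ssl' => $ad['use_ssl'], 'use_tls' => $ad['use_tls'], 'ad_port' => $ad['ad_port']));
        # set OpenLDAP flag
        if ($settings['domainAuth'] == "2") {
            $adldap->setUseOpenLDAP(true);
        }
    } catch (adLDAPException $e) {
        # show only the escaped message; the exception object itself would also print its stack trace
        die('<div class="alert alert-danger">' . htmlspecialchars($e->getMessage(), ENT_QUOTES) . '</div>');
    }
    # user authentication
    $authUser = $adldap->authenticate($username, $password);
    # result
    if ($authUser == true) {
        return 'ok';
    }
    # the error text is produced by the directory layer, so it is escaped before it reaches the page
    $err = $adldap->getLastError();
    print "<div class='alert alert-danger'>" . htmlspecialchars((string) $err, ENT_QUOTES) . "</div>";
    return 'Failed to authenticate user via AD!';
}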
Example #29
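 /**
  *	AD (Active directory) authentication function
  *
  *	Authenticates users against MS Active Directory
  *	Using library > adLDAP - LDAP Authentication with PHP for Active Directory
  *	http://adldap.sourceforge.net
  *
  *	Connection settings are taken from the JSON in $this->authmethodparams. On success
  *	the session parameters and login time are written and a blocked-IP entry is removed;
  *	on failure the IP block counter is increased and the attempt is logged.
  *
  * @access private
  * @param mixed $username
  * @param mixed $password
  * @return void
  */
 private function auth_AD($username, $password)
 {
     # adLDAP script; require_once so a second call cannot redeclare the class
     require_once dirname(__FILE__) . "/../adLDAP/src/adLDAP.php";
     # open connection
     try {
         // parse settings for LDAP connection and store them to array
         $ad = json_decode($this->authmethodparams, true);
         if (!is_array($ad)) {
             $ad = array();
         }
         # missing settings are passed on as null, as the @-suppressed reads did before
         $ad += array('base_dn' => null, 'account_suffix' => null, 'domain_controllers' => '', 'use_ssl' => null, 'use_tls' => null, 'ad_port' => null);
         # set controllers
         $ad['domain_controllers'] = explode(";", str_replace(" ", "", (string) $ad['domain_controllers']));
         # Initialize AD class
         $adldap = new adLDAP(array('base_dn' => $ad['base_dn'], 'account_suffix' => $ad['account_suffix'], 'domain_controllers' => $ad['domain_controllers'], 'use_ssl' => $ad['use_ssl'], 'use_tls' => $ad['use_tls'], 'ad_port' => $ad['ad_port']));
         # set OpenLDAP flag
         if ($this->ldap) {
             $adldap->setUseOpenLDAP(true);
         }
     } catch (adLDAPException $e) {
         $this->Log->write("AD connect error", "Failed to connect to AD: " . $e->getMessage(), 2, $username);
         $this->Result->show("danger", _("Error: ") . $e->getMessage(), true);
         # no usable connection object exists past this point
         return;
     }
     # authenticate
     if ($adldap->authenticate($username, $password)) {
         # save to session
         $this->write_session_parameters();
         $this->Log->write("AD login", "User " . $this->user->real_name . " logged in via AD", 0, $username);
         $this->Result->show("success", _("AD Login successful"));
         # write last logintime
         $this->update_login_time();
         # remove possible blocked IP
         $this->block_remove_entry();
     } else {
         # The former branches on $authAD are gone: that variable is never assigned in
         # this method, so every failure already ended up in this path.
         # add blocked count
         $this->block_ip();
         $this->Log->write("AD login", "User {$username} failed to authenticate against AD", 1, $username);
         # same message for an unknown user and a wrong password
         $this->Result->show("danger", _("Invalid username or password"), true);
     }
 }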
 /**
  * Tests the connection to Active Directory.
  *
  * @param array $valeur connection parameters:
  *   $valeur['login']   account used for the test bind
  *   $valeur['passwd']  its password
  *   $valeur['dc']      passed to adLDAP as base_dn
  *   $valeur['suffix']  passed to adLDAP as account_suffix
  *   $valeur['serveur'] the single domain controller to contact
  * @param string|null $cheminAdldap path of the adLDAP.php file to load; when empty, the
  *   copy under plugins/groupead/adldap/ below the absolute path is used
  * @return Boolean whatever adLDAP's authenticate() returns for that login
  */
 function testerAD($valeur, $cheminAdldap = null)
 {
     // NOTE(review): the path is executed via require_once, so callers must only ever
     // pass a fixed, trusted location here — confirm at the call sites.
     if (null == $cheminAdldap) {
         $cheminAdldap = $this->getAbsolutePath() . "plugins/groupead/adldap/adLDAP.php";
     }
     require_once $cheminAdldap;
     $options = array(
         'base_dn' => $valeur['dc'],
         'account_suffix' => $valeur['suffix'],
         'domain_controllers' => array(0 => $valeur['serveur']),
     );
     $connexion = new adLDAP($options);
     // close() is not called on the handle before returning.
     return $connexion->authenticate($valeur['login'], $valeur['passwd']);
 }