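/**
  * Authenticates a user (Check various conditions for the user that might invalidate its
  * authentication, e.g., password match, domain, IP, etc.).
  *
  * The LDAP lookup itself has already happened by the time this method runs: a user whose
  * record carries "tx_igldapssoauth_from" was fetched from LDAP during this request, a user
  * with a DN but without that marker was not (i.e. the password was not accepted).
  *
  * @param array $user Data of user.
  * @return int One of the STATUS_AUTHENTICATION_* constants.
  */
 public function authUser(array $user)
 {
     if (!Configuration::isInitialized()) {
         // Early return since LDAP is not configured
         return static::STATUS_AUTHENTICATION_FAILURE_CONTINUE;
     }
     if (TYPO3_MODE === 'BE') {
         // In the backend, "BEfailsafe" lets other authentication services take over on failure
         $status = Configuration::getValue('BEfailsafe') ? static::STATUS_AUTHENTICATION_FAILURE_CONTINUE : static::STATUS_AUTHENTICATION_FAILURE_BREAK;
     } else {
         $status = static::STATUS_AUTHENTICATION_FAILURE_CONTINUE;
     }
     $enableFrontendSso = TYPO3_MODE === 'FE' && (bool) $this->config['enableFESSO'] && !empty($_SERVER['REMOTE_USER']);
     $hasCredentials = $this->login['uident'] && $this->login['uname'];
     if (($hasCredentials || $enableFrontendSso) && !empty($user['tx_igldapssoauth_dn'])) {
         // Remote peer description shared by every log entry written below
         $remote = sprintf('%s (%s)', $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST']);
         if (isset($user['tx_igldapssoauth_from'])) {
             $status = static::STATUS_AUTHENTICATION_SUCCESS_BREAK;
         } elseif (TYPO3_MODE === 'BE' && Configuration::getValue('BEfailsafe')) {
             return static::STATUS_AUTHENTICATION_FAILURE_CONTINUE;
         } else {
             // Failed login attempt (wrong password) - write that to the log!
             // The context array must be passed as the second argument: concatenating it to the
             // message only logged the literal word "Array" and dropped username and remote.
             static::getLogger()->warning('Password not accepted', array('username' => $this->login['uname'], 'remote' => $remote));
             $status = static::STATUS_AUTHENTICATION_FAILURE_BREAK;
         }
         // Checking the domain (lockToDomain)
         // NOTE(review): authInfo['HTTP_HOST'] presumably originates from the request's Host header;
         // this relies on TYPO3 having validated it against its trusted hosts beforehand - confirm.
         if ($status && $user['lockToDomain'] && $user['lockToDomain'] !== $this->authInfo['HTTP_HOST']) {
             // Lock domain didn't match, so error:
             static::getLogger()->error(sprintf('Locked domain "%s" did not match "%s"', $user['lockToDomain'], $this->authInfo['HTTP_HOST']), array('username' => $user[$this->db_user['username_column']], 'remote' => $remote));
             $status = static::STATUS_AUTHENTICATION_FAILURE_BREAK;
         }
     }
     return $status;
 }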
 /**
  * Processes the username according to current configuration.
  *
  * The only transformation currently applied is lower-casing, and only when the
  * "forceLowerCaseUsername" option is enabled; otherwise the username is returned as-is.
  *
  * @param string $username
  * @return string
  */
 public static function setUsername($username)
 {
     $forceLowerCase = (bool) Configuration::getValue('forceLowerCaseUsername');
     // Possible enhancement: use \TYPO3\CMS\Core\Charset\CharsetConverter::conv_case instead
     return $forceLowerCase ? strtolower($username) : $username;
 }
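 /**
  * Returns a TYPO3 user.
  *
  * Looks the user up in the configured user table by username and DN. When the
  * "IfUserExist" option is disabled and no record exists, a fresh (not yet persisted)
  * user record is created and pre-filled instead; when it is enabled, deleted records
  * are treated as non-existent.
  *
  * @param string $username
  * @param string $userDn
  * @param int|NULL $pid
  * @return array|NULL User record, or NULL if none exists and auto-creation is disabled
  */
 protected static function getTypo3User($username, $userDn, $pid = NULL)
 {
     $user = NULL;
     $table = static::$authenticationService->authInfo['db_user']['table'];
     $typo3_users = Typo3UserRepository::fetch($table, 0, $pid, $username, $userDn);
     if ($typo3_users) {
         if (Configuration::getValue('IfUserExist')) {
             // Ensure every returned record is active: a deleted user must behave as if it did
             // not exist at all. Note: an inactive user (disable=1) is caught by TYPO3 automatically.
             // array_values() resets the indices so the first remaining record is at index 0.
             $typo3_users = array_values(array_filter($typo3_users, function ($typo3_user) {
                 return empty($typo3_user['deleted']);
             }));
         }
         // We want to return only first user in any case, if more than one are returned (e.g.,
         // same username/DN twice) actual authentication will fail anyway later on.
         // isset() covers the case where every record was filtered out above.
         $user = isset($typo3_users[0]) && is_array($typo3_users[0]) ? $typo3_users[0] : NULL;
     } elseif (!Configuration::getValue('IfUserExist')) {
         // Auto-provision a new record for an LDAP user unknown to TYPO3
         $user = Typo3UserRepository::create($table);
         $user['pid'] = (int) $pid;
         $user['crdate'] = $GLOBALS['EXEC_TIME'];
         $user['tstamp'] = $GLOBALS['EXEC_TIME'];
         $user['username'] = $username;
         $user['tx_igldapssoauth_dn'] = $userDn;
     }
     return $user;
 }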
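 /**
  * Returns the corresponding DN if a given user is provided, otherwise FALSE.
  *
  * The username is escaped with ldap_escape() before it is substituted into the search
  * filter, so a value taken straight from the login form can only ever match a value and
  * never alter the filter's structure. Callers must therefore pass the raw, unescaped username.
  *
  * @param string|NULL $username
  * @param string|NULL $password User's password. If NULL password will not be checked
  * @param string|NULL $baseDn
  * @param string|NULL $filter Search filter containing the {USERNAME} placeholder
  * @return bool|string DN of the user on success, FALSE otherwise
  */
 public function validateUser($username = NULL, $password = NULL, $baseDn = NULL, $filter = NULL)
 {
     // Escape LDAP filter metacharacters (e.g. "*", "(", ")", "\") in the username
     $searchFilter = str_replace('{USERNAME}', ldap_escape((string) $username, '', LDAP_ESCAPE_FILTER), (string) $filter);
     if (!$this->ldapUtility->search($baseDn, $searchFilter, array('dn'))) {
         // User not found on LDAP server
         return FALSE;
     }
     if ($password === NULL) {
         // No password to check: only acceptable when SSO authentication is enabled
         if (Configuration::getValue('SSOAuthentication')) {
             return $this->ldapUtility->getDn();
         }
         // User invalid. Authentication failed.
         return FALSE;
     }
     // Compare against the empty string explicitly: empty() would also reject the
     // legitimate password "0".
     if ($password === '') {
         $this->lastBindDiagnostic = 'Empty password provided!';
         return FALSE;
     }
     // Validate the password by binding as the user's DN
     $dn = $this->ldapUtility->getDn();
     if (!$this->ldapUtility->bind($dn, $password)) {
         // Password does not match; keep the server's diagnostic for the caller.
         // NOTE(review): the service-account binding is not restored on this path - confirm
         // that nothing relies on it afterwards.
         $status = $this->ldapUtility->getStatus();
         $this->lastBindDiagnostic = $status['bind']['diagnostic'];
         return FALSE;
     }
     // Restore last LDAP binding so later operations do not run as the user
     $config = Configuration::getLdapConfiguration();
     $this->ldapUtility->bind($config['binddn'], $config['password']);
     $this->lastBindDiagnostic = '';
     return $dn;
 }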