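/**
 * Authenticates a user against LDAP (TestLink variant: ldap_connect_bind()
 * returns an object with ->handler and ->status, see ldap_get_field_from_username).
 *
 * The login name is looked up under ldap_root_dn and a bind is attempted as
 * each matching DN with the supplied password; the first bind that succeeds
 * authenticates the user.
 *
 * @param string $p_login_name The login name to search for (user-supplied).
 * @param string $p_password   The password to bind with.
 * @return stdClass|false `false` when the password is blank (kept for existing
 *         callers); otherwise an object with ->status_ok (bool) and
 *         ->status_code (null on success, ERROR_LDAP_AUTH_FAILED when no
 *         entry accepted the bind, or the connect status when binding the
 *         service account failed).
 */
function ldap_authenticate($p_login_name, $p_password)
{
    # If the password is empty and the LDAP server allows anonymous binds,
    # ldap_bind() would succeed for any DN, so a blank password has to be
    # rejected before anything else happens.
    if (is_blank($p_password)) {
        return false;
    }

    $t_authenticated = new stdClass();
    $t_authenticated->status_ok = true;
    $t_authenticated->status_code = null;

    $authCfg = config_get('authentication');
    $t_ldap_organization = $authCfg['ldap_organization'];
    $t_ldap_root_dn = $authCfg['ldap_root_dn'];
    $t_ldap_uid_field = $authCfg['ldap_uid_field']; // 'uid' by default

    # The login name comes straight from the user: escape LDAP filter
    # metacharacters (e.g. '*', '(', ')') so it cannot change the structure
    # of the search filter (LDAP injection). Same helper as the rest of the file.
    $c_username = ldap_escape_string($p_login_name);
    $t_search_filter = "(&{$t_ldap_organization}({$t_ldap_uid_field}={$c_username}))";
    $t_search_attrs = array($t_ldap_uid_field, 'dn');

    $t_connect = ldap_connect_bind();
    if (is_null($t_connect->handler)) {
        # Service-account bind failed; report the connect status to the caller.
        $t_authenticated->status_ok = false;
        $t_authenticated->status_code = $t_connect->status;
        return $t_authenticated;
    }
    $t_ds = $t_connect->handler;

    # Pessimistic default until a bind succeeds.
    $t_authenticated->status_ok = false;
    $t_authenticated->status_code = ERROR_LDAP_AUTH_FAILED;

    # Search for the user id
    $t_sr = ldap_search($t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs);
    if ($t_sr === false) {
        # A failed search used to be passed on to ldap_get_entries() and
        # ldap_free_result(), which is an error on PHP 8; treat it as a failure.
        ldap_unbind($t_ds);
        return $t_authenticated;
    }

    $t_info = ldap_get_entries($t_ds, $t_sr);
    if ($t_info !== false && $t_info['count'] > 0) {
        # Try to authenticate as each matching entry until one accepts the password
        for ($i = 0; $i < $t_info['count']; $i++) {
            $t_dn = $t_info[$i]['dn'];
            # Attempt to bind with the DN and password
            if (@ldap_bind($t_ds, $t_dn, $p_password)) {
                $t_authenticated->status_ok = true;
                # Clear the failure code so a successful result is internally consistent.
                $t_authenticated->status_code = null;
                break; # Don't need to go any further
            }
        }
    }

    ldap_free_result($t_sr);
    ldap_unbind($t_ds);

    return $t_authenticated;
}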
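/**
 * Authenticates a local user against LDAP (MantisBT variant: ldap_connect_bind()
 * returns the LDAP link itself).
 *
 * The user's username is looked up under ldap_root_dn and a bind is attempted
 * as each matching DN with the supplied password.
 *
 * @param int    $p_user_id  Id of the local user whose username is looked up.
 * @param string $p_password The password to bind with.
 * @return bool true when a matching entry accepted the bind, false otherwise
 *              (including a blank password and a failed search).
 */
function ldap_authenticate($p_user_id, $p_password)
{
    # If the password is empty and the LDAP server allows anonymous binds,
    # ldap_bind() would succeed for any DN, so reject a blank password up front.
    if (is_blank($p_password)) {
        return false;
    }

    $t_ldap_organization = config_get('ldap_organization');
    $t_ldap_root_dn = config_get('ldap_root_dn');
    $t_ldap_uid_field = config_get('ldap_uid_field', 'uid');
    $t_username = user_get_field($p_user_id, 'username');

    # The username is user-controlled data; escape LDAP filter metacharacters
    # (e.g. '*', '(', ')') so it cannot alter the filter (LDAP injection).
    # ldap_escape() is the PHP built-in (5.6+).
    $c_username = ldap_escape($t_username, '', LDAP_ESCAPE_FILTER);
    $t_search_filter = "(&{$t_ldap_organization}({$t_ldap_uid_field}={$c_username}))";
    $t_search_attrs = array($t_ldap_uid_field, 'dn');

    $t_ds = ldap_connect_bind();

    # Search for the user id
    $t_sr = ldap_search($t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs);
    if ($t_sr === false) {
        # A failed search used to be fed into ldap_get_entries() and
        # ldap_free_result(); treat it as an authentication failure instead.
        ldap_unbind($t_ds);
        return false;
    }

    $t_info = ldap_get_entries($t_ds, $t_sr);

    $t_authenticated = false;
    if ($t_info) {
        # Try to authenticate as each matching entry until one accepts the password
        for ($i = 0; $i < $t_info['count']; $i++) {
            $t_dn = $t_info[$i]['dn'];
            # Attempt to bind with the DN and password
            if (@ldap_bind($t_ds, $t_dn, $p_password)) {
                $t_authenticated = true;
                break; # Don't need to go any further
            }
        }
    }

    ldap_free_result($t_sr);
    ldap_unbind($t_ds);

    return $t_authenticated;
}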
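/**
 * Gets the username from LDAP given the email address
 *
 * @todo Implement caching by retrieving all needed information in one query.
 * @todo Implement logging to LDAP queries same way like DB queries.
 *
 * @param string $p_email_address The email address.
 * @return string|null The username, or null when LDAP is not the active login
 *         method, when no entry matches, or when any LDAP step fails.
 *
 * Based on ldap_get_field_from_username from MantisBT 1.2.14
 */
private function ldap_get_username_from_email($p_email_address)
{
    # Only meaningful when LDAP is the configured login method.
    if ($this->_login_method != LDAP) {
        return null;
    }

    $t_email_field = 'mail';
    $t_ldap_organization = config_get('ldap_organization');
    $t_ldap_root_dn = config_get('ldap_root_dn');
    $t_ldap_uid_field = config_get('ldap_uid_field');
    # Escape filter metacharacters: the address is caller-supplied.
    $c_email_address = ldap_escape_string($p_email_address);

    log_event(LOG_LDAP, "Retrieving field '{$t_ldap_uid_field}' for '{$p_email_address}'");

    # Bind
    log_event(LOG_LDAP, "Binding to LDAP server");
    $t_ds = @ldap_connect_bind();
    if ($t_ds === false) {
        ldap_log_error($t_ds);
        return null;
    }

    # Search
    $t_search_filter = "(&{$t_ldap_organization}({$t_email_field}={$c_email_address}))";
    $t_search_attrs = array($t_ldap_uid_field, $t_email_field, 'dn');
    log_event(LOG_LDAP, "Searching for {$t_search_filter}");
    $t_sr = @ldap_search($t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs);
    if ($t_sr === false) {
        ldap_log_error($t_ds);
        ldap_unbind($t_ds);
        log_event(LOG_LDAP, "ldap search failed");
        return null;
    }

    # Get results
    $t_info = ldap_get_entries($t_ds, $t_sr);
    if ($t_info === false) {
        ldap_log_error($t_ds);
        log_event(LOG_LDAP, "ldap_get_entries() returned false.");
        # Release the search result and the connection on this path as well;
        # previously this branch returned with both still open.
        ldap_free_result($t_sr);
        ldap_unbind($t_ds);
        return null;
    }

    # Free results / unbind
    log_event(LOG_LDAP, "Unbinding from LDAP server");
    ldap_free_result($t_sr);
    ldap_unbind($t_ds);

    # If no matches, return null.
    if ($t_info['count'] == 0) {
        log_event(LOG_LDAP, "No matches found.");
        return null;
    }

    # ldap_get_entries() reports attribute names in lowercase, so the configured
    # field is looked up by its lowercased name.
    $t_field_key = strtolower($t_ldap_uid_field);
    if (!is_array($t_info[0]) || !array_key_exists($t_field_key, $t_info[0])) {
        log_event(LOG_LDAP, "WARNING: field '{$t_ldap_uid_field}' does not exist");
        return null;
    }

    $t_value = $t_info[0][$t_field_key][0];
    log_event(LOG_LDAP, "Found value '{$t_value}' for field '{$t_ldap_uid_field}'.");

    return $t_value;
}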
/**
 * Authenticates a user via LDAP given the username and password.
 *
 * Either delegates to the LDAP simulation (when enabled) or binds against the
 * real directory as each entry matching the username. On success the local
 * user record is refreshed from LDAP so later requests can use local data and
 * the DB path can serve as a fallback when LDAP is down.
 *
 * @param string $p_username The user name.
 * @param string $p_password The password.
 * @return bool true: authenticated, false: failed to authenticate.
 */
function ldap_authenticate_by_username($p_username, $p_password)
{
    if (ldap_simulation_is_enabled()) {
        log_event(LOG_LDAP, "Authenticating via LDAP simulation");
        $t_is_authenticated = ldap_simulation_authenticate_by_username($p_username, $p_password);
    } else {
        $t_ldap_root_dn = config_get('ldap_root_dn');
        $t_ldap_uid_field = config_get('ldap_uid_field', 'uid');
        $t_ldap_organization = config_get('ldap_organization');

        # Escaped copy of the username, so metacharacters in the login name
        # cannot alter the structure of the search filter.
        $c_username = ldap_escape_string($p_username);
        $t_search_filter = "(&{$t_ldap_organization}({$t_ldap_uid_field}={$c_username}))";
        $t_search_attrs = array($t_ldap_uid_field, 'dn');

        # Bind
        # NOTE(review): the code below assumes trigger_error(..., ERROR) does not
        # return (presumably MantisBT's error handler halts) — confirm.
        log_event(LOG_LDAP, "Binding to LDAP server");
        $t_link = ldap_connect_bind();
        if ($t_link === false) {
            ldap_log_error($t_link);
            trigger_error(ERROR_LDAP_AUTH_FAILED, ERROR);
        }

        # Search for the user id
        log_event(LOG_LDAP, "Searching for {$t_search_filter}");
        $t_result = ldap_search($t_link, $t_ldap_root_dn, $t_search_filter, $t_search_attrs);
        if ($t_result === false) {
            ldap_log_error($t_link);
            ldap_unbind($t_link);
            log_event(LOG_LDAP, "ldap search failed");
            trigger_error(ERROR_LDAP_AUTH_FAILED, ERROR);
        }

        $t_entries = @ldap_get_entries($t_link, $t_result);
        if ($t_entries === false) {
            ldap_log_error($t_link);
            ldap_free_result($t_result);
            ldap_unbind($t_link);
            trigger_error(ERROR_LDAP_AUTH_FAILED, ERROR);
        }

        $t_is_authenticated = false;
        $t_count = $t_entries['count'];
        if ($t_count > 0) {
            # Bind as each matching entry in turn; stop at the first one that
            # accepts the password.
            $t_index = 0;
            while (!$t_is_authenticated && $t_index < $t_count) {
                $t_dn = $t_entries[$t_index]['dn'];
                log_event(LOG_LDAP, "Checking {$t_dn}");
                $t_is_authenticated = (bool)@ldap_bind($t_link, $t_dn, $p_password);
                $t_index++;
            }
        } else {
            log_event(LOG_LDAP, "No matching entries found");
        }

        log_event(LOG_LDAP, "Unbinding from LDAP server");
        ldap_free_result($t_result);
        ldap_unbind($t_link);
    }

    if (!$t_is_authenticated) {
        log_event(LOG_LDAP, "Authentication failed");
        return $t_is_authenticated;
    }

    # Mirror LDAP-side data into the local DB after a successful login, so the
    # session can use local data without going back to LDAP and the DB login
    # path can act as a fallback when LDAP is unavailable.
    $t_user_id = user_get_id_by_name($p_username);
    if (false !== $t_user_id) {
        # NOTE(review): this stores an unsalted MD5 of the user's LDAP password
        # in the local user table — presumably to match what the DB password
        # check expects; confirm before changing the digest.
        $t_fields_to_update = array('password' => md5($p_password));
        if (ON == config_get('use_ldap_realname')) {
            $t_fields_to_update['realname'] = ldap_realname($t_user_id);
        }
        if (ON == config_get('use_ldap_email')) {
            $t_fields_to_update['email'] = ldap_email_from_username($p_username);
        }
        user_set_fields($t_user_id, $t_fields_to_update);
    }
    log_event(LOG_LDAP, "User '{$p_username}' authenticated");

    return $t_is_authenticated;
}
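/**
 * Function to search the dn for a given user. Error messages in $ldap_cache["error"];
 *
 * @param string $login User login (user-supplied)
 *
 * @return mixed The DN if the user is found, false in other case
 */
function ldap_search_user($login)
{
    global $ldap_cache, $config;

    $nick = false;
    if (!ldap_connect_bind()) {
        return $nick;
    }

    $ldap_config = $config["auth_methods"];

    // $login is user input: escape LDAP filter metacharacters ('*', '(', ')',
    // '\', NUL) so it cannot change the structure of the filter and bypass
    // ldap_user_filter (LDAP injection). ldap_escape() is the PHP built-in.
    $c_login = ldap_escape($login, '', LDAP_ESCAPE_FILTER);
    $filter = "(&(" . $ldap_config["ldap_login_attr"] . "=" . $c_login . ")" . $ldap_config["ldap_user_filter"] . ")";

    $sr = @ldap_search($ldap_cache["ds"], $ldap_config["ldap_base_dn"], $filter, array_values($ldap_config["ldap_user_attr"]));
    if (!$sr) {
        $ldap_cache["error"] .= 'Error searching LDAP server: ' . ldap_error($ldap_cache["ds"]);
    } else {
        $info = @ldap_get_entries($ldap_cache["ds"], $sr);
        // Exactly one match is required: zero means an unknown user, more than
        // one means the login attribute is ambiguous. A failed
        // ldap_get_entries() (false) is rejected the same way rather than
        // being indexed.
        if ($info === false || $info['count'] != 1) {
            $ldap_cache["error"] .= 'Invalid user';
        } else {
            $nick = $info[0]['dn'];
        }
        @ldap_free_result($sr);
    }
    @ldap_close($ldap_cache["ds"]);

    return $nick;
}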
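/**
 * CRITICAL - Mantis and TestLink have different return structure from ldap_connect_bind()
 *
 * Gets the value of a specific field from LDAP given the user name
 * and LDAP field name.
 *
 * @param string $p_username The user name.
 * @param string $p_field The LDAP field name (matched case-insensitively,
 *        since ldap_get_entries() reports attribute names in lowercase).
 * @return string|null The field value or null if not found or on any LDAP error.
 */
function ldap_get_field_from_username($p_username, $p_field)
{
    $authCfg = config_get('authentication');
    $t_ldap_organization = $authCfg['ldap_organization'];
    $t_ldap_root_dn = $authCfg['ldap_root_dn'];
    $t_ldap_uid_field = $authCfg['ldap_uid_field']; // 'uid' by default

    # Escape filter metacharacters in the caller-supplied username.
    $c_username = ldap_escape_string($p_username);

    # DIFFERENCE WITH MANTIS: TestLink's ldap_connect_bind() returns an object
    # whose ->handler holds the link (null when the bind failed) rather than
    # the link itself, so a bare `=== false` check would let a null handler
    # through to ldap_search(). Check both shapes.
    $t_connect = @ldap_connect_bind();
    if (!is_object($t_connect) || is_null($t_connect->handler)) {
        return null;
    }
    $t_ds = $t_connect->handler;

    # Search
    $t_search_filter = "(&{$t_ldap_organization}({$t_ldap_uid_field}={$c_username}))";
    $t_search_attrs = array($t_ldap_uid_field, $p_field, 'dn');
    $t_sr = @ldap_search($t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs);
    if ($t_sr === false) {
        ldap_unbind($t_ds);
        return null;
    }

    # Get results
    $t_info = ldap_get_entries($t_ds, $t_sr);
    if ($t_info === false) {
        ldap_log_error($t_ds);
        # Release the result and the connection on this path too; previously
        # this branch returned with both still open.
        ldap_free_result($t_sr);
        ldap_unbind($t_ds);
        return null;
    }

    # Free results / unbind
    ldap_free_result($t_sr);
    ldap_unbind($t_ds);

    # If no matches, return null.
    if ($t_info['count'] == 0) {
        return null;
    }

    # ldap_get_entries() lowercases attribute names, so look the requested
    # field up by its lowercased name (a mixed-case $p_field used to miss).
    $t_field_key = strtolower($p_field);
    if (!is_array($t_info[0]) || !array_key_exists($t_field_key, $t_info[0])) {
        return null;
    }

    return $t_info[0][$t_field_key][0];
}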