getAttributes() public méthode

Search a given DN for attributes, and return the resulting associative array.
See also: http://no.php.net/manual/en/function.ldap-read.php
public getAttributes ( string $dn, string | array $attributes = null, integer $maxsize = null ) : array
$dn string The DN of an element.
$attributes string | array The names of the attribute(s) to retrieve. Defaults to NULL; that is, all available attributes. Note that retrieving all attributes is not very efficient.
$maxsize integer The maximum size of any attribute's value(s). If exceeded, the attribute will not be returned.
Résultat array The array of attributes and their values.
 /**
  * Look up the attributes of the entry at $dn.
  *
  * A fresh connection is opened from this source's host, TLS, debug, timeout,
  * port and referral settings. When privRead is configured the connection is
  * first bound with the privileged DN and password (presumably because the
  * caller's own bind lacks read rights), and a failed privileged bind is a
  * configuration error rather than a "wrong password" condition.
  *
  * @param string $dn The DN of the entry to read.
  * @param string|array|null $attributes Attribute name(s) to fetch; anything
  *     loosely equal to NULL (NULL, '', an empty array) selects the attribute
  *     list configured for this source.
  * @return array Attributes of the entry, as returned by SimpleSAML_Auth_LDAP::getAttributes().
  * @throws Exception If the privileged bind fails.
  */
 public function getAttributes($dn, $attributes = NULL)
 {
     $wanted = (NULL == $attributes) ? $this->attributes : $attributes;
     $connection = new SimpleSAML_Auth_LDAP(
         $this->hostname,
         $this->enableTLS,
         $this->debug,
         $this->timeout,
         $this->port,
         $this->referrals
     );
     /* Rebind with the privileged credentials only when the source asks for it. */
     if ($this->privRead && !$connection->bind($this->privUsername, $this->privPassword)) {
         throw new Exception('Error authenticating using privileged DN & password.');
     }
     return $connection->getAttributes($dn, $wanted);
 }
Exemple #2
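 // $_POST['org'] is client controlled: only a configured organisation key may
 // select the LDAP settings. Indexing $ldapmulti with anything else would leave
 // $ldapconfig NULL and the bind below would run against an empty DN pattern.
 if (!isset($_POST['org']) || !is_string($_POST['org']) || !array_key_exists($_POST['org'], $ldapmulti)) {
     throw new Exception('Unknown organization');
 }
 $ldapconfig = $ldapmulti[$_POST['org']];
 // Credentials are only accepted as plain strings; anything else counts as empty.
 $username = (isset($_POST['username']) && is_string($_POST['username'])) ? $_POST['username'] : '';
 $pwd = (isset($_POST['password']) && is_string($_POST['password'])) ? $_POST['password'] : '';
 // Open the connection from this organisation's settings before it is used for
 // the DN search, so the search bind and the user bind target the same host.
 $ldap = new SimpleSAML_Auth_LDAP($ldapconfig['hostname'], $ldapconfig['enable_tls']);
 if ($ldapconfig['search.enable'] === TRUE) {
     if (!$ldap->bind($ldapconfig['search.username'], $ldapconfig['search.password'])) {
         throw new Exception('Error authenticating using search username & password.');
     }
     // NOTE(review): relies on searchfordn() escaping filter metacharacters in $username — confirm.
     $dn = $ldap->searchfordn($ldapconfig['search.base'], $ldapconfig['search.attributes'], $username);
     if ($dn === NULL) {
         // Same error as a wrong password, so the response does not reveal which usernames exist.
         SimpleSAML_Logger::info('AUTH - ldap-multi: ' . $username . ' failed to authenticate. No DN found.');
         throw new Exception('Wrong username or password');
     }
 } else {
     // Escape DN-special characters before substituting the username into the
     // pattern (as login() on this page does), so a crafted username cannot
     // alter the structure of the DN.
     $ldapusername = addcslashes($username, ',+"\\<>;*');
     $dn = str_replace('%username%', $ldapusername, $ldapconfig['dnpattern']);
 }
 // The empty-password test must come before bind(): an LDAP simple bind with a
 // DN and an empty password is an unauthenticated bind, which a server may accept.
 if ($pwd === '' || !$ldap->bind($dn, $pwd)) {
     SimpleSAML_Logger::info('AUTH - ldap-multi: ' . $username . ' failed to authenticate. DN=' . $dn);
     throw new Exception('Wrong username or password');
 }
 $attributes = $ldap->getAttributes($dn, $ldapconfig['attributes']);
 SimpleSAML_Logger::info('AUTH - ldap-multi: ' . $username . ' successfully authenticated');
 $session->doLogin('login-ldapmulti');
 $session->setAttributes($attributes);
 $session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
 /**
  * Create a statistics log entry for every successful login attempt.
  * Also log a specific attribute as set in the config: statistics.authlogattr
  */
 $authlogattr = $config->getValue('statistics.authlogattr', null);
 // isset() on the first value avoids an undefined-index notice when the
 // configured attribute is present but has no values.
 if ($authlogattr && isset($attributes[$authlogattr][0])) {
     SimpleSAML_Logger::stats('AUTH-login-ldapmulti OK ' . $attributes[$authlogattr][0]);
 } else {
     SimpleSAML_Logger::stats('AUTH-login-ldapmulti OK');
 }
 // NOTE(review): RelayState is a client-supplied redirect target; it must be
 // validated before any redirect uses it (that code is outside this excerpt).
 $returnto = $_REQUEST['RelayState'];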
Exemple #3
 /**
  * Look up the attributes of the entry at $dn over a new connection built
  * from this source's host, TLS, debug and timeout settings.
  *
  * @param string $dn The DN of the entry to read.
  * @param string|array|null $attributes Attribute name(s) to fetch; anything
  *     loosely equal to NULL (NULL, '', an empty array) selects the attribute
  *     list configured for this source.
  * @return array Attributes of the entry, as returned by SimpleSAML_Auth_LDAP::getAttributes().
  */
 public function getAttributes($dn, $attributes = NULL)
 {
     $wanted = (NULL == $attributes) ? $this->attributes : $attributes;
     $connection = new SimpleSAML_Auth_LDAP($this->hostname, $this->enableTLS, $this->debug, $this->timeout);
     return $connection->getAttributes($dn, $wanted);
 }
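 /**
  * Attempt to log in using the given username and password.
  *
  * Will throw a SimpleSAML_Error_Error('WRONGUSERPASS') if the username or password is wrong.
  * The same error code is used when no DN is found for the username, so the
  * response does not reveal whether the account exists.
  * If there is a configuration problem, an Exception will be thrown.
  *
  * Failed binds are counted through the 'auth2factor' source: the user gets a
  * '2FAILEDATTEMPTWARNING' / '1FAILEDATTEMPTWARNING' error when two, then one,
  * attempts remain before the limit, and 'ACCOUNTLOCKED' once the source
  * reports the account as locked. A successful login resets the counter.
  *
  * @param string $username  The username the user wrote.
  * @param string $password  The password the user wrote.
  * @param array $sasl_args  Array of SASL options for LDAP bind, or NULL for a simple bind.
  * @return array  Associative array with the users attributes.
  * @throws SimpleSAML_Error_Error On a wrong username/password, a remaining-attempts warning, or a locked account.
  * @throws Exception On a search-bind or privileged-bind failure, or when the auth2factor source is missing.
  */
 public function login($username, $password, array $sasl_args = NULL)
 {
     assert('is_string($username)');
     assert('is_string($password)');
     /* An empty (or non-string) password must be rejected before bind(): an LDAP
      * simple bind with a DN and no password is an unauthenticated bind, which a
      * server may accept. empty() is not used because it would also reject the
      * legitimate password "0". */
     if (!is_string($password) || $password === '') {
         SimpleSAML_Logger::info($this->location . ': Login with empty password disallowed.');
         throw new SimpleSAML_Error_Error('WRONGUSERPASS');
     }
     $ldap = new SimpleSAML_Auth_LDAP($this->hostname, $this->enableTLS, $this->debug, $this->timeout, $this->port, $this->referrals);
     if (!$this->searchEnable) {
         /* Escape DN-special characters so the username cannot change the DN structure. */
         $ldapusername = addcslashes($username, ',+"\\<>;*');
         $dn = str_replace('%username%', $ldapusername, $this->dnPattern);
     } else {
         if ($this->searchUsername !== NULL) {
             if (!$ldap->bind($this->searchUsername, $this->searchPassword)) {
                 throw new Exception('Error authenticating using search username & password.');
             }
         }
         $dn = $ldap->searchfordn($this->searchBase, $this->searchAttributes, $username, TRUE);
         if ($dn === NULL) {
             /* User not found with search. */
             SimpleSAML_Logger::info($this->location . ': Unable to find users DN. username=\'' . $username . '\'');
             throw new SimpleSAML_Error_Error('WRONGUSERPASS');
         }
     }
     $qaLogin = SimpleSAML_Auth_Source::getById('auth2factor');
     // Without the lockout source every failed bind below would be a fatal
     // method call on a non-object; report it as a configuration error instead.
     if (!is_object($qaLogin)) {
         throw new Exception('The auth2factor authentication source is not configured.');
     }
     if (!$ldap->bind($dn, $password, $sasl_args)) {
         SimpleSAML_Logger::info($this->location . ': ' . $username . ' failed to authenticate. DN=' . $dn);
         /* Account lockout feature */
         // Contact attributes are needed so the user can be notified of a locked account.
         // NOTE(review): this read happens on the connection whose user bind just
         // failed, so it relies on whatever access that connection now has — confirm.
         $attributes = $ldap->getAttributes($dn, $this->searchAttributes);
         // Attributes missing from the search attribute set are passed as NULL
         // rather than raising an undefined-index notice.
         $contact = array(
             'name' => isset($attributes['givenName'][0]) ? $attributes['givenName'][0] : NULL,
             'mail' => isset($attributes['mail'][0]) ? $attributes['mail'][0] : NULL,
             'uid' => isset($attributes['uid'][0]) ? $attributes['uid'][0] : NULL,
         );
         $qaLogin->failedLoginAttempt($username, 'login_count', $contact);
         $failedAttempts = $qaLogin->getFailedAttempts($username);
         // The cast applies to the stored counts themselves, not to the emptiness test.
         $loginCount = isset($failedAttempts[0]['login_count']) ? (int) $failedAttempts[0]['login_count'] : 0;
         $answerCount = isset($failedAttempts[0]['answer_count']) ? (int) $failedAttempts[0]['answer_count'] : 0;
         $failCount = $loginCount + $answerCount;
         // Warn when two, then one, attempts remain. With a limit below 3 the
         // thresholds are negative and never match, so only isLocked() decides.
         $maxFail = (int) $qaLogin->getmaxFailLogin();
         if ($failCount === $maxFail - 2) {
             throw new SimpleSAML_Error_Error('2FAILEDATTEMPTWARNING');
         }
         if ($failCount === $maxFail - 1) {
             throw new SimpleSAML_Error_Error('1FAILEDATTEMPTWARNING');
         }
         if ($qaLogin->isLocked($username)) {
             throw new SimpleSAML_Error_Error('ACCOUNTLOCKED');
         }
         throw new SimpleSAML_Error_Error('WRONGUSERPASS');
     }
     /* In case of SASL bind, authenticated and authorized DN may differ */
     if (isset($sasl_args)) {
         $dn = $ldap->whoami($this->searchBase, $this->searchAttributes);
     }
     /* Are privs needed to get the attributes? */
     if ($this->privRead) {
         /* Yes, rebind with privs */
         if (!$ldap->bind($this->privUsername, $this->privPassword)) {
             throw new Exception('Error authenticating using privileged DN & password.');
         }
     }
     // Reaching this point means the user bind succeeded, so clear the failure counter.
     $qaLogin->resetFailedLoginAttempts($username, 'login_count');
     return $ldap->getAttributes($dn, $this->attributes);
 }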
Exemple #5
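 /**
  * Attempt to log in using the given username and password.
  *
  * Will throw a SimpleSAML_Error_Error('WRONGUSERPASS') if the username or password is wrong.
  * The same error code is used when no DN is found for the username, so the
  * response does not reveal whether the account exists.
  * If there is a configuration problem, an Exception will be thrown.
  *
  * @param string $username  The username the user wrote.
  * @param string $password  The password the user wrote.
  * @param array $sasl_args  Array of SASL options for LDAP bind, or NULL for a simple bind.
  * @return array  Associative array with the users attributes.
  * @throws SimpleSAML_Error_Error On an empty password, unknown user or failed user bind.
  * @throws Exception On a search-bind or privileged-bind failure.
  */
 public function login($username, $password, array $sasl_args = NULL)
 {
     assert('is_string($username)');
     assert('is_string($password)');
     /* An empty (or non-string) password must be rejected before bind(): an LDAP
      * simple bind with a DN and no password is an unauthenticated bind, which a
      * server may accept. empty() is not used because it would also reject the
      * legitimate password "0". */
     if (!is_string($password) || $password === '') {
         SimpleSAML_Logger::info($this->location . ': Login with empty password disallowed.');
         throw new SimpleSAML_Error_Error('WRONGUSERPASS');
     }
     $ldap = new SimpleSAML_Auth_LDAP($this->hostname, $this->enableTLS, $this->debug, $this->timeout);
     if (!$this->searchEnable) {
         /* Escape DN-special characters so the username cannot change the DN structure. */
         $ldapusername = addcslashes($username, ',+"\\<>;*');
         $dn = str_replace('%username%', $ldapusername, $this->dnPattern);
     } else {
         if ($this->searchUsername !== NULL) {
             if (!$ldap->bind($this->searchUsername, $this->searchPassword)) {
                 throw new Exception('Error authenticating using search username & password.');
             }
         }
         $dn = $ldap->searchfordn($this->searchBase, $this->searchAttributes, $username, TRUE);
         if ($dn === NULL) {
             /* User not found with search. */
             SimpleSAML_Logger::info($this->location . ': Unable to find users DN. username=\'' . $username . '\'');
             throw new SimpleSAML_Error_Error('WRONGUSERPASS');
         }
     }
     if (!$ldap->bind($dn, $password, $sasl_args)) {
         SimpleSAML_Logger::info($this->location . ': ' . $username . ' failed to authenticate. DN=' . $dn);
         throw new SimpleSAML_Error_Error('WRONGUSERPASS');
     }
     /* In case of SASL bind, authenticated and authorized DN may differ */
     if (isset($sasl_args)) {
         $dn = $ldap->whoami($this->searchBase, $this->searchAttributes);
     }
     /* Are privs needed to get the attributes? */
     if ($this->privRead) {
         /* Yes, rebind with privs */
         if (!$ldap->bind($this->privUsername, $this->privPassword)) {
             throw new Exception('Error authenticating using privileged DN & password.');
         }
     }
     return $ldap->getAttributes($dn, $this->attributes);
 }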
     /* We aren't configured to search for the dn. Insert the LDAP username into the pattern
      * configured in the 'auth.ldap.dnpattern' option.
      */
     $dn = str_replace('%username%', $ldapusername, $ldapconfig->getValue('auth.ldap.dnpattern'));
 }
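 /*
  * Do LDAP bind using DN. The password test comes first: an LDAP simple bind
  * with a DN and an empty password is an unauthenticated bind, which a server
  * may accept without verifying anything, so it must never reach bind(). A
  * non-string value is rejected the same way.
  */
 if (!is_string($password) || $password === '' || !$ldap->bind($dn, $password)) {
     SimpleSAML_Logger::info('AUTH - ldap: ' . $username . ' failed to authenticate. DN=' . $dn);
     throw new Exception('error_wrongpassword');
 }
 /*
  * Retrieve attributes from LDAP
  */
 $attributes = $ldap->getAttributes($dn, $ldapconfig->getValue('auth.ldap.attributes', null));
 SimpleSAML_Logger::info('AUTH - ldap: ' . $ldapusername . ' successfully authenticated');
 $session->doLogin('login');
 $session->setAttributes($attributes);
 $session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
 /**
  * Create a statistics log entry for every successful login attempt.
  * Also log a specific attribute as set in the config: statistics.authlogattr
  */
 $authlogattr = $config->getValue('statistics.authlogattr', null);
 // isset() on the first value avoids an undefined-index notice when the
 // configured attribute is present but has no values.
 if ($authlogattr && isset($attributes[$authlogattr][0])) {
     SimpleSAML_Logger::stats('AUTH-login OK ' . $attributes[$authlogattr][0]);
 } else {
     SimpleSAML_Logger::stats('AUTH-login OK');
 }
 // NOTE(review): RelayState is a client-supplied redirect target; it must be
 // validated before any redirect uses it (that code is outside this excerpt).
 $returnto = $_REQUEST['RelayState'];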
Exemple #7
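 if (isset($orgconfig['adminUser'])) {
     // Bind with the admin account so the ePPN search is permitted. A failed
     // bind is a configuration error; silently continuing would run the
     // search on an unbound connection (the other sources on this page throw).
     if (!$ldap->bind($orgconfig['adminUser'], $orgconfig['adminPassword'])) {
         throw new Exception('Error authenticating using admin username & password.');
     }
 }
 $eppn = $requestedUser . "@" . $requestedOrg;
 // NOTE(review): relies on searchfordn() escaping filter metacharacters in $eppn — confirm.
 $dn = $ldap->searchfordn($orgconfig['searchbase'], 'eduPersonPrincipalName', $eppn);
 if ($dn === NULL) {
     // Same error as a wrong password, so the response does not reveal which ePPNs exist.
     SimpleSAML_Logger::info('AUTH - ldap-feide: ' . $requestedUser . ' failed to authenticate. No DN found for ' . $eppn);
     throw new Exception('Wrong username or password');
 }
 /*
  * Do LDAP bind using DN found from the search on ePPN. The password test
  * comes first: an LDAP simple bind with a DN and an empty password is an
  * unauthenticated bind, which a server may accept, so it must never reach
  * bind(). A non-string value is rejected the same way.
  */
 if (!is_string($password) || $password === '' || !$ldap->bind($dn, $password)) {
     SimpleSAML_Logger::info('AUTH - ldap-feide: ' . $requestedUser . ' failed to authenticate. DN=' . $dn);
     throw new Exception('Wrong username or password');
 }
 /*
  * Retrieve attributes from LDAP
  */
 $attributes = $ldap->getAttributes($dn, $orgconfig['attributes']);
 /**
  * Retrieve organizational attributes, if the eduPersonOrgDN attribute is set.
  * Each one is stored under an 'eduPersonOrgDN:' prefix so it cannot overwrite
  * a user attribute of the same name.
  */
 if (isset($attributes['eduPersonOrgDN'][0])) {
     $orgdn = $attributes['eduPersonOrgDN'][0];
     foreach ($ldap->getAttributes($orgdn) as $orgattributename => $orgvalues) {
         $attributes['eduPersonOrgDN:' . $orgattributename] = $orgvalues;
     }
 }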
 /*