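/**
 * Authenticates a user against LDAP: looks up the DN(s) whose uid field
 * matches the login name under the configured root DN, then tries to bind
 * with the supplied password against each DN until one succeeds.
 *
 * @param string $p_login_name Login name to look up in the uid field.
 * @param string $p_password   Clear-text password to bind with.
 * @return stdClass|false false when the password is blank (kept as-is for
 *                        existing callers); otherwise an object with
 *                        - status_ok   (bool)  true when a bind succeeded
 *                        - status_code (mixed) null on success, otherwise
 *                          ERROR_LDAP_AUTH_FAILED or the connect status
 */
function ldap_authenticate($p_login_name, $p_password)
{
    # An empty password must never reach ldap_bind(): if the directory allows
    # anonymous binds an empty credential succeeds for any existing DN, so
    # this special case is rejected up front.
    if (is_blank($p_password)) {
        return false;
    }

    $t_authenticated = new stdClass();
    $t_authenticated->status_ok = TRUE;
    $t_authenticated->status_code = null;

    $authCfg = config_get('authentication');
    $t_ldap_organization = $authCfg['ldap_organization'];
    $t_ldap_root_dn = $authCfg['ldap_root_dn'];
    $t_ldap_uid_field = $authCfg['ldap_uid_field'];   // 'uid' by default

    # The login name is caller-supplied and is interpolated into the search
    # filter: escape LDAP filter metacharacters first (same helper the other
    # LDAP lookups use), otherwise a crafted name can change the filter's
    # structure and match entries other than the intended one.
    $c_login_name = ldap_escape_string($p_login_name);
    $t_search_filter = "(&{$t_ldap_organization}({$t_ldap_uid_field}={$c_login_name}))";
    $t_search_attrs = array($t_ldap_uid_field, 'dn');

    $t_connect = ldap_connect_bind();
    if (is_null($t_connect->handler)) {
        # Connect/bind failed: report the connector's own status code.
        $t_authenticated->status_ok = false;
        $t_authenticated->status_code = $t_connect->status;
        return $t_authenticated;
    }

    $t_ds = $t_connect->handler;
    # Assume failure until a bind succeeds.
    $t_authenticated->status_ok = false;
    $t_authenticated->status_code = ERROR_LDAP_AUTH_FAILED;

    # Search for the user id
    $t_sr = ldap_search($t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs);
    if ($t_sr === false) {
        # A failed search must not be handed to ldap_get_entries() /
        # ldap_free_result() as if it were a result handle.
        ldap_unbind($t_ds);
        return $t_authenticated;
    }

    $t_info = ldap_get_entries($t_ds, $t_sr);
    if ($t_info) {
        # Try to authenticate to each until we get a match
        for ($i = 0; $i < $t_info['count']; $i++) {
            $t_dn = $t_info[$i]['dn'];
            # Attempt to bind with the DN and password; stop at the first success
            if (@ldap_bind($t_ds, $t_dn, $p_password)) {
                $t_authenticated->status_ok = true;
                $t_authenticated->status_code = null;
                break;
            }
        }
    }

    ldap_free_result($t_sr);
    ldap_unbind($t_ds);

    return $t_authenticated;
}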
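/**
 * Authenticates the given local user id against LDAP: resolves the account's
 * username, searches for matching DNs under the root DN and tries to bind
 * with the supplied password against each until one succeeds.
 *
 * @param int    $p_user_id  Id of the local user account.
 * @param string $p_password Clear-text password to bind with.
 * @return bool true when a bind succeeded; false otherwise (blank password,
 *              failed connect, failed search or no DN accepting the password).
 */
function ldap_authenticate($p_user_id, $p_password)
{
    # An empty password must never reach ldap_bind(): if the directory allows
    # anonymous binds an empty credential succeeds for any existing DN, so
    # this special case is rejected up front.
    if (is_blank($p_password)) {
        return false;
    }

    $t_ldap_organization = config_get('ldap_organization');
    $t_ldap_root_dn = config_get('ldap_root_dn');
    $t_ldap_uid_field = config_get('ldap_uid_field', 'uid');

    # The username is interpolated into the search filter, so escape LDAP
    # filter metacharacters first: a stored name containing ( ) * or \ would
    # otherwise change the meaning of the filter.
    $t_username = user_get_field($p_user_id, 'username');
    $c_username = ldap_escape_string($t_username);
    $t_search_filter = "(&{$t_ldap_organization}({$t_ldap_uid_field}={$c_username}))";
    $t_search_attrs = array($t_ldap_uid_field, 'dn');

    $t_ds = ldap_connect_bind();
    if ($t_ds === false) {
        return false;
    }

    # Search for the user id
    $t_sr = ldap_search($t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs);
    if ($t_sr === false) {
        # Do not hand a failed search to ldap_get_entries() / ldap_free_result().
        ldap_unbind($t_ds);
        return false;
    }

    $t_info = ldap_get_entries($t_ds, $t_sr);
    $t_authenticated = false;
    if ($t_info) {
        # Try to authenticate to each until we get a match
        for ($i = 0; $i < $t_info['count']; $i++) {
            $t_dn = $t_info[$i]['dn'];
            # Attempt to bind with the DN and password; stop at the first success
            if (@ldap_bind($t_ds, $t_dn, $p_password)) {
                $t_authenticated = true;
                break;
            }
        }
    }

    ldap_free_result($t_sr);
    ldap_unbind($t_ds);

    return $t_authenticated;
}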
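 /**
  * Gets the username from LDAP given the email address
  *
  * @todo Implement caching by retrieving all needed information in one query.
  * @todo Implement logging to LDAP queries same way like DB queries.
  *
  * @param string $p_email_address The email address.
  * @return string|null The username, or null when LDAP is not the login
  *                     method, the connection/search/entry retrieval fails,
  *                     nothing matches or the entry lacks the uid field.
  *
  * Based on ldap_get_field_from_username from MantisBT 1.2.14
  */
 private function ldap_get_username_from_email($p_email_address)
 {
     if ($this->_login_method != LDAP) {
         return null;
     }

     $t_email_field = 'mail';
     $t_ldap_organization = config_get('ldap_organization');
     $t_ldap_root_dn = config_get('ldap_root_dn');
     $t_ldap_uid_field = config_get('ldap_uid_field');

     # The address is interpolated into the search filter; escape it so LDAP
     # filter metacharacters cannot change the filter's structure.
     $c_email_address = ldap_escape_string($p_email_address);
     log_event(LOG_LDAP, "Retrieving field '{$t_ldap_uid_field}' for '{$p_email_address}'");

     # Bind
     log_event(LOG_LDAP, "Binding to LDAP server");
     $t_ds = @ldap_connect_bind();
     if ($t_ds === false) {
         ldap_log_error($t_ds);
         return null;
     }

     # Search
     $t_search_filter = "(&{$t_ldap_organization}({$t_email_field}={$c_email_address}))";
     $t_search_attrs = array($t_ldap_uid_field, $t_email_field, 'dn');
     log_event(LOG_LDAP, "Searching for {$t_search_filter}");
     $t_sr = @ldap_search($t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs);
     if ($t_sr === false) {
         ldap_log_error($t_ds);
         ldap_unbind($t_ds);
         log_event(LOG_LDAP, "ldap search failed");
         return null;
     }

     # Get results. From here on the search result and the connection are
     # released on every path, including the failure one (previously leaked).
     $t_info = ldap_get_entries($t_ds, $t_sr);
     if ($t_info === false) {
         ldap_log_error($t_ds);
         log_event(LOG_LDAP, "ldap_get_entries() returned false.");
         ldap_free_result($t_sr);
         ldap_unbind($t_ds);
         return null;
     }

     # Free results / unbind
     log_event(LOG_LDAP, "Unbinding from LDAP server");
     ldap_free_result($t_sr);
     ldap_unbind($t_ds);

     # If no matches, return null.
     if ($t_info['count'] == 0) {
         log_event(LOG_LDAP, "No matches found.");
         return null;
     }

     # ldap_get_entries() lower-cases attribute names, so the configured
     # field is looked up in lower case regardless of how it was written.
     $t_field_key = strtolower($t_ldap_uid_field);
     if (!is_array($t_info[0]) || !array_key_exists($t_field_key, $t_info[0])) {
         log_event(LOG_LDAP, "WARNING: field '{$t_ldap_uid_field}' does not exist");
         return null;
     }

     $t_value = $t_info[0][$t_field_key][0];
     log_event(LOG_LDAP, "Found value '{$t_value}' for field '{$t_ldap_uid_field}'.");
     return $t_value;
 }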
/**
 * Authenticates an user via LDAP given the username and password.
 *
 * Looks up every DN whose uid field matches the (escaped) username under
 * the configured root DN and tries to bind with the password against each
 * until one succeeds. On success the local user record is refreshed from
 * LDAP so later requests can be served from the local DB.
 *
 * @param string $p_username The user name.
 * @param string $p_password The password.
 * @return true: authenticated, false: failed to authenticate.
 */
function ldap_authenticate_by_username($p_username, $p_password)
{
    if (ldap_simulation_is_enabled()) {
        log_event(LOG_LDAP, "Authenticating via LDAP simulation");
        $t_authenticated = ldap_simulation_authenticate_by_username($p_username, $p_password);
    } else {
        # The username is interpolated into the search filter, so escape
        # LDAP filter metacharacters before building it.
        $c_username = ldap_escape_string($p_username);
        $t_ldap_organization = config_get('ldap_organization');
        $t_ldap_root_dn = config_get('ldap_root_dn');
        $t_ldap_uid_field = config_get('ldap_uid_field', 'uid');
        $t_search_filter = "(&{$t_ldap_organization}({$t_ldap_uid_field}={$c_username}))";
        $t_search_attrs = array($t_ldap_uid_field, 'dn');
        # Bind
        log_event(LOG_LDAP, "Binding to LDAP server");
        $t_ds = ldap_connect_bind();
        if ($t_ds === false) {
            ldap_log_error($t_ds);
            # NOTE(review): no return follows this (nor the two trigger_error()
            # calls below); the code presumably relies on the ERROR-level
            # handler halting the request — confirm it never returns.
            trigger_error(ERROR_LDAP_AUTH_FAILED, ERROR);
        }
        # Search for the user id
        log_event(LOG_LDAP, "Searching for {$t_search_filter}");
        $t_sr = ldap_search($t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs);
        if ($t_sr === false) {
            ldap_log_error($t_ds);
            ldap_unbind($t_ds);
            log_event(LOG_LDAP, "ldap search failed");
            trigger_error(ERROR_LDAP_AUTH_FAILED, ERROR);
        }
        $t_info = @ldap_get_entries($t_ds, $t_sr);
        if ($t_info === false) {
            ldap_log_error($t_ds);
            ldap_free_result($t_sr);
            ldap_unbind($t_ds);
            trigger_error(ERROR_LDAP_AUTH_FAILED, ERROR);
        }
        $t_authenticated = false;
        if ($t_info['count'] > 0) {
            # Try to authenticate to each until we get a match
            for ($i = 0; $i < $t_info['count']; $i++) {
                $t_dn = $t_info[$i]['dn'];
                log_event(LOG_LDAP, "Checking {$t_info[$i]['dn']}");
                # Attempt to bind with the DN and password
                if (@ldap_bind($t_ds, $t_dn, $p_password)) {
                    $t_authenticated = true;
                    break;
                }
            }
        } else {
            log_event(LOG_LDAP, "No matching entries found");
        }
        log_event(LOG_LDAP, "Unbinding from LDAP server");
        ldap_free_result($t_sr);
        ldap_unbind($t_ds);
    }
    # If user authenticated successfully then update the local DB with information
    # from LDAP.  This will allow us to use the local data after login without
    # having to go back to LDAP.  This will also allow fallback to DB if LDAP is down.
    if ($t_authenticated) {
        $t_user_id = user_get_id_by_name($p_username);
        if (false !== $t_user_id) {
            # NOTE(review): md5() is an unsalted, fast hash and is not suitable
            # for storing passwords; it is kept here only because the local
            # (fallback) login path presumably verifies against this exact
            # format. Moving to password_hash()/password_verify() has to be
            # done together with that verification code.
            $t_fields_to_update = array('password' => md5($p_password));
            if (ON == config_get('use_ldap_realname')) {
                $t_fields_to_update['realname'] = ldap_realname($t_user_id);
            }
            if (ON == config_get('use_ldap_email')) {
                $t_fields_to_update['email'] = ldap_email_from_username($p_username);
            }
            user_set_fields($t_user_id, $t_fields_to_update);
        }
        log_event(LOG_LDAP, "User '{$p_username}' authenticated");
    } else {
        log_event(LOG_LDAP, "Authentication failed");
    }
    return $t_authenticated;
}
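/**
 * Function to search the dn for a given user. Error messages in $ldap_cache["error"];
 *
 * @param string $login User login
 *
 * @return mixed The DN if the user is found, false in other case
 */
function ldap_search_user($login)
{
    global $ldap_cache, $config;

    $nick = false;
    if (ldap_connect_bind()) {
        $ds = $ldap_cache["ds"];
        $ldap_auth = $config["auth_methods"];

        # $login is caller-supplied and goes straight into the filter: escape
        # the filter metacharacters ( ) * \ and NUL so the value cannot change
        # the filter's structure (e.g. widen the match or neutralise
        # ldap_user_filter).
        $c_login = ldap_escape($login, '', LDAP_ESCAPE_FILTER);
        $filter = '(&(' . $ldap_auth["ldap_login_attr"] . '=' . $c_login . ')' . $ldap_auth["ldap_user_filter"] . ')';

        $sr = @ldap_search($ds, $ldap_auth["ldap_base_dn"], $filter, array_values($ldap_auth["ldap_user_attr"]));
        if (!$sr) {
            $ldap_cache["error"] .= 'Error searching LDAP server: ' . ldap_error($ds);
        } else {
            $info = @ldap_get_entries($ds, $sr);
            # Exactly one entry must match: zero means unknown user, more than
            # one is ambiguous, and a failed ldap_get_entries() (false) is
            # treated as no match rather than indexed as an array.
            if (!$info || $info['count'] != 1) {
                $ldap_cache["error"] .= 'Invalid user';
            } else {
                $nick = $info[0]['dn'];
            }
            @ldap_free_result($sr);
        }
        @ldap_close($ldap_cache["ds"]);
    }
    return $nick;
}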
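/**
 * CRITICAL - Mantis and TestLink have different return structure from ldap_connect_bind()
 *
 * Gets the value of a specific field from LDAP given the user name
 * and LDAP field name.
 *
 * @param string $p_username The user name.
 * @param string $p_field The LDAP field name.
 * @return string|null The field value, or null when the connection, search or
 *                     entry retrieval fails, nothing matches, or the entry
 *                     lacks the requested field.
 */
function ldap_get_field_from_username($p_username, $p_field)
{
    $authCfg = config_get('authentication');
    $t_ldap_organization = $authCfg['ldap_organization'];
    $t_ldap_root_dn = $authCfg['ldap_root_dn'];
    $t_ldap_uid_field = $authCfg['ldap_uid_field'];   // 'uid' by default

    # Escape LDAP filter metacharacters before interpolating the
    # caller-supplied name into the search filter.
    $c_username = ldap_escape_string($p_username);

    # DIFFERENCE WITH MANTIS: TestLink's ldap_connect_bind() returns an object
    # whose ->handler holds the link (null when connect/bind did not succeed,
    # with the reason in ->status), not the link itself.
    $t_connect = @ldap_connect_bind();
    if ($t_connect === false || is_null($t_connect->handler)) {
        return null;
    }
    $t_ds = $t_connect->handler;

    # Search
    $t_search_filter = "(&{$t_ldap_organization}({$t_ldap_uid_field}={$c_username}))";
    $t_search_attrs = array($t_ldap_uid_field, $p_field, 'dn');
    $t_sr = @ldap_search($t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs);
    if ($t_sr === false) {
        ldap_unbind($t_ds);
        return null;
    }

    # Get results. From here on the search result and the connection are
    # released on every path, including the failure one (previously leaked).
    $t_info = ldap_get_entries($t_ds, $t_sr);
    if ($t_info === false) {
        ldap_log_error($t_ds);
        ldap_free_result($t_sr);
        ldap_unbind($t_ds);
        return null;
    }

    # Free results / unbind
    ldap_free_result($t_sr);
    ldap_unbind($t_ds);

    # If no matches, return null.
    if ($t_info['count'] == 0) {
        return null;
    }

    # ldap_get_entries() lower-cases attribute names, so a field requested
    # as e.g. 'givenName' has to be looked up as 'givenname'.
    $t_field_key = strtolower($p_field);
    if (!is_array($t_info[0]) || !array_key_exists($t_field_key, $t_info[0])) {
        return null;
    }

    return $t_info[0][$t_field_key][0];
}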