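/**
 * Authenticate a user against LDAP.
 *
 * Looks the user up in the directory, records the DN in the session and hands the
 * password and attributes to ldap_storeDetails(), which (as far as this function
 * shows) performs the bind and creates or resyncs the SiT record.
 * If successful and the user is new, the user is created in the database.
 * If successful and the user is returning, the user record is resynced.
 *
 * @author Lea Anthony and Paul Heaney
 * @param string $username      Username (or e-mail address when $searchOnEmail is TRUE)
 * @param string $password      Password. Unless $populateOnly is set an empty password is
 *                              rejected before any directory access: an LDAP bind with a DN
 *                              and an empty password is an unauthenticated (anonymous) bind
 *                              and would otherwise look like a successful login for any
 *                              known user.
 * @param int    $id            The userid or contactid, > 0 to update, else a new record is created
 * @param bool   $user          TRUE for user, FALSE for customer/contact
 * @param bool   $populateOnly  Passed through to ldap_storeDetails(); presumably populates the
 *                              record without authenticating — confirm against that function
 * @param bool   $searchOnEmail Passed to ldap_getDetails() to look the user up by e-mail address
 *                              instead of username
 * @return mixed The value returned by ldap_storeDetails() (TRUE on success, FALSE on failure),
 *               FALSE when the password is empty or the user cannot be located uniquely,
 *               or -1 if the connection to the LDAP server failed
 */
function authenticateLDAP($username, $password, $id = 0, $user = TRUE, $populateOnly = FALSE, $searchOnEmail = FALSE)
{
    debug_log("authenticateLDAP {$username}", TRUE);
    global $CONFIG;

    // Never let an empty password reach the bind (see the $password docs above).
    if (!$populateOnly && (string) $password === '') {
        debug_log("authenticateLDAP: empty password rejected for {$username}", TRUE);
        return false;
    }

    $ldap_conn = ldapOpen();
    // ldapOpen() reports a failed connection as -1; a falsy value cannot be searched either.
    if ($ldap_conn === -1 || !$ldap_conn) {
        return -1;
    }

    $toReturn = false;
    // NOTE(review): $username goes into the directory search as given — confirm that
    // ldap_getDetails() applies ldap_escape() when it builds the filter.
    $entry = ldap_getDetails($username, $searchOnEmail, $ldap_conn);
    if (!$entry) {
        // Zero or multiple matches. E_USER_ERROR terminates the script unless an error
        // handler is installed; the close/return below only run when one is.
        trigger_error("Unable to locate user", E_USER_ERROR);
    } else {
        debug_log("One entry found", TRUE);
        // The DN is stored before authentication is attempted; ldap_storeDetails() may rely on it.
        $_SESSION['ldap_user_dn'] = ldap_get_dn($ldap_conn, $entry);
        $user_attributes = ldap_get_attributes($ldap_conn, $entry);
        $toReturn = ldap_storeDetails($password, $id, $user, $populateOnly, $ldap_conn, $user_attributes);
    }

    // Only reached with a connection this function opened, so no suppression is needed.
    ldap_close($ldap_conn);
    return $toReturn;
}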
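/**
 * Collect the members of one LDAP group as configured for SiT.
 *
 * Helper for saction_ldapSync(). Searches $grp for exactly one entry matching
 * $filter and reads the configured member attribute. When $CONFIG['ldap_grpfulldn']
 * is set only members whose value ends with $CONFIG['ldap_user_base'] are kept,
 * otherwise every member value is kept.
 *
 * @internal
 * @param mixed  $ldap_conn       Open LDAP connection as returned by ldapOpen()
 * @param string $grp             Group DN / search base
 * @param string $filter          Object class filter selecting groups
 * @param array  $attributesToGet Attributes to fetch (the member attribute)
 * @return array|null Members keyed by their own value, or NULL when the group could not
 *                    be read. Callers must not treat NULL as "no members": deprovisioning
 *                    on a failed lookup would disable every LDAP account in SiT.
 */
function ldapSync_groupMembers($ldap_conn, $grp, $filter, $attributesToGet)
{
    global $CONFIG;
    $sr = ldap_search($ldap_conn, $grp, $filter, $attributesToGet);
    if ($sr === false || ldap_count_entries($ldap_conn, $sr) !== 1) {
        return null;
    }
    $entry = ldap_first_entry($ldap_conn, $sr);
    $attributes = ldap_get_attributes($ldap_conn, $entry);
    $memberAttr = $CONFIG['ldap_grpattributegrp'];
    // A group without members has no member attribute at all
    $count = isset($attributes[$memberAttr]['count']) ? (int) $attributes[$memberAttr]['count'] : 0;
    $members = array();
    for ($i = 0; $i < $count; $i++) {
        $member = $attributes[$memberAttr][$i];
        // Full-DN groups: only members under the user base belong to SiT; otherwise keep all
        if (!$CONFIG['ldap_grpfulldn'] || endsWith(strtolower($member), strtolower($CONFIG['ldap_user_base']))) {
            $members[$member] = $member;
        }
    }
    return $members;
}

/**
 * Perform the periodic sync of existing user and contact details from LDAP
 *
 * Members of the configured admin/manager/user groups are resynced into the users
 * table, members of the customer group into the contacts table; accounts flagged as
 * disabled in the directory are disabled in SiT and vice versa. LDAP accounts present
 * in SiT but no longer in any group are disabled — but only when every configured
 * group was read successfully, so a directory outage cannot lock everyone out.
 *
 * @author Paul Heaney
 * @note This function does not create users or contacts it simply updates existing
 * @note details.
 * @return bool TRUE when LDAP is not in use; otherwise the result of the most recent
 *              user store, cleared to FALSE by any later failure (group lookup, contact store)
 */
function saction_ldapSync()
{
    global $CONFIG;
    $success = FALSE;

    if (!$CONFIG['use_ldap']) {
        // Nothing to sync; not an error
        return TRUE;
    }

    $ldap_conn = ldapOpen();
    // ldapOpen() reports a failed connection as -1, which is truthy: a bare truthiness
    // test would carry the failed connection into every search below.
    if (!$ldap_conn || $ldap_conn === -1) {
        return FALSE;
    }

    // NOTE TODO FIXME would be more optimal to pass the user type into the create as in the case where the group membership isn't stored its looked up again
    // Only want GROUPS
    $filter = "(objectClass={$CONFIG['ldap_grpobjecttype']})";
    $attributesToGet = array($CONFIG['ldap_grpattributegrp']);
    $userAttr = $CONFIG['ldap_userattribute'];
    $disabledAttr = isset($CONFIG['ldap_logindisabledattribute']) ? $CONFIG['ldap_logindisabledattribute'] : '';

    // Populate $users with the members of every configured SiT group. If any group
    // cannot be read the list is incomplete and the deprovisioning pass is skipped.
    $users = array();
    $userListComplete = TRUE;
    $userGrps = array($CONFIG['ldap_admin_group'], $CONFIG['ldap_manager_group'], $CONFIG['ldap_user_group']);
    foreach ($userGrps as $grp) {
        if (empty($grp)) {
            continue;
        }
        $members = ldapSync_groupMembers($ldap_conn, $grp, $filter, $attributesToGet);
        if ($members === null) {
            trigger_error("Group {$grp} not found in LDAP", E_USER_WARNING);
            $userListComplete = FALSE;
            continue;
        }
        $users += $members;
    }

    // Populate an array with the LDAP users already in the SiT database
    // NOTE(review): mysql_* was removed in PHP 7; this follows the rest of the file and
    // should move to the project's database layer together with it.
    $sit_db_users = array();
    $sql = "SELECT id, username, status FROM `{$GLOBALS['dbUsers']}` WHERE user_source = 'ldap'";
    $result = mysql_query($sql);
    if (mysql_error()) {
        trigger_error("MySQL Query Error" . mysql_error(), E_USER_WARNING);
    }
    if ($result && mysql_num_rows($result) > 0) {
        while ($obj = mysql_fetch_object($result)) {
            $user_obj = new User();
            $user_obj->id = $obj->id;
            $user_obj->username = $obj->username;
            $user_obj->status = $obj->status;
            $sit_db_users[$obj->username] = $user_obj;
        }
    }

    foreach ($users as $u) {
        $e = ldap_getDetails($u, FALSE, $ldap_conn);
        if (!$e) {
            debug_log("Failed to get details for {$u}");
            continue;
        }
        $user_attributes = ldap_get_attributes($ldap_conn, $e);
        // NOTE(review): this dumps the complete attribute set and user list; confirm
        // debug_log output is off outside development.
        debug_log("user attributes: " . print_r($user_attributes, true), TRUE);
        debug_log("db users: " . print_r($sit_db_users, true), TRUE);

        $username = isset($user_attributes[$userAttr][0]) ? $user_attributes[$userAttr][0] : null;
        $dbUser = ($username !== null && isset($sit_db_users[$username])) ? $sit_db_users[$username] : null;

        // TRUE/FALSE when the directory exposes a disabled flag for this entry, NULL otherwise
        $ldapDisabled = null;
        if ($disabledAttr !== '' && !empty($user_attributes[$disabledAttr])) {
            $ldapDisabled = strtolower($user_attributes[$disabledAttr][0]) === strtolower($CONFIG['ldap_logindisabledvalue']);
        }

        // Reconcile the enabled/disabled state for users SiT already knows about.
        // NOTE(review): a user that is disabled in LDAP but new to SiT falls through to
        // ldap_storeDetails() below — confirm that function honours the disabled flag.
        if ($dbUser !== null && $ldapDisabled !== null) {
            // NOTE(review): status comes back from MySQL as a string; confirm
            // USERSTATUS_ACCOUNT_DISABLED compares equal under ===.
            if ($dbUser->status === USERSTATUS_ACCOUNT_DISABLED) {
                // User is disabled in the SIT db, check to see if we need to re-enable
                if (!$ldapDisabled) {
                    debug_log("Re-enabling user '{$u}' in the SiT users database", TRUE);
                    $dbUser->status = $CONFIG['ldap_default_user_status'];
                    $dbUser->edit();
                }
            } elseif ($ldapDisabled) {
                // User is disabled in LDAP so we want to disable
                $dbUser->disable();
            }
        }

        $userid = 0;
        if ($dbUser !== null) {
            $userid = $dbUser->id;
            // Seen in the directory: no longer a candidate for deprovisioning
            unset($sit_db_users[$username]);
        }
        if (!ldap_storeDetails('', $userid, TRUE, TRUE, $ldap_conn, $user_attributes)) {
            trigger_error("Failed to store details for userid {$userid}", E_USER_WARNING);
            $success = FALSE;
        } else {
            $success = TRUE;
        }
    }

    // Disable users we no longer know about — only when every configured group was read,
    // otherwise a transient directory problem would lock out every LDAP user.
    // TODO reassign incidents?
    if ($userListComplete) {
        foreach ($sit_db_users as $u) {
            debug_log("Disabling {$u->username}");
            $u->disable();
        }
    } else {
        trigger_error("LDAP group lookup incomplete, not disabling unknown users", E_USER_WARNING);
        $success = FALSE;
    }

    /** CONTACTS */
    if (!empty($CONFIG["ldap_customer_group"])) {
        debug_log("CONTACTS");
        $contactListComplete = TRUE;
        $contacts = ldapSync_groupMembers($ldap_conn, $CONFIG["ldap_customer_group"], $filter, $attributesToGet);
        if ($contacts === null) {
            trigger_error("No contact group found in LDAP", E_USER_WARNING);
            $contactListComplete = FALSE;
            $contacts = array();
        }

        $sit_db_contacts = array();
        $sql = "SELECT id, username, active FROM `{$GLOBALS['dbContacts']}` WHERE contact_source = 'ldap'";
        $result = mysql_query($sql);
        if (mysql_error()) {
            trigger_error("MySQL Query Error" . mysql_error(), E_USER_WARNING);
        }
        if ($result && mysql_num_rows($result) > 0) {
            while ($obj = mysql_fetch_object($result)) {
                $c = new Contact();
                $c->id = $obj->id;
                $c->username = $obj->username;
                $c->status = $obj->active;
                $sit_db_contacts[$c->username] = $c;
            }
        }

        foreach ($contacts as $cn) {
            $e = ldap_getDetails($cn, FALSE, $ldap_conn);
            if (!$e) {
                debug_log("Failed to get details for {$cn}");
                continue;
            }
            $contact_attributes = ldap_get_attributes($ldap_conn, $e);

            $username = isset($contact_attributes[$userAttr][0]) ? $contact_attributes[$userAttr][0] : null;
            $dbContact = ($username !== null && isset($sit_db_contacts[$username])) ? $sit_db_contacts[$username] : null;

            $ldapDisabled = null;
            if ($disabledAttr !== '' && !empty($contact_attributes[$disabledAttr])) {
                $ldapDisabled = strtolower($contact_attributes[$disabledAttr][0]) === strtolower($CONFIG['ldap_logindisabledvalue']);
            }

            if ($dbContact !== null && $ldapDisabled !== null) {
                // NOTE(review): the row's `active` column is cached in ->status above but the
                // re-enable writes ->active; confirm which property Contact::edit() persists.
                if ($dbContact->status === 'false') {
                    // Contact disabled in SiT, check whether it needs re-enabling
                    if (!$ldapDisabled) {
                        $dbContact->active = 'true';
                        $dbContact->edit();
                    }
                } elseif ($ldapDisabled) {
                    // Contact disabled in LDAP so we want to disable
                    $dbContact->disable();
                }
            }

            $contactid = 0;
            if ($dbContact !== null) {
                $contactid = $dbContact->id;
                unset($sit_db_contacts[$username]);
            }
            if (!ldap_storeDetails('', $contactid, FALSE, TRUE, $ldap_conn, $contact_attributes)) {
                trigger_error("Failed to store details for contactid {$contactid}", E_USER_WARNING);
                $success = FALSE;
            }
        }

        // Disable contacts we no longer know about, under the same completeness rule as users
        // TODO reassign incidents?
        if ($contactListComplete) {
            foreach ($sit_db_contacts as $c) {
                debug_log("Disabling {$c->username}", TRUE);
                $c->disable();
            }
        } else {
            $success = FALSE;
        }
    }

    ldap_close($ldap_conn);
    return $success;
}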