Esempio n. 1
} else {
    $_SESSION['auth_message'] = 'Invalid auth_mechanism defined, please correct your configuration!';
    session_logout();
    header('Location: ' . $config['base_url']);
    exit;
}
// Explicit logout request from an authenticated session: end the session (when
// auth_can_logout() permits it), then redirect to the base URL and stop.
// NOTE(review): loose == comparison and an unguarded read of $_SESSION['authenticated'];
// this assumes both values were populated earlier in the file - confirm.
if ($vars['page'] == "logout" && $_SESSION['authenticated']) {
    if (auth_can_logout()) {
        // No need for a feedback message if user requested a logout
        // The argument is TRUE only when a function named auth_require_login() is defined.
        session_logout(function_exists('auth_require_login'));
    }
    // Redirect target is $config['base_url'], not a request parameter.
    header('Location: ' . $config['base_url']);
    // Stop here so nothing after the redirect runs for this request.
    exit;
}
// Whether the mcrypt extension is loaded; used further down to gate the 'ckey' cookie login path.
// NOTE(review): mcrypt was removed from PHP core in 7.2, so on current PHP this is
// FALSE unless the PECL extension is installed.
$mcrypt_exists = check_extension_exists('mcrypt');
// Get unique user id and check if IP changed (if required by config)
$user_unique_id = session_unique_id();
// Check if allowed auth by CIDR
// Default is "allowed": the restriction applies only when web_session_cidr is set and non-empty.
$auth_allow_cidr = TRUE;
if (isset($config['web_session_cidr']) && count($config['web_session_cidr'])) {
    // NOTE(review): REMOTE_ADDR is the address of the direct TCP peer. Behind a reverse
    // proxy or load balancer that is the proxy's address, so the CIDR list must be
    // written with that in mind - confirm how this is deployed.
    $auth_allow_cidr = match_network($_SERVER['REMOTE_ADDR'], $config['web_session_cidr']);
}
if (!$_SESSION['authenticated'] && isset($_GET['username']) && isset($_GET['password'])) {
    $_SESSION['username'] = $_GET['username'];
    $auth_password = $_GET['password'];
} else {
    if (!$_SESSION['authenticated'] && isset($_POST['username']) && isset($_POST['password'])) {
        $_SESSION['username'] = $_POST['username'];
        $auth_password = $_POST['password'];
    } else {
        if ($mcrypt_exists && !$_SESSION['authenticated'] && isset($_COOKIE['ckey'])) {
Esempio n. 2
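/**
 * Bind with either the configured bind DN, anonymously, or the user's own DN
 * (auth_ldap_prefix + username + auth_ldap_suffix), depending on config.
 * Private function for this LDAP module only.
 *
 * The outcome of the first attempt is stored in $cache['ldap_bind_result'] (0 = bound,
 * 1 = failed) and reused, so the connection in $ds is bound at most once.
 * On failure the web session is terminated via session_logout().
 *
 * NOTE: the return value is inverted relative to PHP's ldap_bind().
 *
 * @param string $username Bind username (optional; the session username is used when
 *                         username or password is empty and the session holds a stored password)
 * @param string $password Bind password (optional; see $username)
 * @return bool FALSE if bind succeeded, TRUE if not
 */
function ldap_bind_dn($username = "", $password = "")
{
    global $config, $ds, $cache;

    print_debug("LDAP[Bind DN called]");

    // Avoid binding multiple times on one resource, this upsets some LDAP servers.
    if (isset($cache['ldap_bind_result'])) {
        // The cache holds 0/1; cast so the cached path returns the documented bool
        // exactly like the first call does.
        return (bool)$cache['ldap_bind_result'];
    }

    if ($config['auth_ldap_binddn']) {
        // Service-account bind with the configured DN and password.
        print_debug("LDAP[Bind][" . $config['auth_ldap_binddn'] . "]");
        $bind = ldap_bind($ds, $config['auth_ldap_binddn'], $config['auth_ldap_bindpw']);
    } elseif ($config['auth_ldap_bindanonymous']) {
        // Try anonymous bind if configured to do so
        print_debug("LDAP[Bind][anonymous]");
        $bind = ldap_bind($ds);
    } else {
        if (($username == '' || $password == '') && isset($_SESSION['user_encpass'])) {
            // Use session credentials
            print_debug("LDAP[Bind][session]");
            $username = $_SESSION['username'];
            if (!isset($_SESSION['mcrypt_required'])) {
                $password = decrypt($_SESSION['user_encpass'], session_unique_id() . get_unique_id());
            } else {
                // WARNING, requires mcrypt
                // In this branch the stored value is only base64-decoded, i.e. the session
                // holds the password encoded, not encrypted. Strict mode returns FALSE on
                // malformed input, which the empty-password check below rejects.
                $password = base64_decode($_SESSION['user_encpass'], TRUE);
            }
        }

        // NOTE(review): $username is concatenated into the bind identity unescaped. If
        // prefix/suffix form a real DN (e.g. "uid=" ... ",ou=..."), consider
        // ldap_escape($username, '', LDAP_ESCAPE_DN) - confirm how usernames are
        // validated before they reach this function.
        $bind_dn = $config['auth_ldap_prefix'] . $username . $config['auth_ldap_suffix'];
        print_debug("LDAP[Bind][" . $bind_dn . "]");

        if ((string)$password === '') {
            // A simple bind with a DN and an empty password is an "unauthenticated bind"
            // (RFC 4513, section 5.1.2); servers that permit it report success without
            // verifying any credential. Never send it: treat it as a failed bind.
            print_debug("LDAP[Bind][empty password, bind refused]");
            $bind = FALSE;
        } else {
            $bind = ldap_bind($ds, $bind_dn, $password);
        }
    }

    if ($bind) {
        $cache['ldap_bind_result'] = 0;
        return FALSE;
    }

    $cache['ldap_bind_result'] = 1;
    print_debug("Error binding to LDAP server: " . implode(',', $config['auth_ldap_server']) . ': ' . ldap_error($ds));
    // A failed bind also ends the web session.
    session_logout();
    return TRUE;
}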