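/**
 * Authenticate a user and initialize the session.
 *
 * Order of attempts: (1) the alternate auth systems returned by checkAlternateAuthSystems()
 * unless $noauto is set, enriching the user from an LDAP directory or from SSO data;
 * (2) the GLPI database password when the login exists with a password; (3) the LDAP/mail
 * server recorded on an existing password-less user; (4) every active LDAP server, then
 * every mail server, when the login is unknown. On success the user row is updated or
 * auto-created (never on a slave DB), the outcome is logged through Event::log() and
 * Session::init() is called.
 *
 * @param $login_name      string  login as typed; trimmed here before any lookup
 * @param $login_password  string  clear-text password
 * @param $noauto          boolean skip the alternate auth systems and flag the session
 *                                 with $_SESSION["noAUTO"] (false by default)
 *
 * @return boolean true when authentication succeeded and the user is allowed in
 */
function Login($login_name, $login_password, $noauto = false) {
    global $DB, $CFG_GLPI;

    $this->getAuthMethods();
    $this->user_present  = 1;
    $this->auth_succeded = false;
    // Set when the user exists in GLPI but can no longer be found in its LDAP directory
    $user_deleted_ldap = false;

    // Trim login_name : avoid LDAP search errors
    $login_name = trim($login_name);

    if (!$noauto && ($authtype = self::checkAlternateAuthSystems())) {
        if ($this->getAlternateAuthSystemsUserLogin($authtype) && !empty($this->user->fields['name'])) {
            // The login reported by the external system is used for logging from here on
            $login_name = $this->user->fields['name'];
            $this->auth_succeded = true;
            $this->extauth       = 1;
            // addslashes() is the legacy escaping layer used by the project's query helpers
            $this->user_present = $this->user->getFromDBbyName(addslashes($login_name));
            $this->user->fields['authtype'] = $authtype;

            $user_dn = false;
            // Must be an array: it is passed to count() below even when LDAP is unusable.
            // With the previous '' initialisation count() returned 1, which skipped
            // getFromSSO() and wrongly flagged an existing user as deleted from LDAP.
            $ldapservers = array();

            // If LDAP is enabled too, complete the user's data from the directory
            if (Toolbox::canUseLdap()) {
                if (isset($this->user->fields["auths_id"]) && $this->user->fields["auths_id"] > 0) {
                    // The user has already authenticated at least once : reuse that server if active
                    $authldap = new AuthLdap();
                    if ($authldap->getFromDB($this->user->fields["auths_id"])
                        && $authldap->fields['is_active']) {
                        $ldapservers[] = $authldap->fields;
                    }
                } else {
                    // Never authenticated : try every active LDAP server to find the right one
                    foreach (getAllDatasFromTable('glpi_authldaps', "`is_active`='1'") as $ldap_config) {
                        $ldapservers[] = $ldap_config;
                    }
                }

                foreach ($ldapservers as $ldap_method) {
                    $ds = AuthLdap::connectToServer($ldap_method["host"],
                                                    $ldap_method["port"],
                                                    $ldap_method["rootdn"],
                                                    Toolbox::decrypt($ldap_method["rootdn_passwd"], GLPIKEY),
                                                    $ldap_method["use_tls"],
                                                    $ldap_method["deref_option"]);
                    if ($ds) {
                        $params['method']                             = AuthLdap::IDENTIFIER_LOGIN;
                        $params['fields'][AuthLdap::IDENTIFIER_LOGIN] = $ldap_method["login_field"];
                        $user_dn = AuthLdap::searchUserDn($ds,
                                                          array('basedn'            => $ldap_method["basedn"],
                                                                'login_field'       => $ldap_method['login_field'],
                                                                'search_parameters' => $params,
                                                                'user_params'       => array('method' => AuthLDAP::IDENTIFIER_LOGIN,
                                                                                             'value'  => $login_name),
                                                                'condition'         => $ldap_method["condition"]));
                        if ($user_dn) {
                            $this->user->fields['auths_id'] = $ldap_method['id'];
                            // Last argument: import (not just refresh) when the user is not yet in GLPI
                            $this->user->getFromLDAP($ds, $ldap_method, $user_dn['dn'], $login_name,
                                                     !$this->user_present);
                            break;
                        }
                    }
                }
            }

            if (count($ldapservers) == 0 && $authtype == self::EXTERNAL) {
                // External auth without any LDAP server : take the user's data from the SSO headers
                $this->user->getFromSSO();
            } else {
                // Present in GLPI but no DN found : the user is no longer in any LDAP directory
                if (!$user_dn && $this->user_present) {
                    $user_deleted_ldap       = true;
                    $this->user_deleted_ldap = true;
                }
            }

            // Reset the name to the authenticated login so directory data cannot override it
            $this->user->fields['name']       = $login_name;
            $this->user->fields["last_login"] = $_SESSION["glpi_currenttime"];
        } else {
            $this->addToError(__('Empty login or password'));
        }
    }

    // If not already authenticated, fall back to password based methods
    if (!$this->auth_succeded) {
        // Reject empty values and embedded NUL bytes: a NUL would silently truncate the
        // value in LDAP filters or C-level string handling downstream
        if (empty($login_name)
            || strpos($login_name, "\0") !== false
            || empty($login_password)
            || strpos($login_password, "\0") !== false) {
            $this->addToError(__('Empty login or password'));
        } else {
            // exists=0 -> user doesn't yet exist
            // exists=1 -> user is present in DB with password
            // exists=2 -> user is present in DB but without password
            $exists = $this->userExists(array('name' => addslashes($login_name)));

            // The DB password is tried first; otherwise blankPassword() below would not run
            if ($exists == 1) {
                // Without UTF8 decoding (we are already in the not-authenticated branch)
                $this->auth_succeded = $this->connection_db(addslashes($login_name), $login_password);
                if ($this->auth_succeded) {
                    $this->extauth      = 0;
                    $this->user_present = $this->user->getFromDBbyName(addslashes($login_name));
                    $this->user->fields["authtype"] = self::DB_GLPI;
                    // NOTE(review): the clear-text password is placed in fields and reaches
                    // update() below; presumably User::update() hashes it — confirm.
                    $this->user->fields["password"] = $login_password;
                }
            } else if ($exists == 2) {
                // Not authenticated against the GLPI DB : load the user to find out his
                // authentication method
                $this->user->getFromDBbyName(addslashes($login_name));
                // If the user has already logged in, authtype and auths_id are set :
                // test that connection first
                switch ($this->user->fields["authtype"]) {
                    case self::CAS:
                    case self::EXTERNAL:
                    case self::LDAP:
                        if (Toolbox::canUseLdap()) {
                            AuthLdap::tryLdapAuth($this, $login_name, $login_password,
                                                  $this->user->fields["auths_id"],
                                                  $this->user->fields["user_dn"]);
                            if (!$this->auth_succeded && $this->user_deleted_ldap) {
                                $user_deleted_ldap = true;
                            }
                        }
                        break;

                    case self::MAIL:
                        if (Toolbox::canUseImapPop()) {
                            AuthMail::tryMailAuth($this, $login_name, $login_password,
                                                  $this->user->fields["auths_id"]);
                        }
                        break;

                    case self::NOT_YET_AUTHENTIFIED:
                        break;
                }
            } else if (!$exists) {
                // Unknown login : test every LDAP server...
                if (!$this->auth_succeded && Toolbox::canUseLdap()) {
                    AuthLdap::tryLdapAuth($this, $login_name, $login_password, 0, false, false);
                }
                // ...then every IMAP/POP server
                if (!$this->auth_succeded && Toolbox::canUseImapPop()) {
                    AuthMail::tryMailAuth($this, $login_name, $login_password, 0, false);
                }
            }
            // End of connection tests
        }
    }

    if ($user_deleted_ldap) {
        User::manageDeletedUserInLdap($this->user->fields["id"]);
    }

    // Enough data has been gathered : add the user if absent from the DB, update him otherwise
    if ($this->auth_succeded) {
        // Authenticated, so the user is not deleted from LDAP
        $this->user->fields['is_deleted_ldap'] = 0;

        // Prepare data
        $this->user->fields["last_login"] = $_SESSION["glpi_currenttime"];
        if ($this->extauth) {
            $this->user->fields["_extauth"] = 1;
        }

        if ($DB->isSlave()) {
            if (!$this->user_present) {
                // Can't add in slave mode
                $this->addToError(__('User not authorized to connect in GLPI'));
                $this->auth_succeded = false;
            }
        } else {
            // stripslashes then addslashes : fields may or may not already be escaped
            $input = Toolbox::addslashes_deep(Toolbox::stripslashes_deep($this->user->fields));
            if ($this->user_present) {
                // Update the user and blank the password to clean old rows for external auth
                $this->user->update($input);
                if ($this->extauth) {
                    $this->user->blankPassword();
                }
            } else if ($CFG_GLPI["is_users_auto_add"]) {
                // Auto add user
                unset($this->user->fields);
                $this->user->add($input);
            } else {
                // Auto add not enabled so auth failed
                $this->addToError(__('User not authorized to connect in GLPI'));
                $this->auth_succeded = false;
            }
        }
    }

    // Log Event (if possible)
    if (!$DB->isSlave()) {
        // NOTE(review): HTTP_X_FORWARDED_FOR is supplied by the client and is only
        // trustworthy behind a reverse proxy that overwrites it; the logged address is
        // unauthenticated and may be spoofed unless the proxy layer guarantees it.
        $ip = getenv("HTTP_X_FORWARDED_FOR") ? getenv("HTTP_X_FORWARDED_FOR") : getenv("REMOTE_ADDR");
        if ($this->auth_succeded) {
            if (GLPI_DEMO_MODE) {
                // no translation in GLPI_DEMO_MODE
                Event::log(-1, "system", 3, "login", $login_name . " log in from " . $ip);
            } else {
                //TRANS: %1$s is the login of the user and %2$s its IP address
                Event::log(-1, "system", 3, "login",
                           sprintf(__('%1$s log in from IP %2$s'), $login_name, $ip));
            }
        } else {
            if (GLPI_DEMO_MODE) {
                // Same 5-argument shape as the success call: the message is the 5th argument
                // (a stray extra "login" argument previously pushed the message out of place)
                Event::log(-1, "system", 1, "login", "Connection failed for " . $login_name . " ({$ip})");
            } else {
                //TRANS: %1$s is the login of the user and %2$s its IP address
                Event::log(-1, "system", 1, "login",
                           sprintf(__('Failed login for %1$s from IP %2$s'), $login_name, $ip));
            }
        }
    }

    Session::init($this);

    if ($noauto) {
        $_SESSION["noAUTO"] = 1;
    }

    return $this->auth_succeded;
}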
/**
 * Authenticate a user and initialize the session (older variant using $LANG strings).
 *
 * Order of attempts: (1) the alternate auth systems returned by checkAlternateAuthSystems()
 * unless $noauto is set, completing the user's data from the LDAP server configured in
 * $CFG_GLPI['authldaps_id_extra']; (2) the GLPI database password when the login exists
 * with a password; (3) the LDAP/mail server recorded on an existing password-less user;
 * (4) every active LDAP server, then every mail server, when the login is unknown.
 * On success the user row is updated or auto-created (never on a slave DB), the outcome
 * is logged through Event::log() and initSession() is called.
 *
 * @param $login_name      string  login as typed (not trimmed in this variant)
 * @param $login_password  string  clear-text password
 * @param $noauto          boolean skip the alternate auth systems and flag the session
 *                                 with $_SESSION["noAUTO"]
 *
 * @return boolean true when authentication succeeded and the user is allowed in
 */
function Login($login_name, $login_password, $noauto = false) {
    global $DB, $CFG_GLPI, $LANG;

    $this->getAuthMethods();
    $this->user_present  = 1;
    $this->auth_succeded = false;
    // Set when the user exists in GLPI but can no longer be found in its LDAP directory
    $user_deleted_ldap = false;

    if (!$noauto && ($authtype = self::checkAlternateAuthSystems())) {
        if ($this->getAlternateAuthSystemsUserLogin($authtype) && !empty($this->user->fields['name'])) {
            // The login reported by the external system is used for logging from here on
            $login_name = $this->user->fields['name'];
            $this->auth_succeded = true;
            $this->extauth       = 1;
            // addslashes() is the legacy escaping layer used by the project's query helpers
            $this->user_present = $this->user->getFromDBbyName(addslashes($login_name));
            $this->user->fields['authtype'] = $authtype;

            // If LDAP is enabled too, complete the user's data from the configured "extra" server
            $this->user->fields["auths_id"] = $CFG_GLPI['authldaps_id_extra'];
            if (canUseLdap()) {
                if (isset($this->authtypes["ldap"][$this->user->fields["auths_id"]])) {
                    $ldap_method = $this->authtypes["ldap"][$this->user->fields["auths_id"]];
                    $ds = AuthLdap::connectToServer($ldap_method["host"],
                                                    $ldap_method["port"],
                                                    $ldap_method["rootdn"],
                                                    decrypt($ldap_method["rootdn_passwd"], GLPIKEY),
                                                    $ldap_method["use_tls"],
                                                    $ldap_method["deref_option"]);
                    if ($ds) {
                        $params['method']                             = AuthLdap::IDENTIFIER_LOGIN;
                        $params['fields'][AuthLdap::IDENTIFIER_LOGIN] = $ldap_method["login_field"];
                        $user_dn = AuthLdap::searchUserDn($ds,
                                                          array('basedn'            => $ldap_method["basedn"],
                                                                'login_field'       => $ldap_method['login_field'],
                                                                'search_parameters' => $params,
                                                                'user_params'       => array('method' => AuthLDAP::IDENTIFIER_LOGIN,
                                                                                             'value'  => $login_name),
                                                                'condition'         => $ldap_method["condition"]));
                        if ($user_dn) {
                            $this->user->getFromLDAP($ds, $ldap_method, $user_dn['dn'], $login_name);
                        }
                    }
                }
            }

            // Reset the name to the authenticated login so directory data cannot override it
            $this->user->fields['name']       = $login_name;
            $this->user->fields["last_login"] = $_SESSION["glpi_currenttime"];
        } else {
            $this->addToError($LANG['login'][8]);
        }
    }

    // If not already authenticated, fall back to password based methods
    if (!$this->auth_succeded) {
        // NOTE(review): only emptiness is checked here; embedded NUL bytes are not rejected
        // in this variant, so a value such as "admin\0x" reaches the LDAP/DB lookups as-is
        if (empty($login_name) || empty($login_password)) {
            $this->addToError($LANG['login'][8]);
        } else {
            // exists=0 -> user doesn't exist
            // exists=1 -> user exists with a password
            // exists=2 -> user exists without a password
            $exists = $this->userExists(array('name' => addslashes($login_name)));

            // The DB password is tried first; otherwise blankPassword() below would not run
            if ($exists == 1) {
                // Without UTF8 decoding
                if (!$this->auth_succeded) {
                    $this->auth_succeded = $this->connection_db(addslashes($login_name), $login_password);
                    if ($this->auth_succeded) {
                        $this->extauth      = 0;
                        $this->user_present = $this->user->getFromDBbyName(addslashes($login_name));
                        $this->user->fields["authtype"] = self::DB_GLPI;
                        // NOTE(review): the clear-text password is placed in fields and is
                        // passed unchanged to update() below; presumably User::update()
                        // hashes it — confirm.
                        $this->user->fields["password"] = $login_password;
                    }
                }
            } else {
                if ($exists == 2) {
                    // Not authenticated against the GLPI DB : load the user to find out his
                    // authentication method
                    $this->user->getFromDBbyName(addslashes($login_name));
                    // If the user has already logged in, authtype and auths_id are set :
                    // test that connection first
                    switch ($this->user->fields["authtype"]) {
                        case self::CAS:
                        case self::EXTERNAL:
                        case self::LDAP:
                            if (canUseLdap()) {
                                AuthLdap::tryLdapAuth($this, $login_name, $login_password,
                                                      $this->user->fields["auths_id"],
                                                      $this->user->fields["user_dn"]);
                                if (!$this->auth_succeded && $this->user_deleted_ldap) {
                                    $user_deleted_ldap = true;
                                }
                            }
                            break;

                        case self::MAIL:
                            if (canUseImapPop()) {
                                AuthMail::tryMailAuth($this, $login_name, $login_password,
                                                      $this->user->fields["auths_id"]);
                            }
                            break;

                        case self::NOT_YET_AUTHENTIFIED:
                            break;
                    }
                } else {
                    if (!$exists) {
                        // Unknown login : test every LDAP server...
                        if (!$this->auth_succeded && canUseLdap()) {
                            AuthLdap::tryLdapAuth($this, $login_name, $login_password, 0, false, false);
                        }
                        // ...then every IMAP/POP server
                        if (!$this->auth_succeded && canUseImapPop()) {
                            AuthMail::tryMailAuth($this, $login_name, $login_password, 0, false);
                        }
                    }
                }
            } // End of connection tests
        }
    }

    if ($user_deleted_ldap) {
        User::manageDeletedUserInLdap($this->user->fields["id"]);
    }

    // Enough data has been gathered : add the user if absent from the DB, update him otherwise
    if ($this->auth_succeded) {
        // Prepare data
        $this->user->fields["last_login"] = $_SESSION["glpi_currenttime"];
        if ($this->extauth) {
            $this->user->fields["_extauth"] = 1;
        }

        if ($DB->isSlave()) {
            if (!$this->user_present) {
                // Can't add in slave mode
                $this->addToError($LANG['login'][11]);
                $this->auth_succeded = false;
            }
        } else {
            if ($this->user_present) {
                // Update the user and blank the password to clean old rows for external auth
                $this->user->update($this->user->fields);
                if ($this->extauth) {
                    $this->user->blankPassword();
                }
            } else {
                if ($CFG_GLPI["is_users_auto_add"]) {
                    // Auto add user
                    $input = $this->user->fields;
                    unset($this->user->fields);
                    $this->user->add($input);
                } else {
                    // Auto add not enabled so auth failed
                    $this->addToError($LANG['login'][11]);
                    $this->auth_succeded = false;
                }
            }
        }
    }

    // Log Event (if possible)
    if (!$DB->isSlave()) {
        // NOTE(review): HTTP_X_FORWARDED_FOR is supplied by the client and is only
        // trustworthy behind a reverse proxy that overwrites it; the logged address is
        // unauthenticated and may be spoofed unless the proxy layer guarantees it.
        $ip = getenv("HTTP_X_FORWARDED_FOR") ? getenv("HTTP_X_FORWARDED_FOR") : getenv("REMOTE_ADDR");
        if ($this->auth_succeded) {
            // Untranslated wording in demo mode, $LANG string otherwise
            $logged = GLPI_DEMO_MODE ? "logged in" : $LANG['log'][40];
            Event::log(-1, "system", 3, "login", $login_name . " {$logged}: " . $ip);
        } else {
            $logged = GLPI_DEMO_MODE ? "connection failed" : $LANG['log'][41];
            Event::log(-1, "system", 1, "login", $logged . ": " . $login_name . " ({$ip})");
        }
    }

    $this->initSession();

    if ($noauto) {
        $_SESSION["noAUTO"] = 1;
    }

    return $this->auth_succeded;
}