Inheritance: extends Kimai_Auth_Abstract
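 /**
  * Authenticates a login either locally (names listed in LDAP_LOCAL_ACCOUNTS are
  * handed to the wrapped Kimai authenticator) or by a simple LDAP bind whose DN is
  * built from LDAP_USERNAME_PREFIX . <username> . LDAP_USERNAME_POSTFIX.
  *
  * On success $userId receives the Kimai user id, creating the user first when
  * LDAP_USER_AUTOCREATE is set. On every failure $userId is set to false.
  *
  * @param string $username login name as typed by the user (untrusted)
  * @param string $password cleartext password (untrusted)
  * @param mixed  $userId   out-parameter: Kimai user id on success, false otherwise
  * @return bool true when the credentials were accepted
  */
 public function authenticate($username, $password, &$userId)
 {
     // Accounts configured for local handling never touch the directory.
     if (in_array($username, $this->LDAP_LOCAL_ACCOUNTS, true)) {
         return $this->kimaiAuth->authenticate($username, $password, $userId);
     }
     // Pessimistic default: every early return below is a failure.
     $userId = false;
     // Environment sanity: the ldap extension must be loaded.
     if (!function_exists('ldap_bind')) {
         echo 'ldap is not installed!';
         return false;
     }
     // Blank credentials are rejected before any network access. An empty
     // password must never reach ldap_bind(), because many servers treat that as
     // an anonymous bind and report success. Compare against '' instead of
     // relying on truthiness so that "0" stays a legal username or password.
     $check_username = trim((string) $username);
     if ($check_username === '' || trim((string) $password) === '') {
         return false;
     }
     // Mixed-case names are refused up front when lowercase is enforced.
     if ($this->LDAP_FORCE_USERNAME_LOWERCASE && strtolower($check_username) !== $check_username) {
         return false;
     }
     // Connect to LDAP (property name LADP_SERVER is kept as-is: callers/config use it).
     $connect_result = ldap_connect($this->LADP_SERVER);
     if (!$connect_result) {
         echo "Cannot connect to ", $this->LADP_SERVER;
         return false;
     }
     ldap_set_option($connect_result, LDAP_OPT_PROTOCOL_VERSION, 3);
     // Bind as the user: a successful bind proves the password. The name is
     // DN-escaped so that ',', '=', '+' and friends typed by the user cannot change
     // which entry the prefix/postfix build a DN for.
     $bind_dn = $this->LDAP_USERNAME_PREFIX
         . ldap_escape($check_username, '', LDAP_ESCAPE_DN)
         . $this->LDAP_USERNAME_POSTFIX;
     $bind_result = ldap_bind($connect_result, $bind_dn, $password);
     // Release the connection on both outcomes (previously it leaked on failure).
     ldap_unbind($connect_result);
     if (!$bind_result) {
         return false;
     }
     // The directory accepted the user. Map it to a Kimai account, normalising the
     // name to lowercase if the configuration asks for it.
     if ($this->LDAP_FORCE_USERNAME_LOWERCASE) {
         $check_username = strtolower($check_username);
     }
     $userId = $this->database->user_name2id($check_username);
     if ($userId !== false) {
         return true;
     }
     // Unknown to Kimai so far: either provision it or refuse the login.
     if (!$this->LDAP_USER_AUTOCREATE) {
         $userId = false;
         return false;
     }
     $userId = $this->database->user_create(array(
         'name' => $check_username,
         'globalRoleID' => $this->getDefaultGlobalRole(),
         'active' => 1,
     ));
     // NOTE(review): getDefaultGroups() is wrapped in array() here but passed
     // directly in other authenticators — confirm whether it returns one id or a list.
     $this->database->setGroupMemberships($userId, array($this->getDefaultGroups()));
     // Store a random placeholder so the account has a non-empty password field;
     // presumably it is never meant to be usable for a local login.
     $usr_data = array(
         'password' => md5($this->kga['password_salt'] . md5(uniqid(rand(), true)) . $this->kga['password_salt']),
     );
     $this->database->user_edit($userId, $usr_data);
     return true;
 }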
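 /**
  * Authenticates a login against LDAP in three steps: a service bind (or anonymous
  * bind) is used to search for the user with $userFilter; the single entry found is
  * then bound with the supplied password, which proves the credentials; finally the
  * entry must be a member of at least one group in $allowedGroupIds via $groupFilter.
  * Names listed in $nonLdapAcounts are delegated to the wrapped Kimai authenticator.
  *
  * On success $userId receives the Kimai user id, creating the user when
  * $autocreateUsers is set and copying mail address and common name from the
  * directory entry. On every failure $userId is set to false and a short message
  * is echoed.
  *
  * @param string $username login name as typed by the user (untrusted)
  * @param string $password cleartext password (untrusted)
  * @param mixed  $userId   out-parameter: Kimai user id on success, false otherwise
  * @return bool true when the credentials were accepted
  */
 public function authenticate($username, $password, &$userId)
 {
     // Accounts configured for local handling never touch the directory.
     if (in_array($username, $this->nonLdapAcounts, true)) {
         return $this->kimaiAuth->authenticate($username, $password, $userId);
     }
     // Pessimistic default: every early return below is a failure.
     $userId = false;
     // Compare against '' rather than truthiness so "0" stays a legal value. An
     // empty password must never reach the user bind further down: most servers
     // treat it as an anonymous bind and report success.
     if ((string) $username === '' || (string) $password === '') {
         return false;
     }
     $connect_result = ldap_connect($this->host);
     if (!$connect_result) {
         echo "Cannot connect to ", $this->host;
         return false;
     }
     ldap_set_option($connect_result, LDAP_OPT_PROTOCOL_VERSION, 3);
     // Service bind, or anonymous when no bind DN/password is configured; this
     // identity is only used to look the user up.
     if ($this->bindDN && $this->bindPW) {
         $bindResult = ldap_bind($connect_result, $this->bindDN, $this->bindPW);
     } else {
         $bindResult = ldap_bind($connect_result);
     }
     if (!$bindResult) {
         $message = sprintf("Can't bind to the LDAP with DN %s", $this->bindDN);
         return $this->abortLdapAuthentication($connect_result, $message, $userId);
     }
     // The login name is filter-escaped before it is spliced into $userFilter, so
     // '*', '(', ')' or '\' typed by the user cannot widen or rewrite the search.
     $filter = sprintf($this->userFilter, ldap_escape($username, '', LDAP_ESCAPE_FILTER));
     $wanted = array($this->usernameAttribute, $this->mailAttribute, $this->commonNameAttribute);
     $_ldapresults = ldap_search($connect_result, $this->searchBase, $filter, $wanted, 0, 0, 10);
     if (!$_ldapresults) {
         // The server returned no result-set at all.
         return $this->abortLdapAuthentication($connect_result, "No user with that information found", $userId);
     }
     // Exactly one entry is required: none means unknown user, several means the
     // filter is ambiguous and we cannot tell whom to bind as.
     $entryCount = ldap_count_entries($connect_result, $_ldapresults);
     if ($entryCount < 1) {
         return $this->abortLdapAuthentication($connect_result, "No user with that information found", $userId);
     }
     if ($entryCount > 1) {
         return $this->abortLdapAuthentication($connect_result, "More than one user found with that information", $userId);
     }
     $_results = ldap_get_entries($connect_result, $_ldapresults);
     // The data is now in a PHP array; free the server-side result either way.
     ldap_free_result($_ldapresults);
     if (false === $_results) {
         return $this->abortLdapAuthentication($connect_result, 'no result set found', $userId);
     }
     $entry = $_results[0];
     $distinguishedName = $entry['dn'];
     $uidAttribute = $this->ldapAttributeValue($entry, $this->usernameAttribute);
     $emailAddress = $this->ldapAttributeValue($entry, $this->mailAttribute);
     $commonName = $this->ldapAttributeValue($entry, $this->commonNameAttribute);
     // Re-bind as the entry that was found: success proves the password. The
     // warning a rejected bind emits is suppressed on purpose, since a wrong
     // password is expected input rather than an error condition.
     $link_id = @ldap_bind($connect_result, $distinguishedName, $password);
     if (false === $link_id) {
         return $this->abortLdapAuthentication($connect_result, 'Password and/or Username mismatch', $userId);
     }
     // Group membership. Values coming back from the directory are escaped as
     // well: a DN or uid may legitimately contain '(' , ')' or '*'.
     $filter = sprintf(
         $this->groupFilter,
         ldap_escape($uidAttribute, '', LDAP_ESCAPE_FILTER),
         ldap_escape($distinguishedName, '', LDAP_ESCAPE_FILTER)
     );
     $_ldapresults = ldap_search($connect_result, $this->searchBase, $filter, array($this->groupidAttribute), 0, 0, 10);
     if (!$_ldapresults) {
         // The server returned no result-set at all.
         return $this->abortLdapAuthentication($connect_result, "No group for the user found", $userId);
     }
     if (ldap_count_entries($connect_result, $_ldapresults) < 1) {
         // The returned result set contains no data.
         return $this->abortLdapAuthentication($connect_result, "No group for that user found", $userId);
     }
     $_results = ldap_get_entries($connect_result, $_ldapresults);
     ldap_free_result($_ldapresults);
     if (false === $_results) {
         return $this->abortLdapAuthentication($connect_result, 'no result set for groups found', $userId);
     }
     // Collect every group id from every returned entry. ldap_get_entries() stores
     // the entry count under 'count' next to the numeric indices and lower-cases
     // attribute names, so iterate by index and look the attribute up lower-cased.
     $groupKey = strtolower((string) $this->groupidAttribute);
     $groups = array();
     for ($n = 0; $n < $_results['count']; $n++) {
         $groupEntry = $_results[$n];
         if (!isset($groupEntry[$groupKey]['count'])) {
             continue;
         }
         for ($i = 0; $i < $groupEntry[$groupKey]['count']; $i++) {
             $groups[] = $groupEntry[$groupKey][$i];
         }
     }
     // Done with the directory: release the connection before the local user
     // handling so every remaining return path has closed it.
     ldap_unbind($connect_result);
     if (!array_intersect($groups, $this->allowedGroupIds)) {
         // None of the user's groups is on the allow-list.
         echo 'no valid groups found';
         $userId = false;
         return false;
     }
     // The directory accepted the user. Map it to a Kimai account.
     $check_username = $this->createCheckUsername($username, $uidAttribute);
     $userId = $this->database->user_name2id($check_username);
     if ($userId !== false) {
         return true;
     }
     // Unknown to Kimai so far: either provision it or refuse the login.
     if (!$this->autocreateUsers) {
         $userId = false;
         return false;
     }
     $userId = $this->database->user_create(array(
         'name' => $check_username,
         'globalRoleID' => $this->getDefaultGlobalRole(),
         'active' => 1,
     ));
     $this->database->setGroupMemberships($userId, $this->getDefaultGroups());
     // Store a random placeholder so the account has a non-empty password field;
     // presumably it is never meant to be usable for a local login.
     $usr_data = array(
         'password' => md5($this->kga['password_salt'] . md5(uniqid(rand(), true)) . $this->kga['password_salt']),
     );
     if ($emailAddress !== '') {
         $usr_data['mail'] = $emailAddress;
     }
     if ($commonName !== '') {
         $usr_data['alias'] = $commonName;
     }
     $this->database->user_edit($userId, $usr_data);
     return true;
 }

 /**
  * Echoes $message, releases the LDAP connection and reports failure through
  * $userId. Always returns false so callers can `return` it directly.
  *
  * @param resource|object $connection link returned by ldap_connect()
  * @param string          $message    text echoed to the caller
  * @param mixed           $userId     out-parameter, set to false
  * @return false
  */
 private function abortLdapAuthentication($connection, $message, &$userId)
 {
     echo $message;
     ldap_unbind($connection);
     $userId = false;
     return false;
 }

 /**
  * First value of attribute $name in an ldap_get_entries() entry, or '' when the
  * attribute is absent. The name is lower-cased because that is how
  * ldap_get_entries() keys attributes, whatever the configuration spells.
  *
  * @param array  $entry one element of the ldap_get_entries() result
  * @param string $name  attribute name as configured
  * @return string
  */
 private function ldapAttributeValue(array $entry, $name)
 {
     $key = strtolower((string) $name);
     return isset($entry[$key][0]) ? $entry[$key][0] : '';
 }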