function authenticate_and_cache($ip_radius_server, $shared_secret, $username, $password, $timeout = 900)
{
$result = FALSE;
$cache_unique_id = isset($_SESSION['authentication_unique_id']) ? $_SESSION['authentication_unique_id'] : '';
if ($cache_unique_id != '') {
$cache_timestamp = $_SESSION[$cache_unique_id . '_authentication_timestamp'];
$cache_remote_addr = $_SESSION[$cache_unique_id . '_authentication_remote_addr'];
$cache_username = $_SESSION[$cache_unique_id . '_authentication_username'];
}
if ($cache_timestamp == 0 or $cache_timestamp + $timeout < time() or $cache_remote_addr != $_SERVER['REMOTE_ADDR'] or $cache_username != $username) {
$radius = new Radius($ip_radius_server, $shared_secret);
$radius->SetDebugMode($php_debug_mode);
$result = $radius->AccessRequest($username, $password);
if ($result === TRUE) {
if ($cache_unique_id == '') {
$cache_unique_id = md5(uniqid(rand(), true));
}
$_SESSION['authentication_unique_id'] = $cache_unique_id;
$_SESSION[$cache_unique_id . '_authentication_timestamp'] = time();
$_SESSION[$cache_unique_id . '_authentication_remote_addr'] = $_SERVER['REMOTE_ADDR'];
$_SESSION[$cache_unique_id . '_authentication_username'] = $username;
} else {
$_SESSION['authentication_unique_id'] = '';
}
} else {
$_SESSION[$cache_unique_id . '_authentication_timestamp'] = time();
$result = TRUE;
}
return $result;
}
function authenticate($login, $password)
{
if (!(require_once 'php-radius/radius.php')) {
$this->_log('Cannot require radius class files!');
return FALSE;
}
if ($login && $password) {
if (!defined('RADIUS_AUTH_SERVER') or !defined('RADIUS_AUTH_SECRET')) {
$this->_log('Could not parse RADIUS_AUTH_ options from config.php!');
return FALSE;
} elseif (!defined('RADIUS_AUTH_PORT')) {
define('RADIUS_AUTH_PORT', 1812);
}
$radius = new Radius(RADIUS_AUTH_SERVER, RADIUS_AUTH_SECRET, '', 5, RADIUS_AUTH_PORT);
$radius->SetNasIpAddress('1.2.3.4');
$auth = $radius->AccessRequest($login, $password);
if ($auth) {
return $this->base->auto_create_user($login);
} else {
$this->_log('Radius authentication rejected!');
return FALSE;
}
}
return FALSE;
}
/**
* Authenticates user on radius server
*
* @access private
* @param mixed $username
* @param mixed $password
* @return void
*/
private function auth_radius($username, $password)
{
# decode radius parameters
$params = json_decode($this->authmethodparams);
# check for socket support !
if (!in_array("sockets", get_loaded_extensions())) {
$this->Log->write("Radius login", "php Socket extension missing", 2);
$this->Result->show("danger", _("php Socket extension missing"), true);
}
# initialize radius class
require dirname(__FILE__) . '/class.Radius.php';
$Radius = new Radius($params->hostname, $params->secret, $params->suffix, $params->timeout, $params->port);
$Radius->SetNasIpAddress($params->hostname);
//debugging
$this->debugging !== true ?: $Radius->SetDebugMode(TRUE);
# authenticate
$auth = $Radius->AccessRequest($username, $password);
# debug?
if ($this->debugging) {
print "<pre style='width:700px;margin:auto;margin-top:10px;'>";
print implode("<br>", $Radius->debug_text);
print "</pre>";
}
# authenticate user
if ($auth) {
# save to session
$this->write_session_parameters();
$this->Log->write("Radius login", "User " . $this->user->real_name . " logged in via radius", 0, $username);
$this->Result->show("success", _("Radius login successful"));
# write last logintime
$this->update_login_time();
# remove possible blocked IP
$this->block_remove_entry();
} else {
# add blocked count
$this->block_ip();
$this->Log->write("Radius login", "Failed to authenticate user on radius server", 2, $username);
$this->Result->show("danger", _("Invalid username or password"), true);
}
}
/**
* authenticate() - defined by \Zend_Auth_Adapter_Interface. This method is called to
* attempt an authenication. Previous to this call, this adapter would have already
* been configured with all necessary information to successfully connect to a Radius
* server and attempt to find a record matching the provided identity.
*
* @throws \Zend_Auth_Adapter_Exception if answering the authentication query is impossible
* @return \Zend_Auth_Result
*/
public function authenticate()
{
$this->_authenticateSetup();
if ($this->_radius->AccessRequest($this->_identity, $this->_credential)) {
$this->_authenticateResultInfo['code'] = \Zend_Auth_Result::SUCCESS;
$this->_authenticateResultInfo['messages'][] = 'Authentication successful.';
} else {
$this->_authenticateResultInfo['code'] = \Zend_Auth_Result::FAILURE;
$this->_authenticateResultInfo['messages'][] = 'Authentication failed.';
}
$authResult = $this->_authenticateCreateAuthResult();
return $authResult;
}
/**
* Alternate Login.
* Try to login user using alternative systems (Radius, LDAP, CAS, HTTP BASIC, ...)
* @param $username (string) user name
* @param $password (string) password
* @return array of user's data for successful login, false otherwise
* @since 2008-03-28
*/
function F_altLogin($username, $password)
{
global $l, $db;
require_once '../config/tce_config.php';
// TCExam tries to retrive the user login information from the following systems:
// 1) RADIUS ---------------------------------------------
require_once '../../shared/config/tce_radius.php';
if (K_RADIUS_ENABLED) {
require_once '../../shared/radius/radius.class.php';
$radius = new Radius(K_RADIUS_SERVER_IP, K_RADIUS_SHARED_SECRET, K_RADIUS_SUFFIX, K_RADIUS_UDP_TIMEOUT, K_RADIUS_AUTHENTICATION_PORT, K_RADIUS_ACCOUNTING_PORT);
if (K_RADIUS_UTF8) {
$radusername = utf8_encode($username);
$radpassword = utf8_encode($password);
} else {
$radusername = $username;
$radpassword = $password;
}
if ($radius->AccessRequest($radusername, $radpassword)) {
$usr = array();
$usr['user_email'] = '';
$usr['user_firstname'] = '';
$usr['user_lastname'] = '';
$usr['user_birthdate'] = '';
$usr['user_birthplace'] = '';
$usr['user_regnumber'] = '';
$usr['user_ssn'] = '';
$usr['user_level'] = K_RADIUS_USER_LEVEL;
$usr['usrgrp_group_id'] = K_RADIUS_USER_GROUP_ID;
return $usr;
}
}
// -------------------------------------------------------
// 2) LDAP -----------------------------------------------
require_once '../../shared/config/tce_ldap.php';
if (K_LDAP_ENABLED) {
// make ldap connection
$ldapconn = ldap_connect(K_LDAP_HOST, K_LDAP_PORT);
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, K_LDAP_PROTOCOL_VERSION);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
// recommended for W2K3
// bind anonymously and get dn for username.
if (K_LDAP_UTF8) {
$ldapusername = utf8_encode($username);
$ldappassword = utf8_encode($password);
} else {
$ldapusername = $username;
$ldappassword = $password;
}
if ($lbind = ldap_bind($ldapconn, $ldapusername, $ldappassword)) {
// Search user on LDAP tree
sort($ldap_attr);
$ldap_filter = str_replace('#USERNAME#', $ldapusername, K_LDAP_FILTER);
if ($search = @ldap_search($ldapconn, K_LDAP_BASE_DN, $ldap_filter, $ldap_attr)) {
if ($rdn = @ldap_get_entries($ldapconn, $search)) {
if (@ldap_bind($ldapconn, $rdn['dn'], $password)) {
@ldap_unbind($ldapconn);
$usr = array();
foreach ($ldap_attr as $k => $v) {
if (!empty($v) and isset($rdn[$v])) {
$usr[$k] = $rdn[$v];
} else {
$usr[$k] = '';
}
}
$usr['user_level'] = K_LDAP_USER_LEVEL;
$usr['usrgrp_group_id'] = K_LDAP_USER_GROUP_ID;
return $usr;
}
}
}
}
@ldap_unbind($ldapconn);
}
// -------------------------------------------------------
// 3) CAS ------------------------------------------------
require_once '../../shared/config/tce_cas.php';
if (K_CAS_ENABLED) {
require_once '../../shared/cas/CAS.php';
$usr = array();
$usr['user_email'] = '';
$usr['user_firstname'] = '';
$usr['user_lastname'] = '';
$usr['user_birthdate'] = '';
$usr['user_birthplace'] = '';
$usr['user_regnumber'] = '';
$usr['user_ssn'] = '';
$usr['user_level'] = K_CAS_USER_LEVEL;
$usr['usrgrp_group_id'] = K_CAS_USER_GROUP_ID;
return $usr;
}
// -------------------------------------------------------
// 4) HTTP BASIC -----------------------------------------
require_once '../../shared/config/tce_httpbasic.php';
if (K_HTTPBASIC_ENABLED and isset($_SERVER['AUTH_TYPE']) and $_SERVER['AUTH_TYPE'] == 'Basic' and isset($_SERVER['PHP_AUTH_USER']) and isset($_SERVER['PHP_AUTH_PW'])) {
$usr = array();
$usr['user_email'] = '';
$usr['user_firstname'] = '';
$usr['user_lastname'] = '';
$usr['user_birthdate'] = '';
$usr['user_birthplace'] = '';
$usr['user_regnumber'] = '';
$usr['user_ssn'] = '';
$usr['user_level'] = K_HTTPBASIC_USER_LEVEL;
$usr['usrgrp_group_id'] = K_HTTPBASIC_USER_GROUP_ID;
return $usr;
}
// -------------------------------------------------------
return false;
}
/**
* Try various external Login Systems.
* (SSL, HTTP-BASIC, CAS, SHIBBOLETH, RADIUS, LDAP)
* @return array of user's data for successful login, false otherwise
* @since 2012-06-05
*/
function F_altLogin()
{
global $l, $db;
require_once '../config/tce_config.php';
// TCExam tries to retrive the user login information from the following systems:
// 1) SSL ----------------------------------------------------------
require_once '../../shared/config/tce_ssl.php';
if (K_SSL_ENABLED and (!isset($_SESSION['logout']) or !$_SESSION['logout'])) {
if (isset($_SERVER['SSL_CLIENT_M_SERIAL']) and isset($_SERVER['SSL_CLIENT_I_DN']) and isset($_SERVER['SSL_CLIENT_V_END']) and isset($_SERVER['SSL_CLIENT_VERIFY']) and $_SERVER['SSL_CLIENT_VERIFY'] === 'SUCCESS' and isset($_SERVER['SSL_CLIENT_V_REMAIN']) and $_SERVER['SSL_CLIENT_V_REMAIN'] <= 0) {
$_POST['xuser_name'] = md5($_SERVER['SSL_CLIENT_M_SERIAL'] . $_SERVER['SSL_CLIENT_I_DN']);
$_POST['xuser_password'] = getPasswordHash($_SERVER['SSL_CLIENT_M_SERIAL'] . $_SERVER['SSL_CLIENT_I_DN'] . K_RANDOM_SECURITY . $_SERVER['SSL_CLIENT_V_END']);
$_POST['logaction'] = 'login';
$usr = array();
if (isset($_SERVER['SSL_CLIENT_S_DN_Email'])) {
$usr['user_email'] = $_SERVER['SSL_CLIENT_S_DN_Email'];
} else {
$usr['user_email'] = '';
}
if (isset($_SERVER['SSL_CLIENT_S_DN_CN'])) {
$usr['user_firstname'] = $_SERVER['SSL_CLIENT_S_DN_CN'];
} else {
$usr['user_firstname'] = '';
}
$usr['user_lastname'] = '';
$usr['user_birthdate'] = '';
$usr['user_birthplace'] = '';
$usr['user_regnumber'] = '';
$usr['user_ssn'] = '';
$usr['user_level'] = K_SSL_USER_LEVEL;
$usr['usrgrp_group_id'] = K_SSL_USER_GROUP_ID;
return $usr;
}
}
// -----------------------------------------------------------------
// 2) HTTP BASIC ---------------------------------------------------
require_once '../../shared/config/tce_httpbasic.php';
if (K_HTTPBASIC_ENABLED and (!isset($_SESSION['logout']) or !$_SESSION['logout'])) {
if (isset($_SERVER['AUTH_TYPE']) and $_SERVER['AUTH_TYPE'] == 'Basic' and isset($_SERVER['PHP_AUTH_USER']) and isset($_SERVER['PHP_AUTH_PW']) and $_SESSION['session_user_name'] != $_SERVER['PHP_AUTH_USER']) {
$_POST['xuser_name'] = $_SERVER['PHP_AUTH_USER'];
$_POST['xuser_password'] = $_SERVER['PHP_AUTH_PW'];
$_POST['logaction'] = 'login';
$usr = array();
$usr['user_email'] = '';
$usr['user_firstname'] = '';
$usr['user_lastname'] = '';
$usr['user_birthdate'] = '';
$usr['user_birthplace'] = '';
$usr['user_regnumber'] = '';
$usr['user_ssn'] = '';
$usr['user_level'] = K_HTTPBASIC_USER_LEVEL;
$usr['usrgrp_group_id'] = K_HTTPBASIC_USER_GROUP_ID;
return $usr;
}
}
// -----------------------------------------------------------------
// 3) CAS - Central Authentication Service -------------------------
require_once '../../shared/config/tce_cas.php';
if (K_CAS_ENABLED) {
require_once '../../shared/cas/CAS.php';
phpCAS::client(K_CAS_VERSION, K_CAS_HOST, K_CAS_PORT, K_CAS_PATH, false);
phpCAS::setNoCasServerValidation();
phpCAS::forceAuthentication();
if ($_SESSION['session_user_name'] != phpCAS::getUser()) {
$_POST['xuser_name'] = phpCAS::getUser();
$_POST['xuser_password'] = getPasswordHash($_POST['xuser_name'] . K_RANDOM_SECURITY);
$_POST['logaction'] = 'login';
$usr = array();
$usr['user_email'] = '';
$usr['user_firstname'] = '';
$usr['user_lastname'] = '';
$usr['user_birthdate'] = '';
$usr['user_birthplace'] = '';
$usr['user_regnumber'] = '';
$usr['user_ssn'] = '';
$usr['user_level'] = K_CAS_USER_LEVEL;
$usr['usrgrp_group_id'] = K_CAS_USER_GROUP_ID;
return $usr;
}
}
// -----------------------------------------------------------------
// 4) Shibboleth ---------------------------------------------------
require_once '../../shared/config/tce_shibboleth.php';
if (K_SHIBBOLETH_ENABLED and (!isset($_SESSION['logout']) or !$_SESSION['logout'])) {
if (isset($_SERVER['AUTH_TYPE']) and $_SERVER['AUTH_TYPE'] == 'shibboleth' and (isset($_SERVER['Shib_Session_ID']) and !empty($_SERVER['Shib_Session_ID']) or isset($_SERVER['HTTP_SHIB_IDENTITY_PROVIDER']) and !empty($_SERVER['HTTP_SHIB_IDENTITY_PROVIDER'])) and isset($_SERVER['eppn']) and $_SESSION['session_user_name'] != $_SERVER['eppn']) {
$_POST['xuser_name'] = $_SERVER['eppn'];
$_POST['xuser_password'] = getPasswordHash($_POST['xuser_name'] . K_RANDOM_SECURITY);
$_POST['logaction'] = 'login';
$usr = array();
$usr['user_email'] = $_SERVER['eppn'];
if (isset($_SERVER['givenName'])) {
$usr['user_firstname'] = $_SERVER['givenName'];
} else {
$usr['user_firstname'] = '';
}
if (isset($_SERVER['sn'])) {
$usr['user_lastname'] = $_SERVER['sn'];
} else {
$usr['user_lastname'] = '';
}
$usr['user_birthdate'] = '';
$usr['user_birthplace'] = '';
if (isset($_SERVER['employeeNumber'])) {
$usr['user_regnumber'] = $_SERVER['employeeNumber'];
} else {
$usr['user_regnumber'] = '';
}
$usr['user_ssn'] = '';
$usr['user_level'] = K_SHIBBOLETH_USER_LEVEL;
$usr['usrgrp_group_id'] = K_SHIBBOLETH_USER_GROUP_ID;
return $usr;
}
}
// -----------------------------------------------------------------
if (isset($_POST['logaction']) and $_POST['logaction'] == 'login' and isset($_POST['xuser_name']) and isset($_POST['xuser_password'])) {
// 5) RADIUS ---------------------------------------------------
require_once '../../shared/config/tce_radius.php';
if (K_RADIUS_ENABLED) {
require_once '../../shared/radius/radius.class.php';
$radius = new Radius(K_RADIUS_SERVER_IP, K_RADIUS_SHARED_SECRET, K_RADIUS_SUFFIX, K_RADIUS_UDP_TIMEOUT, K_RADIUS_AUTHENTICATION_PORT, K_RADIUS_ACCOUNTING_PORT);
if (K_RADIUS_UTF8) {
$radusername = utf8_encode($_POST['xuser_name']);
$radpassword = utf8_encode($_POST['xuser_password']);
} else {
$radusername = $_POST['xuser_name'];
$radpassword = $_POST['xuser_password'];
}
if ($radius->AccessRequest($radusername, $radpassword)) {
$usr = array();
$usr['user_email'] = '';
$usr['user_firstname'] = '';
$usr['user_lastname'] = '';
$usr['user_birthdate'] = '';
$usr['user_birthplace'] = '';
$usr['user_regnumber'] = '';
$usr['user_ssn'] = '';
$usr['user_level'] = K_RADIUS_USER_LEVEL;
$usr['usrgrp_group_id'] = K_RADIUS_USER_GROUP_ID;
return $usr;
}
}
// -------------------------------------------------------------
// 6) LDAP -----------------------------------------------------
require_once '../../shared/config/tce_ldap.php';
if (K_LDAP_ENABLED) {
// make ldap connection
$ldapconn = ldap_connect(K_LDAP_HOST, K_LDAP_PORT);
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, K_LDAP_PROTOCOL_VERSION);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
// recommended for W2K3
// bind anonymously and get dn for username.
if (K_LDAP_UTF8) {
$ldapusername = utf8_encode($_POST['xuser_name']);
$ldappassword = utf8_encode($_POST['xuser_password']);
} else {
$ldapusername = $_POST['xuser_name'];
$ldappassword = $_POST['xuser_password'];
}
if ($lbind = ldap_bind($ldapconn, $ldapusername, $ldappassword)) {
// Search user on LDAP tree
sort($ldap_attr);
$ldap_filter = str_replace('#USERNAME#', $ldapusername, K_LDAP_FILTER);
if ($search = @ldap_search($ldapconn, K_LDAP_BASE_DN, $ldap_filter, $ldap_attr)) {
if ($rdn = @ldap_get_entries($ldapconn, $search)) {
if (@ldap_bind($ldapconn, $rdn['dn'], $_POST['xuser_password'])) {
@ldap_unbind($ldapconn);
$usr = array();
foreach ($ldap_attr as $k => $v) {
if (!empty($v) and isset($rdn[$v])) {
$usr[$k] = $rdn[$v];
} else {
$usr[$k] = '';
}
}
$usr['user_level'] = K_LDAP_USER_LEVEL;
$usr['usrgrp_group_id'] = K_LDAP_USER_GROUP_ID;
return $usr;
}
}
}
}
@ldap_unbind($ldapconn);
}
// -------------------------------------------------------------
}
return false;
}
