Esempio n. 1
0
 /**
  * Bind to LDAP with a specific DN and password. Simple wrapper around
  * ldap_bind() with some additional logging.
  *
  * @param string $dn
  * The DN used.
  * @param string $password
  * The password used.
  * @param array $sasl_args
  * Array of SASL options for SASL bind
  * @return bool
  * Returns TRUE if successful, FALSE if
  * LDAP_INVALID_CREDENTIALS, LDAP_X_PROXY_AUTHZ_FAILURE,
  * LDAP_INAPPROPRIATE_AUTH, LDAP_INSUFFICIENT_ACCESS
  * @throws SimpleSAML_Error_Exception on other errors
  */
 public function bind($dn, $password, array $sasl_args = NULL)
 {
     $authz_id = null;
     if ($sasl_args != NULL) {
         if (!function_exists(ldap_sasl_bind)) {
             $ex_msg = 'Library - missing SASL support';
             throw $this->makeException($ex_msg);
         }
         // SASL Bind, with error handling.
         $authz_id = $sasl_args['authz_id'];
         $error = @ldap_sasl_bind($this->ldap, $dn, $password, $sasl_args['mech'], $sasl_args['realm'], $sasl_args['authc_id'], $sasl_args['authz_id'], $sasl_args['props']);
     } else {
         // Simple Bind, with error handling.
         $authz_id = $dn;
         $error = @ldap_bind($this->ldap, $dn, $password);
     }
     if ($error === TRUE) {
         // Good.
         $this->authz_id = $authz_id;
         SimpleSAML_Logger::NOTICE('Library -----> LDAP bind(): Bind successful with DN \'' . $dn . '\'');
         return TRUE;
     }
     /* Handle errors
      * LDAP_INVALID_CREDENTIALS
      * LDAP_INSUFFICIENT_ACCESS */
     switch (ldap_errno($this->ldap)) {
         case 32:
             /* LDAP_NO_SUCH_OBJECT */
         /* LDAP_NO_SUCH_OBJECT */
         case 47:
             /* LDAP_X_PROXY_AUTHZ_FAILURE */
         /* LDAP_X_PROXY_AUTHZ_FAILURE */
         case 48:
             /* LDAP_INAPPROPRIATE_AUTH */
         /* LDAP_INAPPROPRIATE_AUTH */
         case 49:
             /* LDAP_INVALID_CREDENTIALS */
         /* LDAP_INVALID_CREDENTIALS */
         case 50:
             /* LDAP_INSUFFICIENT_ACCESS */
             return FALSE;
             break;
         default:
             break;
     }
     // Bad.
     throw $this->makeException('Library - LDAP bind(): Bind failed with DN \'' . $dn . '\'');
 }
Esempio n. 2
0
 /**
  * Attempt to log in using the given username and password.
  *
  * Will throw a SimpleSAML_Error_Error('WRONGUSERPASS') if the username or password is wrong.
  * If there is a configuration problem, an Exception will be thrown.
  *
  * @param string $username  The username the user wrote.
  * @param string $password  The password the user wrote.
  * @param arrray $sasl_args  Array of SASL options for LDAP bind.
  * @return array  Associative array with the users attributes.
  */
 public function login($username, $password, array $sasl_args = NULL)
 {
     assert('is_string($username)');
     assert('is_string($password)');
     if (empty($password)) {
         SimpleSAML_Logger::info($this->location . ': Login with empty password disallowed.');
         throw new SimpleSAML_Error_Error('WRONGUSERPASS');
     }
     $ldap = new SimpleSAML_Auth_LDAP($this->hostname, $this->enableTLS, $this->debug, $this->timeout);
     if (!$this->searchEnable) {
         $ldapusername = addcslashes($username, ',+"\\<>;*');
         $dn = str_replace('%username%', $ldapusername, $this->dnPattern);
     } else {
         if ($this->searchUsername !== NULL) {
             SimpleSAML_Logger::NOTICE(" --------------- searchUsername: {$username}, searchPassword: {$password}");
             if (!$ldap->bind('promodo\\' . $username, $password)) {
                 throw new SimpleSAML_Error_Error('WRONGUSERPASS');
                 //                                  throw new Exception('Error authenticating using search username & password.');
             }
         }
         $dn = $ldap->searchfordn($this->searchBase, $this->searchAttributes, $username, TRUE);
         if ($dn === NULL) {
             /* User not found with search. */
             SimpleSAML_Logger::info($this->location . ': Unable to find users DN. username=\'' . $username . '\'');
             throw new SimpleSAML_Error_Error('WRONGUSERPASS');
         }
     }
     //		if (!$ldap->bind($dn, $password, $sasl_args)) {
     //			SimpleSAML_Logger::info($this->location . ': '. $username . ' failed to authenticate. DN=' . $dn);
     //			throw new SimpleSAML_Error_Error('WRONGUSERPASS');
     //		}
     /* In case of SASL bind, authenticated and authorized DN may differ */
     if (isset($sasl_args)) {
         $dn = $ldap->whoami($this->searchBase, $this->searchAttributes);
     }
     /* Are privs needed to get the attributes? */
     if ($this->privRead) {
         /* Yes, rebind with privs */
         if (!$ldap->bind($this->privUsername, $this->privPassword)) {
             throw new Exception('Error authenticating using privileged DN & password.');
         }
     }
     return $ldap->getAttributes($dn, $this->attributes);
 }