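/**
 * Authenticates a user (checks various conditions for the user that might invalidate its
 * authentication, e.g., password match, domain, IP, etc.).
 *
 * No password is verified here: the method only looks at the user record handed in. The
 * presence of $user['tx_igldapssoauth_from'] is treated as "LDAP bind already succeeded"
 * (NOTE(review): presumably set by the lookup that performed the bind - verify in getUser())
 * and is turned into a TYPO3 authentication status; its absence is logged as a failed login.
 *
 * @param array $user Data of user.
 * @return int|FALSE
 */
public function authUser(array $user) {
    if (!Configuration::isInitialized()) {
        // Early return since LDAP is not configured
        return static::STATUS_AUTHENTICATION_FAILURE_CONTINUE;
    }

    // Default status when this service cannot decide. In the backend the "BEfailsafe"
    // option decides whether other authentication services may still be tried.
    if (TYPO3_MODE === 'BE') {
        $status = Configuration::getValue('BEfailsafe')
            ? static::STATUS_AUTHENTICATION_FAILURE_CONTINUE
            : static::STATUS_AUTHENTICATION_FAILURE_BREAK;
    } else {
        $status = static::STATUS_AUTHENTICATION_FAILURE_CONTINUE;
    }

    // Frontend SSO: the web server already authenticated the user (REMOTE_USER is set),
    // so a username/password pair is not required in that case.
    $enableFrontendSso = TYPO3_MODE === 'FE'
        && (bool) $this->config['enableFESSO']
        && !empty($_SERVER['REMOTE_USER']);
    $hasCredentials = $this->login['uident'] && $this->login['uname'];

    if (($hasCredentials || $enableFrontendSso) && !empty($user['tx_igldapssoauth_dn'])) {
        if (isset($user['tx_igldapssoauth_from'])) {
            $status = static::STATUS_AUTHENTICATION_SUCCESS_BREAK;
        } elseif (TYPO3_MODE === 'BE' && Configuration::getValue('BEfailsafe')) {
            return static::STATUS_AUTHENTICATION_FAILURE_CONTINUE;
        } else {
            // Failed login attempt (wrong password) - write that to the log!
            // The context array is the logger's second argument (as in the error() call
            // below); concatenating it into the message logged "Password not accepted: Array"
            // and raised an "Array to string conversion" notice.
            static::getLogger()->warning('Password not accepted', array(
                'username' => $this->login['uname'],
                'remote' => sprintf('%s (%s)', $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST']),
            ));
            $status = static::STATUS_AUTHENTICATION_FAILURE_BREAK;
        }

        // Checking the domain (lockToDomain). Skipped when $status is already falsy
        // (the failure/break status is expected to be 0 - confirm against the constants).
        // NOTE(review): HTTP_HOST originates from the client's Host header, so this check is
        // only as trustworthy as the web server's virtual-host configuration.
        if ($status && $user['lockToDomain'] && $user['lockToDomain'] !== $this->authInfo['HTTP_HOST']) {
            // Lock domain didn't match, so error:
            static::getLogger()->error(
                sprintf('Locked domain "%s" did not match "%s"', $user['lockToDomain'], $this->authInfo['HTTP_HOST']),
                array(
                    'username' => $user[$this->db_user['username_column']],
                    'remote' => sprintf('%s (%s)', $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST']),
                )
            );
            $status = static::STATUS_AUTHENTICATION_FAILURE_BREAK;
        }
    }

    return $status;
}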
/**
 * Normalises a username according to the current configuration.
 *
 * When "forceLowerCaseUsername" is enabled the name is lower-cased with strtolower()
 * (byte-based, so multi-byte characters are not folded); otherwise it is returned unchanged.
 *
 * @param string $username
 * @return string
 */
public static function setUsername($username) {
    $forceLowerCase = (bool) Configuration::getValue('forceLowerCaseUsername');
    if (!$forceLowerCase) {
        return $username;
    }
    // Possible enhancement: use \TYPO3\CMS\Core\Charset\CharsetConverter::conv_case instead
    return strtolower($username);
}
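/**
 * Returns a TYPO3 user record for the given username/DN, or a fresh record when the user
 * does not exist yet and "IfUserExist" is disabled.
 *
 * @param string $username
 * @param string $userDn
 * @param int|NULL $pid
 * @return array|NULL The user record, or NULL if none exists and none may be created
 */
protected static function getTypo3User($username, $userDn, $pid = NULL) {
    $user = NULL;
    $table = static::$authenticationService->authInfo['db_user']['table'];
    $typo3_users = Typo3UserRepository::fetch($table, 0, $pid, $username, $userDn);

    if ($typo3_users) {
        if (Configuration::getValue('IfUserExist')) {
            // Ensure every returned record is active: a deleted user must behave as if it
            // did not exist at all. (An inactive user, disable=1, is rejected by TYPO3 itself.)
            $activeUsers = array();
            foreach ($typo3_users as $typo3_user) {
                if (empty($typo3_user['deleted'])) {
                    $activeUsers[] = $typo3_user;
                }
            }
            $typo3_users = $activeUsers;
        }
        // We want to return only first user in any case, if more than one are returned (e.g.,
        // same username/DN twice) actual authentication will fail anyway later on.
        // isset() covers the case where every fetched record was deleted and the list is now
        // empty (indexing [0] unconditionally raised an undefined-index notice there).
        if (isset($typo3_users[0]) && is_array($typo3_users[0])) {
            $user = $typo3_users[0];
        }
    } elseif (!Configuration::getValue('IfUserExist')) {
        // No such user yet: build a new record. NOTE(review): nothing in this method saves
        // it; confirm whether Typo3UserRepository::create() persists or only instantiates.
        $user = Typo3UserRepository::create($table);
        $user['pid'] = (int) $pid;
        $user['crdate'] = $GLOBALS['EXEC_TIME'];
        $user['tstamp'] = $GLOBALS['EXEC_TIME'];
        $user['username'] = $username;
        $user['tx_igldapssoauth_dn'] = $userDn;
    }

    return $user;
}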
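/**
 * Returns the corresponding DN if a given user is provided, otherwise FALSE.
 *
 * NOTE(review): $username is substituted into $filter verbatim. Unless the caller already
 * escapes it, a username containing filter metacharacters ("*", "(", ")", "\", NUL) can
 * change the meaning of the LDAP search (filter injection). ldap_escape($username, '',
 * LDAP_ESCAPE_FILTER) (PHP >= 5.6) would close that - confirm where the value comes from
 * before adding it here to avoid double escaping.
 *
 * @param string $username
 * @param string $password User's password. If NULL password will not be checked
 * @param string $baseDn
 * @param string $filter Search filter containing a "{USERNAME}" placeholder
 * @return bool|string The user's DN on success, FALSE otherwise
 */
public function validateUser($username = NULL, $password = NULL, $baseDn = NULL, $filter = NULL) {
    $searchFilter = str_replace('{USERNAME}', $username, $filter);

    // If user is not found on ldap server, authentication fails
    if (!$this->ldapUtility->search($baseDn, $searchFilter, array('dn'))) {
        return FALSE;
    }

    if ($password === NULL) {
        // If enabled, SSO authentication without password: the identity is taken from the
        // search result alone, so callers must only pass NULL when the user has already
        // been authenticated by other means (e.g., REMOTE_USER).
        if (Configuration::getValue('SSOAuthentication')) {
            return $this->ldapUtility->getDn();
        }
        // User invalid. Authentication failed.
        return FALSE;
    }

    // An empty password must never reach the bind: directories that allow unauthenticated
    // binds would "succeed" for any existing DN. Compared against '' instead of empty() so
    // that the legitimate password "0" is not rejected as empty.
    if ((string) $password === '') {
        $this->lastBindDiagnostic = 'Empty password provided!';
        return FALSE;
    }

    // Validate with password: bind DN of user with password.
    if (!$this->ldapUtility->bind($this->ldapUtility->getDn(), $password)) {
        // Password does not match; keep the server's diagnostic for the caller
        $status = $this->ldapUtility->getStatus();
        $this->lastBindDiagnostic = $status['bind']['diagnostic'];
        return FALSE;
    }
    $dn = $this->ldapUtility->getDn();

    // Restore last LDAP binding (the configured service account) so that subsequent
    // lookups on this connection do not run with the end user's credentials
    $config = Configuration::getLdapConfiguration();
    $this->ldapUtility->bind($config['binddn'], $config['password']);
    $this->lastBindDiagnostic = '';

    return $dn;
}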