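/**
 * Authenticate $username/$password against the directory, falling back to
 * the SQL authenticator when LDAP does not authenticate and fallback is on.
 *
 * @param string $username login name substituted into the configured filter
 * @param string $password password to prove by binding as the found entry
 * @return bool true when the user is authenticated (by LDAP or the fallback)
 */
public function authenticate($username, $password)
{
    $this->username = $username;

    // Active Directory (and other servers) treat a bind with an empty
    // password as an anonymous bind and report success, so an empty
    // password must be refused before any bind is attempted.
    if (strlen($password) == 0) {
        return false;
    }

    if ($this->ldapAuthenticate($username, $password)) {
        return true;
    }

    // LDAP did not authenticate the user (connection, search or bind
    // failure): optionally try the SQL authenticator with the same credentials.
    if ($this->fallback == true) {
        $sqlAuth = new w2p_Authenticators_SQL();
        return $sqlAuth->authenticate($username, $password);
    }
    return false;
}

/**
 * Connect to the directory, find the entry matching $username and bind as
 * that entry with $password. On success the local SQL user is created or
 * its stored hash refreshed. The connection is released on every path.
 *
 * @return bool true when the user's own bind succeeded
 */
private function ldapAuthenticate($username, $password)
{
    $rs = ldap_connect($this->ldap_host, $this->ldap_port);
    if (!$rs) {
        return false;
    }
    ldap_set_option($rs, LDAP_OPT_PROTOCOL_VERSION, $this->ldap_version);
    ldap_set_option($rs, LDAP_OPT_REFERRALS, 0);

    // The search bind uses the configured search account; when no search
    // password is configured a null password is passed (anonymous bind).
    $ldap_bind_pw = empty($this->ldap_search_pass) ? null : $this->ldap_search_pass;
    $entry = null;
    if (ldap_bind($rs, $this->ldap_search_user, $ldap_bind_pw)) {
        $entry = $this->findLdapEntry($rs, $username);
    }
    // Prove the password by binding as the entry found for the user.
    $bound = ($entry !== null) && ldap_bind($rs, $entry['dn'], $password);
    ldap_unbind($rs);

    if (!$bound) {
        return false;
    }
    $this->syncSqlUser($username, $password, $entry);
    return true;
}

/**
 * Search below base_dn with the configured filter, %USERNAME% replaced by
 * the escaped username. Returns the first matching entry or null.
 */
private function findLdapEntry($rs, $username)
{
    // The configured filter may contain HTML entities, so the template is
    // decoded before substitution; the username is escaped with
    // ldap_escape() so filter metacharacters (*, (, ), \, NUL) in it cannot
    // change the meaning of the filter.
    $template = html_entity_decode($this->filter, ENT_COMPAT, 'UTF-8');
    $filter_r = str_replace('%USERNAME%', ldap_escape($username, '', LDAP_ESCAPE_FILTER), $template);

    $result = ldap_search($rs, $this->base_dn, $filter_r);
    if (!$result) {
        return null;
    }
    $entries = ldap_get_entries($rs, $result);
    if (!$entries || $entries['count'] == 0) {
        return null;
    }
    // Only one entry is expected to match (sAMAccountName, uid, ...); if the
    // configured filter is looser than that, the first hit is the one used.
    return $entries[0];
}

/**
 * Create the local SQL user from the LDAP entry, or refresh the stored
 * password hash of an existing one when it differs from the current password.
 */
private function syncSqlUser($username, $password, $ldapEntry)
{
    if (!$this->userExists($username)) {
        $this->createsqluser($username, $password, $ldapEntry);
        return;
    }
    $tmpUser = new CUser();
    $tmpUser->load($this->userId($username));
    $hash_pass = $this->hashPassword($password);
    if ($hash_pass !== $tmpUser->user_password) {
        $tmpUser->user_password = $hash_pass;
        $tmpUser->store();
    }
}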
/**
 * TODO: Remove for v4.0 - caseydk 22 February 2013
 *
 * Deprecated shim: raises an E_USER_NOTICE and hands off to
 * w2p_Authenticators_SQL->createNewPassword(), returning its result.
 *
 * @deprecated use w2p_Authenticators_SQL->createNewPassword() instead
 */
function makePass()
{
    $notice = "makePass() has been deprecated in v3.0 and will be removed in v4.0. Use w2p_Authenticators_SQL->createNewPassword instead.";
    trigger_error($notice, E_USER_NOTICE);

    $generator = new w2p_Authenticators_SQL();
    return $generator->createNewPassword();
}
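/**
 * Authenticate $username/$password against the directory; when LDAP does
 * not authenticate and fallback is enabled, defer to parent::authenticate().
 *
 * @param string $username login name substituted into the configured filter
 * @param string $password password to prove by binding as the found entry
 * @return bool true when the user is authenticated
 */
public function authenticate($username, $password)
{
    $this->username = $username;

    // Active Directory answers a bind with an empty password as a successful
    // anonymous bind, so an empty password is refused before any bind.
    if (strlen($password) == 0) {
        return false;
    }

    $rs = ldap_connect($this->ldap_host, $this->ldap_port);
    if ($rs) {
        ldap_set_option($rs, LDAP_OPT_PROTOCOL_VERSION, $this->ldap_version);
        ldap_set_option($rs, LDAP_OPT_REFERRALS, 0);

        // Null search password means an anonymous search bind.
        $ldap_bind_pw = empty($this->ldap_search_pass) ? null : $this->ldap_search_pass;
        $first_user = null;
        if (ldap_bind($rs, $this->searchBindDn(), $ldap_bind_pw)) {
            // Decode the (possibly HTML-encoded) filter template first, then
            // substitute the escaped username so filter metacharacters in
            // it cannot change the meaning of the filter.
            $filter_r = str_replace(
                '%USERNAME%',
                ldap_escape($username, '', LDAP_ESCAPE_FILTER),
                html_entity_decode($this->filter, ENT_COMPAT, 'UTF-8')
            );
            $result = ldap_search($rs, $this->base_dn, $filter_r);
            if ($result) {
                $result_user = ldap_get_entries($rs, $result);
                // Only one entry should match (sAMAccountName, uid, ...); the
                // first one is used.
                if ($result_user && $result_user['count'] != 0) {
                    $first_user = $result_user[0];
                }
            }
        }

        // Prove the password by binding as the entry found for the user,
        // then release the connection whatever the outcome.
        $bind_user = ($first_user !== null) && ldap_bind($rs, $first_user['dn'], $password);
        ldap_unbind($rs);

        if ($bind_user) {
            if ($this->userExists($username)) {
                // Refresh the stored hash when it differs from the current password.
                $tmpUser = new CUser();
                $tmpUser->load($this->userId($username));
                // NOTE(review): this stores an unsalted md5 of the password;
                // the other LDAP variant uses $this->hashPassword() — confirm
                // which one the SQL side expects before aligning them.
                $hash_pass = md5($password);
                if ($hash_pass !== $tmpUser->user_password) {
                    $tmpUser->user_password = $hash_pass;
                    $tmpUser->store();
                }
            } else {
                $this->createsqluser($username, $password, $first_user);
            }
            return true;
        }
    }

    if ($this->fallback == true) {
        return parent::authenticate($username, $password);
    }
    return false;
}

/**
 * Resolve the DN used for the search bind: the fully custom
 * ldap_complete_string when configured, otherwise a DN built from
 * ldap_search_user and base_dn in the historical layout.
 *
 * @return string bind DN
 */
private function searchBindDn()
{
    if ((string) $this->ldap_complete_string !== '') {
        // A completely custom DN for directories laid out differently
        // than the default expects.
        return $this->ldap_complete_string;
    }
    // Compatible with the old/previous LDAP settings used all along.
    if (strpos($this->ldap_search_user, 'CN=') === false) {
        return 'CN=' . $this->ldap_search_user . ',OU=Users,' . $this->base_dn;
    }
    return $this->ldap_search_user . ',' . $this->base_dn;
}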
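/**
 * Authenticate from a PostNuke "userdata" payload in the request and
 * create or update the matching local user and contact.
 *
 * Without a payload the SQL authenticator is used when fallback is enabled.
 * Any decoding, verification or database failure terminates the request
 * with a message (die), as the original flow does.
 *
 * @param string $username login name (replaced by the payload's login)
 * @param string $password password forwarded to the SQL fallback only
 * @return bool true once the local user and contact are in sync
 */
public function authenticate($username, $password)
{
    global $db;

    if (!isset($_REQUEST['userdata'])) {
        // No PostNuke payload: fall back to SQL authentication if configured.
        if ($this->fallback) {
            $sqlAuth = new w2p_Authenticators_SQL();
            return $sqlAuth->authenticate($username, $password);
        }
        die($this->AppUI->_('You have not configured your PostNuke site correctly'));
    }

    $user_data = $this->decodePostNukeUserdata($_REQUEST['userdata']);

    // The payload carries the identity; split "name" into first/last on the
    // last space.
    $username = trim($user_data['login']);
    $this->username = $username;
    $names = explode(' ', trim($user_data['name']));
    $last_name = array_pop($names);
    $first_name = implode(' ', $names);
    $passwd = trim($user_data['passwd']);
    $email = trim($user_data['email']);

    $q = $this->query;
    $q->addTable('users');
    $q->addQuery('user_id, user_password, user_contact');
    // The login comes from the request payload: escape it before it is
    // interpolated into the WHERE clause.
    $q->addWhere("user_username = '" . db_escape($username) . "'");
    $rs = $q->exec();
    if (!$rs) {
        die($this->AppUI->_('Failed to get user details') . ' - error was ' . $db->ErrorMsg());
    }

    if ($rs->RecordCount() < 1) {
        // Unknown user: create it (and its default role) from the payload.
        $q->clear();
        $this->createsqluser($username, $passwd, $email, $first_name, $last_name);
        return true;
    }

    $row = $rs->FetchRow();
    if (!$row) {
        die($this->AppUI->_('Failed to retrieve user detail'));
    }

    // User exists: refresh the credential and the contact details.
    $this->user_id = $row['user_id'];
    $q->clear();
    $q->addTable('users');
    $q->addUpdate('user_password', $passwd);
    $q->addWhere('user_id = ' . (int) $this->user_id);
    if (!$q->exec()) {
        die($this->AppUI->_('Could not update user credentials'));
    }

    $q->clear();
    $q->addTable('contacts');
    $q->addUpdate('contact_first_name', $first_name);
    $q->addUpdate('contact_last_name', $last_name);
    $q->addUpdate('contact_email', $email);
    $q->addWhere('contact_id = ' . (int) $row['user_contact']);
    if (!$q->exec()) {
        die($this->AppUI->_('Could not update user details'));
    }
    return true;
}

/**
 * Decode the PostNuke payload: url-decode, base64-decode, gzuncompress,
 * verify the accompanying "check" digest, then unserialize.
 *
 * Dies with a numbered "missing or corrupted" message on any failure, so
 * the caller only ever receives a complete array.
 *
 * @param string $encoded raw value of $_REQUEST['userdata']
 * @return array payload with at least login, name, passwd and email keys
 */
private function decodePostNukeUserdata($encoded)
{
    // urldecode() is kept for compatibility with the sender; base64 is
    // decoded non-strictly because urldecode() turns '+' into spaces.
    $compressed_data = base64_decode(urldecode($encoded));
    if (!$compressed_data) {
        die($this->AppUI->_('The credentials supplied were missing or corrupted') . ' (1)');
    }
    $userdata = gzuncompress($compressed_data);
    if (!$userdata) {
        die($this->AppUI->_('The credentials supplied were missing or corrupted') . ' (2)');
    }

    // The sender's "check" value must equal our own digest of the payload;
    // the previous code assigned to $_REQUEST['check'] here instead of
    // comparing, so the digest was never verified. hash_equals() keeps the
    // comparison constant-time.
    $expected = (string) $this->hashPassword($userdata);
    $provided = (isset($_REQUEST['check']) && is_string($_REQUEST['check'])) ? $_REQUEST['check'] : '';
    if ($expected === '' || !hash_equals($expected, $provided)) {
        die($this->AppUI->_('The credentials supplied were missing or corrupted') . ' (3)');
    }

    // NOTE(review): unserialize() on request data can instantiate arbitrary
    // classes (object injection). The payload only needs scalar fields, so on
    // PHP >= 7.0 passing ['allowed_classes' => false] would close that off.
    $user_data = unserialize($userdata);
    if (!is_array($user_data)
        || !isset($user_data['login'], $user_data['name'], $user_data['passwd'], $user_data['email'])) {
        die($this->AppUI->_('The credentials supplied were missing or corrupted') . ' (4)');
    }
    return $user_data;
}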
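/**
 * Password-reset handler: look up the user by the posted username and
 * e-mail address, store a freshly generated password and mail it to the
 * address on record. Redirects (via $AppUI) with a message on both the
 * failure and the success path.
 */
function sendNewPass()
{
    global $AppUI;

    // Whitelist the username to [A-Za-z0-9] and escape the address before
    // either reaches the query.
    $checkusername = preg_replace("/[^A-Za-z0-9]/", "", w2PgetParam($_POST, 'checkusername', ''));
    $confirmEmail = trim(w2PgetParam($_POST, 'checkemail', ''));
    $confirmEmail = strtolower(db_escape($confirmEmail));

    $q = new w2p_Database_Query();
    $q->addTable('users');
    $q->addJoin('contacts', 'con', 'user_contact = contact_id', 'inner');
    $q->addQuery('user_id');
    // Match on the sanitised username; the address condition is added below.
    $q->addWhere("user_username = '{$checkusername}'");

    /* Begin Hack */
    /*
     * This is a particularly annoying hack but I don't know of a better
     * way to resolve #457. In v2.0, there was a refactoring to allow for
     * multiple contact methods which resulted in the contact_email being
     * removed from the contacts table. If the user is upgrading from
     * v1.x and they try to log in before applying the database, crash.
     * Info: http://bugs.web2project.net/view.php?id=457
     */
    $qTest = new w2p_Database_Query();
    $qTest->addTable('w2pversion');
    $qTest->addQuery('max(db_version)');
    $dbVersion = $qTest->loadResult();
    if ($dbVersion >= 21 && $dbVersion < 26) {
        $q->leftJoin('contacts_methods', 'cm', 'cm.contact_id = con.contact_id');
        $q->addWhere("cm.method_value = '{$confirmEmail}'");
    } else {
        $q->addWhere("LOWER(user_email) = '{$confirmEmail}'");
    }
    /* End Hack */

    $user_id = $q->loadResult();
    if (!$user_id) {
        // The same message whichever part failed, which also avoids confirming
        // whether a given username or address exists.
        $AppUI->setMsg('Invalid username or email.', UI_MSG_ERROR);
        $AppUI->redirect();
        return;
    }

    $auth = new w2p_Authenticators_SQL();
    $newpass = $auth->createNewPassword();
    $hashed = $auth->hashPassword($newpass);

    // Build the update on a clean query so the lookup's join and conditions
    // cannot leak into it.
    $q->clear();
    $q->addTable('users');
    $q->addUpdate('user_password', $hashed);
    $q->addWhere('user_id=' . (int) $user_id);
    $cur = $q->exec();
    if ($cur) {
        $emailManager = new w2p_Output_EmailManager($AppUI);
        $body = $emailManager->notifyPasswordReset($checkusername, $newpass);

        // NOTE(review): $_sitename is not set in this function; unless it is
        // defined elsewhere the subject carries an empty site prefix — confirm.
        $m = new w2p_Utilities_Mail();
        $m->To($confirmEmail);
        $subject = $_sitename . ' :: ' . $AppUI->_('sendpass4', UI_OUTPUT_RAW) . ' - ' . $checkusername;
        $m->Subject($subject);
        $m->Body($body, isset($GLOBALS['locale_char_set']) ? $GLOBALS['locale_char_set'] : '');
        $m->Send();

        $AppUI->setMsg('New User Password created and emailed to you');
        $AppUI->redirect();
    }
}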