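/**
 * Authenticate a user against the LDAP server with a direct bind.
 *
 * Accounts listed in $this->LDAP_LOCAL_ACCOUNTS are delegated to the local
 * Kimai authenticator. Everyone else is verified by binding to the LDAP
 * server as LDAP_USERNAME_PREFIX . username . LDAP_USERNAME_POSTFIX with the
 * supplied password. On success the Kimai user is looked up (or auto-created
 * when LDAP_USER_AUTOCREATE is set) and its id is written to $userId.
 *
 * Failure reasons are echoed, as elsewhere in this class; the return value
 * and $userId are the contract callers rely on.
 *
 * @param string    $username login name as typed by the user (untrusted)
 * @param string    $password password as typed by the user (untrusted)
 * @param int|false $userId   out: Kimai user id on success, false otherwise
 * @return bool true when the user is authenticated and known to Kimai
 */
public function authenticate($username, $password, &$userId)
{
    // Accounts that must never go through LDAP (strict: no numeric-string coercion).
    if (in_array($username, $this->LDAP_LOCAL_ACCOUNTS, true)) {
        return $this->kimaiAuth->authenticate($username, $password, $userId);
    }

    $userId = false;

    // Check environment sanity
    if (!function_exists('ldap_bind')) {
        echo 'ldap is not installed!';
        return false;
    }

    // Check if username is legal. An empty password is rejected explicitly:
    // ldap_bind() with an empty password is an anonymous bind, which most
    // servers accept, so it would "verify" any known username.
    $check_username = trim($username);
    if (!$check_username
        || !trim($password)
        || ($this->LDAP_FORCE_USERNAME_LOWERCASE && strtolower($check_username) !== $check_username)
    ) {
        return false;
    }

    // Connect to LDAP
    $connect_result = ldap_connect($this->LADP_SERVER);
    if (!$connect_result) {
        echo "Cannot connect to ", $this->LADP_SERVER;
        return false;
    }
    ldap_set_option($connect_result, LDAP_OPT_PROTOCOL_VERSION, 3);

    // Try to bind. Binding means user and pwd are valid.
    // The username is embedded in a DN, so it is DN-escaped first; otherwise
    // characters such as ',' or '=' typed by the caller could alter the bind
    // DN. ldap_escape() requires PHP >= 5.6.
    $bindDn = $this->LDAP_USERNAME_PREFIX
        . ldap_escape($check_username, '', LDAP_ESCAPE_DN)
        . $this->LDAP_USERNAME_POSTFIX;
    $bind_result = ldap_bind($connect_result, $bindDn, $password);
    // The connection is not needed beyond this point; release it on every path.
    ldap_unbind($connect_result);
    if (!$bind_result) {
        // Nope!
        return false;
    }

    // User is authenticated. Does it exist in Kimai yet?
    if ($this->LDAP_FORCE_USERNAME_LOWERCASE) {
        $check_username = strtolower($check_username);
    }
    $userId = $this->database->user_name2id($check_username);
    if ($userId !== false) {
        return true;
    }

    // User does not exist (yet)
    if (!$this->LDAP_USER_AUTOCREATE) {
        $userId = false;
        return false;
    }

    // Create it!
    $userId = $this->database->user_create(array(
        'name' => $check_username,
        'globalRoleID' => $this->getDefaultGlobalRole(),
        'active' => 1,
    ));
    // NOTE(review): getDefaultGroups() is wrapped in array() here but passed
    // directly by the other authenticate() implementation in this file; kept
    // as-is — confirm whether it returns a single id or a list.
    $this->database->setGroupMemberships($userId, array($this->getDefaultGroups()));

    // Set a password, to calm kimai down. The account must only ever log in
    // via LDAP, so the local password is an unguessable random value;
    // random_bytes() (PHP >= 7) is preferred, the old uniqid()/rand() seed is
    // the fallback on older runtimes.
    $randomSecret = function_exists('random_bytes')
        ? bin2hex(random_bytes(32))
        : md5(uniqid(rand(), true));
    $usr_data = array(
        'password' => md5($this->kga['password_salt'] . $randomSecret . $this->kga['password_salt']),
    );
    $this->database->user_edit($userId, $usr_data);

    return true;
}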
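/**
 * Authenticate a user against LDAP using search-then-bind.
 *
 * Accounts listed in $this->nonLdapAcounts are delegated to the local Kimai
 * authenticator. For everyone else: bind with the service credentials
 * (bindDN/bindPW, or anonymously), search for exactly one entry matching
 * userFilter, re-bind as that entry's DN with the supplied password, and
 * require membership in at least one of allowedGroupIds (via groupFilter).
 * On success the Kimai user is looked up (or auto-created when
 * autocreateUsers is set, carrying over mail and common name) and its id is
 * written to $userId.
 *
 * Failure reasons are echoed, as elsewhere in this class; the return value
 * and $userId are the contract callers rely on.
 *
 * @param string    $username login name as typed by the user (untrusted)
 * @param string    $password password as typed by the user (untrusted)
 * @param int|false $userId   out: Kimai user id on success, false otherwise
 * @return bool true when the user is authenticated, group-authorised and known to Kimai
 */
public function authenticate($username, $password, &$userId)
{
    // Accounts that never go through LDAP (strict: no numeric-string coercion).
    if (in_array($username, $this->nonLdapAcounts, true)) {
        return $this->kimaiAuth->authenticate($username, $password, $userId);
    }

    $userId = false;

    // An empty password must be rejected up front: ldap_bind() with an empty
    // password is an anonymous bind, which most servers accept, so the
    // user-DN bind below would "verify" any existing user.
    if (!$username || !$password) {
        return false;
    }

    // Connect to LDAP
    $connect_result = ldap_connect($this->host);
    if (!$connect_result) {
        echo "Cannot connect to ", $this->host;
        return false;
    }
    ldap_set_option($connect_result, LDAP_OPT_PROTOCOL_VERSION, 3);

    // Bind with the service account (or anonymously) to be allowed to search.
    if ($this->bindDN && $this->bindPW) {
        $bindResult = ldap_bind($connect_result, $this->bindDN, $this->bindPW);
    } else {
        $bindResult = ldap_bind($connect_result);
    }
    if (!$bindResult) {
        echo sprintf("Can't bind to the LDAP with DN %s", $this->bindDN);
        ldap_unbind($connect_result);
        return false;
    }

    // ldap_get_entries() returns attribute names lower-cased, so the configured
    // attribute names are lower-cased once for every lookup below.
    $usernameAttr = strtolower($this->usernameAttribute);
    $mailAttr = strtolower($this->mailAttribute);
    $cnAttr = strtolower($this->commonNameAttribute);
    $groupAttr = strtolower($this->groupidAttribute);

    // Look the user up. The username is filter-escaped (ldap_escape(),
    // PHP >= 5.6) so that '*', '(', ')', '\' or NUL typed by the caller cannot
    // widen or rewrite the configured search filter.
    $filter = sprintf($this->userFilter, ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $_ldapresults = ldap_search(
        $connect_result,
        $this->searchBase,
        $filter,
        array($this->usernameAttribute, $this->mailAttribute, $this->commonNameAttribute),
        0,
        0,
        10
    );
    if (!$_ldapresults) {
        // The server returned no result-set at all.
        echo "No user with that information found";
        ldap_unbind($connect_result);
        return false;
    }

    // Exactly one entry is required: none means unknown user, more than one
    // means the filter is ambiguous and we cannot tell which DN to bind as.
    $entryCount = ldap_count_entries($connect_result, $_ldapresults);
    if ($entryCount === false || $entryCount < 1) {
        echo "No user with that information found";
        ldap_free_result($_ldapresults);
        ldap_unbind($connect_result);
        return false;
    }
    if ($entryCount > 1) {
        echo "More than one user found with that information";
        ldap_free_result($_ldapresults);
        ldap_unbind($connect_result);
        return false;
    }

    $_results = ldap_get_entries($connect_result, $_ldapresults);
    // Empty the result set. We have the results in a variable so don't
    // bother the server any more.
    ldap_free_result($_ldapresults);
    if (false === $_results || !isset($_results[0]['dn'], $_results[0][$usernameAttr][0])) {
        // The result-set could not be retrieved, or the entry lacks the
        // attributes we need to continue.
        echo 'no result set found';
        ldap_unbind($connect_result);
        return false;
    }

    $distinguishedName = $_results[0]['dn'];
    $uidAttribute = $_results[0][$usernameAttr][0];
    $emailAddress = isset($_results[0][$mailAttr][0]) ? $_results[0][$mailAttr][0] : '';
    $commonName = isset($_results[0][$cnAttr][0]) ? $_results[0][$cnAttr][0] : '';

    // Now verify the password by binding as the entry's own DN. ldap_bind()
    // emits a warning on bad credentials, which is an expected outcome here.
    $link_id = @ldap_bind($connect_result, $distinguishedName, $password);
    if (false === $link_id) {
        echo 'Password and/or Username mismatch';
        ldap_unbind($connect_result);
        return false;
    }

    // Check whether the user is member of one of the required LDAP-groups.
    // Both values come from the directory, but they are still embedded in a
    // filter, so they are filter-escaped as well.
    $filter = sprintf(
        $this->groupFilter,
        ldap_escape($uidAttribute, '', LDAP_ESCAPE_FILTER),
        ldap_escape($distinguishedName, '', LDAP_ESCAPE_FILTER)
    );
    $_ldapresults = ldap_search(
        $connect_result,
        $this->searchBase,
        $filter,
        array($this->groupidAttribute),
        0,
        0,
        10
    );
    if (!$_ldapresults) {
        // The server returned no result-set at all.
        echo "No group for the user found";
        ldap_unbind($connect_result);
        return false;
    }
    $groupEntryCount = ldap_count_entries($connect_result, $_ldapresults);
    if ($groupEntryCount === false || $groupEntryCount < 1) {
        // The returned result set contains no data.
        echo "No group for that user found";
        ldap_free_result($_ldapresults);
        ldap_unbind($connect_result);
        return false;
    }
    $_results = ldap_get_entries($connect_result, $_ldapresults);
    ldap_free_result($_ldapresults);
    // The connection is not needed beyond this point.
    ldap_unbind($connect_result);
    if (false === $_results) {
        // The returned result-set could not be retrieved.
        echo 'no result set for groups found';
        return false;
    }

    // Collect every group id from every matching entry. ldap_get_entries()
    // puts a 'count' key next to the numeric entries, so iterate by index
    // rather than foreach to avoid treating 'count' as an entry.
    $groups = array();
    for ($e = 0; $e < $_results['count']; $e++) {
        if (!isset($_results[$e][$groupAttr]['count'])) {
            continue;
        }
        for ($i = 0; $i < $_results[$e][$groupAttr]['count']; $i++) {
            $groups[] = $_results[$e][$groupAttr][$i];
        }
    }
    if (!array_intersect($groups, $this->allowedGroupIds)) {
        // The user is authenticated but is in none of the allowed groups.
        echo 'no valid groups found';
        return false;
    }

    // User is authenticated. Does it exist in Kimai yet?
    $check_username = $this->createCheckUsername($username, $uidAttribute);
    $userId = $this->database->user_name2id($check_username);
    if ($userId !== false) {
        return true;
    }

    // User does not exist (yet)
    if (!$this->autocreateUsers) {
        $userId = false;
        return false;
    }

    // Create it!
    $userId = $this->database->user_create(array(
        'name' => $check_username,
        'globalRoleID' => $this->getDefaultGlobalRole(),
        'active' => 1,
    ));
    $this->database->setGroupMemberships($userId, $this->getDefaultGroups());

    // Set a password, to calm kimai down. The account must only ever log in
    // via LDAP, so the local password is an unguessable random value;
    // random_bytes() (PHP >= 7) is preferred, the old uniqid()/rand() seed is
    // the fallback on older runtimes.
    $randomSecret = function_exists('random_bytes')
        ? bin2hex(random_bytes(32))
        : md5(uniqid(rand(), true));
    $usr_data = array(
        'password' => md5($this->kga['password_salt'] . $randomSecret . $this->kga['password_salt']),
    );
    if ($emailAddress) {
        $usr_data['mail'] = $emailAddress;
    }
    if ($commonName) {
        $usr_data['alias'] = $commonName;
    }
    $this->database->user_edit($userId, $usr_data);

    return true;
}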