Search a given DN for attributes, and return the resulting associative
array.
public getAttributes ( string $dn, string | array $attributes = null, integer $maxsize = null ) : array | ||
$dn | string | The DN of an element. |
$attributes | string | array | The names of the attribute(s) to retrieve. Defaults to NULL; that is, all available attributes. Note that retrieving all attributes is not very efficient. |
$maxsize | integer | The maximum size of any attribute's value(s). If exceeded, the attribute will not be returned. |
Returns | array | The array of attributes and their values. |
/**
 * Search the given DN for attributes and return them as an associative array.
 *
 * @param string $dn The DN of the entry to read.
 * @param string|array|null $attributes Attribute name(s) to fetch. Anything loosely
 *     equal to NULL (NULL, '', an empty array, 0 or false) selects the source's
 *     configured attribute list instead.
 * @return array Attribute names mapped to their values, as returned by
 *     SimpleSAML_Auth_LDAP::getAttributes().
 * @throws Exception If a privileged read is configured and the privileged bind fails.
 */
public function getAttributes($dn, $attributes = NULL) {
    $wanted = ($attributes == NULL) ? $this->attributes : $attributes;

    // Each call opens its own connection using the source's connection settings.
    $connection = new SimpleSAML_Auth_LDAP(
        $this->hostname,
        $this->enableTLS,
        $this->debug,
        $this->timeout,
        $this->port,
        $this->referrals
    );

    // Only bind with the privileged account when the source is configured for
    // privileged reads; otherwise the read uses the connection as constructed.
    if ($this->privRead && !$connection->bind($this->privUsername, $this->privPassword)) {
        throw new Exception('Error authenticating using privileged DN & password.');
    }

    return $connection->getAttributes($dn, $wanted);
}
// NOTE(review): excerpt of a login script; $ldapmulti, $session and $config
// are defined outside this fragment.
// NOTE(review): $_POST['org'] is used as an array key without being checked
// against the configured organisations here. If no entry matches, every
// $ldapconfig lookup below yields NULL and the DN pattern becomes empty —
// confirm the org value is validated before this point.
$ldapconfig = $ldapmulti[$_POST['org']];
if ($ldapconfig['search.enable'] === TRUE) {
    // NOTE(review): $ldap is only assigned further down (new SimpleSAML_Auth_LDAP);
    // unless it was created earlier outside this excerpt, the search branch
    // calls bind() on an undefined object — confirm.
    if (!$ldap->bind($ldapconfig['search.username'], $ldapconfig['search.password'])) {
        throw new Exception('Error authenticating using search username & password.');
    }
    // The raw POST username is handed to the search helper; whether it is
    // escaped for use in an LDAP filter depends on searchfordn() — not visible here.
    $dn = $ldap->searchfordn($ldapconfig['search.base'], $ldapconfig['search.attributes'], $_POST['username']);
} else {
    // The raw POST username is substituted into the DN pattern without escaping
    // DN special characters; compare the addcslashes() call used by the
    // LDAP auth source's login() method on this page.
    $dn = str_replace('%username%', $_POST['username'], $ldapconfig['dnpattern']);
}
$pwd = $_POST['password'];
$ldap = new SimpleSAML_Auth_LDAP($ldapconfig['hostname'], $ldapconfig['enable_tls']);
// An empty password is rejected before the bind is attempted (loose "" check),
// presumably so an unauthenticated bind is never mistaken for a login — confirm.
if ($pwd == "" or !$ldap->bind($dn, $pwd)) {
    // The unsanitised submitted username is written to the log as-is.
    SimpleSAML_Logger::info('AUTH - ldap-multi: ' . $_POST['username'] . ' failed to authenticate. DN=' . $dn);
    throw new Exception('Wrong username or password');
}
$attributes = $ldap->getAttributes($dn, $ldapconfig['attributes']);
SimpleSAML_Logger::info('AUTH - ldap-multi: ' . $_POST['username'] . ' successfully authenticated');
$session->doLogin('login-ldapmulti');
$session->setAttributes($attributes);
$session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
/**
 * Create a statistics log entry for every successful login attempt.
 * Also log a specific attribute as set in the config: statistics.authlogattr
 */
$authlogattr = $config->getValue('statistics.authlogattr', null);
if ($authlogattr && array_key_exists($authlogattr, $attributes)) {
    SimpleSAML_Logger::stats('AUTH-login-ldapmulti OK ' . $attributes[$authlogattr][0]);
} else {
    SimpleSAML_Logger::stats('AUTH-login-ldapmulti OK');
}
// NOTE(review): RelayState is taken from the request unvalidated; what the
// script does with $returnto is outside this excerpt — confirm it is checked
// before any redirect.
$returnto = $_REQUEST['RelayState'];
/**
 * Search the given DN for attributes and return them as an associative array.
 *
 * @param string $dn The DN of the entry to read.
 * @param string|array|null $attributes Attribute name(s) to fetch. Anything loosely
 *     equal to NULL (NULL, '', an empty array, 0 or false) selects the source's
 *     configured attribute list instead.
 * @return array Attribute names mapped to their values, as returned by
 *     SimpleSAML_Auth_LDAP::getAttributes().
 */
public function getAttributes($dn, $attributes = NULL) {
    $wanted = $attributes;
    if ($wanted == NULL) {
        $wanted = $this->attributes;
    }

    // Each call opens its own connection using the source's connection settings.
    $connection = new SimpleSAML_Auth_LDAP(
        $this->hostname,
        $this->enableTLS,
        $this->debug,
        $this->timeout
    );

    return $connection->getAttributes($dn, $wanted);
}
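/**
 * Attempt to log in using the given username and password.
 *
 * Will throw a SimpleSAML_Error_Error('WRONGUSERPASS') if the username or password is wrong.
 * If there is a configuration problem, an Exception will be thrown.
 *
 * Failed binds are recorded against the 'auth2factor' source so that repeated
 * failures warn the user ('2FAILEDATTEMPTWARNING', '1FAILEDATTEMPTWARNING') and
 * a locked account is reported as 'ACCOUNTLOCKED'. A successful bind resets the
 * failed-login counter.
 *
 * @param string $username The username the user wrote.
 * @param string $password The password the user wrote.
 * @param array|null $sasl_args Array of SASL options for LDAP bind, or NULL for a simple bind.
 * @return array Associative array with the user's attributes.
 * @throws SimpleSAML_Error_Error On wrong credentials, failed-attempt warnings or a locked account.
 * @throws Exception When a configured search or privileged bind fails.
 */
public function login($username, $password, array $sasl_args = NULL) {
    assert('is_string($username)');
    assert('is_string($password)');

    // Refuse empty passwords outright rather than letting the bind decide.
    if (empty($password)) {
        SimpleSAML_Logger::info($this->location . ': Login with empty password disallowed.');
        throw new SimpleSAML_Error_Error('WRONGUSERPASS');
    }

    $ldap = new SimpleSAML_Auth_LDAP($this->hostname, $this->enableTLS, $this->debug, $this->timeout, $this->port, $this->referrals);

    if (!$this->searchEnable) {
        // Escape DN special characters before substituting the username into the pattern.
        $ldapusername = addcslashes($username, ',+"\\<>;*');
        $dn = str_replace('%username%', $ldapusername, $this->dnPattern);
    } else {
        if ($this->searchUsername !== NULL) {
            if (!$ldap->bind($this->searchUsername, $this->searchPassword)) {
                throw new Exception('Error authenticating using search username & password.');
            }
        }
        $dn = $ldap->searchfordn($this->searchBase, $this->searchAttributes, $username, TRUE);
        if ($dn === NULL) {
            /* User not found with search. */
            SimpleSAML_Logger::info($this->location . ': Unable to find users DN. username=\'' . $username . '\'');
            throw new SimpleSAML_Error_Error('WRONGUSERPASS');
        }
    }

    // NOTE(review): assumed to return the configured 'auth2factor' source; what
    // getById() returns when that source is not configured is not visible here — confirm.
    $qaLogin = SimpleSAML_Auth_Source::getById('auth2factor');

    if (!$ldap->bind($dn, $password, $sasl_args)) {
        SimpleSAML_Logger::info($this->location . ': ' . $username . ' failed to authenticate. DN=' . $dn);

        /* Account lockout feature */
        // Contact attributes are needed so the user can be notified of a locked
        // account. They are read on the same connection whose user bind just
        // failed, so this relies on the search bind (or an unauthenticated read)
        // being allowed to see them. Missing attributes are passed as NULL
        // instead of triggering undefined-index notices.
        $attributes = $ldap->getAttributes($dn, $this->searchAttributes);
        $contact = array(
            'name' => isset($attributes['givenName'][0]) ? $attributes['givenName'][0] : NULL,
            'mail' => isset($attributes['mail'][0]) ? $attributes['mail'][0] : NULL,
            'uid'  => isset($attributes['uid'][0]) ? $attributes['uid'][0] : NULL,
        );
        $qaLogin->failedLoginAttempt($username, 'login_count', $contact);

        // The (int) cast belongs on the counter values, not on the empty() test:
        // the previous precedence cast the boolean and left the values untouched.
        $failedAttempts = $qaLogin->getFailedAttempts($username);
        $loginCount = empty($failedAttempts) ? 0 : (int) $failedAttempts[0]['login_count'];
        $answerCount = empty($failedAttempts) ? 0 : (int) $failedAttempts[0]['answer_count'];
        $failCount = $loginCount + $answerCount;

        // TODO what if maxFailLogin is not set (i.e 0) or less than 3? instant lock?
        $maxFailLogin = $qaLogin->getmaxFailLogin();
        $firstFailCount = $maxFailLogin - 2;
        $secondFailCount = $maxFailLogin - 1;

        if ($failCount == $firstFailCount) {
            throw new SimpleSAML_Error_Error('2FAILEDATTEMPTWARNING');
        }
        if ($failCount == $secondFailCount) {
            throw new SimpleSAML_Error_Error('1FAILEDATTEMPTWARNING');
        }
        // NOTE(review): the lock state is only consulted after a failed bind; a
        // locked account presenting the correct password is not stopped in this
        // method, so the lock must be enforced elsewhere (e.g. the 2-factor step) — confirm.
        if ($qaLogin->isLocked($username)) {
            throw new SimpleSAML_Error_Error('ACCOUNTLOCKED');
        }
        throw new SimpleSAML_Error_Error('WRONGUSERPASS');
    }

    /* In case of SASL bind, authenticated and authorized DN may differ */
    if (isset($sasl_args)) {
        $dn = $ldap->whoami($this->searchBase, $this->searchAttributes);
    }

    /* Are privs needed to get the attributes? */
    if ($this->privRead) {
        /* Yes, rebind with privs */
        if (!$ldap->bind($this->privUsername, $this->privPassword)) {
            throw new Exception('Error authenticating using privileged DN & password.');
        }
    }

    // Reaching this point means the user bind succeeded: reset the login counter.
    $qaLogin->resetFailedLoginAttempts($username, 'login_count');

    return $ldap->getAttributes($dn, $this->attributes);
}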
/**
 * Authenticate a user against LDAP with the given username and password.
 *
 * Throws SimpleSAML_Error_Error('WRONGUSERPASS') when the password is empty,
 * the user's DN cannot be found, or the bind is rejected. Configuration
 * problems (a failing search or privileged bind) surface as a plain Exception.
 *
 * @param string $username The username the user wrote.
 * @param string $password The password the user wrote.
 * @param array|null $sasl_args SASL options for the LDAP bind, or NULL for a simple bind.
 * @return array Associative array with the user's attributes.
 * @throws SimpleSAML_Error_Error On wrong credentials.
 * @throws Exception When a configured search or privileged bind fails.
 */
public function login($username, $password, array $sasl_args = NULL) {
    assert('is_string($username)');
    assert('is_string($password)');

    // Refuse empty passwords outright rather than letting the bind decide.
    if (empty($password)) {
        SimpleSAML_Logger::info($this->location . ': Login with empty password disallowed.');
        throw new SimpleSAML_Error_Error('WRONGUSERPASS');
    }

    $connection = new SimpleSAML_Auth_LDAP($this->hostname, $this->enableTLS, $this->debug, $this->timeout);

    if ($this->searchEnable) {
        // Authenticated search only when a search user is configured.
        if ($this->searchUsername !== NULL && !$connection->bind($this->searchUsername, $this->searchPassword)) {
            throw new Exception('Error authenticating using search username & password.');
        }
        $dn = $connection->searchfordn($this->searchBase, $this->searchAttributes, $username, TRUE);
        if ($dn === NULL) {
            // No entry matched the search attributes; reported as wrong credentials.
            SimpleSAML_Logger::info($this->location . ': Unable to find users DN. username=\'' . $username . '\'');
            throw new SimpleSAML_Error_Error('WRONGUSERPASS');
        }
    } else {
        // Escape DN special characters before substituting into the DN pattern.
        $escapedUsername = addcslashes($username, ',+"\\<>;*');
        $dn = str_replace('%username%', $escapedUsername, $this->dnPattern);
    }

    if (!$connection->bind($dn, $password, $sasl_args)) {
        SimpleSAML_Logger::info($this->location . ': ' . $username . ' failed to authenticate. DN=' . $dn);
        throw new SimpleSAML_Error_Error('WRONGUSERPASS');
    }

    // With SASL the authorized identity may differ from the DN used to bind.
    if (isset($sasl_args)) {
        $dn = $connection->whoami($this->searchBase, $this->searchAttributes);
    }

    // Re-bind with the privileged account when attribute reads require it.
    if ($this->privRead && !$connection->bind($this->privUsername, $this->privPassword)) {
        throw new Exception('Error authenticating using privileged DN & password.');
    }

    return $connection->getAttributes($dn, $this->attributes);
}
// NOTE(review): excerpt of a login script; the if/else this branch belongs to,
// and the derivation of $ldapusername from $username, are outside this fragment.
// Whether $ldapusername has been escaped for DN use cannot be seen here — confirm.
/* We aren't configured to search for the dn. Insert the LDAP username into the pattern
 * configured in the 'auth.ldap.dnpattern' option. */
$dn = str_replace('%username%', $ldapusername, $ldapconfig->getValue('auth.ldap.dnpattern'));
}
/*
 * Do LDAP bind using DN.
 */
// An empty password is rejected before the bind is attempted (loose "" check),
// presumably so an unauthenticated bind is never mistaken for a login — confirm.
if ($password == "" or !$ldap->bind($dn, $password)) {
    SimpleSAML_Logger::info('AUTH - ldap: ' . $username . ' failed to authenticate. DN=' . $dn);
    throw new Exception('error_wrongpassword');
}
/*
 * Retrieve attributes from LDAP
 */
$attributes = $ldap->getAttributes($dn, $ldapconfig->getValue('auth.ldap.attributes', null));
SimpleSAML_Logger::info('AUTH - ldap: ' . $ldapusername . ' successfully authenticated');
$session->doLogin('login');
$session->setAttributes($attributes);
$session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
/**
 * Create a statistics log entry for every successful login attempt.
 * Also log a specific attribute as set in the config: statistics.authlogattr
 */
$authlogattr = $config->getValue('statistics.authlogattr', null);
if ($authlogattr && array_key_exists($authlogattr, $attributes)) {
    SimpleSAML_Logger::stats('AUTH-login OK ' . $attributes[$authlogattr][0]);
} else {
    SimpleSAML_Logger::stats('AUTH-login OK');
}
// NOTE(review): RelayState is taken from the request unvalidated; what the
// script does with $returnto is outside this excerpt — confirm it is checked
// before any redirect.
$returnto = $_REQUEST['RelayState'];
// NOTE(review): excerpt of a login script; $orgconfig, $ldap, $requestedUser,
// $requestedOrg and $password are defined outside this fragment.
// Unlike the other login paths on this page, the result of the admin bind is
// not checked: on failure the search below silently runs on the unbound connection.
if (isset($orgconfig['adminUser'])) {
    $ldap->bind($orgconfig['adminUser'], $orgconfig['adminPassword']);
}
// The ePPN is built from the submitted user and org without visible escaping;
// whether searchfordn() escapes it for the LDAP filter is not visible here.
$eppn = $requestedUser . "@" . $requestedOrg;
$dn = $ldap->searchfordn($orgconfig['searchbase'], 'eduPersonPrincipalName', $eppn);
/*
 * Do LDAP bind using DN found from the search on ePPN.
 */
// NOTE(review): no NULL check on $dn here, although the login() methods on this
// page treat a NULL result from searchfordn() as "user not found"; a NULL DN
// would be passed straight to bind() — confirm how the wrapper handles that.
if (!$ldap->bind($dn, $password)) {
    SimpleSAML_Logger::info('AUTH - ldap-feide: ' . $requestedUser . ' failed to authenticate. DN=' . $dn);
    throw new Exception('Wrong username or password');
}
/*
 * Retrieve attributes from LDAP
 */
$attributes = $ldap->getAttributes($dn, $orgconfig['attributes']);
/**
 * Retrieve organizational attributes, if the eduPersonOrgDN attribute is set.
 */
if (isset($attributes['eduPersonOrgDN'])) {
    // Only the first eduPersonOrgDN value is followed; every attribute of that
    // entry is merged in under an 'eduPersonOrgDN:' prefix.
    $orgdn = $attributes['eduPersonOrgDN'][0];
    $orgattributes = $ldap->getAttributes($orgdn);
    $orgattr = array_keys($orgattributes);
    foreach ($orgattr as $value) {
        $orgattributename = 'eduPersonOrgDN:' . $value;
        //SimpleSAML_Logger::debug('AUTH - ldap-feide: Orgattributename: '. $orgattributename);
        $attributes[$orgattributename] = $orgattributes[$value];
        //SimpleSAML_Logger::debug('AUTH - ldap-feide: Attribute added: '. $attributes[$orgattributename]);
    }
}
/*