/**
 * Verifies that the user who just bound belongs to the configured group.
 *
 * The lookup is an AND of (groupAttr = group) and (memberAttr = user),
 * optionally narrowed by the adapter's "groupFilter", searched under
 * "groupDn" with "groupScope". Exactly one matching entry means success;
 * zero or several matches fail closed.
 *
 * Security note: before counting, the connection is re-bound with the
 * credentials from the Zend_Ldap options (bind() with no arguments), because
 * the freshly authenticated user may be denied read access to group
 * membership. The account configured there must be able to read the group
 * entries and should be granted nothing beyond that.
 *
 * @param Zend_Ldap $ldap           Connection currently bound as the user
 * @param string    $canonicalName  Canonical account name of the user
 * @param string    $dn             Distinguished name of the user's entry
 * @param array     $adapterOptions Adapter options: group, groupAttr, memberAttr,
 *                                  memberIsDn, groupFilter, groupDn, groupScope
 * @return string|true true on success, otherwise a failure message that
 *                     includes the filter that was searched
 */
protected function _checkGroupMembership(Zend_Ldap $ldap, $canonicalName, $dn, array $adapterOptions)
{
    // No group configured: membership is not required.
    if ($adapterOptions['group'] === null) {
        return true;
    }

    // The group's member attribute stores either the DN or the canonical name.
    $memberValue = ($adapterOptions['memberIsDn'] === false) ? $canonicalName : $dn;

    /**
     * @see Zend_Ldap_Filter
     */
    // require_once 'Zend/Ldap/Filter.php';
    // Both values go through Zend_Ldap_Filter::equals rather than string
    // interpolation; it is expected to escape LDAP metacharacters — verify.
    $filter = Zend_Ldap_Filter::andFilter(
        Zend_Ldap_Filter::equals($adapterOptions['groupAttr'], $adapterOptions['group']),
        Zend_Ldap_Filter::equals($adapterOptions['memberAttr'], $memberValue)
    );

    $extraFilter = $adapterOptions['groupFilter'];
    if (!empty($extraFilter)) {
        $filter = $filter->addAnd($extraFilter);
    }

    /*
     * Re-bind with the account configured in the Zend_Ldap options: the user
     * who just authenticated may not be allowed to read group membership.
     * That configured account must be permitted to read the group entries.
     */
    $ldap->bind();

    $matches = $ldap->count($filter, $adapterOptions['groupDn'], $adapterOptions['groupScope']);

    // Fail closed: anything other than exactly one match is a failure.
    return ($matches === 1)
        ? true
        : 'Failed to verify group membership with ' . $filter->toString();
}
/**
 * Verifies that the user who just bound belongs to the configured group.
 *
 * The lookup is an AND of (groupAttr = group) and (memberAttr = user),
 * optionally narrowed by the adapter's "groupFilter", searched under
 * "groupDn" with "groupScope". Exactly one matching entry means success;
 * zero or several matches fail closed.
 *
 * NOTE(review): the count runs under whatever bind is currently active on
 * $ldap — this variant does not re-bind first. If the directory denies the
 * authenticated user read access to group membership, the count presumably
 * comes back 0 and the check fails even for a legitimate member — confirm
 * against the directory's ACLs.
 *
 * @param Zend_Ldap $ldap           Connection currently bound as the user
 * @param string    $canonicalName  Canonical account name of the user
 * @param string    $dn             Distinguished name of the user's entry
 * @param array     $adapterOptions Adapter options: group, groupAttr, memberAttr,
 *                                  memberIsDn, groupFilter, groupDn, groupScope
 * @return string|true true on success, otherwise a failure message that
 *                     includes the filter that was searched
 */
protected function _checkGroupMembership(Zend_Ldap $ldap, $canonicalName, $dn, array $adapterOptions)
{
    // No group configured: membership is not required.
    if ($adapterOptions['group'] === null) {
        return true;
    }

    // The group's member attribute stores either the DN or the canonical name.
    $memberValue = ($adapterOptions['memberIsDn'] === false) ? $canonicalName : $dn;

    /**
     * @see Zend_Ldap_Filter
     */
    require_once 'Zend/Ldap/Filter.php';
    // Both values go through Zend_Ldap_Filter::equals rather than string
    // interpolation; it is expected to escape LDAP metacharacters — verify.
    $filter = Zend_Ldap_Filter::andFilter(
        Zend_Ldap_Filter::equals($adapterOptions['groupAttr'], $adapterOptions['group']),
        Zend_Ldap_Filter::equals($adapterOptions['memberAttr'], $memberValue)
    );

    $extraFilter = $adapterOptions['groupFilter'];
    if (!empty($extraFilter)) {
        $filter = $filter->addAnd($extraFilter);
    }

    $matches = $ldap->count($filter, $adapterOptions['groupDn'], $adapterOptions['groupScope']);

    // Fail closed: anything other than exactly one match is a failure.
    return ($matches === 1)
        ? true
        : 'Failed to verify group membership with ' . $filter->toString();
}
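/**
 * Authenticates the current identity/credential against the LDAP directory.
 *
 * Flow:
 *  1. Bind with the service account from configs['authenticate'].
 *  2. Look the user up by sAMAccountName; throw 'MN175' if absent.
 *  3. Reject the login ('EXPIRED_PWD_MSG') when pwdLastSet is at least
 *     LDAP_MAX_PWD_LAST_SET_DAYS old.
 *  4. Bind with the user's own identity/credential; success returns TRUE.
 *
 * When the server cannot be contacted and this is not already the retry,
 * the method retries once against the secondary host from
 * configs['resources']['container']['ldap']['host']['secondary'].
 * All failures are recorded in $this->_authenticateResultInfo and the
 * method returns false.
 *
 * Fix: the identity is now placed into the search filter through
 * Zend_Ldap_Filter::equals (the same helper used by _checkGroupMembership)
 * instead of raw interpolation into "samAccountName=...". The identity comes
 * straight from the login request, so with interpolation a value such as
 * "*" or "x)(objectClass=*" could rewrite the filter (LDAP injection) and
 * make the lookup match a different account than the one being logged in.
 *
 * @return bool TRUE when the user's bind succeeds, false on any failure
 */
protected function autenticateLdap()
{
    try {
        $container = Core_Registry::getContainers();
        $ldap = $container['ldap']->getPersist();
        $config = \Zend_Registry::get('configs');

        // Untrusted input: build the filter with Zend_Ldap_Filter::equals so
        // LDAP metacharacters in the identity are escaped, not interpolated.
        $samAccountNameQuery = \Zend_Ldap_Filter::equals('samAccountName', $this->getIdentity());

        // On the retry, point the connection at the secondary server (if configured).
        if ($this->_secondaryHost && isset($config['resources']['container']['ldap']['host']['secondary'])) {
            $options = $ldap->getOptions();
            $options['host'] = $config['resources']['container']['ldap']['host']['secondary'];
            $ldap = new Zend_Ldap($options);
        }

        // Service-account bind used only for the lookup; the user's own
        // credential is verified by the final bind below.
        $admUsr = $config['authenticate']['username'];
        $admPwd = $config['authenticate']['password'];
        $ldap->bind($admUsr, $admPwd);

        $userLdapCount = $ldap->count($samAccountNameQuery);
        if ($userLdapCount <= 0) {
            // NOTE(review): this check and the expiry check below run before
            // the user's password is verified, so the distinct result codes
            // reveal account existence / expiry to an unauthenticated caller.
            throw new \Sica_Auth_Exception('MN175');
        }

        $userLdap = current($ldap->search($samAccountNameQuery)->toArray());

        // pwdLastSet is treated as 100 ns ticks since 1601-01-01 (AD FILETIME):
        // divide by 1e7 for seconds, then subtract the 1601->1970 offset.
        // bcmath keeps the arithmetic exact on the 64-bit values involved.
        // A missing attribute is treated as 0, i.e. set long ago.
        $pwdLastSetLDAPTimestamp = isset($userLdap['pwdlastset'][0]) ? $userLdap['pwdlastset'][0] : 0;
        $pwdLastSetUnix = bcsub(bcdiv($pwdLastSetLDAPTimestamp, '10000000'), '11644473600');
        $pwdLastSetDate = new \Zend_Date($pwdLastSetUnix, \Zend_Date::TIMESTAMP);

        $measureTime = new \Zend_Measure_Time(
            \Zend_Date::now()->sub($pwdLastSetDate)->toValue(),
            \Zend_Measure_Time::SECOND
        );
        $measureTime->convertTo(\Zend_Measure_Time::DAY);
        $daysSincePwdSet = ceil($measureTime->getValue());

        if ($daysSincePwdSet >= self::LDAP_MAX_PWD_LAST_SET_DAYS) {
            throw new \Sica_Auth_Exception('EXPIRED_PWD_MSG');
        }

        // The actual credential check: bind as the user.
        $ldap->bind($this->getIdentity(), $this->getCredential());

        return TRUE;
    } catch (\Sica_Auth_Exception $authExc) {
        // Application-level rejections (unknown user, expired password) are
        // reported as "identity not found" with the message code attached.
        $this->_authenticateResultInfo['code'] = Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND;
        $this->_authenticateResultInfo['messages'] = $authExc->getMessage();
        return false;
    } catch (\Zend_Ldap_Exception $ldapExc) {
        $ldapCode = $ldapExc->getCode();
        $message = sprintf('[SICA-e] LDAP Error in %s: "%s"', __METHOD__, $ldapExc->getMessage());
        error_log($message);
        // Raw directory message is only surfaced when no LDAP code (> 0) is available.
        $message = sprintf('[Erro no LDAP] %s', $ldapExc->getMessage());

        // Server unreachable and not yet on the secondary host: retry once.
        // _secondaryHost is set first so the recursion cannot repeat.
        if ($ldapCode == self::LDAP_CONST_CODE_CANT_CONTACT_SERVER && !$this->_secondaryHost) {
            $this->_secondaryHost = TRUE;
            return $this->autenticateLdap();
        }

        if ($ldapCode > 0) {
            $message = sprintf('LDAP0x%02x', $ldapCode);
        }

        // An expired-password bind failure is recognised by the NT status
        // marker in the exception text and mapped to the expiry message.
        if (false !== strpos($ldapExc->getMessage(), self::LDAP_CONST_NT_STATUS_PASSWORD_EXPIRED)) {
            $message = 'EXPIRED_PWD_MSG';
        }

        $this->_authenticateResultInfo['code'] = Zend_Auth_Result::FAILURE_UNCATEGORIZED;
        $this->_authenticateResultInfo['messages'] = $message;
        return false;
    }
}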