public function processLogins() { if ($this->ops_base_name) { // "merge" profile and its base $va_logins = array(); if ($this->opo_base->logins) { foreach ($this->opo_base->logins->children() as $vo_login) { $vs_logins[self::getAttribute($vo_login, "user_name")] = $vo_login; } } if ($this->opo_profile->logins) { foreach ($this->opo_profile->logins->children() as $vo_login) { $va_logins[self::getAttribute($vo_login, "user_name")] = $vo_login; } } } else { if ($this->opo_profile->logins) { foreach ($this->opo_profile->logins->children() as $vo_login) { $va_logins[self::getAttribute($vo_login, "user_name")] = $vo_login; } } } // If no logins are defined in the profile create an admin login with random password if (!sizeof($va_logins)) { $vs_password = $this->createAdminAccount(); return array('administrator' => $vs_password); } $va_login_info = array(); foreach ($va_logins as $vs_user_name => $vo_login) { if (!($vs_password = trim((string) self::getAttribute($vo_login, "password")))) { $vs_password = $this->getRandomPassword(); } $t_user = new ca_users(); $t_user->setMode(ACCESS_WRITE); $t_user->set('user_name', $vs_user_name = trim((string) self::getAttribute($vo_login, "user_name"))); $t_user->set('password', $vs_password); $t_user->set('fname', trim((string) self::getAttribute($vo_login, "fname"))); $t_user->set('lname', trim((string) self::getAttribute($vo_login, "lname"))); $t_user->set('email', trim((string) self::getAttribute($vo_login, "email"))); $t_user->set('active', 1); $t_user->set('userclass', 0); $t_user->insert(); $va_roles = array(); if ($vo_login->role) { foreach ($vo_login->role as $vo_role) { $va_roles[] = trim((string) self::getAttribute($vo_role, "code")); } } if (sizeof($va_roles)) { $t_user->addRoles($va_roles); } $va_groups = array(); if ($vo_login->group) { foreach ($vo_login->group as $vo_group) { $va_groups[] = trim((string) self::getAttribute($vo_group, "code")); } } if (sizeof($va_groups)) { $t_user->addToGroups($va_groups); } if ($t_user->numErrors()) { $this->addError("Errors adding login {$vs_user_name}: " . join("; ", $t_user->getErrors())); return false; } $va_login_info[$vs_user_name] = $vs_password; } return $va_login_info; }
public static function authenticate($ps_username, $ps_password = '', $pa_options = null) { $po_auth_config = Configuration::load(Configuration::load()->get('authentication_config')); if (!function_exists("ldap_connect")) { throw new OpenLDAPException(_t("PHP's LDAP module is required for LDAP authentication!")); } if (!$ps_username) { return false; } // ldap config $vs_ldaphost = $po_auth_config->get("ldap_host"); $vs_ldapport = $po_auth_config->get("ldap_port"); $vs_base_dn = $po_auth_config->get("ldap_base_dn"); $vs_user_ou = $po_auth_config->get("ldap_user_ou"); $vs_bind_rdn = self::postProcessLDAPConfigValue("ldap_bind_rdn_format", $ps_username, $vs_user_ou, $vs_base_dn); $va_default_roles = $po_auth_config->get("ldap_users_default_roles"); if (!is_array($va_default_roles)) { $va_default_roles = array(); } $va_default_groups = $po_auth_config->get("ldap_users_default_groups"); if (!is_array($va_default_groups)) { $va_default_groups = array(); } $vo_ldap = ldap_connect($vs_ldaphost, $vs_ldapport); ldap_set_option($vo_ldap, LDAP_OPT_PROTOCOL_VERSION, 3); if (!$vo_ldap) { return false; } $vs_bind_rdn_filter = self::postProcessLDAPConfigValue("ldap_bind_rdn_filter", $ps_username, $vs_user_ou, $vs_base_dn); if (strlen($vs_bind_rdn_filter) > 0) { $vo_dn_search_results = ldap_search($vo_ldap, $vs_base_dn, $vs_bind_rdn_filter); $va_dn_search_results = ldap_get_entries($vo_ldap, $vo_dn_search_results); if (isset($va_dn_search_results[0]['dn'])) { $vs_bind_rdn = $va_dn_search_results[0]['dn']; } } // log in $vo_bind = @ldap_bind($vo_ldap, $vs_bind_rdn, $ps_password); if (!$vo_bind) { // wrong credentials if (ldap_get_option($vo_ldap, 0x32, $extended_error)) { caLogEvent("ERR", "LDAP ERROR (" . ldap_errno($vo_ldap) . ") {$extended_error} [{$vs_bind_rdn}]", "OpenLDAP::Authenticate"); } ldap_unbind($vo_ldap); return false; } // check group membership if (!self::isMemberinAtLeastOneGroup($ps_username, $vo_ldap)) { ldap_unbind($vo_ldap); return false; } // user role and group membership syncing with directory $t_user = new ca_users(); if ($t_user->load($ps_username)) { // don't try to sync roles for non-existing users (the first auth call is before the user is actually created) if ($po_auth_config->get('ldap_sync_user_roles')) { $va_expected_roles = array_merge($va_default_roles, self::getRolesToAddFromDirectory($ps_username, $vo_ldap)); foreach ($va_expected_roles as $vs_role) { if (!$t_user->hasUserRole($vs_role)) { $t_user->addRoles($vs_role); } } foreach ($t_user->getUserRoles() as $vn_id => $va_role_info) { if (!in_array($va_role_info['code'], $va_expected_roles)) { $t_user->removeRoles($vn_id); } } } if ($po_auth_config->get('ldap_sync_user_groups')) { $va_expected_groups = array_merge($va_default_groups, self::getGroupsToAddFromDirectory($ps_username, $vo_ldap)); foreach ($va_expected_groups as $vs_group) { if (!$t_user->inGroup($vs_group)) { $t_user->addToGroups($vs_group); } } foreach ($t_user->getUserGroups() as $vn_id => $va_group_info) { if (!in_array($va_group_info['code'], $va_expected_groups)) { $t_user->removeFromGroups($vn_id); } } } } ldap_unbind($vo_ldap); return true; }
function register() { if ($this->request->config->get('dont_allow_registration_and_login')) { $this->notification->addNotification(_t("Registration is not enabled"), __NOTIFICATION_TYPE_ERROR__); $this->redirect(caNavUrl($this->request, '', 'Front', 'Index')); return; } MetaTagManager::setWindowTitle($this->request->config->get("app_display_name") . ": " . _t("Register")); # logout user in case is already logged in $this->request->deauthenticate(); $t_user = new ca_users(); $t_user->purify(true); # --- process incoming registration attempt $ps_email = $this->request->getParameter("email", pString); $ps_fname = $this->request->getParameter("fname", pString); $ps_lname = $this->request->getParameter("lname", pString); $ps_password = $this->request->getParameter("password", pString); $ps_password2 = $this->request->getParameter("password2", pString); $ps_security = $this->request->getParameter("security", pString); $va_errors = array(); if (!caCheckEmailAddress($ps_email)) { $va_errors["email"] = _t("E-mail address is not valid."); } else { $t_user->set("email", $ps_email); } if (!$ps_fname) { $va_errors["fname"] = _t("Please enter your first name"); } else { $t_user->set("fname", $ps_fname); } if (!$ps_lname) { $va_errors["lname"] = _t("Please enter your last name"); } else { $t_user->set("lname", $ps_lname); } if (!$ps_password || !$ps_password2) { $va_errors["password"] = _t("Please enter and re-type your password."); } else { if ($ps_password != $ps_password2) { $va_errors["password"] = _t("Passwords do not match"); } else { $t_user->set("password", $ps_password); } } if (!$ps_security) { $va_errors["security"] = _t("Please answer the security question."); } else { if ($ps_security != $_REQUEST["sum"]) { $va_errors["security"] = _t("Your answer was incorrect, please try again"); } } // Check user profile responses $va_profile_prefs = $t_user->getValidPreferences('profile'); if (is_array($va_profile_prefs) && sizeof($va_profile_prefs)) { foreach ($va_profile_prefs as $vs_pref) { $vs_pref_value = $this->request->getParameter('pref_' . $vs_pref, pString); if (!$t_user->isValidPreferenceValue($vs_pref, $vs_pref_value)) { $va_errors[$vs_pref] = join("; ", $t_user->getErrors()); $t_user->clearErrors(); } } } # --- does deleted user login record for this user already exist? # --- (look for active records only; inactive records will effectively block reregistration) $vb_user_exists_but_is_deleted = false; if ($t_user->load(array('user_name' => $ps_email))) { if ((int) $t_user->get('userclass') == 255) { if ($t_user->get('active') == 1) { // yeah... so allow registration $vb_user_exists_but_is_deleted = true; } else { // existing inactive user record blocks registration $va_errors["email"] = _t("User cannot register"); } } else { // already valid login with this user name $va_errors["email"] = _t("A user has already registered with this email address"); } } # get names of form fields $va_fields = $t_user->getFormFields(); # loop through fields foreach ($va_fields as $vs_f => $va_attr) { switch ($vs_f) { case "user_name": if (!$vb_user_exists_but_is_deleted && !sizeof($va_errors)) { # set field value $t_user->set("user_name", $ps_email); if ($t_user->numErrors() > 0) { $va_errors[$vs_f] = join("; ", $t_user->getErrors()); } } break; # ------------- # ------------- case "active": if ($this->request->config->get('dont_approve_logins_on_registration')) { $t_user->set("active", 0); } else { $t_user->set("active", 1); } break; # ------------- # ------------- case "userclass": $t_user->set("userclass", 1); // 1=public-only break; # ------------- # ------------- default: if (!$va_errors[$vs_f]) { $t_user->set($vs_f, $_REQUEST[$vs_f]); # set field values if ($t_user->numErrors() > 0) { $va_errors[$vs_f] = join("; ", $t_user->getErrors()); } } break; # ------------- } } // Save user profile responses if (is_array($va_profile_prefs) && sizeof($va_profile_prefs)) { foreach ($va_profile_prefs as $vs_pref) { $t_user->setPreference($vs_pref, $this->request->getParameter('pref_' . $vs_pref, pString)); } } if (sizeof($va_errors) == 0) { # --- there are no errors so make new user record $t_user->setMode(ACCESS_WRITE); if ($vb_user_exists_but_is_deleted) { $t_user->update(); } else { $t_user->insert(); } $pn_user_id = $t_user->get("user_id"); if ($t_user->numErrors()) { $va_errors["register"] = join("; ", $t_user->getErrors()); } else { # --- add default roles if (($va_default_roles = $this->request->config->getList('registration_default_roles')) && sizeof($va_default_roles)) { $t_user->addRoles($va_default_roles); } # --- user is joining a user group from a supplied link if ($this->request->session->getVar("join_user_group_id")) { if (!$t_user->inGroup($this->request->session->getVar("join_user_group_id"))) { $t_user->addToGroups($this->request->session->getVar("join_user_group_id")); $this->request->session->setVar("join_user_group_id", ""); $vs_group_message = _t(" You were added to the group"); } else { $this->request->session->setVar("join_user_group_id", ""); $vs_group_message = _t(" You are already a member of the group"); } } # --- send email confirmation $o_view = new View($this->request, array($this->request->getViewsDirectoryPath())); # -- generate email subject line from template $vs_subject_line = $o_view->render("mailTemplates/reg_conf_subject.tpl"); # -- generate mail text from template - get both the text and the html versions $vs_mail_message_text = $o_view->render("mailTemplates/reg_conf.tpl"); $vs_mail_message_html = $o_view->render("mailTemplates/reg_conf_html.tpl"); caSendmail($t_user->get('email'), $this->request->config->get("ca_admin_email"), $vs_subject_line, $vs_mail_message_text, $vs_mail_message_html); if ($this->request->config->get("email_notification_for_new_registrations")) { # --- send email to admin $o_view = new View($this->request, array($this->request->getViewsDirectoryPath())); $o_view->setVar("t_user", $t_user); # -- generate email subject line from template $vs_subject_line = $o_view->render("mailTemplates/reg_admin_notification_subject.tpl"); # -- generate mail text from template - get both the text and the html versions $vs_mail_message_text = $o_view->render("mailTemplates/reg_admin_notification.tpl"); $vs_mail_message_html = $o_view->render("mailTemplates/reg_admin_notification_html.tpl"); caSendmail($this->request->config->get("ca_admin_email"), $this->request->config->get("ca_admin_email"), $vs_subject_line, $vs_mail_message_text, $vs_mail_message_html); } $t_user = new ca_users(); $vs_action = $vs_controller = $vs_module_path = ''; if ($vs_default_action = $this->request->config->get('default_action')) { $va_tmp = explode('/', $vs_default_action); $vs_action = array_pop($va_tmp); if (sizeof($va_tmp)) { $vs_controller = array_pop($va_tmp); } if (sizeof($va_tmp)) { $vs_module_path = join('/', $va_tmp); } } else { $vs_controller = 'Splash'; $vs_action = 'Index'; } $vs_url = caNavUrl($this->request, $vs_module_path, $vs_controller, $vs_action); if ($t_user->get("active")) { # log in the new user $this->request->doAuthentication(array('dont_redirect' => true, 'user_name' => $ps_email, 'password' => $ps_password)); if ($this->request->isLoggedIn()) { if ($this->request->isAjax()) { $this->view->setVar("message", _t('Thank you for registering! You are now logged in.') . $vs_group_message); $this->render("Form/reload_html.php"); return; } else { $this->notification->addNotification(_t('Thank you for registering! You are now logged in.') . $vs_group_message, __NOTIFICATION_TYPE_INFO__); $this->response->setRedirect($vs_url); } } else { $va_errors["register"] = _t("Login failed."); } } else { # --- registration needs approval $this->notification->addNotification(_t('Thank you for registering! Your account will be activated after review.') . $vs_group_message, __NOTIFICATION_TYPE_INFO__); $this->response->setRedirect($vs_url); } } } if (sizeof($va_errors) > 0) { $this->view->setVar('errors', $va_errors); $this->registerForm($t_user); } }
private function syncWithDirectory($ps_username) { $va_default_roles = $this->getConfigValue("ldap_users_default_roles", array()); $va_default_groups = $this->getConfigValue("ldap_users_default_groups", array()); $t_user = new ca_users(); // don't try to sync roles for non-existing users (the first auth call is before the user is actually created) if (!$t_user->load($ps_username)) { return; } if ($this->getConfigValue('ldap_sync_user_roles')) { $va_expected_roles = array_merge($va_default_roles, $this->getRolesToAddFromDirectory($ps_username)); foreach ($va_expected_roles as $vs_role) { if (!$t_user->hasUserRole($vs_role)) { $t_user->addRoles($vs_role); } } foreach ($t_user->getUserRoles() as $vn_id => $va_role_info) { if (!in_array($va_role_info['code'], $va_expected_roles)) { $t_user->removeRoles($vn_id); } } } if ($this->getConfigValue('ldap_sync_user_groups')) { $va_expected_groups = array_merge($va_default_groups, $this->getGroupsToAddFromDirectory($ps_username)); foreach ($va_expected_groups as $vs_group) { if (!$t_user->inGroup($vs_group)) { $t_user->addToGroups($vs_group); } } foreach ($t_user->getUserGroups() as $vn_id => $va_group_info) { if (!in_array($va_group_info['code'], $va_expected_groups)) { $t_user->removeFromGroups($vn_id); } } } }