예제 #1
0
 public static function authenticate($ps_username, $ps_password = '', $pa_options = null)
 {
     $po_auth_config = Configuration::load(Configuration::load()->get('authentication_config'));
     if (!function_exists("ldap_connect")) {
         throw new OpenLDAPException(_t("PHP's LDAP module is required for LDAP authentication!"));
     }
     if (!$ps_username) {
         return false;
     }
     // ldap config
     $vs_ldaphost = $po_auth_config->get("ldap_host");
     $vs_ldapport = $po_auth_config->get("ldap_port");
     $vs_base_dn = $po_auth_config->get("ldap_base_dn");
     $vs_user_ou = $po_auth_config->get("ldap_user_ou");
     $vs_bind_rdn = self::postProcessLDAPConfigValue("ldap_bind_rdn_format", $ps_username, $vs_user_ou, $vs_base_dn);
     $va_default_roles = $po_auth_config->get("ldap_users_default_roles");
     if (!is_array($va_default_roles)) {
         $va_default_roles = array();
     }
     $va_default_groups = $po_auth_config->get("ldap_users_default_groups");
     if (!is_array($va_default_groups)) {
         $va_default_groups = array();
     }
     $vo_ldap = ldap_connect($vs_ldaphost, $vs_ldapport);
     ldap_set_option($vo_ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
     if (!$vo_ldap) {
         return false;
     }
     $vs_bind_rdn_filter = self::postProcessLDAPConfigValue("ldap_bind_rdn_filter", $ps_username, $vs_user_ou, $vs_base_dn);
     if (strlen($vs_bind_rdn_filter) > 0) {
         $vo_dn_search_results = ldap_search($vo_ldap, $vs_base_dn, $vs_bind_rdn_filter);
         $va_dn_search_results = ldap_get_entries($vo_ldap, $vo_dn_search_results);
         if (isset($va_dn_search_results[0]['dn'])) {
             $vs_bind_rdn = $va_dn_search_results[0]['dn'];
         }
     }
     // log in
     $vo_bind = @ldap_bind($vo_ldap, $vs_bind_rdn, $ps_password);
     if (!$vo_bind) {
         // wrong credentials
         if (ldap_get_option($vo_ldap, 0x32, $extended_error)) {
             caLogEvent("ERR", "LDAP ERROR (" . ldap_errno($vo_ldap) . ") {$extended_error} [{$vs_bind_rdn}]", "OpenLDAP::Authenticate");
         }
         ldap_unbind($vo_ldap);
         return false;
     }
     // check group membership
     if (!self::isMemberinAtLeastOneGroup($ps_username, $vo_ldap)) {
         ldap_unbind($vo_ldap);
         return false;
     }
     // user role and group membership syncing with directory
     $t_user = new ca_users();
     if ($t_user->load($ps_username)) {
         // don't try to sync roles for non-existing users (the first auth call is before the user is actually created)
         if ($po_auth_config->get('ldap_sync_user_roles')) {
             $va_expected_roles = array_merge($va_default_roles, self::getRolesToAddFromDirectory($ps_username, $vo_ldap));
             foreach ($va_expected_roles as $vs_role) {
                 if (!$t_user->hasUserRole($vs_role)) {
                     $t_user->addRoles($vs_role);
                 }
             }
             foreach ($t_user->getUserRoles() as $vn_id => $va_role_info) {
                 if (!in_array($va_role_info['code'], $va_expected_roles)) {
                     $t_user->removeRoles($vn_id);
                 }
             }
         }
         if ($po_auth_config->get('ldap_sync_user_groups')) {
             $va_expected_groups = array_merge($va_default_groups, self::getGroupsToAddFromDirectory($ps_username, $vo_ldap));
             foreach ($va_expected_groups as $vs_group) {
                 if (!$t_user->inGroup($vs_group)) {
                     $t_user->addToGroups($vs_group);
                 }
             }
             foreach ($t_user->getUserGroups() as $vn_id => $va_group_info) {
                 if (!in_array($va_group_info['code'], $va_expected_groups)) {
                     $t_user->removeFromGroups($vn_id);
                 }
             }
         }
     }
     ldap_unbind($vo_ldap);
     return true;
 }
 private function syncWithDirectory($ps_username)
 {
     $va_default_roles = $this->getConfigValue("ldap_users_default_roles", array());
     $va_default_groups = $this->getConfigValue("ldap_users_default_groups", array());
     $t_user = new ca_users();
     // don't try to sync roles for non-existing users (the first auth call is before the user is actually created)
     if (!$t_user->load($ps_username)) {
         return;
     }
     if ($this->getConfigValue('ldap_sync_user_roles')) {
         $va_expected_roles = array_merge($va_default_roles, $this->getRolesToAddFromDirectory($ps_username));
         foreach ($va_expected_roles as $vs_role) {
             if (!$t_user->hasUserRole($vs_role)) {
                 $t_user->addRoles($vs_role);
             }
         }
         foreach ($t_user->getUserRoles() as $vn_id => $va_role_info) {
             if (!in_array($va_role_info['code'], $va_expected_roles)) {
                 $t_user->removeRoles($vn_id);
             }
         }
     }
     if ($this->getConfigValue('ldap_sync_user_groups')) {
         $va_expected_groups = array_merge($va_default_groups, $this->getGroupsToAddFromDirectory($ps_username));
         foreach ($va_expected_groups as $vs_group) {
             if (!$t_user->inGroup($vs_group)) {
                 $t_user->addToGroups($vs_group);
             }
         }
         foreach ($t_user->getUserGroups() as $vn_id => $va_group_info) {
             if (!in_array($va_group_info['code'], $va_expected_groups)) {
                 $t_user->removeFromGroups($vn_id);
             }
         }
     }
 }