static function loginUser($login, $password, $authenticationMatch = false) { $http = eZHTTPTool::instance(); $db = eZDB::instance(); if ($authenticationMatch === false) { $authenticationMatch = eZUser::authenticationMatch(); } $loginEscaped = $db->escapeString($login); $passwordEscaped = $db->escapeString($password); $loginLdapEscaped = self::ldap_escape($login); $loginArray = array(); if ($authenticationMatch & eZUser::AUTHENTICATE_LOGIN) { $loginArray[] = "login='******'"; } if ($authenticationMatch & eZUser::AUTHENTICATE_EMAIL) { $loginArray[] = "email='{$loginEscaped}'"; } if (count($loginArray) == 0) { $loginArray[] = "login='******'"; } $loginText = implode(' OR ', $loginArray); $contentObjectStatus = eZContentObject::STATUS_PUBLISHED; $ini = eZINI::instance(); $LDAPIni = eZINI::instance('ldap.ini'); $databaseName = $db->databaseName(); // if mysql if ($databaseName === 'mysql') { $query = "SELECT contentobject_id, password_hash, password_hash_type, email, login\n FROM ezuser, ezcontentobject\n WHERE ( {$loginText} ) AND\n ezcontentobject.status='{$contentObjectStatus}' AND\n ( ezcontentobject.id=contentobject_id OR ( password_hash_type=4 AND ( {$loginText} ) AND password_hash=PASSWORD('{$passwordEscaped}') ) )"; } else { $query = "SELECT contentobject_id, password_hash, password_hash_type, email, login\n FROM ezuser, ezcontentobject\n WHERE ( {$loginText} ) AND\n ezcontentobject.status='{$contentObjectStatus}' AND\n ezcontentobject.id=contentobject_id"; } $users = $db->arrayQuery($query); $exists = false; if (count($users) >= 1) { foreach ($users as $userRow) { $userID = $userRow['contentobject_id']; $hashType = $userRow['password_hash_type']; $hash = $userRow['password_hash']; $exists = eZUser::authenticateHash($userRow['login'], $password, eZUser::site(), $hashType, $hash); // If hash type is MySql if ($hashType == eZUser::PASSWORD_HASH_MYSQL and $databaseName === 'mysql') { $queryMysqlUser = "******"; $mysqlUsers = $db->arrayQuery($queryMysqlUser); if (count($mysqlUsers) >= 1) { $exists = true; } } eZDebugSetting::writeDebug('kernel-user', eZUser::createHash($userRow['login'], $password, eZUser::site(), $hashType), "check hash"); eZDebugSetting::writeDebug('kernel-user', $hash, "stored hash"); // If current user has been disabled after a few failed login attempts. $canLogin = eZUser::isEnabledAfterFailedLogin($userID); if ($exists) { // We should store userID for warning message. $GLOBALS['eZFailedLoginAttemptUserID'] = $userID; $userSetting = eZUserSetting::fetch($userID); $isEnabled = $userSetting->attribute("is_enabled"); if ($hashType != eZUser::hashType() and strtolower($ini->variable('UserSettings', 'UpdateHash')) == 'true') { $hashType = eZUser::hashType(); $hash = eZUser::createHash($login, $password, eZUser::site(), $hashType); $db->query("UPDATE ezuser SET password_hash='{$hash}', password_hash_type='{$hashType}' WHERE contentobject_id='{$userID}'"); } break; } } } if ($exists and $isEnabled and $canLogin) { eZDebugSetting::writeDebug('kernel-user', $userRow, 'user row'); $user = new eZUser($userRow); eZDebugSetting::writeDebug('kernel-user', $user, 'user'); $userID = $user->attribute('contentobject_id'); eZUser::updateLastVisit($userID); eZUser::setCurrentlyLoggedInUser($user, $userID); // Reset number of failed login attempts eZUser::setFailedLoginAttempts($userID, 0); return $user; } else { if ($LDAPIni->variable('LDAPSettings', 'LDAPEnabled') === 'true') { // read LDAP ini settings // and then try to bind to the ldap server $LDAPDebugTrace = $LDAPIni->variable('LDAPSettings', 'LDAPDebugTrace') === 'enabled'; $LDAPVersion = $LDAPIni->variable('LDAPSettings', 'LDAPVersion'); $LDAPServer = $LDAPIni->variable('LDAPSettings', 'LDAPServer'); $LDAPPort = $LDAPIni->variable('LDAPSettings', 'LDAPPort'); $LDAPFollowReferrals = (int) $LDAPIni->variable('LDAPSettings', 'LDAPFollowReferrals'); $LDAPBaseDN = $LDAPIni->variable('LDAPSettings', 'LDAPBaseDn'); $LDAPBindUser = $LDAPIni->variable('LDAPSettings', 'LDAPBindUser'); $LDAPBindPassword = $LDAPIni->variable('LDAPSettings', 'LDAPBindPassword'); $LDAPSearchScope = $LDAPIni->variable('LDAPSettings', 'LDAPSearchScope'); $LDAPLoginAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPLoginAttribute')); $LDAPFirstNameAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPFirstNameAttribute')); $LDAPFirstNameIsCN = $LDAPIni->variable('LDAPSettings', 'LDAPFirstNameIsCommonName') === 'true'; $LDAPLastNameAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPLastNameAttribute')); $LDAPEmailAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPEmailAttribute')); $defaultUserPlacement = $ini->variable("UserSettings", "DefaultUserPlacement"); $LDAPUserGroupAttributeType = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPUserGroupAttributeType')); $LDAPUserGroupAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPUserGroupAttribute')); if ($LDAPIni->hasVariable('LDAPSettings', 'Utf8Encoding')) { $Utf8Encoding = $LDAPIni->variable('LDAPSettings', 'Utf8Encoding'); if ($Utf8Encoding == "true") { $isUtf8Encoding = true; } else { $isUtf8Encoding = false; } } else { $isUtf8Encoding = false; } if ($LDAPIni->hasVariable('LDAPSettings', 'LDAPSearchFilters')) { $LDAPFilters = $LDAPIni->variable('LDAPSettings', 'LDAPSearchFilters'); } if ($LDAPIni->hasVariable('LDAPSettings', 'LDAPUserGroupType') and $LDAPIni->hasVariable('LDAPSettings', 'LDAPUserGroup')) { $LDAPUserGroupType = $LDAPIni->variable('LDAPSettings', 'LDAPUserGroupType'); $LDAPUserGroup = $LDAPIni->variable('LDAPSettings', 'LDAPUserGroup'); } $LDAPFilter = "( &"; if (count($LDAPFilters) > 0) { foreach (array_keys($LDAPFilters) as $key) { $LDAPFilter .= "(" . $LDAPFilters[$key] . ")"; } } $LDAPEqualSign = trim($LDAPIni->variable('LDAPSettings', "LDAPEqualSign")); $LDAPBaseDN = str_replace($LDAPEqualSign, "=", $LDAPBaseDN); $LDAPFilter = str_replace($LDAPEqualSign, "=", $LDAPFilter); $LDAPBindUser = str_replace($LDAPEqualSign, "=", $LDAPBindUser); if ($LDAPDebugTrace) { $debugArray = array('stage' => '1/5: Connecting and Binding to LDAP server', 'LDAPServer' => $LDAPServer, 'LDAPPort' => $LDAPPort, 'LDAPBindUser' => $LDAPBindUser, 'LDAPVersion' => $LDAPVersion); // Set debug trace mode for ldap connections if (function_exists('ldap_set_option')) { ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7); } eZDebug::writeNotice(var_export($debugArray, true), __METHOD__); } if (function_exists('ldap_connect')) { $ds = ldap_connect($LDAPServer, $LDAPPort); } else { $ds = false; } if ($ds) { ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $LDAPVersion); ldap_set_option($ds, LDAP_OPT_REFERRALS, $LDAPFollowReferrals); if ($LDAPBindUser == '') { $r = ldap_bind($ds); } else { $r = ldap_bind($ds, $LDAPBindUser, $LDAPBindPassword); } if (!$r) { // Increase number of failed login attempts. eZDebug::writeError('Cannot bind to LDAP server, might be something wronge with connetion or bind user!', __METHOD__); if (isset($userID)) { eZUser::setFailedLoginAttempts($userID); } $user = false; return $user; } $LDAPFilter .= "({$LDAPLoginAttribute}={$loginLdapEscaped})"; $LDAPFilter .= ")"; ldap_set_option($ds, LDAP_OPT_SIZELIMIT, 0); ldap_set_option($ds, LDAP_OPT_TIMELIMIT, 0); $retrieveAttributes = array($LDAPLoginAttribute, $LDAPFirstNameAttribute, $LDAPLastNameAttribute, $LDAPEmailAttribute); if ($LDAPUserGroupAttributeType) { $retrieveAttributes[] = $LDAPUserGroupAttribute; } if ($LDAPDebugTrace) { $debugArray = array('stage' => '2/5: finding user', 'LDAPFilter' => $LDAPFilter, 'retrieveAttributes' => $retrieveAttributes, 'LDAPSearchScope' => $LDAPSearchScope, 'LDAPBaseDN' => $LDAPBaseDN); eZDebug::writeNotice(var_export($debugArray, true), __METHOD__); } if ($LDAPSearchScope == "one") { $sr = ldap_list($ds, $LDAPBaseDN, $LDAPFilter, $retrieveAttributes); } else { if ($LDAPSearchScope == "base") { $sr = ldap_read($ds, $LDAPBaseDN, $LDAPFilter, $retrieveAttributes); } else { $sr = ldap_search($ds, $LDAPBaseDN, $LDAPFilter, $retrieveAttributes); } } $info = ldap_get_entries($ds, $sr); if ($info['count'] > 1) { // More than one user with same uid, not allow login. eZDebug::writeWarning('More then one user with same uid, not allowed to login!', __METHOD__); $user = false; return $user; } else { if ($info['count'] < 1) { // Increase number of failed login attempts. if (isset($userID)) { eZUser::setFailedLoginAttempts($userID); } // user DN was not found eZDebug::writeWarning('User DN was not found!', __METHOD__); $user = false; return $user; } else { if ($LDAPDebugTrace) { $debugArray = array('stage' => '3/5: real authentication of user', 'info' => $info); eZDebug::writeNotice(var_export($debugArray, true), __METHOD__); } } } if (!$password) { $password = crypt(microtime()); } // is it real authenticated LDAP user? if (!@ldap_bind($ds, $info[0]['dn'], $password)) { // Increase number of failed login attempts. if (isset($userID)) { eZUser::setFailedLoginAttempts($userID); } eZDebug::writeWarning("User {$userID} failed to login!", __METHOD__); $user = false; return $user; } $extraNodeAssignments = array(); $userGroupClassID = $ini->variable("UserSettings", "UserGroupClassID"); // default user group assigning if ($LDAPUserGroupType != null) { if ($LDAPUserGroupType == "name") { if (is_array($LDAPUserGroup)) { foreach (array_keys($LDAPUserGroup) as $key) { $groupName = $db->escapeString($LDAPUserGroup[$key]); $groupQuery = "SELECT ezcontentobject_tree.node_id\n FROM ezcontentobject, ezcontentobject_tree\n WHERE ezcontentobject.name like '{$groupName}'\n AND ezcontentobject.id=ezcontentobject_tree.contentobject_id\n AND ezcontentobject.contentclass_id={$userGroupClassID}"; $groupObject = $db->arrayQuery($groupQuery); if (count($groupObject) > 0 and $key == 0) { $defaultUserPlacement = $groupObject[0]['node_id']; } else { if (count($groupObject) > 0) { $extraNodeAssignments[] = $groupObject[0]['node_id']; } } } } else { $groupName = $db->escapeString($LDAPUserGroup); $groupQuery = "SELECT ezcontentobject_tree.node_id\n FROM ezcontentobject, ezcontentobject_tree\n WHERE ezcontentobject.name like '{$groupName}'\n AND ezcontentobject.id=ezcontentobject_tree.contentobject_id\n AND ezcontentobject.contentclass_id={$userGroupClassID}"; $groupObject = $db->arrayQuery($groupQuery); if (count($groupObject) > 0) { $defaultUserPlacement = $groupObject[0]['node_id']; } } } else { if ($LDAPUserGroupType == "id") { if (is_array($LDAPUserGroup)) { foreach (array_keys($LDAPUserGroup) as $key) { $groupID = $LDAPUserGroup[$key]; $groupQuery = "SELECT ezcontentobject_tree.node_id\n FROM ezcontentobject, ezcontentobject_tree\n WHERE ezcontentobject.id='{$groupID}'\n AND ezcontentobject.id=ezcontentobject_tree.contentobject_id\n AND ezcontentobject.contentclass_id={$userGroupClassID}"; $groupObject = $db->arrayQuery($groupQuery); if (count($groupObject) > 0 and $key == 0) { $defaultUserPlacement = $groupObject[0]['node_id']; } else { if (count($groupObject) > 0) { $extraNodeAssignments[] = $groupObject[0]['node_id']; } } } } else { $groupID = $LDAPUserGroup; $groupQuery = "SELECT ezcontentobject_tree.node_id\n FROM ezcontentobject, ezcontentobject_tree\n WHERE ezcontentobject.id='{$groupID}'\n AND ezcontentobject.id=ezcontentobject_tree.contentobject_id\n AND ezcontentobject.contentclass_id={$userGroupClassID}"; $groupObject = $db->arrayQuery($groupQuery); if (count($groupObject) > 0) { $defaultUserPlacement = $groupObject[0]['node_id']; } } } } } // read group mapping LDAP settings $LDAPGroupMappingType = $LDAPIni->variable('LDAPSettings', 'LDAPGroupMappingType'); $LDAPUserGroupMap = $LDAPIni->variable('LDAPSettings', 'LDAPUserGroupMap'); if (!is_array($LDAPUserGroupMap)) { $LDAPUserGroupMap = array(); } // group mapping constants $ByMemberAttribute = 'SimpleMapping'; // by group's member attributes (with mapping) $ByMemberAttributeHierarhicaly = 'GetGroupsTree'; // by group's member attributes hierarhically $ByGroupAttribute = 'UseGroupAttribute'; // by user's group attribute (old style) $groupMappingTypes = array($ByMemberAttribute, $ByMemberAttributeHierarhicaly, $ByGroupAttribute); $userData =& $info[0]; // default mapping using old style if (!in_array($LDAPGroupMappingType, $groupMappingTypes)) { $LDAPGroupMappingType = $ByGroupAttribute; } if ($LDAPDebugTrace) { $debugArray = array('stage' => '4/5: group mapping init', 'LDAPUserGroupType' => $LDAPUserGroupType, 'LDAPGroupMappingType' => $LDAPGroupMappingType, 'LDAPUserGroup' => $LDAPUserGroup, 'defaultUserPlacement' => $defaultUserPlacement, 'extraNodeAssignments' => $extraNodeAssignments); eZDebug::writeNotice(var_export($debugArray, true), __METHOD__); } if ($LDAPGroupMappingType == $ByMemberAttribute or $LDAPGroupMappingType == $ByMemberAttributeHierarhicaly) { $LDAPGroupBaseDN = $LDAPIni->variable('LDAPSettings', 'LDAPGroupBaseDN'); $LDAPGroupBaseDN = str_replace($LDAPEqualSign, '=', $LDAPGroupBaseDN); $LDAPGroupClass = $LDAPIni->variable('LDAPSettings', 'LDAPGroupClass'); $LDAPGroupNameAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPGroupNameAttribute')); $LDAPGroupMemberAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPGroupMemberAttribute')); $LDAPGroupDescriptionAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPGroupDescriptionAttribute')); $groupSearchingDepth = $LDAPGroupMappingType == '1' ? 1 : 1000; // now, get all parents for currently ldap authenticated user $requiredParams = array(); $requiredParams['LDAPLoginAttribute'] = $LDAPLoginAttribute; $requiredParams['LDAPGroupBaseDN'] = $LDAPGroupBaseDN; $requiredParams['LDAPGroupClass'] = $LDAPGroupClass; $requiredParams['LDAPGroupNameAttribute'] = $LDAPGroupNameAttribute; $requiredParams['LDAPGroupMemberAttribute'] = $LDAPGroupMemberAttribute; $requiredParams['LDAPGroupDescriptionAttribute'] = $LDAPGroupDescriptionAttribute; $requiredParams['ds'] =& $ds; if ($LDAPIni->variable('LDAPSettings', 'LDAPGroupRootNodeId') !== '') { $requiredParams['TopUserGroupNodeID'] = $LDAPIni->variable('LDAPSettings', 'LDAPGroupRootNodeId'); } else { $requiredParams['TopUserGroupNodeID'] = 5; } $groupsTree = array(); $stack = array(); $newfilter = '(&(objectClass=' . $LDAPGroupClass . ')(' . $LDAPGroupMemberAttribute . '=' . $userData['dn'] . '))'; $groupsTree[$userData['dn']] = array('data' => &$userData, 'parents' => array(), 'children' => array()); eZLDAPUser::getUserGroupsTree($requiredParams, $newfilter, $userData['dn'], $groupsTree, $stack, $groupSearchingDepth); $userRecord =& $groupsTree[$userData['dn']]; if ($LDAPGroupMappingType == $ByMemberAttribute) { if (count($userRecord['parents']) > 0) { $remappedGroupNames = array(); foreach (array_keys($userRecord['parents']) as $key) { $parentGroup =& $userRecord['parents'][$key]; if (isset($parentGroup['data'][$LDAPGroupNameAttribute])) { $ldapGroupName = $parentGroup['data'][$LDAPGroupNameAttribute]; if (is_array($ldapGroupName)) { $ldapGroupName = $ldapGroupName['count'] > 0 ? $ldapGroupName[0] : ''; } // remap group name and check that group exists if (array_key_exists($ldapGroupName, $LDAPUserGroupMap)) { $remmapedGroupName = $db->escapeString($LDAPUserGroupMap[$ldapGroupName]); $groupQuery = "SELECT ezcontentobject_tree.node_id\n FROM ezcontentobject, ezcontentobject_tree\n WHERE ezcontentobject.name like '{$remmapedGroupName}'\n AND ezcontentobject.id=ezcontentobject_tree.contentobject_id\n AND ezcontentobject.contentclass_id={$userGroupClassID}"; $groupRow = $db->arrayQuery($groupQuery); if (count($groupRow) > 0) { $userRecord['new_parents'][] = $groupRow[0]['node_id']; } } } } } } else { if ($LDAPGroupMappingType == $ByMemberAttributeHierarhicaly) { $stack = array(); self::goAndPublishGroups($requiredParams, $userData['dn'], $groupsTree, $stack, $groupSearchingDepth, true); } } if (isset($userRecord['new_parents']) and count($userRecord['new_parents']) > 0) { $defaultUserPlacement = $userRecord['new_parents'][0]; $extraNodeAssignments = array_merge($extraNodeAssignments, $userRecord['new_parents']); } } else { if ($LDAPGroupMappingType == $ByGroupAttribute) { if ($LDAPUserGroupAttributeType) { // Should we create user groups that are specified in LDAP, but not found in eZ Publish? $createMissingGroups = $LDAPIni->variable('LDAPSettings', 'LDAPCreateMissingGroups') === 'enabled'; if ($LDAPIni->variable('LDAPSettings', 'LDAPGroupRootNodeId') !== '') { $parentNodeID = $LDAPIni->variable('LDAPSettings', 'LDAPGroupRootNodeId'); } else { $parentNodeID = 5; } $groupAttributeCount = $info[0][$LDAPUserGroupAttribute]['count']; if ($LDAPUserGroupAttributeType == "name") { for ($i = 0; $i < $groupAttributeCount; $i++) { if ($isUtf8Encoding) { $groupName = utf8_decode($info[0][$LDAPUserGroupAttribute][$i]); } else { $groupName = $info[0][$LDAPUserGroupAttribute][$i]; } // Save group node id to either defaultUserPlacement or extraNodeAssignments self::getNodeAssignmentsForGroupName($groupName, $i == 0, $defaultUserPlacement, $extraNodeAssignments, $createMissingGroups, $parentNodeID); } } else { if ($LDAPUserGroupAttributeType == "id") { for ($i = 0; $i < $groupAttributeCount; $i++) { if ($isUtf8Encoding) { $groupID = utf8_decode($info[0][$LDAPUserGroupAttribute][$i]); } else { $groupID = $info[0][$LDAPUserGroupAttribute][$i]; } $groupName = "LDAP {$groupID}"; // Save group node id to either defaultUserPlacement or extraNodeAssignments self::getNodeAssignmentsForGroupName($groupName, $i == 0, $defaultUserPlacement, $extraNodeAssignments, $createMissingGroups, $parentNodeID); } } else { if ($LDAPUserGroupAttributeType == "dn") { for ($i = 0; $i < $groupAttributeCount; $i++) { $groupDN = $info[0][$LDAPUserGroupAttribute][$i]; $groupName = self::getGroupNameByDN($ds, $groupDN); if ($groupName) { // Save group node id to either defaultUserPlacement or extraNodeAssignments self::getNodeAssignmentsForGroupName($groupName, $i == 0, $defaultUserPlacement, $extraNodeAssignments, $createMissingGroups, $parentNodeID); } } } else { eZDebug::writeError("Bad LDAPUserGroupAttributeType '{$LDAPUserGroupAttributeType}'. It must be either 'name', 'id' or 'dn'.", __METHOD__); $user = false; return $user; } } } } } } // remove ' last_name' from first_name if cn is used for first name if ($LDAPFirstNameIsCN && isset($userData[$LDAPFirstNameAttribute]) && isset($userData[$LDAPLastNameAttribute])) { $userData[$LDAPFirstNameAttribute][0] = str_replace(' ' . $userData[$LDAPLastNameAttribute][0], '', $userData[$LDAPFirstNameAttribute][0]); } if (isset($userData[$LDAPEmailAttribute])) { $LDAPuserEmail = $userData[$LDAPEmailAttribute][0]; } else { if (trim($LDAPIni->variable('LDAPSettings', 'LDAPEmailEmptyAttributeSuffix'))) { $LDAPuserEmail = $login . $LDAPIni->variable('LDAPSettings', 'LDAPEmailEmptyAttributeSuffix'); } else { $LDAPuserEmail = false; } } $userAttributes = array('login' => $login, 'first_name' => isset($userData[$LDAPFirstNameAttribute]) ? $userData[$LDAPFirstNameAttribute][0] : false, 'last_name' => isset($userData[$LDAPLastNameAttribute]) ? $userData[$LDAPLastNameAttribute][0] : false, 'email' => $LDAPuserEmail); if ($LDAPDebugTrace) { $debugArray = array('stage' => '5/5: storing user', 'userAttributes' => $userAttributes, 'isUtf8Encoding' => $isUtf8Encoding, 'defaultUserPlacement' => $defaultUserPlacement, 'extraNodeAssignments' => $extraNodeAssignments); eZDebug::writeNotice(var_export($debugArray, true), __METHOD__); } $oldUser = clone eZUser::currentUser(); $existingUser = eZLDAPUser::publishUpdateUser($extraNodeAssignments, $defaultUserPlacement, $userAttributes, $isUtf8Encoding); if (is_object($existingUser)) { eZUser::setCurrentlyLoggedInUser($existingUser, $existingUser->attribute('contentobject_id')); } else { eZUser::setCurrentlyLoggedInUser($oldUser, $oldUser->attribute('contentobject_id')); } ldap_close($ds); return $existingUser; } else { eZDebug::writeError('Cannot initialize connection for LDAP server', __METHOD__); $user = false; return $user; } } else { // Increase number of failed login attempts. if (isset($userID)) { eZUser::setFailedLoginAttempts($userID); } eZDebug::writeWarning('User does not exist or LDAP is not enabled in php', __METHOD__); $user = false; return $user; } } }