/** * Event handler: called when a user attemps to login. * * This function will check if the user exists in the LDAP directory and create it locally if it does not. * * @param array 'login', 'pass' and 'pass_md5' */ function LoginAttempt(&$params) { global $localtimenow; global $Settings, $Hit, $evo_charset; // Check if LDAP is available: if (!function_exists('ldap_connect')) { $this->debug_log('This PHP installation does not support LDAP functions.'); return false; // Login failed! } // Get ready to go through ALL LDAP Servers configured in the plugin: $search_sets = $this->Settings->get('search_sets'); if (empty($search_sets)) { $this->debug_log('No LDAP servers have been configured in the LDAP plugin settings.'); return false; // Login failed! } // Detect if we already have a local user with the same login: $UserCache =& get_Cache('UserCache'); if ($local_User =& $UserCache->get_by_login($params['login'])) { $this->debug_log('User <b>' . $params['login'] . '</b> already exists locally. We will UPDATE it with the latest LDAP attibutes.'); $update_mode = true; // Try to find a number of a search set which was used on successful logging previous time by current user: $user_search_set_num = intval($this->UserSettings->get('search_set_num', $local_User->ID)); if ($user_search_set_num > 0 && isset($search_sets[$user_search_set_num])) { // We have found this, Reorder the array to use the successful set firstly: $success_search_set = $search_sets[$user_search_set_num]; unset($search_sets[$user_search_set_num]); $search_sets = array($user_search_set_num => $success_search_set) + $search_sets; } } else { $update_mode = false; } $this->debug_log(sprintf('LDAP plugin will attempt to login with login=<b>%s</b> / pass=<b>%s</b> / MD5 pass=<b>%s</b>', $params['login'], $params['pass'], $params['pass_md5'])); // ------ Loop through list of configured LDAP Servers: ------ foreach ($search_sets as $l_id => $l_set) { $this->debug_log('Step 1 : STARTING LDAP AUTH WITH SERVER #' . $l_id); // --- CONNECT TO SERVER --- $server_port = explode(':', $l_set['server']); $server = $server_port[0]; $port = isset($server_port[1]) ? $server_port[1] : 389; if (!empty($l_set['disabled'])) { $this->debug_log('Skipping disabled LDAP server «' . $server . ':' . $port . '»!'); continue; } if (!($ldap_conn = @ldap_connect($server, $port))) { $this->debug_log('Could not connect to LDAP server «' . $server . ':' . $port . '»!'); continue; } $this->debug_log('Connected to server «' . $server . ':' . $port . '»..'); $ldap_rdn = str_replace('%s', $params['login'], $l_set['rdn']); $this->debug_log('Using RDN «' . $ldap_rdn . '» for binding...'); // --- SET PROTOCOL VERSION --- // Get protocol version to use: if (!ldap_get_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, $initial_protocol_version)) { $this->debug_log('Failed to get LDAP_OPT_PROTOCOL_VERSION.'); $initial_protocol_version = null; } $protocol_version = isset($l_set['protocol_version']) ? $l_set['protocol_version'] : 'auto'; // new setting in 2.01 if ($protocol_version[0] == 'v') { // transform "vX" => "X" $try_versions = array(substr($protocol_version, 1)); } else { // "auto" $try_versions = array(3, 2); if (isset($initial_protocol_version)) { array_unshift($try_versions, $initial_protocol_version); } $try_versions = array_unique($try_versions); } $this->debug_log('We will try protocol versions: ' . implode(', ', $try_versions)); // --- VERIFY USER CREDENTIALS BY BINDING TO SERVER --- // you might use this for testing with Apache DS: if( !@ldap_bind($ldap_conn, 'uid=admin,ou=system', 'secret') ) // Bind: $bound = false; $bind_errors = array(); foreach ($try_versions as $try_version) { $this->debug_log(sprintf('Trying to connect with protocol version: %s / RDN: %s / pass: %s', $try_version, $ldap_rdn, $params['pass'])); ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, $try_version); if (@ldap_bind($ldap_conn, $ldap_rdn, $params['pass'])) { // Success $this->debug_log('Binding worked.'); $bound = true; break; } else { $this->debug_log('Binding failed. Errno: ' . ldap_errno($ldap_conn) . ' Error: ' . ldap_error($ldap_conn)); } } if (!$bound) { if (isset($initial_protocol_version)) { // Reset this for the next search set: ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, $initial_protocol_version); } continue; } $this->debug_log('User successfully bound to server.'); // --- STEP 2 : TRY TO OBTAIN MORE INFO ABOUT USER --- // Search user info $filter = str_replace('%s', $params['login'], $l_set['search_filter']); $this->debug_log(sprintf('Step 2 : Now querying for additional user info. base_dn: <b>%s</b>, filter: <b>%s</b>', $l_set['base_dn'], $filter)); $search_result = @ldap_search($ldap_conn, $l_set['base_dn'], $filter); if (!$search_result) { // this may happen with an empty base_dn $this->debug_log('Invalid ldap_search result. Skipping to next search set. Errno: ' . ldap_errno($ldap_conn) . ' Error: ' . ldap_error($ldap_conn)); continue; } $search_info = ldap_get_entries($ldap_conn, $search_result); //$this->debug_log( 'Results returned by LDAP Server: <pre>'.var_export( $search_info, true ).'</pre>' ); if ($search_info['count'] != 1) { // We have found 0 or more than 1 users, which is a problem... $this->debug_log('# of entries found with search: ' . $search_info['count'] . ' - Skipping...'); /* for ($i=0; $i<$search_info["count"]; $i++) { echo "dn: ". $search_info[$i]["dn"] ."<br>"; echo "first cn entry: ". $search_info[$i]["cn"][0] ."<br>"; echo "first email entry: ". $search_info[$i]["mail"][0] ."<p>"; } */ continue; } $this->debug_log('User info has been found.'); // --- CREATE OR UPDATE USER ACCOUNT IN B2EVO --- if ($update_mode == false) { $this->debug_log('Step 3 : Creating a local user in b2evolution...'); $local_User = new User(); $local_User->set('login', $params['login']); $local_User->set('locale', locale_from_httpaccept()); // use the browser's locale $local_User->set_datecreated($localtimenow); // $local_User->set( 'level', 1 ); } else { // User exists already exists $this->debug_log('Step 3 : Updating the existing local user.'); } $this->debug_log('Randomize password in b2evolution DB and autoactivate user.'); // Generate a random password (we never want LDAP users to be able to login without a prior LDAP check) (also on update, just in case... $local_User->set_password(generate_random_passwd(32)); // $params['pass'] ); $local_User->set('status', 'autoactivated'); // Activate the user automatically (no email activation necessary) // Convert each input string to current server encoding: $exclude_encoding_fields = array('uid', 'mail', 'jpegphoto'); if (isset($search_info[0]) && is_array($search_info[0])) { foreach ($search_info[0] as $search_info_key => $search_info_data) { if (isset($search_info_data[0]) && is_string($search_info_data[0]) && !in_array($search_info_key, $exclude_encoding_fields)) { // Convert string from LDAP server encoding to current server encoding: $search_info[0][$search_info_key][0] = convert_charset($search_info_data[0], $l_set['encoding'], $evo_charset); } } } // Make some updates: // mail -> email: if (isset($search_info[0]['mail'][0])) { $local_User->set_email($search_info[0]['mail'][0]); } // uid -> nickname if (isset($search_info[0]['uid'][0])) { $this->debug_log('UID: <b>' . $search_info[0]['uid'][0] . '</b>'); $local_User->set('nickname', $search_info[0]['uid'][0]); } else { // if not found, use login. $local_User->set('nickname', $params['login']); } // givenname -> Firstname: if (isset($search_info[0]['givenname'][0])) { $this->debug_log('First name (givenname): <b>' . $search_info[0]['givenname'][0] . '</b>'); $local_User->set('firstname', $search_info[0]['givenname'][0]); } // sn -> Lastname: if (isset($search_info[0]['sn'][0])) { $this->debug_log('Last name (sn): <b>' . $search_info[0]['sn'][0] . '</b>'); $local_User->set('lastname', $search_info[0]['sn'][0]); } // roomnumber -> user field "roomnumber" (if not found, autocreate it in group "Address") if (isset($search_info[0]['roomnumber'][0])) { $this->debug_log('Room number: <b>' . $search_info[0]['roomnumber'][0] . '</b>'); $this->userfield_update_by_code($local_User, 'roomnumber', $search_info[0]['roomnumber'][0], 'Address', 'Room Number', 'word'); } // businesscategory -> user field "businesscategory" (if not found, autocreate it in group "About me") if (isset($search_info[0]['businesscategory'][0])) { $this->debug_log('Business Category: <b>' . $search_info[0]['businesscategory'][0] . '</b>'); $this->userfield_update_by_code($local_User, 'businesscategory', $search_info[0]['businesscategory'][0], 'About me', 'Business Category', 'text'); } // telephonenumber -> user field "officephone" (if not found, autocreate it in group "Phone") if (isset($search_info[0]['telephonenumber'][0])) { $this->debug_log('Office phone: <b>' . $search_info[0]['telephonenumber'][0] . '</b>'); $this->userfield_update_by_code($local_User, 'officephone', $search_info[0]['telephonenumber'][0], 'Phone', 'Office phone', 'phone'); } // mobile -> user field "cellphone" (if not found, autocreate it in group "Phone") if (isset($search_info[0]['mobile'][0])) { $this->debug_log('Cell phone: <b>' . $search_info[0]['mobile'][0] . '</b>'); $this->userfield_update_by_code($local_User, 'cellphone', $search_info[0]['mobile'][0], 'Phone', 'Cell phone', 'phone'); } // employeenumber -> user field "employeenumber" (if not found, autocreate it in group "About me") if (isset($search_info[0]['employeenumber'][0])) { $this->debug_log('Employee number: <b>' . $search_info[0]['employeenumber'][0] . '</b>'); $this->userfield_update_by_code($local_User, 'employeenumber', $search_info[0]['employeenumber'][0], 'About me', 'Employee number', 'word'); } // title -> user field "title" (if not found, autocreate it in group "About me") if (isset($search_info[0]['title'][0])) { $this->debug_log('Title: <b>' . $search_info[0]['title'][0] . '</b>'); $this->userfield_update_by_code($local_User, 'title', $search_info[0]['title'][0], 'About me', 'Title', 'word'); $userfield_title = $search_info[0]['title'][0]; // Use this as role for all organizations below } else { $userfield_title = ''; } // departmentnumber -> join Organization with the same name (create if doesn't exist) if (isset($search_info[0]['departmentnumber'][0])) { $this->debug_log('Department Number: <b>' . $search_info[0]['departmentnumber'][0] . '</b>'); $this->userorg_update_by_name($local_User, $search_info[0]['departmentnumber'][0], $userfield_title); } // o -> join Organization with the same name (create if doesn't exist) if (isset($search_info[0]['o'][0])) { $this->debug_log('Organization: <b>' . $search_info[0]['o'][0] . '</b>'); $this->userorg_update_by_name($local_User, $search_info[0]['o'][0], $userfield_title); } // telexnumber -> user field "officefax" (if not found, autocreate it in group "Phone") if (isset($search_info[0]['telexnumber'][0])) { $this->debug_log('Office FAX: <b>' . $search_info[0]['telexnumber'][0] . '</b>'); $this->userfield_update_by_code($local_User, 'officefax', $search_info[0]['telexnumber'][0], 'Phone', 'Office FAX', 'phone'); } // ---- GROUP STUFF ---- if ($update_mode == true) { // Updating existing user $this->debug_log('Updating existing user: we do NOT touch the primary group.'); $local_User->dbupdate(); $this->debug_log('OK -- User has been updated.'); } else { // Try to assign prilary group from the search results: $assigned_group = false; if (!empty($l_set['assign_user_to_group_by'])) { $this->debug_log('Plugin is configured to assign the Primary Group by the ' . $l_set['assign_user_to_group_by'] . ' key...'); if (isset($search_info[0][$l_set['assign_user_to_group_by']]) && isset($search_info[0][$l_set['assign_user_to_group_by']][0])) { // There is info we want to assign by $assign_by_value = $search_info[0][$l_set['assign_user_to_group_by']][0]; $this->debug_log('User info says has ' . $l_set['assign_user_to_group_by'] . ' = "<b>' . $assign_by_value . '</b>"'); $GroupCache =& get_Cache('GroupCache'); if ($users_Group =& $GroupCache->get_by_name($assign_by_value, false)) { // A group with the users value returned exists. $local_User->set_Group($users_Group); $assigned_group = true; $this->debug_log('Assigning User to existing Primary Group.'); } else { $this->debug_log('Group with that name does not exist...'); if ($new_Group =& $this->usergroup_create($l_set['tpl_new_grp_ID'], $assign_by_value)) { // Link the user to new created group: $local_User->set_Group($new_Group); $assigned_group = true; $this->debug_log('Assigned User to new Primary Group.'); } } } } if (!$assigned_group) { // Default group: $this->debug_log('Falling back to default primary group...'); $users_Group = NULL; $fallback_grp_ID = $this->Settings->get('fallback_grp_ID'); if (empty($fallback_grp_ID)) { $this->debug_log('No default/fallback primary group configured.'); $this->debug_log('User NOT created, try next LDAP server...'); //Continue to next LDAP server: continue; } else { $GroupCache =& get_Cache('GroupCache'); $users_Group =& $GroupCache->get_by_ID($fallback_grp_ID); if ($users_Group) { // either $this->default_group_name is not given or wrong $local_User->set_Group($users_Group); $assigned_group = true; $this->debug_log('Using default/fallback primary group: <b>' . $users_Group->get('name') . '</b>'); } else { $this->debug_log('Default/fallback primary group does not exist (' . $fallback_grp_ID . ').'); $this->debug_log('User NOT created, try next LDAP server...'); //Continue to next LDAP server: continue; } } } $local_User->dbinsert(); $UserCache->add($local_User); $this->debug_log('OK -- User has been created.'); } // Remember this settings number in order use this first in next logging time by current user: $this->UserSettings->set('search_set_num', $l_id, $local_User->ID); $this->UserSettings->dbupdate(); // Assign user to organizations: $this->userorg_assign_to_user($local_User); // jpegphoto -> Save as profile pictue "ldap.jpeg" and associate with user if (isset($search_info[0]['jpegphoto'][0])) { $this->debug_log('Photo: <img src="data:image/jpeg;base64,' . base64_encode($search_info[0]['jpegphoto'][0]) . '" />'); // Save to disk and attach to user: $this->userimg_attach_photo($local_User, $search_info[0]['jpegphoto'][0], !empty($l_set['expand_pics'])); } // --- EXTRA GROUPS --- if (!empty($l_set['secondary_grp_search_filter'])) { global $app_version; if (evo_version_compare($app_version, '6.7.0-alpha') < 0) { // The plugin is used on b2evo 6.6 $this->debug_log('Secondary groups not handled. This feature requires b2evolution v6.7.0-alpha or newer.'); } elseif (empty($l_set['secondary_grp_name_attribute'])) { $this->debug_log('Missing name attribute for secondary groups'); } else { $filter = str_replace('%s', $params['login'], $l_set['secondary_grp_search_filter']); $grp_name_attribute = $l_set['secondary_grp_name_attribute']; $this->debug_log(sprintf('Step 4 : Now querying for secondary groups. base_dn: <b>%s</b>, filter: <b>%s</b>, name attribue=<b>%s</b>', $l_set['secondary_grp_base_dn'], $filter, $grp_name_attribute)); $search_result = @ldap_search($ldap_conn, $l_set['secondary_grp_base_dn'], $filter, array($grp_name_attribute)); if (!$search_result) { // this may happen with an empty base_dn $this->debug_log('Invalid ldap_search result. No secondary groups will be assigned. Errno: ' . ldap_errno($ldap_conn) . ' Error: ' . ldap_error($ldap_conn)); } else { $search_info = ldap_get_entries($ldap_conn, $search_result); // $this->debug_log( 'Results returned by LDAP Server: <pre>'.var_export( $search_info, true ).'</pre>' ); $secondary_groups = array(); // $this->debug_log( 'Secondary groups name prefix: <pre>'.var_export( $l_set['secondary_grp_name_prefix'], true ).'</pre>' ); // Walk through results: foreach ($search_info as $group_candidate) { if (is_array($group_candidate) && isset($group_candidate[$grp_name_attribute][0])) { $group_candidate_cn = $group_candidate[$grp_name_attribute][0]; if (empty($l_set['secondary_grp_name_prefix']) || strpos($group_candidate_cn, $l_set['secondary_grp_name_prefix']) === 0) { // prefix is ok $this->debug_log('Accepted Secondary Group: ' . $group_candidate_cn); $secondary_groups[] = $group_candidate_cn; } else { // prefix is NOT ok $this->debug_log('REJECTED Secondary Group: ' . $group_candidate_cn); } } } // Hardcode two secondary groups: // $secondary_groups = array( 'Blog B members', 'Blog D Members' ); $this->debug_log('Secondary groups to be assigned: <pre>' . var_export($secondary_groups, true) . '</pre>'); // Update secondary groups for the User: $this->usersecgroup_update($local_User, $secondary_groups, $l_set['tpl_new_secondary_grp_ID']); } } } if (isset($initial_protocol_version)) { ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, $initial_protocol_version); } // --- CONSIDER THE LOGIN ATTEMPT TO BE SUCCESSFUL AND WE ACCEPT IT --- // Update this value which has been passed by REFERENCE: $params['pass_ok'] = true; return true; // Login was a success (but return "true" does not trigger anything special in b2evolution) } if (isset($initial_protocol_version)) { ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, $initial_protocol_version); } return false; // Login failed! }
} if ($registration_require_lastname) { $paramsList['lastname'] = $lastname; } if ($registration_require_gender == 'required') { $paramsList['gender'] = $gender; } if ($Settings->get('newusers_canregister') == 'invite') { // Invitation code must be not empty when user can register ONLY with this code $paramsList['invitation'] = get_param('invitation'); } // Check profile params: profile_check_params($paramsList); if ($is_quick && !$Messages->has_errors()) { // Generate a login and password for quick registration $pass1 = generate_random_passwd(10); // Get the login from email address: $login = preg_replace('/^([^@]+)@(.+)$/', '$1', utf8_strtolower($email)); $login = preg_replace('/[\'"><@\\s]/', '', $login); if ($Settings->get('strict_logins')) { // We allow only the plain ACSII characters, digits, the chars _ and . $login = preg_replace('/[^A-Za-z0-9_.]/', '', $login); } else { // We allow any character that is not explicitly forbidden in Step 1 // Enforce additional limitations $login = preg_replace('|%([a-fA-F0-9][a-fA-F0-9])|', '', $login); // Kill octets $login = preg_replace('/&.+?;/', '', $login); // Kill entities } $login = preg_replace('/^usr_/i', '', $login);
/** * Create sample users and display a process of creating * * @param integer Group ID * @param integer Number of users */ function tool_create_sample_users($group_ID, $num_users) { global $Messages, $DB, $Debuglog; echo T_('Creating of the sample users...'); evo_flush(); /** * Disable log queries because it increases the memory and stops the process with error "Allowed memory size of X bytes exhausted..." */ $DB->log_queries = false; $count = 1; for ($i = 1; $i <= $num_users; $i++) { $login = generate_random_passwd(); while (user_exists($login)) { // Generate new unique login $login = generate_random_passwd(); } $User = new User(); // Create out of range hashes for better security $User->set('pass', generate_random_passwd()); $User->set('login', $login); $User->set('email', 'test_' . $i . '@test.com'); $User->set('firstname', 'Test user ' . $i); $User->set('url', 'http://www.test-' . rand(1, 3) . '.com/test_user_' . $i); $User->set('grp_ID', $group_ID); $User->dbinsert(); $count++; if ($count % 100 == 0) { // Display a process of creating by one dot for 100 users echo ' .'; evo_flush(); } // Clear all debug messages, To avoid an error about full memory $Debuglog->clear('all'); } echo ' OK.'; $Messages->add(sprintf(T_('Created %d users.'), $num_users), 'success'); }