Пример #1
 /**
  * decide if a username is excluded or not
  *
  * @param string $name as proposed drupal username
  * @param array $ldap_user where top level keys are 'dn','attr','mail'
  * @return boolean FALSE means NOT allow; TRUE means allow
  *
  * @todo.  this function should simply invoke hook_ldap_authentication_allowuser_results_alter
  *   and most of this function should go in ldap_authentication_allowuser_results_alter
  */
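 public function allowUser($name, $ldap_user)
 {
     // Access-control gate for an LDAP user. Returns FALSE at the first check
     // that refuses the login and TRUE only when every configured check passes.
     // Order of checks: DN exclude list, optional PHP test, DN allow list,
     // optional "must have LDAP authorizations" test, then the alter hook.
     // NOTE(review): only the misconfiguration paths and the hook refusal are
     // logged; DN and PHP-test refusals return FALSE without a watchdog entry.

     // NOTE(review): the result is not used in this method; the call is kept in
     // case ldap_user_conf() has side effects -- confirm, then remove.
     $ldap_user_conf = ldap_user_conf();

     // A missing 'dn' is treated as an empty DN, so no pattern can match it.
     $dn = isset($ldap_user['dn']) ? (string) $ldap_user['dn'] : '';

     /**
      * do one of the exclude attribute pairs match
      */
     foreach ($this->excludeIfTextInDn as $test) {
         // stripos() with an empty needle returns 0 on PHP 8, so a blank entry
         // would match every DN and lock out all users; skip blank entries.
         if ((string) $test === '') {
             continue;
         }
         if (stripos($dn, $test) !== FALSE) {
             return FALSE;
         }
     }
     /**
      * evaluate php if it exists
      */
     if ($this->allowTestPhp) {
         if (module_exists('php')) {
             // SECURITY: allowTestPhp is stored configuration that is executed as
             // PHP on every login attempt. Anyone able to change that setting can
             // run code as the web server, and the LDAP entry handed over through
             // the globals is directory data the snippet must treat as untrusted.
             // NOTE(review): prefer moving this logic into an implementation of the
             // ldap_authentication_allowuser_results alter hook invoked below.
             global $_name, $_ldap_user_entry;
             $_name = $name;
             $_ldap_user_entry = $ldap_user;
             $code = '<?php ' . "global \$_name; \n  global \$_ldap_user_entry; \n" . $this->allowTestPhp . ' ?>';
             $code_result = php_eval($code);
             // Clear the globals so the entry does not outlive the evaluation.
             $_name = NULL;
             $_ldap_user_entry = NULL;
             // Any falsy result ('', '0', NULL, FALSE, 0) refuses the user.
             if (!$code_result) {
                 return FALSE;
             }
         } else {
             // Fail closed: a PHP test is configured but cannot be evaluated.
             drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
             $tokens = array('!ldap_authentication_config' => l(t('LDAP Authentication Configuration'), 'admin/config/people/ldap/authentication'));
             watchdog('ldap_authentication', 'LDAP Authentication is configured to deny users based on php execution with php_eval function, but php module is not enabled. Please enable php module or remove php code at !ldap_authentication_config .', $tokens);
             return FALSE;
         }
     }
     /**
      * do one of the allow attribute pairs match
      */
     if (count($this->allowOnlyIfTextInDn)) {
         $fail = TRUE;
         foreach ($this->allowOnlyIfTextInDn as $test) {
             // A blank entry must never satisfy the allow list: on PHP 8
             // stripos($dn, '') is 0, which would admit every DN.
             if ((string) $test === '') {
                 continue;
             }
             if (stripos($dn, $test) !== FALSE) {
                 $fail = FALSE;
                 break;
             }
         }
         if ($fail) {
             return FALSE;
         }
     }
     /**
      * is excludeIfNoAuthorizations option enabled and user not granted any groups
      */
     if ($this->excludeIfNoAuthorizations) {
         if (!module_exists('ldap_authorization')) {
             // Fail closed: the option depends on a module that is not enabled.
             drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
             $tokens = array('!ldap_authentication_config' => l(t('LDAP Authentication Configuration'), 'admin/config/people/ldap/authentication'));
             watchdog('ldap_authentication', 'LDAP Authentication is configured to deny users without LDAP Authorization mappings, but LDAP Authorization module is not enabled.  Please enable and configure LDAP Authorization or disable this option at !ldap_authentication_config .', $tokens);
             return FALSE;
         }
         // Stand-in account object used only to query authorizations; the
         // ldap_authenticated property is a fake flag added for that query.
         $user = new stdClass();
         $user->name = $name;
         $user->ldap_authenticated = TRUE;
         $consumers = ldap_authorization_get_consumers();
         $has_enabled_consumers = FALSE;
         $has_ldap_authorizations = FALSE;
         foreach ($consumers as $consumer_type => $consumer_config) {
             $consumer_obj = ldap_authorization_get_consumer_object($consumer_type);
             if ($consumer_obj->consumerConf->status) {
                 $has_enabled_consumers = TRUE;
                 list($authorizations, $notifications) = ldap_authorizations_user_authorizations($user, 'query', $consumer_type, 'test_if_authorizations_granted');
                 if (isset($authorizations[$consumer_type]) && count($authorizations[$consumer_type]) > 0) {
                     $has_ldap_authorizations = TRUE;
                 }
             }
         }
         if (!$has_enabled_consumers) {
             // Fail closed: no enabled consumer means nothing can grant access.
             drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
             $tokens = array('!ldap_consumer_config' => l(t('LDAP Authorization Configuration'), 'admin/config/people/ldap/authorization'));
             watchdog('ldap_authentication', 'LDAP Authentication is configured to deny users without LDAP Authorization mappings, but 0 LDAP Authorization consumers are configured:  !ldap_consumer_config .', $tokens);
             return FALSE;
         } elseif (!$has_ldap_authorizations) {
             return FALSE;
         }
     }
     // allow other modules to hook in and refuse if they like; only an explicit
     // FALSE written to $hook_result refuses the user
     $hook_result = TRUE;
     drupal_alter('ldap_authentication_allowuser_results', $ldap_user, $name, $hook_result);
     if ($hook_result === FALSE) {
         watchdog('ldap_authentication', "Authentication Allow User Result=refused for %name", array('%name' => $name), WATCHDOG_NOTICE);
         return FALSE;
     }
     /**
      * default to allowed
      */
     return TRUE;
 }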
 /**
  * decide if a username is excluded or not
  *
  * @return boolean
  */
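 public function allowUser($name, $ldap_user_entry)
 {
     // Access-control gate for an LDAP user. Returns FALSE at the first check
     // that refuses the login and TRUE only when every configured check passes.
     // Order of checks: DN exclude list, optional PHP test, DN allow list,
     // optional "must have LDAP authorizations" test.
     // NOTE(review): DN and PHP-test refusals return FALSE without a watchdog
     // entry; only the misconfiguration paths are logged.

     // Lower-case the DN once; a missing 'dn' is treated as an empty DN, so no
     // pattern can match it.
     $dn = drupal_strtolower(isset($ldap_user_entry['dn']) ? (string) $ldap_user_entry['dn'] : '');

     /**
      * do one of the exclude attribute pairs match
      */
     foreach ($this->excludeIfTextInDn as $test) {
         // strpos() with an empty needle returns 0 on PHP 8, so a blank entry
         // would match every DN and lock out all users; skip blank entries.
         if ((string) $test === '') {
             continue;
         }
         if (strpos($dn, drupal_strtolower($test)) !== FALSE) {
             return FALSE;
         }
     }
     /**
      * evaluate php if it exists
      */
     if ($this->allowTestPhp) {
         if (module_exists('php')) {
             // SECURITY: allowTestPhp is stored configuration that is executed as
             // PHP on every login attempt. Anyone able to change that setting can
             // run code as the web server, and the LDAP entry handed over through
             // the globals is directory data the snippet must treat as untrusted.
             global $_name, $_ldap_user_entry;
             $_name = $name;
             $_ldap_user_entry = $ldap_user_entry;
             $code = '<?php ' . "global \$_name; \n  global \$_ldap_user_entry; \n" . $this->allowTestPhp . ' ?>';
             $code_result = php_eval($code);
             // Clear the globals so the entry does not outlive the evaluation.
             $_name = NULL;
             $_ldap_user_entry = NULL;
             // Any falsy result ('', '0', NULL, FALSE, 0) refuses the user.
             if (!$code_result) {
                 return FALSE;
             }
         } else {
             // Fail closed: a PHP test is configured but cannot be evaluated.
             // watchdog()'s first argument is the log type (category); severity
             // is the fourth argument, so 'warning' belongs there, not in the type.
             drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
             $tokens = array('!ldap_authentication_config' => l(t('LDAP Authentication Configuration'), 'admin/config/people/ldap/authentication'));
             watchdog('ldap_authentication', 'LDAP Authentication is configured to deny users based on php execution with php_eval function, but php module is not enabled. Please enable php module or remove php code at !ldap_authentication_config .', $tokens, WATCHDOG_WARNING);
             return FALSE;
         }
     }
     /**
      * do one of the allow attribute pairs match
      */
     if (count($this->allowOnlyIfTextInDn)) {
         $fail = TRUE;
         foreach ($this->allowOnlyIfTextInDn as $test) {
             // A blank entry must never satisfy the allow list: on PHP 8
             // strpos($dn, '') is 0, which would admit every DN.
             if ((string) $test === '') {
                 continue;
             }
             if (strpos($dn, drupal_strtolower($test)) !== FALSE) {
                 $fail = FALSE;
                 break;
             }
         }
         if ($fail) {
             return FALSE;
         }
     }
     /**
      * is excludeIfNoAuthorizations option enabled and user not granted any groups
      */
     if ($this->excludeIfNoAuthorizations) {
         if (!module_exists('ldap_authorization')) {
             // Fail closed: the option depends on a module that is not enabled.
             drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
             $tokens = array('!ldap_authentication_config' => l(t('LDAP Authentication Configuration'), 'admin/config/people/ldap/authentication'));
             watchdog('ldap_authentication', 'LDAP Authentication is configured to deny users without LDAP Authorization mappings, but LDAP Authorization module is not enabled.  Please enable and configure LDAP Authorization or disable this option at !ldap_authentication_config .', $tokens, WATCHDOG_WARNING);
             return FALSE;
         }
         // Stand-in account object used only to query authorizations; the
         // ldap_authenticated property is a fake flag added for that query.
         $user = new stdClass();
         $user->name = $name;
         $user->ldap_authenticated = TRUE;
         $consumers = ldap_authorization_get_consumers();
         $has_enabled_consumers = FALSE;
         foreach ($consumers as $consumer_type => $consumer_config) {
             $consumer_obj = ldap_authorization_get_consumer_object($consumer_type);
             if ($consumer_obj->consumerConf->status) {
                 $has_enabled_consumers = TRUE;
                 list($authorizations, $notifications) = ldap_authorizations_user_authorizations($user, 'query', $consumer_type, 'test_if_authorizations_granted');
                 // Any non-empty value in the returned array counts as a grant; this
                 // is the last check, so the user is allowed as soon as one is found.
                 if (count(array_filter(array_values($authorizations))) > 0) {
                     return TRUE;
                 }
             }
         }
         if (!$has_enabled_consumers) {
             // Fail closed: no enabled consumer means nothing can grant access.
             drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
             $tokens = array('!ldap_consumer_config' => l(t('LDAP Authorization Configuration'), 'admin/config/people/ldap/authorization'));
             watchdog('ldap_authentication', 'LDAP Authentication is configured to deny users without LDAP Authorization mappings, but 0 LDAP Authorization consumers are configured:  !ldap_consumer_config .', $tokens, WATCHDOG_WARNING);
             return FALSE;
         }
         // Consumers are enabled but none granted this user anything.
         return FALSE;
     }
     /**
      * default to allowed
      */
     return TRUE;
 }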