Пример #1
 /**
  * LDAP authentication hook.
  *
  * Returns true to let the regular authentication proceed when LDAP is not
  * configured or the user has no LDAP entry, and false when LDAP rejects the
  * password or the local user could not be synced. On LDAP success the method
  * has no explicit return statement and therefore yields null.
  * NOTE(review): confirm the caller distinguishes null (LDAP success) from
  * false; an explicit `return true` at the end would make the contract clear.
  *
  * @param string $username
  * @param string $password
  * @return bool|null
  * @throws Exception when mailbox domains are configured but the serverclient
  *                   module is not available
  */
 public function authenticate($username, $password)
 {
     // Without a people DN there is nothing to look up; fall through to the
     // regular authentication rather than blocking every login.
     if (empty(\GO::config()->ldap_peopledn)) {
         \GO::debug('LDAPAUTH: Aborting because the following required value is not set: $config["ldap_peopledn"]');
         return true;
     }
     $record = \GO\Ldapauth\Model\Person::findByUsername($username);
     if (!$record) {
         \GO::debug("LDAPAUTH: No LDAP entry found for " . $username);
         //return true here because this should not block normal authentication
         return true;
     }
     //$authenticated = $ldapConn->bind($record->getDn(), $password);
     if (!$record->authenticate($password)) {
         // NOTE(review): $username is request input written to the info log
         // unescaped; confirm GO::infolog() neutralises line breaks if the
         // log is line-oriented.
         $str = "LOGIN FAILED for user: \"" . $username . "\" from IP: ";
         // REMOTE_ADDR is absent in non-web contexts (e.g. CLI).
         if (isset($_SERVER['REMOTE_ADDR'])) {
             $str .= $_SERVER['REMOTE_ADDR'];
         } else {
             $str .= 'unknown';
         }
         \GO::infolog($str);
         return false;
     }
     \GO::debug("LDAPAUTH: LDAP authentication SUCCESS for " . $username);
     // NOTE(review): the lines below use unqualified GO / Exception while the
     // rest of the method uses \GO; inside a namespace these resolve relative
     // to it unless imported - confirm they reach the intended classes.
     if (!empty(GO::config()->ldap_create_mailbox_domains)) {
         if (!GO::modules()->serverclient) {
             throw new Exception("The serverclient module must be installed and configured when using \$config['GO::config()->ldap_create_mailbox_domains']. See https://www.group-office.com/wiki/Mailserver#Optionally_install_the_serverclient");
         }
         // Presumably picked up by the serverclient module during the user
         // sync below; passing it through the POST superglobal is implicit
         // coupling - verify against the consumer.
         $_POST['serverclient_domains'] = GO::config()->ldap_create_mailbox_domains;
     } else {
         GO::debug("LDAPAUTH: Found LDAP entry found for " . $username);
         //			GO::debug($record->getAttributes());
     }
     // Creates or updates the local user from the LDAP record.
     $user = $this->syncUserWithLdapRecord($record, $password);
     if (!$user) {
         return false;
     }
     try {
         $this->_checkEmailAccounts($user, $password);
     } catch (Exception $e) {
         //				GO::debug("LDAPAUTH: Failed to create or update e-mail account!\n\n".(string) $e);
         // A mailbox setup failure is reported but does not fail the login.
         trigger_error("LDAPAUTH: Failed to create or update e-mail account for user " . $user->username . "\n\n" . $e->getMessage());
     }
 }
Пример #2
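 /**
  * Switches the current session to another user account ("login as").
  *
  * NOTE(review): the admin-only guard is commented out in this method and is
  * left as-is to preserve behaviour; confirm that the controller or the
  * framework enforces admin access before this action becomes reachable.
  *
  * @param array $params request parameters; reads $params['user_id']
  * @throws \Exception when no user exists for the requested id
  */
 protected function actionSwitch($params)
 {
     //
     //		if(!\GO::user()->isAdmin())
     //			throw new \Exception("This feature is for admins only!");
     $oldUsername = \GO::user()->username;
     // Remember the debug flag so it survives the session reset below.
     $debug = !empty(\GO::session()->values['debug']);
     $userId = isset($params['user_id']) ? $params['user_id'] : null;
     $user = \GO\Base\Model\User::model()->findByPk($userId);
     if (!$user) {
         // Fail explicitly instead of dereferencing a missing user below.
         throw new \Exception("No user found for the given user_id");
     }
     //clear session
     \GO::session()->values = array();
     \GO::session()->setCurrentUser($user->id);
     //\GO::session()->setCompatibilitySessionVars();
     if ($debug) {
         \GO::session()->values['debug'] = $debug;
     }
     // REMOTE_ADDR can be absent; fall back like the other login log lines.
     $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
     \GO::infolog("ADMIN logged-in as user: \"" . $user->username . "\" from IP: " . $ip);
     if (\GO::modules()->isInstalled('log')) {
         \GO\Log\Model\Log::create('switchuser', "'" . $oldUsername . "' logged in as '" . $user->username . "'");
     }
     $this->redirect();
 }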
Пример #3
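 /**
  * Logs a user in.
  *
  * Looks the account up by username, rejects unknown or disabled accounts
  * and wrong passwords, writes a LOGIN SUCCESS/FAILED line to the info log
  * and, on success, binds the user to the current session.
  *
  * @param string $username
  * @param string $password
  * @param bool $countLogin When true, updates lastlogin/logins, clears the
  *                         user's temp files and writes a login log entry.
  * @return Model\User|false The user on success; false on failure or when a
  *                          'beforelogin' listener vetoed the login.
  */
 public function login($username, $password, $countLogin = true)
 {
     if (!$this->fireEvent('beforelogin', array($username, $password, $countLogin))) {
         return false;
     }
     $user = Model\User::model()->findSingleByAttribute('username', $username);
     $success = true;
     if (!$user) {
         \GO::debug("LOGIN: User " . $username . " not found");
         $success = false;
     } elseif (!$user->enabled) {
         \GO::debug("LOGIN: User " . $username . " is disabled");
         $success = false;
     } elseif (!$user->checkPassword($password)) {
         \GO::debug("LOGIN: Incorrect password for " . $username);
         $success = false;
     }
     // NOTE(review): $username is request input written to the info log
     // unescaped; confirm GO::infolog() neutralises line breaks if the log
     // is line-oriented.
     $str = "LOGIN ";
     $str .= $success ? "SUCCESS" : "FAILED";
     $str .= " for user: \"" . $username . "\" from IP: ";
     // REMOTE_ADDR is absent in non-web contexts (e.g. CLI).
     if (isset($_SERVER['REMOTE_ADDR'])) {
         $str .= $_SERVER['REMOTE_ADDR'];
     } else {
         $str .= 'unknown';
     }
     \GO::infolog($str);
     \GO::debug($str);
     if (!$success) {
         return false;
     }
     $this->_user = $user;
     $this->setCurrentUser($user->id);
     if ($countLogin) {
         $user->lastlogin = time();
         $user->logins++;
         $user->save(true);
         $this->clearUserTempFiles();
     }
     $this->fireEvent('login', array($username, $password, $user, $countLogin));
     // Session fixation defence: issue a fresh session ID once the user is
     // authenticated so an ID known before login never identifies the
     // authenticated session (session.use_only_cookies should also be on so
     // IDs are never accepted from GET/POST). The true argument destroys the
     // old session as well: since PHP 7.1 session_regenerate_id() saves the
     // current - by now authenticated - session data under the old ID before
     // switching, so leaving it in place would keep the pre-login ID usable.
     if (PHP_SAPI != 'cli' && !defined('GO_NO_SESSION')) {
         session_regenerate_id(true);
     }
     if ($countLogin) {
         $this->_log(\GO\Log\Model\Log::ACTION_LOGIN);
     }
     \GO::session()->values['countLogin'] = $countLogin;
     return $user;
 }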
Пример #4
}
//check if GO is installed
// Bootstrap guard for browser requests that carry no route ('r'): honour a
// pending post-login redirect, then verify the installation and schema are
// current before handing the request to the router.
if (empty($_REQUEST['r']) && PHP_SAPI != 'cli') {
    // NOTE(review): the flag is tested in $_SESSION['GO_SESSION'] but the
    // value is read from \GO::session()->values - presumably the same
    // storage; verify.
    if (\GO::user() && isset($_SESSION['GO_SESSION']['after_login_url'])) {
        $url = \GO::session()->values['after_login_url'];
        // One-shot: consume the stored URL so it is not replayed later.
        unset(\GO::session()->values['after_login_url']);
        // NOTE(review): the redirect target comes from session state; confirm
        // that whatever stores after_login_url restricts it to this
        // application's own URLs, otherwise this is an open redirect.
        header('Location: ' . $url);
        exit;
    }
    // Installed means: a config file with a database user exists and the
    // database already contains at least one table.
    $installed = true;
    if (!\GO::config()->get_config_file() || empty(\GO::config()->db_user)) {
        $installed = false;
    } else {
        $stmt = \GO::getDbConnection()->query("SHOW TABLES");
        if (!$stmt->rowCount()) {
            $installed = false;
        }
    }
    if (!$installed) {
        header('Location: ' . \GO::config()->host . 'install/');
        exit;
    }
    //check for database upgrades
    // A config mtime that differs from the recorded upgrade mtime means the
    // configuration changed since the last upgrade run (loose != compare,
    // as in the original).
    $mtime = \GO::config()->get_setting('upgrade_mtime');
    if ($mtime != \GO::config()->mtime) {
        \GO::infolog("Running system update");
        header('Location: ' . \GO::url('maintenance/upgrade'));
        exit;
    }
}
\GO::router()->runController();