/**
  * Assertion Consumer Service
  *
  * The user gets sent back here after authenticating with the IdP, off-site.
  * The earlier redirection to the IdP can be found in the SAMLAuthenticator::authenticate.
  *
  * After this handler completes, we end up with a rudimentary Member record (which will be created on-the-fly
  * if not existent), with the user already logged in. Login triggers memberLoggedIn hooks, which allows
  * LDAP side of this module to finish off loading Member data.
  *
  * @throws OneLogin_Saml2_Error
  */
 public function acs()
 {
     $auth = Injector::inst()->get('SAMLHelper')->getSAMLAuth();
     $auth->processResponse();
     $error = $auth->getLastErrorReason();
     if (!empty($error)) {
         SS_Log::log($error, SS_Log::ERR);
         Form::messageForForm("SAMLLoginForm_LoginForm", "Authentication error: '{$error}'", 'bad');
         Session::save();
         return $this->getRedirect();
     }
     if (!$auth->isAuthenticated()) {
         Form::messageForForm("SAMLLoginForm_LoginForm", _t('Member.ERRORWRONGCRED'), 'bad');
         Session::save();
         return $this->getRedirect();
     }
     $decodedNameId = base64_decode($auth->getNameId());
     // check that the NameID is a binary string (which signals that it is a guid
     if (ctype_print($decodedNameId)) {
         Form::messageForForm("SAMLLoginForm_LoginForm", "Name ID provided by IdP is not a binary GUID.", 'bad');
         Session::save();
         return $this->getRedirect();
     }
     // transform the NameId to guid
     $guid = LDAPUtil::bin_to_str_guid($decodedNameId);
     if (!LDAPUtil::validGuid($guid)) {
         $errorMessage = "Not a valid GUID '{$guid}' recieved from server.";
         SS_Log::log($errorMessage, SS_Log::ERR);
         Form::messageForForm("SAMLLoginForm_LoginForm", $errorMessage, 'bad');
         Session::save();
         return $this->getRedirect();
     }
     // Write a rudimentary member with basic fields on every login, so that we at least have something
     // if LDAP synchronisation fails.
     $member = Member::get()->filter('GUID', $guid)->limit(1)->first();
     if (!($member && $member->exists())) {
         $member = new Member();
         $member->GUID = $guid;
     }
     $attributes = $auth->getAttributes();
     foreach ($member->config()->claims_field_mappings as $claim => $field) {
         if (!isset($attributes[$claim][0])) {
             SS_Log::log(sprintf('Claim rule \'%s\' configured in LDAPMember.claims_field_mappings, but wasn\'t passed through. Please check IdP claim rules.', $claim), SS_Log::WARN);
             continue;
         }
         $member->{$field} = $attributes[$claim][0];
     }
     $member->SAMLSessionIndex = $auth->getSessionIndex();
     // This will throw an exception if there are two distinct GUIDs with the same email address.
     // We are happy with a raw 500 here at this stage.
     $member->write();
     // This will trigger LDAP update through LDAPMemberExtension::memberLoggedIn.
     // Both SAML and LDAP identify Members by the GUID field.
     $member->logIn();
     return $this->getRedirect();
 }
Пример #2
0
 public function handleForm($context, $action)
 {
     if ($action == "login") {
         $ldapAuthed = LDAPUtil::authLDAPUser($_POST['username'], $_POST['password']);
         if ($ldapAuthed) {
             $user = WebAdUserDao::getWebAdUserByUsername($_POST['username']);
             if ($user != null && $user instanceof WebAdUser) {
                 SessionUtil::setUsername($user->getUsername());
                 $context->setPageID("home");
             } else {
                 $context->addError("Incorrect Login");
             }
         } else {
             $context->addError("Incorrect Login");
         }
     } else {
         $context->addError("Incorrect Action.");
     }
 }
 public function handleForm($context, $action)
 {
     if ($action == "login") {
         $authed = false;
         if (Config::login_type == LOGIN_TYPE_LDAP) {
             $authed = false;
             if (Config::ldap_type == LDAP_TYPE_REMOTE) {
                 $authed = RemoteLDAPUtil::auth($_POST['username'], $_POST['password']);
             } else {
                 if (Config::ldap_type == LDAP_TYPE_LOCAL) {
                     $authed = LDAPUtil::authLDAPUser($_POST['username'], $_POST['password']);
                 }
             }
         } else {
             if (Config::login_type == LOGIN_TYPE_DB) {
                 $authed = UserDao::authUser($_POST['username'], $_POST['password']);
             }
         }
         if ($authed) {
             $user = UserDao::getUserByUsername($_POST['username']);
             if ($user != null && $user instanceof User) {
                 SessionUtil::setUsername($user->username);
                 SessionUtil::setUserlevel($user->userlevel);
                 if (isset($_POST['redir']) && $_POST['redir'] != '' && !strpos($_POST['redir'], 'login') && !strpos($_POST['redir'], 'logout')) {
                     header("location: " . $_POST['redir']);
                 } else {
                     $context->setPageID("home");
                 }
             } else {
                 $context->addError("Incorrect Login");
             }
         } else {
             $context->addError("Incorrect Login");
         }
     } else {
         $context->addError("Incorrect Action.");
     }
 }
Пример #4
0
 public static function authLDAPUser($username, $password)
 {
     return LDAPUtil::checkNTuser($username, $password, Config::ldap_domain, Config::ldap_server);
 }
 /**
  * Return a particular LDAP user by objectGUID value.
  *
  * @param string $guid
  * @return array
  */
 public function getUserByGUID($guid, $baseDn = null, $scope = Zend\Ldap\Ldap::SEARCH_SCOPE_SUB, $attributes = array())
 {
     return $this->search(sprintf('(&(objectClass=user)(objectGUID=%s))', LDAPUtil::str_to_hex_guid($guid, true)), $baseDn, $scope, $attributes);
 }
Пример #6
0
 public static function authLDAPUser($username, $password)
 {
     return LDAPUtil::checkNTuser($username, $password, Config::getVariable('ldap_domain'), Config::getVariable('ldap_server'));
 }