 /**
  * Checks the group membership of the bound user
  *
  * Returns true when no group restriction is configured or when exactly one
  * entry matches the combined group/member filter; otherwise returns a
  * failure message that includes the filter that was used.
  *
  * @param  Zend_Ldap $ldap
  * @param  string    $canonicalName
  * @param  string    $dn
  * @param  array     $adapterOptions
  * @return string|true
  */
 protected function _checkGroupMembership(Zend_Ldap $ldap, $canonicalName, $dn, array $adapterOptions)
 {
     // No group restriction configured: nothing to verify.
     if ($adapterOptions['group'] === null) {
         return true;
     }

     // The member attribute holds either the user's DN or its canonical name.
     $member = ($adapterOptions['memberIsDn'] === false) ? $canonicalName : $dn;

     // Zend_Ldap_Filter is not required explicitly here; it is assumed to be
     // loadable by other means (the require_once was commented out).
     $filter = Zend_Ldap_Filter::andFilter(
         Zend_Ldap_Filter::equals($adapterOptions['groupAttr'], $adapterOptions['group']),
         Zend_Ldap_Filter::equals($adapterOptions['memberAttr'], $member)
     );
     $extraFilter = $adapterOptions['groupFilter'];
     if (!empty($extraFilter)) {
         $filter = $filter->addAnd($extraFilter);
     }

     /*
      * Re-bind with the credentials from the Zend_Ldap options before the
      * lookup: the just-authenticated user may not be allowed to read
      * group-membership information. The account configured via "username"
      * and "password" in those options must therefore have read access to
      * the group entries.
      */
     $ldap->bind();
     $matches = $ldap->count($filter, $adapterOptions['groupDn'], $adapterOptions['groupScope']);

     return ($matches === 1)
         ? true
         : 'Failed to verify group membership with ' . $filter->toString();
 }
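 /**
  * Checks the group membership of the bound user
  *
  * Returns true when no group restriction is configured or when exactly one
  * entry matches the combined group/member filter; otherwise returns a
  * failure message that includes the filter that was used.
  *
  * The lookup is performed after re-binding with the credentials configured
  * in the Zend_Ldap options ("username"/"password"), not under the bind of
  * the user being authenticated: that user may lack read access to the group
  * entries, which would otherwise turn a legitimate member into a spurious
  * "Failed to verify group membership" result. The configured account must
  * therefore be able to read the group entries.
  *
  * @param  Zend_Ldap $ldap
  * @param  string    $canonicalName
  * @param  string    $dn
  * @param  array     $adapterOptions
  * @return string|true
  */
 protected function _checkGroupMembership(Zend_Ldap $ldap, $canonicalName, $dn, array $adapterOptions)
 {
     // No group restriction configured: nothing to verify.
     if ($adapterOptions['group'] === null) {
         return true;
     }

     // The member attribute holds either the user's DN or its canonical name.
     $member = ($adapterOptions['memberIsDn'] === false) ? $canonicalName : $dn;

     /**
      * @see Zend_Ldap_Filter
      */
     require_once 'Zend/Ldap/Filter.php';
     $filter = Zend_Ldap_Filter::andFilter(
         Zend_Ldap_Filter::equals($adapterOptions['groupAttr'], $adapterOptions['group']),
         Zend_Ldap_Filter::equals($adapterOptions['memberAttr'], $member)
     );
     $extraFilter = $adapterOptions['groupFilter'];
     if (!empty($extraFilter)) {
         $filter = $filter->addAnd($extraFilter);
     }

     // Re-bind with the account from the Zend_Ldap options so the count below
     // does not depend on the authenticated user's own read permissions.
     $ldap->bind();
     $matches = $ldap->count($filter, $adapterOptions['groupDn'], $adapterOptions['groupScope']);

     return ($matches === 1)
         ? true
         : 'Failed to verify group membership with ' . $filter->toString();
 }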
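 /**
  * Authenticates the current identity/credential pair against the LDAP server.
  *
  * Flow: bind with the configured service account, look the account up by
  * samAccountName, reject the login when the password age (AD pwdLastSet)
  * exceeds self::LDAP_MAX_PWD_LAST_SET_DAYS, then bind as the user to verify
  * the credential. The outcome is written to $this->_authenticateResultInfo;
  * TRUE is returned only when the user bind succeeded.
  *
  * When the primary server cannot be contacted, the method retries itself once
  * against the secondary host (if one is configured).
  *
  * @return bool
  */
 protected function autenticateLdap()
 {
     try {
         $container = Core_Registry::getContainers();
         $ldap = $container['ldap']->getPersist();
         $config = \Zend_Registry::get('configs');

         // Build the lookup filter through Zend_Ldap_Filter so the submitted
         // identity is escaped. Interpolating it raw into
         // "samAccountName=..." would let LDAP filter metacharacters in the
         // identity alter the query (LDAP filter injection).
         $samAccountNameQuery = \Zend_Ldap_Filter::equals('samAccountName', $this->getIdentity());

         // Switch to the secondary host when this is the retry triggered from
         // the catch block below.
         if ($this->_secondaryHost && isset($config['resources']['container']['ldap']['host']['secondary'])) {
             $options = $ldap->getOptions();
             $options['host'] = $config['resources']['container']['ldap']['host']['secondary'];
             $ldap = new Zend_Ldap($options);
         }

         // Service-account bind: the account lookup and the pwdLastSet read
         // below run under this account's rights, not the end user's.
         $admUsr = $config['authenticate']['username'];
         $admPwd = $config['authenticate']['password'];
         $ldap->bind($admUsr, $admPwd);

         if ($ldap->count($samAccountNameQuery) <= 0) {
             throw new \Sica_Auth_Exception('MN175');
         }
         $userLdap = current($ldap->search($samAccountNameQuery)->toArray());

         if ($this->_daysSincePwdLastSet($userLdap) >= self::LDAP_MAX_PWD_LAST_SET_DAYS) {
             throw new \Sica_Auth_Exception('EXPIRED_PWD_MSG');
         }

         // The actual credential check: bind as the user.
         $ldap->bind($this->getIdentity(), $this->getCredential());
         return true;
     } catch (\Sica_Auth_Exception $authExc) {
         $this->_authenticateResultInfo['code'] = Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND;
         $this->_authenticateResultInfo['messages'] = $authExc->getMessage();
         return false;
     } catch (\Zend_Ldap_Exception $ldapExc) {
         $ldapCode = $ldapExc->getCode();
         // Full detail goes to the server log; the user-facing message is
         // reduced to a code/key further down.
         $message = sprintf('[SICA-e] LDAP Error in %s: "%s"', __METHOD__, $ldapExc->getMessage());
         error_log($message);
         $message = sprintf('[Erro no LDAP] %s', $ldapExc->getMessage());

         // If the LDAP server could not be contacted and this is not already
         // the attempt against the secondary server, retry there once.
         if ($ldapCode == self::LDAP_CONST_CODE_CANT_CONTACT_SERVER && !$this->_secondaryHost) {
             $this->_secondaryHost = true;
             return $this->autenticateLdap();
         }
         if ($ldapCode > 0) {
             $message = sprintf('LDAP0x%02x', $ldapCode);
         }
         if (false !== strpos($ldapExc->getMessage(), self::LDAP_CONST_NT_STATUS_PASSWORD_EXPIRED)) {
             $message = 'EXPIRED_PWD_MSG';
         }
         $this->_authenticateResultInfo['code'] = Zend_Auth_Result::FAILURE_UNCATEGORIZED;
         $this->_authenticateResultInfo['messages'] = $message;
         return false;
     }
 }

 /**
  * Computes how many days ago the account's password was last set.
  *
  * Active Directory stores pwdLastSet as a FILETIME: 100-nanosecond intervals
  * since 1601-01-01. Dividing by 10^7 gives seconds; subtracting 11644473600
  * (the seconds between 1601-01-01 and 1970-01-01) gives a Unix timestamp.
  * When the attribute is absent the value defaults to 0, which yields an age
  * of roughly 369 years, so such an account fails the maximum-age check.
  *
  * @param  array|false $userLdap first entry of the search result (current() of ->toArray())
  * @return float whole days elapsed, rounded up
  */
 private function _daysSincePwdLastSet($userLdap)
 {
     $pwdLastSetFiletime = isset($userLdap['pwdlastset'][0]) ? $userLdap['pwdlastset'][0] : 0;
     $pwdLastSetUnix = bcsub(bcdiv($pwdLastSetFiletime, '10000000'), '11644473600');
     $pwdLastSetDate = new \Zend_Date($pwdLastSetUnix, \Zend_Date::TIMESTAMP);
     $elapsed = new \Zend_Measure_Time(
         \Zend_Date::now()->sub($pwdLastSetDate)->toValue(),
         \Zend_Measure_Time::SECOND
     );
     $elapsed->convertTo(\Zend_Measure_Time::DAY);
     return ceil($elapsed->getValue());
 }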