public static function authenticate($ps_username, $ps_password = '', $pa_options = null)
{
$po_auth_config = Configuration::load(Configuration::load()->get('authentication_config'));
if (!function_exists("ldap_connect")) {
throw new OpenLDAPException(_t("PHP's LDAP module is required for LDAP authentication!"));
}
if (!$ps_username) {
return false;
}
// ldap config
$vs_ldaphost = $po_auth_config->get("ldap_host");
$vs_ldapport = $po_auth_config->get("ldap_port");
$vs_base_dn = $po_auth_config->get("ldap_base_dn");
$vs_user_ou = $po_auth_config->get("ldap_user_ou");
$vs_bind_rdn = self::postProcessLDAPConfigValue("ldap_bind_rdn_format", $ps_username, $vs_user_ou, $vs_base_dn);
$va_default_roles = $po_auth_config->get("ldap_users_default_roles");
if (!is_array($va_default_roles)) {
$va_default_roles = array();
}
$va_default_groups = $po_auth_config->get("ldap_users_default_groups");
if (!is_array($va_default_groups)) {
$va_default_groups = array();
}
$vo_ldap = ldap_connect($vs_ldaphost, $vs_ldapport);
ldap_set_option($vo_ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
if (!$vo_ldap) {
return false;
}
$vs_bind_rdn_filter = self::postProcessLDAPConfigValue("ldap_bind_rdn_filter", $ps_username, $vs_user_ou, $vs_base_dn);
if (strlen($vs_bind_rdn_filter) > 0) {
$vo_dn_search_results = ldap_search($vo_ldap, $vs_base_dn, $vs_bind_rdn_filter);
$va_dn_search_results = ldap_get_entries($vo_ldap, $vo_dn_search_results);
if (isset($va_dn_search_results[0]['dn'])) {
$vs_bind_rdn = $va_dn_search_results[0]['dn'];
}
}
// log in
$vo_bind = @ldap_bind($vo_ldap, $vs_bind_rdn, $ps_password);
if (!$vo_bind) {
// wrong credentials
if (ldap_get_option($vo_ldap, 0x32, $extended_error)) {
caLogEvent("ERR", "LDAP ERROR (" . ldap_errno($vo_ldap) . ") {$extended_error} [{$vs_bind_rdn}]", "OpenLDAP::Authenticate");
}
ldap_unbind($vo_ldap);
return false;
}
// check group membership
if (!self::isMemberinAtLeastOneGroup($ps_username, $vo_ldap)) {
ldap_unbind($vo_ldap);
return false;
}
// user role and group membership syncing with directory
$t_user = new ca_users();
if ($t_user->load($ps_username)) {
// don't try to sync roles for non-existing users (the first auth call is before the user is actually created)
if ($po_auth_config->get('ldap_sync_user_roles')) {
$va_expected_roles = array_merge($va_default_roles, self::getRolesToAddFromDirectory($ps_username, $vo_ldap));
foreach ($va_expected_roles as $vs_role) {
if (!$t_user->hasUserRole($vs_role)) {
$t_user->addRoles($vs_role);
}
}
foreach ($t_user->getUserRoles() as $vn_id => $va_role_info) {
if (!in_array($va_role_info['code'], $va_expected_roles)) {
$t_user->removeRoles($vn_id);
}
}
}
if ($po_auth_config->get('ldap_sync_user_groups')) {
$va_expected_groups = array_merge($va_default_groups, self::getGroupsToAddFromDirectory($ps_username, $vo_ldap));
foreach ($va_expected_groups as $vs_group) {
if (!$t_user->inGroup($vs_group)) {
$t_user->addToGroups($vs_group);
}
}
foreach ($t_user->getUserGroups() as $vn_id => $va_group_info) {
if (!in_array($va_group_info['code'], $va_expected_groups)) {
$t_user->removeFromGroups($vn_id);
}
}
}
}
ldap_unbind($vo_ldap);
return true;
}
function register()
{
if ($this->request->config->get('dont_allow_registration_and_login')) {
$this->notification->addNotification(_t("Registration is not enabled"), __NOTIFICATION_TYPE_ERROR__);
$this->redirect(caNavUrl($this->request, '', 'Front', 'Index'));
return;
}
MetaTagManager::setWindowTitle($this->request->config->get("app_display_name") . ": " . _t("Register"));
# logout user in case is already logged in
$this->request->deauthenticate();
$t_user = new ca_users();
$t_user->purify(true);
# --- process incoming registration attempt
$ps_email = $this->request->getParameter("email", pString);
$ps_fname = $this->request->getParameter("fname", pString);
$ps_lname = $this->request->getParameter("lname", pString);
$ps_password = $this->request->getParameter("password", pString);
$ps_password2 = $this->request->getParameter("password2", pString);
$ps_security = $this->request->getParameter("security", pString);
$va_errors = array();
if (!caCheckEmailAddress($ps_email)) {
$va_errors["email"] = _t("E-mail address is not valid.");
} else {
$t_user->set("email", $ps_email);
}
if (!$ps_fname) {
$va_errors["fname"] = _t("Please enter your first name");
} else {
$t_user->set("fname", $ps_fname);
}
if (!$ps_lname) {
$va_errors["lname"] = _t("Please enter your last name");
} else {
$t_user->set("lname", $ps_lname);
}
if (!$ps_password || !$ps_password2) {
$va_errors["password"] = _t("Please enter and re-type your password.");
} else {
if ($ps_password != $ps_password2) {
$va_errors["password"] = _t("Passwords do not match");
} else {
$t_user->set("password", $ps_password);
}
}
if (!$ps_security) {
$va_errors["security"] = _t("Please answer the security question.");
} else {
if ($ps_security != $_REQUEST["sum"]) {
$va_errors["security"] = _t("Your answer was incorrect, please try again");
}
}
// Check user profile responses
$va_profile_prefs = $t_user->getValidPreferences('profile');
if (is_array($va_profile_prefs) && sizeof($va_profile_prefs)) {
foreach ($va_profile_prefs as $vs_pref) {
$vs_pref_value = $this->request->getParameter('pref_' . $vs_pref, pString);
if (!$t_user->isValidPreferenceValue($vs_pref, $vs_pref_value)) {
$va_errors[$vs_pref] = join("; ", $t_user->getErrors());
$t_user->clearErrors();
}
}
}
# --- does deleted user login record for this user already exist?
# --- (look for active records only; inactive records will effectively block reregistration)
$vb_user_exists_but_is_deleted = false;
if ($t_user->load(array('user_name' => $ps_email))) {
if ((int) $t_user->get('userclass') == 255) {
if ($t_user->get('active') == 1) {
// yeah... so allow registration
$vb_user_exists_but_is_deleted = true;
} else {
// existing inactive user record blocks registration
$va_errors["email"] = _t("User cannot register");
}
} else {
// already valid login with this user name
$va_errors["email"] = _t("A user has already registered with this email address");
}
}
# get names of form fields
$va_fields = $t_user->getFormFields();
# loop through fields
foreach ($va_fields as $vs_f => $va_attr) {
switch ($vs_f) {
case "user_name":
if (!$vb_user_exists_but_is_deleted && !sizeof($va_errors)) {
# set field value
$t_user->set("user_name", $ps_email);
if ($t_user->numErrors() > 0) {
$va_errors[$vs_f] = join("; ", $t_user->getErrors());
}
}
break;
# -------------
# -------------
case "active":
if ($this->request->config->get('dont_approve_logins_on_registration')) {
$t_user->set("active", 0);
} else {
$t_user->set("active", 1);
}
break;
# -------------
# -------------
case "userclass":
$t_user->set("userclass", 1);
// 1=public-only
break;
# -------------
# -------------
default:
if (!$va_errors[$vs_f]) {
$t_user->set($vs_f, $_REQUEST[$vs_f]);
# set field values
if ($t_user->numErrors() > 0) {
$va_errors[$vs_f] = join("; ", $t_user->getErrors());
}
}
break;
# -------------
}
}
// Save user profile responses
if (is_array($va_profile_prefs) && sizeof($va_profile_prefs)) {
foreach ($va_profile_prefs as $vs_pref) {
$t_user->setPreference($vs_pref, $this->request->getParameter('pref_' . $vs_pref, pString));
}
}
if (sizeof($va_errors) == 0) {
# --- there are no errors so make new user record
$t_user->setMode(ACCESS_WRITE);
if ($vb_user_exists_but_is_deleted) {
$t_user->update();
} else {
$t_user->insert();
}
$pn_user_id = $t_user->get("user_id");
if ($t_user->numErrors()) {
$va_errors["register"] = join("; ", $t_user->getErrors());
} else {
# --- add default roles
if (($va_default_roles = $this->request->config->getList('registration_default_roles')) && sizeof($va_default_roles)) {
$t_user->addRoles($va_default_roles);
}
# --- user is joining a user group from a supplied link
if ($this->request->session->getVar("join_user_group_id")) {
if (!$t_user->inGroup($this->request->session->getVar("join_user_group_id"))) {
$t_user->addToGroups($this->request->session->getVar("join_user_group_id"));
$this->request->session->setVar("join_user_group_id", "");
$vs_group_message = _t(" You were added to the group");
} else {
$this->request->session->setVar("join_user_group_id", "");
$vs_group_message = _t(" You are already a member of the group");
}
}
# --- send email confirmation
$o_view = new View($this->request, array($this->request->getViewsDirectoryPath()));
# -- generate email subject line from template
$vs_subject_line = $o_view->render("mailTemplates/reg_conf_subject.tpl");
# -- generate mail text from template - get both the text and the html versions
$vs_mail_message_text = $o_view->render("mailTemplates/reg_conf.tpl");
$vs_mail_message_html = $o_view->render("mailTemplates/reg_conf_html.tpl");
caSendmail($t_user->get('email'), $this->request->config->get("ca_admin_email"), $vs_subject_line, $vs_mail_message_text, $vs_mail_message_html);
if ($this->request->config->get("email_notification_for_new_registrations")) {
# --- send email to admin
$o_view = new View($this->request, array($this->request->getViewsDirectoryPath()));
$o_view->setVar("t_user", $t_user);
# -- generate email subject line from template
$vs_subject_line = $o_view->render("mailTemplates/reg_admin_notification_subject.tpl");
# -- generate mail text from template - get both the text and the html versions
$vs_mail_message_text = $o_view->render("mailTemplates/reg_admin_notification.tpl");
$vs_mail_message_html = $o_view->render("mailTemplates/reg_admin_notification_html.tpl");
caSendmail($this->request->config->get("ca_admin_email"), $this->request->config->get("ca_admin_email"), $vs_subject_line, $vs_mail_message_text, $vs_mail_message_html);
}
$t_user = new ca_users();
$vs_action = $vs_controller = $vs_module_path = '';
if ($vs_default_action = $this->request->config->get('default_action')) {
$va_tmp = explode('/', $vs_default_action);
$vs_action = array_pop($va_tmp);
if (sizeof($va_tmp)) {
$vs_controller = array_pop($va_tmp);
}
if (sizeof($va_tmp)) {
$vs_module_path = join('/', $va_tmp);
}
} else {
$vs_controller = 'Splash';
$vs_action = 'Index';
}
$vs_url = caNavUrl($this->request, $vs_module_path, $vs_controller, $vs_action);
if ($t_user->get("active")) {
# log in the new user
$this->request->doAuthentication(array('dont_redirect' => true, 'user_name' => $ps_email, 'password' => $ps_password));
if ($this->request->isLoggedIn()) {
if ($this->request->isAjax()) {
$this->view->setVar("message", _t('Thank you for registering! You are now logged in.') . $vs_group_message);
$this->render("Form/reload_html.php");
return;
} else {
$this->notification->addNotification(_t('Thank you for registering! You are now logged in.') . $vs_group_message, __NOTIFICATION_TYPE_INFO__);
$this->response->setRedirect($vs_url);
}
} else {
$va_errors["register"] = _t("Login failed.");
}
} else {
# --- registration needs approval
$this->notification->addNotification(_t('Thank you for registering! Your account will be activated after review.') . $vs_group_message, __NOTIFICATION_TYPE_INFO__);
$this->response->setRedirect($vs_url);
}
}
}
if (sizeof($va_errors) > 0) {
$this->view->setVar('errors', $va_errors);
$this->registerForm($t_user);
}
}
private function syncWithDirectory($ps_username)
{
$va_default_roles = $this->getConfigValue("ldap_users_default_roles", array());
$va_default_groups = $this->getConfigValue("ldap_users_default_groups", array());
$t_user = new ca_users();
// don't try to sync roles for non-existing users (the first auth call is before the user is actually created)
if (!$t_user->load($ps_username)) {
return;
}
if ($this->getConfigValue('ldap_sync_user_roles')) {
$va_expected_roles = array_merge($va_default_roles, $this->getRolesToAddFromDirectory($ps_username));
foreach ($va_expected_roles as $vs_role) {
if (!$t_user->hasUserRole($vs_role)) {
$t_user->addRoles($vs_role);
}
}
foreach ($t_user->getUserRoles() as $vn_id => $va_role_info) {
if (!in_array($va_role_info['code'], $va_expected_roles)) {
$t_user->removeRoles($vn_id);
}
}
}
if ($this->getConfigValue('ldap_sync_user_groups')) {
$va_expected_groups = array_merge($va_default_groups, $this->getGroupsToAddFromDirectory($ps_username));
foreach ($va_expected_groups as $vs_group) {
if (!$t_user->inGroup($vs_group)) {
$t_user->addToGroups($vs_group);
}
}
foreach ($t_user->getUserGroups() as $vn_id => $va_group_info) {
if (!in_array($va_group_info['code'], $va_expected_groups)) {
$t_user->removeFromGroups($vn_id);
}
}
}
}
