<?php
/**
* Elgg LDAP authentication
*
* @package ElggLDAPAuth
* @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
* @link http://elgg.com
*/
/**
 * Plugin initialisation: hook the LDAP PAM handler and the plugin translations.
 *
 * Registered as the 'init','system' event handler. The event API passes
 * $event, $object_type and $object to handlers, but this one does not need them,
 * so it declares no parameters.
 */
function ldap_auth_init()
{
    global $CONFIG;

    // Make ldap_auth_authenticate() part of Elgg's PAM login chain
    register_pam_handler('ldap_auth_authenticate');

    // Language files live inside the plugin directory
    $languages_dir = "{$CONFIG->pluginspath}ldap_auth/languages/";
    register_translations($languages_dir);
}
// Hook ldap_auth_init() into Elgg's start-up sequence
elgg_register_event_handler('init', 'system', 'ldap_auth_init');
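/**
 * PAM handler: authenticate a username/password pair against LDAP.
 *
 * The credential shape is validated before anything else, so malformed input
 * is rejected without a settings lookup. Empty strings are rejected because an
 * empty password would otherwise reach the directory as an unauthenticated bind.
 *
 * @param mixed $credentials PAM handler specific credentials; expected to be an
 *                           array with non-empty scalar 'username' and 'password'
 * @return boolean true when LDAP accepted the credentials (and the Elgg user was
 *                 logged in or created), false otherwise
 */
function ldap_auth_authenticate($credentials = null)
{
    if (!is_array($credentials)
        || !isset($credentials['username'], $credentials['password'])
        || !is_scalar($credentials['username'])
        || !is_scalar($credentials['password'])) {
        return false;
    }

    // Compare against '' explicitly: a truthiness test would wrongly reject "0"
    $username = (string) $credentials['username'];
    $password = (string) $credentials['password'];
    if ($username === '' || $password === '') {
        return false;
    }

    // Nothing to do if the LDAP extension is not loaded
    if (!function_exists('ldap_connect')) {
        return false;
    }

    // Nothing to do if the plugin has not been configured
    $config = find_plugin_settings('ldap_auth');
    if (!$config) {
        return false;
    }

    // Perform the authentication
    return ldap_auth_check($config, $username, $password);
}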
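/**
 * Perform an LDAP authentication check and, on success, log the user into Elgg
 * (or create the account when 'user_create' is enabled).
 *
 * Settings are read through elgg_get_plugin_setting(); $config is accepted for
 * interface compatibility but is not read here. The LDAP connection is closed on
 * every return path.
 *
 * @param ElggPlugin $config   plugin settings object (unused, kept for callers)
 * @param string     $username
 * @param string     $password
 * @return boolean true when LDAP accepted the credentials and the Elgg account was
 *                 logged in or created; false on any failure (never null)
 */
function ldap_auth_check($config, $username, $password)
{
    $host = elgg_get_plugin_setting('hostname', 'ldap_auth');
    if (empty($host)) {
        elgg_log("LDAP error: no host configured.", 'ERROR');
        // Always hand a boolean back to the PAM chain (a bare return yields null)
        return false;
    }

    $port        = elgg_get_plugin_setting('port', 'ldap_auth');
    $version     = elgg_get_plugin_setting('version', 'ldap_auth');
    $basedn      = elgg_get_plugin_setting('basedn', 'ldap_auth');
    $filter_attr = elgg_get_plugin_setting('filter_attr', 'ldap_auth');
    $search_attr = elgg_get_plugin_setting('search_attr', 'ldap_auth');
    $bind_dn     = elgg_get_plugin_setting('ldap_bind_dn', 'ldap_auth');
    $bind_pwd    = elgg_get_plugin_setting('ldap_bind_pwd', 'ldap_auth');
    $user_create = (elgg_get_plugin_setting('user_create', 'ldap_auth') === 'on');
    $start_tls   = (elgg_get_plugin_setting('start_tls', 'ldap_auth') === 'on');

    // Defaults for optional settings
    $port        = $port ? (int) $port : 389;
    $version     = $version ? (int) $version : 3;
    $filter_attr = $filter_attr ? $filter_attr : 'uid';
    // Several base DNs may be configured, separated by ':'
    $basedn      = $basedn ? array_map('trim', explode(':', $basedn)) : array();
    $search_attr = ldap_auth_parse_search_attr($search_attr);

    $ds = ldap_auth_connect($host, $port, $version, $bind_dn, $bind_pwd);
    if (!$ds) {
        return false;
    }

    // Upgrade to TLS before the user's password crosses the wire, if configured
    if ($start_tls && !ldap_start_tls($ds)) {
        elgg_log('Unable to start TLS on the LDAP connection: ' . ldap_error($ds), 'ERROR');
        ldap_close($ds);
        return false;
    }

    // Try each base DN in turn; the first match decides the outcome
    $result = false;
    foreach ($basedn as $this_ldap_basedn) {
        $ldap_user_info = ldap_auth_do_auth($ds, $this_ldap_basedn, $username, $password, $filter_attr, $search_attr);
        if ($ldap_user_info) {
            $result = ldap_auth_login_or_create($username, $password, $ldap_user_info, $user_create);
            break;
        }
    }

    // Release the connection on the success path too (it was only closed on failure before)
    ldap_close($ds);
    return $result;
}

/**
 * Parse the 'search_attr' setting ("email:mail, name:cn") into a map of
 * local name => LDAP attribute. Falls back to array('dn' => 'dn') when unset.
 *
 * @param string|null $search_attr raw setting value
 * @return array
 */
function ldap_auth_parse_search_attr($search_attr)
{
    if (empty($search_attr)) {
        return array('dn' => 'dn');
    }
    $values = array();
    foreach (array_map('trim', explode(',', $search_attr)) as $pair) {
        $parts = array_map('trim', explode(':', $pair));
        if ($parts[0] === '') {
            continue;
        }
        // A bare "name" entry (no ':') maps the attribute to itself
        $values[$parts[0]] = isset($parts[1]) ? $parts[1] : $parts[0];
    }
    return $values;
}

/**
 * After a successful LDAP bind: log an existing Elgg user in, or create the
 * account from the returned LDAP attributes when user_create is enabled.
 *
 * @param string  $username
 * @param string  $password       the LDAP password; it is handed to register_user(),
 *                                so a local Elgg credential is created from it as well
 * @param array   $ldap_user_info attributes returned by ldap_auth_do_auth()
 * @param boolean $user_create    whether unknown users may be auto-registered
 * @return boolean
 */
function ldap_auth_login_or_create($username, $password, $ldap_user_info, $user_create)
{
    $user = get_user_by_username($username);
    if ($user) {
        // Account already exists and LDAP accepted the credentials: log in
        return login($user);
    }

    if (!$user_create) {
        // Valid login but no local account and auto-creation is disabled
        register_error(elgg_echo("ldap_auth:no_account"));
        return false;
    }

    // Display name from the mapped 'firstname'/'lastname' attributes, when present
    $name = isset($ldap_user_info['lastname']) ? $ldap_user_info['lastname'] : '';
    if (isset($ldap_user_info['firstname'])) {
        $name = $ldap_user_info['firstname'] . " " . $name;
    }
    $email = !empty($ldap_user_info['mail']) ? $ldap_user_info['mail'] : null;

    $user_guid = register_user($username, $password, $name, $email);
    if ($user_guid) {
        // Credentials valid and the account has been created
        return true;
    }
    register_error(elgg_echo('ldap_auth:no_register'));
    return false;
}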
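/**
 * Open an LDAP connection and perform the service (or anonymous) bind.
 *
 * A simple bind sends $bind_pwd in the clear unless $host is an ldaps:// URI or
 * the caller upgrades the link with ldap_start_tls() afterwards.
 *
 * @param string      $host     hostname or LDAP URI
 * @param int         $port
 * @param int         $version  LDAP protocol version
 * @param string|null $bind_dn  DN to bind as; empty or unset for an anonymous bind
 * @param string|null $bind_pwd password for $bind_dn
 * @return mixed LDAP link identifier on success, or false on error
 */
function ldap_auth_connect($host, $port, $version, $bind_dn, $bind_pwd)
{
    $ds = ldap_connect($host, $port);
    if (!$ds) {
        // ldap_connect() fails only on invalid parameters, before any link exists
        // that ldap_error() could be asked about
        elgg_log('Unable to connect to the LDAP server: invalid host or port', 'ERROR');
        return false;
    }

    // Only touch the link once we know it is valid
    if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $version)) {
        elgg_log('Unable to set the LDAP protocol version: ' . ldap_error($ds), 'ERROR');
        ldap_close($ds);
        return false;
    }

    if (is_string($bind_dn) && $bind_dn !== '') {
        $ldapbind = ldap_bind($ds, $bind_dn, $bind_pwd);
    } else {
        // Anonymous bind
        $ldapbind = ldap_bind($ds);
    }

    if (!$ldapbind) {
        elgg_log('Unable to bind to the LDAP server with provided credentials: ' . ldap_error($ds), 'ERROR');
        ldap_close($ds);
        return false;
    }
    return $ds;
}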
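/**
 * Look the user up under $basedn and verify the password with a bind as that entry.
 *
 * The username is escaped for the filter context with ldap_escape() (PHP >= 5.6);
 * interpolating it raw let filter metacharacters in the submitted username change
 * the query. A search that matches more than one entry is refused instead of
 * binding as whichever entry the directory listed first.
 *
 * @param resource $ds          LDAP link identifier, bound as the service account
 * @param string   $basedn
 * @param string   $username
 * @param string   $password
 * @param string   $filter_attr attribute the username is matched against (e.g. uid)
 * @param array    $search_attr map of local name => LDAP attribute to return
 * @return mixed array of requested attributes (local name => first value, null when
 *               absent) on success; false when the user is not found, the match is
 *               ambiguous, or the password is rejected
 */
function ldap_auth_do_auth($ds, $basedn, $username, $password, $filter_attr, $search_attr)
{
    // An empty password would turn the user bind into an unauthenticated bind,
    // which many directories accept; refuse it before touching the server
    if (!is_string($password) || $password === '') {
        return false;
    }

    $filter = $filter_attr . '=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $sr = ldap_search($ds, $basedn, $filter, array_values($search_attr));
    if (!$sr) {
        elgg_log('Unable to perform LDAP search: ' . ldap_error($ds), 'ERROR');
        return false;
    }

    $entries = ldap_get_entries($ds, $sr);
    ldap_free_result($sr);
    if (!$entries || empty($entries['count']) || !isset($entries[0]['dn'])) {
        return false; // username not found
    }
    if ((int) $entries['count'] !== 1) {
        elgg_log('LDAP search matched more than one entry for a login name; refusing.', 'ERROR');
        return false;
    }
    $entry = $entries[0];

    // Username exists: test the credentials by binding as that entry's DN
    if (!ldap_bind($ds, $entry['dn'], $password)) {
        return false;
    }

    // Collect the requested attributes; initialised so an empty map still returns an array
    $ldap_user_info = array();
    foreach ($search_attr as $local => $attr) {
        $ldap_user_info[$local] = ldap_auth_entry_value($entry, $attr);
    }
    return $ldap_user_info;
}

/**
 * First value of $attr in an ldap_get_entries() entry, or null when absent.
 *
 * Attribute names are looked up as given and in lower case (ldap_get_entries()
 * indexes attributes in lower case). 'dn' is a plain string in the entry rather
 * than a value list, so string values are returned as-is.
 *
 * @param array  $entry one entry from ldap_get_entries()
 * @param string $attr  LDAP attribute name
 * @return mixed
 */
function ldap_auth_entry_value($entry, $attr)
{
    foreach (array($attr, strtolower($attr)) as $key) {
        if (!isset($entry[$key])) {
            continue;
        }
        $value = $entry[$key];
        if (is_array($value)) {
            return isset($value[0]) ? $value[0] : null;
        }
        return $value;
    }
    return null;
}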
?>