首页 发现 帮助
注册 登录
SKZH
/
ITSSTOOLS
3
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
目录树: b5f17f7b37
分支列表 标签列表
ITSSTOOLS
/
modules
/
authent-ldap
/
model.authent-ldap.php

model.authent-ldap.php 6.1 KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168 
  1. <?php
    2. 

  2. // Copyright (C) 2010 Combodo SARL
    3. 

  3. //
    4. 

  4. //   This program is free software; you can redistribute it and/or modify
    5. 

  5. //   it under the terms of the GNU General Public License as published by
    6. 

  6. //   the Free Software Foundation; version 3 of the License.
    7. 

  7. //
    8. 

  8. //   This program is distributed in the hope that it will be useful,
    9. 

  9. //   but WITHOUT ANY WARRANTY; without even the implied warranty of
    10. 

  10. //   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    11. 

  11. //   GNU General Public License for more details.
    12. 

  12. //
    13. 

  13. //   You should have received a copy of the GNU General Public License
    14. 

  14. //   along with this program; if not, write to the Free Software
    15. 

  15. //   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
    16. 

  16. 

  17. /**
    18. 

  18.  * Authent LDAP
    19. 

  19.  * User authentication Module, no password at all!
    20. 

  20.  *
    21. 

  21.  * @author      Erwan Taloc <erwan.taloc@combodo.com>
    22. 

  22.  * @author      Romain Quetiez <romain.quetiez@combodo.com>
    23. 

  23.  * @author      Denis Flaven <denis.flaven@combodo.com>
    24. 

  24.  * @license     http://www.opensource.org/licenses/gpl-3.0.html LGPL
    25. 

  25.  */
    26. 

  26. 

  27. 

  28. class UserLDAP extends User
    29. 

  29. {
    30. 

  30. 	public static function Init()
    31. 

  31. 	{
    32. 

  32. 		$aParams = array
    33. 

  33. 		(
    34. 

  34. 			"category" => "addon/authentication",
    35. 

  35. 			"key_type" => "autoincrement",
    36. 

  36. 			"name_attcode" => "login",
    37. 

  37. 			"state_attcode" => "",
    38. 

  38. 			"reconc_keys" => array(),
    39. 

  39. 			"db_table" => "",
    40. 

  40. 			"db_key_field" => "id",
    41. 

  41. 			"db_finalclass_field" => "",
    42. 

  42. 			"display_template" => "",
    43. 

  43. 		);
    44. 

  44. 		MetaModel::Init_Params($aParams);
    45. 

  45. 		MetaModel::Init_InheritAttributes();
    46. 

  46. 

  47. 		// Display lists
    48. 

  48. 		MetaModel::Init_SetZListItems('details', array('contactid', 'first_name', 'email', 'login', 'language', 'profile_list')); // Attributes to be displayed for the complete details
    49. 

  49. 		MetaModel::Init_SetZListItems('list', array('first_name', 'last_name', 'login')); // Attributes to be displayed for a list
    50. 

  50. 		// Search criteria
    51. 

  51. 		MetaModel::Init_SetZListItems('standard_search', array('login', 'contactid')); // Criteria of the std search form
    52. 

  52. 		MetaModel::Init_SetZListItems('advanced_search', array('login', 'contactid')); // Criteria of the advanced search form
    53. 

  53. 	}
    54. 

  54. 

  55. 	/**
    56. 

  56. 	 * Check the user's password against the LDAP server
    57. 

  57. 	 * Algorithm:
    58. 

  58. 	 * 1) Connect to the LDAP server, using a predefined account (or anonymously)
    59. 

  59. 	 * 2) Search for the specified user, based on a specific search query/pattern
    60. 

  60. 	 * 3) If exactly one user is found, continue, otherwise return false (wrong user or wrong query configured)
    61. 

  61. 	 * 3) Bind again to LDAP using the DN of the found user and the password
    62. 

  62. 	 * 4) If the bind is successful return true, otherwise return false (wrong password)
    63. 

  63. 	 * @param string $sPassword The user's password to validate against the LDAP server
    64. 

  64. 	 * @return boolean True if the password is Ok, false otherwise
    65. 

  65. 	 */
    66. 

  66. 	public function CheckCredentials($sPassword)
    67. 

  67. 	{
    68. 

  68. 		$sLDAPHost = MetaModel::GetModuleSetting('authent-ldap', 'host', 'localhost');
    69. 

  69. 		$iLDAPPort = MetaModel::GetModuleSetting('authent-ldap', 'port', 389);
    70. 

  70. 		
    71. 

  71. 		$sDefaultLDAPUser = MetaModel::GetModuleSetting('authent-ldap', 'default_user', '');
    72. 

  72. 		$sDefaultLDAPPwd = MetaModel::GetModuleSetting('authent-ldap', 'default_pwd', '');
    73. 

  73. 		
    74. 

  74. 		$hDS = @ldap_connect($sLDAPHost, $iLDAPPort);
    75. 

  75. 		if ($hDS === false)
    76. 

  76. 		{
    77. 

  77. 			$this->LogMessage("ldap_authentication: can not connect to the LDAP server '$sLDAPHost' (port: $iLDAPPort). Check the configuration file config-itop.php.");
    78. 

  78. 			return false;
    79. 

  79. 		}
    80. 

  80. 		$aOptions = MetaModel::GetModuleSetting('authent-ldap', 'options', array());
    81. 

  81. 		foreach($aOptions as $name => $value)
    82. 

  82. 		{
    83. 

  83. 			ldap_set_option($hDS, $name, $value);
    84. 

  84. 		}
    85. 

  85. 				
    86. 

  86. 		if ($bind = @ldap_bind($hDS, $sDefaultLDAPUser, $sDefaultLDAPPwd))
    87. 

  87. 		{
    88. 

  88. 			// Search for the person, using the specified query expression
    89. 

  89. 			$sLDAPUserQuery = MetaModel::GetModuleSetting('authent-ldap', 'user_query', '');
    90. 

  90. 			$sBaseDN = MetaModel::GetModuleSetting('authent-ldap', 'base_dn', '');
    91. 

  91. 			
    92. 

  92. 			$sQuery = sprintf($sLDAPUserQuery, $this->Get('login'));
    93. 

  93. 			$hSearchResult = @ldap_search($hDS, $sBaseDN, $sQuery);
    94. 

  94. 

  95. 			$iCountEntries = ($hSearchResult !== false) ? @ldap_count_entries($hDS, $hSearchResult) : 0;
    96. 

  96. 			switch($iCountEntries)
    97. 

  97. 			{
    98. 

  98. 				case 1:
    99. 

  99. 				// Exactly one entry found, let's check the password by trying to bind with this user
    100. 

  100. 				$aEntry = ldap_get_entries($hDS, $hSearchResult);
    101. 

  101. 				$sUserDN = $aEntry[0]['dn'];
    102. 

  102. 				$bUserBind =  @ldap_bind($hDS, $sUserDN, $sPassword);
    103. 

  103. 				if ($bUserBind !== false)
    104. 

  104. 				{
    105. 

  105. 					ldap_unbind($hDS);
    106. 

  106. 					return true; // Password Ok
    107. 

  107. 				}
    108. 

  108. 				$this->LogMessage("ldap_authentication: wrong password for user: '$sUserDN'.");
    109. 

  109. 				return false; // Wrong password
    110. 

  110. 				break;
    111. 

  111. 				
    112. 

  112. 				case 0:
    113. 

  113. 				// User not found...
    114. 

  114. 				$this->LogMessage("ldap_authentication: no entry found with the query '$sQuery', base_dn = '$sBaseDN'. User not found in LDAP.");
    115. 

  115. 				break;
    116. 

  116. 				
    117. 

  117. 				default:
    118. 

  118. 				// More than one entry... maybe the query is not specific enough...
    119. 

  119. 				$this->LogMessage("ldap_authentication: several (".ldap_count_entries($hDS, $hSearchResult).") entries match the query '$sQuery', base_dn = '$sBaseDN', check that the query defined in config-itop.php is specific enough.");
    120. 

  120. 			}
    121. 

  121. 			return false;
    122. 

  122. 		}
    123. 

  123. 		else
    124. 

  124. 		{
    125. 

  125. 			// Trace: invalid default user for LDAP initial binding
    126. 

  126. 			$this->LogMessage("ldap_authentication: can not bind to the LDAP server '$sLDAPHost' (port: $iLDAPPort), user='$sDefaultLDAPUser', pwd='$sDefaultLDAPPwd'. Error: '".ldap_error($hDS)."'. Check the configuration file config-itop.php.");
    127. 

  127. 			return false;
    128. 

  128. 		}
    129. 

  129. 	}
    130. 

  130. 

  131. 	public function TrustWebServerContext()
    132. 

  132. 	{
    133. 

  133. 		return false;
    134. 

  134. 	}
    135. 

  135. 

  136. 	public function CanChangePassword()
    137. 

  137. 	{
    138. 

  138. 		return false;
    139. 

  139. 	}
    140. 

  140. 

  141. 	public function ChangePassword($sOldPassword, $sNewPassword)
    142. 

  142. 	{
    143. 

  143. 		return false;
    144. 

  144. 	}
    145. 

  145. 	
    146. 

  146. 	protected function LogMessage($sMessage, $aData = array())
    147. 

  147. 	{
    148. 

  148. 		if (MetaModel::IsLogEnabledIssue())
    149. 

  149. 		{
    150. 

  150. 			if (MetaModel::IsValidClass('EventIssue'))
    151. 

  151. 			{
    152. 

  152. 				$oLog = new EventIssue();
    153. 

  153. 	
    154. 

  154. 				$oLog->Set('message', $sMessage);
    155. 

  155. 				$oLog->Set('userinfo', '');
    156. 

  156. 				$oLog->Set('issue', 'LDAP Authentication');
    157. 

  157. 				$oLog->Set('impact', 'User login rejected');
    158. 

  158. 				$oLog->Set('data', $aData);
    159. 

  159. 				$oLog->DBInsertNoReload();
    160. 

  160. 			}
    161. 

  161. 	
    162. 

  162. 			IssueLog::Error($sMessage);
    163. 

  163. 		}		
    164. 

  164. 	}
    165. 

  165. }
    166. 

  166. 

  167. 

  168. ?>
    169.