Added special auth handling for admin@localhost.

[timetracker.git] / WEB-INF / lib / auth / Auth_ldap.class.php

diff --git a/WEB-INF/lib/auth/Auth_ldap.class.php b/WEB-INF/lib/auth/Auth_ldap.class.php
index 93fdebf..b3f5d52 100644 (file)
--- a/WEB-INF/lib/auth/Auth_ldap.class.php
+++ b/WEB-INF/lib/auth/Auth_ldap.class.php
@@ -78,6 +78,13 @@ class Auth_ldap extends Auth {
    */
   function authenticate($login, $password)
   {
+    // Special handling for admin@localhost - authenticate against db, not ldap.
+    // It is a fallback mechanism when admin account in LDAP directory does not exist or is misconfigured.
+    if ($login == 'admin@localhost') {
+        import('auth.Auth_db');
+        return Auth_db::authenticate($login, $password);
+    }
+
     if (!function_exists('ldap_bind')) {
       die ('php_ldap extension not loaded!');
     }
@@ -97,16 +104,16 @@ class Auth_ldap extends Auth {
     }
 
     if (!$lc) return false;
-    
+
     ldap_set_option($lc, LDAP_OPT_PROTOCOL_VERSION, 3);
     ldap_set_option($lc, LDAP_OPT_REFERRALS, 0);
     if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
       ldap_set_option($lc, LDAP_OPT_DEBUG_LEVEL, 7);
     }
-    
+
     // We need to handle Windows AD and OpenLDAP differently.
     if ($this->params['type'] != 'openldap') {
-      
+
       // check if the user specified full login
       if (strpos($login, '@') === false) {
         // append default domain
@@ -119,7 +126,7 @@ class Auth_ldap extends Auth {
       }
 
       $lb = @ldap_bind($lc, $login, $password);
-    
+
       if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
         echo '$lb='; var_dump($lb); echo '<br />';
         echo 'ldap_error()='; echo ldap_error($lc); echo '<br />';
@@ -130,7 +137,7 @@ class Auth_ldap extends Auth {
         return false;
       }
 
-         if ($member_of) {
+      if ($member_of) {
         // get groups
 
         $filter = 'samaccountname='.Auth_ldap::ldap_escape($login);
@@ -185,21 +192,16 @@ class Auth_ldap extends Auth {
 
       ldap_unbind($lc);
 
-      // handle special case - admin account, strip domain part
-      if (strpos($login, 'admin@') !== false) {
-        $login = substr($login, 0, 5);
-      }
-
       return array('login' => $login, 'data' => $entries, 'member_of' => $groups);
     } else {
-       
+
       // Assuming OpenLDAP server.
       $login_oldap = 'uid='.$login.','.$this->params['base_dn'];
 
       if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
         echo '$login_oldap='; var_dump($login_oldap); echo '<br />';
       }
-      
+
       // check if the user specified full login
       if (strpos($login, '@') === false) {
         // append default domain
@@ -207,7 +209,7 @@ class Auth_ldap extends Auth {
       }
 
       $lb = @ldap_bind($lc, $login_oldap, $password);
-    
+
       if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
         echo '$lb='; var_dump($lb); echo '<br />';
         echo 'ldap_error()='; echo ldap_error($lc); echo '<br />';
@@ -218,7 +220,7 @@ class Auth_ldap extends Auth {
         return false;
       }
 
-         if ($member_of) {
+      if ($member_of) {
         // get groups
 
         $filter = 'samaccountname='.Auth_ldap::ldap_escape($login_oldap);
@@ -273,11 +275,6 @@ class Auth_ldap extends Auth {
 
       ldap_unbind($lc);
 
-      // handle special case - admin account, strip domain part
-      if (strpos($login, 'admin@') !== false) {
-        $login = substr($login, 0, 5);
-      }
-
       return array('login' => $login, 'data' => $entries, 'member_of' => $groups);
     }
   }
@@ -285,4 +282,4 @@ class Auth_ldap extends Auth {
   function isPasswordExternal() {
     return true;
   }
-}
\ No newline at end of file
+}