X-Git-Url: http://wagnertech.de/git?a=blobdiff_plain;f=WEB-INF%2Flib%2Fauth%2FAuth_ldap.class.php;h=23ea127e6b692aa416b0843c2a7b9ed6dd051de9;hb=bacdf3405307cfc27832db00b09bbf52d4b9f72c;hp=93fdebf4aafabec99625acca72f6ec12f4168181;hpb=9a23a8c0a51b7ec38a96f525484134f3cb85dc7e;p=timetracker.git
diff --git a/WEB-INF/lib/auth/Auth_ldap.class.php b/WEB-INF/lib/auth/Auth_ldap.class.php
index 93fdebf4..23ea127e 100644
--- a/WEB-INF/lib/auth/Auth_ldap.class.php
+++ b/WEB-INF/lib/auth/Auth_ldap.class.php
@@ -51,12 +51,11 @@
class Auth_ldap extends Auth {
var $params;
- function Auth_ldap($params)
+ function __construct($params)
{
+ global $smarty;
$this->params = $params;
- if (isset($GLOBALS['smarty'])) {
- $GLOBALS['smarty']->assign('Auth_ldap_params', $this->params);
- }
+ $smarty->assign('Auth_ldap_params', $this->params);
}
function ldap_escape($str){
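Review bot: `$smarty->assign(...)` now runs unguarded, so when the global is not set (the case the removed `isset($GLOBALS['smarty'])` handled) the constructor fails with a method call on null instead of skipping the assignment. Keep the guard with the `global` form: `if (isset($smarty)) { $smarty->assign('Auth_ldap_params', $this->params); }`. The whole `$params` array is pushed to the template layer unconditionally; nothing in this hunk shows what it holds, but if it carries directory bind credentials that exposure deserves a comment or a filtered copy.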
@@ -65,7 +64,7 @@ class Auth_ldap extends Auth {
foreach ($illegal as $id => $char) {
$legal[$id] = "\\".$char;
}
- $str = str_replace($illegal, $legal,$str); //replace them
+ $str = str_replace($illegal, $legal, $str); //replace them
return $str;
}
@@ -78,6 +77,13 @@ class Auth_ldap extends Auth {
*/
function authenticate($login, $password)
{
+ // Special handling for admin@localhost - authenticate against db, not ldap.
+ // It is a fallback mechanism when admin account in LDAP directory does not exist or is misconfigured.
+ if ($login == 'admin@localhost') {
+ import('auth.Auth_db');
+ return Auth_db::authenticate($login, $password);
+ }
+
if (!function_exists('ldap_bind')) {
die ('php_ldap extension not loaded!');
}
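Review bot: The new `admin@localhost` branch calls `Auth_db::authenticate` statically; if that method is an instance method reading `$this->params`, as `authenticate` in this class is, PHP 8 raises an Error on the static call, so it likely needs an instance such as `(new Auth_db($this->params))->authenticate($login, $password)` — confirm `Auth_db`'s constructor and method signature. The comparison should be strict: `if ($login === 'admin@localhost') {`. Because this path skips LDAP entirely, including the `member_of` group gate applied further down, the comment should state that the local DB password for this account is the only control on it. `authenticate` continues past the hunk.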
@@ -90,37 +96,36 @@ class Auth_ldap extends Auth {
$lc = ldap_connect($this->params['server']);
- if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+ if (isTrue(AUTH_DEBUG)) {
echo '
';
echo '$lc='; var_dump($lc); echo '
';
echo 'ldap_error()='; echo ldap_error($lc); echo '
';
}
if (!$lc) return false;
-
+
ldap_set_option($lc, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($lc, LDAP_OPT_REFERRALS, 0);
- if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+ if (isTrue(AUTH_DEBUG)) {
ldap_set_option($lc, LDAP_OPT_DEBUG_LEVEL, 7);
}
-
+
// We need to handle Windows AD and OpenLDAP differently.
- if ($this->params['type'] != 'openldap') {
-
- // check if the user specified full login
+ if ($this->params['type'] == 'ad') {
+
+ // Check if user specified full login.
if (strpos($login, '@') === false) {
- // append default domain
+ // Append default domain.
$login .= '@' . $this->params['default_domain'];
}
-
- if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+ if (isTrue(AUTH_DEBUG)) {
echo '$login='; var_dump($login); echo '
';
}
$lb = @ldap_bind($lc, $login, $password);
-
- if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+
+ if (isTrue(AUTH_DEBUG)) {
echo '$lb='; var_dump($lb); echo '
';
echo 'ldap_error()='; echo ldap_error($lc); echo '
';
}
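Review bot: Dropping `defined('AUTH_DEBUG') &&` makes `isTrue(AUTH_DEBUG)` depend on the constant existing: in PHP 8 an undefined constant is a fatal Error, and in PHP 7 it evaluates to the string `'AUTH_DEBUG'` with a warning, whose result then depends on what `isTrue` does with an arbitrary string. Unless the config loader is guaranteed to define it before this class is used, keep the guard, or centralise it once in a private helper such as `private function debugOn() { return defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG); }` and call that at each site. The same removal appears in the hunks at -130, -150, -162, -184, -207, -218, -238 and -258. `authenticate` begins and ends outside this hunk.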
@@ -130,19 +135,18 @@ class Auth_ldap extends Auth {
return false;
}
- if ($member_of) {
- // get groups
+ if ($member_of) {
+ // Get groups the user is a member of from AD LDAP server.
- $filter = 'samaccountname='.Auth_ldap::ldap_escape($login);
- $fields = array('samaccountname', 'mail', 'memberof', 'department', 'displayname', 'telephonenumber', 'primarygroupid');
+ $filter = 'userPrincipalName='.Auth_ldap::ldap_escape($login);
+ $fields = array('memberof');
$sr = @ldap_search($lc, $this->params['base_dn'], $filter, $fields);
- if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+ if (isTrue(AUTH_DEBUG)) {
echo '$sr='; var_dump($sr); echo '
';
echo 'ldap_error()='; echo ldap_error($lc); echo '
';
}
- // if search failed it's likely that account is disabled
if (!$sr) {
ldap_unbind($lc);
return false;
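Review bot: Narrowing `$fields` to `array('memberof')` changes the `data` element the AD branch returns (`'data' => $entries` in the hunk at -184), which previously carried `mail`, `displayname`, `department` and the other attributes; any caller reading those from the returned array now gets nothing, so check the consumers before dropping them. The switch to `userPrincipalName=` is consistent with the domain-suffixed `$login` bound above and keeps `ldap_escape` on the user-controlled value. The removed comment was the only explanation of the `!$sr` early return; a short replacement, `// A failed search after a successful bind usually means the account is disabled or not searchable.`, would preserve it. `authenticate` begins and ends outside this hunk.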
@@ -150,7 +154,7 @@ class Auth_ldap extends Auth {
$entries = @ldap_get_entries($lc, $sr);
- if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+ if (isTrue(AUTH_DEBUG)) {
echo '$entries='; var_dump($entries); echo '
';
echo 'ldap_error()='; echo ldap_error($lc); echo '
';
}
@@ -162,20 +166,19 @@ class Auth_ldap extends Auth {
$groups = array();
- // extract group names from
- // assuming the groups are in format: CN=,...
+ // Extract group names. Assume the groups are in format: CN=,...
for ($i = 0; $i < @$entries[0]['memberof']['count']; $i++) {
$grp = $entries[0]['memberof'][$i];
$grp_fields = explode(',', $grp);
$groups[] = substr($grp_fields[0], 3);
}
- if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+ if (isTrue(AUTH_DEBUG)) {
echo '$member_of'; var_dump($member_of); echo '
';
};
- // check for group membership
- foreach ($member_of as $check_grp) {
+ // Check for group membership.
+ foreach ($member_of as $check_grp) {
if (!in_array($check_grp, $groups)) {
ldap_unbind($lc);
return false;
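Review bot: The stray `};` closing the debug block in the AD branch is kept as is, while the identical construct in the OpenLDAP branch is corrected to `}` in the hunk at -258; apply the same fix here for consistency. The context line `if (!in_array($check_grp, $groups)) {` still compares loosely; `in_array($check_grp, $groups, true)` avoids a match through type juggling on numeric-looking group names. The enclosing function starts and ends outside the hunk.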
@@ -184,22 +187,18 @@ class Auth_ldap extends Auth {
}
ldap_unbind($lc);
+ return array('login' => $login, 'data' => $entries, 'member_of' => $groups);
+ }
- // handle special case - admin account, strip domain part
- if (strpos($login, 'admin@') !== false) {
- $login = substr($login, 0, 5);
- }
+ if ($this->params['type'] == 'openldap') {
- return array('login' => $login, 'data' => $entries, 'member_of' => $groups);
- } else {
-
// Assuming OpenLDAP server.
$login_oldap = 'uid='.$login.','.$this->params['base_dn'];
- if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+ if (isTrue(AUTH_DEBUG)) {
echo '$login_oldap='; var_dump($login_oldap); echo '
';
}
-
+
// check if the user specified full login
if (strpos($login, '@') === false) {
// append default domain
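Review bot: Removing the `admin@` domain-stripping means the AD branch now returns `'login' => 'admin@<domain>'` instead of `'admin'`; if the caller maps the returned login to a local user record, an LDAP-authenticated admin no longer resolves to the local admin account, so confirm that is intended or that the new `admin@localhost` DB fallback is meant to replace it. The same removal is made for the OpenLDAP branch in the hunk at -273. The unchanged context line `$login_oldap = 'uid='.$login.','.$this->params['base_dn'];` builds a bind DN from unescaped user input, and `ldap_escape` in this class escapes filter metacharacters rather than DN ones, so a DN-specific escape (the RFC 4514 special characters and leading/trailing spaces) is needed before that value is used as a DN. The `if ($this->params['type'] == 'openldap')` block continues past the hunk.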
@@ -207,8 +206,8 @@ class Auth_ldap extends Auth {
}
$lb = @ldap_bind($lc, $login_oldap, $password);
-
- if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+
+ if (isTrue(AUTH_DEBUG)) {
echo '$lb='; var_dump($lb); echo '
';
echo 'ldap_error()='; echo ldap_error($lc); echo '
';
}
@@ -218,14 +217,15 @@ class Auth_ldap extends Auth {
return false;
}
- if ($member_of) {
+ if ($member_of) {
+ // TODO: Fix this for OpenLDAP, as samaccountname has nothing to do with it.
// get groups
$filter = 'samaccountname='.Auth_ldap::ldap_escape($login_oldap);
$fields = array('samaccountname', 'mail', 'memberof', 'department', 'displayname', 'telephonenumber', 'primarygroupid');
$sr = @ldap_search($lc, $this->params['base_dn'], $filter, $fields);
- if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+ if (isTrue(AUTH_DEBUG)) {
echo '$sr='; var_dump($sr); echo '
';
echo 'ldap_error()='; echo ldap_error($lc); echo '
';
}
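Review bot: The added TODO describes a real failure rather than a cosmetic one: on OpenLDAP the filter `samaccountname=<bind DN>` cannot match, so whenever `member_of` is configured `$groups` stays empty and the membership loop further down rejects every user. A filter on the attribute the DN was built from, e.g. `$filter = 'uid='.Auth_ldap::ldap_escape($uid);` with `$uid` captured before the default domain is appended to `$login`, would at least locate the entry; whether `memberof` is populated then depends on the server's overlay, which should be confirmed. `$login_oldap` should also not go through `ldap_escape` here, since it is a DN rather than a bare attribute value. `authenticate` continues beyond this hunk.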
@@ -238,7 +238,7 @@ class Auth_ldap extends Auth {
$entries = @ldap_get_entries($lc, $sr);
- if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+ if (isTrue(AUTH_DEBUG)) {
echo '$entries='; var_dump($entries); echo '
';
echo 'ldap_error()='; echo ldap_error($lc); echo '
';
}
@@ -258,9 +258,9 @@ class Auth_ldap extends Auth {
$groups[] = substr($grp_fields[0], 3);
}
- if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+ if (isTrue(AUTH_DEBUG)) {
echo '$member_of'; var_dump($member_of); echo '
';
- };
+ }
// check for group membership
foreach ($member_of as $check_grp) {
@@ -273,16 +273,14 @@ class Auth_ldap extends Auth {
ldap_unbind($lc);
- // handle special case - admin account, strip domain part
- if (strpos($login, 'admin@') !== false) {
- $login = substr($login, 0, 5);
- }
-
return array('login' => $login, 'data' => $entries, 'member_of' => $groups);
}
+
+ // Server type is neither 'ad' or 'openldap'.
+ return false;
}
function isPasswordExternal() {
return true;
}
-}
\ No newline at end of file
+}
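Review bot: The new trailing `return false` silently rejects every login when `params['type']` is neither supported value; since the rest of the method emits diagnostics under `AUTH_DEBUG`, a misconfigured type should too: `if (isTrue(AUTH_DEBUG)) { echo 'unsupported ldap type='; var_dump($this->params['type']); }` before the return. The comment should read `// Server type is neither 'ad' nor 'openldap'.`. This hunk also drops the admin domain-stripping for the OpenLDAP branch, the same change made for the AD branch in the hunk at -184.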