X-Git-Url: http://wagnertech.de/git?a=blobdiff_plain;f=WEB-INF%2Flib%2Fauth%2FAuth_ldap.class.php;h=52d4fabe3dce3013810cbe9765fe330fb5a19538;hb=75a1eedb8977b8f2db459128bab9aaf367e3b58b;hp=25d375bc992379c6570e20d9396dbafdc08e1390;hpb=806dde3c7931d1a0d13c4f0469013a79e6198dcc;p=timetracker.git

diff --git a/WEB-INF/lib/auth/Auth_ldap.class.php b/WEB-INF/lib/auth/Auth_ldap.class.php
index 25d375bc..52d4fabe 100644
--- a/WEB-INF/lib/auth/Auth_ldap.class.php
+++ b/WEB-INF/lib/auth/Auth_ldap.class.php
@@ -51,12 +51,11 @@
 class Auth_ldap extends Auth {
   var $params;
 
-  function Auth_ldap($params)
+  function __construct($params)
   {
+    global $smarty;
     $this->params = $params;
-    if (isset($GLOBALS['smarty'])) {
-      $GLOBALS['smarty']->assign('Auth_ldap_params', $this->params);
-    }
+    $smarty->assign('Auth_ldap_params', $this->params);
   }
 
   function ldap_escape($str){
@@ -65,7 +64,7 @@ class Auth_ldap extends Auth {
     foreach ($illegal as $id => $char) {
       $legal[$id] = "\\".$char;
     }
-    $str = str_replace($illegal, $legal,$str); //replace them
+    $str = str_replace($illegal, $legal, $str); //replace them
     return $str;
   }
 
@@ -78,6 +77,13 @@ class Auth_ldap extends Auth {
    */
   function authenticate($login, $password)
   {
+    // Special handling for admin@localhost - authenticate against db, not ldap.
+    // It is a fallback mechanism when admin account in LDAP directory does not exist or is misconfigured.
+    if ($login == 'admin@localhost') {
+        import('auth.Auth_db');
+        return Auth_db::authenticate($login, $password);
+    }
+
     if (!function_exists('ldap_bind')) {
       die ('php_ldap extension not loaded!');
     }
@@ -90,7 +96,7 @@ class Auth_ldap extends Auth {
 
     $lc = ldap_connect($this->params['server']);
 
-    if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+    if (isTrue('AUTH_DEBUG')) {
       echo '<br />';
       echo '$lc='; var_dump($lc); echo '<br />';
       echo 'ldap_error()='; echo ldap_error($lc); echo '<br />';
@@ -100,27 +106,26 @@ class Auth_ldap extends Auth {
 
     ldap_set_option($lc, LDAP_OPT_PROTOCOL_VERSION, 3);
     ldap_set_option($lc, LDAP_OPT_REFERRALS, 0);
-    if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+    if (isTrue('AUTH_DEBUG')) {
       ldap_set_option($lc, LDAP_OPT_DEBUG_LEVEL, 7);
     }
 
     // We need to handle Windows AD and OpenLDAP differently.
-    if ($this->params['type'] != 'openldap') {
+    if ($this->params['type'] == 'ad') {
 
-      // check if the user specified full login
+      // Check if user specified full login.
       if (strpos($login, '@') === false) {
-        // append default domain
+        // Append default domain.
         $login .= '@' . $this->params['default_domain'];
       }
 
-
-      if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+      if (isTrue('AUTH_DEBUG')) {
         echo '$login='; var_dump($login); echo '<br />';
       }
 
       $lb = @ldap_bind($lc, $login, $password);
 
-      if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+      if (isTrue('AUTH_DEBUG')) {
         echo '$lb='; var_dump($lb); echo '<br />';
         echo 'ldap_error()='; echo ldap_error($lc); echo '<br />';
       }
@@ -131,18 +136,17 @@ class Auth_ldap extends Auth {
       }
 
       if ($member_of) {
-        // get groups
+        // Get groups the user is a member of from AD LDAP server.
 
-        $filter = 'samaccountname='.Auth_ldap::ldap_escape($login);
-        $fields = array('samaccountname', 'mail', 'memberof', 'department', 'displayname', 'telephonenumber', 'primarygroupid');
+        $filter = 'userPrincipalName='.Auth_ldap::ldap_escape($login);
+        $fields = array('memberof');
         $sr = @ldap_search($lc, $this->params['base_dn'], $filter, $fields);
 
-        if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+        if (isTrue('AUTH_DEBUG')) {
           echo '$sr='; var_dump($sr); echo '<br />';
           echo 'ldap_error()='; echo ldap_error($lc); echo '<br />';
         }
 
-        // if search failed it's likely that account is disabled
         if (!$sr) {
           ldap_unbind($lc);
           return false;
@@ -150,7 +154,7 @@ class Auth_ldap extends Auth {
 
         $entries = @ldap_get_entries($lc, $sr);
 
-        if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+        if (isTrue('AUTH_DEBUG')) {
           echo '$entries='; var_dump($entries); echo '<br />';
           echo 'ldap_error()='; echo ldap_error($lc); echo '<br />';
         }
@@ -162,20 +166,19 @@ class Auth_ldap extends Auth {
 
         $groups = array();
 
-        // extract group names from
-        // assuming the groups are in format: CN=<group_name>,...
+        // Extract group names. Assume the groups are in format: CN=<group_name>,...
         for ($i = 0; $i < @$entries[0]['memberof']['count']; $i++) {
           $grp = $entries[0]['memberof'][$i];
           $grp_fields = explode(',', $grp);
           $groups[] = substr($grp_fields[0], 3);
         }
 
-        if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+        if (isTrue('AUTH_DEBUG')) {
           echo '$member_of'; var_dump($member_of); echo '<br />';
         };
 
-        // check for group membership
-            foreach ($member_of as $check_grp) {
+        // Check for group membership.
+        foreach ($member_of as $check_grp) {
           if (!in_array($check_grp, $groups)) {
             ldap_unbind($lc);
             return false;
@@ -184,14 +187,15 @@ class Auth_ldap extends Auth {
       }
 
       ldap_unbind($lc);
-
       return array('login' => $login, 'data' => $entries, 'member_of' => $groups);
-    } else {
+    }
+
+    if ($this->params['type'] == 'openldap') {
 
       // Assuming OpenLDAP server.
       $login_oldap = 'uid='.$login.','.$this->params['base_dn'];
 
-      if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+      if (isTrue('AUTH_DEBUG')) {
         echo '$login_oldap='; var_dump($login_oldap); echo '<br />';
       }
 
@@ -203,7 +207,7 @@ class Auth_ldap extends Auth {
 
       $lb = @ldap_bind($lc, $login_oldap, $password);
 
-      if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+      if (isTrue('AUTH_DEBUG')) {
         echo '$lb='; var_dump($lb); echo '<br />';
         echo 'ldap_error()='; echo ldap_error($lc); echo '<br />';
       }
@@ -214,13 +218,14 @@ class Auth_ldap extends Auth {
       }
 
       if ($member_of) {
+        // TODO: Fix this for OpenLDAP, as samaccountname has nothing to do with it.
         // get groups
 
         $filter = 'samaccountname='.Auth_ldap::ldap_escape($login_oldap);
         $fields = array('samaccountname', 'mail', 'memberof', 'department', 'displayname', 'telephonenumber', 'primarygroupid');
         $sr = @ldap_search($lc, $this->params['base_dn'], $filter, $fields);
 
-        if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+        if (isTrue('AUTH_DEBUG')) {
           echo '$sr='; var_dump($sr); echo '<br />';
           echo 'ldap_error()='; echo ldap_error($lc); echo '<br />';
         }
@@ -233,7 +238,7 @@ class Auth_ldap extends Auth {
 
         $entries = @ldap_get_entries($lc, $sr);
 
-        if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+        if (isTrue('AUTH_DEBUG')) {
           echo '$entries='; var_dump($entries); echo '<br />';
           echo 'ldap_error()='; echo ldap_error($lc); echo '<br />';
         }
@@ -253,9 +258,9 @@ class Auth_ldap extends Auth {
           $groups[] = substr($grp_fields[0], 3);
         }
 
-        if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) {
+        if (isTrue('AUTH_DEBUG')) {
           echo '$member_of'; var_dump($member_of); echo '<br />';
-        };
+        }
 
         // check for group membership
         foreach ($member_of as $check_grp) {
@@ -270,6 +275,9 @@ class Auth_ldap extends Auth {
 
       return array('login' => $login, 'data' => $entries, 'member_of' => $groups);
     }
+
+    // Server type is neither 'ad' or 'openldap'.
+    return false;
   }
 
   function isPasswordExternal() {