X-Git-Url: http://wagnertech.de/git?a=blobdiff_plain;f=WEB-INF%2Flib%2Fauth%2FAuth_ldap.class.php;h=e17b6e7c98585fa601bba3e5f0d51fb9f36dea8b;hb=074e8daef75c2b729e75f350b52935a6b7ecfba8;hp=625c47828df7a0b1c13f3151d6fa06d79c3af787;hpb=466c7825f8313f5e3a11c63383537c8bb302a932;p=timetracker.git diff --git a/WEB-INF/lib/auth/Auth_ldap.class.php b/WEB-INF/lib/auth/Auth_ldap.class.php index 625c4782..e17b6e7c 100644 --- a/WEB-INF/lib/auth/Auth_ldap.class.php +++ b/WEB-INF/lib/auth/Auth_ldap.class.php @@ -53,10 +53,9 @@ class Auth_ldap extends Auth { function __construct($params) { + global $smarty; $this->params = $params; - if (isset($GLOBALS['smarty'])) { - $GLOBALS['smarty']->assign('Auth_ldap_params', $this->params); - } + $smarty->assign('Auth_ldap_params', $this->params); } function ldap_escape($str){ @@ -65,7 +64,7 @@ class Auth_ldap extends Auth { foreach ($illegal as $id => $char) { $legal[$id] = "\\".$char; } - $str = str_replace($illegal, $legal,$str); //replace them + $str = str_replace($illegal, $legal, $str); //replace them return $str; } @@ -112,15 +111,14 @@ class Auth_ldap extends Auth { } // We need to handle Windows AD and OpenLDAP differently. - if ($this->params['type'] != 'openldap') { + if ($this->params['type'] == 'ad') { - // check if the user specified full login + // Check if user specified full login. if (strpos($login, '@') === false) { - // append default domain + // Append default domain. $login .= '@' . $this->params['default_domain']; } - if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) { echo '$login='; var_dump($login); echo '
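Review bot: Replacing the `isset($GLOBALS['smarty'])` guard with a bare `global $smarty; $smarty->assign(...)` turns a missing template engine into a fatal error inside the constructor, so any code path that instantiates Auth_ldap without `$smarty` defined (a CLI script or a test, for instance) now dies instead of skipping the assignment; keep the guard, e.g. `if (isset($smarty)) { $smarty->assign('Auth_ldap_params', $this->params); }`. Separately, the whole `$params` array is handed to the template scope; if it carries the bind credentials for the directory (not visible in this hunk), consider assigning only the keys the templates actually render. The ldap_escape hunk that follows is a whitespace-only change.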
'; } @@ -138,10 +136,10 @@ class Auth_ldap extends Auth { } if ($member_of) { - // get groups + // Get groups the user is a member of from AD LDAP server. - $filter = 'samaccountname='.Auth_ldap::ldap_escape($login); - $fields = array('samaccountname', 'mail', 'memberof', 'department', 'displayname', 'telephonenumber', 'primarygroupid'); + $filter = 'userPrincipalName='.Auth_ldap::ldap_escape($login); + $fields = array('memberof'); $sr = @ldap_search($lc, $this->params['base_dn'], $filter, $fields); if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) { @@ -149,7 +147,6 @@ class Auth_ldap extends Auth { echo 'ldap_error()='; echo ldap_error($lc); echo '
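Review bot: `$this->params['type'] == 'ad'` is a loose comparison, and `$this->params['default_domain']` is appended without checking it is configured, so an AD setup with no `default_domain` silently produces a login of the form `user@` plus a PHP notice; suggest `if ($this->params['type'] === 'ad') {` and, before the append, `if (empty($this->params['default_domain'])) { return false; }` so a misconfiguration fails closed rather than binding with a malformed principal. The debug line that follows still echoes the raw login via `var_dump`; that behaviour predates this commit. The `if` block opened here closes outside the hunk.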
'; } - // if search failed it's likely that account is disabled if (!$sr) { ldap_unbind($lc); return false; @@ -169,8 +166,7 @@ class Auth_ldap extends Auth { $groups = array(); - // extract group names from - // assuming the groups are in format: CN=,... + // Extract group names. Assume the groups are in format: CN=,... for ($i = 0; $i < @$entries[0]['memberof']['count']; $i++) { $grp = $entries[0]['memberof'][$i]; $grp_fields = explode(',', $grp); @@ -181,8 +177,8 @@ class Auth_ldap extends Auth { echo '$member_of'; var_dump($member_of); echo '
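Review bot: The attribute list is narrowed to `memberof` only, and AD does not report a user's primary group in `memberOf` (it is expressed through `primaryGroupID`, which this hunk stops requesting); if any group configured in `member_of` is a user's primary group (typically Domain Users), the membership check further down will reject that user even though they belong to it. Whether the old code actually used `primarygroupid` is not visible here, so at minimum this deserves a comment, e.g. `// Note: memberof does not include the user's primary group (see primaryGroupID).` The switch to `userPrincipalName` is consistent with the `@default_domain` suffix appended earlier in this method; the enclosing `if ($member_of)` block continues past the hunk.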
'; }; - // check for group membership - foreach ($member_of as $check_grp) { + // Check for group membership. + foreach ($member_of as $check_grp) { if (!in_array($check_grp, $groups)) { ldap_unbind($lc); return false; @@ -191,9 +187,10 @@ class Auth_ldap extends Auth { } ldap_unbind($lc); - return array('login' => $login, 'data' => $entries, 'member_of' => $groups); - } else { + } + + if ($this->params['type'] == 'openldap') { // Assuming OpenLDAP server. $login_oldap = 'uid='.$login.','.$this->params['base_dn']; @@ -221,6 +218,7 @@ class Auth_ldap extends Auth { } if ($member_of) { + // TODO: Fix this for OpenLDAP, as samaccountname has nothing to do with it. // get groups $filter = 'samaccountname='.Auth_ldap::ldap_escape($login_oldap); @@ -262,7 +260,7 @@ class Auth_ldap extends Auth { if (defined('AUTH_DEBUG') && isTrue(AUTH_DEBUG)) { echo '$member_of'; var_dump($member_of); echo '
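Review bot: The AD branch loses its success result: the removed `return array('login' => $login, 'data' => $entries, 'member_of' => $groups);` is not re-added anywhere on the new side, so after `ldap_unbind($lc);` a successfully bound AD user falls out of the `if ($this->params['type'] == 'ad')` block, skips the `openldap` block, and reaches the `return false;` added at the end of the method (hunk at -277), i.e. every AD login now fails. Unless the return was deliberately moved to a line outside these hunks, restore it before the block's closing brace: `ldap_unbind($lc);` / `return array('login' => $login, 'data' => $entries, 'member_of' => $groups);`. Also, the context line `$login_oldap = 'uid='.$login.','.$this->params['base_dn'];` builds a bind DN from the raw login; a DN component should be escaped with DN rules rather than inserted verbatim, e.g. `\ldap_escape($login, '', LDAP_ESCAPE_DN)` (PHP 5.6+), which also keeps the later `samaccountname=` search from receiving unescaped DN characters. The openldap block opened here continues past the hunk.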
'; - }; + } // check for group membership foreach ($member_of as $check_grp) { @@ -277,6 +275,9 @@ class Auth_ldap extends Auth { return array('login' => $login, 'data' => $entries, 'member_of' => $groups); } + + // Server type is neither 'ad' or 'openldap'. + return false; } function isPasswordExternal() {