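<?php
/* -*- tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
/*
# ***** BEGIN LICENSE BLOCK *****
# This file is part of Plume Framework, a simple PHP Application Framework.
# Copyright (C) 2001-2007 Loic d'Anterroches and contributors.
#
# Plume Framework is free software; you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Plume Framework is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
#
# ***** END LICENSE BLOCK ***** */

/**
 * Backend to authenticate against a LDAP server.
 *
 * Configuration is done with the 'auth_ldap_*' keys.
 */
class Pluf_Auth_LdapBackend
{
    /**
     * Given a user id, retrieve it.
     *
     * The lookup is done against the model database, not the LDAP
     * server: the row is the one created by a previous successful
     * authenticate() call.
     *
     * @param string $user_id Login of the user.
     * @return mixed Whatever getOne() returns (the user object, or its
     *               "not found" value).
     */
    public static function getUser($user_id)
    {
        $user_model = Pluf::f('pluf_custom_user', 'Pluf_User');
        $sql = new Pluf_SQL('login=%s', array($user_id));
        return Pluf::factory($user_model)->getOne($sql->gen());
    }

    /**
     * Given an array with the authentication data, auth the user and return it.
     *
     * Validates the credentials, opens the LDAP connection and hands the
     * real work to authenticateOnConnection(); the connection is closed
     * here on every path so that helper can return early freely.
     *
     * @param array $auth_data Must contain 'login' and 'password'.
     * @return mixed The user object on success, false otherwise.
     */
    public static function authenticate($auth_data)
    {
        $login = (isset($auth_data['login']) && is_scalar($auth_data['login']))
            ? (string) $auth_data['login'] : '';
        $password = (isset($auth_data['password']) && is_scalar($auth_data['password']))
            ? (string) $auth_data['password'] : '';
        // Small security check against the login: it is interpolated
        // into the LDAP search filter, so only a character set with no
        // filter metacharacters is accepted.
        if ($login === '' || preg_match('/[^A-Za-z0-9\-\_]/', $login)) {
            return false;
        }
        // An empty password must never reach ldap_bind(): a bind with a
        // DN and an empty password is an unauthenticated bind, which
        // many servers report as a success.
        if ($password === '') {
            return false;
        }
        $ldap = ldap_connect(Pluf::f('auth_ldap_host', 'localhost'));
        if (!$ldap) {
            Pluf_Log::warn('Cannot connect to the ldap server.');
            return false;
        }
        $user = self::authenticateOnConnection($ldap, $login, $password);
        ldap_close($ldap);
        return $user;
    }

    /**
     * Check the login/password on an open LDAP connection and return the
     * (possibly newly created) user.
     *
     * The caller owns $ldap and closes it; this method never does.
     *
     * @param resource $ldap     Connection from ldap_connect().
     * @param string   $login    Login already restricted to [A-Za-z0-9_-].
     * @param string   $password Non-empty clear text password.
     * @return mixed The user object on success, false otherwise.
     */
    private static function authenticateOnConnection($ldap, $login, $password)
    {
        $ldap_dn = Pluf::f('auth_ldap_dn', 'ou=users,dc=example,dc=com');
        $ldap_user = Pluf::f('auth_ldap_user', null);
        $ldap_password = Pluf::f('auth_ldap_password', null);
        $ldap_version = Pluf::f('auth_ldap_version', 3);
        $ldap_user_key = Pluf::f('auth_ldap_user_key', 'uid');
        // If auth_ldap_password_key is set, the stored crypt hash is
        // checked against the login password, else a bind as the user
        // is attempted.
        $ldap_password_key = Pluf::f('auth_ldap_password_key', null);
        $ldap_surname_key = Pluf::f('auth_ldap_surname_key', 'sn');
        $ldap_givenname_key = Pluf::f('auth_ldap_givenname_key', 'cn');
        $ldap_email_key = Pluf::f('auth_ldap_email_key', 'mail');

        ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, $ldap_version);
        if (!ldap_bind($ldap, $ldap_user, $ldap_password)) {
            Pluf_Log::warn(sprintf('Cannot bind to the ldap server, user:%s, password:***', $ldap_user));
            return false;
        }
        // Go for a search. The password attribute has to be requested
        // explicitly, otherwise ldap_get_values() cannot return it for
        // the hash check below.
        $attributes = array($ldap_user_key, $ldap_surname_key,
                            $ldap_givenname_key, $ldap_email_key);
        if ($ldap_password_key) {
            $attributes[] = $ldap_password_key;
        }
        $search = ldap_search($ldap, $ldap_dn,
                              '(' . $ldap_user_key . '=' . $login . ')',
                              $attributes);
        if (!$search) {
            return false;
        }
        $n = ldap_get_entries($ldap, $search);
        // Exactly one entry must match; zero or several is a failure.
        if (!$n || $n['count'] != 1) {
            return false;
        }
        $entry = ldap_first_entry($ldap, $search);
        // We get all the data first, the bind or hash control is done
        // later. If we control with bind now, we need to search again
        // to have an $entry resource to get the values.
        list($family_name,) = @ldap_get_values($ldap, $entry, $ldap_surname_key);
        list($first_name,) = @ldap_get_values($ldap, $entry, $ldap_givenname_key);
        list($email,) = @ldap_get_values($ldap, $entry, $ldap_email_key);
        $user_dn = ldap_get_dn($ldap, $entry);
        if ($ldap_password_key) {
            // Password authentication against the stored hash.
            list($ldap_hash,) = @ldap_get_values($ldap, $entry, $ldap_password_key);
            if (!self::checkCryptHash($ldap_hash, $password)) {
                return false;
            }
        } else {
            // Bind authentication; $password is non-empty (checked by
            // the caller) so this is a real simple bind, not an
            // unauthenticated one.
            if (!$user_dn || !@ldap_bind($ldap, $user_dn, $password)) {
                return false;
            }
        }
        // Now we get the user and we create it if not available
        $user = self::getUser($login);
        if ($user) {
            return $user;
        }
        // Need to create it
        $user_model = Pluf::f('pluf_custom_user', 'Pluf_User');
        $user = new $user_model();
        $user->active = true;
        $user->login = $login;
        // NOTE(review): the clear text password is handed to the model;
        // this assumes the model hashes it before storing — confirm.
        $user->password = $password;
        $user->last_name = $family_name;
        $user->first_name = $first_name;
        $user->email = $email;
        $user->create();
        return $user;
    }

    /**
     * Compare a '{CRYPT}'-prefixed LDAP password attribute with a clear
     * text password.
     *
     * Only the crypt(3) scheme is handled: the 7 byte '{CRYPT}' prefix
     * is stripped and the first 12 characters of the remainder are used
     * as the salt, as the original implementation did.
     *
     * @param mixed  $ldap_hash Attribute value, or null/false when missing.
     * @param string $password  Clear text password.
     * @return bool True when the password matches the stored hash.
     */
    private static function checkCryptHash($ldap_hash, $password)
    {
        if (!is_string($ldap_hash) || strlen($ldap_hash) <= 7
            || strncasecmp($ldap_hash, '{CRYPT}', 7) !== 0) {
            return false;
        }
        $stored = substr($ldap_hash, 7);
        $salt = substr($stored, 0, 12);
        $computed = crypt($password, $salt);
        // Strict, length-checked comparison: '!=' would compare two
        // numeric-looking strings as numbers. Every byte is visited so
        // the running time does not reveal where the first mismatch is.
        if (!is_string($computed) || strlen($computed) !== strlen($stored)) {
            return false;
        }
        $diff = 0;
        for ($i = 0, $len = strlen($stored); $i < $len; $i++) {
            $diff |= ord($stored[$i]) ^ ord($computed[$i]);
        }
        return $diff === 0;
    }
}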