return $hash;
}
+// LDAP related functions
+
+function _pkwk_ldap_escape_callback($matches) {
+ return sprintf('\\%02x', ord($matches[0]));
+}
+
+function pkwk_ldap_escape_filter($value) {
+ if (function_exists('ldap_escape')) {
+ return ldap_escape($value, false, LDAP_ESCAPE_FILTER);
+ }
+ return preg_replace_callback('/[\\\\*()\0]/',
+ '_pkwk_ldap_escape_callback', $value);
+}
+
+function pkwk_ldap_escape_dn($value) {
+ if (function_exists('ldap_escape')) {
+ return ldap_escape($value, false, LDAP_ESCAPE_DN);
+ }
+ return preg_replace_callback('/[\\\\,=+<>;"#]/',
+ '_pkwk_ldap_escape_callback', $value);
+}
+
// Basic-auth related ----
{
global $auth_type, $auth_users, $_msg_auth, $auth_user, $auth_groups;
global $auth_user_groups, $auth_user_fullname;
- global $auth_provider_user_prefix;
+ global $ldap_user_account;
+ global $read_auth, $edit_auth;
+ if ($read_auth || $edit_auth) {
+ switch ($auth_type) {
+ case AUTH_TYPE_BASIC:
+ case AUTH_TYPE_FORM:
+ case AUTH_TYPE_EXTERNAL:
+ case AUTH_TYPE_EXTERNAL_REMOTE_USER:
+ case AUTH_TYPE_EXTERNAL_X_FORWARDED_USER:
+ break;
+ default:
+ // $auth_type is not valid, Set form auth as default
+ $auth_type = AUTH_TYPE_FORM;
+ }
+ }
+ $auth_dynamic_groups = null;
switch ($auth_type) {
case AUTH_TYPE_BASIC:
{
header('HTTP/1.0 401 Unauthorized');
}
$auth_user = '';
- $auth_user_groups = get_groups_from_username($user);
+ $auth_user_groups = array();
return true; // no auth input
}
case AUTH_TYPE_FORM:
session_start();
$user = '';
$fullname = '';
+ $dynamic_groups = array();
if (isset($_SESSION['authenticated_user'])) {
$user = $_SESSION['authenticated_user'];
if (isset($_SESSION['authenticated_user_fullname'])) {
$fullname = $_SESSION['authenticated_user_fullname'];
+ $dynamic_groups = $_SESSION['dynamic_member_groups'];
} else {
+ $fullname = $user;
if ($auth_type === AUTH_TYPE_EXTERNAL && $ldap_user_account) {
$ldap_user_info = ldap_get_simple_user_info($user);
if ($ldap_user_info) {
$fullname = $ldap_user_info['fullname'];
- $_SESSION['authenticated_user_fullname'] = $fullname;
+ $dynamic_groups = $ldap_user_info['dynamic_member_groups'];
}
}
+ $_SESSION['authenticated_user_fullname'] = $fullname;
+ $_SESSION['dynamic_member_groups'] = $dynamic_groups;
}
}
$auth_user = $user;
$auth_user_fullname = $fullname;
+ $auth_dynamic_groups = $dynamic_groups;
break;
}
case AUTH_TYPE_EXTERNAL_REMOTE_USER:
break;
}
$auth_user_groups = get_groups_from_username($auth_user);
+ if ($auth_dynamic_groups && is_array($auth_dynamic_groups)) {
+ $auth_user_groups = array_values(array_merge($auth_user_groups, $auth_dynamic_groups));
+ }
return true; // is not basic auth
}
$groups[] = $group;
}
}
- // Implecit group that has same name as user itself
+ // Implicit group that has same name as user itself
$groups[] = $user;
// 'valid-user' group for
$valid_user = 'valid-user';
function ldap_auth($username, $password)
{
- global $ldap_url, $ldap_bind_dn, $ldap_bind_password;
- if (preg_match('#^(ldap\:\/\/[^/]+/)(.*)$#', $ldap_url, $m)) {
- $ldap_server = $m[1];
- $ldap_base_dn = $m[2];
- $ldapconn = ldap_connect($ldap_server);
- if ($ldapconn) {
- ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
- if (preg_match('#\$login\b#', $ldap_bind_dn)) {
- // Bind by user credential
- $bind_dn_user = preg_replace('#\$login#', $username, $ldap_bind_dn);
- $ldap_bind_user = ldap_bind($ldapconn, $bind_dn_user, $password);
- if ($ldap_bind_user) {
- $user_info = get_ldap_user_info($ldapconn, $username, $ldap_base_dn);
- if ($user_info) {
+ global $ldap_server, $ldap_base_dn, $ldap_bind_dn, $ldap_bind_password;
+ $ldapconn = ldap_connect($ldap_server);
+ if ($ldapconn) {
+ ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
+ ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
+ if (preg_match('#\$login\b#', $ldap_bind_dn)) {
+ // Bind by user credential
+ $username_esc = pkwk_ldap_escape_dn($username);
+ $bind_dn_user = preg_replace('#\$login\b#', $username_esc, $ldap_bind_dn);
+ $ldap_bind_user = ldap_bind($ldapconn, $bind_dn_user, $password);
+ if ($ldap_bind_user) {
+ $user_info = get_ldap_user_info($ldapconn, $username, $ldap_base_dn);
+ if ($user_info) {
+ $ldap_groups = get_ldap_groups_with_user($ldapconn, $username, $user_info['is_ad']);
+ session_regenerate_id(true); // require: PHP5.1+
+ $_SESSION['authenticated_user'] = $user_info['uid'];
+ $_SESSION['authenticated_user_fullname'] = $user_info['fullname'];
+ $_SESSION['dynamic_member_groups'] = $ldap_groups;
+ return true;
+ }
+ }
+ } else {
+ // Bind by bind dn
+ $ldap_bind = ldap_bind($ldapconn, $ldap_bind_dn, $ldap_bind_password);
+ if ($ldap_bind) {
+ $user_info = get_ldap_user_info($ldapconn, $username, $ldap_base_dn);
+ if ($user_info) {
+ $ldap_bind_user2 = ldap_bind($ldapconn, $user_info['dn'], $password);
+ if ($ldap_bind_user2) {
+ $ldap_groups = get_ldap_groups_with_user($ldapconn, $username, $user_info['is_ad']);
session_regenerate_id(true); // require: PHP5.1+
$_SESSION['authenticated_user'] = $user_info['uid'];
$_SESSION['authenticated_user_fullname'] = $user_info['fullname'];
+ $_SESSION['dynamic_member_groups'] = $ldap_groups;
return true;
}
}
- } else {
- // Bind by bind dn
- $ldap_bind = ldap_bind($ldapconn, $ldap_bind_dn, $ldap_bind_password);
- if ($ldap_bind) {
- $user_info = get_ldap_user_info($ldapconn, $username, $ldap_base_dn);
- if ($user_info) {
- $ldap_bind_user2 = ldap_bind($ldapconn, $user_info['dn'], $password);
- if ($ldap_bind_user2) {
- session_regenerate_id(true); // require: PHP5.1+
- $_SESSION['authenticated_user'] = $user_info['uid'];
- $_SESSION['authenticated_user_fullname'] = $user_info['fullname'];
- return true;
- }
- }
- }
}
}
}
// Get LDAP user info via bind DN
function ldap_get_simple_user_info($username)
{
- global $ldap_url, $ldap_bind_dn, $ldap_bind_password;
- if (preg_match('#^(ldap\:\/\/[^/]+/)(.*)$#', $ldap_url, $m)) {
- $ldap_server = $m[1];
- $ldap_base_dn = $m[2];
- $ldapconn = ldap_connect($ldap_server);
- if ($ldapconn) {
- ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
- // Bind by bind dn
- $ldap_bind = ldap_bind($ldapconn, $ldap_bind_dn, $ldap_bind_password);
- if ($ldap_bind) {
- $user_info = get_ldap_user_info($ldapconn, $username, $ldap_base_dn);
- if ($user_info) {
- return $user_info;
- }
+ global $ldap_server, $ldap_base_dn, $ldap_bind_dn, $ldap_bind_password;
+ $ldapconn = ldap_connect($ldap_server);
+ if ($ldapconn) {
+ ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
+ ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
+ // Bind by bind dn
+ $ldap_bind = ldap_bind($ldapconn, $ldap_bind_dn, $ldap_bind_password);
+ if ($ldap_bind) {
+ $user_info = get_ldap_user_info($ldapconn, $username, $ldap_base_dn);
+ if ($user_info) {
+ $ldap_groups = get_ldap_groups_with_user($ldapconn,
+ $username, $user_info['is_ad']);
+ $user_info['dynamic_member_groups'] = $ldap_groups;
+ return $user_info;
}
}
}
* @return boolean
*/
function get_ldap_user_info($ldapconn, $username, $base_dn) {
- $filter = "(|(uid=$username)(sAMAccountName=$username))";
+ $username_esc = pkwk_ldap_escape_filter($username);
+ $filter = "(|(uid=$username_esc)(sAMAccountName=$username_esc))";
$result1 = ldap_search($ldapconn, $base_dn, $filter, array('dn', 'uid', 'cn', 'samaccountname', 'displayname', 'mail'));
$entries = ldap_get_entries($ldapconn, $result1);
+ if (!isset($entries[0])) {
+ return false;
+ }
$info = $entries[0];
if (isset($info['dn'])) {
$user_dn = $info['dn'];
$cano_username = $username;
+ $is_active_directory = false;
if (isset($info['uid'][0])) {
$cano_username = $info['uid'][0];
} elseif (isset($info['samaccountname'][0])) {
$cano_username = $info['samaccountname'][0];
+ $is_active_directory = true;
}
$cano_fullname = $username;
if (isset($info['displayname'][0])) {
'dn' => $user_dn,
'uid' => $cano_username,
'fullname' => $cano_fullname,
- 'mail' => $info['mail'][0]
+ 'mail' => $info['mail'][0],
+ 'is_ad' => $is_active_directory,
);
}
return false;
. '&url_after_login=' . rawurlencode($url_after_login);
return $url;
}
+
+function get_auth_user_prefix() {
+ global $ldap_user_account, $auth_type;
+ global $auth_provider_user_prefix_default;
+ global $auth_provider_user_prefix_ldap;
+ global $auth_provider_user_prefix_external;
+ $user_prefix = '';
+ switch ($auth_type) {
+ case AUTH_TYPE_BASIC:
+ $user_prefix = $auth_provider_user_prefix_default;
+ break;
+ case AUTH_TYPE_EXTERNAL:
+ case AUTH_TYPE_EXTERNAL_REMOTE_USER:
+ case AUTH_TYPE_EXTERNAL_X_FORWARDED_USER:
+ $user_prefix = $auth_provider_user_prefix_external;
+ break;
+ case AUTH_TYPE_FORM:
+ if ($ldap_user_account) {
+ $user_prefix = $auth_provider_user_prefix_ldap;
+ } else {
+ $user_prefix = $auth_provider_user_prefix_default;
+ }
+ break;
+ }
+ return $user_prefix;
+}
+
+function get_ldap_related_groups() {
+ global $read_auth_pages, $edit_auth_pages;
+ global $auth_provider_user_prefix_ldap;
+ $ldap_groups = array();
+ foreach ($read_auth_pages as $pattern=>$groups) {
+ $sp_groups = explode(',', $groups);
+ foreach ($sp_groups as $group) {
+ if (strpos($group, $auth_provider_user_prefix_ldap) === 0) {
+ $ldap_groups[] = $group;
+ }
+ }
+ }
+ foreach ($edit_auth_pages as $pattern=>$groups) {
+ $sp_groups = explode(',', $groups);
+ foreach ($sp_groups as $group) {
+ if (strpos($group, $auth_provider_user_prefix_ldap) === 0) {
+ $ldap_groups[] = $group;
+ }
+ }
+ }
+ $ldap_groups_unique = array_values(array_unique($ldap_groups));
+ return $ldap_groups_unique;
+}
+
+/**
+ * Get LDAP groups user belongs to
+ *
+ * @param Resource $ldapconn
+ * @param String $user
+ * @param bool $is_ad
+ * @return Array
+ */
+function get_ldap_groups_with_user($ldapconn, $user, $is_ad) {
+ global $auth_provider_user_prefix_ldap;
+ global $ldap_base_dn;
+ $related_groups = get_ldap_related_groups();
+ if (count($related_groups) == 0) {
+ return array();
+ }
+ $gfilter = '(|';
+ foreach ($related_groups as $group_full) {
+ $g = substr($group_full, strlen($auth_provider_user_prefix_ldap));
+ $gfilter .= sprintf('(cn=%s)', pkwk_ldap_escape_filter($g));
+ if ($is_ad) {
+ $gfilter .= sprintf('(sAMAccountName=%s)', pkwk_ldap_escape_filter($g));
+ }
+ }
+ $gfilter .= ')';
+ $result_g = ldap_search($ldapconn, $ldap_base_dn, $gfilter,
+ array('dn', 'uid', 'cn', 'samaccountname'));
+ $entries = ldap_get_entries($ldapconn, $result_g);
+ if (!isset($entries[0])) {
+ return false;
+ }
+ if (!$entries) {
+ return array();
+ }
+ $entry_count = $entries['count'];
+ $group_list = array();
+ for ($i = 0; $i < $entry_count; $i++) {
+ $group_name = $entries[$i]['cn'][0];
+ if ($is_ad) {
+ $group_name = $entries[$i]['samaccountname'][0];
+ }
+ $group_list[] = array(
+ 'name' => $group_name,
+ 'dn' => $entries[$i]['dn']
+ );
+ }
+ $groups_member = array();
+ $groups_nonmember = array();
+ foreach ($group_list as $gp) {
+ $fmt = '(&(uid=%s)(memberOf=%s))';
+ if ($is_ad) {
+ // LDAP_MATCHING_RULE_IN_CHAIN: Active Directory specific rule
+ $fmt = '(&(sAMAccountName=%s)(memberOf:1.2.840.113556.1.4.1941:=%s))';
+ }
+ $user_gfilter = sprintf($fmt,
+ pkwk_ldap_escape_filter($user),
+ pkwk_ldap_escape_filter($gp['dn']));
+ $result_e = ldap_search($ldapconn, $ldap_base_dn, $user_gfilter,
+ array('dn'), 0, 1);
+ $user_e = ldap_get_entries($ldapconn, $result_e);
+ if (isset($user_e['count']) && $user_e['count'] > 0) {
+ $groups_member[] = $gp['name'];
+ } else {
+ $groups_nonmember[] = $gp['name'];
+ }
+ }
+ $groups_full = array();
+ foreach ($groups_member as $g) {
+ $groups_full[] = $auth_provider_user_prefix_ldap . $g;
+ }
+ return $groups_full;
+}
OSDN Git Service
