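* @version $id SVN
* @access public
* @license http://opensource.org/licenses/gpl-3.0.html
* Plugin Management
*/

/**
 * LDAP authentication plugin for Linea21.
 *
 * Three flows share ldapAuth():
 *  1a. the login exists in the Linea21 database with a real password hash
 *      -> the built-in password check is used (LDAP is not consulted);
 *  1b. the login exists with the '@ldap_forward' marker as password
 *      -> the user is bound against the directory, and the local account is
 *         removed when the directory no longer knows the entry;
 *  2.  the login is unknown locally -> bind against the directory and, on
 *      success, provision a SIMPLE_USER account from the LDAP attributes.
 *
 * Configuration comes from constants (LDAP_HOST, LDAP_PORT, LDAP_VERSION,
 * LDAP_DN, LDAP_USER, LDAP_PASS, LDAP_SUFFIX, optional LDAP_ADM_SUFFIX,
 * LDAP_SEARCH_FILTER, optional LDAP_SEND_EMAIL, LOG_ACCESS).
 */
class LDAPauth extends auth
{
    /** Value stored in user_password for accounts whose password lives in LDAP only. */
    const LDAP_FORWARD_MARKER = '@ldap_forward';

    /**
     * Fallback values used when the directory entry lacks the attribute.
     * NOTE(review): these come from a "prevent bug when testing" shim in the
     * previous revision; with LDAP_SEND_EMAIL enabled the welcome mail of a
     * mail-less entry goes to FALLBACK_MAIL. Kept byte-identical for
     * compatibility -- confirm they are the intended production defaults.
     */
    const FALLBACK_MAIL = 'simon@linea21.com';
    const FALLBACK_NAME = 'non renseigné';

    /** Attributes requested from the directory when an entry is looked up. */
    protected $attributes = ['givenName', 'name', 'mail', 'sAMAccountName', 'sn'];

    /**
     * Wires the global event dispatcher into the plugin.
     */
    public function __construct()
    {
        $this->dispatcher = $GLOBALS['dispatcher'];
    }

    /**
     * Authentication entry point.
     *
     * @param string $login      login as typed by the user
     * @param string $pass       clear-text password as typed by the user
     * @param string $type       'PUBLIC' or 'ADMIN' (interface being logged into)
     * @param bool   $rememberme whether to set the remember-me cookie on success
     * @return bool|string true on success, otherwise a translated error message
     */
    public function logIn($login, $pass, $type, $rememberme)
    {
        // NOTE(review): the event payload carries the clear-text password to every
        // 'auth.logIn' listener; a listener that logs or persists its payload leaks it.
        // Left unchanged because listeners may depend on the payload shape -- verify
        // that none of them store it.
        $this->dispatcher->notify(new sfEvent(__FUNCTION__, 'auth.logIn', [
            'login'    => $login,
            'password' => $pass,
            'type'     => $type,
        ]));

        return $this->ldapAuth($login, $pass, $type, $rememberme);
    }

    /**
     * Dispatches to the built-in check, the existing-LDAP-user flow or the
     * provisioning flow depending on what the Linea21 database knows about $login.
     *
     * @param string $login
     * @param string $pass
     * @param string $type       'PUBLIC' or 'ADMIN'
     * @param bool   $rememberme
     * @return bool|string true on success, otherwise a translated error message
     */
    protected function ldapAuth($login, $pass, $type, $rememberme)
    {
        include_once('../lib/vendor/SimpleLDAP/SimpleLDAP.php');

        $src  = realpath(LOG_ACCESS);
        $ldap = $this->createLdapClient();

        // 0 - look the login up locally first, without checking any password.
        $data = $GLOBALS['sql_object']->DBSelect(SQL_get_UserInfo($login));

        // 1 - the user already exists in the Linea21 database.
        if (is_array($data) && isset($data[0]['user_login'])) {
            // a) not an LDAP-forwarded account: the built-in password check applies.
            if ($data[0]['user_password'] !== self::LDAP_FORWARD_MARKER) {
                return $this->builtInAuth($login, $pass, $type, $rememberme);
            }
            // b) password field holds the LDAP marker: the directory decides.
            return $this->authExistingLdapUser($ldap, $src, $data[0], $login, $pass, $type, $rememberme);
        }

        // 2 - unknown login: bind against the directory and provision on success.
        return $this->provisionLdapUser($ldap, $src, $login, $pass, $type, $rememberme);
    }

    /**
     * Builds the SimpleLDAP client from the configuration constants.
     *
     * @return SimpleLDAP
     */
    protected function createLdapClient()
    {
        $ldap = new SimpleLDAP(LDAP_HOST, LDAP_PORT, LDAP_VERSION); // host, port, protocol version
        $ldap->dn = LDAP_DN; // default base DN

        // Service account used for directory searches (hasUser()/getUsers()).
        $ldap->adn = defined('LDAP_ADM_SUFFIX')
            ? LDAP_USER . LDAP_ADM_SUFFIX
            : LDAP_USER . LDAP_SUFFIX;
        $ldap->apass = LDAP_PASS;

        return $ldap;
    }

    /**
     * Binds $login against the directory with the supplied password.
     *
     * An empty password is refused before any network call: many directories
     * treat a bind with an empty password as an anonymous (unauthenticated)
     * bind that "succeeds", which must never count as a user login.
     *
     * @param SimpleLDAP $ldap
     * @param string     $login
     * @param string     $pass
     * @return mixed whatever SimpleLDAP::auth() returns; false on failure
     */
    protected function bindUser($ldap, $login, $pass)
    {
        if (!is_string($pass) || $pass === '' || !is_string($login) || $login === '') {
            return false;
        }

        return $ldap->auth($login . LDAP_SUFFIX, $pass);
    }

    /**
     * Escapes a value for use inside an LDAP search filter (RFC 4515).
     *
     * strtr() substitutes all pairs in a single pass, so the backslash
     * replacement cannot re-escape the sequences it produces.
     *
     * @param string $value
     * @return string
     */
    protected static function escapeFilterValue($value)
    {
        return strtr((string) $value, [
            '\\'   => '\\5c',
            '*'    => '\\2a',
            '('    => '\\28',
            ')'    => '\\29',
            "\x00" => '\\00',
        ]);
    }

    /**
     * Builds the configured search filter for $login with the login escaped,
     * so a crafted login cannot alter the filter structure.
     *
     * @param string $login
     * @return string
     */
    protected function searchFilter($login)
    {
        return sprintf(LDAP_SEARCH_FILTER, self::escapeFilterValue($login));
    }

    /**
     * Whether the current session carries an admin ('A') or owner ('O') right.
     *
     * Uses in_array() rather than the previous array_search(): array_search()
     * returns the index 0 when the right is the first element, which the old
     * `!array_search(...)` test read as "not found".
     *
     * @return bool
     */
    protected function sessionHasAdminRights()
    {
        $rights = (isset($_SESSION['userright']) && is_array($_SESSION['userright']))
            ? $_SESSION['userright']
            : [];

        return in_array('A', $rights, true) || in_array('O', $rights, true);
    }

    /**
     * Loads the user row for $login and opens the Linea21 session on it.
     *
     * @param string $login
     * @param string $pass       password just verified against the directory
     * @param bool   $rememberme
     * @return void
     */
    protected function openLdapSession($login, $pass, $rememberme)
    {
        $userdata = $GLOBALS['sql_object']->DBSelect(
            SQL_Get_UserInfo4Auth($login, self::LDAP_FORWARD_MARKER)
        );

        // The stored password is only the LDAP marker; give the session a real hash
        // of the password that was just verified.
        // NOTE(review): what initSession()/setCookieRememberMe() do with this hash is
        // outside this file -- confirm it is not persisted where it outlives the LDAP
        // password.
        $userdata['user_password'] = password_hash($pass, PASSWORD_BCRYPT);

        $this->initSession($userdata, $login);
        $_SESSION['LDAPauthentication'] = true;

        if ($rememberme) {
            parent::setCookieRememberMe();
        }
    }

    /**
     * Flow 1b: the login exists locally with the LDAP marker as password.
     *
     * @param SimpleLDAP $ldap
     * @param string     $src  access log path
     * @param array      $row  the local user row (needs 'user_id')
     * @param string     $login
     * @param string     $pass
     * @param string     $type 'PUBLIC' or 'ADMIN'
     * @param bool       $rememberme
     * @return bool|string
     */
    protected function authExistingLdapUser($ldap, $src, array $row, $login, $pass, $type, $rememberme)
    {
        $r = $this->bindUser($ldap, $login, $pass);

        if ($r !== false) {
            $this->openLdapSession($login, $pass, $rememberme);

            // A plain user is not allowed into the admin interface.
            if ($type === 'ADMIN' && !$this->sessionHasAdminRights()) {
                parent::logOut();
                $this->logAccess($src, $type, $login, 'unauthorized');
                return _t('ldap', 'norights_error');
            }

            $this->logAccess($src, $type, $login, 'success');
            return true;
        }

        // Bind failed: wrong password, or the entry no longer exists in the directory.
        // NOTE(review): if hasUser() also returns false on a connection/search error
        // (rather than only on "entry absent"), a valid local account is deleted here
        // -- confirm SimpleLDAP's contract.
        if (!$ldap->hasUser($this->searchFilter($login), $this->attributes)) {
            include_once('../class/class.user.php');
            $user_object = new user;
            $user_object->DeleteUser($row['user_id'], $GLOBALS['sql_object']);
        }

        $this->logAccess($src, $type, $login, 'failed');
        return _t('divers', 'errorauth') . '. ' . _t('ldap', 'rights_error');
    }

    /**
     * Flow 2: the login is unknown locally; bind, then create the account from
     * the directory attributes.
     *
     * @param SimpleLDAP $ldap
     * @param string     $src  access log path
     * @param string     $login
     * @param string     $pass
     * @param string     $type 'PUBLIC' or 'ADMIN'
     * @param bool       $rememberme
     * @return bool|string
     */
    protected function provisionLdapUser($ldap, $src, $login, $pass, $type, $rememberme)
    {
        $r = $this->bindUser($ldap, $login, $pass);

        if ($r === false) {
            $this->logAccess($src, $type, $login, 'failed');
            return _t('divers', 'errorauth') . '. ' . _t('ldap', 'rights_error');
        }

        _debug('ldap->auth : ok', 'LDAP');

        include_once('../class/class.user.php');
        $user_object = new user;

        // auth() can succeed for an entry that is outside the configured search
        // scope/group; such a user is refused with an explicit message.
        $ldapuser = $ldap->getUsers($this->searchFilter($login), $this->attributes);
        if (!is_array($ldapuser) || empty($ldapuser['count'])) {
            return _t('divers', 'errorauth') . '. ' . _t('ldap', 'nogroup_error');
        }

        // The hard-coded test record (login 'logement') that followed this point in
        // the previous revision has been dropped: live or commented out, it must not
        // ship, since it would replace every provisioned user's attributes.
        $user    = $this->ldapUserToRecord($ldapuser[0]);
        $a_right = $user_object->InitUserRight('SIMPLE_USER');
        $result  = $user_object->CheckDataIntegrity($user, $GLOBALS['sql_object']);

        if ($result !== true) {
            return $result; // validation error message
        }

        if (defined('LDAP_SEND_EMAIL') && LDAP_SEND_EMAIL == 1) {
            // The included scripts read these locals from the calling scope.
            $u_login    = $user[0];
            $u_mail     = $user[1];
            $u_password = _t('user', 'ldap_password');
            $todo_mail  = 'add_user';
            include_once(override('../user/mail_actions.php'));
            include_once(override('../mail/template.php'));
        }

        $result = $user_object->AddUser($user, $a_right, $GLOBALS['sql_object'], true);
        if (!is_numeric($result)) {
            // Previously this fell off the end and returned null, which callers
            // cannot tell apart from "no message"; report a real error instead.
            $this->logAccess($src, $type, $login, 'failed');
            return _t('divers', 'errorauth');
        }

        // NOTE(review): the session row is looked up by the typed $login while the
        // account was created under the lower-cased sAMAccountName ($user[0]); this
        // only works if the lookup is case-insensitive -- confirm against
        // SQL_Get_UserInfo4Auth().
        $this->openLdapSession($login, $pass, $rememberme);

        // A freshly provisioned account only has SIMPLE_USER rights: close the
        // session instead of leaving it open next to the error (same handling as
        // authExistingLdapUser()).
        if ($type === 'ADMIN' && !$this->sessionHasAdminRights()) {
            parent::logOut();
            $this->logAccess($src, $type, $login, 'unauthorized');
            return _t('ldap', 'norights_error');
        }

        $this->logAccess($src, $type, $login, 'success');
        return true;
    }

    /**
     * Maps one directory entry (as returned by SimpleLDAP::getUsers()) onto the
     * positional user record expected by user::CheckDataIntegrity()/AddUser().
     *
     * @param array $entry one getUsers() entry, attribute names in lower case
     * @return array [login, email, public-email flag, first name, last name, password marker]
     */
    protected function ldapUserToRecord(array $entry)
    {
        $login = strtolower(trim($this->ldapAttribute($entry, 'samaccountname', '')));
        $mail  = strtolower($this->ldapAttribute($entry, 'mail', self::FALLBACK_MAIL));
        $first = $this->ldapAttribute($entry, 'givenname', self::FALLBACK_NAME);
        $last  = $this->ldapAttribute($entry, 'sn', self::FALLBACK_NAME);

        return [
            $login,
            $mail,
            'N',                       // public display of the e-mail address (default: no)
            $first,
            $last,
            self::LDAP_FORWARD_MARKER, // no local password: LDAP marker
        ];
    }

    /**
     * Returns the first value of attribute $name, trimmed, or $default when the
     * attribute is absent or blank (avoids undefined-index notices on sparse entries).
     *
     * @param array  $entry
     * @param string $name
     * @param string $default
     * @return string
     */
    protected function ldapAttribute(array $entry, $name, $default)
    {
        $value = isset($entry[$name][0]) ? trim((string) $entry[$name][0]) : '';

        return $value === '' ? $default : $value;
    }

    /**
     * Writes one access-log line with the same column layout as before.
     *
     * The origin column is fixed to 'LDAPauth::ldapAuth' so existing log parsing
     * does not see the helper method names introduced by the refactor.
     * NOTE(review): the raw Cookie header (i.e. the session id) is written to the
     * access log; mask it if the log is readable by anyone but administrators.
     *
     * @param string $src    access log path
     * @param string $type   'PUBLIC' or 'ADMIN'
     * @param string $login
     * @param string $status 'success', 'failed' or 'unauthorized'
     * @return void
     */
    protected function logAccess($src, $type, $login, $status)
    {
        logfile($src, [
            $type,
            $login,
            $status,
            __CLASS__ . '::ldapAuth',
            $this->serverValue('HTTP_USER_AGENT'),
            $this->serverValue('HTTP_REFERER'),
            $this->serverValue('REQUEST_METHOD'),
            $this->serverValue('REQUEST_URI'),
            $this->serverValue('QUERY_STRING'),
            $this->serverValue('HTTP_COOKIE'),
            i2c_realip(),
        ]);
    }

    /**
     * $_SERVER value or '' when the header/variable is absent (e.g. no Referer).
     *
     * @param string $key
     * @return string
     */
    protected function serverValue($key)
    {
        return isset($_SERVER[$key]) ? $_SERVER[$key] : '';
    }
}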