alt_auth - make the new features work with AD - thanks to Father Barry for testing (and making them work)

2025-08-05 06:07:32 +02:00 · 2008-12-01 21:47:17 +00:00
parent 1072b355ce
commit 4d1b7c6856
5 changed files with 177 additions and 149 deletions
--- a/e107_plugins/alt_auth/alt_auth_adminmenu.php
+++ b/e107_plugins/alt_auth/alt_auth_adminmenu.php
@@ -27,8 +27,6 @@ function alt_auth_get_authlist()
 // All user fields which might, just possibly, be transferred. The option name must be the corresponding field in the E107 user database, prefixed with 'xf_'
 $alt_auth_user_fields = array(
 //  'user_loginname' 	=> array('prompt' => LAN_ALT_10, 'optname' => 'xf_user_loginname', 'default' => 'user_loginname', 'optional' => FALSE, 'otherdb' =>  TRUE, 'e107db' => TRUE, 'importdb' =>  TRUE, 'ldap' => TRUE, 'ldap_field' => 'cn'),
 //  'user_password' 	=> array('prompt' => LAN_ALT_11, 'optname' => 'xf_user_password', 'default' => 'user_password', 'optional' => FALSE, 'otherdb' =>  TRUE, 'e107db' => TRUE, 'importdb' =>  TRUE, 'ldap' => TRUE, 'ldap_field' => ''),
  'user_email' 		=> array('prompt' => LAN_ALT_12, 'optname' => 'xf_user_email', 'default' => 'user_email', 'optional' =>  TRUE, 'otherdb' =>  TRUE, 'e107db' => TRUE, 'importdb' => FALSE, 'ldap' => TRUE, 'ldap_field' => 'mail'),
  'user_hideemail' 	=> array('prompt' => LAN_ALT_13, 'optname' => 'xf_user_hideemail', 'default' => 'user_hideemail', 'optional' =>  TRUE, 'otherdb' => FALSE, 'e107db' => TRUE, 'importdb' => FALSE, 'ldap' => TRUE, 'ldap_field' => ''),
  'user_name' 		=> array('prompt' => LAN_ALT_14, 'optname' => 'xf_user_name', 'default' => 'user_name', 'optional' => TRUE, 'otherdb' =>  TRUE, 'e107db' => TRUE, 'importdb' => FALSE, 'ldap' => TRUE, 'ldap_field' => ''),
@@ -187,7 +185,7 @@ function alt_auth_test_form($prefix,$frm)
 	$log_result = AUTH_UNKNOWN;
 	$pass_vars = array();
 	$val_name = trim(varset($_POST['nametovalidate'],''));
-	
+
 	if(isset($_login->Available) && ($_login->Available === FALSE))
 	{	// Relevant auth method not available (e.g. PHP extension not loaded)
 	  $log_result = AUTH_NOT_AVAILABLE;
@@ -282,4 +280,4 @@ function alt_auth_adminmenu()
 	}
 	show_admin_menu(LAN_ALT_29, ALT_AUTH_ACTION, $var);
 }
-?>
+?>
--- a/e107_plugins/alt_auth/alt_auth_login_class.php
+++ b/e107_plugins/alt_auth/alt_auth_login_class.php
@@ -11,8 +11,8 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/e107_plugins/alt_auth/alt_auth_login_class.php,v $
-|     $Revision: 1.3 $
+|     $Revision: 1.4 $
-|     $Date: 2008-07-25 19:33:02 $
+|     $Date: 2008-12-01 21:47:17 $
 |     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
@@ -34,9 +34,8 @@ class alt_login
 		return AUTH_NOCONNECT;
 	  }
 	  $login_result = $_login -> login($username, $userpass, $newvals, FALSE);
-		
+
 	  if($login_result === AUTH_SUCCESS )
 	  {
 		if (MAGIC_QUOTES_GPC == FALSE)
@@ -45,7 +44,7 @@ class alt_login
 		}
 		$username = preg_replace("/\sOR\s|\=|\#/", "", $username);
 		$username = substr($username, 0, varset($pref['loginname_maxlength'],30));
-			
+
 		$aa_sql = new db;
 		$uh = new UserHandler;
 		$db_vals = array('user_password' => $aa_sql->escape($uh->HashPassword($userpass,$username)));
@@ -65,10 +64,14 @@ class alt_login
 		}
 		else
 		{  // Just add a new user
-		  if (!isset($db_vals['user_name'])) $db_vals['user_name'] = $username;
+			if (!isset($db_vals['user_name'])) $db_vals['user_name'] = $username;
-		  if (!isset($db_vals['user_loginname'])) $db_vals['user_loginname'] = $username;
+			if (!isset($db_vals['user_loginname'])) $db_vals['user_loginname'] = $username;
-		  if (!isset($db_vals['user_join'])) $db_vals['user_join'] = time();
+			if (!isset($db_vals['user_join'])) $db_vals['user_join'] = time();
-		  $aa_sql->db_Insert('user',$db_vals);
+			$db_vals['user_class'] = varset($pref['initial_user_classes'],'');
 			if (!isset($db_vals['user_signature'])) $db_vals['user_signature'] = '';
 			if (!isset($db_vals['user_prefs'])) $db_vals['user_prefs'] = '';
 			if (!isset($db_vals['user_perms'])) $db_vals['user_perms'] = '';
 			$aa_sql->db_Insert('user',$db_vals);
 		}
 		return LOGIN_CONTINUE;
 	  }
--- a/e107_plugins/alt_auth/languages/English/lan_ldap_conf.php
+++ b/e107_plugins/alt_auth/languages/English/lan_ldap_conf.php
@@ -1,6 +1,6 @@
 <?php
 define("LDAPLAN_1", "Server address");
-define("LDAPLAN_2", "Base DN or Domain<br />If LDAP - Enter BaseDN<br />If AD - Enter domain");
+define("LDAPLAN_2", "Base DN or Domain<br />LDAP - Enter BaseDN<br />AD - enter the fqdn eg ad.mydomain.co.uk");
 define("LDAPLAN_3", "LDAP Browsing user<br />Full context of the user who is able to search the directory.");
 define("LDAPLAN_4", "LDAP Browsing password<br />Password for the LDAP Browsing user.");
 define("LDAPLAN_5", "LDAP Version");
@@ -10,8 +10,9 @@ define("LDAPLAN_8", "This will be used to ensure the username is in the correct
 define("LDAPLAN_9", "Current search filter will be:");
 define("LDAPLAN_10", "Settings Updated");
 define("LDAPLAN_11", "WARNING:  It appears as if the ldap module is not currently available; setting your auth method to LDAP will probably not work!");
-define("LDAPLAN_12", "Server Type");
+define("LDAPLAN_12", 'Server Type');
-define("LDAPLAN_13", "Update settings");
+define("LDAPLAN_13", 'Update settings');
 define('LDAPLAN_14', 'OU for AD (e.g. ou=itdept)');
 define('LAN_AUTHENTICATE_HELP','This method can be used to authenticate against most LDAP servers, including Novell\'s eDirectory and Microsoft\'s Active Directory. Refer to the wiki for further information.');
--- a/e107_plugins/alt_auth/ldap_auth.php
+++ b/e107_plugins/alt_auth/ldap_auth.php
@@ -11,8 +11,8 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/e107_plugins/alt_auth/ldap_auth.php,v $
-|     $Revision: 1.3 $
+|     $Revision: 1.4 $
-|     $Date: 2008-09-02 19:39:12 $
+|     $Date: 2008-12-01 21:47:17 $
 |     $Author: e107steved $
 To do:
@@ -22,9 +22,9 @@ To do:
 class auth_login
 {
 	var $server;
 	var $dn;
 	var $ou;
 	var $usr;
 	var $pwd;
 	var $serverType;
@@ -36,78 +36,77 @@ class auth_login
 	var $ldapVersion;
 	var $Available;
 	var $filter;
-	var $copyAttribs;			// Any attributes which are to be copied on successful login
+	var $copyAttribs; // Any attributes which are to be copied on successful login
 	function auth_login()
 	{
 		$this->copyAttribs = array();
 		$sql = new db;
-		$sql -> db_Select("alt_auth", "*", "auth_type = 'ldap' ");
+		$sql->db_Select("alt_auth", "*", "auth_type = 'ldap' ");
-		while($row = $sql -> db_Fetch())
+		while ($row = $sql->db_Fetch())
 		{
-		  $ldap[$row['auth_parmname']] = base64_decode(base64_decode($row['auth_parmval']));
+			$ldap[$row['auth_parmname']] = base64_decode(base64_decode($row['auth_parmval']));
-		  if ((strpos($row['auth_parmname'],'ldap_xf_') === 0) && $ldap[$row['auth_parmname']])
+			if ((strpos($row['auth_parmname'], 'ldap_xf_') === 0) && $ldap[$row['auth_parmname']]) // Attribute to copy on successful login
-		  {	// Attribute to copy on successful login
+			{
-			$this->copyAttribs[$ldap[$row['auth_parmname']]] = substr($row['auth_parmname'],strlen('ldap_xf_'));	// Key = LDAP attribute. Value = e107 field name
+//				$this->copyAttribs[$ldap[$row['auth_parmname']]] = substr($row['auth_parmname'], strlen('ldap_xf_')); // Key = LDAP attribute. Value = e107 field name
-			unset($row['auth_parmname']);
+				$this->copyAttribs[substr($row['auth_parmname'], strlen('ldap_xf_'))] = $ldap[$row['auth_parmname']]; // Key = LDAP attribute. Value = e107 field name
-		  }
+				unset($row['auth_parmname']);
 			}
 		}
 		$this->server = explode(",", $ldap['ldap_server']);
 		$this->serverType = $ldap['ldap_servertype'];
 		$this->dn = $ldap['ldap_basedn'];
 		$this->ou = $ldap['ldap_ou']; // added by Father Barry Keal
 		$this->usr = $ldap['ldap_user'];
 		$this->pwd = $ldap['ldap_passwd'];
 		$this->ldapVersion = $ldap['ldap_version'];
 		$this->filter = (isset($ldap['ldap_edirfilter']) ? $ldap['ldap_edirfilter'] : "");
-		if(!function_exists('ldap_connect'))
+		if (!function_exists('ldap_connect'))
 		{
-			$this->Available = FALSE;
+			$this->Available = false;
 			return false;
 		}
-		if(!$this -> connect())
+		if (!$this->connect())
 		{
 			return AUTH_NOCONNECT;
 		}
 	}
 	function makeErrorText($extra = '')
 	{
-		$this->ldapErrorCode = ldap_errno( $this->connection);
+		$this->ldapErrorCode = ldap_errno($this->connection);
-		$this->ldapErrorText = ldap_error( $this->connection);
+		$this->ldapErrorText = ldap_error($this->connection);
-		$this->ErrorText = $extra.' '.$this->ldapErrorCode.': '.$this->ldapErrorText;
+		$this->ErrorText = $extra . ' ' . $this->ldapErrorCode . ': ' . $this->ldapErrorText;
 	}
 	function connect()
 	{
 		foreach ($this->server as $key => $host)
 		{
 			$this->connection = ldap_connect($host);
-			if ( $this->connection) {
+			if ($this->connection)
-				if($this -> ldapVersion == 3 || $this->serverType == "ActiveDirectory")
+			{
 				if ($this->ldapVersion == 3 || $this->serverType == "ActiveDirectory")
 				{
-					@ldap_set_option( $this -> connection, LDAP_OPT_PROTOCOL_VERSION, 3 );
+					@ldap_set_option($this->connection, LDAP_OPT_PROTOCOL_VERSION, 3);
 				}
 				return true;
 			}
 		}
-		
+
 		$this->ldapErrorCode = -1;
 		$this->ldapErrorText = "Unable to connect to any server";
-		$this->ErrorText = $this->ldapErrorCode.': '.$this->ldapErrorText;
+		$this->ErrorText = $this->ldapErrorCode . ': ' . $this->ldapErrorText;
 		return false;
 	}
 	function close()
 	{
-		if ( !@ldap_close( $this->connection))
+		if (!@ldap_close($this->connection))
 		{
-			$this->makeErrorText();				// Read the error code and explanatory string
+			$this->makeErrorText(); // Read the error code and explanatory string
 			return false;
 		}
 		else
@@ -116,125 +115,137 @@ class auth_login
 		}
 	}
-
+	function login($uname, $pass, &$newvals, $connect_only = false)
 	function login($uname, $pass, &$newvals, $connect_only = FALSE)
 	{
 		/* Construct the full DN, eg:-
 		** "uid=username, ou=People, dc=orgname,dc=com"
 		*/
-//		echo "Login to server type: {$this->serverType}<br />";
+		// echo "Login to server type: {$this->serverType}<br />";
 		$current_filter = "";
 		if ($this->serverType == "ActiveDirectory")
 		{
-		  $checkDn = $uname.'@'.$this->dn;
+			$checkDn = $uname . '@' . $this->dn;
 			// added by Father Barry Keal
 			// $current_filter = "(sAMAccountName={$uname})"; for pre windows 2000
 			$current_filter = "(userprincipalname={$uname}@{$this->dn})"; // for 2000 +
 			// end add by Father Barry Keal
 		}
 		else
 		{
-		  if ($this -> usr != '' && $this -> pwd != '')
+			if ($this->usr != '' && $this->pwd != '')
 		  {
 			$this -> result = ldap_bind($this -> connection, $this -> usr, $this -> pwd);
 		  }
 		  else
 		  {
 			$this -> result = ldap_bind($this -> connection);
 		  }
 		  if ($this->result === FALSE)
 		  {
 //		    echo "LDAP bind failed<br />";
 			$this->makeErrorText();				// Read the error code and explanatory string
 			return AUTH_NOCONNECT;
 		  }
 //			In ldap_auth.php, should look like this instead for eDirectory 
 //			$query = ldap_search($this -> connection, $this -> dn, "cn=".$uname);
 		  if($this->serverType == "eDirectory")
 		  {
 			$current_filter = "(&(cn={$uname})".$this->filter.")";
 		  }
 		  else
 		  {
 			$current_filter = "uid=".$uname;
 		  }
 //		  echo "LDAP search: {$this->dn}, {$current_filter}<br />";
 		  $query = ldap_search($this->connection, $this->dn, $current_filter);
 		  if ($query === false)
 		  {
 //				Could not perform query to LDAP directory
 			echo "LDAP - search for user failed<br />";
 			$this->makeErrorText();				// Read the error code and explanatory string
 			return AUTH_NOCONNECT;
 		  }
 		  else
 		  {
 			$query_result = ldap_get_entries($this -> connection, $query);
 			if ($query_result["count"] != 1)
 			{
-			  if ($connect_only) return AUTH_SUCCESS; else return AUTH_NOUSER;
+				$this->result = ldap_bind($this->connection, $this->usr, $this->pwd);
 			}
 			else
 			{
-			  $checkDn = $query_result[0]["dn"];
+				$this->result = ldap_bind($this->connection);
 			  $this -> close();
 			  $this -> connect();
 			}
-		  }
+			if ($this->result === false)
-		}
+			{
 				// echo "LDAP bind failed<br />";
 				$this->makeErrorText(); // Read the error code and explanatory string
 				return AUTH_NOCONNECT;
 			}
 			// In ldap_auth.php, should look like this instead for eDirectory
 			// $query = ldap_search($this -> connection, $this -> dn, "cn=".$uname);
 			if ($this->serverType == "eDirectory")
 			{
 				$current_filter = "(&(cn={$uname})" . $this->filter . ")";
 			}
 			else
 			{
 				$current_filter = "uid=" . $uname;
 			}
 			// echo "LDAP search: {$this->dn}, {$current_filter}<br />";
 			$query = ldap_search($this->connection, $this->dn, $current_filter);
-		// Try and connect...
+			if ($query === false)
-		$this->result = ldap_bind($this -> connection, $checkDn, $pass);
+			{
-		if ( $this->result)
+				// Could not perform query to LDAP directory
-		{
+				echo "LDAP - search for user failed<br />";
-		  // Connected OK - login credentials are fine!
+				$this->makeErrorText(); // Read the error code and explanatory string
-		  // But bind can return success even if no password! Does reject an invalid password, however
+				return AUTH_NOCONNECT;
-		  if ($connect_only) return AUTH_SUCCESS;
+			}
-		  if (trim($pass) == '') return AUTH_BADPASSWORD;				// Pick up a blank password
+			else
-		  if (count($this->copyAttribs) == 0) return AUTH_SUCCESS;		// No attributes required - we're done
+			{
-		  $ldap_attributes = array_keys($this->copyAttribs);
+				$query_result = ldap_get_entries($this->connection, $query);
 //		  echo "Validation search: {$checkDn}, {$current_filter},"; print_a($ldap_attributes); echo "<br />";
 		  $this->result = ldap_search($this -> connection, $checkDn, $current_filter, $ldap_attributes);
-		  if ($this->result)
+				if ($query_result["count"] != 1)
-		  {
+				{
-			$entries = ldap_get_entries($this->connection, $this->result);
+					if ($connect_only) return AUTH_SUCCESS;
-//			print_a($entries);
+					else return AUTH_NOUSER;
 			if (count($entries) == 2)
 			{ // All OK
 			  for ($j = 0; $j < $entries[0]['count']; $j++)
 			  {
 				$k = $entries[0][$j];
 				$tlv = $entries[0][$k];
 				if (is_array($tlv) && isset($this->copyAttribs[$k]))
 				{ // This bit executed if we've successfully got some data. Key is the attribute name, then array of data
 				  $newvals[$this->copyAttribs[$k]] = $tlv[0];				// Just grab the first value
 //				  echo $j.":Key: {$k} (Values: {$tlv['count']})";
 //				  for ($i = 0; $i < $tlv['count']; $i++) { echo '  '.$tlv[$i]; }
 //				  echo "<br />";
 				}
 				else
 				{
-//				  echo " Unexpected non-array value - Key: {$k}   Value: {$tlv}<br />";
+					$checkDn = $query_result[0]["dn"];
-					$this->makeErrorText();				// Read the error code and explanatory string
+					$this->close();
-					return AUTH_NOCONNECT;  		// Not really a suitable return code for this - its an error
+					$this->connect();
 				}
 			  }
 			}
-			else
+		}
 		// Try and connect...
 		$this->result = ldap_bind($this->connection, $checkDn, $pass);
 		if ($this->result)
 		{
 			// Connected OK - login credentials are fine!
 			// But bind can return success even if no password! Does reject an invalid password, however
 			if ($connect_only) return AUTH_SUCCESS;
 			if (trim($pass) == '') return AUTH_BADPASSWORD; // Pick up a blank password
 			if (count($this->copyAttribs) == 0) return AUTH_SUCCESS; // No attributes required - we're done
 			$ldap_attributes = array_values(array_unique($this->copyAttribs));
 			if ($this->serverType == "ActiveDirectory")
 			{	// If we are using AD then build up the full string from the fqdn
 				$altauth_tmp = explode('.', $this->dn);
 				$checkDn='';
 				foreach($altauth_tmp as $$altauth_dc)
 				{
 					$checkDn .= ",DC={$altauth_dc}";
 				}
 				// prefix with the OU
 				$checkDn = $this->ou . $checkDn;
 			}
 			$this->result = ldap_search($this->connection, $checkDn, $current_filter, $ldap_attributes);
 			if ($this->result)
 			{
-//			  echo "Got wrong number of entries<br />";
+				$entries = ldap_get_entries($this->connection, $this->result);
-				$this->makeErrorText();				// Read the error code and explanatory string
+				if (count($entries) == 2) // All OK
-				return AUTH_NOUSER;			// Bit debateable what to return if this happens
+				{
 				echo "Count: {$entries[0]['count']}<br />";
 					for ($j = 0; $j < $entries[0]['count']; $j++)
 					{
 						$k = $entries[0][$j];			// LDAP attribute name
 						$tlv = $entries[0][$k];			// Array of LDAP data
 						if (is_array($tlv) && count($tempKeys = array_keys($this->copyAttribs,$k))) // This bit executed if we've successfully got some data. Key is the attribute name, then array of data
 						{
 							foreach ($tempKeys as $tk)		// Single LDAP attribute may be mapped to several fields
 							{
 								$newvals[$tk] = $this->translate($tlv[0]); // Just grab the first value
 							}
 							// echo $j.":Key: {$k} (Values: {$tlv['count']})";
 							// for ($i = 0; $i < $tlv['count']; $i++) { echo '  '.$tlv[$i]; }
 							// echo "<br />";
 						}
 						else
 						{
 							// echo " Unexpected non-array value - Key: {$k}   Value: {$tlv}<br />";
 							$this->makeErrorText(); // Read the error code and explanatory string
 							return AUTH_NOCONNECT; // Not really a suitable return code for this - its an error
 						}
 					}
 				}
 				else
 				{
 					// echo "Got wrong number of entries<br />";
 					$this->makeErrorText(); // Read the error code and explanatory string
 					return AUTH_NOUSER; // Bit debateable what to return if this happens
 				}
 			}
-		  }
+			else // Probably a bit strange if we don't get any info back - but possible
-		  else
+				{
-		  {	// Probably a bit strange if we don't get any info back - but possible
+					// echo "No results!<br />";
-//			echo "No results!<br />";
+				}
 		  }
-		  return AUTH_SUCCESS;
+				return AUTH_SUCCESS;
 		}
 		else
 		{
@@ -246,18 +257,31 @@ class auth_login
 			** 49 - Wrong password
 			** 53 - Account inactive (manually locked out by administrator)
 			*/
-			$this->makeErrorText();				// Read the error code and explanatory string
+			$this->makeErrorText(); // Read the error code and explanatory string
-			switch ($this -> ldapErrorCode)
+			switch ($this->ldapErrorCode)
 			{
-			  case 32 :
+				case 32 :
-				return AUTH_NOUSER;
+					return AUTH_NOUSER;
-			  case  49 :
+				case 49 :
-				return AUTH_BADPASSWORD;
+					return AUTH_BADPASSWORD;
 			}
 			// return error code as if it never connected, maybe change that in the future
-			return AUTH_NOCONNECT;  
+			return AUTH_NOCONNECT;
 		}
 	}
 	// Function to decode some special values
 	function translate($word)
 	{
 		global $tp;
 		switch ($tp->uStrToUpper($word))
 		{
 			case 'TRUE' : return TRUE;
 			case 'FALSE' : return FALSE;
 		}
 		return $word;
 	}
 }
 ?>
--- a/e107_plugins/alt_auth/ldap_conf.php
+++ b/e107_plugins/alt_auth/ldap_conf.php
@@ -11,8 +11,8 @@
 |     GNU General Public License (http://gnu.org).
 |
 |     $Source: /cvs_backup/e107_0.8/e107_plugins/alt_auth/ldap_conf.php,v $
-|     $Revision: 1.3 $
+|     $Revision: 1.4 $
-|     $Date: 2008-09-02 19:39:12 $
+|     $Date: 2008-12-01 21:47:17 $
 |     $Author: e107steved $
 +----------------------------------------------------------------------------+
 */
@@ -77,10 +77,12 @@ $text .= "</td></tr>";
 $text .= "<tr><td class='forumheader3'>".LDAPLAN_1."</td><td class='forumheader3'>";
 $text .= $frm -> form_text("ldap_server", 35, $ldap['ldap_server'], 120);
 $text .= "</td></tr>";
 $text .= "<tr><td class='forumheader3'>".LDAPLAN_2."</td><td class='forumheader3'>";
 $text .= $frm -> form_text("ldap_basedn", 35, $ldap['ldap_basedn'], 120);
 $text .= "</td></tr>";
 $text .= "<tr><td class='forumheader3'>".LDAPLAN_14."</td><td class='forumheader3'>";
 $text .= $frm -> form_text("ldap_ou", 35, $ldap['ldap_ou'], 60);
 $text .= "</td></tr>";
 $text .= "<tr><td class='forumheader3'>".LDAPLAN_3."</td><td class='forumheader3'>";
 $text .= $frm -> form_text("ldap_user", 35, $ldap['ldap_user'], 120);