239 lines
11 KiB
PHP
239 lines
11 KiB
PHP
<?php
|
|
|
|
include_once __DIR__ . "/../include/simpleldap_functions.php";
|
|
|
|
function HookSimpleldapAllExternalauth($uname, $pword){
|
|
if (!function_exists('ldap_connect'))
|
|
{
|
|
return false;
|
|
}
|
|
global $lang, $simpleldap, $username, $password_hash, $email_attribute, $phone_attribute;
|
|
|
|
// oops - the password is getting escaped earlier in the process, and we don't want that
|
|
// when it goes to the ldap server. So remove the slashes for this purpose.
|
|
$pword = stripslashes($pword);
|
|
|
|
$auth = false;
|
|
$authreturn=array();
|
|
if ($uname != "" && $pword != "")
|
|
{
|
|
$userinfo = simpleldap_authenticate($uname, $pword);
|
|
|
|
debug("LDAP: \$userinfo = " . print_r($userinfo, true));
|
|
|
|
if ($userinfo) { $auth = true; }
|
|
}
|
|
|
|
|
|
|
|
if ($auth)
|
|
{
|
|
$usersuffix = $simpleldap['usersuffix'];
|
|
$addsuffix = ($usersuffix=="") ? "" : (substr($usersuffix,0,1)=="." ? "" : ".") . $usersuffix;
|
|
$username = $uname . $addsuffix;
|
|
$password_hash = rs_password_hash("RSLDAP" . $uname . $addsuffix . $pword);
|
|
$user = ps_query("SELECT ref, approved, account_expires FROM user WHERE username = ?", ['s', $username]);
|
|
|
|
$email = $userinfo["email"];
|
|
$phone = $userinfo["phone"];
|
|
$displayname = $userinfo['displayname'];
|
|
|
|
debug ("LDAP - got user details email: " . $email . ", telephone: " . $phone);
|
|
|
|
// figure out group
|
|
$group = $simpleldap['fallbackusergroup'];
|
|
$groupmatch="";
|
|
$grouplist = ps_query("select * from simpleldap_groupmap");
|
|
if (count($grouplist)>0 && $userinfo['group']!="")
|
|
{
|
|
for ($i = 0; $i < count($grouplist); $i++)
|
|
{
|
|
if (($userinfo['group'] == $grouplist[$i]['ldapgroup']) && is_numeric($grouplist[$i]['rsgroup']))
|
|
{
|
|
$group = $grouplist[$i]['rsgroup'];
|
|
$groupmatch=$userinfo['group'];
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
if (count($user) > 0)
|
|
{
|
|
$userid = $user[0]["ref"];
|
|
$expires = $user[0]["account_expires"];
|
|
if ($expires != "" && $expires != "0000-00-00 00:00:00" && strtotime($expires)<=time())
|
|
{
|
|
$result['error']=$lang["accountexpired"];
|
|
return $result;
|
|
}
|
|
if ($user[0]["approved"] != 1)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
// user exists, so update info
|
|
if($simpleldap['update_group'])
|
|
{
|
|
ps_query("update user set origin='simpleldap', password = ?, usergroup = ?, fullname= ?, email= ?, telephone= ? where ref = ?",
|
|
[
|
|
's', $password_hash,
|
|
'i', $group,
|
|
's', $displayname,
|
|
's', $email,
|
|
's', $phone,
|
|
'i', $userid
|
|
]
|
|
);
|
|
|
|
}
|
|
else
|
|
{
|
|
ps_query("update user set origin='simpleldap', password = ?, fullname= ?, email= ?, telephone= ? where ref = ?",
|
|
[
|
|
's', $password_hash,
|
|
's', $displayname,
|
|
's', $email,
|
|
's', $phone,
|
|
'i', $userid
|
|
]
|
|
);
|
|
}
|
|
return true;
|
|
}
|
|
else
|
|
{
|
|
// user authenticated, but does not exist, so adopt/create if necessary
|
|
if ($simpleldap['createusers'] || $simpleldap['create_new_match_email'])
|
|
{
|
|
$email_matches= ps_query("select ref, username, fullname from user where email= ?", ['s', $email]);
|
|
|
|
if(count($email_matches)>0)
|
|
{
|
|
if(count($email_matches)==1 && $simpleldap['create_new_match_email'])
|
|
{
|
|
// We want adopt this matching account - update the username and details to match the new login credentials
|
|
debug("LDAP - user authenticated with matching email for existing user . " . $email . ", updating user account " . $email_matches[0]["username"] . " to new username " . $username);
|
|
if($simpleldap['update_group'])
|
|
{
|
|
ps_query("update user set origin='simpleldap',username= ?, password= ?, fullname= ?,email= ?,telephone= ?,usergroup= ?,comments=concat(comments,'\n', ?) where ref= ?",
|
|
[
|
|
's', $username,
|
|
's', $password_hash,
|
|
's', $displayname,
|
|
's', $email,
|
|
's', $phone,
|
|
'i', $group,
|
|
's', date("Y-m-d") . " " . $lang["simpleldap_usermatchcomment"] ,
|
|
'i', $email_matches[0]["ref"]
|
|
]
|
|
);
|
|
}
|
|
else
|
|
{
|
|
ps_query("update user set origin='simpleldap',username= ?, password= ?, fullname= ?,email= ?,telephone= ?,comments=concat(comments,'\n', ?) where ref= ?",
|
|
[
|
|
's', $username,
|
|
's', $password_hash,
|
|
's', $displayname,
|
|
's', $email,
|
|
's', $phone,
|
|
's', date("Y-m-d") . " " . $lang["simpleldap_usermatchcomment"] ,
|
|
'i', $email_matches[0]["ref"]
|
|
]
|
|
);
|
|
}
|
|
return true;
|
|
}
|
|
|
|
if (isset($simpleldap['notification_email']) && $simpleldap['notification_email']!="")
|
|
{
|
|
// Already account(s) with this email address, notify the administrator
|
|
global $lang, $baseurl, $email_from;
|
|
debug("LDAP - user authenticated with matching email for existing users: " . $email);
|
|
$emailtext=$lang['simpleldap_multiple_email_match_text'] . " " . $email . "<br /><br />";
|
|
$emailtext.="<table class=\"InfoTable\" border=1>";
|
|
$emailtext.="<tr><th>" . $lang["property-name"] . "</th><th>" . $lang["property-reference"] . "</th><th>" . $lang["username"] . "</th></tr>";
|
|
foreach($email_matches as $email_match)
|
|
{
|
|
$emailtext.="<tr><td><a href=\"" . $baseurl . "/?u=" . $email_match["ref"] . "\" target=\"_blank\">" . $email_match["fullname"] . "</a></td><td><a href=\"" . $baseurl . "/?u=" . $email_match["ref"] . "\" target=\"_blank\">" . $email_match["ref"] . "</a></td><td>" . $email_match["username"] . "</td></tr>\n";
|
|
}
|
|
|
|
$emailtext.="</table>";
|
|
send_mail($simpleldap['notification_email'],$lang['simpleldap_multiple_email_match_subject'],$emailtext,$email_from);
|
|
}
|
|
|
|
|
|
if(!$simpleldap['allow_duplicate_email'])
|
|
{
|
|
// We are blocking accounts with the same email
|
|
$authreturn["error"]=$lang['simpleldap_duplicate_email_error'];
|
|
return $authreturn;
|
|
}
|
|
}
|
|
|
|
if(!$simpleldap['createusers'])
|
|
{
|
|
return false;
|
|
}
|
|
|
|
// Create the user
|
|
$ref=new_user($username);
|
|
if (!$ref) { echo "returning false!"; exit; return false;} // this shouldn't ever happen
|
|
|
|
if($groupmatch=="" && isset($simpleldap['notification_email']) && $simpleldap['notification_email']!="")
|
|
{
|
|
global $lang, $baseurl, $email_from;
|
|
// send email advising that a new user has been created but that there is no mapping for the groups
|
|
debug("LDAP - new user but no mapping configured");
|
|
$emailtext=$lang['simpleldap_no_group_match'] . "<br /><br />";
|
|
$emailtext.= "<a href=\"" . $baseurl . "/?u=" . $ref . "\" target=\"_blank\">" . $displayname . " (" . $email . ")</a><br /><br />";
|
|
$emailtext.= $lang['simpleldap_usermemberof'] . "<br /><br />";
|
|
if(is_array($userinfo["memberof"]))
|
|
{
|
|
$emailtext.="<ul>";
|
|
foreach($userinfo["memberof"] as $memberofgroup)
|
|
{
|
|
$emailtext.= "<li>" . $memberofgroup . "</li>";
|
|
}
|
|
$emailtext.="</ul>";
|
|
}
|
|
send_mail($simpleldap['notification_email'],$lang['simpleldap_no_group_match_subject'],$emailtext,$email_from);
|
|
}
|
|
|
|
|
|
// Update with information from LDAP
|
|
$rsgroupname=ps_value("select name value from usergroup where ref=?", array("i",$group), '');
|
|
ps_query("update user set origin='simpleldap', password= ?, fullname= ?,email= ?,telephone= ?,usergroup= ?,comments= ? where ref= ?",
|
|
[
|
|
's', $password_hash,
|
|
's', $displayname,
|
|
's', $email,
|
|
's', $phone,
|
|
'i', $group,
|
|
's', $lang["simpleldap_usercomment"] . (($groupmatch!="")?"\r\nLDAP group: " . $groupmatch:"") . "\r\nAdded to RS group " . $rsgroupname . "(" . $group . ")",
|
|
'i', $ref
|
|
]
|
|
);
|
|
|
|
|
|
return true;
|
|
}
|
|
else
|
|
{
|
|
// user creation is disabled, so return false
|
|
return false;
|
|
}
|
|
|
|
}
|
|
|
|
|
|
} else {
|
|
// user is not authorized
|
|
return false;
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|