reworked auth classes, to allow them to use each other and a new auth class using a primary backend (ldap) and a fallback (sql)
parent
30e13c4acf
commit
61d26df913
@ -3,6 +3,7 @@
|
|||||||
* eGroupWare API - Authentication baseclass
|
* eGroupWare API - Authentication baseclass
|
||||||
*
|
*
|
||||||
* @link http://www.egroupware.org
|
* @link http://www.egroupware.org
|
||||||
|
* @author Ralf Becker <ralfbecker@outdoor-training.de>
|
||||||
* @author Miles Lott <milos@groupwhere.org>
|
* @author Miles Lott <milos@groupwhere.org>
|
||||||
* @copyright 2004 by Miles Lott <milos@groupwhere.org>
|
* @copyright 2004 by Miles Lott <milos@groupwhere.org>
|
||||||
* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
|
* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
|
||||||
@ -22,7 +23,6 @@ if(empty($GLOBALS['egw_info']['server']['auth_type']))
|
|||||||
$GLOBALS['egw_info']['server']['auth_type'] = 'sql';
|
$GLOBALS['egw_info']['server']['auth_type'] = 'sql';
|
||||||
}
|
}
|
||||||
//error_log('using auth_type='.$GLOBALS['egw_info']['server']['auth_type'].', currentapp='.$GLOBALS['egw_info']['flags']['currentapp']);
|
//error_log('using auth_type='.$GLOBALS['egw_info']['server']['auth_type'].', currentapp='.$GLOBALS['egw_info']['flags']['currentapp']);
|
||||||
include(EGW_API_INC.'/class.auth_'.$GLOBALS['egw_info']['server']['auth_type'].'.inc.php');
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* eGroupWare API - Authentication baseclass, password auth and crypt functions
|
* eGroupWare API - Authentication baseclass, password auth and crypt functions
|
||||||
@ -32,10 +32,55 @@ include(EGW_API_INC.'/class.auth_'.$GLOBALS['egw_info']['server']['auth_type'].'
|
|||||||
*
|
*
|
||||||
* Other functions from class.common.inc.php originally from phpGroupWare
|
* Other functions from class.common.inc.php originally from phpGroupWare
|
||||||
*/
|
*/
|
||||||
class auth extends auth_
|
class auth
|
||||||
{
|
{
|
||||||
static $error;
|
static $error;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Holds instance of backend
|
||||||
|
*
|
||||||
|
* @var auth_backend
|
||||||
|
*/
|
||||||
|
private $backend;
|
||||||
|
|
||||||
|
function __construct()
|
||||||
|
{
|
||||||
|
$backend_class = 'auth_'.$GLOBALS['egw_info']['server']['auth_type'];
|
||||||
|
|
||||||
|
$this->backend = new $backend_class;
|
||||||
|
|
||||||
|
if (!is_a($this->backend,'auth_backend'))
|
||||||
|
{
|
||||||
|
throw new egw_exception_assertion_failed("Auth backend class $backend_class is NO auth_backend!");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* password authentication against password stored in sql datababse
|
||||||
|
*
|
||||||
|
* @param string $username username of account to authenticate
|
||||||
|
* @param string $passwd corresponding password
|
||||||
|
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
|
||||||
|
* @return boolean true if successful authenticated, false otherwise
|
||||||
|
*/
|
||||||
|
function authenticate($username, $passwd, $passwd_type='text')
|
||||||
|
{
|
||||||
|
return $this->backend->authenticate($username, $passwd, $passwd_type);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* changes password in sql datababse
|
||||||
|
*
|
||||||
|
* @param string $old_passwd must be cleartext
|
||||||
|
* @param string $new_passwd must be cleartext
|
||||||
|
* @param int $account_id account id of user whose passwd should be changed
|
||||||
|
* @return boolean true if password successful changed, false otherwise
|
||||||
|
*/
|
||||||
|
function change_password($old_passwd, $new_passwd, $account_id=0)
|
||||||
|
{
|
||||||
|
return $this->backend->change_password($old_passwd, $new_passwd, $account_id);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* return a random string of size $size
|
* return a random string of size $size
|
||||||
*
|
*
|
||||||
@ -471,3 +516,29 @@ class auth extends auth_
|
|||||||
return strcmp($md5_hmac,$db_val) == 0;
|
return strcmp($md5_hmac,$db_val) == 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Interface for authentication backend
|
||||||
|
*/
|
||||||
|
interface auth_backend
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* password authentication against password stored in sql datababse
|
||||||
|
*
|
||||||
|
* @param string $username username of account to authenticate
|
||||||
|
* @param string $passwd corresponding password
|
||||||
|
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
|
||||||
|
* @return boolean true if successful authenticated, false otherwise
|
||||||
|
*/
|
||||||
|
function authenticate($username, $passwd, $passwd_type='text');
|
||||||
|
|
||||||
|
/**
|
||||||
|
* changes password in sql datababse
|
||||||
|
*
|
||||||
|
* @param string $old_passwd must be cleartext
|
||||||
|
* @param string $new_passwd must be cleartext
|
||||||
|
* @param int $account_id account id of user whose passwd should be changed
|
||||||
|
* @return boolean true if password successful changed, false otherwise
|
||||||
|
*/
|
||||||
|
function change_password($old_passwd, $new_passwd, $account_id=0);
|
||||||
|
}
|
||||||
|
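Review bot: In `auth::__construct()` the backend is created with `new $backend_class` before the `is_a($this->backend,'auth_backend')` check, so the constructor of whatever class `'auth_'.$GLOBALS['egw_info']['server']['auth_type']` names has already run when the assertion fails. Validating the name first keeps a mistyped or tampered `auth_type` from constructing an unrelated `auth_*` class: `if (!class_exists($backend_class) || !in_array('auth_backend', class_implements($backend_class)))` followed by the existing `throw`. The docblocks on `auth::authenticate()`, `auth::change_password()` and the `auth_backend` interface still say "password stored in sql datababse", which no longer describes a backend-neutral contract and should be reworded.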
@ -1,112 +1,111 @@
|
|||||||
<?php
|
<?php
|
||||||
/**************************************************************************\
|
/**
|
||||||
* eGroupWare API - Auth from LDAP *
|
* eGroupWare API - ADS Authentication
|
||||||
* This file written by Lars Kneschke <lkneschke@linux-at-work.de> *
|
*
|
||||||
* and Joseph Engo <jengo@phpgroupware.org> *
|
* @link http://www.egroupware.org
|
||||||
* Authentication based on LDAP Server *
|
* @author Ralf Becker <ralfbecker@outdoor-training.de> based on auth_ldap from:
|
||||||
* Copyright (C) 2000, 2001 Joseph Engo *
|
* @author Lars Kneschke <lkneschke@linux-at-work.de>
|
||||||
* Copyright (C) 2002, 2003 Lars Kneschke *
|
* @author Joseph Engo <jengo@phpgroupware.org>
|
||||||
* ------------------------------------------------------------------------ *
|
* Copyright (C) 2000, 2001 Joseph Engo
|
||||||
* This library is part of the eGroupWare API *
|
* Copyright (C) 2002, 2003 Lars Kneschke
|
||||||
* http://www.egroupware.org/api *
|
* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
|
||||||
* ------------------------------------------------------------------------ *
|
* @package api
|
||||||
* This library is free software; you can redistribute it and/or modify it *
|
* @subpackage authentication
|
||||||
* under the terms of the GNU Lesser General Public License as published by *
|
* @version $Id$
|
||||||
* the Free Software Foundation; either version 2.1 of the License, *
|
*/
|
||||||
* or any later version. *
|
|
||||||
* This library is distributed in the hope that it will be useful, but *
|
|
||||||
* WITHOUT ANY WARRANTY; without even the implied warranty of *
|
|
||||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *
|
|
||||||
* See the GNU Lesser General Public License for more details. *
|
|
||||||
* You should have received a copy of the GNU Lesser General Public License *
|
|
||||||
* along with this library; if not, write to the Free Software Foundation, *
|
|
||||||
* Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
|
|
||||||
\**************************************************************************/
|
|
||||||
|
|
||||||
/* $Id$ */
|
/**
|
||||||
|
* Authentication agains a ADS Server
|
||||||
|
*/
|
||||||
|
class auth_ads implements auth_backend
|
||||||
|
{
|
||||||
|
var $previous_login = -1;
|
||||||
|
|
||||||
class auth_
|
/**
|
||||||
|
* password authentication
|
||||||
|
*
|
||||||
|
* @param string $username username of account to authenticate
|
||||||
|
* @param string $passwd corresponding password
|
||||||
|
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
|
||||||
|
* @return boolean true if successful authenticated, false otherwise
|
||||||
|
*/
|
||||||
|
function authenticate($username, $passwd, $passwd_type='text')
|
||||||
{
|
{
|
||||||
var $previous_login = -1;
|
if (preg_match('/[()|&=*,<>!~]/',$username))
|
||||||
|
|
||||||
function authenticate($username, $passwd)
|
|
||||||
{
|
{
|
||||||
if (preg_match('/[()|&=*,<>!~]/',$username))
|
|
||||||
{
|
|
||||||
return False;
|
|
||||||
}
|
|
||||||
|
|
||||||
if(!$ldap = @ldap_connect($GLOBALS['egw_info']['server']['ads_host']))
|
|
||||||
{
|
|
||||||
//echo "<p>Failed connecting to ADS server '".$GLOBALS['egw_info']['server']['ads_host']."' for authenication, execution stopped</p>\n";
|
|
||||||
$GLOBALS['egw']->log->message('F-Abort, Failed connecting to ADS server for authenication, execution stopped');
|
|
||||||
$GLOBALS['egw']->log->commit();
|
|
||||||
return False;
|
|
||||||
}
|
|
||||||
//echo "<p>Connected to LDAP server '".$GLOBALS['egw_info']['server']['ads_host']."' for authenication</p>\n";
|
|
||||||
|
|
||||||
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
|
|
||||||
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
|
|
||||||
|
|
||||||
// bind with username@ads_domain, only if a non-empty password given, in case anonymous search is enabled
|
|
||||||
if(empty($passwd) || !@ldap_bind($ldap,$username.'@'.$GLOBALS['egw_info']['server']['ads_domain'],$passwd))
|
|
||||||
{
|
|
||||||
//echo "<p>Cant bind with '$username@".$GLOBALS['egw_info']['server']['ads_domain']."' with PW '$passwd' !!!</p>\n";
|
|
||||||
return False;
|
|
||||||
}
|
|
||||||
//echo "<p>Bind with '$username@".$GLOBALS['egw_info']['server']['ads_domain']."' with PW '$passwd'.</p>\n";
|
|
||||||
|
|
||||||
$attributes = array('samaccountname','givenName','sn','mail');
|
|
||||||
$filter = "(samaccountname=$username)";
|
|
||||||
// automatic create dn from domain: domain.com ==> DC=domain,DC=com
|
|
||||||
$base_dn = array();
|
|
||||||
foreach(explode('.',$GLOBALS['egw_info']['server']['ads_domain']) as $dc)
|
|
||||||
{
|
|
||||||
$base_dn[] = 'DC='.$dc;
|
|
||||||
}
|
|
||||||
$base_dn = implode(',',$base_dn);
|
|
||||||
|
|
||||||
//echo "<p>Trying ldap_search(,$base_dn,$filter,".print_r($attributes,true)."</p>\n";
|
|
||||||
$sri = ldap_search($ldap, $base_dn, $filter, $attributes);
|
|
||||||
$allValues = ldap_get_entries($ldap, $sri);
|
|
||||||
//_debug_array($allValues);
|
|
||||||
|
|
||||||
if ($allValues['count'] > 0)
|
|
||||||
{
|
|
||||||
if($GLOBALS['egw_info']['server']['case_sensitive_username'] == true)
|
|
||||||
{
|
|
||||||
if($allValues[0]['samaccountname'][0] != $username)
|
|
||||||
{
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if (($id = $GLOBALS['egw']->accounts->name2id($username,'account_lid','u')))
|
|
||||||
{
|
|
||||||
return $GLOBALS['egw']->accounts->id2name($id,'account_status') == 'A';
|
|
||||||
}
|
|
||||||
if ($GLOBALS['egw_info']['server']['auto_create_acct'])
|
|
||||||
{
|
|
||||||
// create a global array with all availible info about that account
|
|
||||||
$GLOBALS['auto_create_acct'] = array();
|
|
||||||
foreach(array(
|
|
||||||
'givenname' => 'firstname',
|
|
||||||
'sn' => 'lastname',
|
|
||||||
'mail' => 'email',
|
|
||||||
) as $ldap_name => $acct_name)
|
|
||||||
{
|
|
||||||
$GLOBALS['auto_create_acct'][$acct_name] =
|
|
||||||
$GLOBALS['egw']->translation->convert($allValues[0][$ldap_name][0],'utf-8');
|
|
||||||
}
|
|
||||||
return True;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
/* dn not found or password wrong */
|
|
||||||
return False;
|
return False;
|
||||||
}
|
}
|
||||||
|
|
||||||
function change_password($old_passwd, $new_passwd, $_account_id='')
|
if(!$ldap = @ldap_connect($GLOBALS['egw_info']['server']['ads_host']))
|
||||||
{
|
{
|
||||||
return false; // Cant change passwd in ADS
|
//echo "<p>Failed connecting to ADS server '".$GLOBALS['egw_info']['server']['ads_host']."' for authenication, execution stopped</p>\n";
|
||||||
|
$GLOBALS['egw']->log->message('F-Abort, Failed connecting to ADS server for authenication, execution stopped');
|
||||||
|
$GLOBALS['egw']->log->commit();
|
||||||
|
return False;
|
||||||
}
|
}
|
||||||
|
//echo "<p>Connected to LDAP server '".$GLOBALS['egw_info']['server']['ads_host']."' for authenication</p>\n";
|
||||||
|
|
||||||
|
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
|
||||||
|
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
|
||||||
|
|
||||||
|
// bind with username@ads_domain, only if a non-empty password given, in case anonymous search is enabled
|
||||||
|
if(empty($passwd) || !@ldap_bind($ldap,$username.'@'.$GLOBALS['egw_info']['server']['ads_domain'],$passwd))
|
||||||
|
{
|
||||||
|
//echo "<p>Cant bind with '$username@".$GLOBALS['egw_info']['server']['ads_domain']."' with PW '$passwd' !!!</p>\n";
|
||||||
|
return False;
|
||||||
|
}
|
||||||
|
//echo "<p>Bind with '$username@".$GLOBALS['egw_info']['server']['ads_domain']."' with PW '$passwd'.</p>\n";
|
||||||
|
|
||||||
|
$attributes = array('samaccountname','givenName','sn','mail');
|
||||||
|
$filter = "(samaccountname=$username)";
|
||||||
|
// automatic create dn from domain: domain.com ==> DC=domain,DC=com
|
||||||
|
$base_dn = array();
|
||||||
|
foreach(explode('.',$GLOBALS['egw_info']['server']['ads_domain']) as $dc)
|
||||||
|
{
|
||||||
|
$base_dn[] = 'DC='.$dc;
|
||||||
|
}
|
||||||
|
$base_dn = implode(',',$base_dn);
|
||||||
|
|
||||||
|
//echo "<p>Trying ldap_search(,$base_dn,$filter,".print_r($attributes,true)."</p>\n";
|
||||||
|
$sri = ldap_search($ldap, $base_dn, $filter, $attributes);
|
||||||
|
$allValues = ldap_get_entries($ldap, $sri);
|
||||||
|
//_debug_array($allValues);
|
||||||
|
|
||||||
|
if ($allValues['count'] > 0)
|
||||||
|
{
|
||||||
|
if($GLOBALS['egw_info']['server']['case_sensitive_username'] == true)
|
||||||
|
{
|
||||||
|
if($allValues[0]['samaccountname'][0] != $username)
|
||||||
|
{
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (($id = $GLOBALS['egw']->accounts->name2id($username,'account_lid','u')))
|
||||||
|
{
|
||||||
|
return $GLOBALS['egw']->accounts->id2name($id,'account_status') == 'A';
|
||||||
|
}
|
||||||
|
if ($GLOBALS['egw_info']['server']['auto_create_acct'])
|
||||||
|
{
|
||||||
|
// create a global array with all availible info about that account
|
||||||
|
$GLOBALS['auto_create_acct'] = array();
|
||||||
|
foreach(array(
|
||||||
|
'givenname' => 'firstname',
|
||||||
|
'sn' => 'lastname',
|
||||||
|
'mail' => 'email',
|
||||||
|
) as $ldap_name => $acct_name)
|
||||||
|
{
|
||||||
|
$GLOBALS['auto_create_acct'][$acct_name] =
|
||||||
|
translation::convert($allValues[0][$ldap_name][0],'utf-8');
|
||||||
|
}
|
||||||
|
return True;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
/* dn not found or password wrong */
|
||||||
|
return False;
|
||||||
}
|
}
|
||||||
?>
|
|
||||||
|
function change_password($old_passwd, $new_passwd, $_account_id=0)
|
||||||
|
{
|
||||||
|
return false; // Cant change passwd in ADS
|
||||||
|
}
|
||||||
|
}
|
||||||
|
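Review bot: `auth_ads::authenticate()` still builds the search filter by interpolation, `$filter = "(samaccountname=$username)"`, and depends on the `preg_match('/[()|&=*,<>!~]/',$username)` deny-list at the top of the method to keep that value safe. A deny-list drifts out of step with the filter grammar easily (backslash and NUL are not covered), so escaping at the point of use is more robust where the PHP version provides it: `$filter = '(samaccountname='.ldap_escape($username, '', LDAP_ESCAPE_FILTER).')';`. The return value of `ldap_search()` is passed straight to `ldap_get_entries()` without a check for `false`. The new `$passwd_type` parameter is not read anywhere in the visible body, which the docblock should state.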
@ -12,7 +12,7 @@
|
|||||||
/**
|
/**
|
||||||
* eGroupWare API - Authentication based on CAS (Central Authetication Service)
|
* eGroupWare API - Authentication based on CAS (Central Authetication Service)
|
||||||
*/
|
*/
|
||||||
class auth_
|
class auth_cas implements auth_backend
|
||||||
{
|
{
|
||||||
var $previous_login = -1;
|
var $previous_login = -1;
|
||||||
|
|
||||||
@ -21,9 +21,10 @@ class auth_
|
|||||||
*
|
*
|
||||||
* @param string $username username of account to authenticate
|
* @param string $username username of account to authenticate
|
||||||
* @param string $passwd corresponding password
|
* @param string $passwd corresponding password
|
||||||
|
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
|
||||||
* @return boolean true if successful authenticated, false otherwise
|
* @return boolean true if successful authenticated, false otherwise
|
||||||
*/
|
*/
|
||||||
function authenticate($username, $passwd)
|
function authenticate($username, $passwd, $passwd_type='text')
|
||||||
{
|
{
|
||||||
/* if program goes here, authenticate is, normaly, already verified by CAS */
|
/* if program goes here, authenticate is, normaly, already verified by CAS */
|
||||||
if ($GLOBALS['egw_info']['server']['account_repository'] != 'ldap' &&
|
if ($GLOBALS['egw_info']['server']['account_repository'] != 'ldap' &&
|
||||||
@ -56,7 +57,7 @@ class auth_
|
|||||||
*
|
*
|
||||||
* @param string $old_passwd must be cleartext or empty to not to be checked
|
* @param string $old_passwd must be cleartext or empty to not to be checked
|
||||||
* @param string $new_passwd must be cleartext
|
* @param string $new_passwd must be cleartext
|
||||||
* @param int $account_id account id of user whose passwd should be changed
|
* @param int $account_id=0 account id of user whose passwd should be changed
|
||||||
* @return boolean true if password successful changed, false otherwise
|
* @return boolean true if password successful changed, false otherwise
|
||||||
*/
|
*/
|
||||||
function change_password($old_passwd, $new_passwd, $account_id=0)
|
function change_password($old_passwd, $new_passwd, $account_id=0)
|
||||||
|
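--- a/phpgwapi/inc/class.auth_fallback.inc.php
+++ b/phpgwapi/inc/class.auth_fallback.inc.php
@@ -0,0 +1,85 @@
+<?php
+/**
+* eGroupWare API - LDAP Authentication with fallback to SQL
+*
+* @link http://www.egroupware.org
+* @author Ralf Becker <ralfbecker@outdoor-training.de>
+* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
+* @package api
+* @subpackage authentication
+* @version $Id$
+*/
+
+/**
+* Authentication agains a LDAP Server with fallback to SQL
+*
+* For other fallback types, simply change auth backends in constructor call
+*/
+class auth_fallback implements auth_backend
+{
+/**
+* Primary auth backend
+*
+* @var auth_backend
+*/
+private $primary_backend;
+
+/**
+* Fallback auth backend
+*
+* @var auth_backend
+*/
+private $fallback_backend;
+
+/**
+* Constructor
+*/
+function __construct($primary='auth_ldap',$fallback='auth_sql')
+{
+$this->primary_backend = new $primary;
+
+$this->fallback_backend = new $fallback;
+}
+
+/**
+* authentication against LDAP with fallback to SQL
+*
+* @param string $username username of account to authenticate
+* @param string $passwd corresponding password
+* @return boolean true if successful authenticated, false otherwise
+*/
+function authenticate($username, $passwd, $passwd_type='text')
+{
+if ($this->primary_backend->authenticate($username, $passwd, $passwd_type))
+{
+egw_cache::setSession(__CLASS__,'backend_used','primary');
+return true;
+}
+if ($this->fallback_backend->authenticate($username,$passwd, $passwd_type))
+{
+egw_cache::setSession(__CLASS__,'backend_used','fallback');
+return true;
+}
+return false;
+}
+
+/**
+* changes password in LDAP
+*
+* If $old_passwd is given, the password change is done binded as user and NOT with the
+* "root" dn given in the configurations.
+*
+* @param string $old_passwd must be cleartext or empty to not to be checked
+* @param string $new_passwd must be cleartext
+* @param int $account_id account id of user whose passwd should be changed
+* @return boolean true if password successful changed, false otherwise
+*/
+function change_password($old_passwd, $new_passwd, $account_id=0)
+{
+if (egw_cache::getSession(__CLASS__,'backend_used') == 'primary')
+{
+return $this->primary_backend->change_password($old_passwd, $new_passwd, $account_id);
+}
+return $this->fallback_backend->change_password($old_passwd, $new_passwd, $account_id);
+}
+}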
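Review bot: `auth_fallback::authenticate()` tries the fallback backend whenever the primary returns false, which covers the primary deliberately rejecting the credentials as well as the primary being unreachable. An account that was disabled or had its password changed in LDAP can therefore still log in with an older password left in SQL, and every attempt is checked against both stores. If that is intended (for example for local-only accounts) the class docblock should say so; otherwise the fallback should be limited to accounts absent from the primary or to primary-unavailable errors, which the boolean `auth_backend::authenticate()` contract cannot express today. Separately, `__construct()` runs `new $primary` and `new $fallback` without the `auth_backend` check that `auth::__construct()` performs, and `change_password()` selects the backend from the session's `backend_used`, which describes the logged-in user rather than the `$account_id` being changed.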
@ -1,47 +1,54 @@
|
|||||||
<?php
|
<?php
|
||||||
/**************************************************************************\
|
/**
|
||||||
* eGroupWare API - Auth from HTTP *
|
* eGroupWare API - Authentication based on HTTP auth
|
||||||
* This file written by Dan Kuykendall <seek3r@phpgroupware.org> *
|
*
|
||||||
* and Joseph Engo <jengo@phpgroupware.org> *
|
* @link http://www.egroupware.org
|
||||||
* Authentication based on HTTP auth *
|
* @author Dan Kuykendall <seek3r@phpgroupware.org>
|
||||||
* Copyright (C) 2000, 2001 Dan Kuykendall *
|
* @author Joseph Engo <jengo@phpgroupware.org>
|
||||||
* ------------------------------------------------------------------------ *
|
* Copyright (C) 2000, 2001 Dan Kuykendall
|
||||||
* This library is part of the eGroupWare API *
|
* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
|
||||||
* http://www.egroupware.org/api *
|
* @package api
|
||||||
* ------------------------------------------------------------------------ *
|
* @subpackage authentication
|
||||||
* This library is free software; you can redistribute it and/or modify it *
|
* @version $Id$
|
||||||
* under the terms of the GNU Lesser General Public License as published by *
|
*/
|
||||||
* the Free Software Foundation; either version 2.1 of the License, *
|
|
||||||
* or any later version. *
|
|
||||||
* This library is distributed in the hope that it will be useful, but *
|
|
||||||
* WITHOUT ANY WARRANTY; without even the implied warranty of *
|
|
||||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *
|
|
||||||
* See the GNU Lesser General Public License for more details. *
|
|
||||||
* You should have received a copy of the GNU Lesser General Public License *
|
|
||||||
* along with this library; if not, write to the Free Software Foundation, *
|
|
||||||
* Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
|
|
||||||
\**************************************************************************/
|
|
||||||
|
|
||||||
/* $Id$ */
|
/**
|
||||||
|
* Authentication based on HTTP auth
|
||||||
|
*/
|
||||||
|
class auth_http implements auth_backend
|
||||||
|
{
|
||||||
|
var $previous_login = -1;
|
||||||
|
|
||||||
class auth_
|
/**
|
||||||
|
* password authentication
|
||||||
|
*
|
||||||
|
* @param string $username username of account to authenticate
|
||||||
|
* @param string $passwd corresponding password
|
||||||
|
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
|
||||||
|
* @return boolean true if successful authenticated, false otherwise
|
||||||
|
*/
|
||||||
|
function authenticate($username, $passwd, $passwd_type='text')
|
||||||
{
|
{
|
||||||
var $previous_login = -1;
|
if (isset($_SERVER['PHP_AUTH_USER']))
|
||||||
|
|
||||||
function authenticate($username, $passwd)
|
|
||||||
{
|
{
|
||||||
if (isset($_SERVER['PHP_AUTH_USER']))
|
return True;
|
||||||
{
|
|
||||||
return True;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
return False;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
else
|
||||||
function change_password($old_passwd, $new_passwd)
|
|
||||||
{
|
{
|
||||||
return False;
|
return False;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* changes password
|
||||||
|
*
|
||||||
|
* @param string $old_passwd must be cleartext or empty to not to be checked
|
||||||
|
* @param string $new_passwd must be cleartext
|
||||||
|
* @param int $account_id account id of user whose passwd should be changed
|
||||||
|
* @return boolean true if password successful changed, false otherwise
|
||||||
|
*/
|
||||||
|
function change_password($old_passwd, $new_passwd, $account_id=0)
|
||||||
|
{
|
||||||
|
return False;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
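Review bot: `auth_http::authenticate()` returns `True` as soon as `$_SERVER['PHP_AUTH_USER']` is set and never compares it with `$username`, so the result says nothing about the account the caller asked about. PHP can populate `PHP_AUTH_USER` from the request's `Authorization` header, so this backend is only sound when the web server itself enforces HTTP authentication on every entry point; that precondition belongs in the class docblock. A minimal tightening would be `return isset($_SERVER['PHP_AUTH_USER']) && $_SERVER['PHP_AUTH_USER'] === $username;`, assuming callers pass the HTTP user name as `$username`, which is not visible here.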
@ -3,11 +3,12 @@
|
|||||||
* eGroupWare API - LDAP Authentication
|
* eGroupWare API - LDAP Authentication
|
||||||
*
|
*
|
||||||
* @link http://www.egroupware.org
|
* @link http://www.egroupware.org
|
||||||
|
* @author Ralf Becker <ralfbecker@outdoor-training.de>
|
||||||
* @author Lars Kneschke <lkneschke@linux-at-work.de>
|
* @author Lars Kneschke <lkneschke@linux-at-work.de>
|
||||||
* @author Joseph Engo <jengo@phpgroupware.org>
|
* @author Joseph Engo <jengo@phpgroupware.org>
|
||||||
* Copyright (C) 2000, 2001 Joseph Engo
|
* Copyright (C) 2000, 2001 Joseph Engo
|
||||||
* Copyright (C) 2002, 2003 Lars Kneschke
|
* Copyright (C) 2002, 2003 Lars Kneschke
|
||||||
* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
|
* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
|
||||||
* @package api
|
* @package api
|
||||||
* @subpackage authentication
|
* @subpackage authentication
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
@ -16,7 +17,7 @@
|
|||||||
/**
|
/**
|
||||||
* Authentication agains a LDAP Server
|
* Authentication agains a LDAP Server
|
||||||
*/
|
*/
|
||||||
class auth_
|
class auth_ldap implements auth_backend
|
||||||
{
|
{
|
||||||
var $previous_login = -1;
|
var $previous_login = -1;
|
||||||
|
|
||||||
@ -27,13 +28,13 @@ class auth_
|
|||||||
* @param string $passwd corresponding password
|
* @param string $passwd corresponding password
|
||||||
* @return boolean true if successful authenticated, false otherwise
|
* @return boolean true if successful authenticated, false otherwise
|
||||||
*/
|
*/
|
||||||
function authenticate($username, $passwd)
|
function authenticate($username, $passwd, $passwd_type='text')
|
||||||
{
|
{
|
||||||
// allow non-ascii in username & password
|
// allow non-ascii in username & password
|
||||||
$username = $GLOBALS['egw']->translation->convert($username,$GLOBALS['egw']->translation->charset(),'utf-8');
|
$username = translation::convert($username,translation::charset(),'utf-8');
|
||||||
$passwd = $GLOBALS['egw']->translation->convert($passwd,$GLOBALS['egw']->translation->charset(),'utf-8');
|
$passwd = translation::convert($passwd,translation::charset(),'utf-8');
|
||||||
|
|
||||||
if(!$ldap = $GLOBALS['egw']->common->ldapConnect())
|
if(!$ldap = common::ldapConnect())
|
||||||
{
|
{
|
||||||
$GLOBALS['egw']->log->message('F-Abort, Failed connecting to LDAP server for authenication, execution stopped');
|
$GLOBALS['egw']->log->message('F-Abort, Failed connecting to LDAP server for authenication, execution stopped');
|
||||||
$GLOBALS['egw']->log->commit();
|
$GLOBALS['egw']->log->commit();
|
||||||
@ -90,7 +91,7 @@ class auth_
|
|||||||
) as $ldap_name => $acct_name)
|
) as $ldap_name => $acct_name)
|
||||||
{
|
{
|
||||||
$GLOBALS['auto_create_acct'][$acct_name] =
|
$GLOBALS['auto_create_acct'][$acct_name] =
|
||||||
$GLOBALS['egw']->translation->convert($allValues[0][$ldap_name][0],'utf-8');
|
translation::convert($allValues[0][$ldap_name][0],'utf-8');
|
||||||
}
|
}
|
||||||
return True;
|
return True;
|
||||||
}
|
}
|
||||||
@ -123,15 +124,15 @@ class auth_
|
|||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
$username = $GLOBALS['egw']->translation->convert($GLOBALS['egw']->accounts->id2name($account_id),
|
$username = translation::convert($GLOBALS['egw']->accounts->id2name($account_id),
|
||||||
$GLOBALS['egw']->translation->charset(),'utf-8');
|
translation::charset(),'utf-8');
|
||||||
}
|
}
|
||||||
//echo "<p>auth_ldap::change_password('$old_password','$new_passwd',$account_id) username='$username'</p>\n";
|
//echo "<p>auth_ldap::change_password('$old_password','$new_passwd',$account_id) username='$username'</p>\n";
|
||||||
|
|
||||||
$filter = $GLOBALS['egw_info']['server']['ldap_search_filter'] ? $GLOBALS['egw_info']['server']['ldap_search_filter'] : '(uid=%user)';
|
$filter = $GLOBALS['egw_info']['server']['ldap_search_filter'] ? $GLOBALS['egw_info']['server']['ldap_search_filter'] : '(uid=%user)';
|
||||||
$filter = str_replace(array('%user','%domain'),array($username,$GLOBALS['egw_info']['user']['domain']),$filter);
|
$filter = str_replace(array('%user','%domain'),array($username,$GLOBALS['egw_info']['user']['domain']),$filter);
|
||||||
|
|
||||||
$ds = $GLOBALS['egw']->common->ldapConnect();
|
$ds = common::ldapConnect();
|
||||||
$sri = ldap_search($ds, $GLOBALS['egw_info']['server']['ldap_context'], $filter);
|
$sri = ldap_search($ds, $GLOBALS['egw_info']['server']['ldap_context'], $filter);
|
||||||
$allValues = ldap_get_entries($ds, $sri);
|
$allValues = ldap_get_entries($ds, $sri);
|
||||||
|
|
||||||
@ -142,7 +143,7 @@ class auth_
|
|||||||
|
|
||||||
if($old_passwd) // if old password given (not called by admin) --> bind as that user to change the pw
|
if($old_passwd) // if old password given (not called by admin) --> bind as that user to change the pw
|
||||||
{
|
{
|
||||||
$ds = $GLOBALS['egw']->common->ldapConnect('',$dn,$old_passwd);
|
$ds = common::ldapConnect('',$dn,$old_passwd);
|
||||||
}
|
}
|
||||||
if (!@ldap_modify($ds, $dn, $entry))
|
if (!@ldap_modify($ds, $dn, $entry))
|
||||||
{
|
{
|
||||||
|
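Review bot: The docblock above `auth_ldap::authenticate()` (hunk at old line 27) was not updated for the new `$passwd_type='text'` parameter, unlike the other backends touched in this commit; add `* @param string $passwd_type='text' 'text' for cleartext passwords (default)`. Because an LDAP bind needs the cleartext password, the docblock should also state what happens for any other `$passwd_type`. The method body continues outside the hunk, so whether the parameter is read at all cannot be confirmed from here.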
@ -1,92 +1,99 @@
|
|||||||
<?php
|
<?php
|
||||||
/**************************************************************************\
|
/**
|
||||||
* eGroupWare API - Auth from Mail server *
|
* eGroupWare API - Authentication agains mail server
|
||||||
* This file written by Dan Kuykendall <seek3r@phpgroupware.org> *
|
*
|
||||||
* Authentication based on mail server *
|
* @link http://www.egroupware.org
|
||||||
* Copyright (C) 2000, 2001 Dan Kuykendall *
|
* @author Dan Kuykendall <seek3r@phpgroupware.org>
|
||||||
* ------------------------------------------------------------------------ *
|
* Copyright (C) 2000, 2001 Dan Kuykendall
|
||||||
* This library is part of the eGroupWare API *
|
* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
|
||||||
* http://www.egroupware.org/api *
|
* @package api
|
||||||
* ------------------------------------------------------------------------ *
|
* @subpackage authentication
|
||||||
* This library is free software; you can redistribute it and/or modify it *
|
* @version $Id$
|
||||||
* under the terms of the GNU Lesser General Public License as published by *
|
*/
|
||||||
* the Free Software Foundation; either version 2.1 of the License, *
|
|
||||||
* or any later version. *
|
|
||||||
* This library is distributed in the hope that it will be useful, but *
|
|
||||||
* WITHOUT ANY WARRANTY; without even the implied warranty of *
|
|
||||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *
|
|
||||||
* See the GNU Lesser General Public License for more details. *
|
|
||||||
* You should have received a copy of the GNU Lesser General Public License *
|
|
||||||
* along with this library; if not, write to the Free Software Foundation, *
|
|
||||||
* Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
|
|
||||||
\**************************************************************************/
|
|
||||||
|
|
||||||
/* $Id$ */
|
/**
|
||||||
|
* Authentication agains mail server
|
||||||
|
*/
|
||||||
|
class auth_mail implements auth_backend
|
||||||
|
{
|
||||||
|
var $previous_login = -1;
|
||||||
|
|
||||||
class auth_
|
/**
|
||||||
|
* password authentication
|
||||||
|
*
|
||||||
|
* @param string $username username of account to authenticate
|
||||||
|
* @param string $passwd corresponding password
|
||||||
|
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
|
||||||
|
* @return boolean true if successful authenticated, false otherwise
|
||||||
|
*/
|
||||||
|
function authenticate($username, $passwd, $passwd_type='text')
|
||||||
{
|
{
|
||||||
var $previous_login = -1;
|
$notls = '/notls';
|
||||||
|
if ($GLOBALS['egw_info']['server']['mail_login_type'] == 'vmailmgr')
|
||||||
function authenticate($username, $passwd)
|
|
||||||
{
|
{
|
||||||
$notls = '/notls';
|
$username = $username . '@' . $GLOBALS['egw_info']['server']['mail_suffix'];
|
||||||
if ($GLOBALS['egw_info']['server']['mail_login_type'] == 'vmailmgr')
|
}
|
||||||
{
|
if ($GLOBALS['egw_info']['server']['mail_server_type']=='imap')
|
||||||
$username = $username . '@' . $GLOBALS['egw_info']['server']['mail_suffix'];
|
{
|
||||||
}
|
$GLOBALS['egw_info']['server']['mail_port'] = '143';
|
||||||
if ($GLOBALS['egw_info']['server']['mail_server_type']=='imap')
|
}
|
||||||
{
|
elseif ($GLOBALS['egw_info']['server']['mail_server_type']=='pop3')
|
||||||
$GLOBALS['egw_info']['server']['mail_port'] = '143';
|
{
|
||||||
}
|
$GLOBALS['egw_info']['server']['mail_port'] = '110';
|
||||||
elseif ($GLOBALS['egw_info']['server']['mail_server_type']=='pop3')
|
}
|
||||||
{
|
elseif ($GLOBALS['egw_info']['server']['mail_server_type']=='imaps')
|
||||||
$GLOBALS['egw_info']['server']['mail_port'] = '110';
|
{
|
||||||
}
|
$GLOBALS['egw_info']['server']['mail_port'] = '993';
|
||||||
elseif ($GLOBALS['egw_info']['server']['mail_server_type']=='imaps')
|
$notls = '';
|
||||||
{
|
}
|
||||||
$GLOBALS['egw_info']['server']['mail_port'] = '993';
|
elseif ($GLOBALS['egw_info']['server']['mail_server_type']=='pop3s')
|
||||||
$notls = '';
|
{
|
||||||
}
|
$GLOBALS['egw_info']['server']['mail_port'] = '995';
|
||||||
elseif ($GLOBALS['egw_info']['server']['mail_server_type']=='pop3s')
|
|
||||||
{
|
|
||||||
$GLOBALS['egw_info']['server']['mail_port'] = '995';
|
|
||||||
}
|
|
||||||
|
|
||||||
if( $GLOBALS['egw_info']['server']['mail_server_type']=='pop3')
|
|
||||||
{
|
|
||||||
$mailauth = imap_open('{'.$GLOBALS['egw_info']['server']['mail_server'].'/pop3'
|
|
||||||
.':'.$GLOBALS['egw_info']['server']['mail_port'].'}INBOX', $username , $passwd);
|
|
||||||
}
|
|
||||||
elseif ( $GLOBALS['egw_info']['server']['mail_server_type']=='imaps' )
|
|
||||||
{
|
|
||||||
// IMAPS support:
|
|
||||||
$mailauth = imap_open('{'.$GLOBALS['egw_info']['server']['mail_server']."/ssl/novalidate-cert"
|
|
||||||
.':993}INBOX', $username , $passwd);
|
|
||||||
}
|
|
||||||
elseif ( $GLOBALS['egw_info']['server']['mail_server_type']=='pop3s' )
|
|
||||||
{
|
|
||||||
// POP3S support:
|
|
||||||
$mailauth = imap_open('{'.$GLOBALS['egw_info']['server']['mail_server']."/ssl/novalidate-cert"
|
|
||||||
.':995}INBOX', $username , $passwd);
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
/* assume imap */
|
|
||||||
$mailauth = imap_open('{'.$GLOBALS['egw_info']['server']['mail_server']
|
|
||||||
.':'.$GLOBALS['egw_info']['server']['mail_port'].$notls.'}INBOX', $username , $passwd);
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($mailauth == False)
|
|
||||||
{
|
|
||||||
return False;
|
|
||||||
}
|
|
||||||
imap_close($mailauth);
|
|
||||||
|
|
||||||
return True;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function change_password($old_passwd, $new_passwd)
|
if( $GLOBALS['egw_info']['server']['mail_server_type']=='pop3')
|
||||||
|
{
|
||||||
|
$mailauth = imap_open('{'.$GLOBALS['egw_info']['server']['mail_server'].'/pop3'
|
||||||
|
.':'.$GLOBALS['egw_info']['server']['mail_port'].'}INBOX', $username , $passwd);
|
||||||
|
}
|
||||||
|
elseif ( $GLOBALS['egw_info']['server']['mail_server_type']=='imaps' )
|
||||||
|
{
|
||||||
|
// IMAPS support:
|
||||||
|
$mailauth = imap_open('{'.$GLOBALS['egw_info']['server']['mail_server']."/ssl/novalidate-cert"
|
||||||
|
.':993}INBOX', $username , $passwd);
|
||||||
|
}
|
||||||
|
elseif ( $GLOBALS['egw_info']['server']['mail_server_type']=='pop3s' )
|
||||||
|
{
|
||||||
|
// POP3S support:
|
||||||
|
$mailauth = imap_open('{'.$GLOBALS['egw_info']['server']['mail_server']."/ssl/novalidate-cert"
|
||||||
|
.':995}INBOX', $username , $passwd);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
/* assume imap */
|
||||||
|
$mailauth = imap_open('{'.$GLOBALS['egw_info']['server']['mail_server']
|
||||||
|
.':'.$GLOBALS['egw_info']['server']['mail_port'].$notls.'}INBOX', $username , $passwd);
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($mailauth == False)
|
||||||
{
|
{
|
||||||
return False;
|
return False;
|
||||||
}
|
}
|
||||||
|
imap_close($mailauth);
|
||||||
|
|
||||||
|
return True;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* changes password
|
||||||
|
*
|
||||||
|
* @param string $old_passwd must be cleartext or empty to not to be checked
|
||||||
|
* @param string $new_passwd must be cleartext
|
||||||
|
* @param int $account_id=0 account id of user whose passwd should be changed
|
||||||
|
* @return boolean true if password successful changed, false otherwise
|
||||||
|
*/
|
||||||
|
function change_password($old_passwd, $new_passwd, $account_id=0)
|
||||||
|
{
|
||||||
|
return False;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@ -1,60 +1,67 @@
|
|||||||
<?php
|
<?php
|
||||||
/**************************************************************************\
|
/**
|
||||||
* eGroupWare API - Auth from NIS *
|
* eGroupWare API - Auth from NIS
|
||||||
* Authentication based on NIS maps *
|
*
|
||||||
* by Dylan Adams <dadams@jhu.edu> *
|
* @link http://www.egroupware.org
|
||||||
* Copyright (C) 2001 Dylan Adams *
|
* @author * by Dylan Adams <dadams@jhu.edu>
|
||||||
* ------------------------------------------------------------------------ *
|
* Copyright (C) 2001 Dylan Adams
|
||||||
* This library is part of the eGroupWare API *
|
* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
|
||||||
* http://www.egroupware.org/api *
|
* @package api
|
||||||
* ------------------------------------------------------------------------ *
|
* @subpackage authentication
|
||||||
* This library is free software; you can redistribute it and/or modify it *
|
* @version $Id$
|
||||||
* under the terms of the GNU Lesser General Public License as published by *
|
*/
|
||||||
* the Free Software Foundation; either version 2.1 of the License, *
|
|
||||||
* or any later version. *
|
|
||||||
* This library is distributed in the hope that it will be useful, but *
|
|
||||||
* WITHOUT ANY WARRANTY; without even the implied warranty of *
|
|
||||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *
|
|
||||||
* See the GNU Lesser General Public License for more details. *
|
|
||||||
* You should have received a copy of the GNU Lesser General Public License *
|
|
||||||
* along with this library; if not, write to the Free Software Foundation, *
|
|
||||||
* Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
|
|
||||||
\**************************************************************************/
|
|
||||||
|
|
||||||
/* $Id$ */
|
/**
|
||||||
|
* Auth from NIS
|
||||||
class auth_
|
*/
|
||||||
|
class auth_nis implements auth_backend
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* password authentication
|
||||||
|
*
|
||||||
|
* @param string $username username of account to authenticate
|
||||||
|
* @param string $passwd corresponding password
|
||||||
|
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
|
||||||
|
* @return boolean true if successful authenticated, false otherwise
|
||||||
|
*/
|
||||||
|
function authenticate($username, $passwd, $passwd_type='text')
|
||||||
{
|
{
|
||||||
function authenticate($username, $passwd)
|
$domain = yp_get_default_domain();
|
||||||
|
if(!empty($GLOBALS['egw_info']['server']['nis_domain']))
|
||||||
{
|
{
|
||||||
$domain = yp_get_default_domain();
|
$domain = $GLOBALS['egw_info']['server']['nis_domain'];
|
||||||
if(!empty($GLOBALS['egw_info']['server']['nis_domain']))
|
|
||||||
{
|
|
||||||
$domain = $GLOBALS['egw_info']['server']['nis_domain'];
|
|
||||||
}
|
|
||||||
|
|
||||||
$map = "passwd.byname";
|
|
||||||
if(!empty($GLOBALS['egw_info']['server']['nis_map']))
|
|
||||||
{
|
|
||||||
$map = $GLOBALS['egw_info']['server']['nis_map'];
|
|
||||||
}
|
|
||||||
$entry = yp_match( $domain, $map, $username );
|
|
||||||
|
|
||||||
/*
|
|
||||||
* we assume that the map is structured in the usual
|
|
||||||
* unix passwd flavor
|
|
||||||
*/
|
|
||||||
$entry_array = explode(':', $entry);
|
|
||||||
$stored_passwd = $entry_array[1];
|
|
||||||
|
|
||||||
$encrypted_passwd = crypt($passwd, $stored_passwd);
|
|
||||||
|
|
||||||
return($encrypted_passwd == $stored_passwd);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function change_password($old_passwd, $new_passwd, $account_id='')
|
$map = "passwd.byname";
|
||||||
|
if(!empty($GLOBALS['egw_info']['server']['nis_map']))
|
||||||
{
|
{
|
||||||
// can't change passwords unless server runs as root (bad idea)
|
$map = $GLOBALS['egw_info']['server']['nis_map'];
|
||||||
return( False );
|
|
||||||
}
|
}
|
||||||
|
$entry = yp_match( $domain, $map, $username );
|
||||||
|
|
||||||
|
/*
|
||||||
|
* we assume that the map is structured in the usual
|
||||||
|
* unix passwd flavor
|
||||||
|
*/
|
||||||
|
$entry_array = explode(':', $entry);
|
||||||
|
$stored_passwd = $entry_array[1];
|
||||||
|
|
||||||
|
$encrypted_passwd = crypt($passwd, $stored_passwd);
|
||||||
|
|
||||||
|
return($encrypted_passwd == $stored_passwd);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* changes password
|
||||||
|
*
|
||||||
|
* @param string $old_passwd must be cleartext or empty to not to be checked
|
||||||
|
* @param string $new_passwd must be cleartext
|
||||||
|
* @param int $account_id=0 account id of user whose passwd should be changed
|
||||||
|
* @return boolean true if password successful changed, false otherwise
|
||||||
|
*/
|
||||||
|
function change_password($old_passwd, $new_passwd, $account_id=0)
|
||||||
|
{
|
||||||
|
// can't change passwords unless server runs as root (bad idea)
|
||||||
|
return( False );
|
||||||
|
}
|
||||||
|
}
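Review bot: `authenticate()` never checks that `yp_match()` found an entry, and it compares the two hashes with a loose `==`. When the lookup fails, `explode(':', $entry)` has no index 1 and `crypt()` is called with an empty salt, so the outcome depends on how the platform's crypt handles that. I would return early with `if ($entry === false) return false;` and reject an empty password field before hashing. The last line would be safer as `return $encrypted_passwd === $stored_passwd;`, or a constant-time comparison where the PHP version offers one. The new `$passwd_type` argument is accepted but never used, which deserves a line in the docblock.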
|
||||||
|
@ -1,39 +1,49 @@
|
|||||||
<?php
|
<?php
|
||||||
/**************************************************************************\
|
/**
|
||||||
* eGroupWare API - Auth from PAM *
|
* eGroupWare API - Auth from PAM
|
||||||
* ------------------------------------------------------------------------ *
|
*
|
||||||
* This library is part of the eGroupWare API *
|
* @link http://www.egroupware.org
|
||||||
* http://www.egroupware.org/api *
|
* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
|
||||||
* ------------------------------------------------------------------------ *
|
* @package api
|
||||||
* This library is free software; you can redistribute it and/or modify it *
|
* @subpackage authentication
|
||||||
* under the terms of the GNU Lesser General Public License as published by *
|
* @version $Id$
|
||||||
* the Free Software Foundation; either version 2.1 of the License, *
|
*/
|
||||||
* or any later version. *
|
|
||||||
* This library is distributed in the hope that it will be useful, but *
|
|
||||||
* WITHOUT ANY WARRANTY; without even the implied warranty of *
|
|
||||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *
|
|
||||||
* See the GNU Lesser General Public License for more details. *
|
|
||||||
* You should have received a copy of the GNU Lesser General Public License *
|
|
||||||
* along with this library; if not, write to the Free Software Foundation, *
|
|
||||||
* Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
|
|
||||||
\**************************************************************************/
|
|
||||||
|
|
||||||
/* $Id$ */
|
/**
|
||||||
|
* Auth from PAM
|
||||||
class auth_
|
*
|
||||||
|
* Requires php_pam extension!
|
||||||
|
*/
|
||||||
|
class auth_pam implements auth_backend
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* password authentication
|
||||||
|
*
|
||||||
|
* @param string $username username of account to authenticate
|
||||||
|
* @param string $passwd corresponding password
|
||||||
|
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
|
||||||
|
* @return boolean true if successful authenticated, false otherwise
|
||||||
|
*/
|
||||||
|
function authenticate($username, $passwd, $passwd_type='text')
|
||||||
{
|
{
|
||||||
function authenticate($username, $passwd)
|
if (pam_auth($username, get_magic_quotes_gpc() ? stripslashes($passwd) : $passwd, &$error))
|
||||||
{
|
{
|
||||||
if (pam_auth($username, get_magic_quotes_gpc() ? stripslashes($passwd) : $passwd, &$error))
|
return True;
|
||||||
{
|
|
||||||
return True;
|
|
||||||
}
|
|
||||||
return False;
|
|
||||||
}
|
|
||||||
|
|
||||||
function change_password($old_passwd, $new_passwd, $account_id='')
|
|
||||||
{
|
|
||||||
// deny password changes.
|
|
||||||
return False;
|
|
||||||
}
|
}
|
||||||
|
return False;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* changes password
|
||||||
|
*
|
||||||
|
* @param string $old_passwd must be cleartext or empty to not to be checked
|
||||||
|
* @param string $new_passwd must be cleartext
|
||||||
|
* @param int $account_id=0 account id of user whose passwd should be changed
|
||||||
|
* @return boolean true if password successful changed, false otherwise
|
||||||
|
*/
|
||||||
|
function change_password($old_passwd, $new_passwd, $account_id=0)
|
||||||
|
{
|
||||||
|
// deny password changes.
|
||||||
|
return False;
|
||||||
|
}
|
||||||
|
}
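Review bot: The reason PAM gives for a rejected login is written to `$error` and then dropped, so a failed attempt through this backend leaves nothing for an operator to review unless the caller logs it. I would record it, without the password, before the `return False;`, for example `error_log('auth_pam: login failed for '.$username.': '.$error);`. The call also passes `&$error` at the call site, which PHP has deprecated as call-time pass-by-reference; if the extension declares that argument by reference, plain `$error` is enough. As in the NIS backend, `$passwd_type` is accepted but ignored.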
|
||||||
|
@ -3,6 +3,7 @@
|
|||||||
* eGroupWare API - Authentication from SQL
|
* eGroupWare API - Authentication from SQL
|
||||||
*
|
*
|
||||||
* @link http://www.egroupware.org
|
* @link http://www.egroupware.org
|
||||||
|
* @author Ralf Becker <ralfbecker@outdoor-training.de>
|
||||||
* @author Dan Kuykendall <seek3r@phpgroupware.org>
|
* @author Dan Kuykendall <seek3r@phpgroupware.org>
|
||||||
* @author Joseph Engo <jengo@phpgroupware.org>
|
* @author Joseph Engo <jengo@phpgroupware.org>
|
||||||
* Copyright (C) 2000, 2001 Dan Kuykendall
|
* Copyright (C) 2000, 2001 Dan Kuykendall
|
||||||
@ -20,7 +21,7 @@
|
|||||||
*
|
*
|
||||||
* Massive code cleanup and added password migration by Cornelius Weiss <egw@von-und-zu-weiss.de
|
* Massive code cleanup and added password migration by Cornelius Weiss <egw@von-und-zu-weiss.de
|
||||||
*/
|
*/
|
||||||
class auth_
|
class auth_sql implements auth_backend
|
||||||
{
|
{
|
||||||
/**
|
/**
|
||||||
* Reference to the global db object
|
* Reference to the global db object
|
||||||
@ -31,7 +32,7 @@ class auth_
|
|||||||
var $table = 'egw_accounts';
|
var $table = 'egw_accounts';
|
||||||
var $previous_login = -1;
|
var $previous_login = -1;
|
||||||
|
|
||||||
function auth_()
|
function __construct()
|
||||||
{
|
{
|
||||||
$this->db = $GLOBALS['egw']->db;
|
$this->db = $GLOBALS['egw']->db;
|
||||||
|
|
||||||
@ -141,7 +142,7 @@ class auth_
|
|||||||
}
|
}
|
||||||
|
|
||||||
// old password ok, or admin called the function from the admin application (no old passwd available).
|
// old password ok, or admin called the function from the admin application (no old passwd available).
|
||||||
return $this->_update_passwd($this->encrypt_sql($new_passwd),$new_passwd,$account_id,$admin);
|
return $this->_update_passwd(auth::encrypt_sql($new_passwd),$new_passwd,$account_id,$admin);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -1,88 +1,101 @@
|
|||||||
<?php
|
<?php
|
||||||
/**************************************************************************\
|
/**
|
||||||
* eGroupWare API - Auth from SQL, with optional SSL authentication *
|
* eGroupWare API - Authentication based on SQL table and X.509 certificates
|
||||||
* This file written by Andreas 'Count' Kotes <count@flatline.de> *
|
*
|
||||||
* Authentication based on SQL table and X.509 certificates *
|
* @link http://www.egroupware.org
|
||||||
* Copyright (C) 2000, 2001 Dan Kuykendall *
|
* @author Andreas 'Count' Kotes <count@flatline.de>
|
||||||
* ------------------------------------------------------------------------ *
|
* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
|
||||||
* This library is part of the eGroupWare API *
|
* @package api
|
||||||
* http://www.egroupware.org/api *
|
* @subpackage authentication
|
||||||
* ------------------------------------------------------------------------ *
|
* @version $Id$
|
||||||
* This library is free software; you can redistribute it and/or modify it *
|
*/
|
||||||
* under the terms of the GNU Lesser General Public License as published by *
|
|
||||||
* the Free Software Foundation; either version 2.1 of the License, *
|
|
||||||
* or any later version. *
|
|
||||||
* This library is distributed in the hope that it will be useful, but *
|
|
||||||
* WITHOUT ANY WARRANTY; without even the implied warranty of *
|
|
||||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *
|
|
||||||
* See the GNU Lesser General Public License for more details. *
|
|
||||||
* You should have received a copy of the GNU Lesser General Public License *
|
|
||||||
* along with this library; if not, write to the Free Software Foundation, *
|
|
||||||
* Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
|
|
||||||
\**************************************************************************/
|
|
||||||
|
|
||||||
/* $Id$ */
|
/**
|
||||||
|
* Authentication based on SQL table and X.509 certificates
|
||||||
|
*
|
||||||
|
* @todo rewrite using auth_sql backend class
|
||||||
|
*/
|
||||||
|
class auth_sqlssl implements auth_backend
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @var egw_db
|
||||||
|
*/
|
||||||
|
var $db;
|
||||||
|
var $table = 'egw_accounts';
|
||||||
|
var $previous_login = -1;
|
||||||
|
|
||||||
class auth_
|
/**
|
||||||
|
* Constructor
|
||||||
|
*/
|
||||||
|
function __construct()
|
||||||
{
|
{
|
||||||
var $db = '';
|
$this->db = $GLOBALS['egw']->db;
|
||||||
var $previous_login = -1;
|
|
||||||
|
|
||||||
function auth_()
|
|
||||||
{
|
|
||||||
$this->db = clone($GLOBALS['egw']->db);
|
|
||||||
$this->db->set_app('phpgwapi');
|
|
||||||
$this->table = 'egw_accounts';
|
|
||||||
}
|
|
||||||
|
|
||||||
function authenticate($username, $passwd)
|
|
||||||
{
|
|
||||||
$local_debug = False;
|
|
||||||
|
|
||||||
if($local_debug)
|
|
||||||
{
|
|
||||||
echo "<b>Debug SQL: uid - $username passwd - $passwd</b>";
|
|
||||||
}
|
|
||||||
$this->db->select($this->table,'account_lid,account_pwd',array(
|
|
||||||
'account_lid' => $username,
|
|
||||||
'account_status' => 'A',
|
|
||||||
'account_type' => 'u',
|
|
||||||
),__LINE__,__FILE__);
|
|
||||||
|
|
||||||
if (!$this->db->next_record() || $GLOBALS['egw_info']['server']['case_sensitive_username'] && $this->db->f('account_lid') != $username)
|
|
||||||
{
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Apache + mod_ssl provide the data in the environment
|
|
||||||
# Certificate (chain) verification occurs inside mod_ssl
|
|
||||||
# see http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6
|
|
||||||
if(!isset($_SERVER['SSL_CLIENT_S_DN']))
|
|
||||||
{
|
|
||||||
# if we're not doing SSL authentication, behave like auth_sql
|
|
||||||
return $this->compare_password($passwd,$this->db->f('account_pwd'),$this->type,strtolower($username));
|
|
||||||
}
|
|
||||||
return True;
|
|
||||||
}
|
|
||||||
|
|
||||||
function change_password($old_passwd, $new_passwd, $account_id = '')
|
|
||||||
{
|
|
||||||
if(!$account_id)
|
|
||||||
{
|
|
||||||
$account_id = $GLOBALS['egw_info']['user']['account_id'];
|
|
||||||
}
|
|
||||||
|
|
||||||
$encrypted_passwd = $this->encrypt_sql($new_passwd);
|
|
||||||
|
|
||||||
$GLOBALS['egw']->db->update($this->table,array(
|
|
||||||
'account_pwd' => $encrypted_passwd,
|
|
||||||
'account_lastpwd_change' => time(),
|
|
||||||
),array(
|
|
||||||
'account_id' => $account_id,
|
|
||||||
),__LINE__,__FILE__);
|
|
||||||
|
|
||||||
$GLOBALS['egw']->session->appsession('password','phpgwapi',$new_passwd);
|
|
||||||
|
|
||||||
return $encrypted_passwd;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* password authentication
|
||||||
|
*
|
||||||
|
* @param string $username username of account to authenticate
|
||||||
|
* @param string $passwd corresponding password
|
||||||
|
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
|
||||||
|
* @return boolean true if successful authenticated, false otherwise
|
||||||
|
*/
|
||||||
|
function authenticate($username, $passwd, $passwd_type='text')
|
||||||
|
{
|
||||||
|
$local_debug = False;
|
||||||
|
|
||||||
|
if($local_debug)
|
||||||
|
{
|
||||||
|
echo "<b>Debug SQL: uid - $username passwd - $passwd</b>";
|
||||||
|
}
|
||||||
|
$this->db->select($this->table,'account_lid,account_pwd',array(
|
||||||
|
'account_lid' => $username,
|
||||||
|
'account_status' => 'A',
|
||||||
|
'account_type' => 'u',
|
||||||
|
),__LINE__,__FILE__);
|
||||||
|
|
||||||
|
if (!$this->db->next_record() || $GLOBALS['egw_info']['server']['case_sensitive_username'] && $this->db->f('account_lid') != $username)
|
||||||
|
{
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Apache + mod_ssl provide the data in the environment
|
||||||
|
# Certificate (chain) verification occurs inside mod_ssl
|
||||||
|
# see http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6
|
||||||
|
if(!isset($_SERVER['SSL_CLIENT_S_DN']))
|
||||||
|
{
|
||||||
|
# if we're not doing SSL authentication, behave like auth_sql
|
||||||
|
return auth::compare_password($passwd,$this->db->f('account_pwd'),$this->type,strtolower($username));
|
||||||
|
}
|
||||||
|
return True;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* changes password
|
||||||
|
*
|
||||||
|
* @param string $old_passwd must be cleartext or empty to not to be checked
|
||||||
|
* @param string $new_passwd must be cleartext
|
||||||
|
* @param int $account_id=0 account id of user whose passwd should be changed
|
||||||
|
* @return boolean true if password successful changed, false otherwise
|
||||||
|
*/
|
||||||
|
function change_password($old_passwd, $new_passwd, $account_id = 0)
|
||||||
|
{
|
||||||
|
if(!$account_id)
|
||||||
|
{
|
||||||
|
$account_id = $GLOBALS['egw_info']['user']['account_id'];
|
||||||
|
}
|
||||||
|
|
||||||
|
$encrypted_passwd = auth::encrypt_sql($new_passwd);
|
||||||
|
|
||||||
|
$GLOBALS['egw']->db->update($this->table,array(
|
||||||
|
'account_pwd' => $encrypted_passwd,
|
||||||
|
'account_lastpwd_change' => time(),
|
||||||
|
),array(
|
||||||
|
'account_id' => $account_id,
|
||||||
|
),__LINE__,__FILE__);
|
||||||
|
|
||||||
|
$GLOBALS['egw']->session->appsession('password','phpgwapi',$new_passwd);
|
||||||
|
|
||||||
|
return $encrypted_passwd;
|
||||||
|
}
|
||||||
|
}
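Review bot: In `authenticate()` the branch taken when `$_SERVER['SSL_CLIENT_S_DN']` is set returns `True` without comparing anything in the certificate to `$username`, so the password check is skipped for whichever active account name was submitted. The certificate subject needs to be bound to the account before that return, for instance by matching the DN (or a field of it) against a value stored for the `account_lid` row that was just selected, and using `compare_password()` when it does not match. It is also worth confirming that mod_ssl reported a verified certificate, `if ($_SERVER['SSL_CLIENT_VERIFY'] !== 'SUCCESS') return false;`, since the comments rely on verification happening in the web server configuration. Separately, `$this->type` is passed to `compare_password()`, but the class as shown declares only `$db`, `$table` and `$previous_login`.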
|
||||||
|
@ -218,6 +218,7 @@
|
|||||||
<option value="nis"{selected_auth_type_nis}>NIS</option>
|
<option value="nis"{selected_auth_type_nis}>NIS</option>
|
||||||
<option value="pam"{selected_auth_type_pam}>PAM</option>
|
<option value="pam"{selected_auth_type_pam}>PAM</option>
|
||||||
<option value="cas"{selected_auth_type_cas}>CAS</option>
|
<option value="cas"{selected_auth_type_cas}>CAS</option>
|
||||||
|
<option value="fallback"{selected_auth_type_fallback}>Fallback LDAP -> SQL</option>
|
||||||
</select>
|
</select>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
@ -235,6 +236,7 @@
|
|||||||
<option value="http"{selected_auth_type_syncml_http}>HTTP</option>
|
<option value="http"{selected_auth_type_syncml_http}>HTTP</option>
|
||||||
<option value="nis"{selected_auth_type_syncml_nis}>NIS</option>
|
<option value="nis"{selected_auth_type_syncml_nis}>NIS</option>
|
||||||
<option value="pam"{selected_auth_type_syncml_pam}>PAM</option>
|
<option value="pam"{selected_auth_type_syncml_pam}>PAM</option>
|
||||||
|
<option value="fallback"{selected_auth_type_fallback}>Fallback LDAP -> SQL</option>
|
||||||
</select>
|
</select>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
@ -252,6 +254,7 @@
|
|||||||
<option value="http"{selected_auth_type_groupdav_http}>HTTP</option>
|
<option value="http"{selected_auth_type_groupdav_http}>HTTP</option>
|
||||||
<option value="nis"{selected_auth_type_groupdav_nis}>NIS</option>
|
<option value="nis"{selected_auth_type_groupdav_nis}>NIS</option>
|
||||||
<option value="pam"{selected_auth_type_groupdav_pam}>PAM</option>
|
<option value="pam"{selected_auth_type_groupdav_pam}>PAM</option>
|
||||||
|
<option value="fallback"{selected_auth_type_fallback}>Fallback LDAP -> SQL</option>
|
||||||
</select>
|
</select>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
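Review bot: The new option in the SyncML and GroupDAV selects reuses `{selected_auth_type_fallback}`, while every neighbouring option in those selects uses a per-protocol placeholder such as `{selected_auth_type_syncml_pam}` and `{selected_auth_type_groupdav_pam}`. If the placeholders are filled per setting, as the naming suggests, the fallback entry in those two lists would show the selection state of the main auth type instead of its own. I would write `{selected_auth_type_syncml_fallback}` and `{selected_auth_type_groupdav_fallback}` there. All three selects start outside the hunks.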
|
||||||
|