CAS (Central Authentication Service) login for eGroupware

This commit is contained in:
Ralf Becker 2008-11-15 10:54:39 +00:00
parent 04502ddc97
commit fde8fc7b27
7 changed files with 312 additions and 99 deletions

login.php

@ -1,40 +1,92 @@
<?php
/**************************************************************************\
* eGroupWare login *
* http://www.egroupware.org *
* Originaly written by Dan Kuykendall <seek3r@phpgroupware.org> *
* Joseph Engo <jengo@phpgroupware.org> *
* -------------------------------------------- *
* This program is free software; you can redistribute it and/or modify it *
* under the terms of the GNU General Public License as published by the *
* Free Software Foundation; either version 2 of the License, or (at your *
* option) any later version. *
\**************************************************************************/
/**
* eGroupWare - Login
*
* @link http://www.egroupware.org
* @author Dan Kuykendall <seek3r@phpgroupware.org>
* @author Joseph Engo <jengo@phpgroupware.org>
* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
* @package api
* @subpackage authentication
* @version $Id$
*/
/* $Id$ */
$submit = False; // set to some initial value
$submit = False; // set to some initial value
$GLOBALS['egw_info'] = array('flags' => array(
'disable_Template_class' => True,
'login' => True,
'currentapp' => 'login',
));
$GLOBALS['egw_info'] = array('flags' => array(
'disable_Template_class' => True,
'login' => True,
'currentapp' => 'login',
));
if(file_exists('./header.inc.php'))
{
include('./header.inc.php');
if(!function_exists('CreateObject'))
{
Header('Location: setup/index.php');
exit;
}
}
else
if(file_exists('./header.inc.php'))
{
include('./header.inc.php');
if(!function_exists('CreateObject'))
{
Header('Location: setup/index.php');
exit;
}
}
else
{
Header('Location: setup/index.php');
exit;
}
// CAS :
if($GLOBALS['egw_info']['server']['auth_type'] == 'cas')
{
ob_end_clean();
require_once('CAS/CAS.php');
//phpCAS::setDebug('/var/log/log_phpcas.php');
if($GLOBALS['egw_info']['server']['cas_authentication_mode'] == 'Proxy')
{
phpCAS::proxy(CAS_VERSION_2_0,
$GLOBALS['egw_info']['server']['cas_server_host_name'],
(int) $GLOBALS['egw_info']['server']['cas_server_port'],
$GLOBALS['egw_info']['server']['cas_server_uri'] );
}
else
{
phpCAS::client(CAS_VERSION_2_0,
$GLOBALS['egw_info']['server']['cas_server_host_name'],
(int) $GLOBALS['egw_info']['server']['cas_server_port'],
$GLOBALS['egw_info']['server']['cas_server_uri'] );
}
if($GLOBALS['egw_info']['server']['cas_ssl_validation'] == 'PEMCertificate')
{
// Set the certificate of the CAS server (PEM Certificate)
phpCAS::setCasServerCert($GLOBALS['egw_info']['server']['cas_cert']);
}
elseif($GLOBALS['egw_info']['server']['cas_ssl_validation'] == 'CACertificate')
{
// Set the CA certificate of the CAS server
phpCAS::setCasServerCACert($GLOBALS['egw_info']['server']['cas_cert']);
}
elseif($GLOBALS['egw_info']['server']['cas_ssl_validation'] == 'No')
{
// no SSL validation for the CAS server
phpCAS::setNoCasServerValidation();
}
phpCAS::forceAuthentication();
ob_start();
$login = phpCAS::getUser();
$password = phpCAS::retrievePT("imap://".$GLOBALS['egw_info']['server']['mail_server'],$err_code,$output);
$GLOBALS['sessionid'] = $GLOBALS['egw']->session->create($login,$password,'text','u');
/* set auth_cookie */
$GLOBALS['egw']->redirect_link($forward,$extra_vars);
}
else
{
$GLOBALS['egw_info']['server']['template_dir'] = EGW_SERVER_ROOT . '/phpgwapi/templates/' . $GLOBALS['egw_info']['login_template_set'];
// read the images from the login-template-set, not the (maybe not even set) users template-set
@ -345,3 +397,4 @@
}
$GLOBALS['egw']->framework->login_screen($extra_vars);
}
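Review bot: The result of the `$password = phpCAS::retrievePT("imap://"...,$err_code,$output);` line is never checked — `$err_code` and `$output` are filled but not read, and whatever retrievePT returns is handed straight to `session->create()`, so a failed ticket request still creates the session with that value as the password; the call is also made in both modes although only the `Proxy` branch above initialises phpCAS as a proxy, and I would not expect it to succeed after `phpCAS::client()`. The `No` branch of `cas_ssl_validation` calls `setNoCasServerValidation()`, which disables verification of the CAS server's certificate, and deserves a comment saying so, e.g. `// no check of the CAS server certificate at all: test installations only`. `$forward` and `$extra_vars` in the `redirect_link()` call are assigned nowhere in the hunk (the replaced old lines 1-40 do not define them either), so confirm header.inc.php sets them or drop the arguments. The non-CAS `else` branch opened at the end of the hunk continues outside it.
```php
// … unchanged: phpCAS::client()/proxy() setup and server-certificate validation …
phpCAS::forceAuthentication();
ob_start();
$login = phpCAS::getUser();
$password = '';
if($GLOBALS['egw_info']['server']['cas_authentication_mode'] == 'Proxy')
{
	// a proxy ticket for the IMAP server is only obtainable after phpCAS::proxy();
	// retrievePT() reports failure via its return value and $err_code
	$password = phpCAS::retrievePT("imap://".$GLOBALS['egw_info']['server']['mail_server'],$err_code,$output);
	if ($password === false)
	{
		error_log(__FILE__.': CAS proxy ticket retrieval failed, err_code='.$err_code);
		$password = '';
	}
}
$GLOBALS['sessionid'] = $GLOBALS['egw']->session->create($login,$password,'text','u');
// … unchanged: redirect …
```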


@ -1,60 +1,69 @@
<?php
/**************************************************************************\
* eGroupWare *
* http://www.egroupware.org *
* Written by Joseph Engo <jengo@phpgroupware.org> *
* -------------------------------------------- *
* This program is free software; you can redistribute it and/or modify it *
* under the terms of the GNU General Public License as published by the *
* Free Software Foundation; either version 2 of the License, or (at your *
* option) any later version. *
\**************************************************************************/
/**
* eGroupWare - Logout
*
* @link http://www.egroupware.org
* @author Joseph Engo <jengo@phpgroupware.org>
* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
* @package api
* @subpackage authentication
* @version $Id$
*/
/* $Id$ */
$GLOBALS['egw_info'] = array(
'flags' => array(
'disable_Template_class' => True,
'currentapp' => 'logout',
'noheader' => True,
'nofooter' => True,
'nonavbar' => True
)
);
include('./header.inc.php');
$GLOBALS['egw_info'] = array(
'flags' => array(
'disable_Template_class' => True,
'currentapp' => 'logout',
'noheader' => True,
'nofooter' => True,
'nonavbar' => True
)
);
include('./header.inc.php');
$GLOBALS['sessionid'] = get_var('sessionid',array('GET','COOKIE'));
$GLOBALS['kp3'] = get_var('kp3',array('GET','COOKIE'));
$GLOBALS['sessionid'] = get_var('sessionid',array('GET','COOKIE'));
$GLOBALS['kp3'] = get_var('kp3',array('GET','COOKIE'));
$verified = $GLOBALS['egw']->session->verify();
$verified = $GLOBALS['egw']->session->verify();
if(!$redirectTarget = $GLOBALS['egw']->session->appsession('referer', 'login'))
{
$redirectTarget = $GLOBALS['egw_info']['server']['webserver_url'].'/login.php?cd=1&domain='.$GLOBALS['egw_info']['user']['domain'];
}
if(!$redirectTarget = $GLOBALS['egw']->session->appsession('referer', 'login'))
if($verified)
{
$GLOBALS['egw']->hooks->process('logout');
$GLOBALS['egw']->session->destroy($GLOBALS['sessionid'],$GLOBALS['kp3']);
}
else
{
if(is_object($GLOBALS['egw']->log))
{
$redirectTarget = $GLOBALS['egw_info']['server']['webserver_url'].'/login.php?cd=1&domain='.$GLOBALS['egw_info']['user']['domain'];
$GLOBALS['egw']->log->write(array(
'text' => 'W-VerifySession, could not verify session during logout',
'line' => __LINE__,
'file' => __FILE__
));
}
}
$GLOBALS['egw']->session->egw_setcookie('eGW_remember','',0,'/');
$GLOBALS['egw']->session->egw_setcookie('sessionid');
$GLOBALS['egw']->session->egw_setcookie('kp3');
$GLOBALS['egw']->session->egw_setcookie('domain');
if($verified)
{
$GLOBALS['egw']->hooks->process('logout');
$GLOBALS['egw']->session->destroy($GLOBALS['sessionid'],$GLOBALS['kp3']);
}
else
{
if(is_object($GLOBALS['egw']->log))
{
$GLOBALS['egw']->log->write(array(
'text' => 'W-VerifySession, could not verify session during logout',
'line' => __LINE__,
'file' => __FILE__
));
}
}
$GLOBALS['egw']->session->egw_setcookie('eGW_remember','',0,'/');
$GLOBALS['egw']->session->egw_setcookie('sessionid');
$GLOBALS['egw']->session->egw_setcookie('kp3');
$GLOBALS['egw']->session->egw_setcookie('domain');
if($GLOBALS['egw_info']['server']['auth_type'] == 'cas')
{
require_once('CAS/CAS.php');
// $GLOBALS['egw']->redirect($redirectTarget);
phpCAS::client(CAS_VERSION_2_0,
$GLOBALS['egw_info']['server']['cas_server_host_name'],
(int) $GLOBALS['egw_info']['server']['cas_server_port'],
$GLOBALS['egw_info']['server']['cas_server_uri'] );
phpCAS::logout($GLOBALS['egw_info']['server']['webserver_url'].'/login.php?cd=1&domain='.$GLOBALS['egw_info']['user']['domain']);
}
// $GLOBALS['egw']->redirect($redirectTarget);
?>
<head>
<script language="javascript">
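Review bot: The CAS branch rebuilds the login URL inline in `phpCAS::logout(...)` although `$redirectTarget`, holding the same fallback or the stored login referer, is computed earlier in the file and now goes unused because the `$GLOBALS['egw']->redirect($redirectTarget)` call below it stays commented out; `phpCAS::logout($redirectTarget);` would keep both paths in step. The `phpCAS::client(...)` initialisation is a copy of the one in login.php minus the server-certificate configuration, so the two are bound to drift; a small shared helper that configures phpCAS from `$GLOBALS['egw_info']['server']` and is called from both scripts would avoid that. Whether the non-CAS path still reaches the browser-side redirect in the `<script>` block that follows is outside the hunk.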


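--- /dev/null
+++ b/<new-file-path-not-shown-on-page>
@@ -0,0 +1,67 @@
+<?php
+/**
+* eGroupWare API - Authentication from CAS
+*
+* @link http://www.egroupware.org
+* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
+* @package api
+* @subpackage authentication
+* @version $Id$
+*/
+/**
+* eGroupWare API - Authentication based on CAS (Central Authetication Service)
+*/
+class auth_
+{
+var $previous_login = -1;
+/**
+* authentication against CAS
+*
+* @param string $username username of account to authenticate
+* @param string $passwd corresponding password
+* @return boolean true if successful authenticated, false otherwise
+*/
+function authenticate($username, $passwd)
+{
+/* if program goes here, authenticate is, normaly, already verified by CAS */
+if ($GLOBALS['egw_info']['server']['account_repository'] != 'ldap' &&
+$GLOBALS['egw_info']['server']['account_repository'] != 'ldsq') /* For anonymous LDAP connection */
+{
+if (!($id = $GLOBALS['egw']->accounts->name2id($username,'account_lid','u')) &&
+$GLOBALS['egw_info']['server']['auto_create_acct'])
+{
+// create a global array with all availible info about that account
+$GLOBALS['auto_create_acct'] = array();
+foreach(array(
+'givenname' => 'firstname',
+'sn' => 'lastname',
+'uidnumber' => 'id',
+'mail' => 'email',
+'gidnumber' => 'primary_group',
+) as $ldap_name => $acct_name)
+{
+$GLOBALS['auto_create_acct'][$acct_name] = $GLOBALS['egw']->translation->convert($allValues[0][$ldap_name][0],'utf-8');
+}
+return True;
+}
+return $id && $GLOBALS['egw']->accounts->id2name($id,'account_status') == 'A' && phpCAS::checkAuthentication();
+}
+return phpCAS::checkAuthentication();
+}
+/**
+* changes password in CAS
+*
+* @param string $old_passwd must be cleartext or empty to not to be checked
+* @param string $new_passwd must be cleartext
+* @param int $account_id account id of user whose passwd should be changed
+* @return boolean true if password successful changed, false otherwise
+*/
+function change_password($old_passwd, $new_passwd, $account_id=0)
+{
+/* Not allowed */
+return false;
+}
+}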
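Review bot: The auto-create branch of `authenticate()` returns `True` without consulting CAS at all — `phpCAS::checkAuthentication()` is only reached on the other two return paths — so any caller of `session->create()` with a not-yet-existing username gets an account auto-created for it whenever `auto_create_acct` is on; the CAS check should come first, and the CAS-asserted user should be tied to `$username`. In the same branch `$allValues` is never assigned (the `foreach` looks copied from the LDAP backend), so every field of `$GLOBALS['auto_create_acct']` is filled from an undefined index. The class also uses `phpCAS` without a `require_once('CAS/CAS.php')` of its own, relying on the calling script having loaded it; a local require at the top of `authenticate()` would make it safe from other entry points. The rewrite below assumes `session->create()` passes the login name through unchanged; confirm that before keeping the strict comparison.
```php
function authenticate($username, $passwd)
{
	require_once('CAS/CAS.php');
	// CAS is the authority: never vouch for a username CAS did not authenticate
	// NOTE(review): confirm session->create() does not normalise case before calling authenticate()
	if (!phpCAS::checkAuthentication() || phpCAS::getUser() !== $username)
	{
		return false;
	}
	if ($GLOBALS['egw_info']['server']['account_repository'] != 'ldap' &&
		$GLOBALS['egw_info']['server']['account_repository'] != 'ldsq') /* For anonymous LDAP connection */
	{
		if (!($id = $GLOBALS['egw']->accounts->name2id($username,'account_lid','u')) &&
			$GLOBALS['egw_info']['server']['auto_create_acct'])
		{
			// CAS only supplies the login name: leave the other fields for the auto-create hook
			$GLOBALS['auto_create_acct'] = array();
			return True;
		}
		return $id && $GLOBALS['egw']->accounts->id2name($id,'account_status') == 'A';
	}
	return true;
}
// … unchanged: change_password() …
```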


@ -75,6 +75,7 @@ at your request, this script is going to take the evil action of uninstalling al
attempt to use correct mimetype for ftp instead of default 'application/octet-stream' setup de Soll versucht werden den korrekten MIME-typ für FTP zu verwenden statt dem Vorgabewert "application/octet-stream"
authentication / accounts setup de Authentifizierung / Benutzerkonten
authentication type for application setup de Authentifizierungstyp für die Anwendung
authentification mode: setup de Art der Authentifizierung:
auto create account records for authenticated users setup de Benutzerkonten für authentifizierte Benutzer automatisch anlegen
auto login anonymous user setup de Anonymen Benutzer automatisch einlogen
auto-created user accounts expire setup de Automatisch angelegte Benutzerkonten laufen ab in
@ -103,12 +104,17 @@ because of a failed upgrade, or the database is newer than the installed version
because the enable flag for this app is set to 0, or is undefined setup de weil der verfügbar-Eintrag für diese Applikation auf 0 gesetzt oder undefiniert ist
bottom setup de unten
but we <u>highly recommend backing up</u> your tables in case the script causes damage to your data.<br /><strong>these automated scripts can easily destroy your data.</strong> setup de Aber wir <u>raten Ihnen dringend, eine Sicherungskopie</u> anzulegen f&uuml;r den Fall, dass dieses Skript Ihre bestehenden Daten besch&auml;digt!<br /><strong>Diese automatisierten Skripts k&ouml;nnen leicht Ihre Daten besch&auml;digen!.</strong>
ca certificate setup de CA Zertifikat
can not connect to %1 database %2 on host %3 using user %4! setup de Kann nicht zur %1 Datenbank %2 auf Rechner %3 als Benutzer %4 verbinden!
can not connect to ldap server on host %1 using dn %2! setup de Kann nicht zu LDAP Server auf Rechner %1 als DN %2 verbinden!
can not create %1 database %2 on %3 for user %4! setup de Kann keine %1 Datenbank %2 auf Rechner %3 für Benutzer %4 anlegen!
can not create dn %1! setup de Kann DN %1 nicht anlegen!
cancel setup de Abbrechen
cannot create the header.inc.php due to file permission restrictions.<br /> instead you can %1 or %2 the file. setup de Kann die Datei header.inc.php wegen unzureichenden Zugriffsrechten nicht erzeugen.<br />Stattdessen können Sie die Datei %1 oder %2.
cas server host name:<br />example: sso-cas.univ-rennes1.fr setup de CAS Server Host Name: (z.B.: sso-cas-univ-rennes1.fr):
cas server port:<br />example: 443 setup de CAS Server Port (zB. 443):
cas server uri: setup de CAS Server URI:
certificate (pem or ca): setup de Zertifikat (PEM oder CA):
change system-charset setup de Systemzeichensatz wechseln
charset setup de utf-8
charset to convert to setup de Zeichensatz in den konvertiert werden soll
@ -291,6 +297,7 @@ if no acl records for user or any group the user is a member of setup de Wenn es
if safe_mode is turned on, egw is not able to change certain settings on runtime, nor can we load any not yet loaded module. setup de Wenn safe_mode eingeschaltet ist, kann eGW verschiedene Einstellungen nicht mehr zur Laufzeit ändern, noch können wir nicht geladene Erweiterungen (php extensions) laden.
if the application has no defined tables, selecting upgrade should remedy the problem setup de Wenn die Anwendung keine definierten Tabellen hat, wählen Sie überarbeiten. Das Problem sollte damit behoben werden.
if using ads (active directory) authentication setup de Wenn Sie ADS (Active Directory) Authentifizierung benutzen
if using cas (central authentication service): setup de Wenn Sie CAS (Central Authentication Service) benutzen
if using ldap setup de Wenn Sie LDAP verwenden
if using ldap, do you want to manage homedirectory and loginshell attributes? setup de Wenn Sie LDAP verwenden, wollen Sie Benutzerverzeichnisse und Komandointerpreter verwalten ?
if you can only access the docroot choose <b>database</b> for where to store the file content and use same path as for temporary files. setup de Wenn Sie nur die Documentroot erreichen können, wählen Sie bei Inhalt von Dateien speichern <b>Datenbank</b> UND benutzern Sie hier den Pfad für temporäre Dateien.
@ -412,7 +419,10 @@ path to various directories: have to exist and be writeable by the webserver set
pear (%1) is a php repository and is usually in a package called %2. setup de PEAR (%1) ist eine PHP Sammlung und ist überlicherweise in einem Packet namens %2.
pear extensions are required by many egroupware applications, pear itself is the required basis for each extension! setup de PEAR Erweiterungen werden von vielen eGroupware Anwendungen benötigt, PEAR selbst ist die Basis für diese Erweiterungen!
pear%1 is needed by: %2. setup de PEAR%1 wird benötigt von: %2.
pem certificate setup de PEM Zertifikat
persistent connections setup de Permanente Verbindungen
php client setup de PHP Klient
php proxy setup de PHP Proxy
php session handler enabled in php.ini setup de PHP Sitzungshandler aus der php.ini
please check for sql scripts within the application's directory setup de Bitte suchen Sie ein SQL Skript im Verzeichnis der Anwendung
please check read/write permissions on directories, or back up and use another option. setup de Bitte überprüfen Sie die Lese/Schreib-Rechte der Verzeichnisse oder gehen Sie zurück und benutzen eine andere Option.
@ -500,6 +510,7 @@ smtp server port setup de SMTP Server Port
some or all of its tables are missing setup de Einige oder alle Tabellen fehlen
sources deleted/missing setup de Quellen gelöscht/fehlen
sql encryption type setup de SQL-Verschlüsselungstyp für das Passwort (Vorgabe MD5)
ssl validation: setup de SSL Validierung:
standard (login-name identical to egroupware user-name) setup de Standard (Loginname identisch zu eGroupWare Benutzername)
standard mailserver settings (used for mail authentication too) setup de Standard Mailserver Einstellungen (werden auch für die Mail Authentifizierung benutzt)
standard, as defined above setup de Standard, wie darüber definiert


@ -75,6 +75,7 @@ at your request, this script is going to take the evil action of uninstalling al
attempt to use correct mimetype for ftp instead of default 'application/octet-stream' setup en Attempt to use correct mimetype for FTP instead of default 'application/octet-stream'
authentication / accounts setup en Authentication / Accounts
authentication type for application setup en Authentication type for application
authentification mode: setup en Authentification mode:
auto create account records for authenticated users setup en Auto create account records for authenticated users
auto login anonymous user setup en Auto login anonymous user
auto-created user accounts expire setup en Auto-created user accounts expire
@ -103,12 +104,17 @@ because of a failed upgrade, or the database is newer than the installed version
because the enable flag for this app is set to 0, or is undefined setup en because the enable flag for this app is set to 0, or is undefined
bottom setup en bottom
but we <u>highly recommend backing up</u> your tables in case the script causes damage to your data.<br /><strong>these automated scripts can easily destroy your data.</strong> setup en but we <u>highly recommend backing up</u> your tables in case the script causes damage to your data.<br /><strong>These automated scripts can easily destroy your data.</strong>
ca certificate setup en CA certificate
can not connect to %1 database %2 on host %3 using user %4! setup en Can not connect to %1 database %2 on host %3 using user %4!
can not connect to ldap server on host %1 using dn %2! setup en Can not connect to LDAP server on host %1 using DN %2!
can not create %1 database %2 on %3 for user %4! setup en Can not create %1 database %2 on %3 for user %4!
can not create dn %1! setup en Can not create DN %1!
cancel setup en Cancel
cannot create the header.inc.php due to file permission restrictions.<br /> instead you can %1 or %2 the file. setup en Cannot create the header.inc.php due to file permission restrictions.<br /> Instead you can %1 or %2 the file.
cas server host name:<br />example: sso-cas.univ-rennes1.fr setup en cas server host name:<br />example: sso-cas.univ-rennes1.fr
cas server port:<br />example: 443 setup en cas server port:<br />Example: 443
cas server uri: setup en cas server uri:
certificate (pem or ca): setup en Certificate (PEM or CA):
change system-charset setup en Change system-charset
charset setup en utf-8
charset to convert to setup en Charset to convert to
@ -289,6 +295,7 @@ if no acl records for user or any group the user is a member of setup en If no A
if safe_mode is turned on, egw is not able to change certain settings on runtime, nor can we load any not yet loaded module. setup en If safe_mode is turned on, eGW is not able to change certain settings on runtime, nor can we load any not yet loaded module.
if the application has no defined tables, selecting upgrade should remedy the problem setup en If the application has no defined tables, selecting upgrade should remedy the problem
if using ads (active directory) authentication setup en If using ADS (Active Directory) authentication
if using cas (central authentication service): setup en if using cas (Central Authentication Service):
if using ldap setup en If using LDAP
if using ldap, do you want to manage homedirectory and loginshell attributes? setup en If using LDAP, do you want to manage homedirectory and loginshell attributes?
if you can only access the docroot choose <b>database</b> for where to store the file content and use same path as for temporary files. setup en If you can only access the docroot choose <b>Database</b> for where to store the file content AND use same path as for temporary files.
@ -410,7 +417,10 @@ path to various directories: have to exist and be writeable by the webserver set
pear (%1) is a php repository and is usually in a package called %2. setup en PEAR (%1) is a PHP repository and is usually in a package called %2.
pear extensions are required by many egroupware applications, pear itself is the required basis for each extension! setup en PEAR extensions are required by many eGroupware applications, PEAR itself is the required basis for each extension!
pear%1 is needed by: %2. setup en PEAR%1 is needed by: %2.
pem certificate setup en PEM certificate
persistent connections setup en Persistent connections
php client setup en PHP client
php proxy setup en PHP proxy
php session handler enabled in php.ini setup en PHP session handler enabled in php.ini
please check for sql scripts within the application's directory setup en Please check for sql scripts within the application's directory
please check read/write permissions on directories, or back up and use another option. setup en Please check read/write permissions on directories, or back up and use another option.
@ -498,6 +508,7 @@ smtp server port setup en SMTP server port
some or all of its tables are missing setup en Some or all of its tables are missing
sources deleted/missing setup en Sources deleted/missing
sql encryption type setup en SQL encryption type for passwords (default - md5)
ssl validation: setup en SSL validation:
standard (login-name identical to egroupware user-name) setup en standard (login-name identical to eGroupWare user-name)
standard mailserver settings (used for mail authentication too) setup en Standard mailserver settings (used for Mail authentication too)
standard, as defined above setup en Standard, as defined above


@ -638,3 +638,15 @@ your tables will be dropped and you will lose data setup fr Vos tables seront su
your temporary directory '%1' %2 setup fr Votre répertoire temporaire '%1' %2
{db | php(default) | php-restore} setup fr {db | php(par défaut) | php-restore}
{off(default) | on} setup fr {off(par défaut) | on}
authentification mode: setup fr Mode d'authentification :
ca certificate setup fr Certificat CA
cas server host name:<br />example: sso-cas.univ-rennes1.fr setup fr Nom du serveur CAS hôte :<br />Exemple : sso-cas.univ-rennes1.fr
cas server port:<br />Example: 443 setup fr Port du serveur CAS :<br />Exemple : 443
cas server uri: setup fr URI du serveur CAS :
certificate (pem or ca): setup fr Certificat (PEM ou CA) :
if using cas (central authentication service): setup fr Si vous utilisez l'authentification CAS (Central Authentication Service) :
pem certificate setup fr Certificat PEM
php client setup fr php Client
php proxy setup fr php Proxy
ssl validation: setup fr Validation SSL :


@ -216,6 +216,7 @@
<option value="http"{selected_auth_type_http}>HTTP</option>
<option value="nis"{selected_auth_type_nis}>NIS</option>
<option value="pam"{selected_auth_type_pam}>PAM</option>
<option value="cas"{selected_auth_type_cas}>CAS</option>
</select>
</td>
</tr>
@ -464,6 +465,55 @@
</td>
</tr>
<tr class="th">
<td colspan="2"><b>{lang_If_using_CAS_(Central_Authentication_Service):}</b></td>
</tr>
<tr class="row_off">
<td>{lang_CAS_server_host_name:<br />Example:_sso-cas.univ-rennes1.fr}</td>
<td><input name="newsettings[cas_server_host_name]" value="{value_cas_server_host_name}" size="40" /></td>
</tr>
<tr class="row_off">
<td>{lang_CAS_server_port:<br />Example:_443}</td>
<td><input name="newsettings[cas_server_port]" value="{value_cas_server_port}" size="40" /></td>
</tr>
<tr class="row_off">
<td>{lang_CAS_server_uri:}</td>
<td><input name="newsettings[cas_server_uri]" value="{value_cas_server_uri}" size="40" /></td>
</tr>
<tr class="row_off">
<td>{lang_Authentification_mode:}</td>
<td>
<select name="newsettings[cas_authentication_mode]">
<option value="Client"{selected_cas_authentication_mode_Client}>{lang_php_Client}</option>
<option value="Proxy"{selected_cas_authentication_mode_Proxy}>{lang_php_Proxy}</option>
</select>
</td>
</tr>
<tr class="row_off">
<td>{lang_SSL_validation:}</td>
<td>
<select name="newsettings[cas_ssl_validation]">
<option value="No"{selected_cas_ssl_validation_No}>{lang_No}</option>
<option value="PEMCertificate"{selected_cas_ssl_validation_PEMCertificate}>{lang_PEM_Certificate}</option>
<option value="CACertificate"{selected_cas_ssl_validation_CACertificate}>{lang_CA_Certificate}</option>
</select>
</td>
</tr>
<tr class="row_off">
<td>{lang_Certificate_(PEM_or_CA):}</td>
<td><input name="newsettings[cas_cert]" value="{value_cas_cert}" size="40" /></td>
</tr>
<tr class="row_on">
<td colspan="2">&nbsp;</td>
</tr>
<tr class="th">
<td colspan="2"><b>{lang_If_using_ADS_(Active_Directory)_authentication}:</b></td>
</tr>
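Review bot: The `newsettings[cas_ssl_validation]` select lists `No` first and labels it only `{lang_No}`, although login.php maps that value to `setNoCasServerValidation()`, i.e. no verification of the CAS server's certificate; the option text should say that, e.g. a label along the lines of "No (insecure, for testing only)", and one of the certificate-based options would be the better first entry. The `cas_server_port` input is free text while login.php casts it with `(int)`, so an empty or non-numeric value silently becomes port 0; `size="5"` plus the example in the label is a small hint, but a numeric check in the setup code would be the real fix.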