From b883eca49dab571b7ec7521447c46d5c34e1e6e9 Mon Sep 17 00:00:00 2001 From: Ralf Becker Date: Fri, 13 May 2005 15:58:10 +0000 Subject: [PATCH] new auth_ads class: - only needs host- and domain-name - needs NO extra account on the ADS host - can be used with accounts in SQL or LDAP to auto-create autheticated users - new param to lowercase the user-names before auto-creating them (to deal with case-insensitve and case-sensitive system) --- phpgwapi/inc/class.auth_ads.inc.php | 124 ++++++++++------------------ phpgwapi/inc/class.sessions.inc.php | 6 +- setup/lang/phpgw_de.lang | 10 ++- setup/lang/phpgw_en.lang | 8 +- setup/templates/default/config.tpl | 18 +++- 5 files changed, 79 insertions(+), 87 deletions(-) diff --git a/phpgwapi/inc/class.auth_ads.inc.php b/phpgwapi/inc/class.auth_ads.inc.php index daf6db97a2..5531a9d991 100644 --- a/phpgwapi/inc/class.auth_ads.inc.php +++ b/phpgwapi/inc/class.auth_ads.inc.php @@ -36,80 +36,68 @@ return False; } - if(!$ldap = @ldap_connect($GLOBALS['phpgw_info']['server']['ldap_host'])) + if(!$ldap = @ldap_connect($GLOBALS['egw_info']['server']['ads_host'])) { - $GLOBALS['phpgw']->log->message('F-Abort, Failed connecting to LDAP server for authenication, execution stopped'); - $GLOBALS['phpgw']->log->commit(); + //echo "

Failed connecting to ADS server '".$GLOBALS['egw_info']['server']['ads_host']."' for authenication, execution stopped

\n"; + $GLOBALS['egw']->log->message('F-Abort, Failed connecting to ADS server for authenication, execution stopped'); + $GLOBALS['egw']->log->commit(); return False; } + //echo "

Connected to LDAP server '".$GLOBALS['egw_info']['server']['ads_host']."' for authenication

\n"; - if($GLOBALS['phpgw_info']['server']['ldap_version3']) - { - ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); - } + ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); + ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); /* Login with the LDAP Admin. User to find the User DN. */ - if(!@ldap_bind($ldap, $GLOBALS['phpgw_info']['server']['ldap_root_dn'], $GLOBALS['phpgw_info']['server']['ldap_root_pw'])) + if(!@ldap_bind($ldap,$username.'@'.$GLOBALS['egw_info']['server']['ads_domain'],$passwd)) { + //echo "

Cant bind with '$username@".$GLOBALS['egw_info']['server']['ads_domain']."' with PW '$passwd' !!!

\n"; return False; } - /* find the dn for this uid, the uid is not always in the dn */ - #$attributes = array('samaccountname','dn','givenName','sn','mail','uidNumber','gidNumber'); - $attributes = array('samaccountname','dn','givenName','sn','mail'); - if ($GLOBALS['phpgw_info']['server']['account_repository'] == 'ldap') - { - $filter = "(&(samaccountname=$username)(phpgwaccountstatus=A))"; - } - else - { - $filter = "(samaccountname=$username)"; - } + //echo "

Bind with '$username@".$GLOBALS['egw_info']['server']['ads_domain']."' with PW '$passwd'.

\n"; - $sri = ldap_search($ldap, $GLOBALS['phpgw_info']['server']['ldap_context'], $filter, $attributes); + $attributes = array('samaccountname','givenName','sn','mail'); + $filter = "(samaccountname=$username)"; + // automatic create dn from domain: domain.com ==> DC=domain,DC=com + $base_dn = array(); + foreach(explode('.',$GLOBALS['egw_info']['server']['ads_domain']) as $dc) + { + $base_dn[] = 'DC='.$dc; + } + $base_dn = implode(',',$base_dn); + + //echo "

Trying ldap_search(,$base_dn,$filter,".print_r($attributes,true)."

\n"; + $sri = ldap_search($ldap, $base_dn, $filter, $attributes); $allValues = ldap_get_entries($ldap, $sri); + //_debug_array($allValues); if ($allValues['count'] > 0) { - if($GLOBALS['phpgw_info']['server']['case_sensitive_username'] == true) + if($GLOBALS['egw_info']['server']['case_sensitive_username'] == true) { if($allValues[0]['samaccountname'][0] != $username) { return false; } } - /* we only care about the first dn */ - $userDN = $allValues[0]['dn']; - /* - generate a bogus password to pass if the user doesn't give us one - this gets around systems that are anonymous search enabled - */ - if (empty($passwd)) + + $account = CreateObject('phpgwapi.accounts',$username,'u'); + if ($account->account_id) { - $passwd = crypt(microtime()); + return true; } - /* try to bind as the user with user suplied password */ - if (@ldap_bind($ldap, $userDN, $passwd)) + if ($GLOBALS['egw_info']['server']['auto_create_acct']) { - if ($GLOBALS['phpgw_info']['server']['account_repository'] != 'ldap') + // create a global array with all availible info about that account + $GLOBALS['auto_create_acct'] = array(); + foreach(array( + 'givenname' => 'firstname', + 'sn' => 'lastname', + 'mail' => 'email', + ) as $ldap_name => $acct_name) { - $account = CreateObject('phpgwapi.accounts',$username,'u'); - if (!$account->account_id && $GLOBALS['phpgw_info']['server']['auto_create_acct']) - { - // create a global array with all availible info about that account - $GLOBALS['auto_create_acct'] = array(); - foreach(array( - 'givenname' => 'firstname', - 'sn' => 'lastname', - 'mail' => 'email', - ) as $ldap_name => $acct_name) - { - $GLOBALS['auto_create_acct'][$acct_name] = - $GLOBALS['phpgw']->translation->convert($allValues[0][$ldap_name][0],'utf-8'); - } - return True; - } - $data = $account->read_repository(); - return $data['status'] == 'A'; + $GLOBALS['auto_create_acct'][$acct_name] = + $GLOBALS['egw']->translation->convert($allValues[0][$ldap_name][0],'utf-8'); } return True; } 
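Review bot: The empty-password guard the old code ran before binding (`if (empty($passwd)) { $passwd = crypt(microtime()); }`) is removed, and the new `ldap_bind($ldap, $username.'@'.$GLOBALS['egw_info']['server']['ads_domain'], $passwd)` is issued with the caller's `$passwd` as-is; an empty password turns this into an unauthenticated bind, which directory servers commonly accept as an anonymous session, so the search below would still run and the function could return True for any existing samaccountname unless the check that closes just before the hunk already rejects empty passwords. Add `if ($passwd === '') { return False; }` in front of the bind. `$filter = "(samaccountname=$username)"` also interpolates the username unescaped into the search filter, and the case-sensitivity check below relies on that search matching exactly the bound account, so escape the filter metacharacters `( ) * \` and NUL (`ldap_escape($username, '', LDAP_ESCAPE_FILTER)` on PHP >= 5.6) before building it. The commented-out `//echo` debug lines print `$passwd` in clear and would leak it into the page if ever re-enabled; drop them rather than leave them in. The enclosing function starts and ends outside the hunk.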
@@ -120,40 +108,16 @@ function change_password($old_passwd, $new_passwd, $_account_id='') { - if ('' == $_account_id) - { - $_account_id = $GLOBALS['phpgw_info']['user']['account_id']; - } - - $ds = $GLOBALS['phpgw']->common->ldapConnect(); - $sri = ldap_search($ds, $GLOBALS['phpgw_info']['server']['ldap_context'], 'uidnumber=' . (int)$_account_id); - $allValues = ldap_get_entries($ds, $sri); - - $entry['userpassword'] = $this->encrypt_password($new_passwd); - $dn = $allValues[0]['dn']; - - if (!@ldap_modify($ds, $dn, $entry)) - { - return false; - } - $GLOBALS['phpgw']->session->appsession('password','phpgwapi',$new_passwd); - - return $entry['userpassword']; + return false; // Cant change passwd in ADS } function update_lastlogin($_account_id, $ip) { - $entry['phpgwaccountlastlogin'] = time(); - $entry['phpgwaccountlastloginfrom'] = $ip; - - $ds = $GLOBALS['phpgw']->common->ldapConnect(); - $sri = ldap_search($ds, $GLOBALS['phpgw_info']['server']['ldap_context'], 'uidnumber=' . (int)$_account_id); - $allValues = ldap_get_entries($ds, $sri); - - $dn = $allValues[0]['dn']; - $this->previous_login = $allValues[0]['phpgwaccountlastlogin'][0]; - - @ldap_modify($ds, $dn, $entry); + $account =& CreateObject('phpgwapi.accounts',$_account_id,'u'); + $account->read_repository(); + $account->data['lastlogin'] = time(); + $account->data['lastloginfrom'] = $ip; + $account->save_repository(); } } ?> diff --git a/phpgwapi/inc/class.sessions.inc.php b/phpgwapi/inc/class.sessions.inc.php index adf3e77b4b..20baa1c7b8 100644 --- a/phpgwapi/inc/class.sessions.inc.php +++ b/phpgwapi/inc/class.sessions.inc.php 
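Review bot: `update_lastlogin` no longer records the previous login: the removed code set `$this->previous_login` from the directory entry, while the new body reads the repository and overwrites `lastlogin` without keeping the old value, so anything that reads `previous_login` after this call (its readers are not visible from here) gets nothing. Insert `$this->previous_login = $account->data['lastlogin'];` between `$account->read_repository();` and the `time()` assignment. `change_password` now returns false for every call, which fits a domain-controller-backed login, but its three parameters are unused and the comment `// Cant change passwd in ADS` should say that password changes have to be made in the domain itself so callers know why the call is refused. The trailing `?>` can be dropped from this class-only file so stray whitespace after it cannot end up in the output before headers are sent.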
@@ -508,8 +508,12 @@ return False; } - if (!$this->account_id && $GLOBALS['egw_info']['server']['auto_create_acct'] == True) + if (!$this->account_id && $GLOBALS['egw_info']['server']['auto_create_acct']) { + if ($GLOBALS['egw_info']['server']['auto_create_acct'] == 'lowercase') + { + $this->account_lid = strtolower($this->account_lid); + } $this->account_id = $GLOBALS['egw']->accounts->auto_add($this->account_lid, $passwd); } diff --git a/setup/lang/phpgw_de.lang b/setup/lang/phpgw_de.lang index 6dbcd243d1..3f75621b0d 100644 --- a/setup/lang/phpgw_de.lang +++ b/setup/lang/phpgw_de.lang @@ -88,7 +88,7 @@ checking file-permissions of %1 for %2: %3 setup de checking for gd support... setup de Überprüfe die GD Unterstützung... checking php.ini setup de Überprüfe die php.ini Datei checking the egroupware installation setup de Überprüfe die eGroupWare-Installation -click here to return to setup. setup de Hier klicken um zum Setup zurück zu kommen. +click here to return to setup. setup de Hier klicken um zum Setup zurück zu kommen. click here setup de Hier klicken click here to re-run the installation tests setup de zum Wiederholen der Installationstests hier klicken completed setup de Abgeschlossen @@ -153,6 +153,7 @@ do you want persistent connections (higher performance, but consumes more resour do you want to manage homedirectory and loginshell attributes? setup de Wollen Sie Benutzerverzeichnisse und Login-Shell Attribute verwalten? does not exist setup de existiert nicht domain setup de Domain +domain name setup de Name der Domain domain select box on login setup de Domain-Auswahlbox beim Einloggen dont touch my data setup de Meine Daten nicht verändern download setup de Herunterladen @@ -171,7 +172,7 @@ enter the full path for users and group files.
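Review bot: `$GLOBALS['egw_info']['server']['auto_create_acct'] == 'lowercase'` is a loose comparison; if the setting is still stored as boolean `true` anywhere (the removed condition compared it with `== True`), `true == 'lowercase'` evaluates to true in PHP and every auto-created login name is lowercased, not only those configured for it. Use `=== 'lowercase'`. `strtolower()` is byte-wise, so a login name containing non-ASCII letters is only partially lowercased; if such names are expected, `mb_strtolower()` with the installation's charset is the right call. The enclosing function starts and ends outside the hunk.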
examples: /files, e:\files set enter the full path for users and group files.
examples: /files, e:files setup de Vollständiger Pfad für Benutzer- und Gruppendateien.
Beispiel: /files, E:\Files enter the full path to the backup directory.
if empty: files directory setup de Vollständiger Pfad für das Datensicherungsverzeichnis.
Wenn leer: Dateiverzeichnis enter the hostname of the machine on which this server is running setup de Hostname des Computers auf dem der Server läuft -enter the location of egroupware's url.
example: http://www.domain.com/egroupware   or   /egroupware
no trailing slash setup de URL zur eGroupWare Installation.
Beispiel: http://www.domain.com/egroupware   or   /egroupware
keinen nachfolgenden Slash / +enter the location of egroupware's url.
example: http://www.domain.com/egroupware   or   /egroupware
no trailing slash setup de URL zur eGroupWare Installation.
Beispiel: http://www.domain.com/egroupware or /egroupware
keinen nachfolgenden Slash / enter the site password for peer servers setup de Site Passwort für Peer Server enter the site username for peer servers setup de Site Benutzername für Peer Server enter the title for your site setup de Titel der eGroupWare Installation @@ -204,6 +205,7 @@ historylog removed setup de Historylog gel hooks deregistered setup de Haken nicht mehr aktiv hooks registered setup de Haken registriert host information setup de Host Informationen +host/ip domain controler setup de Hostname / IP des Domain Controler hostname/ip of database server setup de Hostname/IP des Datenbank-Servers hour (0-24) setup de Stunde (0-24) however, the application is otherwise installed setup de Wie auch immer, die Anwendung ist ansonsten installiert 
@@ -211,6 +213,7 @@ however, the application may still work setup de Wie auch immer, die Anwendung m if no acl records for user or any group the user is a member of setup de Wenn es keinen ACL-Eintrag für einen Benutzer oder eine Gruppe, der er angehört gibt if safe_mode is turned on, egw is not able to change certain settings on runtime, nor can we load any not yet loaded module. setup de Wenn safe_mode eingeschaltet ist, kann eGW verschiedene Einstellungen nicht mehr zur Laufzeit ändern, noch können wir nicht geladene Erweiterungen (php extensions) laden. if the application has no defined tables, selecting upgrade should remedy the problem setup de Wenn die Anwendung keine definierten Tabellen hat, wählen Sie überarbeiten. Das Problem sollte damit behoben werden. +if using ads (active directory) authentication setup de Wenn Sie ADS (Active Directory) Authentifizierung benutzen if using ldap setup de Wenn Sie LDAP verwenden if using ldap, do you want to manage homedirectory and loginshell attributes? setup de Wenn Sie LDAP verwenden, wollen Sie Benutzerverzeichnisse und Komandointerpreter verwalten ? if you did not receive any errors, your applications have been setup de Wenn Sie keine Fehlermeldungen erhalten, wurden Ihre Anwendungen @@ -482,6 +485,7 @@ writable by the webserver setup de schreibar durch den Webserver write config setup de Konfiguration schreiben year setup de Jahr yes setup de Ja +yes, with lowercase usernames setup de Ja, mit kleingeschriebenen Benutzernamen you appear to be running a pre-beta version of egroupware.
these versions are no longer supported, and there is no upgrade path for them in setup.
you may wish to first upgrade to 0.9.10 (the last version to support pre-beta upgrades)
and then upgrade from there with the current version. setup de Es sieht so aus, als ob Sie eine vor-beta Version von eGroupWare benutzen.
Diese Versionen werden nicht länger unterstützt, und es gibt keinen Aktualisierungs-Pfad für Sie im Einrichtung-Programm.
Sie möchten vieleicht erst auf you appear to be running an old version of php
it its recommend that you upgrade to a new version.
older version of php might not run egroupware correctly, if at all.

please upgrade to at least version %1 setup de Es sieht so aus als ob Sie eine alte PHP-Version benutzen
Es ist notwendig auf eine neue Version zu aktualisieren.
Ältere PHP-Versionen könnten eGroupWare (wenn überhaupt) nicht korrekt ausführen.

Biite aktualisieren Sie mindestens auf Version %1 you appear to be running version %1 of egroupware setup de Es sieht so aus als benutzen Sie Version %1 von eGroupWare @@ -507,7 +511,7 @@ you must enter a username for the admin setup de Sie m you need to add some domains to your header.inc.php. setup de Sie müssen mindestens eine Domain zu Ihrer header.inc.php hinzufügen. you need to select your current charset! setup de Sie müssen Ihren aktuellen Zeichensatz auswählen! you should either uninstall and then reinstall it, or attempt manual repairs setup de Sie sollten entweder de- und neuinstallieren, oder manuelle Reparaturen versuchen -you will need to load the proper schema into your ldap server - see phpgwapi/doc/ldap/readme setup de Sie müssen das entsprechende Schema in Ihren LDAP-Server laden - siehe phpgwapi/doc/ldap/README +you will need to load the proper schema into your ldap server - see phpgwapi/doc/ldap/readme setup de Sie müssen das entsprechende Schema in Ihren LDAP-Server laden - siehe phpgwapi/doc/ldap/README you're using an old configuration file format... setup de Sie verwenden ein altes Format der Konfigurationsdatei ... you're using an old header.inc.php version... setup de Sie verwenden eine alte header.inc.php Version ... your applications are current setup de Ihre Anwendungen sind aktuell diff --git a/setup/lang/phpgw_en.lang b/setup/lang/phpgw_en.lang index 9b32fdfdb1..ab73961a32 100644 --- a/setup/lang/phpgw_en.lang +++ b/setup/lang/phpgw_en.lang 
@@ -87,7 +87,7 @@ checking file-permissions of %1 for %2: %3 setup en Checking file-permissions of checking for gd support... setup en Checking for GD support... checking php.ini setup en Checking php.ini checking the egroupware installation setup en Checking the eGroupWare Installation -click here to return to setup. setup en Click here to return to setup. +click here to return to setup. setup en Click here to return to setup. click here setup en Click Here click here to re-run the installation tests setup en Click here to re-run the installation tests completed setup en Completed @@ -152,6 +152,7 @@ do you want persistent connections (higher performance, but consumes more resour do you want to manage homedirectory and loginshell attributes? setup en Do you want to manage homedirectory and loginshell attributes? does not exist setup en does not exist domain setup en Domain +domain name setup en Domain name domain select box on login setup en Domain select box on login dont touch my data setup en Dont touch my data download setup en Download @@ -200,6 +201,7 @@ historylog removed setup en Historylog removed hooks deregistered setup en hooks deregistered hooks registered setup en hooks registered host information setup en Host information +host/ip domain controler setup en Host/IP Domain controler hostname/ip of database server setup en Hostname/IP of database server hour (0-24) setup en hour (0-24) however, the application is otherwise installed setup en However, the application is otherwise installed 
@@ -207,6 +209,7 @@ however, the application may still work setup en However, the application may st if no acl records for user or any group the user is a member of setup en If no ACL records for user or any group the user is a member of if safe_mode is turned on, egw is not able to change certain settings on runtime, nor can we load any not yet loaded module. setup en If safe_mode is turned on, eGW is not able to change certain settings on runtime, nor can we load any not yet loaded module. if the application has no defined tables, selecting upgrade should remedy the problem setup en If the application has no defined tables, selecting upgrade should remedy the problem +if using ads (active directory) authentication setup en If using ADS (Active Directory) authentication if using ldap setup en If using LDAP if using ldap, do you want to manage homedirectory and loginshell attributes? setup en If using LDAP, do you want to manage homedirectory and loginshell attributes? if you did not receive any errors, your applications have been setup en If you did not receive any errors, your applications have been @@ -477,6 +480,7 @@ writable by the webserver setup en writable by the webserver write config setup en Write config year setup en year yes setup en Yes +yes, with lowercase usernames setup en Yes, with lowercase usernames you appear to be running a pre-beta version of egroupware.
these versions are no longer supported, and there is no upgrade path for them in setup.
you may wish to first upgrade to 0.9.10 (the last version to support pre-beta upgrades)
and then upgrade from there with the current version. setup en You appear to be running a pre-beta version of eGroupWare.
These versions are no longer supported, and there is no upgrade path for them in setup.
You may wish to first upgrade to 0.9.10 (the last version to support pre-beta upgrades)
and then upgrade from there with the current version. you appear to be running an old version of php
it its recommend that you upgrade to a new version.
older version of php might not run egroupware correctly, if at all.

please upgrade to at least version %1 setup en You appear to be running an old version of PHP
It its recommend that you upgrade to a new version.
Older version of PHP might not run eGroupWare correctly, if at all.

Please upgrade to at least version %1 you appear to be running version %1 of egroupware setup en You appear to be running version %1 of eGroupWare @@ -502,7 +506,7 @@ you must enter a username for the admin setup en You must enter a username for t you need to add some domains to your header.inc.php. setup en You need to add some domains to your header.inc.php. you need to select your current charset! setup en You need to select your current charset! you should either uninstall and then reinstall it, or attempt manual repairs setup en You should either uninstall and then reinstall it, or attempt manual repairs -you will need to load the proper schema into your ldap server - see phpgwapi/doc/ldap/readme setup en You will need to load the proper schema into your ldap server - see phpgwapi/doc/ldap/README +you will need to load the proper schema into your ldap server - see phpgwapi/doc/ldap/readme setup en You will need to load the proper schema into your ldap server - see phpgwapi/doc/ldap/README you're using an old configuration file format... setup en You're using an old configuration file format... you're using an old header.inc.php version... setup en You're using an old header.inc.php version... your applications are current setup en Your applications are current diff --git a/setup/templates/default/config.tpl b/setup/templates/default/config.tpl index 0b95f533e3..a295395823 100644 --- a/setup/templates/default/config.tpl +++ b/setup/templates/default/config.tpl @@ -230,6 +230,7 @@ @@ -341,10 +342,25 @@ - +   + + {lang_If_using_ADS_(Active_Directory)_authentication}: + + + {lang_Host/IP_Domain_controler}: + + + + {lang_Domain_name}: + + + + +   + {lang_Mcrypt_settings_(requires_mcrypt_PHP_extension)}