From 61d26df9139ccfc623a8d48ff190a0b12fea88a7 Mon Sep 17 00:00:00 2001 From: Ralf Becker Date: Thu, 28 Jan 2010 04:22:37 +0000 Subject: [PATCH] reworked auth classes, to allow them to use each other and a new auth class using a primary backend (ldap) and a fallback (sql) --- phpgwapi/inc/class.auth.inc.php | 75 ++++++++- phpgwapi/inc/class.auth_ads.inc.php | 201 +++++++++++------------ phpgwapi/inc/class.auth_cas.inc.php | 7 +- phpgwapi/inc/class.auth_fallback.inc.php | 85 ++++++++++ phpgwapi/inc/class.auth_http.inc.php | 81 ++++----- phpgwapi/inc/class.auth_ldap.inc.php | 23 +-- phpgwapi/inc/class.auth_mail.inc.php | 169 ++++++++++--------- phpgwapi/inc/class.auth_nis.inc.php | 109 ++++++------ phpgwapi/inc/class.auth_pam.inc.php | 76 +++++---- phpgwapi/inc/class.auth_sql.inc.php | 7 +- phpgwapi/inc/class.auth_sqlssl.inc.php | 179 ++++++++++---------- setup/templates/default/config.tpl | 3 + 12 files changed, 610 insertions(+), 405 deletions(-) create mode 100644 phpgwapi/inc/class.auth_fallback.inc.php diff --git a/phpgwapi/inc/class.auth.inc.php b/phpgwapi/inc/class.auth.inc.php index 03e62a2ff1..a44866eecc 100644 --- a/phpgwapi/inc/class.auth.inc.php +++ b/phpgwapi/inc/class.auth.inc.php @@ -3,6 +3,7 @@ * eGroupWare API - Authentication baseclass * * @link http://www.egroupware.org + * @author Ralf Becker * @author Miles Lott * @copyright 2004 by Miles Lott * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License @@ -22,7 +23,6 @@ if(empty($GLOBALS['egw_info']['server']['auth_type'])) $GLOBALS['egw_info']['server']['auth_type'] = 'sql'; } //error_log('using auth_type='.$GLOBALS['egw_info']['server']['auth_type'].', currentapp='.$GLOBALS['egw_info']['flags']['currentapp']); -include(EGW_API_INC.'/class.auth_'.$GLOBALS['egw_info']['server']['auth_type'].'.inc.php'); /** * eGroupWare API - Authentication baseclass, password auth and crypt functions 
@@ -32,10 +32,55 @@ include(EGW_API_INC.'/class.auth_'.$GLOBALS['egw_info']['server']['auth_type'].' * * Other functions from class.common.inc.php originally from phpGroupWare */ -class auth extends auth_ +class auth { static $error; + + /** + * Holds instance of backend + * + * @var auth_backend + */ + private $backend; + + function __construct() + { + $backend_class = 'auth_'.$GLOBALS['egw_info']['server']['auth_type']; + + $this->backend = new $backend_class; + + if (!is_a($this->backend,'auth_backend')) + { + throw new egw_exception_assertion_failed("Auth backend class $backend_class is NO auth_backend!"); + } + } + /** + * password authentication against password stored in sql datababse + * + * @param string $username username of account to authenticate + * @param string $passwd corresponding password + * @param string $passwd_type='text' 'text' for cleartext passwords (default) + * @return boolean true if successful authenticated, false otherwise + */ + function authenticate($username, $passwd, $passwd_type='text') + { + return $this->backend->authenticate($username, $passwd, $passwd_type); + } + + /** + * changes password in sql datababse + * + * @param string $old_passwd must be cleartext + * @param string $new_passwd must be cleartext + * @param int $account_id account id of user whose passwd should be changed + * @return boolean true if password successful changed, false otherwise + */ + function change_password($old_passwd, $new_passwd, $account_id=0) + { + return $this->backend->change_password($old_passwd, $new_passwd, $account_id); + } + /** * return a random string of size $size * 
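Review bot: `new $backend_class` runs before anything checks that the configured `auth_type` names a loadable class, so a typo in the config ends in a PHP fatal on the `new` instead of the `egw_exception_assertion_failed` below it, and the constructor of a class that is not a backend has already executed by the time `is_a()` rejects it. Check first, then instantiate: `if (!class_exists($backend_class) || !in_array('auth_backend', class_implements($backend_class))) throw new egw_exception_assertion_failed("Auth backend class $backend_class is NO auth_backend!");` followed by `$this->backend = new $backend_class;`. The new docblocks on `authenticate()` and `change_password()` were copied from the SQL backend ("password authentication against password stored in sql datababse") and no longer describe this class, which only forwards to whatever backend `auth_type` selects; say that instead, and fix the "datababse" typo while at it.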
@@ -471,3 +516,29 @@ class auth extends auth_
 return strcmp($md5_hmac,$db_val) == 0;
 }
 }
+
+/**
+ * Interface for authentication backend
+ */
+interface auth_backend
+{
+ /**
+ * password authentication against password stored in sql datababse
+ *
+ * @param string $username username of account to authenticate
+ * @param string $passwd corresponding password
+ * @param string $passwd_type='text' 'text' for cleartext passwords (default)
+ * @return boolean true if successful authenticated, false otherwise
+ */
+ function authenticate($username, $passwd, $passwd_type='text');
+
+ /**
+ * changes password in sql datababse
+ *
+ * @param string $old_passwd must be cleartext
+ * @param string $new_passwd must be cleartext
+ * @param int $account_id account id of user whose passwd should be changed
+ * @return boolean true if password successful changed, false otherwise
+ */
+ function change_password($old_passwd, $new_passwd, $account_id=0);
+}
diff --git a/phpgwapi/inc/class.auth_ads.inc.php b/phpgwapi/inc/class.auth_ads.inc.php
index bf649ba79d..ad77dbd8e0 100644
--- a/phpgwapi/inc/class.auth_ads.inc.php
+++ b/phpgwapi/inc/class.auth_ads.inc.php
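Review bot: The interface docblocks describe the SQL backend ("against password stored in sql datababse", "changes password in sql datababse") rather than the contract every implementation must honour, and the only `$passwd_type` value they mention is 'text'. Several implementations in this commit (ads, http, mail, nis) accept `$passwd_type` and never read it, so whatever a caller passes is treated as a cleartext password; the interface should state what happens for other types, e.g. add `* Backends that only support cleartext passwords MUST return false for any other $passwd_type.` to the `authenticate()` docblock, and list the values that exist if there are any besides 'text'. The `$account_id=0` default on `change_password()` presumably means "the current user"; say so in the `@param` line rather than leaving implementors to infer it from auth_sql.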
@@ -1,112 +1,111 @@ * - * and Joseph Engo * - * Authentication based on LDAP Server * - * Copyright (C) 2000, 2001 Joseph Engo * - * Copyright (C) 2002, 2003 Lars Kneschke * - * ------------------------------------------------------------------------ * - * This library is part of the eGroupWare API * - * http://www.egroupware.org/api * - * ------------------------------------------------------------------------ * - * This library is free software; you can redistribute it and/or modify it * - * under the terms of the GNU Lesser General Public License as published by * - * the Free Software Foundation; either version 2.1 of the License, * - * or any later version. * - * This library is distributed in the hope that it will be useful, but * - * WITHOUT ANY WARRANTY; without even the implied warranty of * - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * - * See the GNU Lesser General Public License for more details. * - * You should have received a copy of the GNU Lesser General Public License * - * along with this library; if not, write to the Free Software Foundation, * - * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * - \**************************************************************************/ +/** + * eGroupWare API - ADS Authentication + * + * @link http://www.egroupware.org + * @author Ralf Becker based on auth_ldap from: + * @author Lars Kneschke + * @author Joseph Engo + * Copyright (C) 2000, 2001 Joseph Engo + * Copyright (C) 2002, 2003 Lars Kneschke + * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License + * @package api + * @subpackage authentication + * @version $Id$ + */ - /* $Id$ */ +/** + * Authentication agains a ADS Server + */ +class auth_ads implements auth_backend +{ + var $previous_login = -1; - class auth_ + /** + * password authentication + * + * @param string $username username of account to authenticate + * @param string $passwd corresponding password + * @param string 
$passwd_type='text' 'text' for cleartext passwords (default) + * @return boolean true if successful authenticated, false otherwise + */ + function authenticate($username, $passwd, $passwd_type='text') { - var $previous_login = -1; - - function authenticate($username, $passwd) + if (preg_match('/[()|&=*,<>!~]/',$username)) { - if (preg_match('/[()|&=*,<>!~]/',$username)) - { - return False; - } - - if(!$ldap = @ldap_connect($GLOBALS['egw_info']['server']['ads_host'])) - { - //echo "

Failed connecting to ADS server '".$GLOBALS['egw_info']['server']['ads_host']."' for authenication, execution stopped

\n"; - $GLOBALS['egw']->log->message('F-Abort, Failed connecting to ADS server for authenication, execution stopped'); - $GLOBALS['egw']->log->commit(); - return False; - } - //echo "

Connected to LDAP server '".$GLOBALS['egw_info']['server']['ads_host']."' for authenication

\n"; - - ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); - ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); - - // bind with username@ads_domain, only if a non-empty password given, in case anonymous search is enabled - if(empty($passwd) || !@ldap_bind($ldap,$username.'@'.$GLOBALS['egw_info']['server']['ads_domain'],$passwd)) - { - //echo "

Cant bind with '$username@".$GLOBALS['egw_info']['server']['ads_domain']."' with PW '$passwd' !!!

\n"; - return False; - } - //echo "

Bind with '$username@".$GLOBALS['egw_info']['server']['ads_domain']."' with PW '$passwd'.

\n"; - - $attributes = array('samaccountname','givenName','sn','mail'); - $filter = "(samaccountname=$username)"; - // automatic create dn from domain: domain.com ==> DC=domain,DC=com - $base_dn = array(); - foreach(explode('.',$GLOBALS['egw_info']['server']['ads_domain']) as $dc) - { - $base_dn[] = 'DC='.$dc; - } - $base_dn = implode(',',$base_dn); - - //echo "

Trying ldap_search(,$base_dn,$filter,".print_r($attributes,true)."

\n"; - $sri = ldap_search($ldap, $base_dn, $filter, $attributes); - $allValues = ldap_get_entries($ldap, $sri); - //_debug_array($allValues); - - if ($allValues['count'] > 0) - { - if($GLOBALS['egw_info']['server']['case_sensitive_username'] == true) - { - if($allValues[0]['samaccountname'][0] != $username) - { - return false; - } - } - if (($id = $GLOBALS['egw']->accounts->name2id($username,'account_lid','u'))) - { - return $GLOBALS['egw']->accounts->id2name($id,'account_status') == 'A'; - } - if ($GLOBALS['egw_info']['server']['auto_create_acct']) - { - // create a global array with all availible info about that account - $GLOBALS['auto_create_acct'] = array(); - foreach(array( - 'givenname' => 'firstname', - 'sn' => 'lastname', - 'mail' => 'email', - ) as $ldap_name => $acct_name) - { - $GLOBALS['auto_create_acct'][$acct_name] = - $GLOBALS['egw']->translation->convert($allValues[0][$ldap_name][0],'utf-8'); - } - return True; - } - } - /* dn not found or password wrong */ return False; } - function change_password($old_passwd, $new_passwd, $_account_id='') + if(!$ldap = @ldap_connect($GLOBALS['egw_info']['server']['ads_host'])) { - return false; // Cant change passwd in ADS + //echo "

Failed connecting to ADS server '".$GLOBALS['egw_info']['server']['ads_host']."' for authenication, execution stopped

\n"; + $GLOBALS['egw']->log->message('F-Abort, Failed connecting to ADS server for authenication, execution stopped'); + $GLOBALS['egw']->log->commit(); + return False; } + //echo "

Connected to LDAP server '".$GLOBALS['egw_info']['server']['ads_host']."' for authenication

\n"; + + ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); + ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); + + // bind with username@ads_domain, only if a non-empty password given, in case anonymous search is enabled + if(empty($passwd) || !@ldap_bind($ldap,$username.'@'.$GLOBALS['egw_info']['server']['ads_domain'],$passwd)) + { + //echo "

Cant bind with '$username@".$GLOBALS['egw_info']['server']['ads_domain']."' with PW '$passwd' !!!

\n"; + return False; + } + //echo "

Bind with '$username@".$GLOBALS['egw_info']['server']['ads_domain']."' with PW '$passwd'.

\n"; + + $attributes = array('samaccountname','givenName','sn','mail'); + $filter = "(samaccountname=$username)"; + // automatic create dn from domain: domain.com ==> DC=domain,DC=com + $base_dn = array(); + foreach(explode('.',$GLOBALS['egw_info']['server']['ads_domain']) as $dc) + { + $base_dn[] = 'DC='.$dc; + } + $base_dn = implode(',',$base_dn); + + //echo "

Trying ldap_search(,$base_dn,$filter,".print_r($attributes,true)."

\n"; + $sri = ldap_search($ldap, $base_dn, $filter, $attributes); + $allValues = ldap_get_entries($ldap, $sri); + //_debug_array($allValues); + + if ($allValues['count'] > 0) + { + if($GLOBALS['egw_info']['server']['case_sensitive_username'] == true) + { + if($allValues[0]['samaccountname'][0] != $username) + { + return false; + } + } + if (($id = $GLOBALS['egw']->accounts->name2id($username,'account_lid','u'))) + { + return $GLOBALS['egw']->accounts->id2name($id,'account_status') == 'A'; + } + if ($GLOBALS['egw_info']['server']['auto_create_acct']) + { + // create a global array with all availible info about that account + $GLOBALS['auto_create_acct'] = array(); + foreach(array( + 'givenname' => 'firstname', + 'sn' => 'lastname', + 'mail' => 'email', + ) as $ldap_name => $acct_name) + { + $GLOBALS['auto_create_acct'][$acct_name] = + translation::convert($allValues[0][$ldap_name][0],'utf-8'); + } + return True; + } + } + /* dn not found or password wrong */ + return False; } -?> + + function change_password($old_passwd, $new_passwd, $_account_id=0) + { + return false; // Cant change passwd in ADS + } +} diff --git a/phpgwapi/inc/class.auth_cas.inc.php b/phpgwapi/inc/class.auth_cas.inc.php index b8df74a4ce..f0f7496a49 100644 --- a/phpgwapi/inc/class.auth_cas.inc.php +++ b/phpgwapi/inc/class.auth_cas.inc.php @@ -12,7 +12,7 @@ /** * eGroupWare API - Authentication based on CAS (Central Authetication Service) */ -class auth_ +class auth_cas implements auth_backend { var $previous_login = -1; 
@@ -21,9 +21,10 @@ class auth_ * * @param string $username username of account to authenticate * @param string $passwd corresponding password + * @param string $passwd_type='text' 'text' for cleartext passwords (default) * @return boolean true if successful authenticated, false otherwise */ - function authenticate($username, $passwd) + function authenticate($username, $passwd, $passwd_type='text') { /* if program goes here, authenticate is, normaly, already verified by CAS */ if ($GLOBALS['egw_info']['server']['account_repository'] != 'ldap' && @@ -56,7 +57,7 @@ class auth_ * * @param string $old_passwd must be cleartext or empty to not to be checked * @param string $new_passwd must be cleartext - * @param int $account_id account id of user whose passwd should be changed + * @param int $account_id=0 account id of user whose passwd should be changed * @return boolean true if password successful changed, false otherwise */ function change_password($old_passwd, $new_passwd, $account_id=0) diff --git a/phpgwapi/inc/class.auth_fallback.inc.php b/phpgwapi/inc/class.auth_fallback.inc.php new file mode 100644 index 0000000000..3008430664 --- /dev/null +++ b/phpgwapi/inc/class.auth_fallback.inc.php 
@@ -0,0 +1,85 @@
+
+ * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
+ * @package api
+ * @subpackage authentication
+ * @version $Id$
+ */
+
+/**
+ * Authentication agains a LDAP Server with fallback to SQL
+ *
+ * For other fallback types, simply change auth backends in constructor call
+ */
+class auth_fallback implements auth_backend
+{
+ /**
+ * Primary auth backend
+ *
+ * @var auth_backend
+ */
+ private $primary_backend;
+
+ /**
+ * Fallback auth backend
+ *
+ * @var auth_backend
+ */
+ private $fallback_backend;
+
+ /**
+ * Constructor
+ */
+ function __construct($primary='auth_ldap',$fallback='auth_sql')
+ {
+ $this->primary_backend = new $primary;
+
+ $this->fallback_backend = new $fallback;
+ }
+
+ /**
+ * authentication against LDAP with fallback to SQL
+ *
+ * @param string $username username of account to authenticate
+ * @param string $passwd corresponding password
+ * @return boolean true if successful authenticated, false otherwise
+ */
+ function authenticate($username, $passwd, $passwd_type='text')
+ {
+ if ($this->primary_backend->authenticate($username, $passwd, $passwd_type))
+ {
+ egw_cache::setSession(__CLASS__,'backend_used','primary');
+ return true;
+ }
+ if ($this->fallback_backend->authenticate($username,$passwd, $passwd_type))
+ {
+ egw_cache::setSession(__CLASS__,'backend_used','fallback');
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ * changes password in LDAP
+ *
+ * If $old_passwd is given, the password change is done binded as user and NOT with the
+ * "root" dn given in the configurations.
+ *
+ * @param string $old_passwd must be cleartext or empty to not to be checked
+ * @param string $new_passwd must be cleartext
+ * @param int $account_id account id of user whose passwd should be changed
+ * @return boolean true if password successful changed, false otherwise
+ */
+ function change_password($old_passwd, $new_passwd, $account_id=0)
+ {
+ if (egw_cache::getSession(__CLASS__,'backend_used') == 'primary')
+ {
+ return $this->primary_backend->change_password($old_passwd, $new_passwd, $account_id);
+ }
+ return $this->fallback_backend->change_password($old_passwd, $new_passwd, $account_id);
+ }
+}
diff --git a/phpgwapi/inc/class.auth_http.inc.php b/phpgwapi/inc/class.auth_http.inc.php
index 328b15e844..5e79fff1e3 100644
--- a/phpgwapi/inc/class.auth_http.inc.php
+++ b/phpgwapi/inc/class.auth_http.inc.php
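Review bot: `authenticate()` consults the SQL backend whenever the primary returns false, and the primary, auth_ldap, appears to return false both when the server cannot be reached and when the password is wrong, so a user whose LDAP password was changed or whose LDAP account was disabled can still log in with whatever password is left in `egw_accounts` — the fallback is not limited to primary outages. If that is the intended behaviour it needs to be stated on the class, e.g. `* NOTE: the fallback is tried on every primary failure (wrong password included), so a password left in egw_accounts stays valid after the LDAP one changes`; if not, the primary must report "unreachable" separately from "rejected" before the fallback is consulted. `change_password()` routes on the session's `backend_used`, which records how the current user logged in, not how the owner of `$account_id` does, so an admin who came in via the fallback writes another user's new password to SQL only while that user keeps authenticating against LDAP with the old one. The constructor does `new $primary` / `new $fallback` without the `auth_backend` check that `auth::__construct()` performs in this same commit, and since `auth` instantiates backends with no arguments the "simply change auth backends in constructor call" advice only works by editing the defaults. The `change_password()` docblock ("binded as user and NOT with the root dn") is copied from auth_ldap and does not describe this class.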
@@ -1,47 +1,54 @@ * - * and Joseph Engo * - * Authentication based on HTTP auth * - * Copyright (C) 2000, 2001 Dan Kuykendall * - * ------------------------------------------------------------------------ * - * This library is part of the eGroupWare API * - * http://www.egroupware.org/api * - * ------------------------------------------------------------------------ * - * This library is free software; you can redistribute it and/or modify it * - * under the terms of the GNU Lesser General Public License as published by * - * the Free Software Foundation; either version 2.1 of the License, * - * or any later version. * - * This library is distributed in the hope that it will be useful, but * - * WITHOUT ANY WARRANTY; without even the implied warranty of * - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * - * See the GNU Lesser General Public License for more details. * - * You should have received a copy of the GNU Lesser General Public License * - * along with this library; if not, write to the Free Software Foundation, * - * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * - \**************************************************************************/ +/** + * eGroupWare API - Authentication based on HTTP auth + * + * @link http://www.egroupware.org + * @author Dan Kuykendall + * @author Joseph Engo + * Copyright (C) 2000, 2001 Dan Kuykendall + * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License + * @package api + * @subpackage authentication + * @version $Id$ + */ - /* $Id$ */ +/** + * Authentication based on HTTP auth + */ +class auth_http implements auth_backend +{ + var $previous_login = -1; - class auth_ + /** + * password authentication + * + * @param string $username username of account to authenticate + * @param string $passwd corresponding password + * @param string $passwd_type='text' 'text' for cleartext passwords (default) + * @return boolean true if successful authenticated, false 
otherwise + */ + function authenticate($username, $passwd, $passwd_type='text') { - var $previous_login = -1; - - function authenticate($username, $passwd) + if (isset($_SERVER['PHP_AUTH_USER'])) { - if (isset($_SERVER['PHP_AUTH_USER'])) - { - return True; - } - else - { - return False; - } + return True; } - - function change_password($old_passwd, $new_passwd) + else { return False; } } + + /** + * changes password + * + * @param string $old_passwd must be cleartext or empty to not to be checked + * @param string $new_passwd must be cleartext + * @param int $account_id account id of user whose passwd should be changed + * @return boolean true if password successful changed, false otherwise + */ + function change_password($old_passwd, $new_passwd, $account_id=0) + { + return False; + } +} diff --git a/phpgwapi/inc/class.auth_ldap.inc.php b/phpgwapi/inc/class.auth_ldap.inc.php index babf99e236..fabe93f530 100644 --- a/phpgwapi/inc/class.auth_ldap.inc.php +++ b/phpgwapi/inc/class.auth_ldap.inc.php @@ -3,11 +3,12 @@ * eGroupWare API - LDAP Authentication * * @link http://www.egroupware.org + * @author Ralf Becker * @author Lars Kneschke * @author Joseph Engo * Copyright (C) 2000, 2001 Joseph Engo * Copyright (C) 2002, 2003 Lars Kneschke - * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License + * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License * @package api * @subpackage authentication * @version $Id$ @@ -16,7 +17,7 @@ /** * Authentication agains a LDAP Server */ -class auth_ +class auth_ldap implements auth_backend { var $previous_login = -1; 
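Review bot: `authenticate()` returns true whenever `$_SERVER['PHP_AUTH_USER']` is set and never compares it with `$username`, so the name the web server authenticated and the name eGroupWare goes on to treat as logged in can differ; the body should be `return isset($_SERVER['PHP_AUTH_USER']) && $_SERVER['PHP_AUTH_USER'] === $username;`. Whether the login code always passes `PHP_AUTH_USER` itself as `$username` is not visible from this hunk, but the backend should not depend on that. The new `$passwd_type` parameter is accepted and ignored, which is harmless here only because no password is checked at all; a one-line comment saying so would save the next reader from looking for the missing check.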
@@ -27,13 +28,13 @@ class auth_ * @param string $passwd corresponding password * @return boolean true if successful authenticated, false otherwise */ - function authenticate($username, $passwd) + function authenticate($username, $passwd, $passwd_type='text') { // allow non-ascii in username & password - $username = $GLOBALS['egw']->translation->convert($username,$GLOBALS['egw']->translation->charset(),'utf-8'); - $passwd = $GLOBALS['egw']->translation->convert($passwd,$GLOBALS['egw']->translation->charset(),'utf-8'); + $username = translation::convert($username,translation::charset(),'utf-8'); + $passwd = translation::convert($passwd,translation::charset(),'utf-8'); - if(!$ldap = $GLOBALS['egw']->common->ldapConnect()) + if(!$ldap = common::ldapConnect()) { $GLOBALS['egw']->log->message('F-Abort, Failed connecting to LDAP server for authenication, execution stopped'); $GLOBALS['egw']->log->commit(); @@ -90,7 +91,7 @@ class auth_ ) as $ldap_name => $acct_name) { $GLOBALS['auto_create_acct'][$acct_name] = - $GLOBALS['egw']->translation->convert($allValues[0][$ldap_name][0],'utf-8'); + translation::convert($allValues[0][$ldap_name][0],'utf-8'); } return True; } @@ -123,15 +124,15 @@ class auth_ } else { - $username = $GLOBALS['egw']->translation->convert($GLOBALS['egw']->accounts->id2name($account_id), - $GLOBALS['egw']->translation->charset(),'utf-8'); + $username = translation::convert($GLOBALS['egw']->accounts->id2name($account_id), + translation::charset(),'utf-8'); } //echo "
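Review bot: The new `$passwd_type` parameter is accepted but never read in this hunk, so a caller that passes a non-'text' type (presumably a hash, which is what the parameter exists for) has that value sent to the LDAP server as if it were the cleartext password. Reject what the backend cannot handle up front, before the charset conversion: `if ($passwd_type != 'text') return false;`. `authenticate()` continues past the end of this hunk, so if such a check already exists further down this is moot.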

auth_ldap::change_password('$old_password','$new_passwd',$account_id) username='$username'

\n"; $filter = $GLOBALS['egw_info']['server']['ldap_search_filter'] ? $GLOBALS['egw_info']['server']['ldap_search_filter'] : '(uid=%user)'; $filter = str_replace(array('%user','%domain'),array($username,$GLOBALS['egw_info']['user']['domain']),$filter); - $ds = $GLOBALS['egw']->common->ldapConnect(); + $ds = common::ldapConnect(); $sri = ldap_search($ds, $GLOBALS['egw_info']['server']['ldap_context'], $filter); $allValues = ldap_get_entries($ds, $sri); @@ -142,7 +143,7 @@ class auth_ if($old_passwd) // if old password given (not called by admin) --> bind as that user to change the pw { - $ds = $GLOBALS['egw']->common->ldapConnect('',$dn,$old_passwd); + $ds = common::ldapConnect('',$dn,$old_passwd); } if (!@ldap_modify($ds, $dn, $entry)) { diff --git a/phpgwapi/inc/class.auth_mail.inc.php b/phpgwapi/inc/class.auth_mail.inc.php index 349ecd6e57..2f3893553a 100644 --- a/phpgwapi/inc/class.auth_mail.inc.php +++ b/phpgwapi/inc/class.auth_mail.inc.php 
@@ -1,92 +1,99 @@ * - * Authentication based on mail server * - * Copyright (C) 2000, 2001 Dan Kuykendall * - * ------------------------------------------------------------------------ * - * This library is part of the eGroupWare API * - * http://www.egroupware.org/api * - * ------------------------------------------------------------------------ * - * This library is free software; you can redistribute it and/or modify it * - * under the terms of the GNU Lesser General Public License as published by * - * the Free Software Foundation; either version 2.1 of the License, * - * or any later version. * - * This library is distributed in the hope that it will be useful, but * - * WITHOUT ANY WARRANTY; without even the implied warranty of * - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * - * See the GNU Lesser General Public License for more details. * - * You should have received a copy of the GNU Lesser General Public License * - * along with this library; if not, write to the Free Software Foundation, * - * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * - \**************************************************************************/ +/** + * eGroupWare API - Authentication agains mail server + * + * @link http://www.egroupware.org + * @author Dan Kuykendall + * Copyright (C) 2000, 2001 Dan Kuykendall + * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License + * @package api + * @subpackage authentication + * @version $Id$ + */ - /* $Id$ */ +/** + * Authentication agains mail server + */ +class auth_mail implements auth_backend +{ + var $previous_login = -1; - class auth_ + /** + * password authentication + * + * @param string $username username of account to authenticate + * @param string $passwd corresponding password + * @param string $passwd_type='text' 'text' for cleartext passwords (default) + * @return boolean true if successful authenticated, false otherwise + */ + function 
authenticate($username, $passwd, $passwd_type='text') { - var $previous_login = -1; - - function authenticate($username, $passwd) + $notls = '/notls'; + if ($GLOBALS['egw_info']['server']['mail_login_type'] == 'vmailmgr') { - $notls = '/notls'; - if ($GLOBALS['egw_info']['server']['mail_login_type'] == 'vmailmgr') - { - $username = $username . '@' . $GLOBALS['egw_info']['server']['mail_suffix']; - } - if ($GLOBALS['egw_info']['server']['mail_server_type']=='imap') - { - $GLOBALS['egw_info']['server']['mail_port'] = '143'; - } - elseif ($GLOBALS['egw_info']['server']['mail_server_type']=='pop3') - { - $GLOBALS['egw_info']['server']['mail_port'] = '110'; - } - elseif ($GLOBALS['egw_info']['server']['mail_server_type']=='imaps') - { - $GLOBALS['egw_info']['server']['mail_port'] = '993'; - $notls = ''; - } - elseif ($GLOBALS['egw_info']['server']['mail_server_type']=='pop3s') - { - $GLOBALS['egw_info']['server']['mail_port'] = '995'; - } - - if( $GLOBALS['egw_info']['server']['mail_server_type']=='pop3') - { - $mailauth = imap_open('{'.$GLOBALS['egw_info']['server']['mail_server'].'/pop3' - .':'.$GLOBALS['egw_info']['server']['mail_port'].'}INBOX', $username , $passwd); - } - elseif ( $GLOBALS['egw_info']['server']['mail_server_type']=='imaps' ) - { - // IMAPS support: - $mailauth = imap_open('{'.$GLOBALS['egw_info']['server']['mail_server']."/ssl/novalidate-cert" - .':993}INBOX', $username , $passwd); - } - elseif ( $GLOBALS['egw_info']['server']['mail_server_type']=='pop3s' ) - { - // POP3S support: - $mailauth = imap_open('{'.$GLOBALS['egw_info']['server']['mail_server']."/ssl/novalidate-cert" - .':995}INBOX', $username , $passwd); - } - else - { - /* assume imap */ - $mailauth = imap_open('{'.$GLOBALS['egw_info']['server']['mail_server'] - .':'.$GLOBALS['egw_info']['server']['mail_port'].$notls.'}INBOX', $username , $passwd); - } - - if ($mailauth == False) - { - return False; - } - imap_close($mailauth); - - return True; + $username = $username . '@' . 
$GLOBALS['egw_info']['server']['mail_suffix']; + } + if ($GLOBALS['egw_info']['server']['mail_server_type']=='imap') + { + $GLOBALS['egw_info']['server']['mail_port'] = '143'; + } + elseif ($GLOBALS['egw_info']['server']['mail_server_type']=='pop3') + { + $GLOBALS['egw_info']['server']['mail_port'] = '110'; + } + elseif ($GLOBALS['egw_info']['server']['mail_server_type']=='imaps') + { + $GLOBALS['egw_info']['server']['mail_port'] = '993'; + $notls = ''; + } + elseif ($GLOBALS['egw_info']['server']['mail_server_type']=='pop3s') + { + $GLOBALS['egw_info']['server']['mail_port'] = '995'; } - function change_password($old_passwd, $new_passwd) + if( $GLOBALS['egw_info']['server']['mail_server_type']=='pop3') + { + $mailauth = imap_open('{'.$GLOBALS['egw_info']['server']['mail_server'].'/pop3' + .':'.$GLOBALS['egw_info']['server']['mail_port'].'}INBOX', $username , $passwd); + } + elseif ( $GLOBALS['egw_info']['server']['mail_server_type']=='imaps' ) + { + // IMAPS support: + $mailauth = imap_open('{'.$GLOBALS['egw_info']['server']['mail_server']."/ssl/novalidate-cert" + .':993}INBOX', $username , $passwd); + } + elseif ( $GLOBALS['egw_info']['server']['mail_server_type']=='pop3s' ) + { + // POP3S support: + $mailauth = imap_open('{'.$GLOBALS['egw_info']['server']['mail_server']."/ssl/novalidate-cert" + .':995}INBOX', $username , $passwd); + } + else + { + /* assume imap */ + $mailauth = imap_open('{'.$GLOBALS['egw_info']['server']['mail_server'] + .':'.$GLOBALS['egw_info']['server']['mail_port'].$notls.'}INBOX', $username , $passwd); + } + + if ($mailauth == False) { return False; } + imap_close($mailauth); + + return True; } + + /** + * changes password + * + * @param string $old_passwd must be cleartext or empty to not to be checked + * @param string $new_passwd must be cleartext + * @param int $account_id=0 account id of user whose passwd should be changed + * @return boolean true if password successful changed, false otherwise + */ + function 
change_password($old_passwd, $new_passwd, $account_id=0) + { + return False; + } +} diff --git a/phpgwapi/inc/class.auth_nis.inc.php b/phpgwapi/inc/class.auth_nis.inc.php index 26e74ce2b4..529e015444 100644 --- a/phpgwapi/inc/class.auth_nis.inc.php +++ b/phpgwapi/inc/class.auth_nis.inc.php 
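Review bot: The imaps and pop3s branches open the connection with `/ssl/novalidate-cert`, so the server certificate is never checked and the user's password goes to whoever answers on port 993/995; use `/ssl/validate-cert` and, if self-signed setups need it, make `novalidate-cert` an explicit, documented configuration switch rather than the default. The plain imap branch appends `$notls`, which is `/notls` for every type except imaps, so STARTTLS is actively refused and the password crosses the wire in the clear even when the server offers TLS; dropping the flag lets php-imap negotiate it (`/tls` forces it). The method also writes back `$GLOBALS['egw_info']['server']['mail_port']` as a side effect of authenticating, which is surprising for a backend and deserves at least a comment if it is relied on elsewhere. `$passwd_type` is accepted and never read, so a non-'text' value should return false before `imap_open()` is reached.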
@@ -1,60 +1,67 @@ * - * Copyright (C) 2001 Dylan Adams * - * ------------------------------------------------------------------------ * - * This library is part of the eGroupWare API * - * http://www.egroupware.org/api * - * ------------------------------------------------------------------------ * - * This library is free software; you can redistribute it and/or modify it * - * under the terms of the GNU Lesser General Public License as published by * - * the Free Software Foundation; either version 2.1 of the License, * - * or any later version. * - * This library is distributed in the hope that it will be useful, but * - * WITHOUT ANY WARRANTY; without even the implied warranty of * - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * - * See the GNU Lesser General Public License for more details. * - * You should have received a copy of the GNU Lesser General Public License * - * along with this library; if not, write to the Free Software Foundation, * - * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * - \**************************************************************************/ +/** + * eGroupWare API - Auth from NIS + * + * @link http://www.egroupware.org + * @author * by Dylan Adams + * Copyright (C) 2001 Dylan Adams + * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License + * @package api + * @subpackage authentication + * @version $Id$ + */ - /* $Id$ */ - - class auth_ +/** + * Auth from NIS + */ +class auth_nis implements auth_backend +{ + /** + * password authentication + * + * @param string $username username of account to authenticate + * @param string $passwd corresponding password + * @param string $passwd_type='text' 'text' for cleartext passwords (default) + * @return boolean true if successful authenticated, false otherwise + */ + function authenticate($username, $passwd, $passwd_type='text') { - function authenticate($username, $passwd) + $domain = yp_get_default_domain(); + 
if(!empty($GLOBALS['egw_info']['server']['nis_domain'])) { - $domain = yp_get_default_domain(); - if(!empty($GLOBALS['egw_info']['server']['nis_domain'])) - { - $domain = $GLOBALS['egw_info']['server']['nis_domain']; - } - - $map = "passwd.byname"; - if(!empty($GLOBALS['egw_info']['server']['nis_map'])) - { - $map = $GLOBALS['egw_info']['server']['nis_map']; - } - $entry = yp_match( $domain, $map, $username ); - - /* - * we assume that the map is structured in the usual - * unix passwd flavor - */ - $entry_array = explode(':', $entry); - $stored_passwd = $entry_array[1]; - - $encrypted_passwd = crypt($passwd, $stored_passwd); - - return($encrypted_passwd == $stored_passwd); + $domain = $GLOBALS['egw_info']['server']['nis_domain']; } - function change_password($old_passwd, $new_passwd, $account_id='') + $map = "passwd.byname"; + if(!empty($GLOBALS['egw_info']['server']['nis_map'])) { - // can't change passwords unless server runs as root (bad idea) - return( False ); + $map = $GLOBALS['egw_info']['server']['nis_map']; } + $entry = yp_match( $domain, $map, $username ); + + /* + * we assume that the map is structured in the usual + * unix passwd flavor + */ + $entry_array = explode(':', $entry); + $stored_passwd = $entry_array[1]; + + $encrypted_passwd = crypt($passwd, $stored_passwd); + + return($encrypted_passwd == $stored_passwd); } + + /** + * changes password + * + * @param string $old_passwd must be cleartext or empty to not to be checked + * @param string $new_passwd must be cleartext + * @param int $account_id=0 account id of user whose passwd should be changed + * @return boolean true if password successful changed, false otherwise + */ + function change_password($old_passwd, $new_passwd, $account_id=0) + { + // can't change passwords unless server runs as root (bad idea) + return( False ); + } +} diff --git a/phpgwapi/inc/class.auth_pam.inc.php b/phpgwapi/inc/class.auth_pam.inc.php index 4892ce675a..c48718b254 100644 --- a/phpgwapi/inc/class.auth_pam.inc.php 
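Review bot: When `yp_match()` finds no entry it returns false, and a locked account carries `*` or `!` in its password field; in both cases the comparison `crypt($passwd, $stored_passwd) == $stored_passwd` depends on what `crypt()` does with an empty or invalid salt rather than on an explicit rejection. Guard before hashing: `if ($entry === false || empty($stored_passwd) || $stored_passwd[0] == '*' || $stored_passwd[0] == '!') return false;` and compare the hashes with `===`. The new `$passwd_type` is ignored as well, so a non-'text' value should return false rather than be fed to `crypt()` as cleartext.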
+++ b/phpgwapi/inc/class.auth_pam.inc.php @@ -1,39 +1,49 @@ * @author Dan Kuykendall * @author Joseph Engo * Copyright (C) 2000, 2001 Dan Kuykendall @@ -20,7 +21,7 @@ * * Massive code cleanup and added password migration by Cornelius Weiss db = $GLOBALS['egw']->db; @@ -141,7 +142,7 @@ class auth_ } // old password ok, or admin called the function from the admin application (no old passwd available). - return $this->_update_passwd($this->encrypt_sql($new_passwd),$new_passwd,$account_id,$admin); + return $this->_update_passwd(auth::encrypt_sql($new_passwd),$new_passwd,$account_id,$admin); } /** diff --git a/phpgwapi/inc/class.auth_sqlssl.inc.php b/phpgwapi/inc/class.auth_sqlssl.inc.php index 70b2c61bab..d2a50f0ef7 100644 --- a/phpgwapi/inc/class.auth_sqlssl.inc.php +++ b/phpgwapi/inc/class.auth_sqlssl.inc.php 
@@ -1,88 +1,101 @@ * - * Authentication based on SQL table and X.509 certificates * - * Copyright (C) 2000, 2001 Dan Kuykendall * - * ------------------------------------------------------------------------ * - * This library is part of the eGroupWare API * - * http://www.egroupware.org/api * - * ------------------------------------------------------------------------ * - * This library is free software; you can redistribute it and/or modify it * - * under the terms of the GNU Lesser General Public License as published by * - * the Free Software Foundation; either version 2.1 of the License, * - * or any later version. * - * This library is distributed in the hope that it will be useful, but * - * WITHOUT ANY WARRANTY; without even the implied warranty of * - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * - * See the GNU Lesser General Public License for more details. * - * You should have received a copy of the GNU Lesser General Public License * - * along with this library; if not, write to the Free Software Foundation, * - * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * - \**************************************************************************/ +/** + * eGroupWare API - Authentication based on SQL table and X.509 certificates + * + * @link http://www.egroupware.org + * @author Andreas 'Count' Kotes + * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License + * @package api + * @subpackage authentication + * @version $Id$ + */ - /* $Id$ */ +/** + * Authentication based on SQL table and X.509 certificates + * + * @todo rewrite using auth_sql backend class + */ +class auth_sqlssl implements auth_backend +{ + /** + * @var egw_db + */ + var $db; + var $table = 'egw_accounts'; + var $previous_login = -1; - class auth_ + /** + * Constructor + */ + function __construct() { - var $db = ''; - var $previous_login = -1; - - function auth_() - { - $this->db = clone($GLOBALS['egw']->db); - 
$this->db->set_app('phpgwapi'); - $this->table = 'egw_accounts'; - } - - function authenticate($username, $passwd) - { - $local_debug = False; - - if($local_debug) - { - echo "Debug SQL: uid - $username passwd - $passwd"; - } - $this->db->select($this->table,'account_lid,account_pwd',array( - 'account_lid' => $username, - 'account_status' => 'A', - 'account_type' => 'u', - ),__LINE__,__FILE__); - - if (!$this->db->next_record() || $GLOBALS['egw_info']['server']['case_sensitive_username'] && $this->db->f('account_lid') != $username) - { - return false; - } - - # Apache + mod_ssl provide the data in the environment - # Certificate (chain) verification occurs inside mod_ssl - # see http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6 - if(!isset($_SERVER['SSL_CLIENT_S_DN'])) - { - # if we're not doing SSL authentication, behave like auth_sql - return $this->compare_password($passwd,$this->db->f('account_pwd'),$this->type,strtolower($username)); - } - return True; - } - - function change_password($old_passwd, $new_passwd, $account_id = '') - { - if(!$account_id) - { - $account_id = $GLOBALS['egw_info']['user']['account_id']; - } - - $encrypted_passwd = $this->encrypt_sql($new_passwd); - - $GLOBALS['egw']->db->update($this->table,array( - 'account_pwd' => $encrypted_passwd, - 'account_lastpwd_change' => time(), - ),array( - 'account_id' => $account_id, - ),__LINE__,__FILE__); - - $GLOBALS['egw']->session->appsession('password','phpgwapi',$new_passwd); - - return $encrypted_passwd; - } + $this->db = $GLOBALS['egw']->db; } + + /** + * password authentication + * + * @param string $username username of account to authenticate + * @param string $passwd corresponding password + * @param string $passwd_type='text' 'text' for cleartext passwords (default) + * @return boolean true if successful authenticated, false otherwise + */ + function authenticate($username, $passwd, $passwd_type='text') + { + $local_debug = False; + + if($local_debug) + { + echo "Debug SQL: uid - $username 
passwd - $passwd"; + } + $this->db->select($this->table,'account_lid,account_pwd',array( + 'account_lid' => $username, + 'account_status' => 'A', + 'account_type' => 'u', + ),__LINE__,__FILE__); + + if (!$this->db->next_record() || $GLOBALS['egw_info']['server']['case_sensitive_username'] && $this->db->f('account_lid') != $username) + { + return false; + } + + # Apache + mod_ssl provide the data in the environment + # Certificate (chain) verification occurs inside mod_ssl + # see http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6 + if(!isset($_SERVER['SSL_CLIENT_S_DN'])) + { + # if we're not doing SSL authentication, behave like auth_sql + return auth::compare_password($passwd,$this->db->f('account_pwd'),$this->type,strtolower($username)); + } + return True; + } + + /** + * changes password + * + * @param string $old_passwd must be cleartext or empty to not to be checked + * @param string $new_passwd must be cleartext + * @param int $account_id=0 account id of user whose passwd should be changed + * @return boolean true if password successful changed, false otherwise + */ + function change_password($old_passwd, $new_passwd, $account_id = 0) + { + if(!$account_id) + { + $account_id = $GLOBALS['egw_info']['user']['account_id']; + } + + $encrypted_passwd = auth::encrypt_sql($new_passwd); + + $GLOBALS['egw']->db->update($this->table,array( + 'account_pwd' => $encrypted_passwd, + 'account_lastpwd_change' => time(), + ),array( + 'account_id' => $account_id, + ),__LINE__,__FILE__); + + $GLOBALS['egw']->session->appsession('password','phpgwapi',$new_passwd); + + return $encrypted_passwd; + } +} diff --git a/setup/templates/default/config.tpl b/setup/templates/default/config.tpl index 94104f483b..5cba618da7 100644 --- a/setup/templates/default/config.tpl +++ b/setup/templates/default/config.tpl @@ -218,6 +218,7 @@ + @@ -235,6 +236,7 @@ + @@ -252,6 +254,7 @@ +
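Review bot: In the rewritten `authenticate()` the certificate branch returns `True` as soon as `$_SERVER['SSL_CLIENT_S_DN']` is set, without checking that mod_ssl actually verified the certificate (`SSL_CLIENT_VERIFY`) or that the certificate's subject names the `$username` whose active account was just looked up, so the holder of any accepted client certificate can log in as any active account while `$passwd` is ignored. The branch should require `SSL_CLIENT_VERIFY === 'SUCCESS'` and bind a DN attribute (the CN below; adjust to whatever this deployment maps to `account_lid`) to the account row, falling back to the password comparison otherwise. Separately, `$this->type` is passed to `auth::compare_password()` but is not among the properties this class declares (`db`, `table`, `previous_login`), so it appears to be `null` unless set elsewhere — worth confirming. `change_password()` never examines `$old_passwd` despite its docblock, and the `$local_debug` echo prints the cleartext password; both deserve a follow-up alongside the `@todo`.
```php
        // mod_ssl exports the client certificate in the environment and verifies the
        // chain, but the cert only proves identity if (a) verification succeeded and
        // (b) its subject names the account being claimed.
        $cert_ok = isset($_SERVER['SSL_CLIENT_S_DN'])
            && isset($_SERVER['SSL_CLIENT_VERIFY']) && $_SERVER['SSL_CLIENT_VERIFY'] === 'SUCCESS'
            && isset($_SERVER['SSL_CLIENT_S_DN_CN'])   // TODO: use the DN attribute this deployment maps to account_lid
            && strtolower($_SERVER['SSL_CLIENT_S_DN_CN']) === strtolower($this->db->f('account_lid'));
        if ($cert_ok)
        {
            return true;
        }
        // no usable client certificate: behave like auth_sql
        return auth::compare_password($passwd,$this->db->f('account_pwd'),$this->type,strtolower($username));
```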