reworked auth classes, to allow them to use each other and a new auth class using a primary backend (ldap) and a fallback (sql)

Ralf Becker 2010-01-28 04:22:37 +00:00
parent 30e13c4acf
commit 61d26df913
12 changed files with 610 additions and 405 deletions


@ -3,6 +3,7 @@
* eGroupWare API - Authentication baseclass * eGroupWare API - Authentication baseclass
* *
* @link http://www.egroupware.org * @link http://www.egroupware.org
* @author Ralf Becker <ralfbecker@outdoor-training.de>
* @author Miles Lott <milos@groupwhere.org> * @author Miles Lott <milos@groupwhere.org>
* @copyright 2004 by Miles Lott <milos@groupwhere.org> * @copyright 2004 by Miles Lott <milos@groupwhere.org>
* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
@ -22,7 +23,6 @@ if(empty($GLOBALS['egw_info']['server']['auth_type']))
$GLOBALS['egw_info']['server']['auth_type'] = 'sql'; $GLOBALS['egw_info']['server']['auth_type'] = 'sql';
} }
//error_log('using auth_type='.$GLOBALS['egw_info']['server']['auth_type'].', currentapp='.$GLOBALS['egw_info']['flags']['currentapp']); //error_log('using auth_type='.$GLOBALS['egw_info']['server']['auth_type'].', currentapp='.$GLOBALS['egw_info']['flags']['currentapp']);
include(EGW_API_INC.'/class.auth_'.$GLOBALS['egw_info']['server']['auth_type'].'.inc.php');
/** /**
* eGroupWare API - Authentication baseclass, password auth and crypt functions * eGroupWare API - Authentication baseclass, password auth and crypt functions
@ -32,10 +32,55 @@ include(EGW_API_INC.'/class.auth_'.$GLOBALS['egw_info']['server']['auth_type'].'
* *
* Other functions from class.common.inc.php originally from phpGroupWare * Other functions from class.common.inc.php originally from phpGroupWare
*/ */
class auth extends auth_ class auth
{ {
static $error; static $error;
/**
* Holds instance of backend
*
* @var auth_backend
*/
private $backend;
function __construct()
{
$backend_class = 'auth_'.$GLOBALS['egw_info']['server']['auth_type'];
$this->backend = new $backend_class;
if (!is_a($this->backend,'auth_backend'))
{
throw new egw_exception_assertion_failed("Auth backend class $backend_class is NO auth_backend!");
}
}
/**
* password authentication against password stored in sql datababse
*
* @param string $username username of account to authenticate
* @param string $passwd corresponding password
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
* @return boolean true if successful authenticated, false otherwise
*/
function authenticate($username, $passwd, $passwd_type='text')
{
return $this->backend->authenticate($username, $passwd, $passwd_type);
}
/**
* changes password in sql datababse
*
* @param string $old_passwd must be cleartext
* @param string $new_passwd must be cleartext
* @param int $account_id account id of user whose passwd should be changed
* @return boolean true if password successful changed, false otherwise
*/
function change_password($old_passwd, $new_passwd, $account_id=0)
{
return $this->backend->change_password($old_passwd, $new_passwd, $account_id);
}
/** /**
* return a random string of size $size * return a random string of size $size
* *
@ -471,3 +516,29 @@ class auth extends auth_
return strcmp($md5_hmac,$db_val) == 0; return strcmp($md5_hmac,$db_val) == 0;
} }
} }
/**
* Interface for authentication backend
*/
interface auth_backend
{
/**
* password authentication against password stored in sql datababse
*
* @param string $username username of account to authenticate
* @param string $passwd corresponding password
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
* @return boolean true if successful authenticated, false otherwise
*/
function authenticate($username, $passwd, $passwd_type='text');
/**
* changes password in sql datababse
*
* @param string $old_passwd must be cleartext
* @param string $new_passwd must be cleartext
* @param int $account_id account id of user whose passwd should be changed
* @return boolean true if password successful changed, false otherwise
*/
function change_password($old_passwd, $new_passwd, $account_id=0);
}
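Review bot: In the new `auth::__construct()`, `new $backend_class` runs before the `is_a()` check, so whatever class `'auth_'.$GLOBALS['egw_info']['server']['auth_type']` resolves to is constructed, constructor side effects included, before it can be rejected. This commit also removes the explicit `include` of the backend file, so the class presumably arrives through an autoloader and the configured string is the only gate. Checking the name first fails closed: `if (!class_exists($backend_class) || !in_array('auth_backend', class_implements($backend_class))) throw new egw_exception_assertion_failed(...);` placed ahead of the `new`. The docblocks on the two delegating methods still say "password stored in sql datababse", which no longer describes a backend-agnostic wrapper.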


@ -1,35 +1,35 @@
<?php <?php
/**************************************************************************\ /**
* eGroupWare API - Auth from LDAP * * eGroupWare API - ADS Authentication
* This file written by Lars Kneschke <lkneschke@linux-at-work.de> * *
* and Joseph Engo <jengo@phpgroupware.org> * * @link http://www.egroupware.org
* Authentication based on LDAP Server * * @author Ralf Becker <ralfbecker@outdoor-training.de> based on auth_ldap from:
* Copyright (C) 2000, 2001 Joseph Engo * * @author Lars Kneschke <lkneschke@linux-at-work.de>
* Copyright (C) 2002, 2003 Lars Kneschke * * @author Joseph Engo <jengo@phpgroupware.org>
* ------------------------------------------------------------------------ * * Copyright (C) 2000, 2001 Joseph Engo
* This library is part of the eGroupWare API * * Copyright (C) 2002, 2003 Lars Kneschke
* http://www.egroupware.org/api * * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
* ------------------------------------------------------------------------ * * @package api
* This library is free software; you can redistribute it and/or modify it * * @subpackage authentication
* under the terms of the GNU Lesser General Public License as published by * * @version $Id$
* the Free Software Foundation; either version 2.1 of the License, * */
* or any later version. *
* This library is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *
* See the GNU Lesser General Public License for more details. *
* You should have received a copy of the GNU Lesser General Public License *
* along with this library; if not, write to the Free Software Foundation, *
* Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
\**************************************************************************/
/* $Id$ */ /**
* Authentication agains a ADS Server
class auth_ */
class auth_ads implements auth_backend
{ {
var $previous_login = -1; var $previous_login = -1;
function authenticate($username, $passwd) /**
* password authentication
*
* @param string $username username of account to authenticate
* @param string $passwd corresponding password
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
* @return boolean true if successful authenticated, false otherwise
*/
function authenticate($username, $passwd, $passwd_type='text')
{ {
if (preg_match('/[()|&=*,<>!~]/',$username)) if (preg_match('/[()|&=*,<>!~]/',$username))
{ {
@ -95,7 +95,7 @@
) as $ldap_name => $acct_name) ) as $ldap_name => $acct_name)
{ {
$GLOBALS['auto_create_acct'][$acct_name] = $GLOBALS['auto_create_acct'][$acct_name] =
$GLOBALS['egw']->translation->convert($allValues[0][$ldap_name][0],'utf-8'); translation::convert($allValues[0][$ldap_name][0],'utf-8');
} }
return True; return True;
} }
@ -104,9 +104,8 @@
return False; return False;
} }
function change_password($old_passwd, $new_passwd, $_account_id='') function change_password($old_passwd, $new_passwd, $_account_id=0)
{ {
return false; // Cant change passwd in ADS return false; // Cant change passwd in ADS
} }
} }
?>
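Review bot: `$passwd_type` is added to `auth_ads::authenticate()` in the signature and docblock only; no body line in this section's hunks reads it, so a caller passing anything other than 'text' would have that value handled as a cleartext password. A backend that can only verify cleartext should state that in its docblock and fail closed, for example `if ($passwd_type != 'text') return false;` as the first statement. The same signature-only change appears in the LDAP, mail, NIS and PAM sections further down. The body of `authenticate()` continues outside the hunk.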


@ -12,7 +12,7 @@
/** /**
* eGroupWare API - Authentication based on CAS (Central Authetication Service) * eGroupWare API - Authentication based on CAS (Central Authetication Service)
*/ */
class auth_ class auth_cas implements auth_backend
{ {
var $previous_login = -1; var $previous_login = -1;
@ -21,9 +21,10 @@ class auth_
* *
* @param string $username username of account to authenticate * @param string $username username of account to authenticate
* @param string $passwd corresponding password * @param string $passwd corresponding password
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
* @return boolean true if successful authenticated, false otherwise * @return boolean true if successful authenticated, false otherwise
*/ */
function authenticate($username, $passwd) function authenticate($username, $passwd, $passwd_type='text')
{ {
/* if program goes here, authenticate is, normaly, already verified by CAS */ /* if program goes here, authenticate is, normaly, already verified by CAS */
if ($GLOBALS['egw_info']['server']['account_repository'] != 'ldap' && if ($GLOBALS['egw_info']['server']['account_repository'] != 'ldap' &&
@ -56,7 +57,7 @@ class auth_
* *
* @param string $old_passwd must be cleartext or empty to not to be checked * @param string $old_passwd must be cleartext or empty to not to be checked
* @param string $new_passwd must be cleartext * @param string $new_passwd must be cleartext
* @param int $account_id account id of user whose passwd should be changed * @param int $account_id=0 account id of user whose passwd should be changed
* @return boolean true if password successful changed, false otherwise * @return boolean true if password successful changed, false otherwise
*/ */
function change_password($old_passwd, $new_passwd, $account_id=0) function change_password($old_passwd, $new_passwd, $account_id=0)


@ -0,0 +1,85 @@
<?php
/**
* eGroupWare API - LDAP Authentication with fallback to SQL
*
* @link http://www.egroupware.org
* @author Ralf Becker <ralfbecker@outdoor-training.de>
* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
* @package api
* @subpackage authentication
* @version $Id$
*/
/**
* Authentication agains a LDAP Server with fallback to SQL
*
* For other fallback types, simply change auth backends in constructor call
*/
class auth_fallback implements auth_backend
{
/**
* Primary auth backend
*
* @var auth_backend
*/
private $primary_backend;
/**
* Fallback auth backend
*
* @var auth_backend
*/
private $fallback_backend;
/**
* Constructor
*/
function __construct($primary='auth_ldap',$fallback='auth_sql')
{
$this->primary_backend = new $primary;
$this->fallback_backend = new $fallback;
}
/**
* authentication against LDAP with fallback to SQL
*
* @param string $username username of account to authenticate
* @param string $passwd corresponding password
* @return boolean true if successful authenticated, false otherwise
*/
function authenticate($username, $passwd, $passwd_type='text')
{
if ($this->primary_backend->authenticate($username, $passwd, $passwd_type))
{
egw_cache::setSession(__CLASS__,'backend_used','primary');
return true;
}
if ($this->fallback_backend->authenticate($username,$passwd, $passwd_type))
{
egw_cache::setSession(__CLASS__,'backend_used','fallback');
return true;
}
return false;
}
/**
* changes password in LDAP
*
* If $old_passwd is given, the password change is done binded as user and NOT with the
* "root" dn given in the configurations.
*
* @param string $old_passwd must be cleartext or empty to not to be checked
* @param string $new_passwd must be cleartext
* @param int $account_id account id of user whose passwd should be changed
* @return boolean true if password successful changed, false otherwise
*/
function change_password($old_passwd, $new_passwd, $account_id=0)
{
if (egw_cache::getSession(__CLASS__,'backend_used') == 'primary')
{
return $this->primary_backend->change_password($old_passwd, $new_passwd, $account_id);
}
return $this->fallback_backend->change_password($old_passwd, $new_passwd, $account_id);
}
}
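Review bot: `auth_fallback::authenticate()` consults the fallback backend after every primary failure, including a wrong password, because `auth_backend::authenticate()` reports only a boolean. An account whose password was changed or which was disabled in the primary (LDAP) can therefore still log in with whatever credential the SQL table holds. If the intent is availability when the primary is unreachable, or accounts that exist only in SQL, the class docblock should say so and the fallback should ideally be limited to those cases. `change_password()` picks the backend from the session value `backend_used`, which describes the logged-in user rather than `$account_id`, so an admin changing another user's password writes to whichever backend the admin logged in through. The constructor also does not check that `$primary` and `$fallback` implement `auth_backend`, as `auth::__construct()` does for its backend.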


@ -1,34 +1,33 @@
<?php <?php
/**************************************************************************\ /**
* eGroupWare API - Auth from HTTP * * eGroupWare API - Authentication based on HTTP auth
* This file written by Dan Kuykendall <seek3r@phpgroupware.org> * *
* and Joseph Engo <jengo@phpgroupware.org> * * @link http://www.egroupware.org
* Authentication based on HTTP auth * * @author Dan Kuykendall <seek3r@phpgroupware.org>
* Copyright (C) 2000, 2001 Dan Kuykendall * * @author Joseph Engo <jengo@phpgroupware.org>
* ------------------------------------------------------------------------ * * Copyright (C) 2000, 2001 Dan Kuykendall
* This library is part of the eGroupWare API * * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
* http://www.egroupware.org/api * * @package api
* ------------------------------------------------------------------------ * * @subpackage authentication
* This library is free software; you can redistribute it and/or modify it * * @version $Id$
* under the terms of the GNU Lesser General Public License as published by * */
* the Free Software Foundation; either version 2.1 of the License, *
* or any later version. *
* This library is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *
* See the GNU Lesser General Public License for more details. *
* You should have received a copy of the GNU Lesser General Public License *
* along with this library; if not, write to the Free Software Foundation, *
* Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
\**************************************************************************/
/* $Id$ */ /**
* Authentication based on HTTP auth
class auth_ */
class auth_http implements auth_backend
{ {
var $previous_login = -1; var $previous_login = -1;
function authenticate($username, $passwd) /**
* password authentication
*
* @param string $username username of account to authenticate
* @param string $passwd corresponding password
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
* @return boolean true if successful authenticated, false otherwise
*/
function authenticate($username, $passwd, $passwd_type='text')
{ {
if (isset($_SERVER['PHP_AUTH_USER'])) if (isset($_SERVER['PHP_AUTH_USER']))
{ {
@ -40,7 +39,15 @@
} }
} }
function change_password($old_passwd, $new_passwd) /**
* changes password
*
* @param string $old_passwd must be cleartext or empty to not to be checked
* @param string $new_passwd must be cleartext
* @param int $account_id account id of user whose passwd should be changed
* @return boolean true if password successful changed, false otherwise
*/
function change_password($old_passwd, $new_passwd, $account_id=0)
{ {
return False; return False;
} }


@ -3,6 +3,7 @@
* eGroupWare API - LDAP Authentication * eGroupWare API - LDAP Authentication
* *
* @link http://www.egroupware.org * @link http://www.egroupware.org
* @author Ralf Becker <ralfbecker@outdoor-training.de>
* @author Lars Kneschke <lkneschke@linux-at-work.de> * @author Lars Kneschke <lkneschke@linux-at-work.de>
* @author Joseph Engo <jengo@phpgroupware.org> * @author Joseph Engo <jengo@phpgroupware.org>
* Copyright (C) 2000, 2001 Joseph Engo * Copyright (C) 2000, 2001 Joseph Engo
@ -16,7 +17,7 @@
/** /**
* Authentication agains a LDAP Server * Authentication agains a LDAP Server
*/ */
class auth_ class auth_ldap implements auth_backend
{ {
var $previous_login = -1; var $previous_login = -1;
@ -27,13 +28,13 @@ class auth_
* @param string $passwd corresponding password * @param string $passwd corresponding password
* @return boolean true if successful authenticated, false otherwise * @return boolean true if successful authenticated, false otherwise
*/ */
function authenticate($username, $passwd) function authenticate($username, $passwd, $passwd_type='text')
{ {
// allow non-ascii in username & password // allow non-ascii in username & password
$username = $GLOBALS['egw']->translation->convert($username,$GLOBALS['egw']->translation->charset(),'utf-8'); $username = translation::convert($username,translation::charset(),'utf-8');
$passwd = $GLOBALS['egw']->translation->convert($passwd,$GLOBALS['egw']->translation->charset(),'utf-8'); $passwd = translation::convert($passwd,translation::charset(),'utf-8');
if(!$ldap = $GLOBALS['egw']->common->ldapConnect()) if(!$ldap = common::ldapConnect())
{ {
$GLOBALS['egw']->log->message('F-Abort, Failed connecting to LDAP server for authenication, execution stopped'); $GLOBALS['egw']->log->message('F-Abort, Failed connecting to LDAP server for authenication, execution stopped');
$GLOBALS['egw']->log->commit(); $GLOBALS['egw']->log->commit();
@ -90,7 +91,7 @@ class auth_
) as $ldap_name => $acct_name) ) as $ldap_name => $acct_name)
{ {
$GLOBALS['auto_create_acct'][$acct_name] = $GLOBALS['auto_create_acct'][$acct_name] =
$GLOBALS['egw']->translation->convert($allValues[0][$ldap_name][0],'utf-8'); translation::convert($allValues[0][$ldap_name][0],'utf-8');
} }
return True; return True;
} }
@ -123,15 +124,15 @@ class auth_
} }
else else
{ {
$username = $GLOBALS['egw']->translation->convert($GLOBALS['egw']->accounts->id2name($account_id), $username = translation::convert($GLOBALS['egw']->accounts->id2name($account_id),
$GLOBALS['egw']->translation->charset(),'utf-8'); translation::charset(),'utf-8');
} }
//echo "<p>auth_ldap::change_password('$old_password','$new_passwd',$account_id) username='$username'</p>\n"; //echo "<p>auth_ldap::change_password('$old_password','$new_passwd',$account_id) username='$username'</p>\n";
$filter = $GLOBALS['egw_info']['server']['ldap_search_filter'] ? $GLOBALS['egw_info']['server']['ldap_search_filter'] : '(uid=%user)'; $filter = $GLOBALS['egw_info']['server']['ldap_search_filter'] ? $GLOBALS['egw_info']['server']['ldap_search_filter'] : '(uid=%user)';
$filter = str_replace(array('%user','%domain'),array($username,$GLOBALS['egw_info']['user']['domain']),$filter); $filter = str_replace(array('%user','%domain'),array($username,$GLOBALS['egw_info']['user']['domain']),$filter);
$ds = $GLOBALS['egw']->common->ldapConnect(); $ds = common::ldapConnect();
$sri = ldap_search($ds, $GLOBALS['egw_info']['server']['ldap_context'], $filter); $sri = ldap_search($ds, $GLOBALS['egw_info']['server']['ldap_context'], $filter);
$allValues = ldap_get_entries($ds, $sri); $allValues = ldap_get_entries($ds, $sri);
@ -142,7 +143,7 @@ class auth_
if($old_passwd) // if old password given (not called by admin) --> bind as that user to change the pw if($old_passwd) // if old password given (not called by admin) --> bind as that user to change the pw
{ {
$ds = $GLOBALS['egw']->common->ldapConnect('',$dn,$old_passwd); $ds = common::ldapConnect('',$dn,$old_passwd);
} }
if (!@ldap_modify($ds, $dn, $entry)) if (!@ldap_modify($ds, $dn, $entry))
{ {
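Review bot: In `change_password()` the handle returned by `common::ldapConnect()` is used unchecked: `$ds = common::ldapConnect();` goes straight into `ldap_search()`, and the rebind `$ds = common::ldapConnect('',$dn,$old_passwd);` goes straight into `@ldap_modify()`, whose warning is suppressed. `authenticate()` in the same file does test the handle with `if(!$ldap = common::ldapConnect())`. A guard such as `if (!($ds = common::ldapConnect())) return false;` at both places makes a failed connect, or a failed bind with the old password, an explicit rejection that can be logged. The `$username` substituted into `$filter` is not escaped for LDAP filter syntax in the visible lines; the function starts and ends outside these hunks, so that may be handled elsewhere.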


@ -1,33 +1,32 @@
<?php <?php
/**************************************************************************\ /**
* eGroupWare API - Auth from Mail server * * eGroupWare API - Authentication agains mail server
* This file written by Dan Kuykendall <seek3r@phpgroupware.org> * *
* Authentication based on mail server * * @link http://www.egroupware.org
* Copyright (C) 2000, 2001 Dan Kuykendall * * @author Dan Kuykendall <seek3r@phpgroupware.org>
* ------------------------------------------------------------------------ * * Copyright (C) 2000, 2001 Dan Kuykendall
* This library is part of the eGroupWare API * * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
* http://www.egroupware.org/api * * @package api
* ------------------------------------------------------------------------ * * @subpackage authentication
* This library is free software; you can redistribute it and/or modify it * * @version $Id$
* under the terms of the GNU Lesser General Public License as published by * */
* the Free Software Foundation; either version 2.1 of the License, *
* or any later version. *
* This library is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *
* See the GNU Lesser General Public License for more details. *
* You should have received a copy of the GNU Lesser General Public License *
* along with this library; if not, write to the Free Software Foundation, *
* Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
\**************************************************************************/
/* $Id$ */ /**
* Authentication agains mail server
class auth_ */
class auth_mail implements auth_backend
{ {
var $previous_login = -1; var $previous_login = -1;
function authenticate($username, $passwd) /**
* password authentication
*
* @param string $username username of account to authenticate
* @param string $passwd corresponding password
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
* @return boolean true if successful authenticated, false otherwise
*/
function authenticate($username, $passwd, $passwd_type='text')
{ {
$notls = '/notls'; $notls = '/notls';
if ($GLOBALS['egw_info']['server']['mail_login_type'] == 'vmailmgr') if ($GLOBALS['egw_info']['server']['mail_login_type'] == 'vmailmgr')
@ -85,7 +84,15 @@
return True; return True;
} }
function change_password($old_passwd, $new_passwd) /**
* changes password
*
* @param string $old_passwd must be cleartext or empty to not to be checked
* @param string $new_passwd must be cleartext
* @param int $account_id=0 account id of user whose passwd should be changed
* @return boolean true if password successful changed, false otherwise
*/
function change_password($old_passwd, $new_passwd, $account_id=0)
{ {
return False; return False;
} }


@ -1,31 +1,30 @@
<?php <?php
/**************************************************************************\ /**
* eGroupWare API - Auth from NIS * * eGroupWare API - Auth from NIS
* Authentication based on NIS maps * *
* by Dylan Adams <dadams@jhu.edu> * * @link http://www.egroupware.org
* Copyright (C) 2001 Dylan Adams * * @author * by Dylan Adams <dadams@jhu.edu>
* ------------------------------------------------------------------------ * * Copyright (C) 2001 Dylan Adams
* This library is part of the eGroupWare API * * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
* http://www.egroupware.org/api * * @package api
* ------------------------------------------------------------------------ * * @subpackage authentication
* This library is free software; you can redistribute it and/or modify it * * @version $Id$
* under the terms of the GNU Lesser General Public License as published by * */
* the Free Software Foundation; either version 2.1 of the License, *
* or any later version. *
* This library is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *
* See the GNU Lesser General Public License for more details. *
* You should have received a copy of the GNU Lesser General Public License *
* along with this library; if not, write to the Free Software Foundation, *
* Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
\**************************************************************************/
/* $Id$ */ /**
* Auth from NIS
class auth_ */
class auth_nis implements auth_backend
{ {
function authenticate($username, $passwd) /**
* password authentication
*
* @param string $username username of account to authenticate
* @param string $passwd corresponding password
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
* @return boolean true if successful authenticated, false otherwise
*/
function authenticate($username, $passwd, $passwd_type='text')
{ {
$domain = yp_get_default_domain(); $domain = yp_get_default_domain();
if(!empty($GLOBALS['egw_info']['server']['nis_domain'])) if(!empty($GLOBALS['egw_info']['server']['nis_domain']))
@ -52,7 +51,15 @@
return($encrypted_passwd == $stored_passwd); return($encrypted_passwd == $stored_passwd);
} }
function change_password($old_passwd, $new_passwd, $account_id='') /**
* changes password
*
* @param string $old_passwd must be cleartext or empty to not to be checked
* @param string $new_passwd must be cleartext
* @param int $account_id=0 account id of user whose passwd should be changed
* @return boolean true if password successful changed, false otherwise
*/
function change_password($old_passwd, $new_passwd, $account_id=0)
{ {
// can't change passwords unless server runs as root (bad idea) // can't change passwords unless server runs as root (bad idea)
return( False ); return( False );
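Review bot: `return($encrypted_passwd == $stored_passwd);` at the end of `authenticate()` compares the computed and stored crypt strings with the loose `==` operator, which falls back to numeric comparison when both operands look like numbers. The identity operator accepts only byte-identical strings: `return $encrypted_passwd === $stored_passwd;`. The rest of the function body lies outside the hunk.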


@ -1,28 +1,30 @@
<?php <?php
/**************************************************************************\ /**
* eGroupWare API - Auth from PAM * * eGroupWare API - Auth from PAM
* ------------------------------------------------------------------------ * *
* This library is part of the eGroupWare API * * @link http://www.egroupware.org
* http://www.egroupware.org/api * * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
* ------------------------------------------------------------------------ * * @package api
* This library is free software; you can redistribute it and/or modify it * * @subpackage authentication
* under the terms of the GNU Lesser General Public License as published by * * @version $Id$
* the Free Software Foundation; either version 2.1 of the License, * */
* or any later version. *
* This library is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *
* See the GNU Lesser General Public License for more details. *
* You should have received a copy of the GNU Lesser General Public License *
* along with this library; if not, write to the Free Software Foundation, *
* Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
\**************************************************************************/
/* $Id$ */ /**
* Auth from PAM
class auth_ *
* Requires php_pam extension!
*/
class auth_pam implements auth_backend
{ {
function authenticate($username, $passwd) /**
* password authentication
*
* @param string $username username of account to authenticate
* @param string $passwd corresponding password
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
* @return boolean true if successful authenticated, false otherwise
*/
function authenticate($username, $passwd, $passwd_type='text')
{ {
if (pam_auth($username, get_magic_quotes_gpc() ? stripslashes($passwd) : $passwd, &$error)) if (pam_auth($username, get_magic_quotes_gpc() ? stripslashes($passwd) : $passwd, &$error))
{ {
@ -31,7 +33,15 @@
return False; return False;
} }
function change_password($old_passwd, $new_passwd, $account_id='') /**
* changes password
*
* @param string $old_passwd must be cleartext or empty to not to be checked
* @param string $new_passwd must be cleartext
* @param int $account_id=0 account id of user whose passwd should be changed
* @return boolean true if password successful changed, false otherwise
*/
function change_password($old_passwd, $new_passwd, $account_id=0)
{ {
// deny password changes. // deny password changes.
return False; return False;


@ -3,6 +3,7 @@
* eGroupWare API - Authentication from SQL * eGroupWare API - Authentication from SQL
* *
* @link http://www.egroupware.org * @link http://www.egroupware.org
* @author Ralf Becker <ralfbecker@outdoor-training.de>
* @author Dan Kuykendall <seek3r@phpgroupware.org> * @author Dan Kuykendall <seek3r@phpgroupware.org>
* @author Joseph Engo <jengo@phpgroupware.org> * @author Joseph Engo <jengo@phpgroupware.org>
* Copyright (C) 2000, 2001 Dan Kuykendall * Copyright (C) 2000, 2001 Dan Kuykendall
@ -20,7 +21,7 @@
* *
* Massive code cleanup and added password migration by Cornelius Weiss <egw@von-und-zu-weiss.de * Massive code cleanup and added password migration by Cornelius Weiss <egw@von-und-zu-weiss.de
*/ */
class auth_ class auth_sql implements auth_backend
{ {
/** /**
* Reference to the global db object * Reference to the global db object
@ -31,7 +32,7 @@ class auth_
var $table = 'egw_accounts'; var $table = 'egw_accounts';
var $previous_login = -1; var $previous_login = -1;
function auth_() function __construct()
{ {
$this->db = $GLOBALS['egw']->db; $this->db = $GLOBALS['egw']->db;
@ -141,7 +142,7 @@ class auth_
} }
// old password ok, or admin called the function from the admin application (no old passwd available). // old password ok, or admin called the function from the admin application (no old passwd available).
return $this->_update_passwd($this->encrypt_sql($new_passwd),$new_passwd,$account_id,$admin); return $this->_update_passwd(auth::encrypt_sql($new_passwd),$new_passwd,$account_id,$admin);
} }
/** /**


@ -1,41 +1,46 @@
<?php <?php
/**************************************************************************\ /**
* eGroupWare API - Auth from SQL, with optional SSL authentication * * eGroupWare API - Authentication based on SQL table and X.509 certificates
* This file written by Andreas 'Count' Kotes <count@flatline.de> * *
* Authentication based on SQL table and X.509 certificates * * @link http://www.egroupware.org
* Copyright (C) 2000, 2001 Dan Kuykendall * * @author Andreas 'Count' Kotes <count@flatline.de>
* ------------------------------------------------------------------------ * * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
* This library is part of the eGroupWare API * * @package api
* http://www.egroupware.org/api * * @subpackage authentication
* ------------------------------------------------------------------------ * * @version $Id$
* This library is free software; you can redistribute it and/or modify it * */
* under the terms of the GNU Lesser General Public License as published by *
* the Free Software Foundation; either version 2.1 of the License, *
* or any later version. *
* This library is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *
* See the GNU Lesser General Public License for more details. *
* You should have received a copy of the GNU Lesser General Public License *
* along with this library; if not, write to the Free Software Foundation, *
* Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
\**************************************************************************/
/* $Id$ */ /**
* Authentication based on SQL table and X.509 certificates
class auth_ *
* @todo rewrite using auth_sql backend class
*/
class auth_sqlssl implements auth_backend
{ {
var $db = ''; /**
* @var egw_db
*/
var $db;
var $table = 'egw_accounts';
var $previous_login = -1; var $previous_login = -1;
function auth_() /**
* Constructor
*/
function __construct()
{ {
$this->db = clone($GLOBALS['egw']->db); $this->db = $GLOBALS['egw']->db;
$this->db->set_app('phpgwapi');
$this->table = 'egw_accounts';
} }
function authenticate($username, $passwd) /**
* password authentication
*
* @param string $username username of account to authenticate
* @param string $passwd corresponding password
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
* @return boolean true if successful authenticated, false otherwise
*/
function authenticate($username, $passwd, $passwd_type='text')
{ {
$local_debug = False; $local_debug = False;
@ -60,19 +65,27 @@
if(!isset($_SERVER['SSL_CLIENT_S_DN'])) if(!isset($_SERVER['SSL_CLIENT_S_DN']))
{ {
# if we're not doing SSL authentication, behave like auth_sql # if we're not doing SSL authentication, behave like auth_sql
return $this->compare_password($passwd,$this->db->f('account_pwd'),$this->type,strtolower($username)); return auth::compare_password($passwd,$this->db->f('account_pwd'),$this->type,strtolower($username));
} }
return True; return True;
} }
function change_password($old_passwd, $new_passwd, $account_id = '') /**
* changes password
*
* @param string $old_passwd must be cleartext or empty to not to be checked
* @param string $new_passwd must be cleartext
* @param int $account_id=0 account id of user whose passwd should be changed
* @return boolean true if password successful changed, false otherwise
*/
function change_password($old_passwd, $new_passwd, $account_id = 0)
{ {
if(!$account_id) if(!$account_id)
{ {
$account_id = $GLOBALS['egw_info']['user']['account_id']; $account_id = $GLOBALS['egw_info']['user']['account_id'];
} }
$encrypted_passwd = $this->encrypt_sql($new_passwd); $encrypted_passwd = auth::encrypt_sql($new_passwd);
$GLOBALS['egw']->db->update($this->table,array( $GLOBALS['egw']->db->update($this->table,array(
'account_pwd' => $encrypted_passwd, 'account_pwd' => $encrypted_passwd,
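Review bot: The new docblock on `auth_sqlssl::change_password()` says `$old_passwd` is checked unless empty, but the visible body never reads it: it defaults `$account_id` to the current user, calls `auth::encrypt_sql($new_passwd)` and updates `account_pwd`. As shown, a caller that supplies an `$account_id` sets that account's password without proving knowledge of the old one. Either the check lives in the callers, in which case the docblock should say `$old_passwd` is ignored here, or the method should verify it before the update, which is what the added `@todo rewrite using auth_sql backend class` points towards. The function continues past the end of the hunk.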


@ -218,6 +218,7 @@
<option value="nis"{selected_auth_type_nis}>NIS</option> <option value="nis"{selected_auth_type_nis}>NIS</option>
<option value="pam"{selected_auth_type_pam}>PAM</option> <option value="pam"{selected_auth_type_pam}>PAM</option>
<option value="cas"{selected_auth_type_cas}>CAS</option> <option value="cas"{selected_auth_type_cas}>CAS</option>
<option value="fallback"{selected_auth_type_fallback}>Fallback LDAP -> SQL</option>
</select> </select>
</td> </td>
</tr> </tr>
@ -235,6 +236,7 @@
<option value="http"{selected_auth_type_syncml_http}>HTTP</option> <option value="http"{selected_auth_type_syncml_http}>HTTP</option>
<option value="nis"{selected_auth_type_syncml_nis}>NIS</option> <option value="nis"{selected_auth_type_syncml_nis}>NIS</option>
<option value="pam"{selected_auth_type_syncml_pam}>PAM</option> <option value="pam"{selected_auth_type_syncml_pam}>PAM</option>
<option value="fallback"{selected_auth_type_fallback}>Fallback LDAP -> SQL</option>
</select> </select>
</td> </td>
</tr> </tr>
@ -252,6 +254,7 @@
<option value="http"{selected_auth_type_groupdav_http}>HTTP</option> <option value="http"{selected_auth_type_groupdav_http}>HTTP</option>
<option value="nis"{selected_auth_type_groupdav_nis}>NIS</option> <option value="nis"{selected_auth_type_groupdav_nis}>NIS</option>
<option value="pam"{selected_auth_type_groupdav_pam}>PAM</option> <option value="pam"{selected_auth_type_groupdav_pam}>PAM</option>
<option value="fallback"{selected_auth_type_fallback}>Fallback LDAP -> SQL</option>
</select> </select>
</td> </td>
</tr> </tr>
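Review bot: The option added to the SyncML and GroupDAV selects reuses the main login placeholder `{selected_auth_type_fallback}`, while every other option in those selects carries its own prefix (`{selected_auth_type_syncml_pam}`, `{selected_auth_type_groupdav_pam}`). As written, choosing Fallback for the main login would presumably also mark it selected in the other two lists, and a Fallback choice saved for SyncML or GroupDAV would not be shown as selected. The second and third hunks should read `<option value="fallback"{selected_auth_type_syncml_fallback}>` and `<option value="fallback"{selected_auth_type_groupdav_fallback}>`.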