new auth_ads class:

- only needs host- and domain-name
- needs NO extra account on the ADS host
- can be used with accounts in SQL or LDAP to auto-create authenticated users
- new param to lowercase the user-names before auto-creating them (to deal with case-insensitive and case-sensitive systems)
This commit is contained in:
Ralf Becker 2005-05-13 15:58:10 +00:00
parent 53eff000eb
commit b883eca49d
5 changed files with 79 additions and 87 deletions


@ -36,80 +36,68 @@
return False;
}
if(!$ldap = @ldap_connect($GLOBALS['phpgw_info']['server']['ldap_host']))
if(!$ldap = @ldap_connect($GLOBALS['egw_info']['server']['ads_host']))
{
$GLOBALS['phpgw']->log->message('F-Abort, Failed connecting to LDAP server for authenication, execution stopped');
$GLOBALS['phpgw']->log->commit();
//echo "<p>Failed connecting to ADS server '".$GLOBALS['egw_info']['server']['ads_host']."' for authenication, execution stopped</p>\n";
$GLOBALS['egw']->log->message('F-Abort, Failed connecting to ADS server for authenication, execution stopped');
$GLOBALS['egw']->log->commit();
return False;
}
//echo "<p>Connected to LDAP server '".$GLOBALS['egw_info']['server']['ads_host']."' for authenication</p>\n";
if($GLOBALS['phpgw_info']['server']['ldap_version3'])
{
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
/* Login with the LDAP Admin. User to find the User DN. */
if(!@ldap_bind($ldap, $GLOBALS['phpgw_info']['server']['ldap_root_dn'], $GLOBALS['phpgw_info']['server']['ldap_root_pw']))
if(!@ldap_bind($ldap,$username.'@'.$GLOBALS['egw_info']['server']['ads_domain'],$passwd))
{
//echo "<p>Cant bind with '$username@".$GLOBALS['egw_info']['server']['ads_domain']."' with PW '$passwd' !!!</p>\n";
return False;
}
/* find the dn for this uid, the uid is not always in the dn */
#$attributes = array('samaccountname','dn','givenName','sn','mail','uidNumber','gidNumber');
$attributes = array('samaccountname','dn','givenName','sn','mail');
if ($GLOBALS['phpgw_info']['server']['account_repository'] == 'ldap')
{
$filter = "(&(samaccountname=$username)(phpgwaccountstatus=A))";
}
else
{
$filter = "(samaccountname=$username)";
}
//echo "<p>Bind with '$username@".$GLOBALS['egw_info']['server']['ads_domain']."' with PW '$passwd'.</p>\n";
$sri = ldap_search($ldap, $GLOBALS['phpgw_info']['server']['ldap_context'], $filter, $attributes);
$attributes = array('samaccountname','givenName','sn','mail');
$filter = "(samaccountname=$username)";
// automatic create dn from domain: domain.com ==> DC=domain,DC=com
$base_dn = array();
foreach(explode('.',$GLOBALS['egw_info']['server']['ads_domain']) as $dc)
{
$base_dn[] = 'DC='.$dc;
}
$base_dn = implode(',',$base_dn);
//echo "<p>Trying ldap_search(,$base_dn,$filter,".print_r($attributes,true)."</p>\n";
$sri = ldap_search($ldap, $base_dn, $filter, $attributes);
$allValues = ldap_get_entries($ldap, $sri);
//_debug_array($allValues);
if ($allValues['count'] > 0)
{
if($GLOBALS['phpgw_info']['server']['case_sensitive_username'] == true)
if($GLOBALS['egw_info']['server']['case_sensitive_username'] == true)
{
if($allValues[0]['samaccountname'][0] != $username)
{
return false;
}
}
/* we only care about the first dn */
$userDN = $allValues[0]['dn'];
/*
generate a bogus password to pass if the user doesn't give us one
this gets around systems that are anonymous search enabled
*/
if (empty($passwd))
$account = CreateObject('phpgwapi.accounts',$username,'u');
if ($account->account_id)
{
$passwd = crypt(microtime());
return true;
}
/* try to bind as the user with user suplied password */
if (@ldap_bind($ldap, $userDN, $passwd))
if ($GLOBALS['egw_info']['server']['auto_create_acct'])
{
if ($GLOBALS['phpgw_info']['server']['account_repository'] != 'ldap')
// create a global array with all availible info about that account
$GLOBALS['auto_create_acct'] = array();
foreach(array(
'givenname' => 'firstname',
'sn' => 'lastname',
'mail' => 'email',
) as $ldap_name => $acct_name)
{
$account = CreateObject('phpgwapi.accounts',$username,'u');
if (!$account->account_id && $GLOBALS['phpgw_info']['server']['auto_create_acct'])
{
// create a global array with all availible info about that account
$GLOBALS['auto_create_acct'] = array();
foreach(array(
'givenname' => 'firstname',
'sn' => 'lastname',
'mail' => 'email',
) as $ldap_name => $acct_name)
{
$GLOBALS['auto_create_acct'][$acct_name] =
$GLOBALS['phpgw']->translation->convert($allValues[0][$ldap_name][0],'utf-8');
}
return True;
}
$data = $account->read_repository();
return $data['status'] == 'A';
$GLOBALS['auto_create_acct'][$acct_name] =
$GLOBALS['egw']->translation->convert($allValues[0][$ldap_name][0],'utf-8');
}
return True;
}
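Review bot: The bind on the new line `ldap_bind($ldap,$username.'@'.$GLOBALS['egw_info']['server']['ads_domain'],$passwd)` is performed with whatever `$passwd` the caller passed, and the removed guard that substituted a random password for an empty one (`if (empty($passwd)) $passwd = crypt(microtime());`) is not carried over; with an empty password ldap_bind performs an anonymous (against Active Directory, unauthenticated) simple bind, which directory servers commonly accept, so an empty-password login would be reported as authenticated. Add `if ($passwd == '') { return False; }` before the bind; the enclosing function's signature and the rest of its body are outside this hunk. The same `$username` is then interpolated unescaped into `$filter = "(samaccountname=$username)";` — it has passed the bind, but a name containing `)`, `*`, `(` or `\` would still change the filter, so escape those characters before building it. The commented-out debug `echo` lines that print `$passwd` in clear text should be deleted rather than left in the file.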
@ -120,40 +108,16 @@
function change_password($old_passwd, $new_passwd, $_account_id='')
{
if ('' == $_account_id)
{
$_account_id = $GLOBALS['phpgw_info']['user']['account_id'];
}
$ds = $GLOBALS['phpgw']->common->ldapConnect();
$sri = ldap_search($ds, $GLOBALS['phpgw_info']['server']['ldap_context'], 'uidnumber=' . (int)$_account_id);
$allValues = ldap_get_entries($ds, $sri);
$entry['userpassword'] = $this->encrypt_password($new_passwd);
$dn = $allValues[0]['dn'];
if (!@ldap_modify($ds, $dn, $entry))
{
return false;
}
$GLOBALS['phpgw']->session->appsession('password','phpgwapi',$new_passwd);
return $entry['userpassword'];
return false; // Cant change passwd in ADS
}
function update_lastlogin($_account_id, $ip)
{
$entry['phpgwaccountlastlogin'] = time();
$entry['phpgwaccountlastloginfrom'] = $ip;
$ds = $GLOBALS['phpgw']->common->ldapConnect();
$sri = ldap_search($ds, $GLOBALS['phpgw_info']['server']['ldap_context'], 'uidnumber=' . (int)$_account_id);
$allValues = ldap_get_entries($ds, $sri);
$dn = $allValues[0]['dn'];
$this->previous_login = $allValues[0]['phpgwaccountlastlogin'][0];
@ldap_modify($ds, $dn, $entry);
$account =& CreateObject('phpgwapi.accounts',$_account_id,'u');
$account->read_repository();
$account->data['lastlogin'] = time();
$account->data['lastloginfrom'] = $ip;
$account->save_repository();
}
}
?>


@ -508,8 +508,12 @@
return False;
}
if (!$this->account_id && $GLOBALS['egw_info']['server']['auto_create_acct'] == True)
if (!$this->account_id && $GLOBALS['egw_info']['server']['auto_create_acct'])
{
if ($GLOBALS['egw_info']['server']['auto_create_acct'] == 'lowercase')
{
$this->account_lid = strtolower($this->account_lid);
}
$this->account_id = $GLOBALS['egw']->accounts->auto_add($this->account_lid, $passwd);
}
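Review bot: The lowercasing of `$this->account_lid` runs only after the lookup that set `$this->account_id` (outside this hunk) has already failed with the caller's casing, while the account created by `auto_add` stores the lowercase name; if that lookup is case-sensitive, a later login with a mixed-case name would miss the auto-created account and attempt `auto_add` again. Apply the lowercasing before the lookup, or re-resolve the id after it: `if ($GLOBALS['egw_info']['server']['auto_create_acct'] == 'lowercase') { $this->account_lid = strtolower($this->account_lid); }` ahead of the existence check. The enclosing function starts before this hunk. Note also that `strtolower` only folds ASCII letters, which is worth a comment if non-ASCII account names are expected.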


@ -88,7 +88,7 @@ checking file-permissions of %1 for %2: %3 setup de
checking for gd support... setup de Überprüfe die GD Unterstützung...
checking php.ini setup de Überprüfe die php.ini Datei
checking the egroupware installation setup de Überprüfe die eGroupWare-Installation
click <a href="index.php">here</a> to return to setup. setup de <a href="index.php">Hier klicken</a> um zum Setup zurück zu kommen.
click <a href="index.php?sessionid=f69c6befb6636a1a9501e45ff0176385">here</a> to return to setup. setup de <a href="index.php?sessionid=f69c6befb6636a1a9501e45ff0176385">Hier klicken</a> um zum Setup zurück zu kommen.
click here setup de Hier klicken
click here to re-run the installation tests setup de zum Wiederholen der Installationstests hier klicken
completed setup de Abgeschlossen
@ -153,6 +153,7 @@ do you want persistent connections (higher performance, but consumes more resour
do you want to manage homedirectory and loginshell attributes? setup de Wollen Sie Benutzerverzeichnisse und Login-Shell Attribute verwalten?
does not exist setup de existiert nicht
domain setup de Domain
domain name setup de Name der Domain
domain select box on login setup de Domain-Auswahlbox beim Einloggen
dont touch my data setup de Meine Daten nicht verändern
download setup de Herunterladen
@ -171,7 +172,7 @@ enter the full path for users and group files.<br>examples: /files, e:\files set
enter the full path for users and group files.<br>examples: /files, e:files setup de Vollständiger Pfad für Benutzer- und Gruppendateien.<br>Beispiel: /files, E:\Files
enter the full path to the backup directory.<br>if empty: files directory setup de Vollständiger Pfad für das Datensicherungsverzeichnis.<br>Wenn leer: Dateiverzeichnis
enter the hostname of the machine on which this server is running setup de Hostname des Computers auf dem der Server läuft
enter the location of egroupware's url.<br>example: http://www.domain.com/egroupware &nbsp; or &nbsp; /egroupware<br><b>no trailing slash</b> setup de URL zur eGroupWare Installation.<br>Beispiel: http://www.domain.com/egroupware &nbsp; or &nbsp; /egroupware<br><b>keinen nachfolgenden Slash /</b>
enter the location of egroupware's url.<br>example: http://www.domain.com/egroupware &nbsp; or &nbsp; /egroupware<br><b>no trailing slash</b> setup de URL zur eGroupWare Installation.<br>Beispiel: http://www.domain.com/egroupware or /egroupware<br><b>keinen nachfolgenden Slash /</b>
enter the site password for peer servers setup de Site Passwort für Peer Server
enter the site username for peer servers setup de Site Benutzername für Peer Server
enter the title for your site setup de Titel der eGroupWare Installation
@ -204,6 +205,7 @@ historylog removed setup de Historylog gel
hooks deregistered setup de Haken nicht mehr aktiv
hooks registered setup de Haken registriert
host information setup de Host Informationen
host/ip domain controler setup de Hostname / IP des Domain Controler
hostname/ip of database server setup de Hostname/IP des Datenbank-Servers
hour (0-24) setup de Stunde (0-24)
however, the application is otherwise installed setup de Wie auch immer, die Anwendung ist ansonsten installiert
@ -211,6 +213,7 @@ however, the application may still work setup de Wie auch immer, die Anwendung m
if no acl records for user or any group the user is a member of setup de Wenn es keinen ACL-Eintrag für einen Benutzer oder eine Gruppe, der er angehört gibt
if safe_mode is turned on, egw is not able to change certain settings on runtime, nor can we load any not yet loaded module. setup de Wenn safe_mode eingeschaltet ist, kann eGW verschiedene Einstellungen nicht mehr zur Laufzeit ändern, noch können wir nicht geladene Erweiterungen (php extensions) laden.
if the application has no defined tables, selecting upgrade should remedy the problem setup de Wenn die Anwendung keine definierten Tabellen hat, wählen Sie überarbeiten. Das Problem sollte damit behoben werden.
if using ads (active directory) authentication setup de Wenn Sie ADS (Active Directory) Authentifizierung benutzen
if using ldap setup de Wenn Sie LDAP verwenden
if using ldap, do you want to manage homedirectory and loginshell attributes? setup de Wenn Sie LDAP verwenden, wollen Sie Benutzerverzeichnisse und Komandointerpreter verwalten ?
if you did not receive any errors, your applications have been setup de Wenn Sie keine Fehlermeldungen erhalten, wurden Ihre Anwendungen
@ -482,6 +485,7 @@ writable by the webserver setup de schreibar durch den Webserver
write config setup de Konfiguration schreiben
year setup de Jahr
yes setup de Ja
yes, with lowercase usernames setup de Ja, mit kleingeschriebenen Benutzernamen
you appear to be running a pre-beta version of egroupware.<br>these versions are no longer supported, and there is no upgrade path for them in setup.<br> you may wish to first upgrade to 0.9.10 (the last version to support pre-beta upgrades) <br>and then upgrade from there with the current version. setup de Es sieht so aus, als ob Sie eine vor-beta Version von eGroupWare benutzen.<br>Diese Versionen werden nicht länger unterstützt, und es gibt keinen Aktualisierungs-Pfad für Sie im Einrichtung-Programm.<br>Sie möchten vieleicht erst auf
you appear to be running an old version of php <br>it its recommend that you upgrade to a new version. <br>older version of php might not run egroupware correctly, if at all. <br><br>please upgrade to at least version %1 setup de Es sieht so aus als ob Sie eine alte PHP-Version benutzen<br>Es ist notwendig auf eine neue Version zu aktualisieren.<br>Ältere PHP-Versionen könnten eGroupWare (wenn überhaupt) nicht korrekt ausführen. <br><br>Biite aktualisieren Sie mindestens auf Version %1
you appear to be running version %1 of egroupware setup de Es sieht so aus als benutzen Sie Version %1 von eGroupWare
@ -507,7 +511,7 @@ you must enter a username for the admin setup de Sie m
you need to add some domains to your header.inc.php. setup de Sie müssen mindestens eine Domain zu Ihrer header.inc.php hinzufügen.
you need to select your current charset! setup de Sie müssen Ihren aktuellen Zeichensatz auswählen!
you should either uninstall and then reinstall it, or attempt manual repairs setup de Sie sollten entweder de- und neuinstallieren, oder manuelle Reparaturen versuchen
you will need to load the proper schema into your ldap server - see phpgwapi/doc/ldap/readme setup de Sie müssen das entsprechende Schema in Ihren LDAP-Server laden - siehe <a href="../phpgwapi/doc/ldap/README" target="_blank">phpgwapi/doc/ldap/README</a>
you will need to load the proper schema into your ldap server - see phpgwapi/doc/ldap/readme setup de Sie müssen das entsprechende Schema in Ihren LDAP-Server laden - siehe <a href="../phpgwapi/doc/ldap/README?sessionid=f69c6befb6636a1a9501e45ff0176385" target="_blank">phpgwapi/doc/ldap/README</a>
you're using an old configuration file format... setup de Sie verwenden ein altes Format der Konfigurationsdatei ...
you're using an old header.inc.php version... setup de Sie verwenden eine alte header.inc.php Version ...
your applications are current setup de Ihre Anwendungen sind aktuell


@ -87,7 +87,7 @@ checking file-permissions of %1 for %2: %3 setup en Checking file-permissions of
checking for gd support... setup en Checking for GD support...
checking php.ini setup en Checking php.ini
checking the egroupware installation setup en Checking the eGroupWare Installation
click <a href="index.php">here</a> to return to setup. setup en Click <a href="index.php">here</a> to return to setup.
click <a href="index.php?sessionid=f69c6befb6636a1a9501e45ff0176385">here</a> to return to setup. setup en Click <a href="index.php?sessionid=f69c6befb6636a1a9501e45ff0176385">here</a> to return to setup.
click here setup en Click Here
click here to re-run the installation tests setup en Click here to re-run the installation tests
completed setup en Completed
@ -152,6 +152,7 @@ do you want persistent connections (higher performance, but consumes more resour
do you want to manage homedirectory and loginshell attributes? setup en Do you want to manage homedirectory and loginshell attributes?
does not exist setup en does not exist
domain setup en Domain
domain name setup en Domain name
domain select box on login setup en Domain select box on login
dont touch my data setup en Dont touch my data
download setup en Download
@ -200,6 +201,7 @@ historylog removed setup en Historylog removed
hooks deregistered setup en hooks deregistered
hooks registered setup en hooks registered
host information setup en Host information
host/ip domain controler setup en Host/IP Domain controler
hostname/ip of database server setup en Hostname/IP of database server
hour (0-24) setup en hour (0-24)
however, the application is otherwise installed setup en However, the application is otherwise installed
@ -207,6 +209,7 @@ however, the application may still work setup en However, the application may st
if no acl records for user or any group the user is a member of setup en If no ACL records for user or any group the user is a member of
if safe_mode is turned on, egw is not able to change certain settings on runtime, nor can we load any not yet loaded module. setup en If safe_mode is turned on, eGW is not able to change certain settings on runtime, nor can we load any not yet loaded module.
if the application has no defined tables, selecting upgrade should remedy the problem setup en If the application has no defined tables, selecting upgrade should remedy the problem
if using ads (active directory) authentication setup en If using ADS (Active Directory) authentication
if using ldap setup en If using LDAP
if using ldap, do you want to manage homedirectory and loginshell attributes? setup en If using LDAP, do you want to manage homedirectory and loginshell attributes?
if you did not receive any errors, your applications have been setup en If you did not receive any errors, your applications have been
@ -477,6 +480,7 @@ writable by the webserver setup en writable by the webserver
write config setup en Write config
year setup en year
yes setup en Yes
yes, with lowercase usernames setup en Yes, with lowercase usernames
you appear to be running a pre-beta version of egroupware.<br>these versions are no longer supported, and there is no upgrade path for them in setup.<br> you may wish to first upgrade to 0.9.10 (the last version to support pre-beta upgrades) <br>and then upgrade from there with the current version. setup en You appear to be running a pre-beta version of eGroupWare.<br>These versions are no longer supported, and there is no upgrade path for them in setup.<br> You may wish to first upgrade to 0.9.10 (the last version to support pre-beta upgrades) <br>and then upgrade from there with the current version.
you appear to be running an old version of php <br>it its recommend that you upgrade to a new version. <br>older version of php might not run egroupware correctly, if at all. <br><br>please upgrade to at least version %1 setup en You appear to be running an old version of PHP <br>It its recommend that you upgrade to a new version. <br>Older version of PHP might not run eGroupWare correctly, if at all. <br><br>Please upgrade to at least version %1
you appear to be running version %1 of egroupware setup en You appear to be running version %1 of eGroupWare
@ -502,7 +506,7 @@ you must enter a username for the admin setup en You must enter a username for t
you need to add some domains to your header.inc.php. setup en You need to add some domains to your header.inc.php.
you need to select your current charset! setup en You need to select your current charset!
you should either uninstall and then reinstall it, or attempt manual repairs setup en You should either uninstall and then reinstall it, or attempt manual repairs
you will need to load the proper schema into your ldap server - see phpgwapi/doc/ldap/readme setup en You will need to load the proper schema into your ldap server - see <a href="../phpgwapi/doc/ldap/README" target="_blank">phpgwapi/doc/ldap/README</a>
you will need to load the proper schema into your ldap server - see phpgwapi/doc/ldap/readme setup en You will need to load the proper schema into your ldap server - see <a href="../phpgwapi/doc/ldap/README?sessionid=f69c6befb6636a1a9501e45ff0176385" target="_blank">phpgwapi/doc/ldap/README</a>
you're using an old configuration file format... setup en You're using an old configuration file format...
you're using an old header.inc.php version... setup en You're using an old header.inc.php version...
your applications are current setup en Your applications are current
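Review bot: The replaced `click <a href="index.php?sessionid=...">here</a>` and `phpgwapi/doc/ldap/README?sessionid=...` lines embed a fixed session id `f69c6befb6636a1a9501e45ff0176385` into both the translation key and its text, which looks like an artifact of exporting the lang file from a live setup session rather than an intended change (the German file in this commit receives the same value). Committed this way the original `index.php` keys are lost and every installation would render links carrying a stale, publicly visible session id; the lines should be restored to their previous form without the `?sessionid=` parameter, and the setup session that produced it should be treated as exposed.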


@ -230,6 +230,7 @@
<select name="newsettings[auto_create_acct]">
<option value="">{lang_No}</option>
<option value="True"{selected_auto_create_acct_True}>{lang_Yes}</option>
<option value="lowercase"{selected_auto_create_acct_lowercase}>{lang_Yes,_with lowercase_usernames}</option>
</select>
</td>
</tr>
@ -341,10 +342,25 @@
</td>
</tr>
<tr class="row_on">
<tr class="row_off">
<td colspan="2">&nbsp;</td>
</tr>
<tr class="th">
<td colspan="2"><b>{lang_If_using_ADS_(Active_Directory)_authentication}:</b></td>
</tr>
<tr class="row_off">
<td>{lang_Host/IP_Domain_controler}:</td>
<td><input name="newsettings[ads_host]" value="{value_ads_host}" size="40"></td>
</tr>
<tr class="row_on">
<td>{lang_Domain_name}:</td>
<td><input name="newsettings[ads_domain]" value="{value_ads_domain}" size="40"></td>
</tr>
<tr class="row_off">
<td colspan="2">&nbsp;</td>
</tr>
<tr class="th">
<td colspan="2"><b>{lang_Mcrypt_settings_(requires_mcrypt_PHP_extension)}</b></td>