From fde8fc7b27aa9019745c310131054a3907906c0c Mon Sep 17 00:00:00 2001 From: Ralf Becker Date: Sat, 15 Nov 2008 10:54:39 +0000 Subject: [PATCH] CAS (Central Authentication Service) login for eGroupware --- login.php | 111 +++++++++++++++------ logout.php | 149 +++++++++++++++------------- phpgwapi/inc/class.auth_cas.inc.php | 67 +++++++++++++ setup/lang/egw_de.lang | 11 ++ setup/lang/egw_en.lang | 11 ++ setup/lang/egw_fr.lang | 12 +++ setup/templates/default/config.tpl | 50 ++++++++++ 7 files changed, 312 insertions(+), 99 deletions(-) create mode 100644 phpgwapi/inc/class.auth_cas.inc.php diff --git a/login.php b/login.php index 6c509a2e01..2e8c93a1e8 100755 --- a/login.php +++ b/login.php 
@@ -1,40 +1,92 @@ * - * Joseph Engo * - * -------------------------------------------- * - * This program is free software; you can redistribute it and/or modify it * - * under the terms of the GNU General Public License as published by the * - * Free Software Foundation; either version 2 of the License, or (at your * - * option) any later version. * - \**************************************************************************/ +/** + * eGroupWare - Login + * + * @link http://www.egroupware.org + * @author Dan Kuykendall + * @author Joseph Engo + * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License + * @package api + * @subpackage authentication + * @version $Id$ + */ - /* $Id$ */ +$submit = False; // set to some initial value - $submit = False; // set to some initial value +$GLOBALS['egw_info'] = array('flags' => array( + 'disable_Template_class' => True, + 'login' => True, + 'currentapp' => 'login', +)); - $GLOBALS['egw_info'] = array('flags' => array( - 'disable_Template_class' => True, - 'login' => True, - 'currentapp' => 'login', - )); - - if(file_exists('./header.inc.php')) - { - include('./header.inc.php'); - if(!function_exists('CreateObject')) - { - Header('Location: setup/index.php'); - exit; - } - } - else +if(file_exists('./header.inc.php')) +{ + include('./header.inc.php'); + if(!function_exists('CreateObject')) { Header('Location: setup/index.php'); exit; } +} +else +{ + Header('Location: setup/index.php'); + exit; +} + +// CAS : +if($GLOBALS['egw_info']['server']['auth_type'] == 'cas') +{ + ob_end_clean(); + + require_once('CAS/CAS.php'); + + //phpCAS::setDebug('/var/log/log_phpcas.php'); + + if($GLOBALS['egw_info']['server']['cas_authentication_mode'] == 'Proxy') + { + phpCAS::proxy(CAS_VERSION_2_0, + $GLOBALS['egw_info']['server']['cas_server_host_name'], + (int) $GLOBALS['egw_info']['server']['cas_server_port'], + $GLOBALS['egw_info']['server']['cas_server_uri'] ); + } + else + { + 
phpCAS::client(CAS_VERSION_2_0,
+ $GLOBALS['egw_info']['server']['cas_server_host_name'],
+ (int) $GLOBALS['egw_info']['server']['cas_server_port'],
+ $GLOBALS['egw_info']['server']['cas_server_uri'] );
+ }
+
+ if($GLOBALS['egw_info']['server']['cas_ssl_validation'] == 'PEMCertificate')
+ {
+ // Set the certificate of the CAS server (PEM Certificate)
+ phpCAS::setCasServerCert($GLOBALS['egw_info']['server']['cas_cert']);
+ }
+ elseif($GLOBALS['egw_info']['server']['cas_ssl_validation'] == 'CACertificate')
+ {
+ // Set the CA certificate of the CAS server
+ phpCAS::setCasServerCACert($GLOBALS['egw_info']['server']['cas_cert']);
+ }
+ elseif($GLOBALS['egw_info']['server']['cas_ssl_validation'] == 'No')
+ {
+ // no SSL validation for the CAS server
+ phpCAS::setNoCasServerValidation();
+ }
+
+ phpCAS::forceAuthentication();
+
+ ob_start();
+
+ $login = phpCAS::getUser();
+ $password = phpCAS::retrievePT("imap://".$GLOBALS['egw_info']['server']['mail_server'],$err_code,$output);
+ $GLOBALS['sessionid'] = $GLOBALS['egw']->session->create($login,$password,'text','u');
+
+ /* set auth_cookie */
+ $GLOBALS['egw']->redirect_link($forward,$extra_vars);
+}
+else
+{
 $GLOBALS['egw_info']['server']['template_dir'] = EGW_SERVER_ROOT . '/phpgwapi/templates/' . $GLOBALS['egw_info']['login_template_set'];
 // read the images from the login-template-set, not the (maybe not even set) users template-set
@@ -345,3 +397,4 @@
 }
 $GLOBALS['egw']->framework->login_screen($extra_vars);
+}
diff --git a/logout.php b/logout.php
index 27c0e72555..423425023d 100755
--- a/logout.php
+++ b/logout.php
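Review bot: The result of `$GLOBALS['sessionid'] = $GLOBALS['egw']->session->create($login,$password,'text','u');` is never checked before `redirect_link()` runs, so a user that CAS accepts but eGroupware does not (no account, disabled account, auto-create off) is redirected with a false session id — presumably straight back to this page, where `phpCAS::forceAuthentication()` succeeds again and no error is ever shown. Add `if (!$GLOBALS['sessionid']) { /* CAS ok but no eGroupware session: show the login error page instead of redirecting */ }` before the redirect; note that `$forward` and `$extra_vars` are undefined in this branch (the non-CAS code that would set them is outside the hunk, and the `else {` opened at the end is only closed by the second hunk). The `'No'` branch should carry a comment such as `// WARNING: disables TLS verification of the CAS server - a network attacker can forge ticket-validation responses; test setups only`, and a cas_ssl_validation value matching none of the three branches currently falls through silently to whatever phpCAS's default is, which should be an explicit configuration error. `phpCAS::retrievePT()` is only meaningful after `phpCAS::proxy()`, so in the client mode `$password` will most likely be false and `$err_code`/`$output` are thrown away; at minimum log `$err_code` when the call fails.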
@@ -1,77 +1,86 @@ * - * -------------------------------------------- * - * This program is free software; you can redistribute it and/or modify it * - * under the terms of the GNU General Public License as published by the * - * Free Software Foundation; either version 2 of the License, or (at your * - * option) any later version. * - \**************************************************************************/ +/** + * eGroupWare - Logout + * + * @link http://www.egroupware.org + * @author Joseph Engo + * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License + * @package api + * @subpackage authentication + * @version $Id$ + */ - /* $Id$ */ +$GLOBALS['egw_info'] = array( + 'flags' => array( + 'disable_Template_class' => True, + 'currentapp' => 'logout', + 'noheader' => True, + 'nofooter' => True, + 'nonavbar' => True + ) +); +include('./header.inc.php'); - $GLOBALS['egw_info'] = array( - 'flags' => array( - 'disable_Template_class' => True, - 'currentapp' => 'logout', - 'noheader' => True, - 'nofooter' => True, - 'nonavbar' => True - ) - ); - include('./header.inc.php'); +$GLOBALS['sessionid'] = get_var('sessionid',array('GET','COOKIE')); +$GLOBALS['kp3'] = get_var('kp3',array('GET','COOKIE')); - $GLOBALS['sessionid'] = get_var('sessionid',array('GET','COOKIE')); - $GLOBALS['kp3'] = get_var('kp3',array('GET','COOKIE')); +$verified = $GLOBALS['egw']->session->verify(); - $verified = $GLOBALS['egw']->session->verify(); +if(!$redirectTarget = $GLOBALS['egw']->session->appsession('referer', 'login')) +{ + $redirectTarget = $GLOBALS['egw_info']['server']['webserver_url'].'/login.php?cd=1&domain='.$GLOBALS['egw_info']['user']['domain']; +} - if(!$redirectTarget = $GLOBALS['egw']->session->appsession('referer', 'login')) +if($verified) +{ + $GLOBALS['egw']->hooks->process('logout'); + $GLOBALS['egw']->session->destroy($GLOBALS['sessionid'],$GLOBALS['kp3']); +} +else +{ + if(is_object($GLOBALS['egw']->log)) { - $redirectTarget = 
$GLOBALS['egw_info']['server']['webserver_url'].'/login.php?cd=1&domain='.$GLOBALS['egw_info']['user']['domain'];
+ $GLOBALS['egw']->log->write(array(
+ 'text' => 'W-VerifySession, could not verify session during logout',
+ 'line' => __LINE__,
+ 'file' => __FILE__
+ ));
 }
+}
+$GLOBALS['egw']->session->egw_setcookie('eGW_remember','',0,'/');
+$GLOBALS['egw']->session->egw_setcookie('sessionid');
+$GLOBALS['egw']->session->egw_setcookie('kp3');
+$GLOBALS['egw']->session->egw_setcookie('domain');
- if($verified)
- {
- $GLOBALS['egw']->hooks->process('logout');
- $GLOBALS['egw']->session->destroy($GLOBALS['sessionid'],$GLOBALS['kp3']);
- }
- else
- {
- if(is_object($GLOBALS['egw']->log))
- {
- $GLOBALS['egw']->log->write(array(
- 'text' => 'W-VerifySession, could not verify session during logout',
- 'line' => __LINE__,
- 'file' => __FILE__
- ));
- }
- }
- $GLOBALS['egw']->session->egw_setcookie('eGW_remember','',0,'/');
- $GLOBALS['egw']->session->egw_setcookie('sessionid');
- $GLOBALS['egw']->session->egw_setcookie('kp3');
- $GLOBALS['egw']->session->egw_setcookie('domain');
+if($GLOBALS['egw_info']['server']['auth_type'] == 'cas')
+{
+ require_once('CAS/CAS.php');
- // $GLOBALS['egw']->redirect($redirectTarget);
+ phpCAS::client(CAS_VERSION_2_0,
+ $GLOBALS['egw_info']['server']['cas_server_host_name'],
+ (int) $GLOBALS['egw_info']['server']['cas_server_port'],
+ $GLOBALS['egw_info']['server']['cas_server_uri'] );
+ phpCAS::logout($GLOBALS['egw_info']['server']['webserver_url'].'/login.php?cd=1&domain='.$GLOBALS['egw_info']['user']['domain']);
+}
+
+// $GLOBALS['egw']->redirect($redirectTarget);
 ?>
diff --git a/phpgwapi/inc/class.auth_cas.inc.php b/phpgwapi/inc/class.auth_cas.inc.php
new file mode 100644
index 0000000000..b8df74a4ce
--- /dev/null
+++ b/phpgwapi/inc/class.auth_cas.inc.php
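Review bot: The phpCAS client built here for `phpCAS::logout(...)` is configured differently from the one in login.php (no cas_authentication_mode or cas_ssl_validation handling), so the two copies of the host/port/uri block will drift apart; moving the client construction into one shared helper (class.auth_cas is the natural home) and calling it from both scripts keeps them in step. Depending on the phpCAS version bundled as CAS/CAS.php, `phpCAS::logout()` with a bare URL string may be the deprecated form and `phpCAS::logoutWithRedirectService($url)` the supported one — worth confirming against that file. This also only covers user-initiated logout: a server-initiated CAS single-logout request, if phpCAS handles it at all, would end the PHP session but not the eGroupware session carried in the `sessionid`/`kp3` cookies, so a comment such as `// NOTE: CAS single logout (server-initiated) is not handled; only an eGroupware-side logout reaches phpCAS::logout()` would spare the next maintainer a surprise.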
@@ -0,0 +1,67 @@
+accounts->name2id($username,'account_lid','u')) &&
+ $GLOBALS['egw_info']['server']['auto_create_acct'])
+ {
+ // create a global array with all availible info about that account
+ $GLOBALS['auto_create_acct'] = array();
+ foreach(array(
+ 'givenname' => 'firstname',
+ 'sn' => 'lastname',
+ 'uidnumber' => 'id',
+ 'mail' => 'email',
+ 'gidnumber' => 'primary_group',
+ ) as $ldap_name => $acct_name)
+ {
+ $GLOBALS['auto_create_acct'][$acct_name] = $GLOBALS['egw']->translation->convert($allValues[0][$ldap_name][0],'utf-8');
+ }
+ return True;
+ }
+ return $id && $GLOBALS['egw']->accounts->id2name($id,'account_status') == 'A' && phpCAS::checkAuthentication();
+ }
+ return phpCAS::checkAuthentication();
+ }
+
+ /**
+ * changes password in CAS
+ *
+ * @param string $old_passwd must be cleartext or empty to not to be checked
+ * @param string $new_passwd must be cleartext
+ * @param int $account_id account id of user whose passwd should be changed
+ * @return boolean true if password successful changed, false otherwise
+ */
+ function change_password($old_passwd, $new_passwd, $account_id=0)
+ {
+ /* Not allowed */
+ return false;
+ }
+}
\ No newline at end of file
diff --git a/setup/lang/egw_de.lang b/setup/lang/egw_de.lang
index 75178f0860..1dcec8e09a 100644
--- a/setup/lang/egw_de.lang
+++ b/setup/lang/egw_de.lang
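Review bot: Nothing in `authenticate()` binds `$username` to the identity CAS actually asserted: the existing-account path only requires `phpCAS::checkAuthentication()` to be true, and the auto-create path does `return True;` without consulting phpCAS at all, so once any CAS login is present in the PHP session the method succeeds for any active account name (and, with auto_create_acct on, for any name whatsoever) — harmless for login.php, which passes `phpCAS::getUser()`, but not for any other caller that forwards a client-supplied username. Change the two returns to `return phpCAS::checkAuthentication() && phpCAS::getUser() == $username;` in the auto-create branch and `return $id && $GLOBALS['egw']->accounts->id2name($id,'account_status') == 'A' && phpCAS::checkAuthentication() && phpCAS::getUser() == $username;` for existing accounts (mind case-folding if account_lid is compared case-insensitively elsewhere). `$allValues[0][$ldap_name][0]` is never assigned in the visible part of the method (this loop looks copied from the LDAP auth class), so every auto-created account would get empty firstname/lastname/id/email/primary_group unless it is populated in the cut-off start of the method. The method's opening, including the condition the final `return phpCAS::checkAuthentication();` belongs to, lies outside the hunk.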
@@ -75,6 +75,7 @@ at your request, this script is going to take the evil action of uninstalling al attempt to use correct mimetype for ftp instead of default 'application/octet-stream' setup de Soll versucht werden den korrekten MIME-typ für FTP zu verwenden statt dem Vorgabewert "application/octet-stream" authentication / accounts setup de Authentifizierung / Benutzerkonten authentication type for application setup de Authentifizierungstyp für die Anwendung +authentification mode: setup de Art der Authentifizierung: auto create account records for authenticated users setup de Benutzerkonten für authentifizierte Benutzer automatisch anlegen auto login anonymous user setup de Anonymen Benutzer automatisch einlogen auto-created user accounts expire setup de Automatisch angelegte Benutzerkonten laufen ab in @@ -103,12 +104,17 @@ because of a failed upgrade, or the database is newer than the installed version because the enable flag for this app is set to 0, or is undefined setup de weil der verfügbar-Eintrag für diese Applikation auf 0 gesetzt oder undefiniert ist bottom setup de unten but we highly recommend backing up your tables in case the script causes damage to your data.
these automated scripts can easily destroy your data. setup de Aber wir raten Ihnen dringend, eine Sicherungskopie anzulegen für den Fall, dass dieses Skript Ihre bestehenden Daten beschädigt!
Diese automatisierten Skripts können leicht Ihre Daten beschädigen!. +ca certificate setup de CA Zertifikat can not connect to %1 database %2 on host %3 using user %4! setup de Kann nicht zur %1 Datenbank %2 auf Rechner %3 als Benutzer %4 verbinden! can not connect to ldap server on host %1 using dn %2! setup de Kann nicht zu LDAP Server auf Rechner %1 als DN %2 verbinden! can not create %1 database %2 on %3 for user %4! setup de Kann keine %1 Datenbank %2 auf Rechner %3 für Benutzer %4 anlegen! can not create dn %1! setup de Kann DN %1 nicht anlegen! cancel setup de Abbrechen cannot create the header.inc.php due to file permission restrictions.
instead you can %1 or %2 the file. setup de Kann die Datei header.inc.php wegen unzureichenden Zugriffsrechten nicht erzeugen.
Stattdessen können Sie die Datei %1 oder %2. +cas server host name:
example: sso-cas.univ-rennes1.fr setup de CAS Server Host Name: (z.B.: sso-cas-univ-rennes1.fr): +cas server port:
example: 443 setup de CAS Server Port (zB. 443): +cas server uri: setup de CAS Server URI: +certificate (pem or ca): setup de Zertifikat (PEM oder CA): change system-charset setup de Systemzeichensatz wechseln charset setup de utf-8 charset to convert to setup de Zeichensatz in den konvertiert werden soll @@ -291,6 +297,7 @@ if no acl records for user or any group the user is a member of setup de Wenn es if safe_mode is turned on, egw is not able to change certain settings on runtime, nor can we load any not yet loaded module. setup de Wenn safe_mode eingeschaltet ist, kann eGW verschiedene Einstellungen nicht mehr zur Laufzeit ändern, noch können wir nicht geladene Erweiterungen (php extensions) laden. if the application has no defined tables, selecting upgrade should remedy the problem setup de Wenn die Anwendung keine definierten Tabellen hat, wählen Sie überarbeiten. Das Problem sollte damit behoben werden. if using ads (active directory) authentication setup de Wenn Sie ADS (Active Directory) Authentifizierung benutzen +if using cas (central authentication service): setup de Wenn Sie CAS (Central Authentication Service) benutzen if using ldap setup de Wenn Sie LDAP verwenden if using ldap, do you want to manage homedirectory and loginshell attributes? setup de Wenn Sie LDAP verwenden, wollen Sie Benutzerverzeichnisse und Komandointerpreter verwalten ? if you can only access the docroot choose database for where to store the file content and use same path as for temporary files. setup de Wenn Sie nur die Documentroot erreichen können, wählen Sie bei Inhalt von Dateien speichern Datenbank UND benutzern Sie hier den Pfad für temporäre Dateien. 
@@ -412,7 +419,10 @@ path to various directories: have to exist and be writeable by the webserver set pear (%1) is a php repository and is usually in a package called %2. setup de PEAR (%1) ist eine PHP Sammlung und ist überlicherweise in einem Packet namens %2. pear extensions are required by many egroupware applications, pear itself is the required basis for each extension! setup de PEAR Erweiterungen werden von vielen eGroupware Anwendungen benötigt, PEAR selbst ist die Basis für diese Erweiterungen! pear%1 is needed by: %2. setup de PEAR%1 wird benötigt von: %2. +pem certificate setup de PEM Zertifikat persistent connections setup de Permanente Verbindungen +php client setup de PHP Klient +php proxy setup de PHP Proxy php session handler enabled in php.ini setup de PHP Sitzungshandler aus der php.ini please check for sql scripts within the application's directory setup de Bitte suchen Sie ein SQL Skript im Verzeichnis der Anwendung please check read/write permissions on directories, or back up and use another option. setup de Bitte überprüfen Sie die Lese/Schreib-Rechte der Verzeichnisse oder gehen Sie zurück und benutzen eine andere Option. @@ -500,6 +510,7 @@ smtp server port setup de SMTP Server Port some or all of its tables are missing setup de Einige oder alle Tabellen fehlen sources deleted/missing setup de Quellen gelöscht/fehlen sql encryption type setup de SQL-Verschlüsselungstyp für das Passwort (Vorgabe MD5) +ssl validation: setup de SSL Validierung: standard (login-name identical to egroupware user-name) setup de Standard (Loginname identisch zu eGroupWare Benutzername) standard mailserver settings (used for mail authentication too) setup de Standard Mailserver Einstellungen (werden auch für die Mail Authentifizierung benutzt) standard, as defined above setup de Standard, wie darüber definiert diff --git a/setup/lang/egw_en.lang b/setup/lang/egw_en.lang index dd34f98585..9d95a70953 100644 --- a/setup/lang/egw_en.lang +++ b/setup/lang/egw_en.lang 
@@ -75,6 +75,7 @@ at your request, this script is going to take the evil action of uninstalling al attempt to use correct mimetype for ftp instead of default 'application/octet-stream' setup en Attempt to use correct mimetype for FTP instead of default 'application/octet-stream' authentication / accounts setup en Authentication / Accounts authentication type for application setup en Authentication type for application +authentification mode: setup en Authentification mode: auto create account records for authenticated users setup en Auto create account records for authenticated users auto login anonymous user setup en Auto login anonymous user auto-created user accounts expire setup en Auto-created user accounts expire @@ -103,12 +104,17 @@ because of a failed upgrade, or the database is newer than the installed version because the enable flag for this app is set to 0, or is undefined setup en because the enable flag for this app is set to 0, or is undefined bottom setup en bottom but we highly recommend backing up your tables in case the script causes damage to your data.
these automated scripts can easily destroy your data. setup en but we highly recommend backing up your tables in case the script causes damage to your data.
These automated scripts can easily destroy your data. +ca certificate setup en CA certificate can not connect to %1 database %2 on host %3 using user %4! setup en Can not connect to %1 database %2 on host %3 using user %4! can not connect to ldap server on host %1 using dn %2! setup en Can not connect to LDAP server on host %1 using DN %2! can not create %1 database %2 on %3 for user %4! setup en Can not create %1 database %2 on %3 for user %4! can not create dn %1! setup en Can not create DN %1! cancel setup en Cancel cannot create the header.inc.php due to file permission restrictions.
instead you can %1 or %2 the file. setup en Cannot create the header.inc.php due to file permission restrictions.
Instead you can %1 or %2 the file. +cas server host name:
example: sso-cas.univ-rennes1.fr setup en cas server host name:
example: sso-cas.univ-rennes1.fr +cas server port:
example: 443 setup en cas server port:
Example: 443 +cas server uri: setup en cas server uri: +certificate (pem or ca): setup en Certificate (PEM or CA): change system-charset setup en Change system-charset charset setup en utf-8 charset to convert to setup en Charset to convert to @@ -289,6 +295,7 @@ if no acl records for user or any group the user is a member of setup en If no A if safe_mode is turned on, egw is not able to change certain settings on runtime, nor can we load any not yet loaded module. setup en If safe_mode is turned on, eGW is not able to change certain settings on runtime, nor can we load any not yet loaded module. if the application has no defined tables, selecting upgrade should remedy the problem setup en If the application has no defined tables, selecting upgrade should remedy the problem if using ads (active directory) authentication setup en If using ADS (Active Directory) authentication +if using cas (central authentication service): setup en if using cas (Central Authentication Service): if using ldap setup en If using LDAP if using ldap, do you want to manage homedirectory and loginshell attributes? setup en If using LDAP, do you want to manage homedirectory and loginshell attributes? if you can only access the docroot choose database for where to store the file content and use same path as for temporary files. setup en If you can only access the docroot choose Database for where to store the file content AND use same path as for temporary files. 
@@ -410,7 +417,10 @@ path to various directories: have to exist and be writeable by the webserver set pear (%1) is a php repository and is usually in a package called %2. setup en PEAR (%1) is a PHP repository and is usually in a package called %2. pear extensions are required by many egroupware applications, pear itself is the required basis for each extension! setup en PEAR extensions are required by many eGroupware applications, PEAR itself is the required basis for each extension! pear%1 is needed by: %2. setup en PEAR%1 is needed by: %2. +pem certificate setup en PEM certificate persistent connections setup en Persistent connections +php client setup en PHP client +php proxy setup en PHP proxy php session handler enabled in php.ini setup en PHP session handler enabled in php.ini please check for sql scripts within the application's directory setup en Please check for sql scripts within the application's directory please check read/write permissions on directories, or back up and use another option. setup en Please check read/write permissions on directories, or back up and use another option. @@ -498,6 +508,7 @@ smtp server port setup en SMTP server port some or all of its tables are missing setup en Some or all of its tables are missing sources deleted/missing setup en Sources deleted/missing sql encryption type setup en SQL encryption type for passwords (default - md5) +ssl validation: setup en SSL validation: standard (login-name identical to egroupware user-name) setup en standard (login-name identical to eGroupWare user-name) standard mailserver settings (used for mail authentication too) setup en Standard mailserver settings (used for Mail authentication too) standard, as defined above setup en Standard, as defined above diff --git a/setup/lang/egw_fr.lang b/setup/lang/egw_fr.lang index 5c7afd1cbb..f55587c5bf 100644 --- a/setup/lang/egw_fr.lang +++ b/setup/lang/egw_fr.lang 
@@ -638,3 +638,15 @@ your tables will be dropped and you will lose data setup fr Vos tables seront su your temporary directory '%1' %2 setup fr Votre répertoire temporaire '%1' %2 {db | php(default) | php-restore} setup fr {db | php(par défaut) | php-restore} {off(default) | on} setup fr {off(par défaut) | on} +authentification mode: setup fr Mode d'authentification : +ca certificate setup fr Certificat CA +cas server host name:
example: sso-cas.univ-rennes1.fr setup fr Nom du serveur CAS hôte :
Exemple : sso-cas.univ-rennes1.fr +cas server port:
Example: 443 setup fr Port du serveur CAS :
Exemple : 443 +cas server uri: setup fr URI du serveur CAS : +certificate (pem or ca): setup fr Certificat (PEM ou CA) : +if using cas (central authentication service): setup fr Si vous utilisez l'authentification CAS (Central Authentication Service) : +pem certificate setup fr Certificat PEM +php client setup fr php Client +php proxy setup fr php Proxy +ssl validation: setup fr Validation SSL : + diff --git a/setup/templates/default/config.tpl b/setup/templates/default/config.tpl index 624fab541b..60865ee78e 100644 --- a/setup/templates/default/config.tpl +++ b/setup/templates/default/config.tpl @@ -216,6 +216,7 @@ + @@ -464,6 +465,55 @@ + + {lang_If_using_CAS_(Central_Authentication_Service):} + + + + {lang_CAS_server_host_name:
Example:_sso-cas.univ-rennes1.fr} + + + + + {lang_CAS_server_port:
Example:_443} + + + + + {lang_CAS_server_uri:} + + + + + {lang_Authentification_mode:} + + + + + + + {lang_SSL_validation:} + + + + + + + {lang_Certificate_(PEM_or_CA):} + + + + +   + + {lang_If_using_ADS_(Active_Directory)_authentication}: