Rev 1288 | Rev 1305 | Go to most recent revision | Show entire file | Ignore whitespace | Details | Blame | Last modification | View Log | RSS feed
| Rev 1288 | Rev 1293 | ||
|---|---|---|---|
| Line 115... | Line 115... | ||
| 115 | } |
115 | } |
| 116 | return -1; |
116 | return -1; |
| 117 | } |
117 | } |
| 118 | 118 | ||
| 119 | /** |
119 | /** |
| 120 | * @param string $actionID |
- | |
| 121 | * @param array $params |
120 | * @param array $params |
| 122 | * @return array |
121 | * @return array |
| 123 | * @throws OIDplusConfigInitializationException |
122 | * @throws OIDplusConfigInitializationException |
| 124 | * @throws OIDplusException |
123 | * @throws OIDplusException |
| 125 | */ |
124 | */ |
| 126 | public function action(string $actionID, array $params): array { |
125 | private function action_Login(array $params): array { |
| 127 | if ($actionID == 'ra_login_ldap') { |
- | |
| 128 | if (!OIDplus::baseConfig()->getValue('LDAP_ENABLED', false)) { |
126 | if (!OIDplus::baseConfig()->getValue('LDAP_ENABLED', false)) { |
| 129 | throw new OIDplusException(_L('LDAP authentication is disabled on this system.')); |
127 | throw new OIDplusException(_L('LDAP authentication is disabled on this system.')); |
| 130 | } |
128 | } |
| 131 | 129 | ||
| 132 | if (!function_exists('ldap_connect')) throw new OIDplusConfigInitializationException(_L('PHP extension "%1" not installed','LDAP')); |
130 | if (!function_exists('ldap_connect')) throw new OIDplusConfigInitializationException(_L('PHP extension "%1" not installed','LDAP')); |
| 133 | 131 | ||
| 134 | OIDplus::getActiveCaptchaPlugin()->captchaVerify($params, 'captcha'); |
132 | OIDplus::getActiveCaptchaPlugin()->captchaVerify($params, 'captcha'); |
| 135 | 133 | ||
| 136 | _CheckParamExists($params, 'email'); |
134 | _CheckParamExists($params, 'email'); |
| 137 | _CheckParamExists($params, 'password'); |
135 | _CheckParamExists($params, 'password'); |
| 138 | 136 | ||
| 139 | $upn = $params['email']; |
137 | $upn = $params['email']; |
| 140 | $password = $params['password']; |
138 | $password = $params['password']; |
| 141 | 139 | ||
| 142 | $domainNumber = $this->getDomainNumber($upn); |
140 | $domainNumber = $this->getDomainNumber($upn); |
| 143 | if ($domainNumber <= 0) { |
141 | if ($domainNumber <= 0) { |
| 144 | throw new OIDplusException(_L('The server is not configured to handle this domain (the part behind the at-sign)')); |
142 | throw new OIDplusException(_L('The server is not configured to handle this domain (the part behind the at-sign)')); |
| 145 | } |
143 | } |
| 146 | $cfgSuffix = $domainNumber == 1 ? '' : "__$domainNumber"; |
144 | $cfgSuffix = $domainNumber == 1 ? '' : "__$domainNumber"; |
| 147 | 145 | ||
| 148 | if (empty($upn)) { |
146 | if (empty($upn)) { |
| 149 | throw new OIDplusException(_L('Please enter a valid username')); |
147 | throw new OIDplusException(_L('Please enter a valid username')); |
| 150 | } |
148 | } |
| 151 | 149 | ||
| 152 | $ldap = new \VtsLDAPUtils(); |
150 | $ldap = new \VtsLDAPUtils(); |
| 153 | 151 | ||
| 154 | try { |
152 | try { |
| 155 | 153 | ||
| 156 | $cfg_ldap_server = OIDplus::baseConfig()->getValue('LDAP_SERVER'.$cfgSuffix); |
154 | $cfg_ldap_server = OIDplus::baseConfig()->getValue('LDAP_SERVER'.$cfgSuffix); |
| 157 | $cfg_ldap_port = OIDplus::baseConfig()->getValue('LDAP_PORT'.$cfgSuffix, 389); |
155 | $cfg_ldap_port = OIDplus::baseConfig()->getValue('LDAP_PORT'.$cfgSuffix, 389); |
| 158 | $cfg_ldap_base_dn = OIDplus::baseConfig()->getValue('LDAP_BASE_DN'.$cfgSuffix); |
156 | $cfg_ldap_base_dn = OIDplus::baseConfig()->getValue('LDAP_BASE_DN'.$cfgSuffix); |
| 159 | 157 | ||
| 160 | // Note: Will throw an Exception if connect fails |
158 | // Note: Will throw an Exception if connect fails |
| 161 | $ldap->connect($cfg_ldap_server, $cfg_ldap_port); |
159 | $ldap->connect($cfg_ldap_server, $cfg_ldap_port); |
| 162 | 160 | ||
| 163 | if (!$ldap->login($upn, $password)) { |
161 | if (!$ldap->login($upn, $password)) { |
| 164 | if (OIDplus::config()->getValue('log_failed_ra_logins', false)) { |
162 | if (OIDplus::config()->getValue('log_failed_ra_logins', false)) { |
| 165 | OIDplus::logger()->log("V2:[WARN]A", "Failed login to RA account '%1' using LDAP", $upn); |
163 | OIDplus::logger()->log("V2:[WARN]A", "Failed login to RA account '%1' using LDAP", $upn); |
| 166 | } |
- | |
| 167 | throw new OIDplusException(_L('Wrong password or user not registered')); |
- | |
| 168 | } |
164 | } |
| - | 165 | throw new OIDplusException(_L('Wrong password or user not registered')); |
|
| - | 166 | } |
|
| 169 | 167 | ||
| 170 | $ldap_userinfo = $ldap->getUserInfo($upn, $cfg_ldap_base_dn); |
168 | $ldap_userinfo = $ldap->getUserInfo($upn, $cfg_ldap_base_dn); |
| 171 | 169 | ||
| 172 | if (!$ldap_userinfo) { |
170 | if (!$ldap_userinfo) { |
| 173 | throw new OIDplusException(_L('The LDAP login was successful, but the own user %1 cannot be found. Please check the base configuration setting %2 and %3', $upn, "LDAP_BASE_DN$cfgSuffix", "LDAP_UPN_SUFFIX$cfgSuffix")); |
171 | throw new OIDplusException(_L('The LDAP login was successful, but the own user %1 cannot be found. Please check the base configuration setting %2 and %3', $upn, "LDAP_BASE_DN$cfgSuffix", "LDAP_UPN_SUFFIX$cfgSuffix")); |
| 174 | } |
172 | } |
| 175 | 173 | ||
| 176 | $foundSomething = false; |
174 | $foundSomething = false; |
| 177 | 175 | ||
| 178 | // --- |
176 | // --- |
| 179 | 177 | ||
| 180 | $cfgAdminGroup = OIDplus::baseConfig()->getValue('LDAP_ADMIN_GROUP'.$cfgSuffix,''); |
178 | $cfgAdminGroup = OIDplus::baseConfig()->getValue('LDAP_ADMIN_GROUP'.$cfgSuffix,''); |
| 181 | if (!empty($cfgAdminGroup)) { |
179 | if (!empty($cfgAdminGroup)) { |
| 182 | $isAdmin = $ldap->isMemberOfRec($ldap_userinfo, $cfgAdminGroup); |
180 | $isAdmin = $ldap->isMemberOfRec($ldap_userinfo, $cfgAdminGroup); |
| 183 | } else { |
181 | } else { |
| 184 | $isAdmin = false; |
182 | $isAdmin = false; |
| 185 | } |
183 | } |
| 186 | if ($isAdmin) { |
184 | if ($isAdmin) { |
| 187 | $foundSomething = true; |
185 | $foundSomething = true; |
| 188 | $remember_me = isset($params['remember_me']) && ($params['remember_me']); |
186 | $remember_me = isset($params['remember_me']) && ($params['remember_me']); |
| 189 | OIDplus::authUtils()->adminLoginEx($remember_me, 'LDAP login'); |
187 | OIDplus::authUtils()->adminLoginEx($remember_me, 'LDAP login'); |
| 190 | } |
188 | } |
| 191 | 189 | ||
| 192 | // --- |
190 | // --- |
| 193 | 191 | ||
| 194 | $cfgRaGroup = OIDplus::baseConfig()->getValue('LDAP_RA_GROUP'.$cfgSuffix,''); |
192 | $cfgRaGroup = OIDplus::baseConfig()->getValue('LDAP_RA_GROUP'.$cfgSuffix,''); |
| 195 | if (!empty($cfgRaGroup)) { |
193 | if (!empty($cfgRaGroup)) { |
| 196 | $isRA = $ldap->isMemberOfRec($ldap_userinfo, $cfgRaGroup); |
194 | $isRA = $ldap->isMemberOfRec($ldap_userinfo, $cfgRaGroup); |
| 197 | } else { |
195 | } else { |
| 198 | $isRA = true; |
196 | $isRA = true; |
| - | 197 | } |
|
| - | 198 | if ($isRA) { |
|
| - | 199 | if (OIDplus::baseConfig()->getValue('LDAP_AUTHENTICATE_UPN'.$cfgSuffix,true)) { |
|
| - | 200 | $mail = \VtsLDAPUtils::getString($ldap_userinfo, 'userprincipalname'); |
|
| - | 201 | $foundSomething = true; |
|
| - | 202 | $remember_me = isset($params['remember_me']) && ($params['remember_me']); |
|
| - | 203 | $this->doLoginRA($remember_me, $mail, $ldap_userinfo); |
|
| 199 | } |
204 | } |
| 200 | if ($isRA) { |
- | |
| 201 | if (OIDplus::baseConfig()->getValue('LDAP_AUTHENTICATE_UPN'.$cfgSuffix,true)) { |
205 | if (OIDplus::baseConfig()->getValue('LDAP_AUTHENTICATE_EMAIL'.$cfgSuffix,false)) { |
| 202 | $mail = \VtsLDAPUtils::getString($ldap_userinfo, 'userprincipalname'); |
206 | $mails = \VtsLDAPUtils::getArray($ldap_userinfo, 'mail'); |
| - | 207 | foreach ($mails as $mail) { |
|
| 203 | $foundSomething = true; |
208 | $foundSomething = true; |
| 204 | $remember_me = isset($params['remember_me']) && ($params['remember_me']); |
209 | $remember_me = isset($params['remember_me']) && ($params['remember_me']); |
| 205 | $this->doLoginRA($remember_me, $mail, $ldap_userinfo); |
210 | $this->doLoginRA($remember_me, $mail, $ldap_userinfo); |
| 206 | } |
211 | } |
| 207 | if (OIDplus::baseConfig()->getValue('LDAP_AUTHENTICATE_EMAIL'.$cfgSuffix,false)) { |
- | |
| 208 | $mails = \VtsLDAPUtils::getArray($ldap_userinfo, 'mail'); |
- | |
| 209 | foreach ($mails as $mail) { |
- | |
| 210 | $foundSomething = true; |
- | |
| 211 | $remember_me = isset($params['remember_me']) && ($params['remember_me']); |
- | |
| 212 | $this->doLoginRA($remember_me, $mail, $ldap_userinfo); |
- | |
| 213 | } |
- | |
| 214 | } |
- | |
| 215 | } |
212 | } |
| 216 | - | ||
| 217 | } finally { |
- | |
| 218 | $ldap->disconnect(); |
- | |
| 219 | $ldap = null; |
- | |
| 220 | } |
213 | } |
| 221 | 214 | ||
| - | 215 | } finally { |
|
| - | 216 | $ldap->disconnect(); |
|
| - | 217 | $ldap = null; |
|
| - | 218 | } |
|
| - | 219 | ||
| 222 | if (!$foundSomething) { |
220 | if (!$foundSomething) { |
| 223 | throw new OIDplusException(_L("Error: These credentials cannot be used with OIDplus. Please check the base configuration.")); |
221 | throw new OIDplusException(_L("Error: These credentials cannot be used with OIDplus. Please check the base configuration.")); |
| 224 | } |
222 | } |
| - | 223 | ||
| - | 224 | return array("status" => 0); |
|
| - | 225 | } |
|
| 225 | 226 | ||
| - | 227 | /** |
|
| - | 228 | * @param string $actionID |
|
| - | 229 | * @param array $params |
|
| - | 230 | * @return array |
|
| - | 231 | * @throws OIDplusConfigInitializationException |
|
| - | 232 | * @throws OIDplusException |
|
| - | 233 | */ |
|
| - | 234 | public function action(string $actionID, array $params): array { |
|
| - | 235 | if ($actionID == 'ra_login_ldap') { |
|
| 226 | return array("status" => 0); |
236 | return $this->action_Login($params); |
| 227 | } else { |
237 | } else { |
| 228 | return parent::action($actionID, $params); |
238 | return parent::action($actionID, $params); |
| 229 | } |
239 | } |
| 230 | } |
240 | } |
| 231 | 241 | ||