
commit 8b70421bee71d8188c870ec191b03c100918918e
parent d8ca988bcd3cb69af2a4920ee640acbab49c6af3
Author: Jan Dankert <devnull@localhost>
Date:   Tue,  6 Nov 2012 20:53:55 +0100

Fix: Login mit LDAPUserDNAuth.

Diffstat:
action/LoginAction.class.php | 32++++++++++++++++++--------------
auth/LdapAuth.class.php | 88++++++++++++++++++++++++++++++++++++++++---------------------------------------
auth/LdapUserDNAuth.class.php | 6+++---
auth/include.inc.php | 1+
model/User.class.php | 2+-
5 files changed, 68 insertions(+), 61 deletions(-)

diff --git a/action/LoginAction.class.php b/action/LoginAction.class.php @@ -794,14 +794,16 @@ class LoginAction extends Action { $moduleClass = $module.'Auth'; $auth = new $moduleClass; + Logger::info('Trying a login with module '.$moduleClass); $loginOk = $auth->login( $loginName,$loginPassword ); - if ( $loginOk ) - break; // Login erfolgreich. + if ( $loginOk ) + { + Logger::info('Login successful for '.$loginName); + break; // Login erfolgreich. + } } - $this->setTemplateVar('login_name',$username); - /* $loginOk = $this->checkLogin( $loginName, $loginPassword, @@ -812,23 +814,23 @@ class LoginAction extends Action { // Anmeldung nicht erfolgreich sleep(3); - - if ( $this->mustChangePassword ) - { - // Anmeldung gescheitert, Benutzer muss Kennwort ?ndern. - $this->addNotice('user',$loginName,'LOGIN_FAILED_MUSTCHANGEPASSWORD','error' ); + Logger::debug("Login failed for user '$loginName'"); + + if ( $this->mustChangePassword ) + { + // Anmeldung gescheitert, Benutzer muss Kennwort ?ndern. + $this->addNotice('user',$loginName,'LOGIN_FAILED_MUSTCHANGEPASSWORD','error' ); $this->addValidationError('password1',''); $this->addValidationError('password2',''); } - else + else { - // Anmeldung gescheitert. + // Anmeldung gescheitert. $this->addNotice('user',$loginName,'LOGIN_FAILED','error',array('name'=>$loginName) ); $this->addValidationError('login_name' ,''); - $this->addValidationError('login_password',''); + $this->addValidationError('login_password',''); } - Logger::debug("Login failed for user '$loginName'"); //$this->callSubAction('login'); return; 
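Review bot: The two added `Logger::info` calls write `$loginName`, taken straight from the login form, into the log unencoded, so a name containing CR/LF or other control characters can forge additional log lines; the relocated `Logger::debug("Login failed for user '$loginName'")` in the hunk at line 814 has the same gap. Encode the value before logging, e.g. `Logger::info('Login successful for '.addcslashes($loginName, "\0..\37"));`, or have the Logger do this for every message so the call sites stay simple. A successful login is also now logged twice per request — here and as `Login successful for user` in the hunk at line 839 — so one of the two lines can go. The enclosing method begins before the first hunk.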
@@ -837,11 +839,13 @@ class LoginAction extends Action { Logger::debug("Login successful for user '$loginName'"); + $user = User::loadWithName($loginName); + Session::setUser($user); + // Anmeldung erfolgreich. if ( config('security','renew_session_login') ) $this->recreateSession(); - $user = Session::getUser(); $this->addNotice('user',$user->name,'LOGIN_OK',OR_NOTICE_OK,array('name'=>$user->fullname)); $this->setStyle( $user->style ); diff --git a/auth/LdapAuth.class.php b/auth/LdapAuth.class.php @@ -14,11 +14,11 @@ SELECT * FROM {t_user} WHERE name={name} SQL ); - $sql->setString('name',$this->name); + $sql->setString('name',$username); $row_user = $db->getRow( $sql ); - - Logger::debug( 'checking login via ldap' ); + $userid = $row_user['id']; + $ldap = new Ldap(); $ldap->connect(); @@ -26,7 +26,7 @@ SQL { // Der Benutzername wird im LDAP-Verzeichnis gesucht. // Falls gefunden, wird der DN (=der eindeutige Schl�ssel im Verzeichnis) ermittelt. - $dn = $ldap->searchUser( $this->name ); + $dn = $ldap->searchUser( $username ); if ( empty($dn) ) { @@ -38,7 +38,7 @@ SQL } else { - $dn = str_replace( '{user}',$this->name,$conf['ldap']['dn'] ); + $dn = str_replace( '{user}',$username,$conf['ldap']['dn'] ); } // LDAP-Login versuchen 
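Review bot: `Session::setUser($user)` stores whatever `User::loadWithName($loginName)` returns without checking that a user was actually found, although it is the auth module, not this lookup, that verified the credentials; for an LDAP bind that succeeded for an account with no local row (see the `auto_add` handling in the LdapAuth diff) the following `$user->name` runs on an unloaded object. Check the result before storing it and treat a miss as a failed login, and consider taking the identity from the module's `username()` (visible in the LdapAuth diff) rather than from the form field, which may differ from the verified name in case or surrounding whitespace. Moving the lookup ahead of `recreateSession()` also assumes that call carries the session contents over to the new session id — previously the user was read after it — so that should be confirmed. The method continues past the hunk.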
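Review bot: `$userid = $row_user['id'];` reads the index without checking that `getRow()` found a user, so for a login name unknown to the local table `$userid` is null (with an undefined-index notice) and the `new User( $userid )` in the hunk at line 46 operates on no account; the identical lookup in `LdapUserDNAuth` at line 22 has the same gap. Decide the unknown-user case explicitly, e.g. `if ( empty($row_user) ) return false;` unless `auto_add` is configured, in which case the group synchronisation appears to run before the `save()` in the hunk at line 108 creates the account and needs to be moved after it.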
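Review bot: `$dn = $ldap->searchUser( $username );` and, in the next hunk, `str_replace( '{user}',$username,$conf['ldap']['dn'] )` pass the raw login name into an LDAP search filter and into a DN template without escaping the characters that carry syntax in those contexts, so the entry that ends up being bound is not necessarily the one the typed name denotes. Escape per context before use — `ldap_escape($username, '', LDAP_ESCAPE_DN)` for the DN template and `LDAP_ESCAPE_FILTER` inside `searchUser` on PHP 5.6 or later — or reject names outside the character set the configuration expects. `Ldap::searchUser` is not part of this diff, so the filter side has to be checked there.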
@@ -46,57 +46,59 @@ SQL Logger::debug( 'LDAP bind: '.($ok?'success':'failed') ); - if ( $ok && $conf['security']['authorize']['type'] == 'ldap' ) - { - $sucheAttribut = $conf['ldap']['authorize']['group_name']; - $sucheFilter = str_replace('{dn}',$dn,$conf['ldap']['authorize']['group_filter']); + if ( !$ok ) + return false; - $ldap_groups = $ldap->searchAttribute( $sucheFilter, $sucheAttribut ); - $sql_ldap_groups = "'".implode("','",$ldap_groups)."'"; - - $sql = new Sql( <<<SQL + $sucheAttribut = $conf['ldap']['authorize']['group_name']; + $sucheFilter = str_replace('{dn}',$dn,$conf['ldap']['authorize']['group_filter']); + + $ldap_groups = $ldap->searchAttribute( $sucheFilter, $sucheAttribut ); + $sql_ldap_groups = "'".implode("','",$ldap_groups)."'"; + + $sql = new Sql( <<<SQL SELECT id,name FROM {t_group} WHERE name IN($sql_ldap_groups) ORDER BY name ASC SQL - ); - $oldGroups = $this->getGroupIds(); - $this->groups = $db->getAssoc( $sql ); - - foreach( $this->groups as $groupid=>$groupname) - { - if ( ! in_array($groupid,$oldGroups)) - $this->addGroup($groupid); - } - foreach( $oldGroups as $groupid) - { - if ( !isset($this->groups[$groupid]) ) - $this->delGroup($groupid); - } - - - // Pr�fen, ob Gruppen fehlen. Diese dann ggf. in der OpenRat-Datenbank hinzuf�gen. - if ( $conf['ldap']['authorize']['auto_add'] ) + ); + + $user = new User( $userid ); + $oldGroups = $user->getGroupIds(); + $groups = $db->getAssoc( $sql ); + + foreach( $groups as $groupid=>$groupname) + { + if ( ! in_array($groupid,$oldGroups)) + $this->addGroup($groupid); + } + foreach( $oldGroups as $groupid) + { + if ( !isset($groups[$groupid]) ) + $this->delGroup($groupid); + } + + + // Pr�fen, ob Gruppen fehlen. Diese dann ggf. in der OpenRat-Datenbank hinzuf�gen. + if ( $conf['ldap']['authorize']['auto_add'] ) + { + foreach( $ldap_groups as $group ) { - foreach( $ldap_groups as $group ) + if ( !in_array($group,$this->groups) ) // Gruppe schon da? 
{ - if ( !in_array($group,$this->groups) ) // Gruppe schon da? - { - $g = new Group(); - $g->name = $group; - $g->add(); // Gruppe hinzuf�gen - - $this->groups[$g->groupid] = $group; - } + $g = new Group(); + $g->name = $group; + $g->add(); // Gruppe hinzuf�gen + + $this->groups[$g->groupid] = $group; } } -// Html::debug($this->groups,'Gruppen/Ids des Benutzers'); } + // Html::debug($this->groups,'Gruppen/Ids des Benutzers'); // Verbindung zum LDAP-Server brav beenden $ldap->close(); - if ( $ok && $autoAdd ) + if ( $autoAdd ) { // Falls die Authentifizierung geklappt hat, wird der // LDAP-Account in die Datenbank �bernommen. @@ -106,7 +108,7 @@ SQL $this->save(); } - return $ok; + return true; } public function username() diff --git a/auth/LdapUserDNAuth.class.php b/auth/LdapUserDNAuth.class.php @@ -5,7 +5,7 @@ * * @author Jan Dankert */ -class LdapAuth implements Auth +class LdapUserDNAuth implements Auth { /** @@ -22,7 +22,7 @@ SELECT * FROM {t_user} WHERE name={name} SQL ); - $sql->setString('name',$this->name); + $sql->setString('name',$username); $row_user = $db->getRow( $sql ); @@ -42,7 +42,7 @@ SQL // Benutzer ist bereits in Datenbank // LDAP-Login mit dem bereits vorhandenen DN versuchen - $ok = $ldap->bind( $this->ldap_dn, $password ); + $ok = $ldap->bind( $ldap_dn, $password ); // Verbindung zum LDAP-Server brav beenden $ldap->close(); diff --git a/auth/include.inc.php b/auth/include.inc.php @@ -7,6 +7,7 @@ require_once( OR_AUTHCLASSES_DIR."HttpAuth.class.".PHP_EXT ); require_once( OR_AUTHCLASSES_DIR."IdentAuth.class.".PHP_EXT ); require_once( OR_AUTHCLASSES_DIR."InternalAuth.class.".PHP_EXT ); require_once( OR_AUTHCLASSES_DIR."LdapAuth.class.".PHP_EXT ); +require_once( OR_AUTHCLASSES_DIR."LdapUserDNAuth.class.".PHP_EXT ); require_once( OR_AUTHCLASSES_DIR."OpenIdAuth.class.".PHP_EXT ); require_once( OR_AUTHCLASSES_DIR."PersonasAuth.class.".PHP_EXT ); require_once( OR_AUTHCLASSES_DIR."SingleSignonAuth.class.".PHP_EXT ); 
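Review bot: `$sql_ldap_groups = "'".implode("','",$ldap_groups)."'";` still splices the group names returned by the directory into the heredoc's `IN(...)` list, so a group name containing a quote breaks or alters the query; those names come from an external system and should be bound the way `name` is bound via `{name}`/`setString('name', …)` in the hunk at line 14 (assuming that placeholder syntax accepts generated names). The group sync also mixes objects: `$oldGroups` now comes from the new `$user = new User( $userid )`, but `addGroup`, `delGroup`, `$this->groups` (read in the `auto_add` loop, where `$groups` is the local holding the DB result) and the `save()` in the hunk at line 108 are still invoked on `$this`, which is the auth object, so the membership changes presumably land on the wrong object or an undefined property. The new `if ( !$ok ) return false;` returns before the `$ldap->close()` further down, so a failed bind leaves the connection open; close it before returning. Dropping the `$conf['security']['authorize']['type'] == 'ldap'` guard makes the synchronisation run on every LDAP login — a comment saying that is intended would help.
```php
// … unchanged: bind, early return on !$ok, group_name/group_filter lookup, searchAttribute …
if ( empty($ldap_groups) )
{
    $groups = array();
}
else
{
    // One bound placeholder per directory group instead of a quoted, concatenated IN list.
    $placeholders = array();
    foreach( $ldap_groups as $i=>$ldapGroup )
        $placeholders[] = '{group'.$i.'}';

    $sql = new Sql( 'SELECT id,name FROM {t_group} WHERE name IN('.implode(',',$placeholders).') ORDER BY name ASC' );
    foreach( $ldap_groups as $i=>$ldapGroup )
        $sql->setString( 'group'.$i,$ldapGroup );

    $groups = $db->getAssoc( $sql );
}
// … unchanged: $user = new User( $userid ), $oldGroups, add/del loops, auto_add, close, save …
```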
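Review bot: `$ok = $ldap->bind( $ldap_dn, $password );` is reached with no check that `$ldap_dn` — presumably the DN stored with the `$row_user` looked up in the hunk at line 22, outside this hunk — and `$password` are non-empty; many directory servers treat a bind with an empty password (or an empty DN) as an anonymous bind that succeeds, which would make `$ok` true without any credential having been verified. Add `if ( empty($ldap_dn) || $password === '' ) return false;` before the bind, or enforce it inside `Ldap::bind` (not in this diff) so the `LdapAuth` bind above the hunk at line 46 is covered as well.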
diff --git a/model/User.class.php b/model/User.class.php
@@ -225,7 +225,7 @@ SQL
  * @static
  * @param name Benutzername
  */
-function loadWithName( $name )
+public static function loadWithName( $name )
 {
 global $conf;
 $db = db_connection();
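Review bot: The docblock above `loadWithName` carries only `@static` and `@param name Benutzername` and says nothing about the return value, yet `LoginAction` now stores the result directly in the session; add `@return User` together with one sentence stating what the caller gets when no row matches the name, since that case decides whether the login code needs its own check. The method body continues past the hunk, so the no-match behaviour has to be read from there before documenting it.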