commit 8b70421bee71d8188c870ec191b03c100918918e
parent d8ca988bcd3cb69af2a4920ee640acbab49c6af3
Author: Jan Dankert <devnull@localhost>
Date: Tue, 6 Nov 2012 20:53:55 +0100
Fix: Login mit LDAPUserDNAuth.
Diffstat:
5 files changed, 68 insertions(+), 61 deletions(-)
diff --git a/action/LoginAction.class.php b/action/LoginAction.class.php
@@ -794,14 +794,16 @@ class LoginAction extends Action
{
$moduleClass = $module.'Auth';
$auth = new $moduleClass;
+ Logger::info('Trying a login with module '.$moduleClass);
$loginOk = $auth->login( $loginName,$loginPassword );
- if ( $loginOk )
- break; // Login erfolgreich.
+ if ( $loginOk )
+ {
+ Logger::info('Login successful for '.$loginName);
+ break; // Login erfolgreich.
+ }
}
- $this->setTemplateVar('login_name',$username);
-
/*
$loginOk = $this->checkLogin( $loginName,
$loginPassword,
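Review bot: Both new `Logger::info()` calls write the client-supplied `$loginName` into the log verbatim; unless `Logger` strips control characters, a name containing CR/LF forges extra log lines (log injection), and the success entry duplicates the `Logger::debug("Login successful for user …")` that already runs after the loop. Consider logging an escaped form, e.g. `Logger::info('Login successful for '.json_encode($loginName));`, and keeping a single success entry. The loop these lines sit in begins before the hunk.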
@@ -812,23 +814,23 @@ class LoginAction extends Action
{
// Anmeldung nicht erfolgreich
sleep(3);
-
- if ( $this->mustChangePassword )
- {
- // Anmeldung gescheitert, Benutzer muss Kennwort ?ndern.
- $this->addNotice('user',$loginName,'LOGIN_FAILED_MUSTCHANGEPASSWORD','error' );
+ Logger::debug("Login failed for user '$loginName'");
+
+ if ( $this->mustChangePassword )
+ {
+ // Anmeldung gescheitert, Benutzer muss Kennwort ?ndern.
+ $this->addNotice('user',$loginName,'LOGIN_FAILED_MUSTCHANGEPASSWORD','error' );
$this->addValidationError('password1','');
$this->addValidationError('password2','');
}
- else
+ else
{
- // Anmeldung gescheitert.
+ // Anmeldung gescheitert.
$this->addNotice('user',$loginName,'LOGIN_FAILED','error',array('name'=>$loginName) );
$this->addValidationError('login_name' ,'');
- $this->addValidationError('login_password','');
+ $this->addValidationError('login_password','');
}
- Logger::debug("Login failed for user '$loginName'");
//$this->callSubAction('login');
return;
@@ -837,11 +839,13 @@ class LoginAction extends Action
{
Logger::debug("Login successful for user '$loginName'");
+ $user = User::loadWithName($loginName);
+ Session::setUser($user);
+
// Anmeldung erfolgreich.
if ( config('security','renew_session_login') )
$this->recreateSession();
- $user = Session::getUser();
$this->addNotice('user',$user->name,'LOGIN_OK',OR_NOTICE_OK,array('name'=>$user->fullname));
$this->setStyle( $user->style );
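Review bot: `User::loadWithName( $loginName )` is stored into the session without checking that it resolved to an account; an auth module can return true for a name with no row in t_user (LdapAuth in this commit returns true before its auto-add branch runs), after which `$user->name` below fails or an empty user object is bound to the session. Guard it before `Session::setUser()`, e.g. `if ( !$user ) { $this->addNotice('user',$loginName,'LOGIN_FAILED','error'); return; }` — adjust the test to whatever `loadWithName()` returns on a miss, which is not visible here. The user is also loaded from the raw submitted name rather than the identity the module actually authenticated (the Auth classes expose `username()`), so a backend that matches names case-insensitively could attach one directory account to a different local row; worth confirming. The enclosing method continues outside the hunk.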
diff --git a/auth/LdapAuth.class.php b/auth/LdapAuth.class.php
@@ -14,11 +14,11 @@ SELECT * FROM {t_user}
WHERE name={name}
SQL
);
- $sql->setString('name',$this->name);
+ $sql->setString('name',$username);
$row_user = $db->getRow( $sql );
-
- Logger::debug( 'checking login via ldap' );
+ $userid = $row_user['id'];
+
$ldap = new Ldap();
$ldap->connect();
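Review bot: `$userid = $row_user['id'];` is read without checking that the lookup found a row, so for an LDAP user who does not yet exist locally (the case the later `$autoAdd` branch is meant to handle) `$userid` is null and the `new User( $userid )` further down syncs groups against no account. Either bail out here when auto-add is off, `if ( !$row_user && !$autoAdd ) return false;`, or defer the group sync until after the account has been created. The method signature and the origin of `$autoAdd` are outside this hunk, so the exact ordering should be confirmed there.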
@@ -26,7 +26,7 @@ SQL
{
// Der Benutzername wird im LDAP-Verzeichnis gesucht.
// Falls gefunden, wird der DN (=der eindeutige Schl�ssel im Verzeichnis) ermittelt.
- $dn = $ldap->searchUser( $this->name );
+ $dn = $ldap->searchUser( $username );
if ( empty($dn) )
{
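Review bot: `$ldap->searchUser( $username )` now receives the name exactly as the client typed it, and that value ends up inside an LDAP search filter; unless `Ldap::searchUser()` escapes `\`, `*`, `(`, `)` and NUL per RFC 4515, a login name such as `*)(uid=*` widens the search and the returned DN may belong to a different entry. Escape at this call site or inside searchUser (PHP >= 5.6 has `ldap_escape($username, '', LDAP_ESCAPE_FILTER)`), and treat a multi-valued result like an empty one. The surrounding if/else begins before the hunk.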
@@ -38,7 +38,7 @@ SQL
}
else
{
- $dn = str_replace( '{user}',$this->name,$conf['ldap']['dn'] );
+ $dn = str_replace( '{user}',$username,$conf['ldap']['dn'] );
}
// LDAP-Login versuchen
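Review bot: `str_replace( '{user}', $username, $conf['ldap']['dn'] )` splices the raw login name into a DN, so RFC 4514 special characters (`,` `+` `"` `\` `<` `>` `;` `=`) in `$username` rewrite the bind DN; escape them before substitution (`ldap_escape($username, '', LDAP_ESCAPE_DN)` on PHP >= 5.6). The bind that follows this hunk should also refuse an empty password first, `if ( $password === '' ) return false;`, because a simple bind with a DN and an empty password is an unauthenticated bind that many servers answer with success (RFC 4513 section 5.1.2). The bind call itself is just outside the hunk.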
@@ -46,57 +46,59 @@ SQL
Logger::debug( 'LDAP bind: '.($ok?'success':'failed') );
- if ( $ok && $conf['security']['authorize']['type'] == 'ldap' )
- {
- $sucheAttribut = $conf['ldap']['authorize']['group_name'];
- $sucheFilter = str_replace('{dn}',$dn,$conf['ldap']['authorize']['group_filter']);
+ if ( !$ok )
+ return false;
- $ldap_groups = $ldap->searchAttribute( $sucheFilter, $sucheAttribut );
- $sql_ldap_groups = "'".implode("','",$ldap_groups)."'";
-
- $sql = new Sql( <<<SQL
+ $sucheAttribut = $conf['ldap']['authorize']['group_name'];
+ $sucheFilter = str_replace('{dn}',$dn,$conf['ldap']['authorize']['group_filter']);
+
+ $ldap_groups = $ldap->searchAttribute( $sucheFilter, $sucheAttribut );
+ $sql_ldap_groups = "'".implode("','",$ldap_groups)."'";
+
+ $sql = new Sql( <<<SQL
SELECT id,name FROM {t_group}
WHERE name IN($sql_ldap_groups)
ORDER BY name ASC
SQL
- );
- $oldGroups = $this->getGroupIds();
- $this->groups = $db->getAssoc( $sql );
-
- foreach( $this->groups as $groupid=>$groupname)
- {
- if ( ! in_array($groupid,$oldGroups))
- $this->addGroup($groupid);
- }
- foreach( $oldGroups as $groupid)
- {
- if ( !isset($this->groups[$groupid]) )
- $this->delGroup($groupid);
- }
-
-
- // Pr�fen, ob Gruppen fehlen. Diese dann ggf. in der OpenRat-Datenbank hinzuf�gen.
- if ( $conf['ldap']['authorize']['auto_add'] )
+ );
+
+ $user = new User( $userid );
+ $oldGroups = $user->getGroupIds();
+ $groups = $db->getAssoc( $sql );
+
+ foreach( $groups as $groupid=>$groupname)
+ {
+ if ( ! in_array($groupid,$oldGroups))
+ $this->addGroup($groupid);
+ }
+ foreach( $oldGroups as $groupid)
+ {
+ if ( !isset($groups[$groupid]) )
+ $this->delGroup($groupid);
+ }
+
+
+ // Pr�fen, ob Gruppen fehlen. Diese dann ggf. in der OpenRat-Datenbank hinzuf�gen.
+ if ( $conf['ldap']['authorize']['auto_add'] )
+ {
+ foreach( $ldap_groups as $group )
{
- foreach( $ldap_groups as $group )
+ if ( !in_array($group,$this->groups) ) // Gruppe schon da?
{
- if ( !in_array($group,$this->groups) ) // Gruppe schon da?
- {
- $g = new Group();
- $g->name = $group;
- $g->add(); // Gruppe hinzuf�gen
-
- $this->groups[$g->groupid] = $group;
- }
+ $g = new Group();
+ $g->name = $group;
+ $g->add(); // Gruppe hinzuf�gen
+
+ $this->groups[$g->groupid] = $group;
}
}
-// Html::debug($this->groups,'Gruppen/Ids des Benutzers');
}
+ // Html::debug($this->groups,'Gruppen/Ids des Benutzers');
// Verbindung zum LDAP-Server brav beenden
$ldap->close();
- if ( $ok && $autoAdd )
+ if ( $autoAdd )
{
// Falls die Authentifizierung geklappt hat, wird der
// LDAP-Account in die Datenbank �bernommen.
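Review bot: The new early return `if ( !$ok ) return false;` skips the `$ldap->close()` at the end of the method, so every failed bind leaks the LDAP connection, and the group sync below it is inconsistent about whose groups it edits: `$oldGroups` comes from `$user->getGroupIds()` but membership is changed through `$this->addGroup()`/`$this->delGroup()`, and the auto_add loop tests `$this->groups` instead of the new local `$groups`, which on an Auth object looks like a leftover from when this code lived in User. The `IN($sql_ldap_groups)` list is still built by string concatenation from LDAP attribute values although the same method parameterises `{name}` via `setString()` a few lines up, so a group name containing an apostrophe, or a directory entry an attacker can influence, changes the query. The old `$conf['security']['authorize']['type'] == 'ldap'` gate is also gone, so group sync now runs on every LDAP login regardless of configuration — confirm that is intended. The method begins before this hunk; a sketch of the fixes, assuming the `{placeholder}`/`setString()` convention seen above:
```php
if ( !$ok )
{
    $ldap->close();   // do not leak the connection on a failed bind
    return false;
}
// … unchanged: group filter/attribute lookup into $ldap_groups …
$placeholders = array();
foreach ( array_values($ldap_groups) as $i => $name )
    $placeholders[] = '{g'.$i.'}';
$sql = new Sql( 'SELECT id,name FROM {t_group} WHERE name IN('.implode(',', $placeholders).') ORDER BY name ASC' );
foreach ( array_values($ldap_groups) as $i => $name )
    $sql->setString( 'g'.$i, $name );

$user      = new User( $userid );
$oldGroups = $user->getGroupIds();
$groups    = empty($ldap_groups) ? array() : $db->getAssoc( $sql );

foreach( $groups as $groupid => $groupname )
    if ( !in_array($groupid, $oldGroups, true) )
        $user->addGroup($groupid);
foreach( $oldGroups as $groupid )
    if ( !isset($groups[$groupid]) )
        $user->delGroup($groupid);
// … unchanged: auto_add loop, but test against and record into $groups rather than $this->groups …
```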
@@ -106,7 +108,7 @@ SQL
$this->save();
}
- return $ok;
+ return true;
}
public function username()
diff --git a/auth/LdapUserDNAuth.class.php b/auth/LdapUserDNAuth.class.php
@@ -5,7 +5,7 @@
*
* @author Jan Dankert
*/
-class LdapAuth implements Auth
+class LdapUserDNAuth implements Auth
{
/**
@@ -22,7 +22,7 @@ SELECT * FROM {t_user}
WHERE name={name}
SQL
);
- $sql->setString('name',$this->name);
+ $sql->setString('name',$username);
$row_user = $db->getRow( $sql );
@@ -42,7 +42,7 @@ SQL
// Benutzer ist bereits in Datenbank
// LDAP-Login mit dem bereits vorhandenen DN versuchen
- $ok = $ldap->bind( $this->ldap_dn, $password );
+ $ok = $ldap->bind( $ldap_dn, $password );
// Verbindung zum LDAP-Server brav beenden
$ldap->close();
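Review bot: `$ldap->bind( $ldap_dn, $password )` is reached with whatever password the client sent, and a simple bind with a DN and an empty password is an unauthenticated bind that many directories answer with success (RFC 4513 section 5.1.2), so an empty password would log the caller in as the stored DN; add `if ( $password === '' ) return false;` before the bind, or have `Ldap::bind()` reject it. `$ldap_dn` is assigned outside this hunk — presumably from the `$row_user` row fetched above — which should be confirmed, since the removed line read a property instead. The method starts before the hunk.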
diff --git a/auth/include.inc.php b/auth/include.inc.php
@@ -7,6 +7,7 @@ require_once( OR_AUTHCLASSES_DIR."HttpAuth.class.".PHP_EXT );
require_once( OR_AUTHCLASSES_DIR."IdentAuth.class.".PHP_EXT );
require_once( OR_AUTHCLASSES_DIR."InternalAuth.class.".PHP_EXT );
require_once( OR_AUTHCLASSES_DIR."LdapAuth.class.".PHP_EXT );
+require_once( OR_AUTHCLASSES_DIR."LdapUserDNAuth.class.".PHP_EXT );
require_once( OR_AUTHCLASSES_DIR."OpenIdAuth.class.".PHP_EXT );
require_once( OR_AUTHCLASSES_DIR."PersonasAuth.class.".PHP_EXT );
require_once( OR_AUTHCLASSES_DIR."SingleSignonAuth.class.".PHP_EXT );
diff --git a/model/User.class.php b/model/User.class.php
@@ -225,7 +225,7 @@ SQL
* @static
* @param name Benutzername
*/
- function loadWithName( $name )
+ public static function loadWithName( $name )
{
global $conf;
$db = db_connection();