
commit d8ca988bcd3cb69af2a4920ee640acbab49c6af3
parent c9910f26768b34545538ec858b20c359e7ddda45
Author: Jan Dankert <devnull@localhost>
Date:   Tue,  6 Nov 2012 20:16:23 +0100

Preselect-Auth-Module eingebunden, Bugfix für Ident-Abfrage.

Diffstat:
action/LoginAction.class.php | 50+++++++++++++++++++++++++++++++++++++++++++-------
auth/CookieAuth.class.php | 31+++++++++++++++++++++++++++++++
auth/IdentAuth.class.php | 27++++++++++-----------------
auth/LdapAuth.class.php | 253++++++++++++++++++++++---------------------------------------------------------
auth/LdapUserDNAuth.class.php | 61+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
auth/include.inc.php | 5++---
config/config-default.php | 15+++++++++------
themes/default/js/openrat.js | 2+-
util/Http.class.php | 14++++++++++++++
9 files changed, 241 insertions(+), 217 deletions(-)

diff --git a/action/LoginAction.class.php b/action/LoginAction.class.php @@ -186,6 +186,7 @@ class LoginAction extends Action function loginView() { global $conf; + $sso = $conf['security']['sso']; $ssl = $conf['security']['ssl']; @@ -352,6 +353,26 @@ class LoginAction extends Action $this->setTemplateVar('register' ,$conf['login' ]['register' ]); $this->setTemplateVar('send_password',$conf['login' ]['send_password']); + + // Versuchen, einen Benutzernamen zu ermitteln, der im Eingabeformular vorausgewählt wird. + $modules = explode(',',$conf['security']['modules']['preselect']); + + $username = ''; + foreach( $modules as $module) + { + Logger::debug('Preselecting module: '.$module); + $moduleClass = $module.'Auth'; + $auth = new $moduleClass; + $username = $auth->username(); + + if ( !empty($username) ) + { + Logger::debug('Preselecting User '.$username); + break; // Benutzername gefunden. + } + } + + $this->setTemplateVar('login_name',$username); } @@ -409,6 +430,7 @@ class LoginAction extends Action $this->setTemplateVar('projectid' ,$this->getRequestVar('projectid' ,OR_FILTER_NUMBER) ); $this->setTemplateVar('modelid' ,$this->getRequestVar('modelid' ,OR_FILTER_NUMBER) ); $this->setTemplateVar('languageid',$this->getRequestVar('languageid',OR_FILTER_NUMBER) ); + } 
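Review bot: The preselect loop in the `-352` hunk instantiates `$module.'Auth'` straight from the comma-separated config string without checking that the class exists or implements `Auth`, so a trailing comma or a typo in `$conf['security']['modules']['preselect']` (the old default `'Internal,'` had exactly that shape) becomes a fatal error on the login page instead of a skipped module. Trim each entry, skip empty ones and verify the class before `new`; the authenticate loop in the `-760` hunk below has the same gap. The value a preselect module returns comes from outside the application (an ident reply, a cookie), so `login_name` has to be escaped by the template — I cannot see the template from here. `loginView` continues outside the hunk.
```php
// … unchanged: setTemplateVar('register' …) / setTemplateVar('send_password' …) …
$modules  = array_map('trim', explode(',', $conf['security']['modules']['preselect']));
$username = '';
foreach ($modules as $module) {
    $moduleClass = $module.'Auth';
    if ($module === '' || !class_exists($moduleClass) || !in_array('Auth', class_implements($moduleClass), true)) {
        Logger::warn('Unknown preselect module: '.$module);
        continue; // misconfiguration must not take the login page down
    }
    Logger::debug('Preselecting module: '.$module);
    $auth     = new $moduleClass;
    $username = $auth->username();
    if (!empty($username)) {
        Logger::debug('Preselecting User '.$username);
        break; // Benutzername gefunden.
    }
}
$this->setTemplateVar('login_name', $username);
```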
@@ -760,18 +782,32 @@ class LoginAction extends Action $newPassword2 = $this->getRequestVar('password2' ,OR_FILTER_ALPHANUM); // Cookie setzen - setcookie('or_username',$loginName,time()+(60*60*24*30*12*2) ); - setcookie('or_dbid',$this->getRequestVar('dbid'),time()+(60*60*24*30*12*2) ); - - // Ermitteln, ob der Baum angezeigt werden soll - // Ist die Breite zu klein, dann wird der Baum nicht angezeigt - //Session::set('showtree',intval($this->getRequestVar('screenwidth')) > $conf['interface']['min_width'] ); + $cookieLifetime = 60*60*24*30*12*2; // 2 Jahre. + setcookie('or_username',$loginName ,time()+$cookieLifetime ); + setcookie('or_dbid' ,$this->getRequestVar('dbid'),time()+$cookieLifetime ); + // Authentifzierung. + $modules = explode(',',$conf['security']['modules']['authenticate']); + + $loginOk = false; + foreach( $modules as $module) + { + $moduleClass = $module.'Auth'; + $auth = new $moduleClass; + $loginOk = $auth->login( $loginName,$loginPassword ); + + if ( $loginOk ) + break; // Login erfolgreich. + } + + $this->setTemplateVar('login_name',$username); + + /* $loginOk = $this->checkLogin( $loginName, $loginPassword, $newPassword1, $newPassword2 ); - + */ if ( !$loginOk ) { // Anmeldung nicht erfolgreich diff --git a/auth/CookieAuth.class.php b/auth/CookieAuth.class.php @@ -0,0 +1,30 @@ +<?php + +/** + * Authentifizierung als Gast-User. + * + * Falls konfiguriert, wird der Gast-Benutzer voreingestellt. + * + * @author dankert + */ +class CookieAuth implements Auth +{ + public function username() + { + if ( isset($_COOKIE['or_username']) ) + return $_COOKIE['or_username']; + else + return null; + } + + + /** + * Ueberpruefen des Kennwortes ist über Ident nicht möglich. + */ + public function login( $user, $password ) + { + return false; + } +} + +?>+ \ No newline at end of file diff --git a/auth/IdentAuth.class.php b/auth/IdentAuth.class.php 
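Review bot: `$this->setTemplateVar('login_name',$username);` after the authenticate loop uses `$username`, which is never assigned in this method — the submitted name is held in `$loginName` — so the template variable is always empty and PHP raises an undefined-variable notice; it should read `$this->setTemplateVar('login_name',$loginName);`. Commenting out `checkLogin()` also drops whatever it did with `$newPassword1`/`$newPassword2`, which are still read at the top of the hunk but are now unused, so the password-change path appears to have no home in any module. The loop stops at the first module whose `login()` returns true, so the order of `$conf['security']['modules']['authenticate']` decides which backend is authoritative; a one-line comment on the loop saying so would help. The method continues outside the hunk.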
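Review bot: The class docblock of the new CookieAuth says "Authentifizierung als Gast-User" and the `login()` docblock refers to Ident — both copied from other modules; this class only reads `$_COOKIE['or_username']` to prefill the form and never authenticates. Suggested class docblock: `Preselects the login name from the or_username cookie; this module cannot perform a login.` and for `login()`: `A cookie cannot verify a password, so this always returns false.` A sentence noting that the returned value is set by the client and is therefore only fit for prefilling, never for trusting an identity, would help the next reader who is tempted to reuse `username()` elsewhere.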
@@ -13,9 +13,9 @@ class IdentAuth implements Auth public function username() { $ip = Http::getClientIP(); - $port = 113; - - if ( !$socket = @fsockopen($ip,$port,$errno, $errstr,10 )) + $port = Http::getClientPort(); + $identPort = 113; + if ( !$socket = @fsockopen($ip,$identPort,$errno, $errstr,10 )) { return null; } @@ -25,23 +25,16 @@ class IdentAuth implements Auth $line = @fgets($socket, 1000); // 1000 octets according to RFC 1413 fclose($socket); - $array = explode(':', $string, 4); - if (count($array) > 1 && ! strcasecmp(trim($array[1]), 'USERID')) + $array = explode(':', $line, 4); + if (count($array) >= 4 && ! strcasecmp(trim($array[1]), 'USERID')) { - if ( isset($array[3]) ) - return trim($array[3]); - else - Logger::warn('Ident: Invalid ident server response: '.$line); - - return null; + $username = trim($array[3]); + Logger::debug('Ident: User-Id: '.$username ); + return $username; } - elseif (count($array) > 1 && ! strcasecmp(trim($array[1]), 'ERROR')) + elseif (count($array) >= 3 && ! strcasecmp(trim($array[1]), 'ERROR')) { - if ( isset($array[2]) ) - Logger::warn('Ident: '.trim($array[2]) ); - else - Logger::warn('Ident: Invalid ident server response: '.$line); - + Logger::debug('Ident: Error: '.trim($array[2]) ); return null; } else diff --git a/auth/LdapAuth.class.php b/auth/LdapAuth.class.php 
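Review bot: In the second hunk the reply is accepted without checking that the echoed port pair in `$array[0]` matches the `<client-port> , 113` pair this code asks about, even though the first hunk now fetches `$port = Http::getClientPort()` for exactly that (the write of the query is outside the hunk, so I cannot see what is sent). RFC 1413 replies start with the port pair; comparing it before trusting the USERID field rejects mismatched lines, e.g. `if ( str_replace(' ','',$array[0]) !== $port.','.$identPort ) return null;`. The user-id is chosen by whatever answers on the client's port 113, so it is suitable only for the form preselection this commit uses it for, and `trim()` alone does not constrain its characters before it reaches `Logger::debug` and the template. `@fsockopen`/`@fgets` hide the failure cause although `$errstr` is already captured and could be logged at debug level.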
@@ -18,208 +18,95 @@ SQL $row_user = $db->getRow( $sql ); - $check = false; - $authType = $conf['security']['auth']['type']; // Entweder 'ldap', 'authdb', 'http', oder 'database' + Logger::debug( 'checking login via ldap' ); + $ldap = new Ldap(); + $ldap->connect(); - if ( !empty($row_user) ) + if ( empty($conf['ldap']['dn']) ) { - // Benutzername ist bereits in der Datenbank. - $this->userid = $row_user['id']; - $this->ldap_dn = $row_user['ldap_dn']; - $check = true; - $autoAdd = false; // Darf nicht hinzugef�gt werden, da schon vorhanden. - } - elseif( $authType == 'ldap' && $conf['ldap']['search']['add'] ) - { - // Benutzer noch nicht in der Datenbank vorhanden. - // Falls ein LDAP-Account gefunden wird, wird dieser �bernommen. - $check = true; - $autoAdd = true; - } - elseif( $authType == 'authdb' && $conf['security']['authdb']['add'] ) - { - $check = true; - $autoAdd = true; + // Der Benutzername wird im LDAP-Verzeichnis gesucht. + // Falls gefunden, wird der DN (=der eindeutige Schl�ssel im Verzeichnis) ermittelt. + $dn = $ldap->searchUser( $this->name ); + + if ( empty($dn) ) + { + Logger::debug( 'User not found in LDAP directory' ); + return false; // Kein LDAP-Account gefunden. 
+ } + + Logger::debug( 'User found: '.$dn ); } - elseif( $authType == 'http' && $conf['security']['http']['add'] ) + else { - $check = true; - $autoAdd = true; + $dn = str_replace( '{user}',$this->name,$conf['ldap']['dn'] ); } - - if ( $check ) + + // LDAP-Login versuchen + $ok = $ldap->bind( $dn, $password ); + + Logger::debug( 'LDAP bind: '.($ok?'success':'failed') ); + + if ( $ok && $conf['security']['authorize']['type'] == 'ldap' ) { - // Falls benutzerspezifischer LDAP-dn vorhanden wird Benutzer per LDAP authentifiziert - if ( $conf['security']['auth']['userdn'] && !empty($this->ldap_dn ) ) - { - Logger::debug( 'checking login via ldap' ); - $ldap = new Ldap(); - $ldap->connect(); - - // Benutzer ist bereits in Datenbank - // LDAP-Login mit dem bereits vorhandenen DN versuchen - $ok = $ldap->bind( $this->ldap_dn, $password ); - - // Verbindung zum LDAP-Server brav beenden - $ldap->close(); - - return $ok; - } - elseif( $authType == 'ldap' ) - { - Logger::debug( 'checking login via ldap' ); - $ldap = new Ldap(); - $ldap->connect(); - - if ( empty($conf['ldap']['dn']) ) - { - // Der Benutzername wird im LDAP-Verzeichnis gesucht. - // Falls gefunden, wird der DN (=der eindeutige Schl�ssel im Verzeichnis) ermittelt. - $dn = $ldap->searchUser( $this->name ); - - if ( empty($dn) ) - { - Logger::debug( 'User not found in LDAP directory' ); - return false; // Kein LDAP-Account gefunden. 
- } - - Logger::debug( 'User found: '.$dn ); - } - else - { - $dn = str_replace( '{user}',$this->name,$conf['ldap']['dn'] ); - } - - // LDAP-Login versuchen - $ok = $ldap->bind( $dn, $password ); - - Logger::debug( 'LDAP bind: '.($ok?'success':'failed') ); - - if ( $ok && $conf['security']['authorize']['type'] == 'ldap' ) - { - $sucheAttribut = $conf['ldap']['authorize']['group_name']; - $sucheFilter = str_replace('{dn}',$dn,$conf['ldap']['authorize']['group_filter']); - - $ldap_groups = $ldap->searchAttribute( $sucheFilter, $sucheAttribut ); - $sql_ldap_groups = "'".implode("','",$ldap_groups)."'"; - - $sql = new Sql( <<<SQL + $sucheAttribut = $conf['ldap']['authorize']['group_name']; + $sucheFilter = str_replace('{dn}',$dn,$conf['ldap']['authorize']['group_filter']); + + $ldap_groups = $ldap->searchAttribute( $sucheFilter, $sucheAttribut ); + $sql_ldap_groups = "'".implode("','",$ldap_groups)."'"; + + $sql = new Sql( <<<SQL SELECT id,name FROM {t_group} WHERE name IN($sql_ldap_groups) ORDER BY name ASC SQL - ); - $oldGroups = $this->getGroupIds(); - $this->groups = $db->getAssoc( $sql ); - - foreach( $this->groups as $groupid=>$groupname) - { - if ( ! in_array($groupid,$oldGroups)) - $this->addGroup($groupid); - } - foreach( $oldGroups as $groupid) - { - if ( !isset($this->groups[$groupid]) ) - $this->delGroup($groupid); - } - - - // Pr�fen, ob Gruppen fehlen. Diese dann ggf. in der OpenRat-Datenbank hinzuf�gen. - if ( $conf['ldap']['authorize']['auto_add'] ) - { - foreach( $ldap_groups as $group ) - { - if ( !in_array($group,$this->groups) ) // Gruppe schon da? - { - $g = new Group(); - $g->name = $group; - $g->add(); // Gruppe hinzuf�gen - - $this->groups[$g->groupid] = $group; - } - } - } -// Html::debug($this->groups,'Gruppen/Ids des Benutzers'); - } - - // Verbindung zum LDAP-Server brav beenden - $ldap->close(); - - if ( $ok && $autoAdd ) - { - // Falls die Authentifizierung geklappt hat, wird der - // LDAP-Account in die Datenbank �bernommen. 
- $this->ldap_dn = $dn; - $this->fullname = $this->name; - $this->add(); - $this->save(); - } - - return $ok; + ); + $oldGroups = $this->getGroupIds(); + $this->groups = $db->getAssoc( $sql ); + + foreach( $this->groups as $groupid=>$groupname) + { + if ( ! in_array($groupid,$oldGroups)) + $this->addGroup($groupid); } - elseif( $authType == 'database' ) + foreach( $oldGroups as $groupid) { - // Pruefen ob Kennwort mit Datenbank uebereinstimmt - if ( $row_user['password'] == $password ) - { - // Kennwort stimmt mit Datenbank �berein, aber nur im Klartext. - // Das Kennwort muss ge�ndert werden - $this->mustChangePassword = true; - - // Login nicht erfolgreich - return false; - } - elseif ( $row_user['password'] == md5( $this->saltPassword($password) ) ) - { - // Die Kennwort-Pr�fsumme stimmt mit dem aus der Datenbank �berein. - // Juchuu, Login ist erfolgreich. - return true; - } - else - { - // Kennwort stimmt garnicht �berein. - return false; - } + if ( !isset($this->groups[$groupid]) ) + $this->delGroup($groupid); } - elseif( $authType == 'authdb' ) + + + // Pr�fen, ob Gruppen fehlen. Diese dann ggf. in der OpenRat-Datenbank hinzuf�gen. + if ( $conf['ldap']['authorize']['auto_add'] ) { - $authdb = new DB( $conf['security']['authdb'] ); - $sql = new Sql( $conf['security']['authdb']['sql'] ); - $sql->setString('username',$this->name); - $sql->setString('password',$password); - $row = $authdb->getRow( $sql ); - $ok = !empty($row); - - if ( $ok && $autoAdd ) + foreach( $ldap_groups as $group ) { - // Falls die Authentifizierung geklappt hat, wird der - // Benutzername in der eigenen Datenbank eingetragen. - $this->fullname = $this->name; - $this->add(); - $this->save(); + if ( !in_array($group,$this->groups) ) // Gruppe schon da? 
+ { + $g = new Group(); + $g->name = $group; + $g->add(); // Gruppe hinzuf�gen + + $this->groups[$g->groupid] = $group; + } } - // noch nicht implementiert: $authdb->close(); - - return $ok; - } - elseif( $authType == 'http' ) - { - $http = new Http( $conf['security']['http']['url'] ); - $http->method = 'HEAD'; - $http->setBasicAuthentication( $this->name, $password ); - - $ok = $http->request(); - - return $ok; - } - else - { - die( 'unknown authentication-type in configuration: '.$authType ); } +// Html::debug($this->groups,'Gruppen/Ids des Benutzers'); } + + // Verbindung zum LDAP-Server brav beenden + $ldap->close(); - // Benutzername nicht in Datenbank. - return false; + if ( $ok && $autoAdd ) + { + // Falls die Authentifizierung geklappt hat, wird der + // LDAP-Account in die Datenbank �bernommen. + $this->ldap_dn = $dn; + $this->fullname = $this->name; + $this->add(); + $this->save(); + } + + return $ok; } public function username() diff --git a/auth/LdapUserDNAuth.class.php b/auth/LdapUserDNAuth.class.php 
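Review bot: `$autoAdd` in `if ( $ok && $autoAdd )` near the end of the hunk is never assigned in the new code — every assignment to it was in the removed branches — so the LDAP account is never copied into the database and PHP raises a notice; the config hunk adds `$conf['security']['newuser']['autoadd']`, which looks like the intended source, e.g. `$autoAdd = !empty($conf['security']['newuser']['autoadd']);` before the bind. `$row_user` is still fetched at the top of the hunk but no longer read anywhere. The group-name list is spliced into the heredoc SQL (`IN($sql_ldap_groups)`) by quoting with `implode("','", ...)`: the names come from the directory's group attributes, so a name containing a quote breaks or alters the query; bind each name through the `Sql` class's parameter mechanism (`setString`, as the user lookup does) instead of string-quoting. The method starts outside the hunk, so I cannot see whether `$this->name` and `$this->groups` are still defined on this class now that it acts as an auth module.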
@@ -0,0 +1,60 @@ +<?php + +/** + * Authentifizierung gegen einen LDAP-Server. + * + * @author Jan Dankert + */ +class LdapAuth implements Auth +{ + + /** + * @see Auth::login() + */ + public function login($username, $password) + { + $db = db_connection(); + $this->mustChangePassword = false; + + // Lesen des Benutzers aus der DB-Tabelle + $sql = new Sql( <<<SQL +SELECT * FROM {t_user} + WHERE name={name} +SQL + ); + $sql->setString('name',$this->name); + + $row_user = $db->getRow( $sql ); + + if ( empty($row_user) ) + return false; + + // Benutzername ist bereits in der Datenbank. + $userid = $row_user['id']; + $ldap_dn = $row_user['ldap_dn']; + + if ( empty($ldap_dn ) ) + return false; + + Logger::debug( 'checking login via ldap' ); + $ldap = new Ldap(); + $ldap->connect(); + + // Benutzer ist bereits in Datenbank + // LDAP-Login mit dem bereits vorhandenen DN versuchen + $ok = $ldap->bind( $this->ldap_dn, $password ); + + // Verbindung zum LDAP-Server brav beenden + $ldap->close(); + + return $ok; + } + + public function username() + { + return null; + } + +} + +?>+ \ No newline at end of file diff --git a/auth/include.inc.php b/auth/include.inc.php @@ -1,6 +1,8 @@ <?php require_once( OR_AUTHCLASSES_DIR."Auth.class.".PHP_EXT ); +require_once( OR_AUTHCLASSES_DIR."CookieAuth.class.".PHP_EXT ); require_once( OR_AUTHCLASSES_DIR."DatabaseAuth.class.".PHP_EXT ); +require_once( OR_AUTHCLASSES_DIR."GuestAuth.class.".PHP_EXT ); require_once( OR_AUTHCLASSES_DIR."HttpAuth.class.".PHP_EXT ); require_once( OR_AUTHCLASSES_DIR."IdentAuth.class.".PHP_EXT ); require_once( OR_AUTHCLASSES_DIR."InternalAuth.class.".PHP_EXT ); 
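Review bot: The new file declares `class LdapAuth implements Auth` — the same class name as auth/LdapAuth.class.php — so loading both is a redeclaration fatal, and the new config default `'LdapUserDN,Database,Internal'` makes the authenticate loop do `new LdapUserDNAuth`, which does not exist; the header should read `class LdapUserDNAuth implements Auth`. Inside `login()` the `$username` parameter is ignored in favour of `$this->name` (`$sql->setString('name',$this->name);`), and the bind uses `$this->ldap_dn` instead of the `$ldap_dn` just read from the row; use `$sql->setString('name',$username);` and `$ok = $ldap->bind( $ldap_dn, $password );`. `$userid` and `$this->mustChangePassword` are assigned but never used on this object. Neither include.inc.php hunk adds a `require_once` for LdapUserDNAuth.class.php, so even after the rename the module is not loaded.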
@@ -9,7 +11,4 @@ require_once( OR_AUTHCLASSES_DIR."OpenIdAuth.class.".PHP_EXT ); require_once( OR_AUTHCLASSES_DIR."PersonasAuth.class.".PHP_EXT ); require_once( OR_AUTHCLASSES_DIR."SingleSignonAuth.class.".PHP_EXT ); require_once( OR_AUTHCLASSES_DIR."SSLAuth.class.".PHP_EXT ); -require_once( OR_AUTHCLASSES_DIR."GuestAuth.class.".PHP_EXT ); -/* -*/ ?> \ No newline at end of file diff --git a/config/config-default.php b/config/config-default.php @@ -730,10 +730,15 @@ $conf['security']['auth']['userdn']=false; $conf['security']['authorize'] = array(); $conf['security']['authorize']['type']='database'; $conf['security']['authorize']['type']='ldap'; -$conf['security']['modules']['autologin']='ident,guest,SingleSignon'; -$conf['security']['modules']['preselect']='cookie'; -$conf['security']['modules']['select']='SSL'; -$conf['security']['modules']['authenticate']='Internal,'; + +$conf['security']['modules'] = array(); +$conf['security']['modules']['autologin']='Guest,SingleSignon'; +$conf['security']['modules']['preselect']='Ident,SSL,Cookie'; +$conf['security']['modules']['authenticate']='LdapUserDN,Database,Internal'; + +$conf['security']['newuser'] = array(); +$conf['security']['newuser']['autoadd'] = true; +$conf['security']['newuser']['autogroups'] = ""; $conf['security']['password'] = array(); $conf['security']['password']['random_length']='8'; @@ -785,8 +790,6 @@ $conf['security']['sso']['force']=true; $conf['security']['sso']['expect']='0'; $conf['security']['sso']['expect_regexp']="/running on/"; $conf['security']['sso']['username_regexp']="/running on localhost as ([a-z]+)@localhost/"; -$conf['security']['newuser'] = array(); -$conf['security']['newuser']['groups']="YourGroup,AnotherGroup"; $conf['security']['logout'] = array(); $conf['security']['logout']['redirect_url']="http://your.intranet.example/"; $conf['security']['logout']['redirect_url']='0'; diff --git a/themes/default/js/openrat.js b/themes/default/js/openrat.js 
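Review bot: The new `autologin` default `'Guest,SingleSignon'` puts Guest first; if the autologin loop stops at the first module that succeeds, the way the authenticate loop in LoginAction does, a guest module that always succeeds would shadow SingleSignon — worth a comment on the line stating which order is intended. The key `$conf['security']['newuser']['groups']` removed in the second hunk is replaced by `['autogroups']` with a different name and an empty default, so any code still reading `newuser']['groups']` silently gets nothing (I cannot see readers from here); a short comment next to `autogroups` naming the old key would make the rename traceable.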
@@ -269,7 +269,7 @@ function registerViewEvents( viewEl ) else $formInput.addClass('invisible'); - if ( $('div.window form input[type=password]').length>0 ) + if ( $('div.window form input[type=password]').length>0 && $('#uname').attr('value')!='' ) { $('div.window form input[name=login_name] ').attr('value',$('#uname' ).attr('value')); $('div.window form input[name=login_password]').attr('value',$('#upassword').attr('value')); diff --git a/util/Http.class.php b/util/Http.class.php @@ -547,6 +547,20 @@ HTML; return $ip; } + + + + public static function getClientPort() + { + $ip = ''; + + if ( isset($_SERVER["REMOTE_PORT"]) ) + { + $ip = $_SERVER["REMOTE_PORT"]; + } + + return $ip; + } } ?> \ No newline at end of file
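Review bot: `$('#uname').attr('value')!=''` does not cover the case where `#uname` is absent: `.attr('value')` then returns `undefined`, `undefined != ''` is true, and both form fields are still overwritten with `undefined`, which defeats the preselected `login_name` this commit introduces. Testing the value for truthiness handles the missing and the empty case at once: `if ( $('div.window form input[type=password]').length>0 && $('#uname').val() )`. `registerViewEvents` continues outside the hunk.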
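Review bot: `getClientPort()` keeps its result in a local named `$ip` and returns `''` when `REMOTE_PORT` is unset, so the ident caller in IdentAuth builds a port pair from an empty string; name the local `$port`, return an integer (`$port = (int) $_SERVER["REMOTE_PORT"];`) and make the not-available case explicit (`$port = 0;`) so callers can skip the lookup. The method has no docblock; suggested: `/** Returns the client's TCP source port from $_SERVER['REMOTE_PORT'], or 0 if it is not available. */`. The blank lines above the method are more than the file's other methods use.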