commit d8ca988bcd3cb69af2a4920ee640acbab49c6af3
parent c9910f26768b34545538ec858b20c359e7ddda45
Author: Jan Dankert <devnull@localhost>
Date: Tue, 6 Nov 2012 20:16:23 +0100
Preselect-Auth-Module eingebunden, Bugfix für Ident-Abfrage.
Diffstat:
9 files changed, 241 insertions(+), 217 deletions(-)
diff --git a/action/LoginAction.class.php b/action/LoginAction.class.php
@@ -186,6 +186,7 @@ class LoginAction extends Action
function loginView()
{
global $conf;
+
$sso = $conf['security']['sso'];
$ssl = $conf['security']['ssl'];
@@ -352,6 +353,26 @@ class LoginAction extends Action
$this->setTemplateVar('register' ,$conf['login' ]['register' ]);
$this->setTemplateVar('send_password',$conf['login' ]['send_password']);
+
+ // Versuchen, einen Benutzernamen zu ermitteln, der im Eingabeformular vorausgewählt wird.
+ $modules = explode(',',$conf['security']['modules']['preselect']);
+
+ $username = '';
+ foreach( $modules as $module)
+ {
+ Logger::debug('Preselecting module: '.$module);
+ $moduleClass = $module.'Auth';
+ $auth = new $moduleClass;
+ $username = $auth->username();
+
+ if ( !empty($username) )
+ {
+ Logger::debug('Preselecting User '.$username);
+ break; // Benutzername gefunden.
+ }
+ }
+
+ $this->setTemplateVar('login_name',$username);
}
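Review bot: The preselected `$username` is taken verbatim from whichever module answers first — `CookieAuth` returns the raw `or_username` cookie and `IdentAuth` the reply of the visitor's own ident daemon — and is handed straight to the template as `login_name` and into the log, so it is attacker-controlled input that the template must escape and that should be constrained here, e.g. `$username = substr( trim($username), 0, 64 );` before `setTemplateVar`, or better filtered to the character set the login form accepts (not visible in this hunk). `explode(',', ...)` keeps surrounding whitespace and empty entries, so `$moduleClass = trim($module).'Auth';` plus a `continue` on an empty name avoids instantiating the bare `Auth` interface for a list such as the former default `'Internal,'`. The class name is assembled from configuration only, which is acceptable, but a comment like `// Module names come from config only; never build the class name from request data.` makes that assumption explicit for the next editor. loginView() starts before this hunk.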
@@ -409,6 +430,7 @@ class LoginAction extends Action
$this->setTemplateVar('projectid' ,$this->getRequestVar('projectid' ,OR_FILTER_NUMBER) );
$this->setTemplateVar('modelid' ,$this->getRequestVar('modelid' ,OR_FILTER_NUMBER) );
$this->setTemplateVar('languageid',$this->getRequestVar('languageid',OR_FILTER_NUMBER) );
+
}
@@ -760,18 +782,32 @@ class LoginAction extends Action
$newPassword2 = $this->getRequestVar('password2' ,OR_FILTER_ALPHANUM);
// Cookie setzen
- setcookie('or_username',$loginName,time()+(60*60*24*30*12*2) );
- setcookie('or_dbid',$this->getRequestVar('dbid'),time()+(60*60*24*30*12*2) );
-
- // Ermitteln, ob der Baum angezeigt werden soll
- // Ist die Breite zu klein, dann wird der Baum nicht angezeigt
- //Session::set('showtree',intval($this->getRequestVar('screenwidth')) > $conf['interface']['min_width'] );
+ $cookieLifetime = 60*60*24*30*12*2; // 2 Jahre.
+ setcookie('or_username',$loginName ,time()+$cookieLifetime );
+ setcookie('or_dbid' ,$this->getRequestVar('dbid'),time()+$cookieLifetime );
+ // Authentifzierung.
+ $modules = explode(',',$conf['security']['modules']['authenticate']);
+
+ $loginOk = false;
+ foreach( $modules as $module)
+ {
+ $moduleClass = $module.'Auth';
+ $auth = new $moduleClass;
+ $loginOk = $auth->login( $loginName,$loginPassword );
+
+ if ( $loginOk )
+ break; // Login erfolgreich.
+ }
+
+ $this->setTemplateVar('login_name',$username);
+
+ /*
$loginOk = $this->checkLogin( $loginName,
$loginPassword,
$newPassword1,
$newPassword2 );
-
+ */
if ( !$loginOk )
{
// Anmeldung nicht erfolgreich
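Review bot: `$this->setTemplateVar('login_name',$username);` after the authentication loop reads `$username`, which is never assigned in this method (the submitted name lives in `$loginName`), so the template receives null and PHP emits an undefined-variable notice; it should be `$this->setTemplateVar('login_name',$loginName);`. The loop also treats any truthy return of `$auth->login()` as success and would try to instantiate the `Auth` interface for an empty list entry, so `if ( trim($module) === '' ) continue;` before `new $moduleClass` and `$loginOk = ( $auth->login( $loginName,$loginPassword ) === true );` harden it. Commenting out `checkLogin()` silently drops the `$newPassword1`/`$newPassword2` arguments that were passed to it, so the change-password-on-login path no longer runs through this method unless it is handled elsewhere. The `or_username`/`or_dbid` cookies are still issued before the credentials are checked and without the `httponly`/`secure` flags, which the rewrite of those two lines was a chance to add; the method continues outside the hunk.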
diff --git a/auth/CookieAuth.class.php b/auth/CookieAuth.class.php
@@ -0,0 +1,30 @@
+<?php
+
+/**
+ * Authentifizierung als Gast-User.
+ *
+ * Falls konfiguriert, wird der Gast-Benutzer voreingestellt.
+ *
+ * @author dankert
+ */
+class CookieAuth implements Auth
+{
+ public function username()
+ {
+ if ( isset($_COOKIE['or_username']) )
+ return $_COOKIE['or_username'];
+ else
+ return null;
+ }
+
+
+ /**
+ * Ueberpruefen des Kennwortes ist über Ident nicht möglich.
+ */
+ public function login( $user, $password )
+ {
+ return false;
+ }
+}
+
+?>+
\ No newline at end of file
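Review bot: The docblock on `CookieAuth` still says "Authentifizierung als Gast-User" and the `login()` comment refers to Ident — both copied from sibling modules — and should describe this class: `Preselects the login name from the or_username cookie set on a previous login; cannot verify a password, so login() always returns false.` `username()` returns the cookie value untouched although it is fully client-controlled, so it should at least be type- and length-checked before it reaches the template, e.g. `return is_string($_COOKIE['or_username']) ? substr($_COOKIE['or_username'],0,64) : null;` with the exact character set taken from whatever the login form accepts. The trailing `?>` with no newline is also best dropped for a class-only file to avoid stray output.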
diff --git a/auth/IdentAuth.class.php b/auth/IdentAuth.class.php
@@ -13,9 +13,9 @@ class IdentAuth implements Auth
public function username()
{
$ip = Http::getClientIP();
- $port = 113;
-
- if ( !$socket = @fsockopen($ip,$port,$errno, $errstr,10 ))
+ $port = Http::getClientPort();
+ $identPort = 113;
+ if ( !$socket = @fsockopen($ip,$identPort,$errno, $errstr,10 ))
{
return null;
}
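Review bot: The 10-second limit on `fsockopen()` only bounds the connect; the later `fgets($socket, 1000)` has no stream timeout, so a visitor whose host accepts port 113 and never answers stalls the login page for as long as the server's socket timeout allows, and this now runs on every unauthenticated view because `Ident` heads the new preselect default. Add `stream_set_timeout($socket, 10);` right after the socket is opened and return null when `stream_get_meta_data($socket)` reports `timed_out` before the reply is parsed. `$port = Http::getClientPort();` is assigned here but its use lies in the lines between the two hunks; behind a reverse proxy both the IP and `REMOTE_PORT` belong to the proxy, which a comment on this method should state. username() starts before this hunk and continues past it.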
@@ -25,23 +25,16 @@ class IdentAuth implements Auth
$line = @fgets($socket, 1000); // 1000 octets according to RFC 1413
fclose($socket);
- $array = explode(':', $string, 4);
- if (count($array) > 1 && ! strcasecmp(trim($array[1]), 'USERID'))
+ $array = explode(':', $line, 4);
+ if (count($array) >= 4 && ! strcasecmp(trim($array[1]), 'USERID'))
{
- if ( isset($array[3]) )
- return trim($array[3]);
- else
- Logger::warn('Ident: Invalid ident server response: '.$line);
-
- return null;
+ $username = trim($array[3]);
+ Logger::debug('Ident: User-Id: '.$username );
+ return $username;
}
- elseif (count($array) > 1 && ! strcasecmp(trim($array[1]), 'ERROR'))
+ elseif (count($array) >= 3 && ! strcasecmp(trim($array[1]), 'ERROR'))
{
- if ( isset($array[2]) )
- Logger::warn('Ident: '.trim($array[2]) );
- else
- Logger::warn('Ident: Invalid ident server response: '.$line);
-
+ Logger::debug('Ident: Error: '.trim($array[2]) );
return null;
}
else
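Review bot: The user id returned from `trim($array[3])` is whatever the visitor's own ident daemon chose to send — RFC 1413 itself states the reply cannot be trusted — so it must be treated as untrusted input rather than an identity, yet it is written to the log and then into the login form's `login_name`. Constrain it before returning, e.g. `if ( !preg_match('/^[\x21-\x7e]{1,64}$/', $username) ) return null;`, and add `// Untrusted: the client controls this value; use it only to prefill the form.` above the return. A fake identd or a proxy in front of the client can inject arbitrary text here, including control characters that end up in the log line; the method continues outside the hunk.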
diff --git a/auth/LdapAuth.class.php b/auth/LdapAuth.class.php
@@ -18,208 +18,95 @@ SQL
$row_user = $db->getRow( $sql );
- $check = false;
- $authType = $conf['security']['auth']['type']; // Entweder 'ldap', 'authdb', 'http', oder 'database'
+ Logger::debug( 'checking login via ldap' );
+ $ldap = new Ldap();
+ $ldap->connect();
- if ( !empty($row_user) )
+ if ( empty($conf['ldap']['dn']) )
{
- // Benutzername ist bereits in der Datenbank.
- $this->userid = $row_user['id'];
- $this->ldap_dn = $row_user['ldap_dn'];
- $check = true;
- $autoAdd = false; // Darf nicht hinzugef�gt werden, da schon vorhanden.
- }
- elseif( $authType == 'ldap' && $conf['ldap']['search']['add'] )
- {
- // Benutzer noch nicht in der Datenbank vorhanden.
- // Falls ein LDAP-Account gefunden wird, wird dieser �bernommen.
- $check = true;
- $autoAdd = true;
- }
- elseif( $authType == 'authdb' && $conf['security']['authdb']['add'] )
- {
- $check = true;
- $autoAdd = true;
+ // Der Benutzername wird im LDAP-Verzeichnis gesucht.
+ // Falls gefunden, wird der DN (=der eindeutige Schl�ssel im Verzeichnis) ermittelt.
+ $dn = $ldap->searchUser( $this->name );
+
+ if ( empty($dn) )
+ {
+ Logger::debug( 'User not found in LDAP directory' );
+ return false; // Kein LDAP-Account gefunden.
+ }
+
+ Logger::debug( 'User found: '.$dn );
}
- elseif( $authType == 'http' && $conf['security']['http']['add'] )
+ else
{
- $check = true;
- $autoAdd = true;
+ $dn = str_replace( '{user}',$this->name,$conf['ldap']['dn'] );
}
-
- if ( $check )
+
+ // LDAP-Login versuchen
+ $ok = $ldap->bind( $dn, $password );
+
+ Logger::debug( 'LDAP bind: '.($ok?'success':'failed') );
+
+ if ( $ok && $conf['security']['authorize']['type'] == 'ldap' )
{
- // Falls benutzerspezifischer LDAP-dn vorhanden wird Benutzer per LDAP authentifiziert
- if ( $conf['security']['auth']['userdn'] && !empty($this->ldap_dn ) )
- {
- Logger::debug( 'checking login via ldap' );
- $ldap = new Ldap();
- $ldap->connect();
-
- // Benutzer ist bereits in Datenbank
- // LDAP-Login mit dem bereits vorhandenen DN versuchen
- $ok = $ldap->bind( $this->ldap_dn, $password );
-
- // Verbindung zum LDAP-Server brav beenden
- $ldap->close();
-
- return $ok;
- }
- elseif( $authType == 'ldap' )
- {
- Logger::debug( 'checking login via ldap' );
- $ldap = new Ldap();
- $ldap->connect();
-
- if ( empty($conf['ldap']['dn']) )
- {
- // Der Benutzername wird im LDAP-Verzeichnis gesucht.
- // Falls gefunden, wird der DN (=der eindeutige Schl�ssel im Verzeichnis) ermittelt.
- $dn = $ldap->searchUser( $this->name );
-
- if ( empty($dn) )
- {
- Logger::debug( 'User not found in LDAP directory' );
- return false; // Kein LDAP-Account gefunden.
- }
-
- Logger::debug( 'User found: '.$dn );
- }
- else
- {
- $dn = str_replace( '{user}',$this->name,$conf['ldap']['dn'] );
- }
-
- // LDAP-Login versuchen
- $ok = $ldap->bind( $dn, $password );
-
- Logger::debug( 'LDAP bind: '.($ok?'success':'failed') );
-
- if ( $ok && $conf['security']['authorize']['type'] == 'ldap' )
- {
- $sucheAttribut = $conf['ldap']['authorize']['group_name'];
- $sucheFilter = str_replace('{dn}',$dn,$conf['ldap']['authorize']['group_filter']);
-
- $ldap_groups = $ldap->searchAttribute( $sucheFilter, $sucheAttribut );
- $sql_ldap_groups = "'".implode("','",$ldap_groups)."'";
-
- $sql = new Sql( <<<SQL
+ $sucheAttribut = $conf['ldap']['authorize']['group_name'];
+ $sucheFilter = str_replace('{dn}',$dn,$conf['ldap']['authorize']['group_filter']);
+
+ $ldap_groups = $ldap->searchAttribute( $sucheFilter, $sucheAttribut );
+ $sql_ldap_groups = "'".implode("','",$ldap_groups)."'";
+
+ $sql = new Sql( <<<SQL
SELECT id,name FROM {t_group}
WHERE name IN($sql_ldap_groups)
ORDER BY name ASC
SQL
- );
- $oldGroups = $this->getGroupIds();
- $this->groups = $db->getAssoc( $sql );
-
- foreach( $this->groups as $groupid=>$groupname)
- {
- if ( ! in_array($groupid,$oldGroups))
- $this->addGroup($groupid);
- }
- foreach( $oldGroups as $groupid)
- {
- if ( !isset($this->groups[$groupid]) )
- $this->delGroup($groupid);
- }
-
-
- // Pr�fen, ob Gruppen fehlen. Diese dann ggf. in der OpenRat-Datenbank hinzuf�gen.
- if ( $conf['ldap']['authorize']['auto_add'] )
- {
- foreach( $ldap_groups as $group )
- {
- if ( !in_array($group,$this->groups) ) // Gruppe schon da?
- {
- $g = new Group();
- $g->name = $group;
- $g->add(); // Gruppe hinzuf�gen
-
- $this->groups[$g->groupid] = $group;
- }
- }
- }
-// Html::debug($this->groups,'Gruppen/Ids des Benutzers');
- }
-
- // Verbindung zum LDAP-Server brav beenden
- $ldap->close();
-
- if ( $ok && $autoAdd )
- {
- // Falls die Authentifizierung geklappt hat, wird der
- // LDAP-Account in die Datenbank �bernommen.
- $this->ldap_dn = $dn;
- $this->fullname = $this->name;
- $this->add();
- $this->save();
- }
-
- return $ok;
+ );
+ $oldGroups = $this->getGroupIds();
+ $this->groups = $db->getAssoc( $sql );
+
+ foreach( $this->groups as $groupid=>$groupname)
+ {
+ if ( ! in_array($groupid,$oldGroups))
+ $this->addGroup($groupid);
}
- elseif( $authType == 'database' )
+ foreach( $oldGroups as $groupid)
{
- // Pruefen ob Kennwort mit Datenbank uebereinstimmt
- if ( $row_user['password'] == $password )
- {
- // Kennwort stimmt mit Datenbank �berein, aber nur im Klartext.
- // Das Kennwort muss ge�ndert werden
- $this->mustChangePassword = true;
-
- // Login nicht erfolgreich
- return false;
- }
- elseif ( $row_user['password'] == md5( $this->saltPassword($password) ) )
- {
- // Die Kennwort-Pr�fsumme stimmt mit dem aus der Datenbank �berein.
- // Juchuu, Login ist erfolgreich.
- return true;
- }
- else
- {
- // Kennwort stimmt garnicht �berein.
- return false;
- }
+ if ( !isset($this->groups[$groupid]) )
+ $this->delGroup($groupid);
}
- elseif( $authType == 'authdb' )
+
+
+ // Pr�fen, ob Gruppen fehlen. Diese dann ggf. in der OpenRat-Datenbank hinzuf�gen.
+ if ( $conf['ldap']['authorize']['auto_add'] )
{
- $authdb = new DB( $conf['security']['authdb'] );
- $sql = new Sql( $conf['security']['authdb']['sql'] );
- $sql->setString('username',$this->name);
- $sql->setString('password',$password);
- $row = $authdb->getRow( $sql );
- $ok = !empty($row);
-
- if ( $ok && $autoAdd )
+ foreach( $ldap_groups as $group )
{
- // Falls die Authentifizierung geklappt hat, wird der
- // Benutzername in der eigenen Datenbank eingetragen.
- $this->fullname = $this->name;
- $this->add();
- $this->save();
+ if ( !in_array($group,$this->groups) ) // Gruppe schon da?
+ {
+ $g = new Group();
+ $g->name = $group;
+ $g->add(); // Gruppe hinzuf�gen
+
+ $this->groups[$g->groupid] = $group;
+ }
}
- // noch nicht implementiert: $authdb->close();
-
- return $ok;
- }
- elseif( $authType == 'http' )
- {
- $http = new Http( $conf['security']['http']['url'] );
- $http->method = 'HEAD';
- $http->setBasicAuthentication( $this->name, $password );
-
- $ok = $http->request();
-
- return $ok;
- }
- else
- {
- die( 'unknown authentication-type in configuration: '.$authType );
}
+// Html::debug($this->groups,'Gruppen/Ids des Benutzers');
}
+
+ // Verbindung zum LDAP-Server brav beenden
+ $ldap->close();
- // Benutzername nicht in Datenbank.
- return false;
+ if ( $ok && $autoAdd )
+ {
+ // Falls die Authentifizierung geklappt hat, wird der
+ // LDAP-Account in die Datenbank �bernommen.
+ $this->ldap_dn = $dn;
+ $this->fullname = $this->name;
+ $this->add();
+ $this->save();
+ }
+
+ return $ok;
}
public function username()
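Review bot: `if ( $ok && $autoAdd )` near the end of the rewritten `login()` reads `$autoAdd`, which the new code no longer defines anywhere (the removed lines derived it from `$conf['ldap']['search']['add']`), so the auto-add branch is dead and emits a notice; it should follow the new default, e.g. `$autoAdd = empty($row_user) && !empty($conf['security']['newuser']['autoadd']);` right after `$row_user` is loaded. More importantly, `$ldap->bind( $dn, $password )` is reached without rejecting an empty password, and many directory servers answer an unauthenticated (empty-password) simple bind with success, which would log anyone in as any known user, so add `if ( $password === '' ) return false;` before the bind unless `Ldap::bind()` is known to guard this. The method still relies on `$this->name`, `$this->getGroupIds()`, `$this->addGroup()`, `$this->add()`/`save()` from the former User class; if this is now an `Auth` module with a `login($username,$password)` signature like its siblings, those members do not exist and `$this->name` is null. The LDAP group names are still interpolated into the `IN(...)` SQL string via `implode`; binding them as parameters would remove the reliance on directory data being SQL-safe. The signature of `login()` lies before this hunk.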
diff --git a/auth/LdapUserDNAuth.class.php b/auth/LdapUserDNAuth.class.php
@@ -0,0 +1,60 @@
+<?php
+
+/**
+ * Authentifizierung gegen einen LDAP-Server.
+ *
+ * @author Jan Dankert
+ */
+class LdapAuth implements Auth
+{
+
+ /**
+ * @see Auth::login()
+ */
+ public function login($username, $password)
+ {
+ $db = db_connection();
+ $this->mustChangePassword = false;
+
+ // Lesen des Benutzers aus der DB-Tabelle
+ $sql = new Sql( <<<SQL
+SELECT * FROM {t_user}
+ WHERE name={name}
+SQL
+ );
+ $sql->setString('name',$this->name);
+
+ $row_user = $db->getRow( $sql );
+
+ if ( empty($row_user) )
+ return false;
+
+ // Benutzername ist bereits in der Datenbank.
+ $userid = $row_user['id'];
+ $ldap_dn = $row_user['ldap_dn'];
+
+ if ( empty($ldap_dn ) )
+ return false;
+
+ Logger::debug( 'checking login via ldap' );
+ $ldap = new Ldap();
+ $ldap->connect();
+
+ // Benutzer ist bereits in Datenbank
+ // LDAP-Login mit dem bereits vorhandenen DN versuchen
+ $ok = $ldap->bind( $this->ldap_dn, $password );
+
+ // Verbindung zum LDAP-Server brav beenden
+ $ldap->close();
+
+ return $ok;
+ }
+
+ public function username()
+ {
+ return null;
+ }
+
+}
+
+?>+
\ No newline at end of file
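Review bot: The class in `LdapUserDNAuth.class.php` is declared as `class LdapAuth`, so the `LdapUserDN` entry in the new `authenticate` default resolves to a non-existent `LdapUserDNAuth`, and the file cannot be loaded alongside `LdapAuth.class.php` without a redeclaration error; it must be `class LdapUserDNAuth implements Auth`. Inside `login()`, the `$username` argument is ignored in favour of an unset `$this->name`, and the bind uses `$this->ldap_dn` although the DN was stored in the local `$ldap_dn` — both are null, so the bind runs with an empty DN and the submitted password, which some servers accept as an anonymous or unauthenticated bind and would then log the caller in. An empty password should also be rejected before binding, and `$userid`/`$this->mustChangePassword` are unused here. Suggested rewrite of the affected lines:
```php
class LdapUserDNAuth implements Auth
{
    public function login($username, $password)
    {
        // A simple bind with an empty password is "unauthenticated" on many
        // servers and succeeds, so never forward it to the directory.
        if ( $password === '' )
            return false;

        $db = db_connection();
        // … unchanged: SQL select of the user row by {name} …
        $sql->setString('name',$username);
        $row_user = $db->getRow( $sql );

        // Only users already known locally with a stored DN may bind this way.
        if ( empty($row_user) || empty($row_user['ldap_dn']) )
            return false;

        $ldap = new Ldap();
        $ldap->connect();
        $ok = ( $ldap->bind( $row_user['ldap_dn'], $password ) === true );
        $ldap->close();

        return $ok;
    }
    // … unchanged: username() …
}
```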
diff --git a/auth/include.inc.php b/auth/include.inc.php
@@ -1,6 +1,8 @@
<?php
require_once( OR_AUTHCLASSES_DIR."Auth.class.".PHP_EXT );
+require_once( OR_AUTHCLASSES_DIR."CookieAuth.class.".PHP_EXT );
require_once( OR_AUTHCLASSES_DIR."DatabaseAuth.class.".PHP_EXT );
+require_once( OR_AUTHCLASSES_DIR."GuestAuth.class.".PHP_EXT );
require_once( OR_AUTHCLASSES_DIR."HttpAuth.class.".PHP_EXT );
require_once( OR_AUTHCLASSES_DIR."IdentAuth.class.".PHP_EXT );
require_once( OR_AUTHCLASSES_DIR."InternalAuth.class.".PHP_EXT );
@@ -9,7 +11,4 @@ require_once( OR_AUTHCLASSES_DIR."OpenIdAuth.class.".PHP_EXT );
require_once( OR_AUTHCLASSES_DIR."PersonasAuth.class.".PHP_EXT );
require_once( OR_AUTHCLASSES_DIR."SingleSignonAuth.class.".PHP_EXT );
require_once( OR_AUTHCLASSES_DIR."SSLAuth.class.".PHP_EXT );
-require_once( OR_AUTHCLASSES_DIR."GuestAuth.class.".PHP_EXT );
-/*
-*/
?>
\ No newline at end of file
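Review bot: The new configuration default `'LdapUserDN,Database,Internal'` for `authenticate` needs `LdapUserDNAuth.class.php`, but this include list only gains `CookieAuth` and `GuestAuth` (the latter merely moved), so `new LdapUserDNAuth` in `LoginAction` fails unless the file is required on one of the two lines not shown between the hunks; add `require_once( OR_AUTHCLASSES_DIR."LdapUserDNAuth.class.".PHP_EXT );` next to `LdapAuth`. Because the module class name is built from a config string at runtime, a short comment stating that every module listed in `$conf['security']['modules']` must be required here would save the next person a fatal error.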
diff --git a/config/config-default.php b/config/config-default.php
@@ -730,10 +730,15 @@ $conf['security']['auth']['userdn']=false;
$conf['security']['authorize'] = array();
$conf['security']['authorize']['type']='database';
$conf['security']['authorize']['type']='ldap';
-$conf['security']['modules']['autologin']='ident,guest,SingleSignon';
-$conf['security']['modules']['preselect']='cookie';
-$conf['security']['modules']['select']='SSL';
-$conf['security']['modules']['authenticate']='Internal,';
+
+$conf['security']['modules'] = array();
+$conf['security']['modules']['autologin']='Guest,SingleSignon';
+$conf['security']['modules']['preselect']='Ident,SSL,Cookie';
+$conf['security']['modules']['authenticate']='LdapUserDN,Database,Internal';
+
+$conf['security']['newuser'] = array();
+$conf['security']['newuser']['autoadd'] = true;
+$conf['security']['newuser']['autogroups'] = "";
$conf['security']['password'] = array();
$conf['security']['password']['random_length']='8';
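Review bot: Placing `Ident` first in `$conf['security']['modules']['preselect']` makes every unauthenticated view of the login form open an outbound TCP connection to the visitor's address on port 113 and wait up to the ident timeout before rendering; that is latency and resource cost any visitor can impose, and the answer is untrusted by definition (RFC 1413), so the shipped default should be `'Cookie'` (or `'SSL,Cookie'`) with `Ident` opt-in and a comment saying why. `$conf['security']['newuser']['autoadd'] = true` is likewise a permissive default — any name that passes one of the `authenticate` modules gets a local account created — and deserves `false` out of the box plus a comment stating the consequence. The rename of `newuser.groups` to `newuser.autogroups` silently drops existing installations' setting; `// formerly $conf['security']['newuser']['groups']` next to it helps migration.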
@@ -785,8 +790,6 @@ $conf['security']['sso']['force']=true;
$conf['security']['sso']['expect']='0';
$conf['security']['sso']['expect_regexp']="/running on/";
$conf['security']['sso']['username_regexp']="/running on localhost as ([a-z]+)@localhost/";
-$conf['security']['newuser'] = array();
-$conf['security']['newuser']['groups']="YourGroup,AnotherGroup";
$conf['security']['logout'] = array();
$conf['security']['logout']['redirect_url']="http://your.intranet.example/";
$conf['security']['logout']['redirect_url']='0';
diff --git a/themes/default/js/openrat.js b/themes/default/js/openrat.js
@@ -269,7 +269,7 @@ function registerViewEvents( viewEl )
else
$formInput.addClass('invisible');
- if ( $('div.window form input[type=password]').length>0 )
+ if ( $('div.window form input[type=password]').length>0 && $('#uname').attr('value')!='' )
{
$('div.window form input[name=login_name] ').attr('value',$('#uname' ).attr('value'));
$('div.window form input[name=login_password]').attr('value',$('#upassword').attr('value'));
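Review bot: `$('#uname').attr('value')!=''` is true when `#uname` is absent (`undefined != ''`), so the guard only protects the server-prefilled `login_name` because jQuery treats `.attr('value', undefined)` as a getter and leaves the field alone; that is implicit and breaks as soon as someone switches the assignment to `.val()`. Make the intent explicit with `var uname = $('#uname').val(); if ( $('div.window form input[type=password]').length>0 && uname )`, which also reads the current value rather than the initial attribute. The enclosing `registerViewEvents()` starts and ends outside this hunk.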
diff --git a/util/Http.class.php b/util/Http.class.php
@@ -547,6 +547,20 @@ HTML;
return $ip;
}
+
+
+
+ public static function getClientPort()
+ {
+ $ip = '';
+
+ if ( isset($_SERVER["REMOTE_PORT"]) )
+ {
+ $ip = $_SERVER["REMOTE_PORT"];
+ }
+
+ return $ip;
+ }
}
?>
\ No newline at end of file
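Review bot: `getClientPort()` stores the port in a variable named `$ip` and returns `''` when `REMOTE_PORT` is unset, whereas its caller in `IdentAuth` needs an integer; rename and cast it: `$port = isset($_SERVER['REMOTE_PORT']) ? (int)$_SERVER['REMOTE_PORT'] : 0; return $port;`. A docblock should state what the value means, e.g. `/** Source port of the current TCP connection, or 0 if unknown. Behind a reverse proxy this is the proxy's port, not the end user's. */`. The preceding `return $ip;` belongs to a function that starts before this hunk.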