Source for file authldap.php
Documentation is available at authldap.php
<?php // $Id: authldap.php 15253 2008-05-09 03:00:19Z yannoo $ ============================================================================== Dokeos - elearning and course management software Copyright (c) 2004 Dokeos SPRL Copyright (c) 2003 Ghent University (UGent) Copyright (c) 2001 Universite catholique de Louvain (UCL) Copyright (c) Universite Jean Monnet de Saint Etienne Copyright (c) Roan Embrechts (Vrije Universiteit Brussel) For a full list of contributors, see "credits.txt". The full license can be read in "license.txt". This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. See the GNU General Public License for more details. Contact address: Dokeos, rue du Corbeau, 108, B-1030 Brussels, Belgium ============================================================================== ======================================================================= * If the application uses LDAP, these functions are used * for logging in, searching user info, adding this info * to the Dokeos database... ======================================================================= - function ldap_authentication_check() - function ldap_find_user_info() - function ldap_put_user_info_locally() - (fixed 18 june 2003) code has been internationalized - (fixed 07/05/2003) fixed some non-relative urls or includes - (fixed 28/04/2003) we now use global config.inc variables instead of local ones - (fixed 22/04/2003) the last name of a user was restricted to the first part - (fixed 11/04/2003) the user was never registered as a course manager 3.2 - updated to allow for specific term search for teachers identification 3.1 - updated code to use database settings, to respect coding conventions as much as possible (camel-case removed) and to allow for non-anonymous login 3.0 - updated to use ldap_var.inc.php instead of ldap_var.inc (deprecated) 2.9 - further changes for new login procedure - (busy) translating french functions to english 2.8 - adapted for new Claroline login procedure - ldap package now becomes a standard, in auth/ldap 2.7 - uses more standard LDAP field names: mail, sn, givenname instead of mail, preferredsn, preferredgivenname - fixed bug: dc = xx, dc = yy was configured for UGent and put literally in the code, this is now a variable in configuration.php ($LDAPbasedn) - Stefan De Wannemacker (Ghent University) - Universite Jean Monet (J Dubois / Michel Courbon) - Michel Panckoucke for reporting and fixing a bug - Patrick Cool: fixing security hole * @package dokeos.auth.ldap ======================================================================= require ('ldap_var.inc.php');=============================================================== CHECK LOGIN & PASSWORD WITH LDAP * @return true when login & password both OK, false otherwise =============================================================== * @author Roan Embrechts (based on code from Universit� Jean Monet) //require_once(api_get_path(INCLUDE_PATH).'../connect/authldap.php'); //error_log('Entering ldap_login('.$login.','.$password.')',0); // res=-1 -> the user does not exist in the ldap database // res=1 -> invalid password (user does exist) if ($res== 1) //WRONG PASSWORD //$errorMessage = "LDAP Username or password incorrect, please try again.<br>"; if (isset ($log)) unset ($log); if (isset ($uid)) unset ($uid); $loginLdapSucces = false; if ($res==- 1) //WRONG USERNAME //$errorMessage = "LDAP Username or password incorrect, please try again.<br>"; $login_ldap_success = false; if ($res== 0) //LOGIN & PASSWORD OK - SUCCES //$errorMessage = "Successful login w/ LDAP.<br>"; $login_ldap_success = true; //$result = "This is the result: $errorMessage"; $result = $login_ldap_success; =============================================================== * @return an array with positions "firstname", "name", "email", "employeenumber" =============================================================== * @author Stefan De Wannemacker //error_log('Entering ldap_find_user_info('.$login.')',0); global $ldap_host, $ldap_port, $ldap_basedn, $ldap_rdn, $ldap_pass, $ldap_search_dn; // basic sequence with LDAP is connect, bind, search, // interpret search result, close connection //echo " Connect to LDAP server successful "; //echo " LDAP bind successful... "; //echo " Searching for uid... "; //OLD: $sr=ldap_search($ldapconnect,"dc=rug, dc=ac, dc=be", "uid=$login"); //echo "<p> ldapDc = '$LDAPbasedn' </p>"; if(!empty($ldap_search_dn)) $sr= ldap_search($ldap_connect, $ldap_search_dn, "uid=$login"); $sr= ldap_search($ldap_connect, $ldap_basedn, "uid=$login"); //echo " Search result is ".$sr; //echo " Number of entries returned is ".ldap_count_entries($ldapconnect,$sr); //echo " Getting entries ..."; //echo "Data for ".$info["count"]." items returned:<p>"; //echo "LDAP bind failed..."; //echo "Closing LDAP connection<hr>"; //echo "<h3>Unable to connect to LDAP server</h3>"; //DEBUG: $result["firstname"] = "Jan"; $result["name"] = "De Test"; $result["email"] = "email@ugent.be"; $result["firstname"] = $info[0]["givenname"][0]; $result["name"] = $info[0]["sn"][0]; $result["email"] = $info[0]["mail"][0]; $result[$tutor_field] = $info[0][$tutor_field]; //employeenumber by default * This function uses the data from ldap_find_user_info() * to add the userdata to Dokeos * "firstname", "name", "email", "isEmployee" =============================================================== //error_log('Entering ldap_put_user_info_locally('.$login.',info_array)',0); global $ldap_pass_placeholder; global $submitRegistration, $submit, $uname, $email, $nom, $prenom, $password, $password1, $status; global $platformLanguage; global $loginFailed, $uidReset, $_user; /*---------------------------------------------------------- 1. set the necessary variables ------------------------------------------------------------ */ $email = $info_array["email"]; $nom = $info_array["name"]; $prenom = $info_array["firstname"]; $password = $ldap_pass_placeholder; $password1 = $ldap_pass_placeholder; //in this case, we are assuming that the admin didn't give a criteria // so that if the field is not empty, it is a tutor if(!empty($info_array[$tutor_field])) //the tutor_value is filled, so we need to check the contents of the LDAP field if (is_array($info_array[$tutor_field]) && in_array($tutor_value,$info_array[$tutor_field])) //$official_code = xxx; //example: choose an attribute /*---------------------------------------------------------- ------------------------------------------------------------ */ $email, $uname, $password, $official_code, 'english','', '', 'ldap'); //echo "new user added to Dokeos, id = $_userId"; //user_id, username, password, auth_source /*---------------------------------------------------------- ------------------------------------------------------------ */ $uData['user_id'] = $_userId; $uData['username'] = $uname; $uData['auth_source'] = "ldap"; $_user['user_id'] = $uData['user_id']; /* >>>>>>>>>>>>>>>> end of UGent LDAP routines <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< */ /* >>>>> Older but necessary code of Universite Jean-Monet <<<<< */ =========================================================== The code of UGent uses these functions to authenticate. * function AuthVerifEnseignant ($uname, $passwd) * function AuthVerifEtudiant ($uname, $passwd) * function Authentif ($uname, $passwd) =========================================================== * translate the comments and code to english * let these functions use the variables in config.inc instead of ldap_var.inc //*** variables en entree // $uname : username entre au clavier // $passwd : password fournit par l'utilisateur //*** en sortie : 3 valeurs possibles // 0 -> authentif reussie // 1 -> password incorrect // -1 -> ne fait partie du LDAP //--------------------------------------------------- // verification de l'existence du membre dans le LDAP //error_log('Entering ldap_authentication_check('.$uname.','.$passwd.')',0); global $ldap_host, $ldap_port, $ldap_basedn, $ldap_host2, $ldap_port2,$ldap_rdn,$ldap_pass; //error_log('Entering ldap_authentication_check('.$uname.','.$passwd.')',0); // Establish anonymous connection with LDAP server // Etablissement de la connexion anonyme avec le serveur LDAP //en cas de probleme on utlise le replica if($test_bind_res=== false){ //error_log('Connected to server '.$ldap_host); // Creation du filtre contenant les valeurs saisies par l'utilisateur // Open anonymous LDAP connection // Ouverture de la connection anonyme ldap // Execution de la recherche avec $filtre en parametre //error_log('Searching for '.$filter.' on LDAP server',0); // La variable $info recoit le resultat de la requete //affichage debug !! echo"<br> dn = $dn<br> pass = $passwd<br>"; // fermeture de la 1ere connexion // teste le Distinguish Name de la 1ere connection return (- 1); // ne fait pas partie de l'annuaire //bug ldap.. si password vide.. retourne vrai !! // Ouverture de la 2em connection Ldap : connexion user pour verif mot de passe // retour en cas d'erreur de connexion password incorrecte if (@ldap_bind( $ds, $dn , $passwd) === false) { return (1); // mot passe invalide * Set the protocol version with version from config file (enables LDAP version 3) * @param resource The LDAP connexion resource, passed by reference. //error_log('Entering ldap_set_version(&$resource)',0); //failure - should switch back to version 2 by default * Handle bind (whether authenticated or not) * @param resource The LDAP handler to which we are connecting (by reference) * @param resource The LDAP bind handler we will be modifying * @return boolean Status of the bind assignment. True for success, false for failure. //error_log('Entering ldap_handle_bind(&$ldap_handler,&$ldap_bind)',0); global $ldap_rdn,$ldap_pass; if(!empty($ldap_rdn) and !empty($ldap_pass)) //error_log('Trying authenticated login :'.$ldap_rdn.'/'.$ldap_pass,0); $ldap_bind = ldap_bind($ldap_handler,$ldap_rdn,$ldap_pass); //error_log('Authenticated login failed',0); //try in anonymous mode, you never know... // this is an "anonymous" bind, typically read-only access: //error_log('Login finally OK',0); * Get the total number of users on the platform * @see SortableTable#get_total_number_of_items() * @author Mustapha Alouani global $ldap_basedn, $ldap_host, $ldap_port, $ldap_rdn, $ldap_pass; if ($keyword_username != "") { $ldap_query[]= "(uid=". $keyword_username. "*)"; } else if ($keyword_lastname!= ""){ $ldap_query[]= "(sn=". $keyword_lastname. "*)"; if ($keyword_firstname!= "") { $ldap_query[]= "(givenName=". $keyword_firstname. "*)"; if ($keyword_type != "" && $keyword_type != "all") { $ldap_query[]= "(employeeType=". $keyword_type. ")"; if (count($ldap_query)> 1){ foreach ($ldap_query as $query){ $str_query= $ldap_query[0]; if ($ds && count($ldap_query)> 0) { //$sr = ldap_search($ds, "ou=test-ou,$ldap_basedn", $str_query); //echo "Le nombre de resultats est : ".ldap_count_entries($ds,$sr)."<p>"; if (count($ldap_query)!= 0) * Get the total number of users on the platform * @see SortableTable#get_total_number_of_items() * @author Mustapha Alouani * Get the users to display on the current page. * @see SortableTable#get_table_data($from) * @author Mustapha Alouani if (isset ($_GET['submit'])) for ($key = 0; $key < $info["count"]; $key ++ ) //YW: this might be a variation between LDAP 2 and LDAP 3, but in LDAP 3, the uid is in //the corresponding index of the array //$dn_array=ldap_explode_dn($info[$key]["dn"],1); //$user[] = $dn_array[0]; // uid is first key //$user[] = $dn_array[0]; // uid is first key $user[] = $info[$key]['uid'][0]; $user[] = $info[$key]['uid'][0]; $user[] = $info[$key]['mail'][0]; $outab[] = $info[$key]['eduPersonPrimaryAffiliation'][0]; // Ici "student" * Build the modify-column of the table * @param int $user_id The user id * @param string $url_params * @return string Some HTML-code with modify-buttons * @author Mustapha Alouani $url_params_id= "id[]=". $row[0]; //$url_params_id="id=".$row[0]; $result .= '<a href="ldap_users_list.php?action=add_user&user_id='. $user_id. '&id_session='. Security::remove_XSS($_GET['id_session']). '&'. $url_params_id. '&sec_token='. $_SESSION['sec_token']. '" onclick="javascript:if(!confirm('. "'". addslashes(htmlentities(get_lang("ConfirmYourChoice"))). "'". ')) return false;"><img src="../img/add_user.gif" border="0" style="vertical-align: middle;" title="'. get_lang('AddUsers'). '" alt="'. get_lang('AddUsers'). '"/></a>'; * Adds a user to the Dokeos database or updates its data * @param string username (and uid inside LDAP) * @author Mustapha Alouani global $ldap_basedn, $ldap_host, $ldap_port, $ldap_rdn, $ldap_pass; $str_query= "(uid=". $login. ")"; //echo "Le nombre de resultats est : ".ldap_count_entries($ds,$sr)."<p>"; for ($key = 0; $key < $info['count']; $key ++ ) $email = $info[$key]['mail'][0]; $username = $dn_array[0]; // uid is first key $outab[] = $info[$key]['edupersonprimaryaffiliation'][0]; // Ici "student" //$val = ldap_get_values_len($ds, $entry, "userPassword"); //$val = ldap_get_values_len($ds, $info[$key], "userPassword"); // TODO the password, if encrypted at the source, will be encrypted twice, which makes it useless. Try to fix that. $password = $info[$key]['userPassword'][0]; $structure= $info[$key]['edupersonprimaryorgunitdn'][0]; $array_structure= explode(",", $structure); $array_val= explode("=", $array_structure[0]); $array_val= explode("=", $array_structure[1]); // Pour faciliter la gestion on ajoute le code "etape-annee" $official_code= $etape. "-". $annee; // Pas de date d'expiration d'etudiant (a recuperer par rapport au shadow expire LDAP) $expiration_date= '0000-00-00 00:00:00'; if(empty($status)){$status = 5;} if(empty($phone)){$phone = '';} if(empty($picture_uri)){$picture_uri = '';} // Ajout de l'utilisateur $user_id = UserManager::create_user($firstname,$lastname,$status,$email,$username,$password,$official_code,api_get_setting('platformLanguage'),$phone,$picture_uri,$auth_source,$expiration_date,$active); $user_id= $user['user_id']; UserManager::update_user($user_id, $firstname, $lastname, $username, null, null, $email, $status, $official_code, $phone, $picture_uri, $expiration_date, $active); * Adds a list of users to one session * @param array Array of user ids * @param string Course code // Database Table Definitions $id_session = (int) $id_session; // Une fois les utilisateurs importer dans la base des utilisateurs, on peux les affecter a� la session $result= api_sql_query("SELECT course_code FROM $tbl_session_rel_course " . "WHERE id_session='$id_session'",__FILE__ ,__LINE__ ); $CourseList[]= $row['course_code']; foreach($CourseList as $enreg_course) foreach($UserList as $enreg_user) $enreg_user = (int) $enreg_user; api_sql_query("INSERT IGNORE INTO $tbl_session_rel_course_rel_user(id_session,course_code,id_user) VALUES('$id_session','$enreg_course','$enreg_user')",__FILE__ ,__LINE__ ); $sql = "SELECT COUNT(id_user) as nbUsers FROM $tbl_session_rel_course_rel_user " . "WHERE id_session='$id_session' AND course_code='$enreg_course'"; api_sql_query("UPDATE $tbl_session_rel_course SET nbr_users=$nbr_users " . "WHERE id_session='$id_session' AND course_code='$enreg_course'",__FILE__ ,__LINE__ ); foreach($UserList as $enreg_user) $enreg_user = (int) $enreg_user; api_sql_query("INSERT IGNORE INTO $tbl_session_rel_user(id_session, id_user) " . "VALUES('$id_session','$enreg_user')",__FILE__ ,__LINE__ ); // On mets a jour le nombre d'utilisateurs dans la session $sql = "SELECT COUNT(id_user) as nbUsers FROM $tbl_session_rel_user WHERE id_session='$id_session'"; api_sql_query("UPDATE $tbl_session SET nbr_users=$nbr_users WHERE id='$id_session'",__FILE__ ,__LINE__ );
|
