lordnazgul - 2010-08-11

We wanted Active Directory LDAP Auth for our users.  I came up with a kind of hack that does the job.  It's here if anyone else needs it…  Make sure that you change the appropriate fields for your domain controller and domain.  The diff file is below; apply it to /filemanage/classes/login.class.php

--- login.class.php 2010-08-11 09:53:22.346497600 -0500
+++ login.class.php 2010-08-11 12:15:17.000000000 -0500
@@ -53,7 +53,17 @@

     if (isset($_POST['login']) && isset($_POST['user']) && isset($_POST['pw']) && $bad_login_count < $GLOBALS['sets']['BAD_LOGIN_LIMIT']) {
       $user = @substr($_POST['user'], 0, 32);
-      $pw = sha1($GLOBALS['sets']['SHA1_SALT1'].@substr($_POST['pw'], 0, 128).$GLOBALS['sets']['SHA1_SALT2']);
+      //Change made for LDAP Auth
+      //J. Pastin 8-11-10
+      //
+      //If the user is 'admin', they still auth through MySQL, so hash the password
+      if ($user == 'admin') {
+           $pw = sha1($GLOBALS['sets']['SHA1_SALT1'].@substr($_POST['pw'], 0, 128).$GLOBALS['sets']['SHA1_SALT2']);
+      } else {
+      //For all other users, the password is being sent to LDAP, so leave it alone
+           $pw=$_POST['pw'];
+      }
+      //End Changes
       addlog(5, 'logintest', __LINE__, 'User attempted to log in');
       $login_type = 1;
     } elseif ($bad_login_count >= $GLOBALS['sets']['BAD_LOGIN_LIMIT']) {
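Review bot: The `$user == 'admin'` test at the first added `if` runs on the raw POST value, while the second hunk strips non-alphanumerics from `$user` before making the same decision, so a name such as `admin!` skips hashing here but is treated as admin there; sanitise before comparing, e.g. `$user = preg_replace('/[^a-zA-Z0-9s]/', '', @substr($_POST['user'], 0, 32));` followed by `if (strtolower($user) === 'admin') {`, and use the same comparison in the later hunk. The case-insensitive comparison matters because AD logon names are not case-sensitive and, if the users table uses MySQL's default case-insensitive collation, `Admin` would take the LDAP route yet still match the admin row and receive `perm = 255` without the MySQL password ever being checked. The `@substr($_POST['pw'], 0, 128)` length cap is also dropped in the else branch; keep it so both branches bound the input. The enclosing method starts before and continues after the hunk.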
@@ -76,12 +86,44 @@

     if (isset($user) && isset($pw)) {
       $user = preg_replace('/[^a-zA-Z0-9s]/', '', $user);
-      $pw = preg_replace('/[^a-zA-Z0-9s]/', '', $pw);
+      //Change made for LDAP Auth
+      //J. Pastin 8-11-10
+      //
+      //The password only needs to be sanitized if the user is 'admin',
+      //because it is going to MySQL, not LDAP.  LDAP passwords should not be sanitized.
+      if ($user == 'admin'){
+           $pw = preg_replace('/[^a-zA-Z0-9s]/', '', $pw);
+      }
       /*echo $user.'<br />';
       echo $pw.'<br />';*/
-      $query = 'SELECT id, perm, ullimit, rootdir, ip, sessname, bypassusers, bypasswords, totlogins FROM '.TABLE_PREFIX.'users WHERE user = "'.mysql_real_escape_string($user).'" AND password = "'.mysql_real_escape_string($pw).'" AND deleted = 0 LIMIT 1';
+      //If the user is 'admin' use the original MySQL select that includes password validation.
+      if ($user == 'admin'){
+           $query = 'SELECT id, perm, ullimit, rootdir, ip, sessname, bypassusers, bypasswords, totlogins FROM '.TABLE_PREFIX.'users WHERE user = "'.mysql_real_escape_string($user).'" AND password = "'.mysql_real_escape_string($pw).'" AND deleted = 0 LIMIT 1';
+      } else {
+      //Otherwise just select the user information from MySQL
+           $query = 'SELECT id, perm, ullimit, rootdir, ip, sessname, bypassusers, bypasswords, totlogins FROM '.TABLE_PREFIX.'users WHERE user = "'.mysql_real_escape_string($user).'" AND deleted = 0 LIMIT 1';
+      //Prepare for LDAP auth by estaplishing a connection to the server
+      //Change to reflect your domain controller
+           $ds=ldap_connect('ldap://mydc.mydomain.com') or die("Could not bind to AD!");
+
+      //Change to reflect your domain
+           $domain="AD";
+      
+      //Authenticate the user against LDAP
+           if (!@ldap_bind($ds, $domain."\\".$user, $pw)) {
+           $ldapAuth=FALSE;
+           } else {
+           $ldapAuth=TRUE;
+           }
+      }
       $result = $this->myquery($query, __LINE__, true);
-      if (mysql_num_rows($result) > 0) {
+
+      //If the user exists in MySQL the number of rows fetched will be greater
+      //than zero.  Also ensure that the user has authenticated either
+      //through LDAP or the original query in the case of 'admin'
+      //if (mysql_num_rows($result) > 0) {
+      if (mysql_num_rows($result) > 0 && ($ldapAuth || $user == 'admin')) {
+      //End Changes
         list($userid, $perm, $GLOBALS['ullimit'], $rootdir, $ip, $sessname, $bypassusers, $bypasswords, $totlogins) = mysql_fetch_row($result);
         if ($userid == 1)
           $perm = 255;
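Review bot: An empty password must be rejected before the `ldap_bind` call, because binding with an empty password is an anonymous (unauthenticated) bind that directories commonly accept, so `$ldapAuth` would become true for any username present in the users table when `pw` is blank. `$ldapAuth` is also assigned only inside the non-admin branch, so the combined check `($ldapAuth || $user == 'admin')` reads it undefined on the admin path; initialise it to `false` before the `if`. The connection uses plain `ldap://`, so the user's password crosses the network in clear text — use `ldaps://` (or `ldap_start_tls()`), set `LDAP_OPT_PROTOCOL_VERSION` to 3, and log `ldap_error()` instead of `@`-suppressing the bind. Note that `ldap_connect()` does not open a connection, so the `die("Could not bind to AD!")` there can only fire on a malformed URI, and `$ds` is never released with `ldap_unbind()`. The enclosing method starts before and continues after the hunk.
```php
      $ldapAuth = false;  // only an explicit successful bind may set this
      if ($user == 'admin'){
           // … unchanged: admin SELECT with password validation …
      } else {
           // … unchanged: SELECT without password …
           $ds = ldap_connect('ldaps://mydc.mydomain.com') or die("Could not initialise AD connection!");
           ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
           ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
           $domain = "AD";
           // An empty password turns ldap_bind into an anonymous bind, which succeeds; never send one.
           if ($pw !== '' && @ldap_bind($ds, $domain."\\".$user, $pw)) {
                $ldapAuth = true;
           } else {
                addlog(5, 'logintest', __LINE__, 'LDAP bind failed: '.ldap_error($ds));
           }
           ldap_unbind($ds);
      }
```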
@@ -97,7 +139,11 @@
         $this->perms($perm);
         $this->login = $userid;

-        if ($totlogins > 0) {
+   //Change to enable LDAP Auth
+   //J. Pastin 8-11-10
+   //
+   //Need to remove the mandatory password change if the user is new.
+        //if ($totlogins > 0) {
           if ($login_type == 1) {
             $query = 'UPDATE '.TABLE_PREFIX.'users SET ip = "'.mysql_real_escape_string($_SERVER['REMOTE_ADDR']).'", sessname = "'.mysql_real_escape_string(session_id()).'", lastlogin = '.time().', totlogins = totlogins + 1 WHERE id = '.$userid.' LIMIT 1';
             $this->myquery($query, __LINE__, true);
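Review bot: Commenting out `if ($totlogins > 0) {` here, together with its `else` branch in the last hunk, removes the forced first-login password change for the `admin` account as well, even though `admin` still authenticates against the MySQL hash and so still depends on that change; limit the bypass to LDAP users with `if ($totlogins > 0 || $user != 'admin') {` and restore the `else` branch in the last hunk instead of commenting it out. The disabled code in this hunk and the last one should be deleted rather than left as `/* … */` blocks, since the diff already records it and the mixed 3-space comment indentation makes the remaining structure hard to follow. The enclosing method starts before this hunk and ends after the last hunk.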
@@ -108,17 +154,18 @@
               return 0;
             }
           }
-        } else {
+        /*} else {
           if (isset($_POST['npw']) && $_POST['npw'] != NULL && $_POST['confirmpw'] == $_POST['npw']) {
             $pw = sha1($GLOBALS['sets']['SHA1_SALT1'].@substr($_POST['npw'], 0, 128).$GLOBALS['sets']['SHA1_SALT2']);
             $query = 'UPDATE '.TABLE_PREFIX.'users SET password = "'.mysql_real_escape_string($pw).'", ip = "'.mysql_real_escape_string($_SERVER['REMOTE_ADDR']).'", sessname = "'.mysql_real_escape_string(session_id()).'", lastlogin = '.time().', totlogins = totlogins + 1 WHERE id = '.$userid.' LIMIT 1';
             $this->myquery($query, __LINE__, true);
             $_SESSION['pw'] = $pw;
-          } else {
+          } else {*/
             /*****[ NEED TO INTEGRATE SMARTY HTML START/END HERE ]*************/
-            die($this->change_password());
+            /*die($this->change_password());
           }
-        }
+        }*/
+   //End Changes
         if (false !== strpos('..', $rootdir))
           die('<font color="red">ROOT must be a literal path (cannot contrain ".."). Notify an admin or moderator.');
         if (substr($rootdir, -1) == '/' || substr($rootdir, -1) == '\\')