ldap_auth.php changes

Developers
2007-07-06
2013-04-25
  • Brandon Blackmoor

    The following changes need to be made to ldap_auth.php in OpenIT 3.0.1 in order for it to authenticate with Active Directory:

    After each ldap_connect statement, the LDAP_OPT_PROTOCOL_VERSION and LDAP_OPT_REFERRALS settings need to be configured.

    Here is the modified ldap_auth.php:

    <?php
    /**
    * ldap_auth.php
    *
    * Accepts the user's login credentials, checks those credentials
    * against the LDAP server, and then grants or denies the user
    * access to the system.
    * @package OpenIT
    */

    if (empty ($_POST['Employee']) or empty ($_POST['Password']))
    {
        // username or password missing
        $redirect = 'login.php';
        $_SESSION['Login_Text'] = 'Please fill in username and password';
    }
    else
    {
        if ($settings['Login']['login_field'] == 'text')
        {
            $login_name = $_POST['Employee'];
        }
        else
        {
            // if using the pull down menu, find the user's data from the DB
            // for the login.
            // $query = 'SELECT FirstName, LastName, GroupID, EmployeeID
            //     FROM Employees
            //     WHERE EmployeeID = ' . $_POST['Employee'];

            // $res =& $db->query($query);
            // $row =& $res->fetchRow();
            // $login_name = $row['FirstName'] . " " . $row['LastName'];

            $row = DB_DataObject :: factory('Employees');
            $row->get($_POST['Employee']);
            $login_name = $row->FirstName.' '.$row->LastName;
        }

        // connect to the LDAP Server
        $ad = @ ldap_connect($settings['LDAP']['server']) or die("Could not connect to LDAP Server");

        // set version number
        ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3)
                or die ("Could not set ldap protocol");
        // Active Directory returns referrals the PHP client cannot follow; disable them
        ldap_set_option($ad, LDAP_OPT_REFERRALS, 0)
                or die ("Could not disable ldap referrals");

        if ($settings['LDAP']['usedummy'])
        {
            // if the login system is using the LDAP dummy account, bind to
            // that and search for the real login name of the user in the
            // LDAP structure

            $bd = @ ldap_bind($ad, $settings['LDAP']['dummylogin'], $settings['LDAP']['dummypassword']) or die('Dummy account LDAP login failed.');
            // escape the user-supplied name so it cannot alter the search filter (ldap_escape needs PHP 5.6+)
            $sr = ldap_search($ad, $settings['LDAP']['context'], '('.$settings['LDAP']['loginfield'].'='.ldap_escape($login_name, '', LDAP_ESCAPE_FILTER).')');

            if (ldap_count_entries($ad, $sr) == 0)
            {
                // invalid username
                $redirect = 'login.php';
                $_SESSION['Login_Text'] = 'User unknown in LDAP';
            }
            else
            {
                $entries = ldap_first_entry($ad, $sr);
                $username = ldap_get_values($ad, $entries, $settings['LDAP']['truelogin']);

                // make another connection to the LDAP server and bind to
                // test the password

                $ad2 = @ ldap_connect($settings['LDAP']['server']) or die("Could not connect to LDAP Server");

                // set version number
                ldap_set_option($ad2, LDAP_OPT_PROTOCOL_VERSION, 3)
                        or die ("Could not set ldap protocol");
                ldap_set_option($ad2, LDAP_OPT_REFERRALS, 0)
                        or die ("Could not disable ldap referrals");

                if (!$bd = @ ldap_bind($ad2, $username[0], $_POST['Password']))
                {
                    // invalid password
                    $redirect = 'login.php';
                    $_SESSION['Login_Text'] = 'Incorrect password.';
                }
                else
                {
                    // if this new bind is successful, grab the email address
                    // to match the user up with the OpenIT user in the DB

                    // same escaped filter as the lookup above
                    $sr = ldap_search($ad2, $settings['LDAP']['context'], '('.$settings['LDAP']['loginfield'].'='.ldap_escape($login_name, '', LDAP_ESCAPE_FILTER).')');
                    $entries = ldap_first_entry($ad2, $sr);

                    // to avoid a php error if there is no "mail" attribute;
                    // array_search returns index 0 when "mail" is the first attribute, so compare against false
                    if (array_search('mail', ldap_get_attributes($ad2, $entries)) !== false)
                    {
                        $mail = ldap_get_values($ad2, $entries, "mail");
                    }
                    else
                    {
                        // no email in LDAP
                        $redirect = 'login.php';
                        $_SESSION['Login_Text'] = 'No email address in LDAP for '.$login_name;
                    }
                }

                ldap_unbind($ad2);
            }
        }
        else
        {
            // if no dummy account is used, bind using the entered username
            // and password

            $bd = @ ldap_bind($ad, $login_name, $_POST['Password']);

            if ($bd)
            {
                // if this bind is successful, grab the email address to match
                // the user up with the OpenIT user in the DB

                // escape the user-supplied name so it cannot alter the search filter (ldap_escape needs PHP 5.6+)
                $sr = ldap_search($ad, $settings['LDAP']['context'], '('.$settings['LDAP']['loginfield'].'='.ldap_escape($login_name, '', LDAP_ESCAPE_FILTER).')');
                $entries = ldap_first_entry($ad, $sr);

                // to avoid a php error if there is no "mail" attribute;
                // array_search returns index 0 when "mail" is the first attribute, so compare against false
                if (array_search('mail', ldap_get_attributes($ad, $entries)) !== false)
                {
                    $mail = ldap_get_values($ad, $entries, "mail");
                }
                else
                {
                    // no email in LDAP
                    $redirect = 'login.php';
                    $_SESSION['Login_Text'] = 'No email address in LDAP for '.$login_name;
                }
            }
        }

        // this is repeated because if
        // ($settings['Login']['login_field'] == 'text')
        // the employee name for openit is unknown until here

        if (isset ($mail) && $settings['Login']['login_field'] == 'text')
        {
            // if using the text field for the login, pull the user's data
            // from the DB using the email address pulled from the LDAP server

            $row = DB_DataObject :: factory('Employees');
            $row->get('EmailAddress', $mail[0]);
            $login_name = $row->FirstName.' '.$row->LastName;
        }

        // $mail is only set when LDAP returned an address; !empty avoids a notice when it is unset
        if (isset ($row->GroupID) && !empty($mail))
        {
            // login succeeded
            $_SESSION['EmployeeID'] = $row->EmployeeID;
            $_SESSION['EmployeeName'] = $login_name;
            $_SESSION['Group'] = $row->GroupID;
            $_SESSION['Department'] = $row->Department;
            $_SESSION['SignedOn'] = time();
            $_SESSION['Login_Text'] = 'Already logged in as '.$_SESSION['EmployeeName'].'.';

            $redirect = '';
        }
        else
        {
            // login failed
            $redirect = 'login.php';
        }
    }
    ?>

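    An added example, not part of this post or of the OpenIT code: the dummy-account ("usedummy") path of the script above collapsed into one function, with the two connection options set after each ldap_connect as described, the user-supplied name escaped before it enters the search filter, and empty credentials rejected so the password bind can never degrade into an anonymous bind. The flat $settings keys, the ad_authenticate name and the sample server values are assumptions; ldap_escape requires PHP 5.6 or later.

```php
<?php
// Added example (not OpenIT code); settings keys and values are assumptions.
function ad_authenticate(array $settings, $login, $password)
{
    // An empty password makes ldap_bind an anonymous bind, which AD accepts,
    // so reject empty credentials before touching the server.
    if ($login === '' || $password === '') {
        return false;
    }
    $ad = ldap_connect($settings['server']);
    // AD needs LDAPv3, and referrals must be off or the client chases them.
    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);
    // Bind as the read-only service ("dummy") account to look the user up.
    if (!@ldap_bind($ad, $settings['dummylogin'], $settings['dummypassword'])) {
        return false;
    }
    // Escape the user-supplied value so it cannot alter the filter (PHP 5.6+).
    $filter = '(' . $settings['loginfield'] . '='
            . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . ')';
    $sr = @ldap_search($ad, $settings['context'], $filter, array($settings['truelogin'], 'mail'));
    if ($sr === false || ldap_count_entries($ad, $sr) !== 1) {
        ldap_unbind($ad);
        return false; // unknown or ambiguous user
    }
    $e = ldap_get_entries($ad, $sr); // attribute names come back lower-cased
    $key = strtolower($settings['truelogin']);
    ldap_unbind($ad);
    if (empty($e[0][$key][0]) || empty($e[0]['mail'][0])) {
        return false; // no bind identity, or no mail to map to the DB user
    }
    // Second connection, bound as the user, is what verifies the password.
    $ad2 = ldap_connect($settings['server']);
    ldap_set_option($ad2, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ad2, LDAP_OPT_REFERRALS, 0);
    $ok = @ldap_bind($ad2, $e[0][$key][0], $password);
    ldap_unbind($ad2);
    return $ok ? $e[0]['mail'][0] : false;
}

// Constructed sample settings; replace with the real OpenIT LDAP values.
$settings = array(
    'server'        => 'ldap://dc.example.test',
    'context'       => 'OU=Staff,DC=example,DC=test',
    'loginfield'    => 'sAMAccountName',
    'truelogin'     => 'userPrincipalName',
    'dummylogin'    => 'svc_openit@example.test',
    'dummypassword' => 'service-account-password',
);
// Returns the user's mail attribute on success (to map to the Employees row), false otherwise.
$mail = ad_authenticate($settings, (string) ($_POST['Employee'] ?? ''), (string) ($_POST['Password'] ?? ''));
```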
    • Brandon Blackmoor

      SourceForge removed all of the indentation, but it's standard 4-spaces per indent. I can email it to anyone who wants it with the correct formatting.

    • Brandon Blackmoor

      Entered in Subversion.
