Update of /cvsroot/phpslash/phpslash-dev/include/modules/auth/authtypes
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv24199
Modified Files:
slashAuthLDAP.class
Log Message:
New, improved class. Almost able to authenticate; however, since user passwords are usually stored hashed (not recoverable) in the LDAP directory, we might need to do things differently for LDAP auth (perhaps use md5 exclusively with the same salting method LDAP uses and compare md5 strings instead of $challenge ...)
Index: slashAuthLDAP.class
===================================================================
RCS file: /cvsroot/phpslash/phpslash-dev/include/modules/auth/authtypes/slashAuthLDAP.class,v
retrieving revision 1.2
retrieving revision 1.3
diff -C2 -d -r1.2 -r1.3
*** slashAuthLDAP.class 20 Oct 2004 22:08:49 -0000 1.2
--- slashAuthLDAP.class 26 Oct 2004 09:34:27 -0000 1.3
***************
*** 6,25 ****
* Written by Peter Starowicz <pe...@op...> for OpenConcept.ca
*
! * This module unfinished and untested - remove this when completed
*
*/
class slashAuth extends slashAuth_base {
!
/** PSL LDAP validation
! @param $username user name to validate
! @param $password ...
@return boolean true if user is validated false otherwise
@note The parent class loginform uses attempts to use Challenge-Response and the password argument will typically be blank
*/
! function psl_validate($username, $password, $response='', $user_info='') {
! global $challenge;
! $is_user = false;
$md5_pw = $this->psl_ldap_pass($username);
--- 6,38 ----
* Written by Peter Starowicz <pe...@op...> for OpenConcept.ca
*
! * 2004-10-26 00:49 EDT
! * Modified by Luis Mondesi < lems1 at users | sf | net> for PSL 0.8
*
*/
class slashAuth extends slashAuth_base {
! /* TODO we might need to test $_PSL vars before passing them to connect */
! var $Host = "";
! var $Port = "";
! var $Base_dn = ""; /** base_dn holds our base for lookups. i.e. dc=host,dc=domain,dc=rootdomain */
! var $Search_detail = "uid"; /** uid holds our usernames */
! var $ds = ""; /** database connection */
!
/** PSL LDAP validation
! @param $username user name to validate (required)
! @param $password plain text of the user's password. needed only when javascript is disabled
! @param $response needed only when javascript is disabled
! @param $user_info ditto
@return boolean true if user is validated false otherwise
@note The parent class loginform uses attempts to use Challenge-Response and the password argument will typically be blank
*/
! function psl_validate($username, $password='', $response='', $user_info='') {
! global $challenge,$_PSL;
! $this->Host = $_PSL['LDAP_Host'];
! $this->Port = $_PSL['LDAP_Port'];
! $this->Base_dn = $_PSL['LDAP_Base']; /** base_dn holds our base for lookups. i.e. dc=host,dc=domain,dc=rootdomain */
! $this->ds = ldap_connect($this->Host, $this->Port); /** ds holds our connect socket. it hasn't "connected" yet, just setup some defaults */
! $is_user = false; /* assumes test will fail */
$md5_pw = $this->psl_ldap_pass($username);
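Review bot: The new parameter docs on `$response` are inverted relative to the code: `$response` is the client-computed challenge response that is present when JavaScript is enabled, and it is an empty `$response` that triggers the plain-text `$password` fallback (the `$response == ""` check is in the next hunk). Suggest `@param $password plain-text password, used only when $response is empty (javascript disabled)` and `@param $response client-side md5 challenge response; empty when javascript is disabled`. Separately, the result of `ldap_connect()` is stored in `$this->ds` without a check; `ldap_connect()` returns false on a malformed host/port, and the later `ldap_set_option`/`ldap_bind` calls would then fail on `false` rather than producing a clean authentication failure — consider `if (!$this->ds) { $this->auth["error"] = pslgetText("LDAP connect failed"); return false; }`. psl_validate continues past the end of this hunk.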
***************
*** 28,43 ****
// True when JS is disabled
! if ( $response == "" ) {
$md5_pw_net = md5("$username:$password");
$response = md5("$md5_pw_net:$challenge");
}
! if ($expected_response != $response) {
// failed - return with error message
$this->auth["error"] = pslgetText("Either your username or password are invalid. Please try again.");
! $is_user = false;
! } else {
! // success
! $is_user = true;
}
return $is_user;
--- 41,65 ----
// True when JS is disabled
! if ( $response == "" )
! {
$md5_pw_net = md5("$username:$password");
$response = md5("$md5_pw_net:$challenge");
}
! if ( $expected_response == $response )
! {
! // success
! $is_user = true;
! /** TODO: might be a good thing to register this user?
! in SQL ?*/
! /*
! $ary['username'] = $username;
! $ary['password'] = $password;
! psl_register_authed($ary);
! */
! } else {
// failed - return with error message
$this->auth["error"] = pslgetText("Either your username or password are invalid. Please try again.");
! $is_user = false; /* dup! just making sure... */
}
return $is_user;
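Review bot: The success test `if ( $expected_response == $response )` uses loose comparison on two strings, one of which (`$response`) comes from the client; in PHP `==` between two strings that both look numeric (md5 digests of the form `0e` followed by digits) compares them as numbers, so distinct digests can compare equal. Use strict comparison, `if ( $expected_response === $response )`. Note `$expected_response` is derived in the lines between this hunk and the previous one, which are not visible here, so whether it can be unset or false when the user lookup fails cannot be confirmed from this view. The commented-out registration block would store the plain-text `$password` in `$ary['password']`; if it is ever enabled it should carry a hash, not the clear text. psl_validate begins before this hunk.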
***************
*** 47,62 ****
*
* Find and return the MD5 encoded password for the specified user
! *
*
**/
! function psl_ldap_pass($username = "") {
! // debug('function LDAP_pass()', "");
!
! $ldap_user = $this->psl_ldap_search_user($username);
! if ($ldap_user) {
! $md5_pw = md5($username .":". $ldap_user[0]["password"][0];
! // return $ldap_user[0]["password"][0];
}
! //debug('function ldap_pass() ', 'failed');
return false;
}
--- 69,98 ----
*
* Find and return the MD5 encoded password for the specified user
! *
! * @param $username username to lookup
! * @return md5(username:password)
*
**/
! function psl_ldap_pass($username = "")
! {
! //debug('function psl_ldap_pass()', "");
! $passwd = "";
! /** get user's password */
! $ldap_user = $this->psl_ldap_search_user($username,array("userPassword"));
! if ( $ldap_user != false )
! {
! // NOTE: userPassword because we use inetOrgPerson+posixAccount schemas
! foreach ($ldap_user as $key => $val)
! {
! if ( $key == "userpassword" )
! {
! $passwd = $val;
! break;
! }
! }
! $md5_pw = md5($username .":". $passwd);
! return $md5_pw;
}
! //debug('function psl_ldap_pass() ', 'failed');
return false;
}
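Review bot: The `foreach` over `$ldap_user` can never find the password: `$ldap_user` is the `ldap_get_entries()` result returned by `psl_ldap_search_user()`, whose top-level keys are `count` and integer entry indices, with the attribute nested at `$ldap_user[0]["userpassword"][0]` (the removed line `md5($username .":". $ldap_user[0]["password"][0])` used that shape). As written `$passwd` stays `""` and the function returns `md5("$username:")`, which is exactly what the client side computes for an empty password, so once psl_validate compares against this value any existing uid would validate with a blank password. Read the first value of the lowercased attribute directly and fail closed (return false) when it is absent or empty rather than hashing an empty string.
```php
function psl_ldap_pass($username = "")
{
    //debug('function psl_ldap_pass()', "");
    $ldap_user = $this->psl_ldap_search_user($username,array("userPassword"));
    // ldap_get_entries() lowercases attribute names and nests values under [0]
    if ( $ldap_user != false && isset($ldap_user[0]["userpassword"][0])
         && $ldap_user[0]["userpassword"][0] !== "" )
    {
        return md5($username .":". $ldap_user[0]["userpassword"][0]);
    }
    //debug('function psl_ldap_pass() ', 'failed');
    return false;
}
```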
***************
*** 68,87 ****
*
**/
! function psl_ldap_search_user($username = "") {
//debug('function LDAP_search_user()', "");
!
! $this->ds = @ldap_connect($this->Host, $this->Port);
! $ldap_search_result = @ldap_search($this->ds, $this->Base_dn, $this->Search_detail."=".$username);
! if ($ldap_search_result) {
! //debug("function LDAP_search() ldap_search_result",print_r($ldap_search_result));
! $result = ldap_get_entries($this->ds, $ldap_search_result);
! //debug("function LDAP_search() result",print_r($result));
! return $result;
}
!
! //debug('function LDAP_search_user() ', ' failed');
! return false;
}
}
?>
-
--- 104,146 ----
*
**/
! function psl_ldap_search_user ($username = "", $attributes="") {
! global $_PSL;
! $fields = ( is_array ( $attributes ) ) ? $attributes : array("userPassword");
//debug('function LDAP_search_user()', "");
! //debug('HOST: %s && PORT: %s',$this->Host,$this->Port);
! if (!ldap_set_option($this->ds, LDAP_OPT_PROTOCOL_VERSION, 3))
! {
! return false;
}
! /* FIXME in order to use tls to talk to remote servers,
! we might have to do:
! if (!ldap_start_tls($this->ds)) {
! return false;
! }
! // so, use preg_match() to determine if we need this... ideally,
! // we should let users say this from config.ini.php
! */
! /* for now we assume that we are running in the same server or
! we can connect to port 389 in plaintext over a LAN/WAN;
! this is a major security hole. avoid doing such things if possible*/
! /** Bind to ldap host with superuser privileges so that
! we can retrieve userPassword attributes: */
! $ldap_bind = ldap_bind($this->ds,$_PSL['LDAP_User'],$_PSL['LDAP_Password']);
! if ( $ldap_bind )
! {
! $ldap_search_result = ldap_search($this->ds,
! $this->Base_dn, $this->Search_detail."=".$username,$attributes);
! if ($ldap_search_result) {
! //debug("function LDAP_search() ldap_search_result",print_r($ldap_search_result));
! $result = ldap_get_entries($this->ds,
! $ldap_search_result);
! //debug("function LDAP_search() result",print_r($result));
! return $result;
! }
! debug('function LDAP_search_user() search', ' failed');
! }
! debug('function LDAP_search_user() ', ' failed');
! return false;
}
}
?>
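Review bot: `$username` is concatenated unescaped into the search filter at `$this->Search_detail."=".$username`, so a submitted username such as `*` or `x)(uid=admin` changes the filter's meaning (LDAP filter injection) and, because callers read the first returned entry, can steer the password lookup onto a different account. Escape the RFC 4515 metacharacters (`\`, `*`, `(`, `)`, NUL) before building the filter — `ldap_escape()` in newer PHP, a `str_replace` here — and reject an empty username, which otherwise yields the filter `uid=`. In the same call `$attributes` is passed instead of the normalised `$fields` computed at the top of the function, so the default `""` reaches `ldap_search()` instead of `array("userPassword")`. The privileged bind is also never released with `ldap_unbind()`; that is a separate follow-up.
```php
function psl_ldap_search_user ($username = "", $attributes="") {
    global $_PSL;
    $fields = ( is_array ( $attributes ) ) ? $attributes : array("userPassword");
    if ( $username === "" ) {
        return false;
    }
    /* escape RFC 4515 filter metacharacters; backslash must be replaced first */
    $safe_user = str_replace(array('\\', '*', '(', ')', "\x00"),
                             array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
                             $username);
    // … unchanged: protocol version option, TLS note, privileged bind …
        $ldap_search_result = ldap_search($this->ds,
            $this->Base_dn, "(".$this->Search_detail."=".$safe_user.")", $fields);
    // … unchanged: ldap_get_entries and failure paths …
```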