Update of /cvsroot/phpslash/phpslash-dev/include/modules/auth/authtypes
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv25015
Modified Files:
slashAuthLDAP.class
Log Message:
much improved class. ldap doesn't require challenge_response
Index: slashAuthLDAP.class
===================================================================
RCS file: /cvsroot/phpslash/phpslash-dev/include/modules/auth/authtypes/slashAuthLDAP.class,v
retrieving revision 1.3
retrieving revision 1.4
diff -C2 -d -r1.3 -r1.4
*** slashAuthLDAP.class 26 Oct 2004 09:34:27 -0000 1.3
--- slashAuthLDAP.class 26 Oct 2004 18:05:49 -0000 1.4
***************
*** 16,25 ****
var $Base_dn = ""; /** base_dn holds our base for lookups. i.e. dc=host,dc=domain,dc=rootdomain */
var $Search_detail = "uid"; /** uid holds our usernames */
var $ds = ""; /** database connection */
/** PSL LDAP validation
@param $username user name to validate (required)
! @param $password plain text of the user's password. needed only when javascript is disabled
! @param $response needed only when javascript is disabled
@param $user_info ditto
@return boolean true if user is validated false otherwise
--- 16,28 ----
var $Base_dn = ""; /** base_dn holds our base for lookups. i.e. dc=host,dc=domain,dc=rootdomain */
var $Search_detail = "uid"; /** uid holds our usernames */
+ var $userpasswd = "userPassword"; /** userpassword holds encoded passwords in ldap db */
+
+ /* End configuration */
var $ds = ""; /** database connection */
/** PSL LDAP validation
@param $username user name to validate (required)
! @param $password plain text of the user's password
! @param $response ditto
@param $user_info ditto
@return boolean true if user is validated false otherwise
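Review bot: The new property `var $userpasswd = "userPassword";` is declared under one name but every reader added in this commit uses `$this->userpassword` (the search call and return in psl_ldap_pass, and the `$fields` default and entry lookup in psl_ldap_search_user), so the configured attribute name never reaches ldap_search and those lookups index on an undefined property. Rename the declaration to match its readers: `var $userpassword = "userPassword"; /** attribute holding encoded passwords in the ldap db */`. The `/* End configuration */` marker is useful; keep it directly after the renamed property so the configurable block stays visibly separate from `$ds`.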
***************
*** 27,31 ****
@note The parent class loginform uses attempts to use Challenge-Response and the password argument will typically be blank
*/
! function psl_validate($username, $password='', $response='', $user_info='') {
global $challenge,$_PSL;
$this->Host = $_PSL['LDAP_Host'];
--- 30,34 ----
@note The parent class loginform uses attempts to use Challenge-Response and the password argument will typically be blank
*/
! function psl_validate($username, $password, $response='', $user_info='') {
global $challenge,$_PSL;
$this->Host = $_PSL['LDAP_Host'];
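Review bot: The `@note` directly above the changed signature still says the parent loginform uses Challenge-Response and that `$password` "will typically be blank", yet this hunk makes `$password` a required argument and the log message says challenge-response is no longer needed, so the docblock now contradicts the code. Replace it with `@note $password is the plain text password from the login form; challenge-response is not used by this auth type`. Dropping the default is also an interface change for any caller that passed only `$username`, which is worth stating in the docblock; psl_validate's body continues in the following hunks.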
***************
*** 35,39 ****
--- 38,72 ----
$is_user = false; /* assumes test will fail */
+ $pw = ""; /** string (possibly encrypted) that will hold passwd from ldap */
+ debug("psl_validate()","checking if user exists before getting its password:");
+ if ( $this->psl_ldap_is_user($username) == true )
+ {
+ debug("psl_validate()","user does exist! getting password:");
+ $pw = $this->psl_ldap_pass($username);
+ } else {
+ debug("psl_validate()","user does not exist! bailing out");
+ return false;
+ }
+ /* TODO when setting user's passwords, you might want to try:
+ if ( preg_match("/{md5}/i",$_PSL[LDAP_scheme]) )
+ {
+ $my_pass = md5("$password");
+ } else if ( preg_match("/{ssha}/i",$_PSL[LDAP_scheme]) ) {
+ mt_srand((double) microtime()*1000000);
+ $salt=mhash_keygen_s2k(MHASH_SHA1,$password,substr(pack("h*",md5(mt_rand())),0,8),4);
+ $my_pass="{ssha}".base64_encode(mhash(MHASH_SHA1, $password.$salt).$salt);
+ } else {
+ // try crypt or simply fail with a warning /
+ $my_pass = crypt("");
+ debug("psl_validate()","We don't support this scheme for passwords yet");
+ }*/
+ $my_pass = md5($password);
+ debug("psl_validate()","$pw == $my_pass ??");
+ if ( $pw == $my_pass )
+ {
+ $is_user = true;
+ }
+ /* This is only needed for CR:
$md5_pw = $this->psl_ldap_pass($username);
// generate the expected response
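Review bot: The password check `if ( $pw == $my_pass )` uses loose comparison on two hash strings; PHP's `==` compares strings that both look numeric (for example the `0e…` form) as numbers, so two different digests can compare equal — use `if ( $pw === $my_pass )`. The debug line just above it writes the directory's stored password value and the freshly computed digest to the debug channel; log only the outcome, e.g. `debug("psl_validate()","comparing stored and supplied password digests");`. The comparison can only succeed when the directory stores the bare hex MD5 of the password: the commented-out TODO in this hunk already acknowledges `{md5}` and `{ssha}` schemes, so any stored value with a scheme prefix or salt will never match, and unsalted MD5 is itself a weak choice for the stored form. psl_validate starts in the preceding hunk and continues past this one.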
***************
*** 46,54 ****
$response = md5("$md5_pw_net:$challenge");
}
!
! if ( $expected_response == $response )
{
! // success
! $is_user = true;
/** TODO: might be a good thing to register this user?
in SQL ?*/
--- 79,86 ----
$response = md5("$md5_pw_net:$challenge");
}
! */
! if ( $is_user == true )
{
! // success
/** TODO: might be a good thing to register this user?
in SQL ?*/
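Review bot: `if ( $is_user == true )` compares a boolean against `true` with loose equality; `if ( $is_user )` reads more directly and behaves the same for the boolean assigned in the preceding hunk. The `*/` above it now closes a block comment that contains the whole challenge-response branch; deleting that dead block outright would be clearer than leaving it commented out. psl_validate starts and ends outside this hunk.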
***************
*** 66,98 ****
}
/**
*
! * Find and return the MD5 encoded password for the specified user
*
* @param $username username to lookup
! * @return md5(username:password)
*
**/
function psl_ldap_pass($username = "")
{
! //debug('function psl_ldap_pass()', "");
$passwd = "";
/** get user's password */
! $ldap_user = $this->psl_ldap_search_user($username,array("userPassword"));
if ( $ldap_user != false )
{
! // NOTE: userPassword because we use inetOrgPerson+posixAccount schemas
! foreach ($ldap_user as $key => $val)
! {
! if ( $key == "userpassword" )
! {
! $passwd = $val;
! break;
! }
! }
! $md5_pw = md5($username .":". $passwd);
! return $md5_pw;
}
! //debug('function psl_ldap_pass() ', 'failed');
return false;
}
--- 98,141 ----
}
+ /**
+ * A wrapper for psl_ldap_search_user.
+ * It checks whether user exists in the db.
+ *
+ * @param $username user to look for in "uid" attribute
+ * @return true if user exist, false otherwise
+ */
+ function psl_ldap_is_user ($username)
+ {
+ $uid = $this->psl_ldap_search_user ($username, array($this->Search_detail));
+ if ( $uid != false )
+ {
+ return true;
+ }
+ debug("psl_ldap_is_user()","failed!");
+ return false;
+ }
+
/**
*
! * Find and return the encoded password for the specified user
*
* @param $username username to lookup
! * @return ldap passwd scalar
*
**/
function psl_ldap_pass($username = "")
{
! debug("psl_ldap_pass()","looking for user passwd");
$passwd = "";
/** get user's password */
! $ldap_user = $this->psl_ldap_search_user($username,
! array($this->userpassword));
if ( $ldap_user != false )
{
! // NOTE: userPassword because we use
! // inetOrgPerson+posixAccount schemas
! return $ldap_user[$this->userpassword];
}
! //debug('psl_ldap_pass()', 'failed');
return false;
}
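Review bot: `return $ldap_user[$this->userpassword];` in psl_ldap_pass reads a key that psl_ldap_search_user (last hunk of this commit) never sets — that function assigns `$ary[$this->Search_detail]` twice and no password key — so this returns an undefined index and every login then fails the comparison in psl_validate. Until the search helper populates the key, guard the read: `return isset($ldap_user[$this->userpassword]) ? $ldap_user[$this->userpassword] : false;`. In psl_ldap_is_user, `$uid != false` is a loose check on the returned array; it works because a successful search returns a non-empty array, but `$uid !== false` states the intent. The `@return ldap passwd scalar` line should also mention the `false` returned on failure, since the caller compares the result with `==`.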
***************
*** 100,112 ****
/**
*
! * Find and return the specified LDAP user
! *
*
**/
function psl_ldap_search_user ($username = "", $attributes="") {
global $_PSL;
! $fields = ( is_array ( $attributes ) ) ? $attributes : array("userPassword");
! //debug('function LDAP_search_user()', "");
! //debug('HOST: %s && PORT: %s',$this->Host,$this->Port);
if (!ldap_set_option($this->ds, LDAP_OPT_PROTOCOL_VERSION, 3))
{
--- 143,157 ----
/**
*
! * Find and return the specified LDAP user in ldap db
! *
! * @param $username username to search for using $this->Search_detail (usually 'uid')
! * @return associative array with: $ary[$this->Search_detail], $ary[$this->userpassword] # TODO should return all attributes passed in array() $attributes OR false if fails
*
**/
function psl_ldap_search_user ($username = "", $attributes="") {
global $_PSL;
! $ary = array();
! $fields = ( is_array ( $attributes ) ) ? $attributes : array($this->userpassword);
! debug('psl_ldap_search_user()', "searching db");
if (!ldap_set_option($this->ds, LDAP_OPT_PROTOCOL_VERSION, 3))
{
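Review bot: `$fields` is computed at `$fields = ( is_array ( $attributes ) ) ? $attributes : array($this->userpassword);` but never used — the `ldap_search` call later in this function (new side of the last hunk) still passes `$attributes`, which is the string `""` when the default is taken. Pass `$fields` to ldap_search so the default actually applies. The new `@return` line describes an array keyed by both `$this->Search_detail` and `$this->userpassword`, which the implementation below does not produce; keep that doc in step with whatever fix lands in the last hunk.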
***************
*** 118,123 ****
return false;
}
! // so, use preg_match() to determine if we need this... ideally,
! // we should let users say this from config.ini.php
*/
/* for now we assume that we are running in the same server or
--- 163,169 ----
return false;
}
! // so, use preg_match() to determine if we need this from LDAP
! // uri: ldaps:// doesn't need tls...
! // ideally, we should let users say this from config.ini.php
*/
/* for now we assume that we are running in the same server or
***************
*** 125,144 ****
this is a major security hole. avoid doing such things if possible*/
/** Bind to ldap host with superuser privileges so that
! we can retrieve userPassword attributes: */
$ldap_bind = ldap_bind($this->ds,$_PSL['LDAP_User'],$_PSL['LDAP_Password']);
if ( $ldap_bind )
{
$ldap_search_result = ldap_search($this->ds,
! $this->Base_dn, $this->Search_detail."=".$username,$attributes);
if ($ldap_search_result) {
- //debug("function LDAP_search() ldap_search_result",print_r($ldap_search_result));
$result = ldap_get_entries($this->ds,
$ldap_search_result);
! //debug("function LDAP_search() result",print_r($result));
! return $result;
}
! debug('function LDAP_search_user() search', ' failed');
}
! debug('function LDAP_search_user() ', ' failed');
return false;
}
--- 171,197 ----
this is a major security hole. avoid doing such things if possible*/
/** Bind to ldap host with superuser privileges so that
! we can retrieve $this->userpassword attributes: */
$ldap_bind = ldap_bind($this->ds,$_PSL['LDAP_User'],$_PSL['LDAP_Password']);
if ( $ldap_bind )
{
$ldap_search_result = ldap_search($this->ds,
! $this->Base_dn,
! $this->Search_detail."=".$username,
! $attributes,
! 0, /** get all values and attributes */
! 1 /** we only care about 1 return, @see sizelimit */
! );
if ($ldap_search_result) {
$result = ldap_get_entries($this->ds,
$ldap_search_result);
! debug("psl_ldap_search_user() result",print_r($result));
! ldap_free_result($ldap_search_result);
! $ary[$this->Search_detail] = $result[0][$this->Search_detail][0];
! $ary[$this->Search_detail] = $result[0][$this->userpassword][0];
! return $ary;
}
! debug('function psl_ldap_search_user() search', ' failed');
}
! debug('function psl_ldap_search_user() ', ' failed');
return false;
}
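Review bot: The search filter `$this->Search_detail."=".$username` interpolates the login-form username unescaped into an LDAP filter that runs under the privileged `$_PSL['LDAP_User']` bind, so filter metacharacters in the supplied name change the query (a filter-injection risk); escape the value before building the filter (`ldap_escape` with `LDAP_ESCAPE_FILTER` on PHP >= 5.6, otherwise escape `\`, `*`, `(`, `)` and NUL per RFC 4515). The two assignments after `ldap_free_result` both write `$ary[$this->Search_detail]`, so the password overwrites the uid and no `$this->userpassword` key is ever set; ldap_get_entries also lowercases attribute names in the returned array, so the lookup key should be `strtolower($this->userpassword)`. `debug("psl_ldap_search_user() result",print_r($result));` calls print_r without its return flag, which echoes the whole entry — password attribute included — into the response and passes `true` to debug. `$result[0]` is read without checking `$result["count"]`, so an empty result set raises notices instead of returning false; the rewrite below also passes `$fields` (computed earlier in this function) instead of the raw `$attributes`.
```php
            // Escape filter metacharacters in the caller-supplied name (ldap_escape needs PHP >= 5.6;
            // on older runtimes escape \ * ( ) and NUL per RFC 4515 before interpolating).
            $filter = $this->Search_detail."=".ldap_escape($username, '', LDAP_ESCAPE_FILTER);
            $ldap_search_result = ldap_search($this->ds, $this->Base_dn, $filter, $fields, 0, 1);
            if ($ldap_search_result) {
                $result = ldap_get_entries($this->ds, $ldap_search_result);
                ldap_free_result($ldap_search_result);
                // ldap_get_entries returns a "count" entry and lowercases attribute names;
                // do not dump $result here, it contains the password attribute.
                if ( $result === false || $result["count"] < 1 ) {
                    debug('function psl_ldap_search_user() search', ' no entry');
                    return false;
                }
                $ary[$this->Search_detail] = $result[0][strtolower($this->Search_detail)][0];
                $ary[$this->userpassword] = $result[0][strtolower($this->userpassword)][0];
                return $ary;
            }
            // … unchanged: failure debug and return false …
```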