Update of /cvsroot/phpslash/phpslash-dev/include/modules/auth/authtypes
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv30336
Modified Files:
slashAuthLDAP.class
Log Message:
Very close to completion: eliminated useless calls and other nuances. Now it only needs to compare passwords with the strings returned from the DB; need to figure out whether passwd is {CRYPT} or some other scheme.
Index: slashAuthLDAP.class
===================================================================
RCS file: /cvsroot/phpslash/phpslash-dev/include/modules/auth/authtypes/slashAuthLDAP.class,v
retrieving revision 1.4
retrieving revision 1.5
diff -C2 -d -r1.4 -r1.5
*** slashAuthLDAP.class 26 Oct 2004 18:05:49 -0000 1.4
--- slashAuthLDAP.class 27 Oct 2004 22:04:38 -0000 1.5
***************
*** 15,23 ****
var $Port = "";
var $Base_dn = ""; /** base_dn holds our base for lookups. i.e. dc=host,dc=domain,dc=rootdomain */
! var $Search_detail = "uid"; /** uid holds our usernames */
! var $userpasswd = "userPassword"; /** userpassword holds encoded passwords in ldap db */
/* End configuration */
var $ds = ""; /** database connection */
/** PSL LDAP validation
--- 15,25 ----
var $Port = "";
var $Base_dn = ""; /** base_dn holds our base for lookups. i.e. dc=host,dc=domain,dc=rootdomain */
! /** Make sure these values are all lowercase: */
! var $ui = "uid"; /** uid holds our usernames */
! var $up = "userpassword"; /** userpassword holds encoded passwords in ldap db */
/* End configuration */
var $ds = ""; /** database connection */
+ var $found = ""; /** search results found */
/** PSL LDAP validation
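Review bot: The new comment `/** Make sure these values are all lowercase: */` states the rule without the reason, and the next person adding an attribute will need it: ldap_get_entries() returns attribute names lowercased, and `$ui`/`$up` are used as keys into that result in psl_ldap_search_user. Suggest `/** Keep these lowercase: ldap_get_entries() lowercases attribute names and these are used as keys into its result */`. The property block continues outside this hunk.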
***************
*** 36,47 ****
$this->Base_dn = $_PSL['LDAP_Base']; /** base_dn holds our base for lookups. i.e. dc=host,dc=domain,dc=rootdomain */
$this->ds = ldap_connect($this->Host, $this->Port); /** ds holds our connect socket. it hasn't "connected" yet, just setup some defaults */
$is_user = false; /* assumes test will fail */
! $pw = ""; /** string (possibly encrypted) that will hold passwd from ldap */
! debug("psl_validate()","checking if user exists before getting its password:");
! if ( $this->psl_ldap_is_user($username) == true )
{
! debug("psl_validate()","user does exist! getting password:");
! $pw = $this->psl_ldap_pass($username);
} else {
debug("psl_validate()","user does not exist! bailing out");
--- 38,61 ----
$this->Base_dn = $_PSL['LDAP_Base']; /** base_dn holds our base for lookups. i.e. dc=host,dc=domain,dc=rootdomain */
$this->ds = ldap_connect($this->Host, $this->Port); /** ds holds our connect socket. it hasn't "connected" yet, just setup some defaults */
+ $this->found = $this->psl_ldap_search_user($username,
+ array($this->ui,$this->up));
$is_user = false; /* assumes test will fail */
! $pw = ""; /** holds passwd from ldap */
!
! debug("psl_validate()",$this->found);
!
! if ( !empty($this->found[$this->ui]) )
{
! debug("psl_validate()","getting password:");
! if ( !empty($this->found[$this->up]) )
! {
! $pw = $this->found[$this->up];
! } else {
! /*debug("psl_validate()","password does not exist! re-querying db:");
! $pw = $this->psl_ldap_pass($username);*/
! debug("psl_validate()","user password does not exist! bailing out");
! return false;
! }
} else {
debug("psl_validate()","user does not exist! bailing out");
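Review bot: `debug("psl_validate()",$this->found);` dumps the whole search result, and `$this->found[$this->up]` is the stored userPassword value, so the credential (a hash, or plaintext depending on the directory's storage scheme) is written to the debug output. Log only the non-secret part, `debug("psl_validate()", $this->found[$this->ui]);`, or drop the line. Keeping the result in the `$found` property also retains the stored credential on the object for the rest of the request, where a local would be released after the comparison. psl_validate starts before this hunk and ends after it.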
***************
*** 62,67 ****
debug("psl_validate()","We don't support this scheme for passwords yet");
}*/
! $my_pass = md5($password);
! debug("psl_validate()","$pw == $my_pass ??");
if ( $pw == $my_pass )
{
--- 76,83 ----
debug("psl_validate()","We don't support this scheme for passwords yet");
}*/
! $my_pass = $password; /** FIXME crypt()? md5()? */
! debug("psl_validate()","Passwords: '$pw' == '$my_pass' ??");
!
! /** all comes down to this test: */
if ( $pw == $my_pass )
{
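Review bot: `debug("psl_validate()","Passwords: '$pw' == '$my_pass' ??");` writes the user's cleartext password (`$my_pass` is a copy of `$password` from the line above) together with the stored credential into the debug output; a safe form is `debug("psl_validate()","comparing supplied password with stored value");`. The test `$pw == $my_pass` is also a loose comparison, under which two numeric-looking strings compare as numbers, so use `===` at minimum. On the FIXME about `{CRYPT}` and other schemes: the usual way to avoid parsing scheme prefixes is not to read userPassword at all but to ldap_bind() with the user's own DN and the supplied password and let the directory verify it, which also removes the need for the privileged bind in psl_ldap_search_user. psl_validate starts and ends outside this hunk.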
***************
*** 82,86 ****
if ( $is_user == true )
{
! // success
/** TODO: might be a good thing to register this user?
in SQL ?*/
--- 98,103 ----
if ( $is_user == true )
{
! // success
! debug("psl_validate()","user exists: registering with sql");
/** TODO: might be a good thing to register this user?
in SQL ?*/
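Review bot: The new `debug("psl_validate()","user exists: registering with sql");` claims a registration step that the TODO immediately below says is not implemented, so the log line will mislead anyone reading it; `debug("psl_validate()","user validated (sql registration TODO)");` describes what actually happens. psl_validate continues outside this hunk.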
***************
*** 93,97 ****
// failed - return with error message
$this->auth["error"] = pslgetText("Either your username or password are invalid. Please try again.");
- $is_user = false; /* dup! just making sure... */
}
return $is_user;
--- 110,113 ----
***************
*** 105,118 ****
* @return true if user exist, false otherwise
*/
! function psl_ldap_is_user ($username)
{
! $uid = $this->psl_ldap_search_user ($username, array($this->Search_detail));
if ( $uid != false )
{
return true;
}
debug("psl_ldap_is_user()","failed!");
return false;
! }
/**
--- 121,136 ----
* @return true if user exist, false otherwise
*/
! /*function psl_ldap_is_user ($username)
{
! $uid = $this->psl_ldap_search_user($username,
! array($this->ui,$this->up));
if ( $uid != false )
{
+ debug("psl_ldap_is_user()",$uid[$this->ui]);
return true;
}
debug("psl_ldap_is_user()","failed!");
return false;
! }*/
/**
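Review bot: psl_ldap_is_user is commented out rather than removed (the next hunk does the same to psl_ldap_pass), and the commented copies were even updated to the new `$ui`/`$up` names, so they are dead code that still costs maintenance; CVS keeps the history, so delete both blocks, or keep them live if they are meant to return. Note that the commented psl_ldap_pass body assigns the search result to `$passwd` but then tests and indexes `$ldap_user`, which is never set there, so reviving it as-is would not work.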
***************
*** 124,143 ****
*
**/
! function psl_ldap_pass($username = "")
{
! debug("psl_ldap_pass()","looking for user passwd");
! $passwd = "";
! /** get user's password */
! $ldap_user = $this->psl_ldap_search_user($username,
! array($this->userpassword));
if ( $ldap_user != false )
{
! // NOTE: userPassword because we use
! // inetOrgPerson+posixAccount schemas
! return $ldap_user[$this->userpassword];
}
! //debug('psl_ldap_pass()', 'failed');
return false;
! }
/**
--- 142,157 ----
*
**/
! /*function psl_ldap_pass($username = "")
{
! $passwd = $this->psl_ldap_search_user($username,
! array($this->ui,$this->up));
if ( $ldap_user != false )
{
! debug("psl_ldap_is_user() passwd:",$passwd[$this->up]);
! return $ldap_user[$this->up];
}
! debug('psl_ldap_pass()', 'failed!');
return false;
! }*/
/**
***************
*** 145,161 ****
* Find and return the specified LDAP user in ldap db
*
! * @param $username username to search for using $this->Search_detail (usually 'uid')
! * @return associative array with: $ary[$this->Search_detail], $ary[$this->userpassword] # TODO should return all attributes passed in array() $attributes OR false if fails
*
**/
! function psl_ldap_search_user ($username = "", $attributes="") {
global $_PSL;
$ary = array();
! $fields = ( is_array ( $attributes ) ) ? $attributes : array($this->userpassword);
! debug('psl_ldap_search_user()', "searching db");
! if (!ldap_set_option($this->ds, LDAP_OPT_PROTOCOL_VERSION, 3))
{
return false;
}
/* FIXME in order to use tls to talk to remote servers,
we might have to do:
--- 159,178 ----
* Find and return the specified LDAP user in ldap db
*
! * @param $username username to search for using $this->ui (usually 'uid')
! * @return associative array with: $ary[$this->ui], $ary[$this->up] # TODO should return all attributes passed in array() $attributes OR false if fails
*
**/
! function psl_ldap_search_user ($username = "", $attributes="")
! {
global $_PSL;
$ary = array();
!
! debug('psl_ldap_search_user() attributes:', $attributes);
!
! if ( !ldap_set_option($this->ds, LDAP_OPT_PROTOCOL_VERSION, 3) )
{
return false;
}
+
/* FIXME in order to use tls to talk to remote servers,
we might have to do:
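Review bot: The default `$attributes=""` on `function psl_ldap_search_user ($username = "", $attributes="")` is not usable: the `$fields` fallback that turned a non-array into an attribute list was dropped (it was never passed on to ldap_search() anyway), and `$attributes` now goes straight to ldap_search(), which expects an array. Use `$attributes = array()` as the default, or add `if (!is_array($attributes)) { $attributes = array($this->ui, $this->up); }` before the search. The ldap_search() call is in the next hunk, and the function continues past this one.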
***************
*** 171,197 ****
this is a major security hole. avoid doing such things if possible*/
/** Bind to ldap host with superuser privileges so that
! we can retrieve $this->userpassword attributes: */
$ldap_bind = ldap_bind($this->ds,$_PSL['LDAP_User'],$_PSL['LDAP_Password']);
if ( $ldap_bind )
{
! $ldap_search_result = ldap_search($this->ds,
$this->Base_dn,
! $this->Search_detail."=".$username,
$attributes,
0, /** get all values and attributes */
1 /** we only care about 1 return, @see sizelimit */
);
! if ($ldap_search_result) {
! $result = ldap_get_entries($this->ds,
! $ldap_search_result);
! debug("psl_ldap_search_user() result",print_r($result));
! ldap_free_result($ldap_search_result);
! $ary[$this->Search_detail] = $result[0][$this->Search_detail][0];
! $ary[$this->Search_detail] = $result[0][$this->userpassword][0];
return $ary;
}
- debug('function psl_ldap_search_user() search', ' failed');
}
! debug('function psl_ldap_search_user() ', ' failed');
return false;
}
--- 188,216 ----
this is a major security hole. avoid doing such things if possible*/
/** Bind to ldap host with superuser privileges so that
! we can retrieve $this->up attributes: */
$ldap_bind = ldap_bind($this->ds,$_PSL['LDAP_User'],$_PSL['LDAP_Password']);
if ( $ldap_bind )
{
! $s_result = ldap_search($this->ds,
$this->Base_dn,
! $this->ui."=".$username,
$attributes,
0, /** get all values and attributes */
1 /** we only care about 1 return, @see sizelimit */
);
! if ( $s_result > 0 )
! {
! $result = ldap_get_entries($this->ds, $s_result);
! debug("psl_ldap_search_user() LDAP result+++: ",$result);
! $ary[$this->ui] = $result[0][$this->ui][0];
! $ary[$this->up] = $result[0][$this->up][0];
! ldap_free_result($s_result);
! debug("psl_ldap_search_user() formatted: ",$ary);
return $ary;
+ } else {
+ debug('psl_ldap_search_user()', 's_result failed');
}
}
! debug('psl_ldap_search_user() ', ' failed');
return false;
}
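Review bot: `if ( $s_result > 0 )` compares the resource returned by ldap_search() with an integer; its failure value is `false`, so the check should be `$s_result !== false`. A successful search that matches no entry is then not handled: `$result['count']` is 0, the two `$ary[...] = $result[0][...][0]` lines read undefined offsets, and the function returns an array of nulls instead of `false`. The two new debug() dumps of `$result` and `$ary` write the userpassword value to the debug output and should log the uid only. `$username` is still concatenated unescaped into the search filter at `$this->ui."=".$username`; since it is the name being authenticated (presumably straight from the login form), escape it for filter context, `ldap_escape($username, '', LDAP_ESCAPE_FILTER)` on PHP >= 5.6 or a manual escape of `\`, `*`, `(`, `)` and NUL on older versions. The function's signature is in the previous hunk.
```php
$s_result = ldap_search($this->ds,
    $this->Base_dn,
    $this->ui."=".ldap_escape($username, '', LDAP_ESCAPE_FILTER),
    $attributes,
    0, /** get all values and attributes */
    1 /** we only care about 1 return, @see sizelimit */
);
if ( $s_result !== false )
{
    $result = ldap_get_entries($this->ds, $s_result);
    ldap_free_result($s_result);
    if ( $result !== false && $result['count'] > 0 )
    {
        $ary[$this->ui] = $result[0][$this->ui][0];
        $ary[$this->up] = isset($result[0][$this->up][0]) ? $result[0][$this->up][0] : "";
        debug("psl_ldap_search_user() found: ", $ary[$this->ui]);
        return $ary;
    }
}
debug('psl_ldap_search_user()', 's_result failed');
// … unchanged: closing braces, final debug and return false …
```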
|