Update of /cvsroot/phpslash/phpslash-dev/include/modules/auth/authtypes
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv11547
Modified Files:
slashAuthLDAP.class
Log Message:
This puts an end to LDAP authentication. It just works for crypt() password schemes so far. Will add other schemes as needed. TODO check what happens when LDAP password is empty (we should not allow these users to authenticate: {CRYPT}*)
Index: slashAuthLDAP.class
===================================================================
RCS file: /cvsroot/phpslash/phpslash-dev/include/modules/auth/authtypes/slashAuthLDAP.class,v
retrieving revision 1.5
retrieving revision 1.6
diff -C2 -d -r1.5 -r1.6
*** slashAuthLDAP.class 27 Oct 2004 22:04:38 -0000 1.5
--- slashAuthLDAP.class 29 Oct 2004 05:21:46 -0000 1.6
***************
*** 2,12 ****
// vim: ft=php:ts=4:sts=4 :
/** $Id$
! *
! * Mostly taken from Back-End LDAP.class which was:
! * Written by Peter Starowicz <pe...@op...> for OpenConcept.ca
! *
* 2004-10-26 00:49 EDT
! * Modified by Luis Mondesi < lems1 at users | sf | net> for PSL 0.8
*
*/
class slashAuth extends slashAuth_base {
--- 2,11 ----
// vim: ft=php:ts=4:sts=4 :
/** $Id$
! *
* 2004-10-26 00:49 EDT
! * Written by Luis Mondesi < lems1 at users | sf | net> for PSL 0.8
*
+ * Inspired by Back-End's LDAP.class which was written by:
+ * Peter Starowicz <pe...@op...> for OpenConcept.ca
*/
class slashAuth extends slashAuth_base {
***************
*** 22,26 ****
var $ds = ""; /** database connection */
var $found = ""; /** search results found */
!
/** PSL LDAP validation
@param $username user name to validate (required)
--- 21,75 ----
var $ds = ""; /** database connection */
var $found = ""; /** search results found */
!
! /**
! * PSL LDAP's pre-validation
! *
! * Here we check whether users have been automatically register
! * using PSL SQL db. If so, we use this validation.
! * If not, we re-check against the LDAP db @see psl_validate()
! *
! * @param $username valid username
! * @param $password plain text password
! * @param $user_info array that holds metadata like md5 user/pass combo
! *
! * TODO Should psl_preauth make sure that $username exists in LDAP
! * just to prevent users from guessing? (paranoia too high?)
! */
! function psl_preauth($username, $password, $user_info)
! {
! global $_PSL,$challenge;
!
! // debug("response", $response);
! // debug("challenge", $challenge);
!
! if ( $_PSL['LDAP_Auth_Register'] != true )
! {
! debug("return","bailing out");
! return false;
! }
! $is_user = false;
!
! // generate the expected response
! $md5_pw = $user_info['password']; // this is the raw MD5ed user/pass combo
!
! $expected_response = md5("$md5_pw:$challenge");
! // debug("expected_response", $expected_response);
! // True when JS is disabled
! if ($response == "") {
! $md5_pw_net = md5("$username:$password");
! $response = md5("$md5_pw_net:$challenge");
! }
!
! // Response is set, JS might be enabled...
! // compare the responses
! if ($expected_response == $response) {
! // success
! $is_user = true;
! } else {
! $this->auth["error"] = pslgetText("LDAP preauthentication failed.");
! }
! return $is_user;
! }
!
/** PSL LDAP validation
@param $username user name to validate (required)
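Review bot: `$response` is never assigned inside psl_preauth — it is neither a parameter nor in the `global` list — so the `if ($response == "")` branch always runs and the check can only succeed when the plaintext `$password` is supplied, which the @note on psl_validate says is typically blank under challenge-response. Take it as a parameter the way psl_validate does (`function psl_preauth($username, $password, $response='', $user_info='')`, adjusting the caller) or load it from wherever the caller keeps it, and change `$expected_response == $response` to `===` so the two hex digests are not compared under PHP's loose numeric-string rules. The config key `$_PSL['LDAP_Auth_Register']` read here is spelled `LDAP_Register_Auth` in the registration hunk further down, so one of the two can never be enabled by the same setting. The docblock would also help by stating what `$user_info['password']` holds; from the registration code it appears to be `md5("$username:$password")`, but confirm with the caller.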
***************
*** 32,36 ****
@note The parent class loginform uses attempts to use Challenge-Response and the password argument will typically be blank
*/
! function psl_validate($username, $password, $response='', $user_info='') {
global $challenge,$_PSL;
$this->Host = $_PSL['LDAP_Host'];
--- 81,87 ----
@note The parent class loginform uses attempts to use Challenge-Response and the password argument will typically be blank
*/
! function psl_validate($username, $password,
! $response='', $user_info='')
! {
global $challenge,$_PSL;
$this->Host = $_PSL['LDAP_Host'];
***************
*** 44,63 ****
$pw = ""; /** holds passwd from ldap */
! debug("psl_validate()",$this->found);
if ( !empty($this->found[$this->ui]) )
{
! debug("psl_validate()","getting password:");
if ( !empty($this->found[$this->up]) )
{
$pw = $this->found[$this->up];
} else {
! /*debug("psl_validate()","password does not exist! re-querying db:");
$pw = $this->psl_ldap_pass($username);*/
! debug("psl_validate()","user password does not exist! bailing out");
return false;
}
} else {
! debug("psl_validate()","user does not exist! bailing out");
return false;
}
--- 95,114 ----
$pw = ""; /** holds passwd from ldap */
! debug("found",$this->found);
if ( !empty($this->found[$this->ui]) )
{
! debug("password","getting password:");
if ( !empty($this->found[$this->up]) )
{
$pw = $this->found[$this->up];
} else {
! /*debug("password","password does not exist! re-querying db:");
$pw = $this->psl_ldap_pass($username);*/
! debug("password","user password does not exist! bailing out");
return false;
}
} else {
! debug("user","user does not exist! bailing out");
return false;
}
***************
*** 74,87 ****
// try crypt or simply fail with a warning /
$my_pass = crypt("");
! debug("psl_validate()","We don't support this scheme for passwords yet");
}*/
! $my_pass = $password; /** FIXME crypt()? md5()? */
! debug("psl_validate()","Passwords: '$pw' == '$my_pass' ??");
/** all comes down to this test: */
if ( $pw == $my_pass )
{
$is_user = true;
}
/* This is only needed for CR:
$md5_pw = $this->psl_ldap_pass($username);
--- 125,166 ----
// try crypt or simply fail with a warning /
$my_pass = crypt("");
! debug("password","We don't support this scheme for passwords yet");
}*/
! $my_pass = "$password";
! if ( $pw = preg_replace("/^{crypt}(.*)$/i","$1",$pw,1) ) /* only 1 match. Removes {crypt} */
! {
! debug("password","is crypt'ed");
! /** Instead of assuming what salt is used like: */
! /*$salt = substr($pw , 0, 2);*/
! /** Let PHP choose whatever algorithm is needed for crypt's
! salt; do this: */
! $my_pass = crypt($password,$pw);
! /** Some sample salts are:
! Standard DES: rl
! Extended DES: _J9..rasm
! MD5: $1$rasmusle$
! Blowfish: $2a$07$rasmuslerd............
!
! Which means:
! STD DES: 2 char
! EXT DES: 9 char
! MD5: $1$ + 9 char
! Blowfish: $2a$ + 12 char (or $2$ + 13 char)
! */
! }
! //debug("password","'$pw' == '$my_pass' ??");
/** all comes down to this test: */
if ( $pw == $my_pass )
{
+ debug("password","passwords matched!");
$is_user = true;
+ } else {
+ debug("password","passwords didn't matched!");
+ /* No need to go further: */
+ $this->auth["error"] = pslgetText("Either your username or password are invalid. Please try again.");
+ return false;
}
+
/* This is only needed for CR:
$md5_pw = $this->psl_ldap_pass($username);
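Review bot: The condition `if ( $pw = preg_replace("/^{crypt}(.*)$/i","$1",$pw,1) )` is true for every non-empty value, not only `{crypt}` ones, because preg_replace returns its subject unchanged when the pattern does not match; a `{SSHA}` or `{MD5}` hash therefore also reaches `crypt($password,$pw)` as if it were a salt, and a `{CRYPT}*` or empty entry (the case the log message flags) is handed to crypt as well instead of being rejected outright. Detect the prefix with preg_match, bail out on empty or locked hashes before calling crypt, and leave `$my_pass` as the plain `$password` for unprefixed values so the existing comparison still applies; the final test should also use `===` rather than `==`. The debug lines print only labels now, which is right — keep the commented-out line that echoed `$pw` and `$my_pass` out of the code.
```php
$my_pass = "$password";
if ( preg_match("/^{crypt}(.*)$/i", $pw, $m) ) /* only {crypt} is handled here */
{
    $pw = $m[1];
    /* empty or locked entries ({CRYPT}, {CRYPT}*, {CRYPT}!) must never match */
    if ( $pw == "" || substr($pw, 0, 1) == "*" || substr($pw, 0, 1) == "!" )
    {
        debug("password","empty or locked crypt hash; bailing out");
        return false;
    }
    debug("password","is crypt'ed");
    $my_pass = crypt($password,$pw);
}
/* … unchanged: salt sample comments … */
/** all comes down to this test: */
if ( $pw === $my_pass )
```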
***************
*** 96,114 ****
}
*/
! if ( $is_user == true )
{
// success
! debug("psl_validate()","user exists: registering with sql");
! /** TODO: might be a good thing to register this user?
! in SQL ?*/
! /*
! $ary['username'] = $username;
! $ary['password'] = $password;
! psl_register_authed($ary);
! */
} else {
// failed - return with error message
$this->auth["error"] = pslgetText("Either your username or password are invalid. Please try again.");
}
return $is_user;
}
--- 175,200 ----
}
*/
! if ( $is_user == true && $_PSL['LDAP_Register_Auth'] == true )
{
// success
! debug("user","user exists: registering with sql");
! $ary = array ();
! $ary['author_name'] = $username;
! $ary['username'] = $username; /** NOT NEEDED ? */
! $ary['uname'] = $username; /** NOT NEEDED ? */
! $ary['password'] = md5("$username:$password"); /** Plain text? */
! /** permissions TODO ask if this is right way? */
! $perms = array('nobody'=>20,'user'=>21);
! $ary['permission'] = $perms;
! if ( $this->psl_register_authed($ary) == false )
! {
! debug("user","Could not register authenticated user in SQL db");
! $this->auth["error"] = pslgetText("Could not register authenticated user in SQL db");
! }
} else {
// failed - return with error message
$this->auth["error"] = pslgetText("Either your username or password are invalid. Please try again.");
}
+ debug("return",$is_user);
return $is_user;
}
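Review bot: The `else` after the registration block now also runs for a successful login when `$_PSL['LDAP_Register_Auth']` is off, because the registration switch was folded into the success test `if ( $is_user == true && $_PSL['LDAP_Register_Auth'] == true )`; the invalid-credentials message is then written to `$this->auth["error"]` even though `$is_user` is true and is returned. Keep `if ( $is_user == true )` as the outer test and nest `if ( $_PSL['LDAP_Register_Auth'] == true )` around the registration block only. This key also disagrees with `$_PSL['LDAP_Auth_Register']` read in psl_preauth earlier in this diff, so one of the spellings is a typo. A failed `psl_register_authed()` sets an error yet the function still returns true; decide whether a registration failure should deny the login and document that in the psl_validate docblock, along with the fact that `$ary['password']` persists `md5("$username:$password")` into SQL as the value psl_preauth later trusts.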
***************
*** 214,218 ****
debug('psl_ldap_search_user() ', ' failed');
return false;
! }
}
?>
--- 300,304 ----
debug('psl_ldap_search_user() ', ' failed');
return false;
! }
}
?>