cmdbAbstractObject UserInternal /** * LDAP Authentication * User authentication Module, no password at all! * * @copyright Copyright (C) 2010-2020 Combodo SARL * @license http://opensource.org/licenses/AGPL-3.0 */ addon/authentication,grant_by_profile,silo false autoincrement priv_user_ldap id %1$s ldap_server true false public OQLMenuNode Get('ldap_server'); if (empty($sServer)) { $sLDAPHost = MetaModel::GetModuleSetting('authent-ldap', 'host', 'localhost'); $iLDAPPort = MetaModel::GetModuleSetting('authent-ldap', 'port', 389); $sDefaultLDAPUser = MetaModel::GetModuleSetting('authent-ldap', 'default_user', ''); $sDefaultLDAPPwd = MetaModel::GetModuleSetting('authent-ldap', 'default_pwd', ''); $bLDAPStartTLS = MetaModel::GetModuleSetting('authent-ldap', 'start_tls', false); $aOptions = MetaModel::GetModuleSetting('authent-ldap', 'options', array()); $sLDAPUserQuery = MetaModel::GetModuleSetting('authent-ldap', 'user_query', ''); $sBaseDN = MetaModel::GetModuleSetting('authent-ldap', 'base_dn', ''); $bDebug = MetaModel::GetModuleSetting('authent-ldap', 'debug', false); } else { $aServers = MetaModel::GetModuleSetting('authent-ldap', 'servers', array()); if (!array_key_exists($sServer, $aServers)) { $bDebug = MetaModel::GetModuleSetting('authent-ldap', 'debug', false); $this->LogIssue($bDebug, "ldap_authentication: bad LDAP server configuration: '$sServer' not found"); return false; } $aServerParams = $aServers[$sServer]; $sLDAPHost = isset($aServerParams['host']) ? $aServerParams['host'] : 'localhost'; $iLDAPPort = isset($aServerParams['port']) ? $aServerParams['port'] : 389; $sDefaultLDAPUser = isset($aServerParams['default_user']) ? $aServerParams['default_user'] : ''; $sDefaultLDAPPwd = isset($aServerParams['default_pwd']) ? $aServerParams['default_pwd'] : ''; $bLDAPStartTLS = isset($aServerParams['start_tls']) ? $aServerParams['start_tls'] : false; $aOptions = isset($aServerParams['options']) ? $aServerParams['options'] : array(); $sLDAPUserQuery = isset($aServerParams['user_query']) ? $aServerParams['user_query'] : ''; $sBaseDN = isset($aServerParams['base_dn']) ? $aServerParams['base_dn'] : ''; $bDebug = isset($aServerParams['debug']) ? $aServerParams['debug'] : false; } $hDS = @ldap_connect($sLDAPHost, $iLDAPPort); if ($hDS === false) { $this->LogIssue($bDebug, "ldap_authentication: can not connect to the LDAP server '$sLDAPHost' (port: $iLDAPPort). Check the configuration file config-itop.php."); return false; } if (array_key_exists(LDAP_OPT_DEBUG_LEVEL, $aOptions)) { // Set debug level before trying to connect, so that debug info appear in the PHP error log if ldap_connect goes wrong $bRet = ldap_set_option($hDS, LDAP_OPT_DEBUG_LEVEL, $aOptions[LDAP_OPT_DEBUG_LEVEL]); $this->LogInfo($bDebug, "ldap_set_option('LDAP_OPT_DEBUG_LEVEL', '{$aOptions[LDAP_OPT_DEBUG_LEVEL]}') returned ".($bRet ? 'true' : 'false')); } foreach($aOptions as $name => $value) { $bRet = ldap_set_option($hDS, $name, $value); $this->LogInfo($bDebug, "ldap_set_option('$name', '$value') returned ".($bRet ? 'true' : 'false')); } if ($bLDAPStartTLS) { $this->LogInfo($bDebug, "ldap_authentication: start tls required."); $hStartTLS = ldap_start_tls($hDS); //$this->LogIssue($bDebug, "ldap_authentication: hStartTLS = '$hStartTLS'"); if (!$hStartTLS) { $this->LogIssue($bDebug, "ldap_authentication: start tls failed."); return false; } } if ($bind = @ldap_bind($hDS, $sDefaultLDAPUser, $sDefaultLDAPPwd)) { // Search for the person, using the specified query expression $sLogin = $this->Get('login'); $iContactId = $this->Get('contactid'); $sFirstName = ''; $sLastName = ''; $sEMail = ''; if ($iContactId > 0) { $oPerson = MetaModel::GetObject('Person', $iContactId); if (is_object($oPerson)) { $sFirstName = $oPerson->Get('first_name'); $sLastName = $oPerson->Get('name'); $sEMail = $oPerson->Get('email'); } } // %1$s => login // %2$s => first name // %3$s => last name // %4$s => email $sQuery = sprintf($sLDAPUserQuery, $sLogin, $sFirstName, $sLastName, $sEMail); $hSearchResult = @ldap_search($hDS, $sBaseDN, $sQuery); $iCountEntries = ($hSearchResult !== false) ? @ldap_count_entries($hDS, $hSearchResult) : 0; switch($iCountEntries) { case 1: // Exactly one entry found, let's check the password by trying to bind with this user $aEntry = @ldap_get_entries($hDS, $hSearchResult); $sUserDN = $aEntry[0]['dn']; $bUserBind = @ldap_bind($hDS, $sUserDN, $sPassword); if (($bUserBind !== false) && !empty($sPassword)) { @ldap_unbind($hDS); return true; // Password Ok } $this->LogIssue($bDebug, "ldap_authentication: wrong password for user: '$sUserDN'."); return false; // Wrong password break; case 0: // User not found... $this->LogIssue($bDebug, "ldap_authentication: no entry found with the query '$sQuery', base_dn = '$sBaseDN'. User not found in LDAP."); break; default: // More than one entry... maybe the query is not specific enough... $this->LogIssue($bDebug, "ldap_authentication: several (".@ldap_count_entries($hDS, $hSearchResult).") entries match the query '$sQuery', base_dn = '$sBaseDN', check that the query defined in config-itop.php is specific enough."); } return false; } else { // Trace: invalid default user for LDAP initial binding $this->LogIssue($bDebug, "ldap_authentication: cannot bind to the LDAP server '$sLDAPHost' (port: $iLDAPPort), user='$sDefaultLDAPUser', pwd='****'. Error: '".ldap_error($hDS)."'. Check the configuration file config-itop.php."); return false; } }]]> false public OQLMenuNode public function TrustWebServerContext() { return false; } false public OQLMenuNode public function CanChangePassword() { return false; } false public OQLMenuNode public function ChangePassword($sOldPassword, $sNewPassword) { return false; } false protected OQLMenuNode Set('message', $sMessage); $oLog->Set('userinfo', ''); $oLog->Set('issue', 'LDAP Authentication'); $oLog->Set('impact', 'User login rejected'); $oLog->Set('data', $aData); $oLog->DBInsertNoReload(); } } IssueLog::Error($sMessage); }]]> false protected OQLMenuNode

10 20 30 40 50 60 70 80 90

10 20 30 40 50 10 20 30 40 50