LdapAuthenticationConf.class.php in Lightweight Directory Access Protocol (LDAP) 7.2
Same filename and directory in other branches
File
ldap_authentication/LdapAuthenticationConf.class.phpView source
<?php
/**
* @file
* This class represents an ldap_authentication module's configuration
* It is extended by LdapAuthenticationConfAdmin for configuration and other admin functions.
*/
module_load_include('php', 'ldap_user', 'LdapUserConf.class');
/**
*
*/
class LdapAuthenticationConf {
/**
* Server configuration ids being used for authentication.
*
* @var array
*
* @see LdapServer->sid()
*/
public $sids = [];
/**
* Server configuration ids being used for authentication.
*
* @var associativearrayofLdapServerobjectskeyedonsids
*
* @see LdapServer->sid()
* @see LdapServer
*/
public $enabledAuthenticationServers = [];
/**
* LdapUser configuration object.
*
* @var LdapUserobject
*/
/**
* Ldap_user configuration object.
*/
public $ldapUser = NULL;
/**
* Has current object been saved to the database?
*
* @var bool
*/
public $inDatabase = FALSE;
/**
* Choice of authentication modes.
*
* @var int
* LDAP_AUTHENTICATION_MODE_DEFAULT (LDAP_AUTHENTICATION_MIXED)
* LDAP_AUTHENTICATION_MIXED - signifies both LDAP and Drupal authentication are allowed
* Drupal authentication is attempted first.
* LDAP_AUTHENTICATION_EXCLUSIVE - signifies only LDAP authenication is allowed
*/
public $authenticationMode = LDAP_AUTHENTICATION_MODE_DEFAULT;
/**
* The following are used to alter the logon interface to direct users
* to local LDAP specific authentication help.
*/
/**
* Text describing username to use, such as "Hogwarts Username"
* which will be inserted on logon forms to help users figure out which
* username to use.
*
* @var string
*/
public $loginUIUsernameTxt;
/**
* Text describing password to use, such as "Hogwards LDAP Password"
* which will be inserted on logon forms. Useful in organizations with
* multiple account types for authentication.
*
* @var string
*/
public $loginUIPasswordTxt;
/**
* Text and Url to provide help link for password such as:
* ldapUserHelpLinkUrl: https://passwords.hogwarts.edu
* ldapUserHelpLinkText: Hogwarts IT Password Support Page.
*
* @var string
*/
public $ldapUserHelpLinkUrl;
public $ldapUserHelpLinkText = LDAP_AUTHENTICATION_HELP_LINK_TEXT_DEFAULT;
/**
* Email handling option
* LDAP_AUTHENTICATION_EMAIL_FIELD_REMOVE -- don't show email on user forms
* LDAP_AUTHENTICATION_EMAIL_FIELD_DISABLE (default) -- disable email on user forms
* LDAP_AUTHENTICATION_EMAIL_FIELD_ALLOW -- allow editing of email on user forms.
*
* @var int
*/
public $emailOption = LDAP_AUTHENTICATION_EMAIL_FIELD_DEFAULT;
/**
* Email handling option
* LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_ENABLE_NOTIFY -- (default) Update stored email if LDAP email differs at login and notify user
* LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_ENABLE -- Update stored email if LDAP email differs at login but don\'t notify user
* LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_DISABLE -- Don\'t update stored email if LDAP email differs at login.
*
* @var int
*/
public $emailUpdate = LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_DEFAULT;
/**
* Email default handling option.
*
* This affects how email addresses that are empty are handled by
* the authentication process.
*
* LDAP_AUTHENTICATION_EMAIL_TEMPLATE_NONE -- leaves the email empty
* LDAP_AUTHENTICATION_EMAIL_TEMPLATE_IF_EMPTY (default) -- if the email is empty, it will be replaced
* LDAP_AUTHENTICATION_EMAIL_TEMPLATE_ALWAYS -- always use the template
*
* @var int
*/
public $emailTemplateHandling = LDAP_AUTHENTICATION_EMAIL_TEMPLATE_DEFAULT;
/**
* Email template.
*
* @var string
*/
public $emailTemplate = LDAP_AUTHENTICATION_DEFAULT_TEMPLATE;
/**
* Whether or not to display a notification to the user on login, prompting
* them to change their email.
*
* @var bool
*/
public $templateUsagePromptUser = LDAP_AUTHENTICATION_TEMPLATE_USAGE_PROMPT_USER_DEFAULT;
/**
* Whether or not to avoid updating the email address of the user if the
* template was used to generate it.
*
* @var bool
*/
public $templateUsageNeverUpdate = LDAP_AUTHENTICATION_TEMPLATE_USAGE_NEVER_UPDATE_DEFAULT;
/**
* Whether or not to use the email template if there is a user with a different
* login name but same email address in the system.
*
* @var bool
*/
public $templateUsageResolveConflict = LDAP_AUTHENTICATION_TEMPLATE_USAGE_RESOLVE_CONFLICT_DEFAULT;
/**
* A PCRE regular expression (minus the delimiter and flags) that will be used
* if $templateUsagePromptUser is set to true to determine if the email
* address is a fake one or not.
*
* By allowing this to be customized, we let the administrators handle older
* patterns should they decide to change the existing one, as well as avoiding
* the complexity of determining a proper regex from the template.
*
* @var string
*/
public $templateUsagePromptRegex = LDAP_AUTHENTICATION_DEFAULT_TEMPLATE_REGEX;
/**
* Controls whether or not we should check on login if the email template was
* used and redirect the user if needed.
*
* @var bool
*/
public $templateUsageRedirectOnLogin = LDAP_AUTHENTICATION_REDIRECT_ON_LOGIN_DEFAULT;
/**
* Password handling option
* LDAP_AUTHENTICATION_PASSWORD_FIELD_SHOW -- show field disabled on user forms
* LDAP_AUTHENTICATION_PASSWORD_FIELD_HIDE (default) -- disable password on user forms
* LDAP_AUTHENTICATION_PASSWORD_FIELD_ALLOW -- allow editing of password on user forms.
*
* @var int
*/
public $passwordOption = LDAP_AUTHENTICATION_PASSWORD_FIELD_DEFAULT;
public $ssoEnabled = FALSE;
public $ssoRemoteUserStripDomainName = FALSE;
public $ssoExcludedPaths = NULL;
public $ssoExcludedHosts = NULL;
public $seamlessLogin = FALSE;
public $ssoNotifyAuthentication = FALSE;
public $ldapImplementation = FALSE;
public $cookieExpire = LDAP_AUTHENTICATION_COOKIE_EXPIRE;
public $apiPrefs = [];
/**
* Advanced options. whitelist / blacklist options.
*
* These are on the fuzzy line between authentication and authorization
* and determine if a user is allowed to authenticate with ldap.
*/
/**
* Text which must be present in user's LDAP entry's DN for user to authenticate with LDAP
* e.g. "ou=people".
*
* @var string
*/
/**
* Eg ou=education that must be met to allow ldap authentication.
*/
public $allowOnlyIfTextInDn = [];
/**
* Text which prohibits logon if found in user's LDAP entry's DN for user to authenticate with LDAP
* e.g. "ou=guest accounts".
*
* @var string
*/
public $excludeIfTextInDn = [];
/**
* Code that prints 1 or 0 signifying if user is allowed
* should not start with <?php.
*
* @var stringofphp
*/
public $allowTestPhp = NULL;
/**
* If at least 1 ldap authorization must exist for user to be allowed
* True signfies disallow if no authorizations.
* False signifies don't consider authorizations.
*
* @var bool
*/
public $excludeIfNoAuthorizations = LDAP_AUTHENTICATION_EXCL_IF_NO_AUTHZ_DEFAULT;
public $saveable = [
'sids',
'authenticationMode',
'loginUIUsernameTxt',
'loginUIPasswordTxt',
'ldapUserHelpLinkUrl',
'ldapUserHelpLinkText',
'emailOption',
'emailUpdate',
'passwordOption',
'allowOnlyIfTextInDn',
'excludeIfTextInDn',
'allowTestPhp',
'excludeIfNoAuthorizations',
'ssoRemoteUserStripDomainName',
'ssoExcludedPaths',
'ssoExcludedHosts',
'seamlessLogin',
'ssoNotifyAuthentication',
'ldapImplementation',
'cookieExpire',
'emailTemplate',
'emailTemplateHandling',
'templateUsagePromptUser',
'templateUsageNeverUpdate',
'templateUsageResolveConflict',
'templateUsagePromptRegex',
'templateUsageRedirectOnLogin',
];
/**
*
*/
public function hasEnabledAuthenticationServers() {
return !(count($this->enabledAuthenticationServers) == 0);
}
/**
*
*/
public function enabled_servers() {
return $this
->hasEnabledAuthenticationServers();
}
/**
*
*/
public function __construct() {
$this
->load();
}
/**
*
*/
public function load() {
if ($saved = variable_get("ldap_authentication_conf", FALSE)) {
$this->inDatabase = TRUE;
foreach ($this->saveable as $property) {
if (isset($saved[$property])) {
$this->{$property} = $saved[$property];
}
}
// Reset in case reloading instantiated object.
$this->enabledAuthenticationServers = [];
$enabled_ldap_servers = ldap_servers_get_servers(NULL, 'enabled');
foreach ($this->sids as $sid => $enabled) {
if ($enabled && isset($enabled_ldap_servers[$sid])) {
$this->enabledAuthenticationServers[$sid] = $enabled_ldap_servers[$sid];
}
}
}
else {
$this->inDatabase = FALSE;
}
$this->ldapUser = new LdapUserConf();
$this->ssoEnabled = module_exists('ldap_sso');
$this->apiPrefs['requireHttps'] = variable_get('ldap_servers_require_ssl_for_credentials', 0);
$this->apiPrefs['encryption'] = variable_get('ldap_servers_encryption', LDAP_SERVERS_ENC_TYPE_CLEARTEXT);
}
/**
* Destructor Method.
*/
public function __destruct() {
}
/**
* Decide if a username is excluded or not.
*
* @param string $name
* as proposed drupal username.
* @param array $ldap_user
* where top level keys are 'dn','attr','mail'.
*
* @return boolean FALSE means NOT allow; TRUE means allow
*
* @todo. this function should simply invoke hook_ldap_authentication_allowuser_results_alter
* and most of this function should go in ldap_authentication_allowuser_results_alter
*/
public function allowUser($name, $ldap_user) {
/**
* do one of the exclude attribute pairs match
*/
$ldap_user_conf = ldap_user_conf();
// If user does not already exists and deferring to user settings AND user settings only allow.
$user_register = variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL);
foreach ($this->excludeIfTextInDn as $test) {
if (stripos($ldap_user['dn'], $test) !== FALSE) {
// Match.
return FALSE;
}
}
/**
* evaluate php if it exists
*/
if ($this->allowTestPhp) {
if (module_exists('php')) {
global $_name, $_ldap_user_entry;
$_name = $name;
$_ldap_user_entry = $ldap_user;
$code = '<?php ' . "global \$_name; \n global \$_ldap_user_entry; \n" . $this->allowTestPhp . ' ?>';
$code_result = php_eval($code);
$_name = NULL;
$_ldap_user_entry = NULL;
if ((bool) $code_result == FALSE) {
return FALSE;
}
}
else {
drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
$tokens = [
'!ldap_authentication_config' => l(t('LDAP Authentication Configuration'), 'admin/config/people/ldap/authentication'),
];
watchdog('ldap_authentication', 'LDAP Authentication is configured to deny users based on php execution with php_eval function, but php module is not enabled. Please enable php module or remove php code at !ldap_authentication_config .', $tokens);
return FALSE;
}
}
/**
* do one of the allow attribute pairs match
*/
if (count($this->allowOnlyIfTextInDn)) {
$fail = TRUE;
foreach ($this->allowOnlyIfTextInDn as $test) {
if (stripos($ldap_user['dn'], $test) !== FALSE) {
$fail = FALSE;
}
}
if ($fail) {
return FALSE;
}
}
/**
* is excludeIfNoAuthorizations option enabled and user not granted any groups
*/
if ($this->excludeIfNoAuthorizations) {
if (!module_exists('ldap_authorization')) {
drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
$tokens = [
'!ldap_authentication_config' => l(t('LDAP Authentication Configuration'), 'admin/config/people/ldap/authentication'),
];
watchdog('ldap_authentication', 'LDAP Authentication is configured to deny users without LDAP Authorization mappings, but LDAP Authorization module is not enabled. Please enable and configure LDAP Authorization or disable this option at !ldap_authentication_config .', $tokens);
return FALSE;
}
$user = new stdClass();
$user->name = $name;
// Fake user property added for query.
$user->ldap_authenticated = TRUE;
$consumers = ldap_authorization_get_consumers();
$has_enabled_consumers = FALSE;
$has_ldap_authorizations = FALSE;
foreach ($consumers as $consumer_type => $consumer_config) {
$consumer_obj = ldap_authorization_get_consumer_object($consumer_type);
if ($consumer_obj->consumerConf->status) {
$has_enabled_consumers = TRUE;
list($authorizations, $notifications) = ldap_authorizations_user_authorizations($user, 'query', $consumer_type, 'test_if_authorizations_granted');
if (isset($authorizations[$consumer_type]) && count($authorizations[$consumer_type]) > 0) {
$has_ldap_authorizations = TRUE;
}
}
}
if (!$has_enabled_consumers) {
drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning');
$tokens = [
'!ldap_consumer_config' => l(t('LDAP Authorization Configuration'), 'admin/config/people/ldap/authorization'),
];
watchdog('ldap_authentication', 'LDAP Authentication is configured to deny users without LDAP Authorization mappings, but 0 LDAP Authorization consumers are configured: !ldap_consumer_config .', $tokens);
return FALSE;
}
elseif (!$has_ldap_authorizations) {
return FALSE;
}
}
// Allow other modules to hook in and refuse if they like.
$hook_result = TRUE;
drupal_alter('ldap_authentication_allowuser_results', $ldap_user, $name, $hook_result);
if ($hook_result === FALSE) {
watchdog('ldap_authentication', "Authentication Allow User Result=refused for %name", [
'%name' => $name,
], WATCHDOG_NOTICE);
return FALSE;
}
/**
* default to allowed
*/
return TRUE;
}
}Classes
Name |
Description |
|---|---|
| LdapAuthenticationConf |