View source
<?php
include_once 'ldap_integration/ldapauth.conf.php';
include_once 'ldap_integration/libdebug.php';
include_once 'ldap_integration/LDAPInterface.php';
define('LDAP_FIRST_DRUPAL', 0);
define('LDAP_FIRST_LDAP', 1);
define('LDAP_RESET_FORM_NO', 0);
define('LDAP_RESET_FORM_OVERWRITE', 1);
define('LDAP_RESET_FORM_MERGE', 2);
define('LDAP_EMAIL_FIELD_NO', 0);
define('LDAP_EMAIL_FIELD_REMOVE', 1);
define('LDAP_EMAIL_FIELD_DISABLE', 2);
define('LDAP_DEFAULT_ORG', 'LDAP Directory');
define('LDAP_DEFAULT_BASE_DN', 'ou=Users,dc=drupal,dc=org');
define('LDAP_DEFAULT_USER_ATTRIBUTE', 'sAMAccountName');
define('LDAP_DEFAULT_MAIL_ATTRIBUTE', 'mail');
$GLOBALS['ldapauth_ldap'] = new LDAPInterface();
function ldapauth_help($section) {
$output = '';
switch ($section) {
case 'admin/modules#name':
$output = 'ldapauth';
break;
case 'admin/modules#description':
case 'admin/help#ldapauth':
$output = t('Enables authentication via LDAP.');
break;
case 'user/help#ldapauth':
$output = t('Login using LDAP.');
break;
}
return $output;
}
function ldapauth_info($field = 0) {
$info['name'] = 'LDAP authentication';
$info['protocol'] = 'LDAP';
if ($field) {
return $info[$field];
}
else {
return $info;
}
}
function ldapauth_menu($may_cache) {
$items = array();
if ($may_cache) {
$items[] = array(
'path' => 'admin/settings/ldapauth',
'title' => t('LDAP Integration'),
'callback' => 'ldapauth_admin_list',
'access' => user_access('administer ldap modules'),
'description' => t('Configure LDAP settings'),
);
$items[] = array(
'path' => 'admin/settings/ldapauth/list',
'title' => t('List'),
'callback' => 'ldapauth_admin_list',
'access' => user_access('administer ldap modules'),
'type' => MENU_DEFAULT_LOCAL_TASK,
);
$items[] = array(
'path' => 'admin/settings/ldapauth/add',
'title' => t('Configure LDAP Server'),
'callback' => 'drupal_get_form',
'callback arguments' => array(
'ldapauth_admin_form',
),
'type' => MENU_LOCAL_TASK,
'weight' => 1,
'access' => user_access('administer ldap modules'),
);
$items[] = array(
'path' => 'admin/settings/ldapauth/options',
'title' => t('System Wide Options'),
'callback' => 'drupal_get_form',
'callback arguments' => array(
'ldapauth_admin_options',
),
'type' => MENU_LOCAL_TASK,
'weight' => 2,
'access' => user_access('administer ldap modules'),
);
$items[] = array(
'path' => 'admin/settings/ldapauth/edit',
'title' => t('Configure LDAP Server'),
'callback' => 'drupal_get_form',
'callback arguments' => array(
'ldapauth_admin_form',
),
'type' => MENU_CALLBACK,
'access' => user_access('administer ldap modules'),
);
$items[] = array(
'path' => 'admin/settings/ldapauth/delete',
'title' => t('Delete LDAP Server'),
'callback' => 'drupal_get_form',
'callback arguments' => array(
'ldapauth_admin_delete',
),
'type' => MENU_CALLBACK,
'access' => user_access('administer ldap modules'),
);
$items[] = array(
'path' => 'admin/settings/ldapauth/activate',
'title' => t('Activate LDAP Source'),
'callback' => 'drupal_get_form',
'callback arguments' => array(
'ldapauth_admin_activate',
),
'type' => MENU_CALLBACK,
'access' => user_access('administer ldap modules'),
);
$items[] = array(
'path' => 'admin/settings/ldapauth/deactivate',
'title' => t('De-Activate LDAP Source'),
'callback' => 'drupal_get_form',
'callback arguments' => array(
'ldapauth_admin_deactivate',
),
'type' => MENU_CALLBACK,
'access' => user_access('administer ldap modules'),
);
}
return $items;
}
function ldapauth_perm() {
return array(
'administer ldap modules',
);
}
function ldapauth_cron() {
cache_clear_all(NULL, 'cache_filter');
}
function ldapauth_admin_list() {
$sql = "SELECT sid, name, status FROM {ldapauth} ORDER BY sid";
$result = db_query($sql);
$rows = array();
while ($row = db_fetch_object($result)) {
if ($row->status) {
$link_text = "de-activate";
$link_comp = "deactivate";
}
else {
$link_text = "activate";
$link_comp = "activate";
}
$rows[] = array(
$row->name,
l(t('edit'), 'admin/settings/ldapauth/edit/' . $row->sid),
l(t('!link_text', array(
'!link_text' => $link_text,
)), 'admin/settings/ldapauth/' . $link_comp . '/' . $row->sid),
l(t('delete'), 'admin/settings/ldapauth/delete/' . $row->sid),
);
}
$header = array(
t('LDAP Config'),
array(
'data' => t('Operations'),
'colspan' => '3',
),
);
return theme('table', $header, $rows);
}
function ldapauth_admin_deactivate() {
if (!($sid = arg(4))) {
drupal_goto('admin/settings/ldapauth');
}
if ($row = db_fetch_object(db_query("SELECT name FROM {ldapauth} WHERE sid = %d", $sid))) {
$form['sid'] = array(
'#type' => 'hidden',
'#value' => $sid,
);
return confirm_form($form, t('Are you sure you want to de-activate the ldap configration named <em><strong>%server</strong></em>?', array(
'%server' => $row->name,
)), 'admin/settings/ldapauth', '', t('De-activate'), t('Cancel'));
}
else {
drupal_set_message(t('No such LDAP configuration.'));
drupal_goto('admin/settings/ldapauth');
}
}
function ldapauth_admin_deactivate_submit($form_id, $form_values) {
if ($sid = $form_values['sid']) {
db_query("UPDATE {ldapauth} SET status = %d WHERE sid = %d", 0, $sid);
drupal_set_message(t('LDAP Configuration has been de-activated.'));
watchdog('ldap', t('ldapauth: ldap config %config de-activated.', array(
'%config' => $sid,
)));
}
drupal_goto('admin/settings/ldapauth');
}
function ldapauth_admin_activate() {
if (!($sid = arg(4))) {
drupal_goto('admin/settings/ldapauth');
}
if ($row = db_fetch_object(db_query("SELECT name FROM {ldapauth} WHERE sid = %d", $sid))) {
$form['sid'] = array(
'#type' => 'hidden',
'#value' => $sid,
);
return confirm_form($form, t('Are you sure you want to activate the ldap configration named <em><strong>%server</strong></em>?', array(
'%server' => $row->name,
)), 'admin/settings/ldapauth', '', t('Activate'), t('Cancel'));
}
else {
drupal_set_message(t('No such LDAP configuration.'));
drupal_goto('admin/settings/ldapauth');
}
}
function ldapauth_admin_activate_submit($form_id, $form_values) {
if ($sid = $form_values['sid']) {
db_query("UPDATE {ldapauth} SET status = %d WHERE sid = %d", 1, $sid);
drupal_set_message(t('LDAP Configuration %config has been activated.'));
watchdog('ldap', t('ldapauth: ldap config %config activated.', array(
'%config' => $sid,
)));
}
drupal_goto('admin/settings/ldapauth');
}
function ldapauth_admin_options() {
$options_login_process = array(
LDAP_FIRST_DRUPAL => t('Drupal\'s DB first, then LDAP directory'),
LDAP_FIRST_LDAP => t('LDAP directory only'),
);
$form['system-options'] = array(
'#type' => 'fieldset',
'#title' => t('Authentication mode'),
'#description' => t('<p><strong>NOTE:</strong> These settings have no effect on Drupal user with uid 1. The admin account never uses LDAP.</p>'),
'#collapsible' => TRUE,
'#collapsed' => TRUE,
);
$form['system-options']['ldap_login_process'] = array(
'#type' => 'radios',
'#title' => t('Choose authentication mode'),
'#description' => t('<p>Pick the mode based on the types of user accounts and other configuration decisions...</p>'),
'#default_value' => variable_get('ldap_login_process', LDAP_FIRST_DRUPAL),
'#options' => $options_login_process,
'#required' => true,
);
$form['security-options'] = array(
'#type' => 'fieldset',
'#title' => t('Security Options'),
'#collapsible' => TRUE,
'#description' => t('<p>If you use the <strong>ldapdata</strong> module and want to allow users to modify their LDAP attributes, you have two options:</p><ul><li>Setup a special ldap manager DN that has (limited) permissions to edit the requisite LDAP records - using this method means Drupal\'s built in password reset will work;</li> <li>or allow this module to store the user\'s LDAP password, in clear text, during the session;</li></ul><p>Physically, these passwords are stored in the Drupal\'s session table in clear text. This is not ideal and is not the recomended configuration.</p><p>Unless you need to use the latter configuration, leave this checked.</p>'),
'#collapsed' => TRUE,
);
$form['security-options']['ldap_forget_passwords'] = array(
'#type' => 'checkbox',
'#title' => t('Do not store users\' passwords during sessions'),
'#return_value' => true,
'#default_value' => variable_get('ldap_forget_passwords', true),
);
$form['anonymous-ui'] = array(
'#type' => 'fieldset',
'#title' => t('Anonymous UI Options'),
'#description' => t('<p>Effects the interface for all non-authenticated users.</p>'),
'#collapsible' => TRUE,
'#collapsed' => TRUE,
);
$form['anonymous-ui']['ldap_disable_request_new_password'] = array(
'#type' => 'checkbox',
'#title' => t('Remove <em>Request new password</em> link from login block'),
'#return_value' => TRUE,
'#default_value' => variable_get('ldap_disable_request_new_password', FALSE),
);
$options_reset_form = array(
LDAP_RESET_FORM_NO => t('Do nothing'),
LDAP_RESET_FORM_OVERWRITE => t('Overwrite form with HTML in textfield'),
LDAP_RESET_FORM_MERGE => t('Prepend HTML to form'),
);
$form['anonymous-ui']['ldap_alter_reset_form'] = array(
'#type' => 'radios',
'#title' => t('Alter <em>Request New Password</em> form'),
'#default_value' => variable_get('ldap_alter_reset_form', LDAP_RESET_FORM_NO),
'#options' => $options_reset_form,
'#required' => true,
);
$form['anonymous-ui']['ldap_user_pass_form'] = array(
'#type' => 'textarea',
'#title' => t('New password reset message'),
'#default_value' => variable_get('ldap_user_pass_form', '<h2>Form disabled by administrator.<h2>'),
'#cols' => 45,
'#rows' => 3,
'#maxlength' => 250,
'#disabled' => variable_get('ldap_alter_reset_form', LDAP_RESET_FORM_NO) == LDAP_RESET_FORM_NO ? TRUE : FALSE,
'#description' => t('<p>The <em>Request New Password</em> form cannot be removed, but it can be altered. Pick the mode based on the types of user accounts and other configuration decisions.</p>'),
);
$form['ldap-ui'] = array(
'#type' => 'fieldset',
'#title' => t('LDAP UI Options'),
'#description' => t('<p>Alters LDAP users\' interface only, though admin accounts can still access email and password fields of LDAP users regardless of selections. Does not effect non-LDAP authenticated accounts. </p>'),
'#collapsible' => TRUE,
'#collapsed' => TRUE,
);
$form['ldap-ui']['ldap_disable_user_request_password'] = array(
'#type' => 'checkbox',
'#title' => t('Remove password change fields from user edit form'),
'#default_value' => variable_get('ldap_disable_user_request_password', FALSE),
);
$options_email_field = array(
LDAP_EMAIL_FIELD_NO => t('Do nothing'),
LDAP_EMAIL_FIELD_REMOVE => t('Remove email field from form'),
LDAP_EMAIL_FIELD_DISABLE => t('Disable email field on form'),
);
$form['ldap-ui']['ldap_alter_email_field'] = array(
'#type' => 'radios',
'#title' => t('Alter email field on user edit form'),
'#description' => t('<p>Remove or disable email field from user edit form for LDAP authenticated users.</p>'),
'#default_value' => variable_get('ldap_alter_email_field', LDAP_EMAIL_FIELD_NO),
'#options' => $options_email_field,
'#required' => true,
);
$form['ldap_restore_defaults'] = array(
'#type' => 'checkbox',
'#title' => t('Reset to default values'),
'#default_value' => variable_get('ldap_restore_defaults', FALSE),
);
$form['submit'] = array(
'#type' => 'submit',
'#value' => 'Save configuration',
);
return $form;
}
function ldapauth_admin_options_submit($form_id, $form_values) {
if ($form_values['ldap_restore_defaults']) {
variable_del('ldap_disable_request_new_password');
variable_del('ldap_alter_reset_form');
variable_del('ldap_alter_email_field');
variable_del('ldap_user_pass_form');
variable_del('ldap_disable_user_request_password');
variable_del('ldap_forget_passwords');
variable_del('ldap_login_process');
$msg = 'System wide LDAP settings reset to defaults';
}
else {
variable_set('ldap_user_pass_form', $form_values['ldap_user_pass_form']);
variable_set('ldap_disable_request_new_password', $form_values['ldap_disable_request_new_password']);
variable_set('ldap_forget_passwords', $form_values['ldap_forget_passwords']);
variable_set('ldap_login_process', $form_values['ldap_login_process']);
variable_set('ldap_disable_user_request_password', $form_values['ldap_disable_user_request_password']);
variable_set('ldap_alter_reset_form', $form_values['ldap_alter_reset_form']);
variable_set('ldap_alter_email_field', $form_values['ldap_alter_email_field']);
$msg = 'System wide LDAP settings saved';
}
drupal_set_message($msg);
return 'admin/settings/ldapauth/options';
}
function ldapauth_admin_form() {
$sid = arg(4);
if (arg(3) == "edit" && is_numeric($sid)) {
$edit = db_fetch_array(db_query("SELECT * FROM {ldapauth} WHERE sid = %d", $sid));
$form['sid'] = array(
'#type' => 'hidden',
'#value' => $sid,
);
}
$form['server-settings'] = array(
'#type' => 'fieldset',
'#title' => t('Server settings'),
'#collapsible' => TRUE,
'#collapsed' => FALSE,
);
$form['server-settings']['name'] = array(
'#type' => 'textfield',
'#title' => t('Name'),
'#default_value' => $edit['name'],
'#description' => t('Choose a <em><strong>unique</strong></em> name for this server configuration.'),
'#size' => 50,
'#maxlength' => 255,
'#required' => TRUE,
);
$form['server-settings']['server'] = array(
'#type' => 'textfield',
'#title' => t('LDAP server'),
'#default_value' => $edit['server'],
'#size' => 50,
'#maxlength' => 255,
'#description' => t('<p>The domain name or IP address of your LDAP Server.</p>'),
'#required' => TRUE,
);
$_port = $edit['port'] == '0' ? "389" : $edit['port'];
$form['server-settings']['port'] = array(
'#type' => 'textfield',
'#title' => t('LDAP port'),
'#default_value' => $_port,
'#size' => 50,
'#maxlength' => 255,
'#description' => t('<p>The TCP/IP port on the above server which accepts LDAP connections. Must be an integer.</p>'),
);
$form['server-settings']['tls'] = array(
'#type' => 'checkbox',
'#title' => t('Use Start-TLS'),
'#return_value' => 1,
'#default_value' => $edit['tls'],
'#description' => t('<p>Secure the connection between the Drupal and the LDAP servers using TLS.<br /><em>Note: To use START-TLS, you must set the LDAP Port to 389.</em></p>'),
);
$form['server-settings']['encrypted'] = array(
'#type' => 'checkbox',
'#title' => t('Store passwords in encrypted form'),
'#return_value' => 1,
'#default_value' => $edit['encrypted'],
'#description' => t('<p>Secure the password in LDAP by storing it MD5 encrypted (use with care, as some LDAP directories may do this automatically, what would cause logins problems).</p>'),
);
$form['login-procedure'] = array(
'#type' => 'fieldset',
'#title' => 'Login procedure',
'#collapsible' => TRUE,
'#collapsed' => TRUE,
);
$form['login-procedure']['basedn'] = array(
'#type' => 'textarea',
'#title' => t('Base DNs'),
'#default_value' => $edit['basedn'],
'#cols' => 50,
'#rows' => 6,
'#description' => t('<p>Base DNs for users. Enter one per line in case you need several of them.</p>'),
);
$form['login-procedure']['user_attr'] = array(
'#type' => 'textfield',
'#title' => t('UserName attribute'),
'#default_value' => $edit['user_attr'],
'#size' => 50,
'#maxlength' => 255,
'#description' => t('<p>The attribute that holds the users\' login name. (eg. <em style="font-style: normal; padding: 1px 3px; border: 1px solid #8888CC; background-color: #DDDDFF">cn</em> for eDir or <em style="font-style: normal; padding: 1px 3px; border: 1px solid #8888CC; background-color: #DDDDFF">sAMAccountName</em> for Active Directory).</p>'),
);
$form['login-procedure']['mail_attr'] = array(
'#type' => 'textfield',
'#title' => t('Email attribute'),
'#default_value' => $edit['mail_attr'],
'#size' => 50,
'#maxlength' => 255,
'#description' => t('<p>The attribute that holds the users\' email address. (eg. <em style="font-style: normal; padding: 1px 3px; border: 1px solid #8888CC; background-color: #DDDDFF">mail</em>).</p>'),
);
$form['advanced'] = array(
'#type' => 'fieldset',
'#title' => 'Advanced configuration',
'#collapsible' => TRUE,
'#collapsed' => TRUE,
);
$form['advanced']['ldap-note'] = array(
'#value' => '<p>The process of authentication starts by establishing an anonymous connection to the LDAP directory and looking up for the user on it. Once this user is found, LDAP authentication is performed on them.</p><p>However, some LDAP configurations (specially common in <strong>Active Directory</strong> setups) restrict anonymous searches.</p><p>If your LDAP setup does not allow anonymous searches, or these are restricted in such a way that login names for users cannot be retrieved as a result of them, then you have to specify here a DN//password pair that will be used for these searches.</p><p>For security reasons, this pair should belong to an LDAP account with stripped down permissions.</p>',
);
$form['advanced']['binddn'] = array(
'#type' => 'textfield',
'#title' => t('DN for non-anonymous search'),
'#default_value' => $edit['binddn'],
'#size' => 50,
'#maxlength' => 255,
);
if ($edit['bindpw_clear'] || !$edit['bindpw']) {
$form['advanced']['bindpw'] = array(
'#type' => 'password',
'#title' => t('Password for non-anonymous search'),
'#size' => 50,
'#maxlength' => 255,
);
}
else {
$form['advanced']['bindpw_clear'] = array(
'#type' => 'checkbox',
'#title' => t('Clear current password'),
'#default_value' => false,
);
}
$form['submit'] = array(
'#type' => 'submit',
'#value' => 'Save configuration',
);
return $form;
}
function ldapauth_admin_form_submit($form_id, $form_values) {
if (arg(3) == 'add') {
if (db_fetch_object(db_query("SELECT name FROM {ldapauth} WHERE name = '%s'", $form_values['name']))) {
form_set_error('name', t('An LDAP config with that name already exists.'));
}
db_query("INSERT INTO {ldapauth} (name, status, server, port, tls, encrypted, basedn, user_attr, mail_attr, binddn, bindpw) VALUES ('%s', '%d', '%s', '%d', '%d', '%d', '%s', '%s', '%s', '%s', '%s')", $form_values['name'], 1, $form_values['server'], $form_values['port'], $form_values['tls'], $form_values['encrypted'], $form_values['basedn'], trim($form_values['user_attr']), trim($form_values['mail_attr']), $form_values['binddn'], $form_values['bindpw']);
drupal_set_message(t('LDAP Configuration %config has been added.', array(
'%config' => $form_values['name'],
)));
watchdog('ldap', t('ldapauth: ldap config %config added.', array(
'%config' => $form_values['name'],
)));
}
else {
if (!$form_values['bindpw_clear'] && $form_values['bindpw']) {
db_query("UPDATE {ldapauth} SET name = '%s', server = '%s', port = '%d', tls = '%d', encrypted = '%d', basedn = '%s', user_attr = '%s', mail_attr = '%s', binddn = '%s', bindpw = '%s', bindpw_clear = '%d' WHERE sid = %d", $form_values['name'], $form_values['server'], $form_values['port'], $form_values['tls'], $form_values['encrypted'], $form_values['basedn'], trim($form_values['user_attr']), trim($form_values['mail_attr']), $form_values['binddn'], $form_values['bindpw'], $form_values['bindpw_clear'], $form_values['sid']);
}
else {
db_query("UPDATE {ldapauth} SET name = '%s', server = '%s', port = '%d', tls = '%d', encrypted = '%d', basedn = '%s', user_attr = '%s', mail_attr = '%s', binddn = '%s', bindpw_clear = '%d' WHERE sid = %d", $form_values['name'], $form_values['server'], $form_values['port'], $form_values['tls'], $form_values['encrypted'], $form_values['basedn'], trim($form_values['user_attr']), trim($form_values['mail_attr']), $form_values['binddn'], $form_values['bindpw_clear'], $form_values['sid']);
}
drupal_set_message(t('LDAP Configuration %config has been updated.', array(
'%config' => $form_values['name'],
)));
watchdog('ldap', t('ldapauth: ldap config %config updated.', array(
'%config' => $form_values['name'],
)));
}
return 'admin/settings/ldapauth';
}
function ldapauth_admin_delete() {
if (!($sid = arg(4))) {
drupal_goto('admin/settings/ldapauth');
}
if ($result = db_fetch_object(db_query("SELECT name FROM {ldapauth} WHERE sid = %d", $sid))) {
$form['sid'] = array(
'#type' => 'hidden',
'#value' => $sid,
);
return confirm_form($form, t('Are you sure you want to delete the ldap configration named <em><strong>%server</strong></em>?', array(
'%server' => $result->name,
)), 'admin/settings/ldapauth', t('<p>This action cannot be undone.</p>'), t('Delete'), t('Cancel'));
}
else {
drupal_set_message(t('No such LDAP configuration.'));
drupal_goto('admin/settings/ldapauth');
}
}
function ldapauth_admin_delete_submit($form_id, $form_values) {
if ($sid = $form_values['sid']) {
db_query("DELETE FROM {ldapauth} WHERE sid = %d", $sid);
drupal_set_message(t('LDAP Configuration has been deleted.'));
watchdog('ldap', t('ldapauth: ldap config %config deleted.', array(
'%config' => $form_values['sid'],
)));
}
return 'admin/settings/ldapauth';
}
function ldapauth_auth($name, $pass, $server) {
global $ldapauth_ldap;
if (empty($pass)) {
return false;
}
$login_name = $server ? $name . '@' . $server : $name;
if (function_exists('ldapauth_transform_login_name')) {
$login_name = call_user_func('ldapauth_transform_login_name', $login_name);
}
$result = db_query("SELECT name FROM {ldapauth} WHERE status = '%d' ORDER BY sid", 1);
while ($row = db_fetch_object($result)) {
_ldapauth_init($row->name);
$dn = _ldapauth_login2dn($login_name);
if (empty($dn)) {
continue;
}
if (!$ldapauth_ldap
->connect($dn, $pass)) {
continue;
}
if (function_exists('ldapauth_user_filter') && !call_user_func('ldapauth_user_filter', $ldapauth_ldap
->retrieveAttributes($dn))) {
continue;
}
return true;
}
return false;
}
function ldapauth_exit() {
if (variable_get('ldap_forget_passwords', false) && isset($_SESSION['ldap_login'])) {
unset($_SESSION['ldap_login']);
}
}
function ldapauth_user($op, &$edit, &$edit_user, $category = NULL) {
global $user;
switch ($op) {
case 'login':
if ($user->ldap_authentified) {
db_query("UPDATE {authmap} SET module = 'ldapauth' WHERE uid = '%d'", $user->uid);
return;
}
break;
case 'form':
if (user_access('administer users')) {
$form['ldap_settings'] = array(
'#type' => 'fieldset',
'#title' => 'LDAP authentication settings',
'#collapsible' => TRUE,
);
$form['ldap_settings']['ldap_authentified'] = array(
'#type' => 'checkbox',
'#title' => 'Authenticate via LDAP',
'#default_value' => $edit_user->ldap_authentified,
);
$form['ldap_settings']['ldap_dn'] = array(
'#type' => 'textfield',
'#title' => 'LDAP User DN',
'#default_value' => $edit_user->ldap_dn,
);
return $form;
}
break;
}
}
function _ldapauth_init($config) {
global $ldapauth_ldap;
$row = db_fetch_object(db_query("SELECT * FROM {ldapauth} WHERE name = '%s'", $config));
$ldapauth_ldap
->setOption('name', $row->name);
$ldapauth_ldap
->setOption('server', $row->server);
$ldapauth_ldap
->setOption('port', $row->port);
$ldapauth_ldap
->setOption('tls', $row->tls);
$ldapauth_ldap
->setOption('encrypted', $row->encrypted);
$ldapauth_ldap
->setOption('basedn', $row->basedn);
$ldapauth_ldap
->setOption('user_attr', $row->user_attr);
$ldapauth_ldap
->setOption('mail_attr', $row->mail_attr);
return;
}
function _ldapauth_login2dn($login) {
global $ldapauth_ldap;
$ret = '';
$user = _ldapauth_user_lookup($login);
if ($user) {
$ret = $user['dn'];
}
return $ret;
}
function _ldapauth_user_lookup($name) {
global $ldapauth_ldap;
$ret = null;
if (!$ldapauth_ldap) {
return;
}
$row = db_fetch_object(db_query("SELECT binddn, bindpw FROM {ldapauth} WHERE name = '%s'", $ldapauth_ldap
->getOption('name')));
$dn = $row->binddn;
$pass = $row->bindpw;
$ldapauth_ldap
->connect($dn, $pass);
$possible_base_dns = explode("\r\n", $ldapauth_ldap
->getOption('basedn'));
foreach ($possible_base_dns as $base_dn) {
if (!$base_dn) {
continue;
}
$name_attr = $ldapauth_ldap
->getOption('user_attr') ? $ldapauth_ldap
->getOption('user_attr') : LDAP_DEFAULT_USER_ATTRIBUTE;
$filter = "{$name_attr}={$name}";
$result = $ldapauth_ldap
->search($base_dn, $filter);
if (!$result) {
continue;
}
$num_matches = $result['count'];
if ($num_matches != 1) {
watchdog('user', "Error: {$num_matches} users found with {$filter} under {$base_dn}", WATCHDOG_ERROR);
continue;
}
$match = $result[0];
if (!isset($match[$name_attr][0])) {
$name_attr = strtolower($name_attr);
if (!isset($match[$name_attr][0])) {
continue;
}
}
$ok = false;
foreach ($match[$name_attr] as $value) {
if (strtolower($value) == strtolower($name)) {
$ok = true;
break;
}
}
if (!$ok) {
continue;
}
$ret = $match;
}
return $ret;
}
function ldapauth_form_alter($form_id, &$form) {
global $user;
if (isset($form['#validate']['user_login_validate'])) {
$form['#validate'] = array(
'ldapauth_login_validate' => array(),
);
}
switch ($form_id) {
case 'user_login_block':
if (variable_get('ldap_disable_request_new_password', FALSE)) {
unset($form['links']);
}
break;
case 'user_pass':
$opt = variable_get('ldap_alter_reset_form', LDAP_RESET_FORM_NO);
if ($opt != LDAP_RESET_FORM_NO && variable_get('ldap_user_pass_form', FALSE)) {
if ($opt == LDAP_RESET_FORM_OVERWRITE) {
$form = array(
'#value' => t(variable_get('ldap_user_pass_form', '<h2>Form disabled by administrator.</h2>')),
);
}
else {
$form_stub = array(
array(
'#value' => t(variable_get('ldap_user_pass_form', '<h2>Form disabled by administrator.</h2>')),
),
);
$form = array_merge($form_stub, $form);
}
}
break;
case 'user_edit':
if ($user->ldap_authentified) {
if (variable_get('ldap_disable_user_request_password', FALSE)) {
unset($form['account']['pass']);
}
$opt = variable_get('ldap_alter_email_field', LDAP_EMAIL_FIELD_NO);
if ($opt != LDAP_EMAIL_FIELD_NO) {
if ($opt == LDAP_EMAIL_FIELD_REMOVE) {
$form['account']['mail']['#type'] = 'hidden';
$form['account']['mail']['#attributes']['READONLY'] = 'READONLY';
$form['account']['mail']['#value'] = $form['account']['mail']['#default_value'];
}
else {
$form['account']['mail']['#attributes']['READONLY'] = 'READONLY';
}
}
if (key_exists('account', $form) && !key_exists('pass', $form['account']) && key_exists('mail', $form['account']) && $form['account']['mail']['#type'] == 'hidden') {
foreach ($form['account'] as $key => $value) {
if (substr($key, 0, 1) != '#' && !($key == 'mail' || $key == 'pass')) {
break;
}
}
$form['mail'] = $form['account']['mail'];
unset($form['account']);
}
}
break;
}
}
function ldapauth_login_validate($form_id, $form_values) {
global $user;
if (isset($form_values['name'])) {
if (user_is_blocked($form_values['name'])) {
form_set_error('login', t('The username %name has been blocked.', array(
'%name' => $form_values['name'],
)));
}
else {
if (drupal_is_denied('user', $form_values['name'])) {
form_set_error('login', t('The name %name is a reserved username.', array(
'%name' => $form_values['name'],
)));
}
else {
if ($form_values['pass']) {
$user = _ldapauth_user_authenticate($form_values['name'], trim($form_values['pass']));
if (!$user->uid) {
form_set_error('login', t('Sorry. Unrecognized username or password.') . ' ' . l(t('Have you forgotten your password?'), 'user/password'));
watchdog('user', t('Login attempt failed for %user: %error.', array(
'%user' => theme('placeholder', $form_values['name']),
)));
}
}
}
}
}
}
function _ldapauth_user_authenticate($name, $pass) {
global $user, $ldapauth_ldap;
if ($account = user_load(array(
'name' => $name,
'pass' => $pass,
'status' => 1,
))) {
if (drupal_is_denied('mail', $account->mail)) {
form_set_error('name', t('The name %name is registered using a reserved e-mail address and therefore could not be logged in.', array(
'%name' => $account->name,
)));
return;
}
}
$result = db_query("SELECT uid FROM {users} WHERE name = '%s'", $name);
if (($_user = db_fetch_object($result)) && $_user->uid == 1) {
$user = user_authenticate($name, $pass);
}
else {
if (variable_get('ldap_login_process', LDAP_FIRST_DRUPAL) != LDAP_FIRST_LDAP) {
$result = db_query("SELECT name,data FROM {users} WHERE name='%s'", $name);
$local_user_count = db_num_rows($result);
$data = db_fetch_array($result);
$data = unserialize($data['data']);
if ($local_user_count > 0 && (!isset($data['ldap_authentified']) || $data['ldap_authentified'] == 0)) {
$ldapauth_ldap = "";
$user = user_authenticate($name, $pass);
}
else {
if (ldapauth_auth($name, $pass, null)) {
$user = _ldapauth_save_user($name, $pass);
}
}
}
else {
if (ldapauth_auth($name, $pass, null)) {
$user = _ldapauth_save_user($name, $pass);
}
}
}
return $user;
}
function _ldapauth_save_user($login_string, $pass) {
global $user, $ldapauth_ldap;
$account = user_load(array(
'name' => $login_string,
));
$ldap_user = _ldapauth_user_lookup($login_string);
if ($ldap_user) {
$dn = $ldap_user['dn'];
}
if (!isset($account->uid)) {
if (variable_get('ldap_forget_passwords', true)) {
$pass = user_password(20);
}
if (key_exists($ldapauth_ldap
->getOption('mail_attr') ? $ldapauth_ldap
->getOption('mail_attr') : LDAP_DEFAULT_MAIL_ATTRIBUTE, $ldap_user)) {
$mail = $ldap_user[$ldapauth_ldap
->getOption('mail_attr')][0];
}
else {
$mail = "";
}
$init = $mail;
$userinfo = array(
'name' => $login_string,
'pass' => $pass,
'mail' => $mail,
'init' => $init,
'status' => 1,
'authname_ldapauth' => $login_string,
'ldap_authentified' => TRUE,
'ldap_dn' => $dn,
);
$user = user_save('', $userinfo);
watchdog('user', t('New external user - ldapauth: %user using module %module.', array(
'%user' => theme('placeholder', $login_string),
'%module' => theme('placeholder', 'ldapauth'),
)), WATCHDOG_NOTICE, l(t('edit'), 'user/' . $user->uid . '/edit'));
}
else {
if (!$account->ldap_authentified) {
drupal_set_message(t('Another user already exists in this system with the same login name. You should contact the system\'s administrator in order to solve this conflict.'), 'error');
watchdog('user', t('LDAP user with DN %dn has a naming conflict with non-LDAP user %account', array(
'%dn' => theme('placeholder', $dn),
'%account' => theme('placeholder', $account->name),
)), WATCHDOG_ERROR);
module_invoke_all('user', 'logout', NULL, $user);
}
else {
$user = $account;
}
}
if (key_exists($ldapauth_ldap
->getOption('mail_attr') ? $ldapauth_ldap
->getOption('mail_attr') : LDAP_DEFAULT_MAIL_ATTRIBUTE, $ldap_user)) {
$mail = $ldap_user[$ldapauth_ldap
->getOption('mail_attr')][0];
}
$config_name = $ldapauth_ldap
->getOption('name');
$userinfo = array(
'mail' => $mail,
'ldap_dn' => $dn,
'ldap_config' => $config_name,
);
$user = user_save($user, $userinfo);
$_SESSION['ldap_login']['dn'] = $dn;
$_SESSION['ldap_login']['pass'] = $pass;
return $user;
}