View source
<?php
function ldap_sso_user($op, &$edit, &$account, $category = NULL) {
switch ($op) {
case 'load':
if ($account->uid == 0 && $GLOBALS['user']->uid == $account->uid) {
if (!isset($_COOKIE['seamless_login']) || $_COOKIE['seamless_login'] == 'auto login') {
if (arg(0) == 'user' && !is_numeric(arg(1)) || arg(0) == 'logout' || (arg(0) == 'node' && arg(1) == 'add' || arg(0) == 'node' && arg(2) == 'edit') && $_POST['op'] == 'Preview') {
return;
}
else {
if (variable_get('ldap_sso_seamless_login', 0) == 1 && $_COOKIE['seamless_login_attempted'] != 'true') {
setcookie("seamless_login_attempted", 'true', time() + variable_get('ldap_sso_cookie_expire', 315360000), base_path(), "");
$_SESSION['seamless_login_attempted'] = $_COOKIE['seamless_login_attempted'];
$destination = 'destination=' . rawurlencode($_GET['q']);
drupal_goto('user/login/sso', $destination);
}
else {
return;
}
}
}
}
break;
case 'logout':
if (variable_get('ldap_sso_seamless_login', 0) == 1) {
setcookie("seamless_login", 'do not auto login', time() + variable_get('ldap_sso_cookie_expire', 315360000), base_path(), "");
$_SESSION['seamless_login'] = $_COOKIE['seamless_login'];
}
break;
}
}
function ldap_sso_menu() {
$items = array();
$items['user/login/sso'] = array(
'title' => t('Log In'),
'page callback' => 'ldap_sso_user_login',
'access callback' => '_ldap_sso_user_access',
'type' => MENU_NORMAL_ITEM,
);
$items['admin/settings/ldap/sso'] = array(
'title' => 'LDAP Single Sign-On',
'page callback' => 'ldap_sso_admin',
'page arguments' => array(),
'access arguments' => array(
'administer ldap modules',
),
'weight' => 0,
'type' => MENU_NORMAL_ITEM,
);
return $items;
}
function ldap_sso_admin($callback_arg = '') {
$output = drupal_get_form('ldap_sso_form');
return $output;
}
function ldap_sso_form($form_state) {
$period = array(
0 => t('Immediately'),
) + drupal_map_assoc(array(
3600,
86400,
604800,
2592000,
31536000,
315360000,
), 'format_interval') + array(
-1 => t('Never'),
);
$form['ldap_sso_seamless_login'] = array(
'#type' => 'checkbox',
'#title' => t('Turn on automated single sign-on'),
'#description' => t('This requires that you ' . 'have operational NTLM authentication turned on for at least
the path user/login/sso, or for the whole domain.'),
'#default_value' => variable_get('ldap_sso_seamless_login', 0),
);
$form['ldap_sso_cookie_expire'] = array(
'#type' => 'select',
'#title' => t('Cookie Lifetime'),
'#description' => t('If using the seamless login, a cookie is necessary to prevent automatic login after a user manually logs out. Select the lifetime of the cookie.'),
'#default_value' => variable_get('ldap_sso_cookie_expire', 315360000),
'#options' => $period,
);
$form['ldap_sso_ldap_implementation'] = array(
'#type' => 'select',
'#title' => t('Authentication Mechanism'),
'#description' => t('Select the type of authentication mechanism you are using.'),
'#default_value' => variable_get('ldap_sso_ldap_implementation', 'mod_auth_sspi'),
'#options' => array(
'mod_auth_sspi' => t('mod_auth_sspi'),
),
);
return system_settings_form($form);
}
function ldap_sso_theme() {
return array(
'ldap_sso_login_message' => array(
'arguments' => array(
'message' => NULL,
),
),
'ldap_sso_message_not_found' => array(
'arguments' => array(
'message' => NULL,
),
),
'ldap_sso_message_not_authenticated' => array(
'arguments' => array(
'message' => NULL,
),
),
);
}
function theme_ldap_sso_login_message($message) {
return $message;
}
function theme_ldap_sso_message_not_found($message) {
return $message;
}
function theme_ldap_sso_message_not_authenticated($message) {
return $message;
}
function _ldap_sso_user_access() {
if (!$GLOBALS['user']->uid || !empty($GLOBALS['menu_admin'])) {
return true;
}
else {
return false;
}
}
function _ldap_sso_user_logout_access() {
return !_ldap_sso_user_access();
}
function ldap_sso_user_login() {
$implementation = variable_get('ldap_sso_ldap_implementation', 'mod_auth_sspi');
switch ($implementation) {
case 'mod_auth_sspi':
$remote_user = $_SERVER['REMOTE_USER'] ? $_SERVER['REMOTE_USER'] : $_SERVER['REDIRECT_REMOTE_USER'];
break;
}
if ($remote_user) {
$user = ldap_sso_authenticate($remote_user);
if ($user && $user->uid > 0) {
if (variable_get('ldap_sso_seamless_login', 0) == 1) {
setcookie("seamless_login", 'auto login', time() + variable_get('ldap_sso_cookie_expire', 315360000), base_path(), "");
$_SESSION['seamless_login'] = $_COOKIE['seamless_login'];
setcookie("seamless_login_attempted", '');
unset($_SESSION['seamless_login_attempted']);
}
drupal_set_message(t(theme('ldap_sso_login_message', 'You have been successfully authenticated')));
drupal_goto('home');
}
else {
if (variable_get('ldap_sso_seamless_login', 0) == 1) {
setcookie("seamless_login", 'do not auto login', time() + variable_get('ldap_sso_cookie_expire', 315360000), base_path(), "");
$_SESSION['seamless_login'] = $_COOKIE['seamless_login'];
}
drupal_set_message(theme('ldap_sso_message_not_found', t('Sorry, your LDAP credentials were not found, ' . 'or the LDAP is not available. You may log in ' . 'with other credentials on the !user_login_form.', array(
'!user_login_form' => l(t('user login form'), 'user/login'),
))), 'error');
drupal_goto('user/login');
}
}
else {
if (variable_get('ldap_sso_seamless_login', 0) == 1) {
setcookie("seamless_login", 'do not auto login', time() + variable_get('ldap_sso_cookie_expire', 315360000), base_path(), "");
$_SESSION['seamless_login'] = $_COOKIE['seamless_login'];
}
drupal_set_message(t(theme('ldap_sso_message_not_authenticated', 'You were not authenticated by the server. You may log in with your credentials below.')), 'error');
drupal_goto('user/login');
}
}
function ldap_sso_perm() {
return array(
'administer ldap sso',
);
}
function ldap_sso_authenticate($name) {
module_load_include('module', 'ldapauth');
ldapauth_init();
global $user, $_ldapauth_ldap;
$result = db_query("SELECT sid FROM {ldapauth} WHERE status = 1 ORDER BY weight");
while ($row = db_fetch_object($result)) {
if (!_ldapauth_init($row->sid)) {
continue;
}
}
if (!$_ldapauth_ldap) {
drupal_set_message(t('There was an error contacting the LDAP server'), 'error');
return false;
}
$pass = user_password(20);
$form_state = array(
'values' => array(
'name' => $name,
),
);
user_login_name_validate(NULL, $form_state);
$account = user_load(array(
'name' => $name,
'status' => 1,
));
if ($account && drupal_is_denied('mail', $account->mail)) {
form_set_error('name', t('The name %name is registered using a reserved e-mail address and therefore could not be logged in.', array(
'%name' => $account->name,
)));
}
if (form_get_errors()) {
return;
}
$ldap_user = _ldapauth_user_lookup($name);
if (!$account) {
if ($ldap_user) {
$init = $mail = key_exists($_ldapauth_ldap
->getOption('mail_attr') ? $_ldapauth_ldap
->getOption('mail_attr') : LDAPAUTH_DEFAULT_MAIL_ATTR, $ldap_user) ? $ldap_user[$_ldapauth_ldap
->getOption('mail_attr')][0] : $name;
if (drupal_is_denied('mail', $mail)) {
form_set_error('name', t('The name %name is registered using a reserved e-mail address and therefore could not be logged in.', array(
'%name' => $name,
)));
return;
}
$pass_new = $pass;
$userinfo = array(
'name' => $name,
'pass' => $pass_new,
'mail' => $mail,
'init' => $init,
'status' => 1,
'authname_ldapauth' => $name,
'ldap_authentified' => TRUE,
'ldap_dn' => $ldap_user['dn'],
'ldap_config' => $_ldapauth_ldap
->getOption('sid'),
);
$user = user_save('', $userinfo);
$_SESSION['new_account_created'] = 1;
watchdog('ldapauth', 'New external user %name created from the LDAP server %server.', array(
'%name' => $name,
'%server' => $_ldapauth_ldap
->getOption('name'),
), WATCHDOG_NOTICE, l(t('edit'), 'user/' . $user->uid . '/edit'));
}
}
else {
$data = array(
'ldap_dn' => $ldap_user['dn'],
'ldap_config' => $_ldapauth_ldap
->getOption('sid'),
);
if (!isset($account->ldap_authentified)) {
if (LDAPAUTH_LOGIN_CONFLICT == LDAPAUTH_CONFLICT_LOG) {
watchdog('ldapauth', 'LDAP user with DN %dn has a naming conflict with a local drupal user %name', array(
'%dn' => $dn,
'%name' => $account->name,
), WATCHDOG_ERROR);
drupal_set_message(t('Another user already exists in the system with the same login name. You should contact the system administrator in order to solve this conflict.'), 'error');
return;
}
else {
$data['ldap_authentified'] = TRUE;
$data['authname_ldapauth'] = $name;
}
}
if (LDAPAUTH_LOGIN_PROCESS == LDAPAUTH_AUTH_MIXED && LDAPAUTH_SYNC_PASSWORDS) {
$data['pass'] = $pass;
}
$user = user_save($account, $data);
}
$_SESSION['ldap_login']['dn'] = $dn;
$_SESSION['ldap_login']['pass'] = $pass;
user_authenticate_finalize($form_values);
return $user;
}