
function ldap_sso_authenticate in LDAP Single Sign On 6

Main user authentication function.

This is a facsimile of ldapauth_authenticate() from the ldapauth module; the main difference is that, since we trust the web server's authentication mechanism, this only performs a lookup in LDAP on the user's name to make sure they exist, and avoids passwords except where required, such as storing the user's password in the user table.

If successful, sets the global $user object.

1 call to ldap_sso_authenticate()
ldap_sso_user_login in ./ldap_sso.module
A proxy function for the actual authentication routine. This is in place so various implementations of grabbing NTLM credentials can be used and selected from an administration page. This is the real gatekeeper since this assumes that any NTLM…

File

./ldap_sso.module, line 235

Code

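/**
 * Main user authentication function.
 *
 * This is a facsimile of ldapauth_authenticate() from the ldapauth module.
 * The main difference is that the web server's authentication mechanism is
 * trusted as the gatekeeper: no LDAP bind with the user's password is
 * performed. The directory is only queried to confirm that an entry with this
 * name exists and to read its DN and mail attribute. A random Drupal password
 * is generated because the user table requires one.
 *
 * If successful, sets the global $user object.
 *
 * @param string $name
 *   Login name supplied by the web server's authentication layer; it is
 *   treated as already authenticated, so it must exist in LDAP to proceed.
 *
 * @return object|bool|null
 *   The logged-in user object on success; FALSE when no LDAP server could be
 *   initialized or the name is not found in LDAP; NULL when a validation
 *   error was raised via form_set_error() (including a naming conflict).
 */
function ldap_sso_authenticate($name) {
  module_load_include('module', 'ldapauth');
  ldapauth_init();
  global $user, $_ldapauth_ldap;

  // Initialize every enabled LDAP server in weight order. _ldapauth_init()
  // sets $_ldapauth_ldap on success, so the last server that initializes is
  // the one queried below; servers that fail to initialize are skipped.
  $result = db_query("SELECT sid FROM {ldapauth} WHERE status = 1 ORDER BY weight");
  while ($row = db_fetch_object($result)) {
    _ldapauth_init($row->sid);
  }
  if (!$_ldapauth_ldap) {
    drupal_set_message(t('There was an error contacting the LDAP server'), 'error');
    return FALSE;
  }

  // Random Drupal password: this module never sees the LDAP password, but the
  // user table needs a value.
  $pass = user_password(20);

  // user_login_name_validate() is not called when the user is authenticated
  // from the httpauth or services modules, so call it here.
  $form_state = array(
    'values' => array(
      'name' => $name,
    ),
  );
  user_login_name_validate(NULL, $form_state);
  $account = user_load(array(
    'name' => $name,
    'status' => 1,
  ));
  if ($account && drupal_is_denied('mail', $account->mail)) {
    form_set_error('name', t('The name %name is registered using a reserved e-mail address and therefore could not be logged in.', array(
      '%name' => $account->name,
    )));
  }

  // If there are any validation errors, do not query LDAP.
  if (form_get_errors()) {
    return;
  }

  // Replace authentication with a lookup of the user's entry. This assumes
  // the web server's authentication mechanism is a good enough gatekeeper.
  $ldap_user = _ldapauth_user_lookup($name);
  if (!$ldap_user) {
    // Fail closed: the contract of this function is that the name exists in
    // LDAP. Without this guard an unknown name would either return the
    // anonymous global $user or log in a local account with a NULL DN.
    watchdog('ldapauth', 'User %name was authenticated by the web server but was not found on the LDAP server %server.', array(
      '%name' => $name,
      '%server' => $_ldapauth_ldap->getOption('name'),
    ), WATCHDOG_WARNING);
    return FALSE;
  }
  $dn = $ldap_user['dn'];
  $sid = $_ldapauth_ldap->getOption('sid');

  if (!$account) {
    // Register this new user.
    // If the mail attribute is missing from the entry, use the name as mail.
    // The same attribute name is used for both the presence check and the
    // value read, falling back to the module default when unconfigured.
    $mail_attr = $_ldapauth_ldap->getOption('mail_attr');
    if (!$mail_attr) {
      $mail_attr = LDAPAUTH_DEFAULT_MAIL_ATTR;
    }
    $init = $mail = isset($ldap_user[$mail_attr][0]) ? $ldap_user[$mail_attr][0] : $name;

    // Check that the e-mail is not denied.
    if (drupal_is_denied('mail', $mail)) {
      form_set_error('name', t('The name %name is registered using a reserved e-mail address and therefore could not be logged in.', array(
        '%name' => $name,
      )));
      return;
    }

    $userinfo = array(
      'name' => $name,
      'pass' => $pass,
      'mail' => $mail,
      'init' => $init,
      'status' => 1,
      'authname_ldapauth' => $name,
      'ldap_authentified' => TRUE,
      'ldap_dn' => $dn,
      'ldap_config' => $sid,
    );
    $user = user_save('', $userinfo);

    // Set a session variable so that terms & conditions and the like can be
    // presented elsewhere.
    $_SESSION['new_account_created'] = 1;
    watchdog('ldapauth', 'New external user %name created from the LDAP server %server.', array(
      '%name' => $name,
      '%server' => $_ldapauth_ldap->getOption('name'),
    ), WATCHDOG_NOTICE, l(t('edit'), 'user/' . $user->uid . '/edit'));
  }
  else {
    // Login existing user.
    $data = array(
      'ldap_dn' => $dn,
      'ldap_config' => $sid,
    );
    if (!isset($account->ldap_authentified)) {
      // LDAP and local user conflict.
      if (LDAPAUTH_LOGIN_CONFLICT == LDAPAUTH_CONFLICT_LOG) {
        watchdog('ldapauth', 'LDAP user with DN %dn has a naming conflict with a local drupal user %name', array(
          '%dn' => $dn,
          '%name' => $account->name,
        ), WATCHDOG_ERROR);
        drupal_set_message(t('Another user already exists in the system with the same login name. You should contact the system administrator in order to solve this conflict.'), 'error');
        return;
      }
      // Otherwise the local account is taken over as an LDAP account.
      $data['ldap_authentified'] = TRUE;
      $data['authname_ldapauth'] = $name;
    }

    // Successful login: save the new login data. In mixed mode with password
    // sync, the local password is replaced by the random one on every login.
    if (LDAPAUTH_LOGIN_PROCESS == LDAPAUTH_AUTH_MIXED && LDAPAUTH_SYNC_PASSWORDS) {
      $data['pass'] = $pass;
    }
    $user = user_save($account, $data);
  }

  // Save the user's authentication data to the session.
  $_SESSION['ldap_login']['dn'] = $dn;
  $_SESSION['ldap_login']['pass'] = $pass;
  // Pass the validated name values; the finalize hook expects the edit array.
  user_authenticate_finalize($form_state['values']);
  return $user;
}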