diff --git a/plugins/auth_ldap/init.php b/plugins/auth_ldap/init.php index fc49e86..d64c91a 100644 --- a/plugins/auth_ldap/init.php +++ b/plugins/auth_ldap/init.php @@ -4,7 +4,7 @@ * @author hydrian (ben.tyger@tygerclan.net) * @copyright GPL2 * Requires php-ldap and PEAR Net::LDAP2 - * @version 0.04 + * @version 0.05 */ /** @@ -14,13 +14,14 @@ * define('LDAP_AUTH_SERVER_URI', 'ldaps://LDAPServerHostname:port/'); * define('LDAP_AUTH_USETLS', FALSE); // Enable TLS Support for ldaps:// * define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE); // Allows untrusted certificate - * define('LDAP_AUTH_BINDDN', 'cn=serviceaccount,dc=example,dc=com'); - * define('LDAP_AUTH_BINDPW', 'ServiceAccountsPassword'); * define('LDAP_AUTH_BASEDN', 'dc=example,dc=com'); * define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE); * // ??? will be replaced with the entered username(escaped) at login * define('LDAP_AUTH_SEARCHFILTER', '(&(objectClass=person)(uid=???))'); * // Optional configuration + * define('LDAP_AUTH_BINDDN', 'cn=serviceaccount,dc=example,dc=com'); + * define('LDAP_AUTH_BINDPW', 'ServiceAccountsPassword'); + * define('LDAP_AUTH_LOGIN_ATTRIB', 'uid'); * * define('LDAP_AUTH_SCHEMA_CACHE_ENABLE', TRUE); * Enables Schema Caching (Recommended) @@ -71,35 +72,64 @@ function init($host) { } private function _log($msg, $level = E_USER_WARNING) { - trigger_error($msg, $level); + $loggerFunction = Logger::get(); + if (is_object($loggerFunction)) { + $loggerFunction->log_error($level, $msg); + } else { + trigger_error($msg, $level); + } + } + /** + * Logs login attempts + * @param string $username Given username that attempts to log in to TTRSS + * @param string $result "Logging message for type of result. (Success / Fail)" + * @return boolean + * @deprecated + * + * Now that _log support syslog and log levels and graceful fallback user. + */ private function _logAttempt($username, $result) { + + + return trigger_error('TT-RSS Login Attempt: user '.(string)$username. + ' attempted to login ('.(string)$result.') from '.(string)$ip, + E_USER_NOTICE + ); + } + + /** + * Finds client's IP address + * @return string + */ + private function _getClientIP () { if (!empty($_SERVER['HTTP_CLIENT_IP'])) { //check ip from share internet - + $ip=$_SERVER['HTTP_CLIENT_IP']; } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { - //to check ip is pass from proxy + //to check ip is pass from proxy $ip=$_SERVER['HTTP_X_FORWARDED_FOR']; } else { $ip=$_SERVER['REMOTE_ADDR']; } - return trigger_error('TT-RSS Login Attempt: user '.(string)$username. - ' attempted to login ('.(string)$result.') from '.(string)$ip, - E_USER_NOTICE - ); + return $ip; } + /** + * Main Authentication method + * Required for plugin interface + * @param unknown $login User's username + * @param unknown $password User's password + * @return boolean + */ function authenticate($login, $password) { - $this->logClass = Logger::get(); if ($login && $password) { - - if (!function_exists('ldap_connect')) { trigger_error('auth_ldap requires PHP\'s PECL LDAP package installed.'); return FALSE; @@ -115,6 +145,9 @@ function authenticate($login, $password) { $anonymousBeforeBind=defined('LDAP_AUTH_ANONYMOUSBEFOREBIND') ? LDAP_AUTH_ANONYMOUSBEFOREBIND : FALSE; + $bindDN = defined('LDAP_AUTH_BINDDN') ? LDAP_AUTH_BINDDN : null; + $bindPW = defined('LDAP_AUTH_BINDPW') ? LDAP_AUTH_BINDPW : null; + $parsedURI=parse_url(LDAP_AUTH_SERVER_URI); if ($parsedURI === FALSE) { $this->_log('Could not parse LDAP_AUTH_SERVER_URI in config.php'); @@ -127,8 +160,8 @@ function authenticate($login, $password) { ); if (!$anonymousBeforeBind) { - $ldapConnParams['binddn']= LDAP_AUTH_BINDDN; - $ldapConnParams['bindpw']= LDAP_AUTH_BINDPW; + $ldapConnParams['binddn']= $bindDN; + $ldapConnParams['bindpw']= $bindPW; } $ldapConnParams['starttls']= defined('LDAP_AUTH_USETLS') ? LDAP_AUTH_USETLS : FALSE; @@ -152,15 +185,21 @@ function authenticate($login, $password) { } $this->ldapObj = new Net_LDAP2; $ldapConn=$this->ldapObj->connect($ldapConnParams); - if (Net_LDAP2::isError($ldapConn)) { - $this->_log('Could not connect to LDAP Server: '.$ldapConn->getMessage()); + if ($this->ldapObj->isError($ldapConn)) { + $this->_log( + 'Could not connect to LDAP Server: '.$ldapConn->getMessage(), + E_USER_ERROR + ); return FALSE; } // Bind with service account if orignal connexion was anonymous if ($anonymousBeforeBind) { - $binding=$this->ldapObj->bind(LDAP_AUTH_BINDDN, LDAP_AUTH_BINDPW); + $binding=$this->ldapObj->bind($bindDN, $bindPW); if ($this->ldapObj->isError($binding)) { - $this->_log('Cound not bind service account: '.$binding->getMessage()); + $this->_log( + 'Cound not bind service account: '.$binding->getMessage(), + E_USER_ERROR + ); return FALSE; } } @@ -196,30 +235,35 @@ function authenticate($login, $password) { } //Searching for user - $completedSearchFiler=str_replace('???',$login,LDAP_AUTH_SEARCHFILTER); - $filterObj=Net_LDAP2_Filter::parse($completedSearchFiler); + $completedSearchFilter=str_replace('???',$login,LDAP_AUTH_SEARCHFILTER); + $filterObj=Net_LDAP2_Filter::parse($completedSearchFilter); + if (PEAR::isError($filterObj)) { + $this->_log( 'Could not parse LDAP Search filter', E_USER_ERROR); + return FALSE; + } $searchResults=$this->ldapObj->search(LDAP_AUTH_BASEDN, $filterObj); if ($this->ldapObj->isError($searchResults)) { $this->_log('LDAP Search Failed: '.$searchResults->getMessage()); return FALSE; } elseif ($searchResults->count() === 0) { - if ($logAttempts) $this->_logAttempt((string)$login, 'Unknown User'); + $this->_log((string)$login, 'Unknown User', E_USER_NOTICE); return FALSE; } elseif ($searchResults->count() > 1 ) { - $this->_log('Multiple DNs found for username '.$login); + $this->_log('Multiple DNs found for username '.$login, E_USER_WARNING); return FALSE; } //Getting user's DN from search $userEntry=$searchResults->shiftEntry(); $userDN=$userEntry->dn(); //Binding with user's DN. - $loginAttempt=$this->ldapObj->bind($userDN, $password); + $this->_log('Try binding with user\'s DN: '.$userDN); + $loginAttempt=$ldapConn->bind($userDN, $password); $ldapConn->disconnect(); if ($loginAttempt === TRUE) { - if ($logAttempts) $this->_logAttempt((string)$login, 'successful'); + $this->_log('User: '.(string)$login.' authentication successful', E_USER_NOTICE); return $this->base->auto_create_user($login); } elseif ($loginAttempt->getCode() == 49) { - if ($logAttempts) $this->_logAttempt((string)$login, 'bad password'); + $this->_log('User: '.(string)$login.' authentication failed', E_USER_NOTICE); return FALSE; } else { $this->_log('Unknown Error: Code: '.$loginAttempt->getCode(). @@ -230,6 +274,11 @@ function authenticate($login, $password) { return false; } + /** + * Returns plugin API version + * Required for plugin interface + * @return number + */ function api_version() { return 2; }