2012-02-08 23:14:28 +01:00
< ? php
class ModelUserAuth extends Model {
2015-02-19 15:17:20 +01:00
public function apply_user_auth_session ( $data = array ()) {
$session = Registry :: get ( 'session' );
$session -> set ( " username " , $data [ 'username' ]);
$session -> set ( " uid " , $data [ 'uid' ]);
$session -> set ( " admin_user " , $data [ 'admin_user' ]);
$session -> set ( " email " , $data [ 'username' ]);
$session -> set ( " domain " , $data [ 'domain' ]);
$session -> set ( " realname " , $data [ 'realname' ]);
$session -> set ( " auditdomains " , $data [ 'auditdomains' ]);
$session -> set ( " emails " , $data [ 'emails' ]);
$session -> set ( " folders " , $data [ 'folders' ]);
}
2012-02-08 23:14:28 +01:00
public function checkLogin ( $username = '' , $password = '' ) {
2012-10-06 14:18:00 +02:00
$ok = 0 ;
2012-02-08 23:14:28 +01:00
2015-11-26 14:59:40 +01:00
$imap_server = array ();
2015-02-19 15:17:20 +01:00
$data = array ();
$data [ 'username' ] = '' ;
$data [ 'uid' ] = - 1 ;
$data [ 'admin_user' ] = 0 ;
$data [ 'email' ] = '' ;
$data [ 'domain' ] = '' ;
$data [ 'realname' ] = '' ;
$data [ 'auditdomains' ] = array ();
$data [ 'emails' ] = array ();
$data [ 'folders' ] = array ();
2018-05-13 08:53:16 +02:00
if ( $username == '' || $password == '' ) { return $ok ; }
2013-03-02 12:54:33 +01:00
2015-11-26 14:59:40 +01:00
if ( CUSTOM_PRE_AUTH_FUNCTION && function_exists ( CUSTOM_PRE_AUTH_FUNCTION )) {
call_user_func ( CUSTOM_PRE_AUTH_FUNCTION , $username );
}
2018-05-13 08:53:16 +02:00
// Check the fallback login first to prevent sending local account
// data (admin@local or auditor@local passwords) to remote imap, etc. servers.
$ok = $this -> checkFallbackLogin ( $username , $password , $data );
if ( $ok == 1 ) { return $ok ; }
2013-03-02 12:54:33 +01:00
if ( ENABLE_LDAP_AUTH == 1 ) {
2015-02-19 15:17:20 +01:00
$ok = $this -> checkLoginAgainstLDAP ( $username , $password , $data );
2015-06-23 15:46:04 +02:00
if ( $ok == 1 ) {
if ( CUSTOM_EMAIL_QUERY_FUNCTION && function_exists ( CUSTOM_EMAIL_QUERY_FUNCTION )) {
call_user_func ( CUSTOM_EMAIL_QUERY_FUNCTION , $username );
}
return $ok ;
}
2013-03-02 12:54:33 +01:00
}
2012-12-10 12:41:40 +01:00
if ( ENABLE_IMAP_AUTH == 1 ) {
require 'Zend/Mail/Protocol/Imap.php' ;
2015-11-26 14:59:40 +01:00
2015-12-03 12:57:40 +01:00
if ( ! isset ( $imap_server [ 'IMAP_HOST' ])) { $imap_server [ 'IMAP_HOST' ] = IMAP_HOST ; }
if ( ! isset ( $imap_server [ 'IMAP_PORT' ])) { $imap_server [ 'IMAP_PORT' ] = IMAP_PORT ; }
if ( ! isset ( $imap_server [ 'IMAP_SSL' ])) { $imap_server [ 'IMAP_SSL' ] = IMAP_SSL ; }
2015-11-26 14:59:40 +01:00
$ok = $this -> checkLoginAgainstIMAP ( $imap_server , $username , $password , $data );
2015-01-15 23:29:48 +01:00
if ( $ok == 1 ) {
if ( CUSTOM_EMAIL_QUERY_FUNCTION && function_exists ( CUSTOM_EMAIL_QUERY_FUNCTION )) {
call_user_func ( CUSTOM_EMAIL_QUERY_FUNCTION , $username );
}
return $ok ;
}
2012-12-10 12:41:40 +01:00
}
2013-09-30 21:43:41 +02:00
if ( ENABLE_POP3_AUTH == 1 ) {
require 'Zend/Mail/Protocol/Pop3.php' ;
2015-02-19 15:17:20 +01:00
$ok = $this -> checkLoginAgainstPOP3 ( $username , $password , $data );
2015-01-15 23:29:48 +01:00
if ( $ok == 1 ) {
if ( CUSTOM_EMAIL_QUERY_FUNCTION && function_exists ( CUSTOM_EMAIL_QUERY_FUNCTION )) {
call_user_func ( CUSTOM_EMAIL_QUERY_FUNCTION , $username );
}
return $ok ;
}
2013-09-30 21:43:41 +02:00
}
2013-03-02 12:54:33 +01:00
2018-05-13 08:53:16 +02:00
return $ok ;
}
// fallback local auth
private function checkFallbackLogin ( username = '' , $password = '' , $data = array ()) {
$session = Registry :: get ( 'session' );
2013-03-02 12:54:33 +01:00
$query = $this -> db -> query ( " SELECT u.username, u.uid, u.realname, u.dn, u.password, u.isadmin, u.domain FROM " . TABLE_USER . " u, " . TABLE_EMAIL . " e WHERE e.email=? AND e.uid=u.uid " , array ( $username ));
2012-02-08 23:14:28 +01:00
if ( ! isset ( $query -> row [ 'password' ])) { return 0 ; }
$pass = crypt ( $password , $query -> row [ 'password' ]);
if ( $pass == $query -> row [ 'password' ]){
2012-10-06 14:18:00 +02:00
$ok = 1 ;
2012-02-08 23:14:28 +01:00
2012-10-06 14:18:00 +02:00
AUDIT ( ACTION_LOGIN , $username , '' , '' , 'successful auth against user table' );
}
else {
AUDIT ( ACTION_LOGIN_FAILED , $username , '' , '' , 'failed auth against user table' );
}
if ( $ok == 1 ) {
2015-02-19 15:17:20 +01:00
$data [ 'username' ] = $username ;
$data [ 'uid' ] = $query -> row [ 'uid' ];
$data [ 'admin_user' ] = $query -> row [ 'isadmin' ];
$data [ 'email' ] = $username ;
$data [ 'domain' ] = $query -> row [ 'domain' ];
$data [ 'realname' ] = $query -> row [ 'realname' ];
2013-10-16 14:55:17 +02:00
2015-02-19 15:17:20 +01:00
$data [ 'auditdomains' ] = $this -> model_user_user -> get_users_all_domains ( $query -> row [ 'uid' ]);
2015-01-15 23:29:48 +01:00
if ( CUSTOM_EMAIL_QUERY_FUNCTION && function_exists ( CUSTOM_EMAIL_QUERY_FUNCTION )) {
call_user_func ( CUSTOM_EMAIL_QUERY_FUNCTION , $username );
}
else {
2015-02-19 15:17:20 +01:00
$data [ 'emails' ] = $this -> model_user_user -> get_users_all_email_addresses ( $query -> row [ 'uid' ]);
2015-01-15 23:29:48 +01:00
}
2015-03-10 16:22:19 +01:00
$extra_emails = $this -> model_user_user -> get_email_addresses_from_groups ( $data [ 'emails' ]);
$data [ 'emails' ] = array_merge ( $data [ 'emails' ], $extra_emails );
2015-09-18 14:56:09 +02:00
$data [ 'folders' ] = $this -> model_folder_folder -> get_folder_id_array_for_user ( $query -> row [ 'uid' ], $data [ 'admin_user' ]);
2013-10-16 14:55:17 +02:00
2015-02-19 15:17:20 +01:00
$session -> set ( " auth_data " , $data );
$this -> is_ga_code_needed ( $username );
2012-02-08 23:14:28 +01:00
2015-02-20 12:58:36 +01:00
$this -> is_four_eye_auth_needed ( $data [ 'admin_user' ]);
2012-02-08 23:14:28 +01:00
return 1 ;
}
2013-03-02 12:54:33 +01:00
return 0 ;
}
2015-02-19 15:17:20 +01:00
private function checkLoginAgainstLDAP ( $username = '' , $password = '' , $data = array ()) {
2014-09-04 16:18:47 +02:00
$a = array ();
$ret = 0 ;
if ( ENABLE_SAAS == 1 ) {
$params = $this -> model_saas_ldap -> get_ldap_params_by_email ( $username );
foreach ( $params as $param ) {
2015-02-19 15:17:20 +01:00
$ret = $this -> checkLoginAgainstLDAP_real ( $username , $password , $data , $param );
2014-09-04 16:18:47 +02:00
2016-09-21 21:59:57 +02:00
if ( LOG_LEVEL >= NORMAL ) { syslog ( LOG_INFO , " ldap auth result against " . $param [ 'ldap_host' ] . " / " . $param [ 'ldap_type' ] . " : $ret " ); }
2014-09-04 16:18:47 +02:00
if ( $ret == 1 ) { return $ret ; }
}
}
else {
2015-02-19 15:17:20 +01:00
$ret = $this -> checkLoginAgainstLDAP_real ( $username , $password , $data );
2014-09-04 16:18:47 +02:00
}
return $ret ;
}
2015-02-19 15:17:20 +01:00
private function checkLoginAgainstLDAP_real ( $username = '' , $password = '' , $data = array (), $a = array ()) {
2015-03-10 16:35:22 +01:00
$session = Registry :: get ( 'session' );
2014-09-04 16:18:47 +02:00
2013-07-20 11:15:13 +02:00
$ldap_type = '' ;
2013-07-08 11:31:17 +02:00
$ldap_host = LDAP_HOST ;
$ldap_base_dn = LDAP_BASE_DN ;
$ldap_helper_dn = LDAP_HELPER_DN ;
$ldap_helper_password = LDAP_HELPER_PASSWORD ;
2013-07-23 22:44:34 +02:00
$ldap_auditor_member_dn = LDAP_AUDITOR_MEMBER_DN ;
2013-08-20 12:15:45 +02:00
$ldap_admin_member_dn = LDAP_ADMIN_MEMBER_DN ;
$role = 0 ;
2013-12-23 11:27:36 +01:00
$username_prefix = '' ;
2013-07-08 11:31:17 +02:00
2014-09-04 16:18:47 +02:00
if ( count ( $a ) >= 6 ) {
$ldap_type = $a [ 'ldap_type' ];
$ldap_host = $a [ 'ldap_host' ];
$ldap_base_dn = $a [ 'ldap_base_dn' ];
$ldap_helper_dn = $a [ 'ldap_bind_dn' ];
$ldap_helper_password = $a [ 'ldap_bind_pw' ];
$ldap_auditor_member_dn = $a [ 'ldap_auditor_member_dn' ];
$ldap_mail_attr = $a [ 'ldap_mail_attr' ];
$ldap_account_objectclass = $a [ 'ldap_account_objectclass' ];
$ldap_distributionlist_attr = $a [ 'ldap_distributionlist_attr' ];
$ldap_distributionlist_objectclass = $a [ 'ldap_distributionlist_objectclass' ];
2013-07-08 11:31:17 +02:00
}
2014-01-15 14:47:30 +01:00
if ( $ldap_type != LDAP_TYPE_GENERIC ) {
list ( $ldap_mail_attr , $ldap_account_objectclass , $ldap_distributionlist_attr , $ldap_distributionlist_objectclass ) = get_ldap_attribute_names ( $ldap_type );
}
2013-07-20 11:15:13 +02:00
2013-12-23 11:27:36 +01:00
if ( $ldap_mail_attr == 'proxyAddresses' ) { $username_prefix = 'smtp:' ; }
2013-07-20 11:15:13 +02:00
if ( $ldap_host == '' || $ldap_helper_password == '' ) { return 0 ; }
2013-07-08 11:31:17 +02:00
$ldap = new LDAP ( $ldap_host , $ldap_helper_dn , $ldap_helper_password );
2013-03-02 12:54:33 +01:00
if ( $ldap -> is_bind_ok ()) {
2013-04-17 11:32:05 +02:00
2013-12-23 11:27:36 +01:00
$query = $ldap -> query ( $ldap_base_dn , " (&(objectClass= $ldap_account_objectclass )( $ldap_mail_attr = $username_prefix $username )) " , array ());
2013-03-02 12:54:33 +01:00
2013-07-03 11:36:41 +02:00
if ( isset ( $query -> row [ 'dn' ]) && $query -> row [ 'dn' ]) {
2013-03-02 12:54:33 +01:00
$a = $query -> row ;
2013-07-08 11:31:17 +02:00
$ldap_auth = new LDAP ( $ldap_host , $a [ 'dn' ], $password );
2013-03-02 12:54:33 +01:00
2016-09-21 21:59:57 +02:00
if ( LOG_LEVEL >= NORMAL ) { syslog ( LOG_INFO , " ldap auth against ' " . $ldap_host . " ', dn: ' " . $a [ 'dn' ] . " ', result: " . $ldap_auth -> is_bind_ok ()); }
2013-04-03 22:45:05 +02:00
2013-03-02 12:54:33 +01:00
if ( $ldap_auth -> is_bind_ok ()) {
2013-04-17 11:32:05 +02:00
2016-05-03 22:24:09 +02:00
$a [ 'dn' ] = $this -> escapeLdapFilter ( $a [ 'dn' ]);
2014-10-21 10:27:18 +02:00
$query = $ldap -> query ( $ldap_base_dn , " (|(&(objectClass= $ldap_account_objectclass )( $ldap_mail_attr = $username_prefix $username ))(&(objectClass= $ldap_distributionlist_objectclass )( $ldap_distributionlist_attr = $username_prefix $username ) " . " )(&(objectClass= $ldap_distributionlist_objectclass )( $ldap_distributionlist_attr = " . $a [ 'dn' ] . " ))) " , array ());
2013-04-17 11:32:05 +02:00
2013-08-20 12:15:45 +02:00
if ( $this -> check_ldap_membership ( $ldap_auditor_member_dn , $query -> rows ) == 1 ) { $role = 2 ; }
if ( $this -> check_ldap_membership ( $ldap_admin_member_dn , $query -> rows ) == 1 ) { $role = 1 ; }
2013-05-03 09:48:32 +02:00
2013-03-02 14:09:06 +01:00
$emails = $this -> get_email_array_from_ldap_attr ( $query -> rows );
2013-03-02 12:54:33 +01:00
2014-07-05 17:29:35 +02:00
$extra_emails = $this -> model_user_user -> get_email_addresses_from_groups ( $emails );
2014-07-05 17:09:38 +02:00
$emails = array_merge ( $emails , $extra_emails );
2015-02-19 15:17:20 +01:00
$data = $this -> fix_user_data ( $a [ 'cn' ], $username , $emails , $role );
$session -> set ( " auth_data " , $data );
2013-03-02 12:54:33 +01:00
2015-09-03 14:46:38 +02:00
$this -> is_ga_code_needed ( $username );
2015-02-20 12:58:36 +01:00
$this -> is_four_eye_auth_needed ( $role );
2013-03-02 12:54:33 +01:00
AUDIT ( ACTION_LOGIN , $username , '' , '' , 'successful auth against LDAP' );
return 1 ;
}
else {
AUDIT ( ACTION_LOGIN_FAILED , $username , '' , '' , 'failed auth against LDAP' );
}
}
}
2016-09-21 21:59:57 +02:00
else if ( LOG_LEVEL >= NORMAL ) {
2013-07-08 11:31:17 +02:00
syslog ( LOG_INFO , " cannot bind to ' " . $ldap_host . " ' as ' " . $ldap_helper_dn . " ' " );
2013-03-02 12:54:33 +01:00
}
2012-02-08 23:14:28 +01:00
return 0 ;
}
2013-07-23 22:44:34 +02:00
private function check_ldap_membership ( $ldap_auditor_member_dn = '' , $e = array ()) {
if ( $ldap_auditor_member_dn == '' ) { return 0 ; }
2013-05-03 09:48:32 +02:00
foreach ( $e as $a ) {
2013-08-09 10:13:54 +02:00
foreach ( array ( " memberof " , " dn " ) as $memberattr ) {
2013-05-03 09:48:32 +02:00
if ( isset ( $a [ $memberattr ])) {
2014-09-16 08:48:19 +02:00
if ( isset ( $a [ $memberattr ][ 'count' ]) && $a [ $memberattr ][ 'count' ] > 0 ) {
2013-05-03 09:48:32 +02:00
for ( $i = 0 ; $i < $a [ $memberattr ][ 'count' ]; $i ++ ) {
2013-07-23 22:44:34 +02:00
if ( $a [ $memberattr ][ $i ] == $ldap_auditor_member_dn ) {
2013-05-03 09:48:32 +02:00
return 1 ;
}
}
}
else {
2013-07-23 22:44:34 +02:00
if ( $a [ $memberattr ] == $ldap_auditor_member_dn ) {
2013-05-03 09:48:32 +02:00
return 1 ;
}
}
}
}
}
return 0 ;
}
2013-08-22 11:24:54 +02:00
public function get_email_array_from_ldap_attr ( $e = array ()) {
2013-03-02 12:54:33 +01:00
$data = array ();
2013-03-02 14:09:06 +01:00
foreach ( $e as $a ) {
2016-09-21 21:59:57 +02:00
if ( LOG_LEVEL >= DEBUG ) { syslog ( LOG_INFO , " checking ldap entry dn: " . $a [ 'dn' ] . " , cn: " . $a [ 'cn' ]); }
2014-07-29 21:52:29 +02:00
2017-06-25 14:38:28 +02:00
foreach ( array ( " mail " , " mailalternateaddress " , " proxyaddresses " , " zimbraMailForwardingAddress " , " member " , " memberOfGroup " , " othermailbox " ) as $mailattr ) {
2013-03-02 14:09:06 +01:00
if ( isset ( $a [ $mailattr ])) {
2013-03-02 12:54:33 +01:00
2013-08-28 13:11:05 +02:00
if ( is_array ( $a [ $mailattr ])) {
2013-03-02 14:09:06 +01:00
for ( $i = 0 ; $i < $a [ $mailattr ][ 'count' ]; $i ++ ) {
2013-12-23 11:27:36 +01:00
2016-09-21 21:59:57 +02:00
if ( LOG_LEVEL >= DEBUG ) { syslog ( LOG_INFO , " checking entry: " . $a [ $mailattr ][ $i ]); }
2014-07-29 21:52:29 +02:00
2013-12-23 11:27:36 +01:00
$a [ $mailattr ][ $i ] = strtolower ( $a [ $mailattr ][ $i ]);
if ( strchr ( $a [ $mailattr ][ $i ], '@' )) {
if ( preg_match ( " /^([ \ w]+) \ :/i " , $a [ $mailattr ][ $i ], $p )) {
if ( isset ( $p [ 0 ]) && $p [ 0 ] != " smtp: " ) { continue ; }
}
$email = preg_replace ( " /^([ \ w]+) \ :/i " , " " , $a [ $mailattr ][ $i ]);
if ( validemail ( $email ) && ! in_array ( $email , $data )) { array_push ( $data , $email ); }
2013-03-02 14:09:06 +01:00
}
2013-03-02 12:54:33 +01:00
}
}
2013-03-02 14:09:06 +01:00
else {
2016-09-21 21:59:57 +02:00
if ( LOG_LEVEL >= DEBUG ) { syslog ( LOG_INFO , " checking entry #2: " . $a [ $mailattr ]); }
2014-07-29 21:52:29 +02:00
2013-12-23 11:27:36 +01:00
$email = strtolower ( preg_replace ( " /^([ \ w]+) \ :/i " , " " , $a [ $mailattr ]));
if ( validemail ( $email ) && ! in_array ( $email , $data )) { array_push ( $data , $email ); }
2013-03-02 14:09:06 +01:00
}
2013-03-02 12:54:33 +01:00
}
2013-07-12 15:30:49 +02:00
}
2013-03-02 12:54:33 +01:00
}
return $data ;
}
2015-02-19 15:17:20 +01:00
private function fix_user_data ( $name = '' , $email = '' , $emails = array (), $role = 0 ) {
$data = array ();
2013-10-16 14:55:17 +02:00
2015-02-19 15:17:20 +01:00
$data [ 'username' ] = $email ;
$data [ 'uid' ] = - 1 ;
$data [ 'admin_user' ] = $role ;
$data [ 'email' ] = $email ;
$data [ 'domain' ] = '' ;
$data [ 'realname' ] = $name ;
$data [ 'auditdomains' ] = $this -> model_domain_domain -> get_your_all_domains_by_email ( $email );
$data [ 'emails' ] = $emails ;
$data [ 'folders' ] = array ();
2013-03-02 12:54:33 +01:00
$uid = $this -> model_user_user -> get_uid_by_email ( $email );
if ( $uid < 1 ) {
2013-04-12 22:30:48 +02:00
$uid = $this -> model_user_user -> get_next_uid ( TABLE_EMAIL );
2013-03-02 12:54:33 +01:00
$query = $this -> db -> query ( " INSERT INTO " . TABLE_EMAIL . " (uid, email) VALUES(?,?) " , array ( $uid , $email ));
}
2015-02-19 15:17:20 +01:00
$data [ 'uid' ] = $uid ;
2013-10-16 14:55:17 +02:00
2015-02-19 15:17:20 +01:00
$a = explode ( " @ " , $email );
$data [ 'domain' ] = $a [ 1 ];
2012-02-08 23:14:28 +01:00
2015-02-19 15:17:20 +01:00
return $data ;
2012-02-08 23:14:28 +01:00
}
2015-11-26 14:59:40 +01:00
private function checkLoginAgainstIMAP ( $imap_server = array (), $username = '' , $password = '' , $data = array ()) {
2013-10-16 14:55:17 +02:00
$session = Registry :: get ( 'session' );
2014-07-05 17:09:38 +02:00
$emails = array ( $username );
2013-10-16 14:55:17 +02:00
2016-09-15 22:08:04 +02:00
/*
* usernames without the domain part are allowed , though
* they won ' t see any emails unless a post auth hook is run
* to assign some email addresses to them
*/
2012-12-10 12:41:40 +01:00
2015-01-15 23:29:48 +01:00
$login = $username ;
if ( STRIP_DOMAIN_NAME_FROM_USERNAME == 1 ) {
$a = explode ( " @ " , $username );
$login = $a [ 0 ];
}
2015-11-26 14:59:40 +01:00
$imap = new Zend_Mail_Protocol_Imap ( $imap_server [ 'IMAP_HOST' ], $imap_server [ 'IMAP_PORT' ], $imap_server [ 'IMAP_SSL' ]);
2015-01-15 23:29:48 +01:00
if ( $imap -> login ( $login , $password )) {
2012-12-10 12:41:40 +01:00
$imap -> logout ();
2014-07-05 17:29:35 +02:00
$extra_emails = $this -> model_user_user -> get_email_addresses_from_groups ( $emails );
2014-07-05 17:09:38 +02:00
$emails = array_merge ( $emails , $extra_emails );
2015-02-19 15:17:20 +01:00
$data [ 'username' ] = $username ;
$data [ 'email' ] = $username ;
$data [ 'emails' ] = $emails ;
$data [ 'role' ] = 0 ;
$data = $this -> fix_user_data ( $username , $username , $emails , 0 );
2015-09-03 14:46:38 +02:00
$this -> is_ga_code_needed ( $username );
2015-02-19 15:17:20 +01:00
$session -> set ( " auth_data " , $data );
2012-12-10 12:41:40 +01:00
2013-10-16 14:55:17 +02:00
$session -> set ( " password " , $password );
2013-04-02 22:22:30 +02:00
2012-12-10 12:41:40 +01:00
return 1 ;
}
return 0 ;
}
2015-02-19 15:17:20 +01:00
private function checkLoginAgainstPOP3 ( $username = '' , $password = '' , $data = array ()) {
2013-09-30 21:43:41 +02:00
$rc = 0 ;
2014-07-05 17:09:38 +02:00
$emails = array ( $username );
2013-09-30 21:43:41 +02:00
try {
$conn = new Zend_Mail_Protocol_Pop3 ( POP3_HOST , POP3_PORT , POP3_SSL );
if ( $conn ) {
$s = $conn -> connect ( POP3_HOST );
if ( $s ) {
try {
$conn -> login ( $username , $password );
2014-07-05 17:29:35 +02:00
$extra_emails = $this -> model_user_user -> get_email_addresses_from_groups ( $emails );
2014-07-05 17:09:38 +02:00
$emails = array_merge ( $emails , $extra_emails );
2015-02-19 15:17:20 +01:00
$data = $this -> fix_user_data ( $username , $username , $emails , 0 );
2015-09-03 14:46:38 +02:00
$this -> is_ga_code_needed ( $username );
2015-02-19 15:17:20 +01:00
$session = Registry :: get ( 'session' );
$session -> set ( " auth_data " , $data );
2013-09-30 21:43:41 +02:00
$rc = 1 ;
}
catch ( Zend_Mail_Protocol_Exception $e ) {}
}
}
}
catch ( Zend_Mail_Protocol_Exception $e ) {}
return $rc ;
}
2018-01-01 10:39:22 +01:00
public function get_sso_user () {
if ( ! isset ( $_SERVER [ 'REMOTE_USER' ]) || $_SERVER [ 'REMOTE_USER' ] == '' ) { return '' ; }
// check if REMOTE_USER format is DOMAIN\user
$u = explode ( " \\ " , $_SERVER [ 'REMOTE_USER' ]);
if ( isset ( $u [ 1 ])) { return $u [ 1 ]; }
// or REMOTE_USER might be in the form of user@domain
$u = explode ( " @ " , $_SERVER [ 'REMOTE_USER' ]);
if ( isset ( $u [ 0 ])) { return $u [ 0 ]; }
return $_SERVER [ 'REMOTE_USER' ];
}
2012-10-17 13:11:08 +02:00
public function check_ntlm_auth () {
2013-08-20 12:15:45 +02:00
$ldap_auditor_member_dn = LDAP_AUDITOR_MEMBER_DN ;
$ldap_admin_member_dn = LDAP_ADMIN_MEMBER_DN ;
$role = 0 ;
2013-07-12 11:14:09 +02:00
2018-01-01 10:39:22 +01:00
$sso_user = $this -> get_sso_user ();
if ( $sso_user == '' ) { return 0 ; }
2012-10-17 13:11:08 +02:00
2013-08-21 00:06:41 +02:00
2017-12-23 18:14:17 +01:00
if ( LOG_LEVEL >= NORMAL ) { syslog ( LOG_INFO , " sso login: $sso_user " ); }
2012-10-17 13:11:08 +02:00
2013-04-19 20:39:38 +02:00
$ldap = new LDAP ( LDAP_HOST , LDAP_HELPER_DN , LDAP_HELPER_PASSWORD );
2012-10-17 13:11:08 +02:00
2013-04-19 20:39:38 +02:00
if ( $ldap -> is_bind_ok ()) {
2012-10-17 13:11:08 +02:00
2017-12-23 18:14:17 +01:00
$query = $ldap -> query ( LDAP_BASE_DN , " (&(objectClass=user)(samaccountname= " . $sso_user . " )) " , array ());
2013-04-19 20:39:38 +02:00
if ( isset ( $query -> row [ 'dn' ])) {
$a = $query -> row ;
2015-03-17 18:58:31 +01:00
if ( is_array ( $a [ 'mail' ])) { $username = $a [ 'mail' ][ 0 ]; } else { $username = $a [ 'mail' ]; }
2013-04-19 20:39:38 +02:00
$username = strtolower ( preg_replace ( " /^smtp \ :/i " , " " , $username ));
2013-10-17 23:22:03 +02:00
if ( $username == '' ) {
2016-09-21 21:59:57 +02:00
if ( LOG_LEVEL >= NORMAL ) { syslog ( LOG_INFO , " no email address found for " . $a [ 'dn' ]); }
2013-10-17 23:22:03 +02:00
return 0 ;
}
2014-09-09 15:30:26 +02:00
$ldap_mail_attr = LDAP_MAIL_ATTR ;
2017-06-25 14:38:28 +02:00
if ( LDAP_MAIL_ATTR == 'proxyAddresses' ) {
$ldap_mail_attr = 'proxyAddresses=smtp:' ;
}
else {
$ldap_mail_attr .= '=' ;
}
2014-09-09 15:30:26 +02:00
2017-06-25 14:38:28 +02:00
$query = $ldap -> query ( LDAP_BASE_DN , " (|(&(objectClass=user)( " . $ldap_mail_attr . " $username ))(&(objectClass=group)(member= $username ))(&(objectClass=group)(member= " . stripslashes ( $a [ 'dn' ]) . " ))) " , array ());
2013-04-19 20:39:38 +02:00
$emails = $this -> get_email_array_from_ldap_attr ( $query -> rows );
2014-07-05 17:29:35 +02:00
$extra_emails = $this -> model_user_user -> get_email_addresses_from_groups ( $emails );
2014-09-15 10:39:24 +02:00
$emails = array_merge ( $emails , $extra_emails );
if ( ! in_array ( $username , $emails )) { array_push ( $emails , $username ); }
2014-07-05 17:09:38 +02:00
2013-08-20 12:15:45 +02:00
if ( $this -> check_ldap_membership ( $ldap_auditor_member_dn , $query -> rows ) == 1 ) { $role = 2 ; }
if ( $this -> check_ldap_membership ( $ldap_admin_member_dn , $query -> rows ) == 1 ) { $role = 1 ; }
2015-02-19 15:17:20 +01:00
$data = $this -> fix_user_data ( $a [ 'cn' ], $username , $emails , $role );
$this -> apply_user_auth_session ( $data );
2013-04-19 20:39:38 +02:00
2014-07-29 21:52:29 +02:00
$this -> model_user_prefs -> get_user_preferences ( $username );
2013-04-19 20:39:38 +02:00
AUDIT ( ACTION_LOGIN , $username , '' , '' , 'successful auth against LDAP' );
2017-12-23 17:43:34 +01:00
if ( CUSTOM_EMAIL_QUERY_FUNCTION && function_exists ( CUSTOM_EMAIL_QUERY_FUNCTION )) {
2017-12-23 18:14:17 +01:00
call_user_func ( CUSTOM_EMAIL_QUERY_FUNCTION , $sso_user );
2017-12-23 17:43:34 +01:00
}
2013-04-19 20:39:38 +02:00
return 1 ;
}
2012-10-17 13:11:08 +02:00
}
2016-11-26 11:50:51 +01:00
else {
syslog ( LOG_INFO , LDAP_HELPER_DN . " cannot bind to " . LDAP_HOST );
}
2012-10-17 13:11:08 +02:00
return 0 ;
}
2013-08-30 15:18:59 +02:00
public function get_failed_login_count () {
$session = Registry :: get ( 'session' );
$n = $session -> get ( 'failed_logins' );
if ( $n == '' ) { $n = 0 ; }
return $n ;
}
public function increment_failed_login_count ( $n = 0 ) {
$session = Registry :: get ( 'session' );
$n = $session -> get ( 'failed_logins' ) + 1 ;
$session -> set ( 'failed_logins' , $n );
}
2015-02-19 15:17:20 +01:00
private function is_ga_code_needed ( $username = '' ) {
2013-10-16 14:55:17 +02:00
$session = Registry :: get ( 'session' );
2015-02-19 15:17:20 +01:00
$query = $this -> db -> query ( " SELECT ga_enabled FROM " . TABLE_USER_SETTINGS . " WHERE username=? " , array ( $username ));
2013-10-16 14:55:17 +02:00
if ( isset ( $query -> row [ 'ga_enabled' ]) && $query -> row [ 'ga_enabled' ] == 1 ) {
$session -> set ( " ga_block " , 1 );
}
}
2015-02-20 12:58:36 +01:00
public function is_four_eye_auth_needed ( $admin_user = 0 ) {
2015-02-19 15:17:20 +01:00
$session = Registry :: get ( 'session' );
2015-02-20 12:58:36 +01:00
if ( 1 == FOUR_EYES_LOGIN_FOR_AUDITOR && 2 == $admin_user ) {
2015-02-19 15:17:20 +01:00
$session -> set ( " four_eyes " , 1 );
}
}
2012-06-22 15:22:02 +02:00
public function change_password ( $username = '' , $password = '' ) {
2012-02-08 23:14:28 +01:00
if ( $username == " " || $password == " " ){ return 0 ; }
2018-05-10 09:26:38 +02:00
$query = $this -> db -> query ( " UPDATE " . TABLE_USER . " SET password=? WHERE uid=(SELECT uid FROM " . TABLE_EMAIL . " WHERE email=?) " , array ( crypt ( $password ), $username ));
2012-02-08 23:14:28 +01:00
$rc = $this -> db -> countAffected ();
return $rc ;
}
2016-05-03 22:24:09 +02:00
/*
* For more explanation , see https :// bitbucket . org / jsuto / piler / issues / 679 / get - mailing - list - members - from - active
* Credits : Thoth
*/
public function escapeLdapFilter ( $str = '' ) {
// The characters that need to be escape.
//
// NOTE: It's important that the slash is the first character replaced.
// Otherwise the slash added by other replacements will then be
// replaced as well, resulted in double-escaping all characters
// replaced before the slashes were replaced.
//
$metaChars = array (
chr ( 0x5c ), // \
chr ( 0x2a ), // *
chr ( 0x28 ), // (
chr ( 0x29 ), // )
chr ( 0x00 ) // NUL
);
// Build the list of the escaped versions of those characters.
$quotedMetaChars = array ();
foreach ( $metaChars as $key => $value ) {
$quotedMetaChars [ $key ] = '\\' .
str_pad ( dechex ( ord ( $value )), 2 , '0' , STR_PAD_LEFT );
}
// Make all the necessary replacements in the input string and return
// the result.
return str_replace ( $metaChars , $quotedMetaChars , $str );
}
2012-02-08 23:14:28 +01:00
}
?>
