< ? php
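class ModelUserAuth extends Model {

    /**
     * Authenticate a login attempt.
     *
     * Backends are tried in order: LDAP (when ENABLE_LDAP_AUTH == 1), IMAP
     * (when ENABLE_IMAP_AUTH == 1), then the local user table. A local row
     * whose stored password does not match but which carries a DN is finally
     * checked against the remote LDAP server registered for its domain.
     * On success the user's session variables are populated and 1 is returned.
     *
     * @param string $username login name; the local table is looked up by e-mail address
     * @param string $password cleartext password
     * @return int 1 on success, 0 on failure
     */
    public function checkLogin($username = '', $password = '') {
        // An empty password must never reach a backend: for LDAP it would be an
        // unauthenticated (anonymous) bind, which servers commonly accept.
        if ((string) $username === '' || (string) $password === '') { return 0; }

        if (ENABLE_LDAP_AUTH == 1) {
            if ($this->checkLoginAgainstLDAP($username, $password) == 1) { return 1; }
        }

        if (ENABLE_IMAP_AUTH == 1) {
            // require_once: a second checkLogin() in the same request would
            // otherwise redeclare Zend_Mail_Protocol_Imap and abort.
            require_once 'Zend/Mail/Protocol/Imap.php';
            if ($this->checkLoginAgainstIMAP($username, $password) == 1) { return 1; }
        }

        // fallback local auth
        $query = $this->db->query("SELECT u.username, u.uid, u.realname, u.dn, u.password, u.isadmin, u.domain FROM " . TABLE_USER . " u, " . TABLE_EMAIL . " e WHERE e.email=? AND e.uid=u.uid", array($username));
        if (!isset($query->row['password'])) { return 0; }
        $user = $query->row;

        $ok = 0;
        if ($this->verify_password($password, $user['password'])) {
            $ok = 1;
            AUDIT(ACTION_LOGIN, $username, '', '', 'successful auth against user table');
        } else {
            AUDIT(ACTION_LOGIN_FAILED, $username, '', '', 'failed auth against user table');
        }

        // A stored DN (anything longer than 3 characters) enables the per-domain remote LDAP check.
        if ($ok == 0 && isset($user['dn']) && strlen($user['dn']) > 3) {
            $ok = $this->checkLoginAgainstFallbackLDAP($user, $password);
        }
        if ($ok != 1) { return 0; }

        $this->regenerate_session_id();
        $_SESSION['username'] = $user['username'];
        $_SESSION['uid'] = $user['uid'];
        $_SESSION['admin_user'] = $user['isadmin'];
        $_SESSION['email'] = $username;
        $_SESSION['domain'] = $user['domain'];
        $_SESSION['realname'] = $user['realname'];
        $_SESSION['auditdomains'] = $this->model_user_user->get_users_all_domains($user['uid']);
        $_SESSION['emails'] = $this->model_user_user->get_users_all_email_addresses($user['uid']);
        $_SESSION['folders'] = $this->model_folder_folder->get_all_folder_ids($user['uid']);
        $_SESSION['extra_folders'] = $this->model_folder_folder->get_all_extra_folder_ids($user['uid']);
        return 1;
    }

    /**
     * Constant-time check of a cleartext password against a stored crypt()-style hash.
     *
     * password_verify() understands every hash format crypt() produces, so rows
     * written by the former unsalted crypt() call keep working next to the bcrypt
     * hashes change_password() stores now. The previous crypt()/== comparison
     * was timing-sensitive and loosely typed.
     *
     * @param string $password cleartext password
     * @param mixed  $hash     value of the password column
     * @return bool
     */
    private function verify_password($password, $hash) {
        if (!is_string($hash) || $hash === '') { return false; }
        return password_verify((string) $password, $hash);
    }

    /**
     * Replace the session id once a login succeeds, so an id an attacker may
     * have planted before authentication (session fixation) is not promoted.
     * Only possible while a session is active; a no-op otherwise.
     */
    private function regenerate_session_id() {
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
    }

    /**
     * Escape a value for use inside an LDAP search filter (RFC 4515), so filter
     * metacharacters in a login name cannot change the query's meaning.
     * Same character set as ldap_escape(..., LDAP_ESCAPE_FILTER), without
     * requiring the ldap extension.
     *
     * @param mixed $value
     * @return string
     */
    private function ldap_filter_escape($value) {
        return strtr((string) $value, array(
            '\\' => '\\5c',
            '*' => '\\2a',
            '(' => '\\28',
            ')' => '\\29',
            "\x00" => '\\00',
        ));
    }

    /**
     * Filter matching the single account whose LDAP_MAIL_ATTR equals $username.
     *
     * @param string $username
     * @return string
     */
    private function ldap_account_filter($username) {
        return "(&(objectClass=" . LDAP_ACCOUNT_OBJECTCLASS . ")(" . LDAP_MAIL_ATTR . "=" . $this->ldap_filter_escape($username) . "))";
    }

    /**
     * Filter matching the account itself plus every distribution list that
     * carries the account's address or DN; the result feeds both the auditor
     * membership check and the list of the user's e-mail addresses.
     *
     * @param string $username
     * @param string $dn
     * @return string
     */
    private function ldap_account_and_lists_filter($username, $dn) {
        $u = $this->ldap_filter_escape($username);
        $d = $this->ldap_filter_escape($dn);
        return "(|(&(objectClass=" . LDAP_ACCOUNT_OBJECTCLASS . ")(" . LDAP_MAIL_ATTR . "=" . $u . "))"
            . "(&(objectClass=" . LDAP_DISTRIBUTIONLIST_OBJECTCLASS . ")(" . LDAP_DISTRIBUTIONLIST_ATTR . "=" . $u . "))"
            . "(&(objectClass=" . LDAP_DISTRIBUTIONLIST_OBJECTCLASS . ")(" . LDAP_DISTRIBUTIONLIST_ATTR . "=" . $d . ")))";
    }

    /**
     * Authenticate against the primary LDAP server: look the account up with the
     * helper credentials, then bind as the account's DN with the user's password.
     * On success the session variables are set from the directory data.
     *
     * @param string $username value of LDAP_MAIL_ATTR
     * @param string $password cleartext password
     * @return int 1 on success, 0 on failure
     */
    private function checkLoginAgainstLDAP($username = '', $password = '') {
        // An empty password would turn the user bind below into an anonymous bind.
        if ((string) $username === '' || (string) $password === '') { return 0; }

        $ldap = new LDAP(LDAP_HOST, LDAP_HELPER_DN, LDAP_HELPER_PASSWORD);
        if (!$ldap->is_bind_ok()) {
            if (ENABLE_SYSLOG == 1) { syslog(LOG_INFO, "cannot bind to '" . LDAP_HOST . "' as '" . LDAP_HELPER_DN . "'"); }
            return 0;
        }

        $query = $ldap->query(LDAP_BASE_DN, $this->ldap_account_filter($username), array());
        if (!isset($query->row['dn'])) { return 0; }
        $a = $query->row;

        $ldap_auth = new LDAP(LDAP_HOST, $a['dn'], $password);
        $bind_ok = $ldap_auth->is_bind_ok();
        if (ENABLE_SYSLOG == 1) { syslog(LOG_INFO, "ldap auth against '" . LDAP_HOST . "', dn: '" . $a['dn'] . "', result: " . $bind_ok); }
        if (!$bind_ok) {
            AUDIT(ACTION_LOGIN_FAILED, $username, '', '', 'failed auth against LDAP');
            return 0;
        }

        $query = $ldap->query(LDAP_BASE_DN, $this->ldap_account_and_lists_filter($username, $a['dn']), array());
        $is_auditor = $this->check_ldap_membership($query->rows);
        $emails = $this->get_email_array_from_ldap_attr($query->rows);
        $this->add_session_vars($a['cn'], $username, $emails, $is_auditor);
        AUDIT(ACTION_LOGIN, $username, '', '', 'successful auth against LDAP');
        return 1;
    }

    /**
     * Return 1 when any entry's member/memberof attribute contains
     * LDAP_AUDITOR_MEMBER_DN, 0 otherwise (and always 0 when that constant is empty).
     * Attributes arrive either as a single value or as a count-indexed array.
     *
     * @param array $e LDAP result rows
     * @return int
     */
    private function check_ldap_membership($e = array()) {
        if (LDAP_AUDITOR_MEMBER_DN == '') { return 0; }
        foreach ($e as $a) {
            foreach (array("member", "memberof") as $memberattr) {
                if (!isset($a[$memberattr])) { continue; }
                $attr = $a[$memberattr];
                if (isset($attr['count'])) {
                    for ($i = 0; $i < $attr['count']; $i++) {
                        // NOTE(review): exact string match; DNs are nominally case-insensitive — confirm this suffices
                        if ($attr[$i] === LDAP_AUDITOR_MEMBER_DN) { return 1; }
                    }
                } elseif ($attr === LDAP_AUDITOR_MEMBER_DN) {
                    return 1;
                }
            }
        }
        return 0;
    }

    /**
     * Lower-case an address taken from the directory, dropping an Exchange-style
     * "smtp:" prefix.
     *
     * @param mixed $value
     * @return string
     */
    private function normalize_ldap_email($value) {
        return strtolower(preg_replace('/^smtp:/i', '', (string) $value));
    }

    /**
     * Collect the distinct, normalised e-mail addresses found in the mail-type
     * attributes of the given LDAP rows. For multi-valued attributes only values
     * with an "smtp:" prefix or an "@" are taken; a single value is taken as is.
     *
     * @param array $e LDAP result rows
     * @return array list of lower-case addresses
     */
    private function get_email_array_from_ldap_attr($e = array()) {
        $data = array();
        foreach ($e as $a) {
            foreach (array("mail", "mailalternateaddress", "proxyaddresses", LDAP_MAIL_ATTR, LDAP_DISTRIBUTIONLIST_ATTR) as $mailattr) {
                if (!isset($a[$mailattr])) { continue; }
                $attr = $a[$mailattr];
                if (isset($attr['count'])) {
                    for ($i = 0; $i < $attr['count']; $i++) {
                        if (!preg_match('/^smtp:/i', $attr[$i]) && strpos($attr[$i], '@') === false) { continue; }
                        $email = $this->normalize_ldap_email($attr[$i]);
                        if (!in_array($email, $data, true)) { $data[] = $email; }
                    }
                } else {
                    $email = $this->normalize_ldap_email($attr);
                    if (!in_array($email, $data, true)) { $data[] = $email; }
                }
            }
        }
        return $data;
    }

    /**
     * Populate the session for an externally authenticated user (LDAP, IMAP, NTLM).
     * A user seen for the first time gets a uid allocated and the address stored.
     *
     * @param mixed  $name       display name (cn from the directory, or the login name)
     * @param string $email      primary address; its domain part becomes $_SESSION['domain']
     * @param array  $emails     all addresses belonging to the user
     * @param int    $is_auditor 1 to mark the session as auditor (admin_user = 2)
     */
    private function add_session_vars($name = '', $email = '', $emails = array(), $is_auditor = 0) {
        $parts = explode("@", $email);
        $uid = $this->model_user_user->get_uid_by_email($email);
        if ($uid < 1) {
            // First login of an externally authenticated user: allocate a uid and record the address.
            $uid = $this->model_user_user->get_next_uid(TABLE_EMAIL);
            $this->db->query("INSERT INTO " . TABLE_EMAIL . " (uid, email) VALUES(?,?)", array($uid, $email));
        }
        $this->regenerate_session_id();
        $_SESSION['username'] = $name;
        $_SESSION['uid'] = $uid;
        // 2 = auditor, 0 = plain user; external logins never receive the local isadmin value here.
        $_SESSION['admin_user'] = ($is_auditor == 1) ? 2 : 0;
        $_SESSION['email'] = $email;
        $_SESSION['domain'] = isset($parts[1]) ? $parts[1] : '';
        $_SESSION['realname'] = $name;
        $_SESSION['auditdomains'] = array();
        $_SESSION['emails'] = $emails;
        $_SESSION['folders'] = array();
        $_SESSION['extra_folders'] = array();
    }

    /**
     * Bind as the local user's stored DN against the LDAP server registered for
     * the user's domain (TABLE_REMOTE). On success the password is cached in the
     * local table so later logins can be served from there.
     *
     * @param array  $user     local user row (needs username, domain, dn)
     * @param string $password cleartext password
     * @return int 1 on success, 0 on failure
     */
    private function checkLoginAgainstFallbackLDAP($user = array(), $password = '') {
        if ((string) $password === '' || !isset($user['username']) || !isset($user['domain']) || !isset($user['dn']) || strlen($user['domain']) < 2) { return 0; }
        $query = $this->db->query("SELECT remotehost, basedn FROM " . TABLE_REMOTE . " WHERE remotedomain=?", array($user['domain']));
        if ($query->num_rows != 1) { return 0; }

        $ldap = new LDAP($query->row['remotehost'], $user['dn'], $password);
        if (!$ldap->is_bind_ok()) {
            // The former call passed the DN as a stray sixth argument; it belongs in the message.
            AUDIT(ACTION_LOGIN_FAILED, $user['username'], '', '', 'failed bind to ' . $query->row['remotehost'] . ' as ' . $user['dn']);
            return 0;
        }
        $this->change_password($user['username'], $password);
        AUDIT(ACTION_LOGIN, $user['username'], '', '', 'changed password in local table');
        return 1;
    }

    /**
     * Authenticate by logging in to the configured IMAP server.
     *
     * @param string $username IMAP login, also used as the session e-mail address
     * @param string $password cleartext password
     * @return int 1 on success, 0 on failure
     */
    private function checkLoginAgainstIMAP($username = '', $password = '') {
        if ((string) $username === '' || (string) $password === '') { return 0; }
        $imap = new Zend_Mail_Protocol_Imap(IMAP_HOST, IMAP_PORT, IMAP_SSL);
        if (!$imap->login($username, $password)) { return 0; }
        $imap->logout();
        $this->add_session_vars($username, $username, array($username), 0);
        // NOTE(review): the cleartext password is kept in the session, presumably for
        // later IMAP access — confirm that it is required and that session data is
        // stored server-side only.
        $_SESSION['password'] = $password;
        return 1;
    }

    /**
     * Log in a user already authenticated by the web server (REMOTE_USER set
     * as DOMAIN\user by an NTLM/Kerberos module): resolve the account in LDAP
     * via samaccountname and build the session from its mail attribute.
     *
     * @return int 1 on success, 0 on failure
     */
    public function check_ntlm_auth() {
        if (!isset($_SERVER['REMOTE_USER'])) { return 0; }
        $u = explode("\\", $_SERVER['REMOTE_USER']);
        if (!isset($u[1]) || $u[1] === '') { return 0; }

        $ldap = new LDAP(LDAP_HOST, LDAP_HELPER_DN, LDAP_HELPER_PASSWORD);
        if (!$ldap->is_bind_ok()) { return 0; }

        $query = $ldap->query(LDAP_BASE_DN, "(&(objectClass=" . LDAP_ACCOUNT_OBJECTCLASS . ")(samaccountname=" . $this->ldap_filter_escape($u[1]) . "))", array());
        if (!isset($query->row['dn'])) { return 0; }
        $a = $query->row;

        // 'mail' arrives either as a count-indexed array or as a single value.
        $mail = '';
        if (isset($a['mail']['count'])) {
            if (isset($a['mail'][0])) { $mail = $a['mail'][0]; }
        } elseif (isset($a['mail'])) {
            $mail = $a['mail'];
        }
        $username = $this->normalize_ldap_email($mail);
        // Without an address there is no identity to build a session for.
        if ($username === '') { return 0; }

        $query = $ldap->query(LDAP_BASE_DN, $this->ldap_account_and_lists_filter($username, $a['dn']), array());
        $emails = $this->get_email_array_from_ldap_attr($query->rows);
        // NOTE(review): unlike checkLoginAgainstLDAP() this path never grants the
        // auditor role (is_auditor is fixed to 0) — confirm that is intended.
        $this->add_session_vars($a['cn'], $username, $emails, 0);
        AUDIT(ACTION_LOGIN, $username, '', '', 'successful auth against LDAP');
        return 1;
    }

    /**
     * Store a new password hash for a local user.
     *
     * password_hash() yields a salted bcrypt hash; crypt() without a salt was
     * deprecated in PHP 5.6 and the salt argument is mandatory since PHP 8.0.
     * checkLogin() verifies with password_verify(), which reads this format.
     * Assumes the password column is wide enough for a 60-character bcrypt hash — TODO confirm.
     *
     * @param string $username
     * @param string $password cleartext password
     * @return int number of rows updated (0 when either argument is empty)
     */
    public function change_password($username = '', $password = '') {
        if ((string) $username === '' || (string) $password === '') { return 0; }
        $this->db->query("UPDATE " . TABLE_USER . " SET password=? WHERE username=?", array(password_hash($password, PASSWORD_DEFAULT), $username));
        return $this->db->countAffected();
    }
}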
?>