2013-06-10 16:03:51 +02:00
|
|
|
<?php
|
2013-06-10 17:03:01 +02:00
|
|
|
// {{{ICINGA_LICENSE_HEADER}}}
|
|
|
|
|
// {{{ICINGA_LICENSE_HEADER}}}
|
2013-06-10 16:03:51 +02:00
|
|
|
|
|
|
|
|
namespace Icinga\Authentication\Backend;
|
|
|
|
|
|
2014-03-03 17:21:17 +01:00
|
|
|
use Icinga\User;
|
|
|
|
|
use Icinga\Authentication\UserBackend;
|
|
|
|
|
use Icinga\Protocol\Ldap\Connection;
|
2014-06-02 15:52:58 +02:00
|
|
|
use Icinga\Exception\AuthenticationException;
|
2014-06-25 12:38:31 +02:00
|
|
|
use Icinga\Protocol\Ldap\Exception as LdapException;
|
2013-06-10 16:03:51 +02:00
|
|
|
|
2014-03-03 17:21:17 +01:00
|
|
|
class LdapUserBackend extends UserBackend
|
2013-06-10 16:03:51 +02:00
|
|
|
{
|
2013-06-27 15:18:24 +02:00
|
|
|
/**
|
2014-03-03 17:21:17 +01:00
|
|
|
* Connection to the LDAP server
|
2013-08-28 10:16:18 +02:00
|
|
|
*
|
|
|
|
|
* @var Connection
|
2013-08-13 18:08:21 +02:00
|
|
|
**/
|
2014-03-03 17:21:17 +01:00
|
|
|
protected $conn;
|
2013-07-12 15:37:36 +02:00
|
|
|
|
2014-03-03 17:21:17 +01:00
|
|
|
protected $userClass;
|
2013-06-10 16:03:51 +02:00
|
|
|
|
2014-03-03 17:21:17 +01:00
|
|
|
protected $userNameAttribute;
|
2013-08-28 10:16:18 +02:00
|
|
|
|
2014-03-03 17:21:17 +01:00
|
|
|
public function __construct(Connection $conn, $userClass, $userNameAttribute)
|
2013-06-10 16:03:51 +02:00
|
|
|
{
|
2014-03-03 17:21:17 +01:00
|
|
|
$this->conn = $conn;
|
|
|
|
|
$this->userClass = $userClass;
|
|
|
|
|
$this->userNameAttribute = $userNameAttribute;
|
2013-06-10 16:03:51 +02:00
|
|
|
}
|
|
|
|
|
|
2013-06-27 15:18:24 +02:00
|
|
|
/**
|
2014-03-03 17:21:17 +01:00
|
|
|
* Create query
|
2013-08-13 18:08:21 +02:00
|
|
|
*
|
2014-03-03 17:21:17 +01:00
|
|
|
* @param string $username
|
2013-08-13 18:08:21 +02:00
|
|
|
*
|
2014-03-03 17:21:17 +01:00
|
|
|
* @return \Icinga\Protocol\Ldap\Query
|
2013-08-13 18:08:21 +02:00
|
|
|
**/
|
2014-03-03 17:21:17 +01:00
|
|
|
protected function createQuery($username)
|
2013-06-10 16:03:51 +02:00
|
|
|
{
|
2014-03-03 17:21:17 +01:00
|
|
|
return $this->conn->select()
|
|
|
|
|
->from(
|
|
|
|
|
$this->userClass,
|
|
|
|
|
array($this->userNameAttribute)
|
|
|
|
|
)
|
|
|
|
|
->where(
|
|
|
|
|
$this->userNameAttribute,
|
|
|
|
|
str_replace('*', '', $username)
|
|
|
|
|
);
|
2013-06-10 16:03:51 +02:00
|
|
|
}
|
|
|
|
|
|
2014-06-11 14:22:52 +02:00
|
|
|
/**
|
|
|
|
|
* Probe the backend to test if authentication is possible
|
|
|
|
|
*
|
|
|
|
|
* Try to bind to the backend and query all available users to check if:
|
|
|
|
|
* <ul>
|
|
|
|
|
* <li>User connection credentials are correct and the bind is possible</li>
|
|
|
|
|
* <li>At least one user exists</li>
|
|
|
|
|
* <li>The specified userClass has the property specified by userNameAttribute</li>
|
|
|
|
|
* </ul>
|
|
|
|
|
*
|
|
|
|
|
* @throws AuthenticationException When authentication is not possible
|
|
|
|
|
*/
|
2014-06-11 15:04:19 +02:00
|
|
|
public function assertAuthenticationPossible()
|
2014-06-11 14:22:52 +02:00
|
|
|
{
|
|
|
|
|
$q = $this->conn->select()->from($this->userClass);
|
|
|
|
|
$result = $q->fetchRow();
|
2014-07-03 16:20:45 +02:00
|
|
|
if (! isset($result)) {
|
2014-06-11 14:22:52 +02:00
|
|
|
throw new AuthenticationException(
|
2014-07-03 16:20:45 +02:00
|
|
|
sprintf(
|
|
|
|
|
'No objects with objectClass="%s" in DN="%s" found.',
|
|
|
|
|
$this->userClass,
|
|
|
|
|
$this->conn->getDN()
|
|
|
|
|
)
|
|
|
|
|
);
|
2014-06-11 14:22:52 +02:00
|
|
|
}
|
|
|
|
|
|
2014-07-03 16:20:45 +02:00
|
|
|
if (! isset($result->{$this->userNameAttribute})) {
|
2014-06-11 14:22:52 +02:00
|
|
|
throw new AuthenticationException(
|
2014-07-03 16:20:45 +02:00
|
|
|
sprintf(
|
|
|
|
|
'UserNameAttribute "%s" not existing in objectClass="%s"',
|
2014-06-11 14:22:52 +02:00
|
|
|
$this->userNameAttribute,
|
|
|
|
|
$this->userClass
|
2014-07-03 16:20:45 +02:00
|
|
|
)
|
|
|
|
|
);
|
2014-06-11 14:22:52 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2013-06-27 15:18:24 +02:00
|
|
|
/**
|
2014-03-03 17:21:17 +01:00
|
|
|
* Test whether the given user exists
|
2013-08-13 18:08:21 +02:00
|
|
|
*
|
2014-03-03 17:21:17 +01:00
|
|
|
* @param User $user
|
2013-08-13 18:08:21 +02:00
|
|
|
*
|
2014-03-03 17:21:17 +01:00
|
|
|
* @return bool
|
2014-06-11 14:22:52 +02:00
|
|
|
* @throws AuthenticationException
|
2014-03-03 17:21:17 +01:00
|
|
|
*/
|
|
|
|
|
public function hasUser(User $user)
|
2013-06-10 16:03:51 +02:00
|
|
|
{
|
2014-03-03 17:21:17 +01:00
|
|
|
$username = $user->getUsername();
|
|
|
|
|
return $this->conn->fetchOne($this->createQuery($username)) === $username;
|
2013-06-10 16:03:51 +02:00
|
|
|
}
|
|
|
|
|
|
2013-06-27 15:18:24 +02:00
|
|
|
/**
|
2014-03-28 14:45:03 +01:00
|
|
|
* Authenticate the given user and return true on success, false on failure and null on error
|
2013-08-28 10:16:18 +02:00
|
|
|
*
|
2014-03-03 17:21:17 +01:00
|
|
|
* @param User $user
|
|
|
|
|
* @param string $password
|
2014-06-23 13:57:41 +02:00
|
|
|
* @param boolean $healthCheck Perform additional health checks to generate more useful exceptions in case
|
|
|
|
|
* of a configuration or backend error
|
2013-08-28 10:16:18 +02:00
|
|
|
*
|
2014-06-23 13:57:41 +02:00
|
|
|
* @return bool True when the authentication was successful, false when the username
|
|
|
|
|
* or password was invalid
|
2014-06-11 14:22:52 +02:00
|
|
|
* @throws AuthenticationException When an error occurred during authentication and authentication is not possible
|
2013-08-28 10:16:18 +02:00
|
|
|
*/
|
2014-06-11 14:22:52 +02:00
|
|
|
public function authenticate(User $user, $password, $healthCheck = true)
|
2013-06-10 16:03:51 +02:00
|
|
|
{
|
2014-06-11 14:22:52 +02:00
|
|
|
if ($healthCheck) {
|
|
|
|
|
try {
|
|
|
|
|
$this->assertAuthenticationPossible();
|
|
|
|
|
} catch (AuthenticationException $e) {
|
|
|
|
|
// Authentication not possible
|
|
|
|
|
throw new AuthenticationException(
|
|
|
|
|
sprintf(
|
|
|
|
|
'Authentication against backend "%s" not possible: ',
|
|
|
|
|
$this->getName()
|
|
|
|
|
),
|
|
|
|
|
0,
|
|
|
|
|
$e
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
}
|
2014-06-23 13:57:41 +02:00
|
|
|
if (! $this->hasUser($user)) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2014-03-28 14:45:03 +01:00
|
|
|
try {
|
2014-06-23 13:57:41 +02:00
|
|
|
return $this->conn->testCredentials(
|
|
|
|
|
$this->conn->fetchDN($this->createQuery($user->getUsername())),
|
|
|
|
|
$password
|
|
|
|
|
);
|
2014-06-25 12:38:31 +02:00
|
|
|
} catch (LdapException $e) {
|
2014-06-11 14:22:52 +02:00
|
|
|
// Error during authentication of this specific user
|
2014-06-02 15:52:58 +02:00
|
|
|
throw new AuthenticationException(
|
2014-03-28 14:45:03 +01:00
|
|
|
sprintf(
|
2014-06-02 15:52:58 +02:00
|
|
|
'Failed to authenticate user "%s" against backend "%s". An exception was thrown:',
|
2014-03-28 14:45:03 +01:00
|
|
|
$user->getUsername(),
|
2014-06-02 15:52:58 +02:00
|
|
|
$this->getName()
|
|
|
|
|
),
|
|
|
|
|
0,
|
|
|
|
|
$e
|
2014-03-28 14:45:03 +01:00
|
|
|
);
|
2013-06-10 16:03:51 +02:00
|
|
|
}
|
|
|
|
|
}
|
2013-08-26 16:56:23 +02:00
|
|
|
|
2013-08-30 15:31:21 +02:00
|
|
|
/**
|
2014-03-03 17:21:17 +01:00
|
|
|
* Get the number of users available
|
2013-08-30 15:31:21 +02:00
|
|
|
*
|
2014-03-03 17:21:17 +01:00
|
|
|
* @return int
|
2013-08-30 15:31:21 +02:00
|
|
|
*/
|
2014-03-03 17:21:17 +01:00
|
|
|
public function count()
|
2013-08-27 14:37:22 +02:00
|
|
|
{
|
2014-06-11 14:22:52 +02:00
|
|
|
|
2014-03-03 17:21:17 +01:00
|
|
|
return $this->conn->count(
|
|
|
|
|
$this->conn->select()->from(
|
|
|
|
|
$this->userClass,
|
2013-08-26 16:56:23 +02:00
|
|
|
array(
|
2014-03-03 17:21:17 +01:00
|
|
|
$this->userNameAttribute
|
2013-08-26 16:56:23 +02:00
|
|
|
)
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
}
|
2013-06-10 16:03:51 +02:00
|
|
|
}
|
2014-03-03 17:21:17 +01:00
|
|
|
|
