From 150bc74d36fc9cbf9778a684456c93cfb8761ca6 Mon Sep 17 00:00:00 2001 From: Andre Lorbach Date: Thu, 26 Jan 2012 15:19:23 +0100 Subject: [PATCH] Started implementing LDAP Auth support --- src/include/config.sample.php | 10 +++ src/include/functions_users.php | 104 +++++++++++++++++++++++++++++--- 2 files changed, 107 insertions(+), 7 deletions(-) diff --git a/src/include/config.sample.php b/src/include/config.sample.php index 721fe3f..fe8fd0b 100644 --- a/src/include/config.sample.php +++ b/src/include/config.sample.php @@ -54,6 +54,16 @@ $CFG['UserDBPref'] = ""; $CFG['UserDBUser'] = ""; $CFG['UserDBPass'] = ""; $CFG['UserDBLoginRequired'] = false; +// LDAP auth options +$CFG['LDAPUserLoginRequired'] = false; // activate LDAP auth +$CFG['LDAPServer'] = "localhost"; // LDAP server hostname or IP +$CFG['LDAPPort'] = 389; // LDAP port, 389 or 636 for SSL +$CFG['LDAPBaseDN'] = "ou=my,o=ldap"; // Base DN for LDAP search +$CFG['LDAPSearchFilter'] = "(objectclass=inetOrgPerson)"; // search filter +$CFG['LDAPUidAttribute'] = "uid"; // the LDAP attribute used in the search to find the user. ex : uid, cn +$CFG['LDAPBindDN'] = "cn=Manager,ou=my,o=ldap"; // DN of the privileged user for the search +$CFG['LDAPBindPassword'] = 'secret'; // Password of the privilegied user +$CFG['LDAPGroupAttribute'] = 'member'; // attribute used to search for groups // --- // --- Misc Options diff --git a/src/include/functions_users.php b/src/include/functions_users.php index 81d1f8d..d1df080 100644 --- a/src/include/functions_users.php +++ b/src/include/functions_users.php 
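Review bot: The `LDAPPort` comment promises "636 for SSL", but nothing in the patch turns the connection into LDAPS or StartTLS — the other file passes host and port straight to `ldap_connect()`, which as far as I can tell stays plain LDAP even on port 636 unless the host is an `ldaps://` URI, so both the manager bind password and every user password would travel in cleartext. Either document on that line that `LDAPServer` must be given as `ldaps://host` (the port argument is then taken from the URI) or add a `$CFG['LDAPUseTLS'] = false; // call ldap_start_tls() after connect` switch and honour it in the auth code. `LDAPGroupAttribute` is declared here but not read anywhere in this commit, so mark it `// reserved, not used yet` or leave it out until it is. The sample bind password `'secret'` would better ship as `''` so a copied config cannot carry a working default into production.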
@@ -161,12 +161,20 @@ function CheckUserLogin( $username, $password ) { global $content; - // TODO: SessionTime and AccessLevel check - - $md5pass = md5($password); - $sqlquery = "SELECT * FROM " . DB_USERS . " WHERE username = '" . $username . "' and password = '" . $md5pass . "'"; - $result = DB_Query($sqlquery); - $myrow = DB_GetSingleRow($result, true); + // Check if LDAP Auth has to be used! + if ( GetConfigSetting("LDAPUserLoginRequired", "") == "true") + { + // perform user auth using LDAP, will add user record to loganalyzer DB if necessary + $myrow = CheckLDAPUserLogin( $username, $password ); + } + else // Normal MYSQL Login! + { + // TODO: SessionTime and AccessLevel check + $md5pass = md5($password); + $sqlquery = "SELECT * FROM " . DB_USERS . " WHERE username = '" . $username . "' and password = '" . $md5pass . "'"; + $result = DB_Query($sqlquery); + $myrow = DB_GetSingleRow($result, true); + } // The admin field must be set! if ( isset($myrow['is_admin']) ) @@ -261,14 +269,96 @@ function CheckUserLogin( $username, $password ) } else { + /* + if (isset($myrow) && is_numeric($myrow) ) + { + //return error code! + return $myrow; + } + */ if ( GetConfigSetting("DebugUserLogin", 0) == 1 ) DieWithFriendlyErrorMsg( "Debug Error: Could not login user '" . $username . "'
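Review bot: The MySQL branch re-added here still interpolates `$username` straight into the query (`WHERE username = '" . $username . "'`), so a login name containing a quote rewrites the WHERE clause; the lines are carried over from before the patch, but since this block is being restructured anyway it is the moment to run the value through the project's DB escaping helper (or a prepared statement) instead of moving the injection along with the code. `md5($password)` as the stored hash is inherited too and is worth a mention in the `// TODO` line above it (`// TODO: SessionTime and AccessLevel check; migrate md5 to salted hashing`). The `GetConfigSetting("LDAPUserLoginRequired", "") == "true"` test works for the boolean the sample config suggests only through loose comparison; comparing against both `true` and `"true"` explicitly would make the intent visible. `CheckUserLogin` continues past the end of this hunk.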

Sessionarray
" . var_export($_SESSION, true) . "

SQL Statement: " . $sqlselect ); - + // Default return false return false; } } + +function CheckLDAPUserLogin( $username, $password ) +{ + global $content; + + $ldap_filter='('.$content['LDAPSearchFilter'].'('.$content['LDAPUidAttribute'].'="'.$username.'"))'; + + // Open LDAP connection + if (!($ds=ldap_connect($content['LDAPServer'],$content['LDAPPort']))) + return false; + + ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); + + // Bind as the privilegied user + if (!($r = ldap_bind($ds, $content['LDAPBindDN'], $content['LDAPBindPassword']))) + return false; + + // search for the user + if (!($r=ldap_search( $ds, $content['LDAPBaseDN'], $ldap_filter, array("uid","cn","localentryid","userpassword") ))) + { + DieWithFriendlyErrorMsg( "Debug Error: Could not login user '" . $username . "' + Sessionarray +
" . var_export($_SESSION, true) . "
+ Search Filter : " . $ldap_filter ); + + // return not really needed here + return false; + } + + $info = ldap_get_entries($ds, $r); + if (!$info || $info["count"] != 1) + { + DieWithFriendlyErrorMsg( "Debug Error: Could not login user '" . $username . "' + Sessionarray +
" . var_export($_SESSION, true) . "
+ Search Filter : " . $ldap_filter ); + + // return not really needed here + return false; + } + + // now we have the user data. Do a bind to check for his password + if (!($r=ldap_bind( $ds, $info[0]['dn'],$password))) + return false; + + // for the moment when a user logs in from LDAP, create it in the DB. + // then the prefs and group management is done in the DB and we don't rewrite the whole Loganalyzer code… + + // check if the user already exist + $sqlquery = "SELECT * FROM " . DB_USERS . " WHERE username = '" . $username . "'"; + $result = DB_Query($sqlquery); + $myrow = DB_GetSingleRow($result, true); + if (!isset($myrow['is_admin']) ) + { + // Create User + $result = DB_Query("INSERT INTO " . DB_USERS . " (id, username, password, is_admin, is_readonly) VALUES (".$info[0]['localentryid'][0].", '$username', rnd".md5(mt_rand()."rnd")."', 0, 1)"); + DB_FreeQuery($result); + $myrow['is_admin'] = 0; + $myrow['last_login'] = 0; + $myrow['is_readonly'] = 1; + } + + + $myrowfinal['username'] = $info[0][$content['LDAPUidAttribute']][0]; + $myrowfinal['password'] = "hidden"; + $myrowfinal['dn'] = $info[0]['dn']; + $myrowfinal['ID'] = $info[0]['localentryid'][0]; + $myrowfinal['is_admin'] = $myrow['is_admin']; + $myrowfinal['is_readonly'] = $myrow['is_readonly']; + $myrowfinal['last_login'] = $myrow['last_login']; + + return $myrowfinal; +} + + function DoLogOff() { global $content;
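Review bot: `CheckLDAPUserLogin` verifies the password with `ldap_bind( $ds, $info[0]['dn'],$password)` without first rejecting an empty `$password`; an empty password turns that call into an unauthenticated bind, which a number of directories (Active Directory among them) accept, so any existing user name would log in with no password — return `false` before the bind when `$password === ''`. The filter built on the function's first line is also malformed: the two sub-filters are concatenated without an `&` operator, LDAP filter values are not quoted so `uid="bob"` matches only a uid that literally contains the quotes, and `$username` is not escaped, so a name containing `*`, `(`, `)` or `\` rewrites the filter. The INSERT that creates the local user has an unbalanced quote — `'$username', rnd".md5(mt_rand()."rnd")."', 0, 1` produces `rnd<hex>'` with no opening quote — and interpolates `$username` unescaped; it should read `'" . $username . "', '" . $placeholder . "', 0, 1` with the name escaped through the DB layer, and `$info[0]['localentryid'][0]` should be checked for presence before it is used as the id, since not every directory exposes that attribute. The two `DieWithFriendlyErrorMsg` calls dump `$_SESSION` and the filter to the browser unconditionally whereas the MySQL path gates the same output behind `DebugUserLogin`; apply the same gate, and release the connection with `ldap_unbind()` on every path instead of never (the search also requests `userpassword` although it is never read).
```php
function CheckLDAPUserLogin( $username, $password )
{
	global $content;

	// An empty password would turn the user bind below into an unauthenticated bind.
	if ( !is_string($password) || $password === '' )
		return false;

	// RFC 4515 escaping of the user-supplied value (ldap_escape() needs PHP >= 5.6).
	$safe_user = str_replace( array('\\', '*', '(', ')', "\x00"),
	                          array('\5c', '\2a', '\28', '\29', '\00'), $username );
	// AND the configured base filter with the uid match; filter values are never quoted.
	$ldap_filter = '(&' . $content['LDAPSearchFilter'] . '(' . $content['LDAPUidAttribute'] . '=' . $safe_user . '))';

	// … unchanged: ldap_connect, LDAP_OPT_PROTOCOL_VERSION, privileged bind …

	if (!($r=ldap_search( $ds, $content['LDAPBaseDN'], $ldap_filter, array($content['LDAPUidAttribute'], "cn", "localentryid") )))
	{
		ldap_unbind($ds);
		if ( GetConfigSetting("DebugUserLogin", 0) == 1 )
			DieWithFriendlyErrorMsg( /* … unchanged debug text … */ );
		return false;
	}
	// … unchanged: ldap_get_entries and count check, with the same DebugUserLogin gate and ldap_unbind() before returning …

	// Verify the password by binding as the user; release the connection either way.
	$bound = ldap_bind( $ds, $info[0]['dn'], $password );
	ldap_unbind($ds);
	if (!$bound)
		return false;

	// … unchanged: local user lookup, INSERT (with the quote fix from the note), $myrowfinal assembly …
}
```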