diff --git a/src/include/functions_users.php b/src/include/functions_users.php
index d1df080..d707ede 100644
--- a/src/include/functions_users.php
+++ b/src/include/functions_users.php
@@ -65,7 +65,9 @@ function InitUserSession()
if ( isset($_SESSION['SESSION_LOGGEDIN']) )
{
- if ( !$_SESSION['SESSION_LOGGEDIN'] )
+ if ( !$_SESSION['SESSION_LOGGEDIN'] ||
+ !isset($_SESSION['SESSION_USERID']) /* Check if UserID is set! */
+ )
{
$content['SESSION_LOGGEDIN'] = false;
@@ -289,45 +291,57 @@ function CheckLDAPUserLogin( $username, $password )
{
global $content;
- $ldap_filter='('.$content['LDAPSearchFilter'].'('.$content['LDAPUidAttribute'].'="'.$username.'"))';
+ // Create LDAP Searchfilter
+ $ldap_filter='(&'.$content['LDAPSearchFilter'].'('.$content['LDAPUidAttribute'].'='.$username.'))';
// Open LDAP connection
- if (!($ds=ldap_connect($content['LDAPServer'],$content['LDAPPort'])))
+ if (!($ldapConn=@ldap_connect($content['LDAPServer'],$content['LDAPPort'])))
return false;
- ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
+ ldap_set_option($ldapConn, LDAP_OPT_PROTOCOL_VERSION, 3);
// Bind as the privilegied user
- if (!($r = ldap_bind($ds, $content['LDAPBindDN'], $content['LDAPBindPassword'])))
+ if (!($r = ldap_bind($ldapConn, $content['LDAPBindDN'], $content['LDAPBindPassword'])))
return false;
- // search for the user
- if (!($r=ldap_search( $ds, $content['LDAPBaseDN'], $ldap_filter, array("uid","cn","localentryid","userpassword") )))
+ // Search for the user
+ if (!($r=@ldap_search( $ldapConn, $content['LDAPBaseDN'], $ldap_filter, array("uid","cn","localentryid","userpassword") )))
{
- DieWithFriendlyErrorMsg( "Debug Error: Could not login user '" . $username . "'
- Sessionarray
- " . var_export($_SESSION, true) . "
- Search Filter : " . $ldap_filter );
-
- // return not really needed here
+ if ( GetConfigSetting("DebugUserLogin", 0) == 1 )
+ {
+ // Die with error
+ DebugLDAPErrorAndDie( GetAndReplaceLangStr($content['LN_LOGIN_LDAP_USERCOULDNOTLOGIN'], $username, ldap_err2str(ldap_errno($ldapConn))), $ldap_filter );
+ }
+
+ // return false in this case
return false;
}
-
- $info = ldap_get_entries($ds, $r);
+
+ $info = ldap_get_entries($ldapConn, $r);
if (!$info || $info["count"] != 1)
{
- DieWithFriendlyErrorMsg( "Debug Error: Could not login user '" . $username . "'
- Sessionarray
- " . var_export($_SESSION, true) . "
- Search Filter : " . $ldap_filter );
+ if ( GetConfigSetting("DebugUserLogin", 0) == 1 )
+ {
+ // Die with error
+ DebugLDAPErrorAndDie( GetAndReplaceLangStr( $content['LN_LOGIN_LDAP_USERNOTFOUND'], $username ), $ldap_filter );
+ }
- // return not really needed here
+ // return false in this case
return false;
}
// now we have the user data. Do a bind to check for his password
- if (!($r=ldap_bind( $ds, $info[0]['dn'],$password)))
+ if (!($r=@ldap_bind( $ldapConn, $info[0]['dn'],$password)))
+ {
+ if ( GetConfigSetting("DebugUserLogin", 0) == 1 )
+ {
+ // Die with error
+ DebugLDAPErrorAndDie( GetAndReplaceLangStr( $content['LN_LOGIN_LDAP_PASSWORDFAIL'], $username ), $ldap_filter );
+ }
+
+ // return false in this case
return false;
+ }
// for the moment when a user logs in from LDAP, create it in the DB.
// then the prefs and group management is done in the DB and we don't rewrite the whole Loganalyzer code…
@@ -338,26 +352,50 @@ function CheckLDAPUserLogin( $username, $password )
$myrow = DB_GetSingleRow($result, true);
if (!isset($myrow['is_admin']) )
{
- // Create User
- $result = DB_Query("INSERT INTO " . DB_USERS . " (id, username, password, is_admin, is_readonly) VALUES (".$info[0]['localentryid'][0].", '$username', rnd".md5(mt_rand()."rnd")."', 0, 1)");
+ // Create User | use password to create MD5 Hash, so technically the user could login without LDAP as well
+ $sqlcmd = "INSERT INTO " . DB_USERS . " (username, password, is_admin, is_readonly) VALUES ('" . $username . "', '" . md5($password) . "', 0, 1)";
+
+ $result = DB_Query($sqlcmd);
DB_FreeQuery($result);
$myrow['is_admin'] = 0;
$myrow['last_login'] = 0;
$myrow['is_readonly'] = 1;
}
-
- $myrowfinal['username'] = $info[0][$content['LDAPUidAttribute']][0];
- $myrowfinal['password'] = "hidden";
+ // Construct Row and return
+ $myrowfinal['username'] = $username;
+ $myrowfinal['password'] = md5($password);
$myrowfinal['dn'] = $info[0]['dn'];
- $myrowfinal['ID'] = $info[0]['localentryid'][0];
+ if ( isset($myrow['ID']) )
+ $myrowfinal['ID'] = $myrow['ID']; // Get from SELECT
+ else
+ $myrowfinal['ID'] = DB_ReturnLastInsertID(); // Get from last insert!
$myrowfinal['is_admin'] = $myrow['is_admin'];
$myrowfinal['is_readonly'] = $myrow['is_readonly'];
$myrowfinal['last_login'] = $myrow['last_login'];
-
return $myrowfinal;
}
+/*
+* LDAP Debug Helpre function
+*/
+function DebugLDAPErrorAndDie($szErrorMsg, $szLdapFilter)
+{
+ global $content;
+
+ // Add extra debug if wanted!
+ if ( GetConfigSetting("MiscShowDebugMsg", 0, CFGLEVEL_USER) == 1 )
+ {
+ $szErrorMsg .=
+ "LDAPBind DN: " . $content['LDAPBindDN'] .
+ "Search Filter: " . $szLdapFilter .
+ "Session Array: " . var_export($_SESSION, true) . "
";
+ }
+
+ // USER NOT FOUND
+ DieWithFriendlyErrorMsg( $szErrorMsg );
+}
+
function DoLogOff()
{
diff --git a/src/lang/en/main.php b/src/lang/en/main.php
index dc7ecbe..1828dee 100644
--- a/src/lang/en/main.php
+++ b/src/lang/en/main.php
@@ -226,6 +226,10 @@ $content['LN_LOGIN_PASSWORD'] = "Password";
$content['LN_LOGIN_SAVEASCOOKIE'] = "Stay logged on";
$content['LN_LOGIN_ERRWRONGPASSWORD'] = "Wrong username or password!";
$content['LN_LOGIN_USERPASSMISSING'] = "Username or password not given";
+$content['LN_LOGIN_LDAP_USERNOTFOUND'] = "User '%1' could not be found";
+$content['LN_LOGIN_LDAP_USERCOULDNOTLOGIN'] = "Could not login user '%1', LDAP error: %2";
+$content['LN_LOGIN_LDAP_PASSWORDFAIL'] = "User '%1' could not login with the given password";
+
// Install Site
$content['LN_INSTALL_TITLETOP'] = "Installing LogAnalyzer Version %1 - Step %2";