You cannot access this file

ERROR: You can\'t access this file directly!

'); } include_once($config['homedir'] . "/include/functions_profile.php"); enterprise_include ('include/auth/mysql.php'); $config["user_can_update_info"] = true; $config["user_can_update_password"] = true; $config["admin_can_add_user"] = true; $config["admin_can_delete_user"] = true; $config["admin_can_disable_user"] = false; //currently not implemented $config["admin_can_make_admin"] = true; /** * process_user_login accepts $login and $pass and handles it according to current authentication scheme * * @param string $login * @param string $pass * @param boolean $api * * @return mixed False in case of error or invalid credentials, the username in case it's correct. */ function process_user_login ($login, $pass, $api = false) { global $config, $mysql_cache; // Always authenticate admins against the local database if (strtolower ($config["auth"]) == 'mysql' || is_user_admin ($login)) { return process_user_login_local ($login, $pass, $api); } else { $login_remote = process_user_login_remote ($login, io_safe_output($pass), $api); if ($login_remote == false && $config['fallback_local_auth'] == '1') { return process_user_login_local ($login, $pass, $api); } else { return $login_remote; } } return false; } function process_user_login_local ($login, $pass, $api = false) { global $config, $mysql_cache; // Connect to Database switch ($config["dbtype"]) { case "mysql": if (!$api) { $sql = sprintf ("SELECT `id_user`, `password` FROM `tusuario` WHERE `id_user` = '%s' AND `not_login` = 0 AND `disabled` = 0", $login); } else { $sql = sprintf ("SELECT `id_user`, `password` FROM `tusuario` WHERE `id_user` = '%s' AND `disabled` = 0", $login); } break; case "postgresql": if (!$api) { $sql = sprintf ('SELECT "id_user", "password" FROM "tusuario" WHERE "id_user" = \'%s\' AND "not_login" = 0 AND "disabled" = 0', $login); } else { $sql = sprintf ('SELECT "id_user", "password" FROM "tusuario" WHERE "id_user" = \'%s\' AND "disabled" = 0', $login); } break; case "oracle": if (!$api) { $sql = sprintf ('SELECT id_user, password FROM tusuario WHERE id_user = \'%s\' AND not_login = 0 AND disabled = 0', $login); } else { $sql = sprintf ('SELECT id_user, password FROM tusuario WHERE id_user = \'%s\' AND disabled = 0', $login); } break; } $row = db_get_row_sql ($sql); //Check that row exists, that password is not empty and that password is the same hash if ($row !== false && $row["password"] !== md5 ("") && $row["password"] == md5 ($pass)) { // Login OK // Nick could be uppercase or lowercase (select in MySQL // is not case sensitive) // We get DB nick to put in PHP Session variable, // to avoid problems with case-sensitive usernames. // Thanks to David Muñiz for Bug discovery :) $filter = array("id_usuario" => $login); $user_profile = db_get_row_filter ("tusuario_perfil", $filter); if(!users_is_admin($login) && !$user_profile){ $mysql_cache["auth_error"] = "User does not have any profile"; $config["auth_error"] = "User does not have any profile"; return false; } return $row["id_user"]; } else { if (!user_can_login($login)) { $mysql_cache["auth_error"] = "User only can use the API."; $config["auth_error"] = "User only can use the API."; } else { $mysql_cache["auth_error"] = "User not found in database or incorrect password"; $config["auth_error"] = "User not found in database or incorrect password"; } } return false; } function process_user_login_remote ($login, $pass, $api = false) { global $config, $mysql_cache; // Remote authentication switch ($config["auth"]) { // LDAP case 'ldap': $sr = ldap_process_user_login ($login, $pass); if(!$sr) { return false; } break; // Active Directory case 'ad': if (enterprise_hook ('ad_process_user_login', array ($login, $pass)) === false) { $config["auth_error"] = "User not found in database or incorrect password"; return false; } break; // Remote Pandora FMS case 'pandora': if (enterprise_hook ('remote_pandora_process_user_login', array ($login, $pass)) === false) { $config["auth_error"] = "User not found in database or incorrect password"; return false; } break; // Remote Integria case 'integria': if (enterprise_hook ('remote_integria_process_user_login', array ($login, $pass)) === false) { $config["auth_error"] = "User not found in database or incorrect password"; return false; } break; // Unknown authentication method default: $config["auth_error"] = "User not found in database or incorrect password"; return false; break; } if ($config["auth"] === 'ldap') { $login_user_attribute = $login; if ($config['ldap_login_user_attr'] == 'mail') { $login = $sr["mail"][0]; } } // Authentication ok, check if the user exists in the local database if (is_user ($login)) { if (!user_can_login($login)) { return false; } if (($config["auth"] === 'ad') && (isset($config['ad_advanced_config']) && $config['ad_advanced_config'])) { $return = enterprise_hook ('prepare_permissions_groups_of_user_ad', array ($login, $pass, false, true, defined('METACONSOLE'))); if ($return === "error_permissions") { $config["auth_error"] = __("Problems with configuration permissions. Please contact with Administrator"); return false; } else { if ($return === "permissions_changed") { $config["auth_error"] = __("Your permissions have changed. Please, login again."); return false; } } } elseif ($config["auth"] === 'ldap') { if ($config['ldap_save_password']) { $update_credentials = change_local_user_pass_ldap ($login, $pass); if ($update_credentials) { $config["auth_error"] = __("Your permissions have changed. Please, login again."); return false; } } else { delete_user_pass_ldap ($login); } $permissions = array(); if($config['ldap_advanced_config']){ $i = 0; $ldap_adv_perms = json_decode(io_safe_output($config['ldap_adv_perms']), true); foreach ($ldap_adv_perms as $ldap_adv_perm) { $attributes = $ldap_adv_perm['groups_ldap']; foreach ($attributes as $attr) { $attr = explode('=', $attr, 2); foreach ($sr[$attr[0]] as $s_attr) { if(preg_match('/' . $attr[1] . '/', $s_attr)){ $permissions[$i]["profile"] = $ldap_adv_perm['profile']; $permissions[$i]["groups"] = $ldap_adv_perm['group']; $permissions[$i]["tags"] = implode(",",$ldap_adv_perm['tags']); $i++; } } } } } else { $permissions[0]["profile"] = $config['default_remote_profile']; $permissions[0]["groups"][] = $config['default_remote_group']; $permissions[0]["tags"] = $config['default_assign_tags']; } if(empty($permissions)) { $config["auth_error"] = __("User not found in database or incorrect password"); return false; } else { // check permissions $result = check_permission_ad ($login, $pass, false, $permissions, defined('METACONSOLE')); if ($return === "error_permissions") { $config["auth_error"] = __("Problems with configuration permissions. Please contact with Administrator"); return false; } else { if ($return === "permissions_changed") { $config["auth_error"] = __("Your permissions have changed. Please, login again."); return false; } } } } return $login; } // The user does not exist and can not be created if ($config['autocreate_remote_users'] == 0 || is_user_blacklisted ($login)) { $config["auth_error"] = __("Ooops User not found in database or incorrect password"); return false; } if ($config["auth"] === 'ad' && (isset($config['ad_advanced_config']) && $config['ad_advanced_config'])) { if ( defined('METACONSOLE') ) { enterprise_include_once('include/functions_metaconsole.php'); enterprise_include_once ('meta/include/functions_groups_meta.php'); $return = groups_meta_synchronizing(); if ($return["group_create_err"] > 0 || $return["group_update_err"] > 0) { $config["auth_error"] = __('Fail the group synchronizing'); return false; } $return = meta_tags_synchronizing(); if ($return['tag_create_err'] > 0 || $return['tag_update_err'] > 0) { $config["auth_error"] = __('Fail the tag synchronizing'); return false; } } // Create the user if (enterprise_hook ('prepare_permissions_groups_of_user_ad', array($login, $pass, array ('fullname' => $login, 'comments' => 'Imported from ' . $config['auth']), false, defined('METACONSOLE'))) === false) { $config["auth_error"] = __("User not found in database or incorrect password"); return false; } } elseif ($config["auth"] === 'ldap') { if ( defined('METACONSOLE') ) { enterprise_include_once('include/functions_metaconsole.php'); enterprise_include_once ('meta/include/functions_groups_meta.php'); $return = groups_meta_synchronizing(); if ($return["group_create_err"] > 0 || $return["group_update_err"] > 0) { $config["auth_error"] = __('Fail the group synchronizing'); return false; } $return = meta_tags_synchronizing(); if ($return['tag_create_err'] > 0 || $return['tag_update_err'] > 0) { $config["auth_error"] = __('Fail the tag synchronizing'); return false; } } $permissions = array(); if($config['ldap_advanced_config']){ $i = 0; $ldap_adv_perms = json_decode(io_safe_output($config['ldap_adv_perms']), true); foreach ($ldap_adv_perms as $ldap_adv_perm) { $attributes = $ldap_adv_perm['groups_ldap']; foreach ($attributes as $attr) { $attr = explode('=', $attr, 2); foreach ($sr[$attr[0]] as $s_attr) { if(preg_match('/' . $attr[1] . '/', $s_attr)){ $permissions[$i]["profile"] = $ldap_adv_perm['profile']; $permissions[$i]["groups"] = $ldap_adv_perm['group']; $permissions[$i]["tags"] = implode(",",$ldap_adv_perm['tags']); $i++; } } } } } else { $permissions[0]["profile"] = $config['default_remote_profile']; $permissions[0]["groups"][] = $config['default_remote_group']; $permissions[0]["tags"] = $config['default_assign_tags']; } if(empty($permissions)) { $config["auth_error"] = __("User not found in database or incorrect password"); return false; } else { $user_info['fullname'] = $sr['cn'][0]; $user_info['email'] = $sr['mail'][0]; // Create the user $create_user = create_user_and_permisions_ldap($login, $pass, $user_info, $permissions, defined('METACONSOLE')); } } else { $user_info = array ('fullname' => $login, 'comments' => 'Imported from ' . $config['auth']); if ( is_metaconsole() && $config["auth"] === 'ad') $user_info['metaconsole_access_node'] = $config['ad_adv_user_node']; // Create the user in the local database if (create_user ($login, $pass, $user_info ) === false) { $config["auth_error"] = __("User not found in database or incorrect password"); return false; } profile_create_user_profile ($login, $config['default_remote_profile'], $config['default_remote_group'], false, $config['default_assign_tags']); //TODO: Check the creation in the nodes if ( is_metaconsole() ) { enterprise_include_once('include/functions_metaconsole.php'); enterprise_include_once ('meta/include/functions_groups_meta.php'); $return = groups_meta_synchronizing(); if ($return["group_create_err"] > 0 || $return["group_update_err"] > 0) { $config["auth_error"] = __('Fail the group synchronizing'); return false; } $return = meta_tags_synchronizing(); if ($return['tag_create_err'] > 0 || $return['tag_update_err'] > 0) { $config["auth_error"] = __('Fail the tag synchronizing'); return false; } $servers = metaconsole_get_servers(); foreach ($servers as $server) { $perfil_maestro = db_get_row('tperfil', 'id_perfil', $config['default_remote_profile']); if (metaconsole_connect($server) == NOERR ) { if (!profile_exist($perfil_maestro['name'])) { unset($perfil_maestro['id_perfil']); $id_profile = db_process_sql_insert('tperfil', $perfil_maestro); } else { $id_profile = db_get_value('id_perfil', 'tperfil', 'name', $perfil_maestro['name']); } if ($config["auth"] === 'ad') { unset($user_info['metaconsole_access_node']); $user_info['not_login'] = (int) !$config['ad_adv_user_node']; } if (create_user ($login, $pass, $user_info) === false) continue; profile_create_user_profile ($login, $id_profile, $config['default_remote_group'], false, $config['default_assign_tags']); } metaconsole_restore_db(); } } } return $login; } /** * Checks if a user is administrator. * * @param string User id. * * @return bool True is the user is admin */ function is_user_admin ($id_user) { require_once(__DIR__ . "/../functions_users.php"); return users_is_admin($id_user); } /** * Get the user id field on a mixed structure. * * This function is needed to make auth system more compatible and independant. * * @param mixed User structure to get id. It might be a row returned from * tusuario or tusuario_perfil. If it's not a row, the int value is returned. * * @return int User id of the mixed parameter. */ function get_user_id ($user) { if (is_array ($user)) { if (isset ($user['id_user'])) return $user['id_user']; elseif (isset ($user['id_usuario'])) return $user['id_usuario']; else return false; } else { return $user; } } /** * Check is a user exists in the system * * @param mixed User id. * * @return bool True if the user exists. */ function is_user ($user) { $user = db_get_row('tusuario', 'id_user', get_user_id ($user)); if (! $user) return false; return true; } function user_can_login($user) { $not_login = db_get_value('not_login', 'tusuario', 'id_user', $user); if ($not_login != 0) { return false; } return true; } /** * Gets the users real name * * @param mixed User id. * * @return string The users full name */ function get_user_fullname ($user) { return (string) db_get_value ('fullname', 'tusuario', 'id_user', get_user_id ($user)); } /** * Gets the users email * * @param mixed User id. * * @return string The users email address */ function get_user_email ($user) { return (string) db_get_value ('email', 'tusuario', 'id_user', get_user_id ($user)); } /** * Gets a Users info * * @param mixed User id * * @return mixed An array of users */ function get_user_info ($user) { static $cache_user_info = array(); if (array_key_exists($user, $cache_user_info)){ return $cache_user_info[$user]; } else{ $return = db_get_row ("tusuario", "id_user", get_user_id ($user)); $cache_user_info[$user] = $return; return $return; } } /** * Get a list of all users in an array [username] => array (userinfo) * We can't simplify this because some auth schemes (like LDAP) automatically (or it's at least cheaper to) return all the information * Functions like get_user_info allow selection of specifics (in functions_db) * * @param string Field to order by (id_user, fullname or registered) * * @return array An array of user information */ function get_users ($order = "fullname", $filter = false, $fields = false) { if (is_array($order)) { $filter['order'] = $order['field'] . ' ' . $order['order']; } else { switch ($order) { case "registered": case "last_connect": case "fullname": break; default: $order = "fullname"; break; } $filter['order'] = $order." ASC"; } $output = array(); $result = db_get_all_rows_filter ("tusuario", $filter, $fields); if ($result !== false) { foreach ($result as $row) { $output[$row["id_user"]] = $row; } } return $output; } /** * Sets the last login for a user * * @param string User id */ function process_user_contact ($id_user) { return db_process_sql_update ("tusuario", array ("last_connect" => get_system_time ()), array ("id_user" => $id_user)); } /** * Create a new user * * @return bool false */ function create_user ($id_user, $password, $user_info) { $values = $user_info; $values["id_user"] = $id_user; $values["password"] = md5 ($password); $values["last_connect"] = 0; $values["registered"] = get_system_time (); return (@db_process_sql_insert ("tusuario", $values)) !== false; } /** * Save password history * * @return bool false */ function save_pass_history ($id_user, $password) { $values["id_user"] = $id_user; $values["password"] = md5 ($password); $values["date_begin"] = date ("Y/m/d H:i:s", get_system_time()); return (@db_process_sql_insert ("tpassword_history", $values)) !== false; } /** * Deletes the user * * @param string User id */ function delete_user ($id_user) { $result = db_process_sql_delete('tusuario_perfil', array('id_usuario' => $id_user)); if ($result === false) { return false; } $result = db_process_sql_delete('tusuario', array('id_user' => $id_user)); if ($result === false) { return false; } return true; } /** * Update the password in MD5 for user pass as id_user with * password in plain text. * * @param string user User ID * @param string password Password in plain text. * * @return mixed False in case of error or invalid values passed. Affected rows otherwise */ function update_user_password ($user, $password_new) { global $config; if (isset($config['auth']) && $config['auth'] == 'pandora') { $sql = sprintf("UPDATE tusuario SET password = '" . md5($password_new) . "', last_pass_change = '" . date("Y-m-d H:i:s", get_system_time()) . "' WHERE id_user = '" . $user . "'"); $connection = mysql_connect_db($config['rpandora_server'], $config['rpandora_dbname'], $config['rpandora_user'], $config['rpandora_pass']); $remote_pass_update = db_process_sql ($sql, 'affected_rows', $connection); if (!$remote_pass_update) { $config["auth_error"] = __('Could not changes password on remote pandora'); return false; } } return db_process_sql_update ('tusuario', array ('password' => md5 ($password_new), 'last_pass_change' => date ("Y/m/d H:i:s", get_system_time())), array ('id_user' => $user)); } /** * Update the data of a user that user is choose with * id_user. * * @param string user User ID * @param array values Associative array with index as name of field and content. * * @return mixed False in case of error or invalid values passed. Affected rows otherwise */ function update_user ($id_user, $values) { if (! is_array ($values)) return false; return db_process_sql_update ("tusuario", $values, array ("id_user" => $id_user)); } /** * Authenticate against an LDAP server. * * @param string User login * @param string User password (plain text) * * @return bool True if the login is correct, false in other case */ function ldap_process_user_login ($login, $password) { global $config; if (! function_exists ("ldap_connect")) { $config["auth_error"] = __('Your installation of PHP does not support LDAP'); return false; } // Connect to the LDAP server $ds = @ldap_connect ($config["ldap_server"], $config["ldap_port"]); if (!$ds) { $config["auth_error"] = 'Error connecting to LDAP server'; return false; } // Set the LDAP version ldap_set_option ($ds, LDAP_OPT_PROTOCOL_VERSION, $config["ldap_version"]); if ($config["ldap_start_tls"]) { if (!@ldap_start_tls ($ds)) { $config["auth_error"] = 'Could not start TLS for LDAP connection'; @ldap_close ($ds); return false; } } if($config['ldap_function'] == 'local'){ $sr = local_ldap_search($config["ldap_server"], $config["ldap_port"], $config["ldap_version"], io_safe_output($config["ldap_base_dn"]), $config['ldap_login_attr'], io_safe_output($config['ldap_admin_login']), $config['ldap_admin_pass'], io_safe_output($login)); if($sr) { $user_dn = $sr["dn"][0]; $ldap_base_dn = !empty($config["ldap_base_dn"]) ? "," . io_safe_output($config["ldap_base_dn"]) : ''; if(!empty($ldap_base_dn)) { if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($user_dn), $password) ) { @ldap_close ($ds); return $sr; } } else { if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($login), $password) ) { @ldap_close ($ds); return $sr; } } } } else { // PHP LDAP function if ($config['ldap_admin_login'] != "" && $config['ldap_admin_pass'] != "") { if (!@ldap_bind($ds, io_safe_output($config['ldap_admin_login']), $config['ldap_admin_pass'])) { $config["auth_error"] = 'Admin ldap connection fail'; @ldap_close ($ds); return false; } } $filter="(" . $config['ldap_login_attr'] . "=" . io_safe_output($login) . ")"; $sr = ldap_search($ds, io_safe_output($config["ldap_base_dn"]), $filter); $memberof = ldap_get_entries($ds, $sr); if ($memberof["count"] == 0 && !isset($memberof[0]["memberof"])) { @ldap_close ($ds); return false; } else { $memberof = $memberof[0]; } unset($memberof["count"]); $ldap_base_dn = !empty($config["ldap_base_dn"]) ? "," . io_safe_output($config["ldap_base_dn"]) : ''; if(!empty($ldap_base_dn)) { if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($memberof['dn']), $password) ) { @ldap_close ($ds); return $memberof; } } else { if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($login), $password) ) { @ldap_close ($ds); return $memberof; } } } @ldap_close ($ds); $config["auth_error"] = 'User not found in database or incorrect password'; return false; } /** * Checks if a user is in the autocreate blacklist. * * @param string User * * @return bool True if the user is in the blacklist, false otherwise. */ function is_user_blacklisted ($user) { global $config; $blisted_users = explode (',', $config['autocreate_blacklist']); foreach ($blisted_users as $blisted_user) { if ($user == $blisted_user) { return true; } } return false; } /** * Create progile with data obtaint from AD * * @param string Login * @param string Password * @param array user_info * @param array permiisons * * @return bool */ function create_user_and_permisions_ldap ($id_user, $password, $user_info, $permissions, $syncronize = false) { global $config; $values = $user_info; $values["id_user"] = $id_user; if ($config['ldap_save_password']) { $values["password"] = md5 ($password); } $values["last_connect"] = 0; $values["registered"] = get_system_time (); if ( defined("METACONSOLE") && $syncronize ) $values['metaconsole_access_node'] = $config['ldap_adv_user_node']; $user = (@db_process_sql_insert ("tusuario", $values)) !== false; if ($user) { if (!empty($permissions)) { foreach ($permissions as $permission) { $id_profile = $permission["profile"]; $id_groups = $permission["groups"]; $tags = $permission["tags"]; foreach ($id_groups as $id_group) { $profile = profile_create_user_profile( $id_user, $id_profile, $id_group, false, $tags); } if ( defined("METACONSOLE") && $syncronize ) { enterprise_include_once('include/functions_metaconsole.php'); unset($values['metaconsole_access_node']); $values['not_login'] = (int) !$config['ldap_adv_user_node']; $servers = metaconsole_get_servers(); foreach ($servers as $server) { $perfil_maestro = db_get_row('tperfil', 'id_perfil', $permission["profile"]); if (metaconsole_connect($server) == NOERR ) { if (!profile_exist($perfil_maestro['name'])) { unset($perfil_maestro['id_perfil']); $id_profile = db_process_sql_insert('tperfil', $perfil_maestro); } else { $id_profile = db_get_value('id_perfil', 'tperfil', 'name', $perfil_maestro['name']); } db_process_sql_insert ("tusuario", $values); foreach ($id_groups as $id_group) { $profile = profile_create_user_profile ($id_user, $id_profile, $id_group, false, $tags); } } metaconsole_restore_db(); } } if (!$profile) return false; } } else { $profile = profile_create_user_profile( $id_user, $config['default_remote_profile'], $config['default_remote_group'], false, $config['default_assign_tags']); if (!$profile) return false; } } return true; } /** * Check if user have right permission in pandora. This * permission depend of ldap. * * @param string Login * @param string Password * * @return string */ function check_permission_ldap ($id_user, $password, $user_info, $permissions, $syncronize = false) { global $config; include_once($config['homedir'] . "/enterprise/include/functions_metaconsole.php"); $result_user = users_get_user_by_id($id_user); $filter = array("id_usuario" => $id_user); $profiles_user = array(); $user_profiles = db_get_all_rows_filter ("tusuario_perfil", $filter); foreach ($user_profiles as $user_profile) { $profiles_user[$user_profile["id_up"]] = $user_profile["id_perfil"]; } $profiles_user_nodes = array(); $permissions_nodes = array(); if ( is_metaconsole() && $syncronize ) { $servers = metaconsole_get_servers(); foreach ($servers as $server) { if ( metaconsole_connect($server) == NOERR ) { $user_profiles_nodes = db_get_all_rows_filter ("tusuario_perfil", $filter); foreach ($user_profiles_nodes as $user_profile_node) { $profiles_user_nodes[$server['server_name']][$user_profile_node["id_up"]] = $user_profile_node["id_perfil"]; } } metaconsole_restore_db(); } foreach ($permissions as $key => $permission) { $perfil_maestro = db_get_row('tperfil', 'id_perfil', $permission['profile']); foreach ($servers as $server) { if (metaconsole_connect($server) == NOERR ) { if (profile_exist($perfil_maestro['name'])) { $id_profile = db_get_value('id_perfil', 'tperfil', 'name', $perfil_maestro['name']); $permissions_nodes[$server['server_name']][$key] = $permission; $permissions_nodes[$server['server_name']][$key]['profile'] = $id_profile; } } metaconsole_restore_db(); } } } $no_found = array(); if ($result_user) { foreach ($permissions as $permission) { $id_profile = $permission["profile"]; $id_groups = $permission["groups"]; $tags = $permission["tags"]; foreach ($id_groups as $id_group) { $filter = array("id_usuario" => $id_user, "id_perfil"=>$id_profile, "id_grupo" => $id_group); //~ Find perfil with advance permissions in //~ authentication menu. This data depends on //~ groups where this user it belong. $result_profiles = db_get_row_filter ("tusuario_perfil", $filter); if (!$result_profiles) { #If not found save in array. $no_found[] = array("id_perfil"=>$id_profile, "id_grupo" => $id_group, "tags" =>$tags); } else { #if profile is find, delete from array. db_process_sql_update("tusuario_perfil", array("tags" =>$tags), array('id_usuario' => $id_user, 'id_up' => $profiles_user[$id_profile])); unset($profiles_user[$result_profiles["id_up"]]); } } } if (is_metaconsole() && $syncronize) { $servers = metaconsole_get_servers(); foreach ($servers as $server) { foreach ($permissions_nodes[$server['server_name']] as $permission_node) { $id_profile = $permission_node["profile"]; $id_groups = $permission_node["groups"]; $tags = $permission_node["tags"]; foreach ($id_groups as $id_group) { $filter = array("id_usuario" => $id_user, "id_perfil"=>$id_profile, "id_grupo" => $id_group); if (metaconsole_connect($server) == NOERR ) { $result_profiles = db_get_row_filter ("tusuario_perfil", $filter); if (!$result_profiles) { #If not found save in array. $no_found_server[$server['server_name']][] = array("id_perfil" => $id_profile, "id_grupo" => $id_group, "tags" => $tags); } else { #if profile is find, delete from array. db_process_sql_update("tusuario_perfil", array("tags" =>$tags), array('id_usuario' => $id_user, 'id_up' => $profiles_user_nodes[$server_name][$id_profile])); unset($profiles_user_nodes[$server_name][$result_profiles["id_up"]]); } } } } metaconsole_restore_db(); } } if ( empty($profiles_user) && empty($no_found) ) { #The permmisions of user not changed return true; } else { foreach ($profiles_user as $key => $profile_user) { #The other profiles are deleted profile_delete_user_profile ($id_user, $key); } if ( is_metaconsole() && $syncronize ) { foreach ($profiles_user_nodes as $server_name => $profile_users) { $server = metaconsole_get_connection($server_name); foreach ($profile_users as $key => $profile_user) { if ( metaconsole_connect($server) == NOERR ) { profile_delete_user_profile ($id_user, $key); } } metaconsole_restore_db(); } } foreach ($no_found as $new_profiles) { //Add the missing permissions profile_create_user_profile ($id_user, $new_profiles["id_perfil"], $new_profiles["id_grupo"], false, $new_profiles["tags"]); } if ( is_metaconsole() && $syncronize ) { $servers = metaconsole_get_servers(); foreach ($servers as $server) { if ( metaconsole_connect($server) == NOERR ) { foreach ($no_found_server[$server['server_name']] as $new_profiles) { profile_create_user_profile ($id_user, $new_profiles["id_perfil"], $new_profiles["id_grupo"], false, $new_profiles["tags"]); } } metaconsole_restore_db(); } } return "permissions_changed"; } } else { return "error_permissions"; } } /** * Update local user pass from ldap user * * @param string Login * @param string Password * * @return bool */ function change_local_user_pass_ldap ($id_user, $password) { $local_user_pass = db_get_value_filter('password', 'tusuario', array('id_user' => $id_user)); $return = false; if (md5($password) !== $local_user_pass) { $values_update = array(); $values_update['password'] = md5($password); $return = db_process_sql_update('tusuario', $values_update, array('id_user' => $id_user)); } return $return; } function delete_user_pass_ldap ($id_user) { $values_update = array(); $values_update['password'] = null; $return = db_process_sql_update('tusuario', $values_update, array('id_user' => $id_user)); return; } function safe_output_accute($string) { $no_allowed= array ("á","é","í","ó","ú","Á","É","Í","Ó","Ú","ñ","Ñ"); $allowed= array ("a","e","i","o","u","A","E","I","O","U","n","N"); $result = str_replace($no_allowed, $allowed ,$string); return $result; } function local_ldap_search($ldap_host, $ldap_port=389, $ldap_version=3, $dn, $access_attr, $ldap_admin_user, $ldap_admin_pass, $user) { global $config; $filter = ""; if(!empty($access_attr) && !empty($user)){ $filter = " -s sub '(" . $access_attr . "=" . $user . ")' "; } $tls = ""; if($config["ldap_start_tls"]) { $tls = " -ZZ "; } $ldap_host = " -h " . $ldap_host; $ldap_port = " -p ". $ldap_port; $ldap_version = " -P ". $ldap_version; if(!empty($ldap_admin_user)){ $ldap_admin_user = " -D '". $ldap_admin_user."'"; } if(!empty($ldap_admin_pass)){ $ldap_admin_pass = " -w " . $ldap_admin_pass; } $dn = " -b '". $dn ."'"; $shell_ldap_search = explode("\n", shell_exec('ldapsearch -LLL -o ldif-wrap=no -x' . $ldap_host . $ldap_port . $ldap_version . ' -E pr=10000/noprompt ' . $ldap_admin_user . $ldap_admin_pass . $dn . $filter . $tls . ' | grep -v "^#\|^$" | sed "s/:\+ /=>/g"')); foreach($shell_ldap_search as $line) { $values = explode("=>", $line); if(!empty($values[0]) && !empty($values[1])) { $user_attr[$values[0]][] = $values[1]; } } if (empty($user_attr)) { return false; } $base64 = preg_match('/^[a-zA-Z0-9\/\r\n+]*={0,2}$/', $user_attr["dn"][0]); if($base64){ $user_dn = safe_output_accute(base64_decode($user_attr["dn"][0])); } else { $user_dn = safe_output_accute($user_attr["dn"][0]); } if(strlen($user_dn) > 0) { $user_attr["dn"][0]=$user_dn; } return $user_attr; } //Reference the global use authorization error to last auth error. $config["auth_error"] = &$mysql_cache["auth_error"]; ?>